malware_traffic

Trickbot propagation URLs on Friday 2020-06-19

Jun 19th, 2020
TRICKBOT PROPAGATION URLS ON FRIDAY 2020-06-19

URLS:

- hxxp://162.216.0[.]166/ico/VidT6cErs
- hxxp://162.216.0[.]166/images/cursor.png
- hxxp://162.216.0[.]166/images/imgpaper.png

NOTES:

- These URLs were noted as early as Wednesday 2020-06-16.
- These URLs appear to return a different file hash each time they are queried.

- The HTTP request for VidT6cErs is caused by Trickbot's nwormDll module (jim-series gtag).
- The HTTP request for cursor.png is caused by Trickbot's mshareDll module (tot-series gtag).
- The HTTP request for imgpaper.png is caused by Trickbot's tabDll module (lib-series gtag).

More info on the new "nworm" module used by Trickbot:

- https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/

$ file *
VidT6cErs: data
cursor.png: PE32 executable (GUI) Intel 80386, for MS Windows
imgpaper.png: PE32 executable (GUI) Intel 80386, for MS Windows

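The two checks a practitioner would want to automate from the notes above are the ones `file` just made by hand: the ".png" URLs serve Windows executables, not images, and because each request returns a fresh hash, the SHA256 values below are useful as evidence but not as a blocklist. The following Python is an added example, not part of the original paste or of any Trickbot tooling. It refangs the listed URLs, sniffs content for the MZ/PE header the way `file` does, flags extension mismatches, and detects the same-size/different-hash pattern across repeated fetches. It runs offline: the "fetched" bytes are a constructed minimal PE header, not the real samples, and `build_fake_pe`, `classify`, `triage` and `server_side_polymorphism` are names chosen here for illustration.

```python
import hashlib
import struct

# Constructed copy of the defanged URLs listed above; nothing is fetched.
DEFANGED_URLS = [
    "hxxp://162.216.0[.]166/ico/VidT6cErs",
    "hxxp://162.216.0[.]166/images/cursor.png",
    "hxxp://162.216.0[.]166/images/imgpaper.png",
]

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000


def refang(url: str) -> str:
    """Reverse the usual defanging (hxxp -> http, [.] -> .) for feed or blocklist use."""
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url.replace("[.]", ".").replace("[:]", ":")


def classify(data: bytes) -> str:
    """Minimal content sniffer reproducing the distinctions `file` drew above:
    PNG magic, or MZ stub + 'PE\\0\\0' at e_lfanew, or plain data."""
    if data.startswith(PNG_MAGIC):
        return "PNG image"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "data"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # COFF header after the signature: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ executable without PE header"
    machine, = struct.unpack_from("<H", data, e_lfanew + 4)
    characteristics, = struct.unpack_from("<H", data, e_lfanew + 22)
    kind = "PE32+" if machine == IMAGE_FILE_MACHINE_AMD64 else "PE32"
    arch = {IMAGE_FILE_MACHINE_I386: "Intel 80386",
            IMAGE_FILE_MACHINE_AMD64: "x86-64"}.get(machine, hex(machine))
    role = "DLL" if characteristics & IMAGE_FILE_DLL else "executable"
    return f"{kind} {role} ({arch})"


def build_fake_pe(machine: int = IMAGE_FILE_MACHINE_I386,
                  characteristics: int = 0x0102) -> bytes:
    """Constructed minimal MZ/PE header for testing the sniffer; not a runnable binary.
    0x0102 = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when a file served as .png is not a PNG, as with cursor.png and imgpaper.png."""
    return name.lower().endswith(".png") and not data.startswith(PNG_MAGIC)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(url: str, data: bytes) -> dict:
    """One record per artifact, in the shape of the FILE INFO entries on this page."""
    name = url.rsplit("/", 1)[-1]
    return {"url": url, "name": name, "size": len(data), "sha256": sha256(data),
            "type": classify(data), "ext_mismatch": extension_mismatch(name, data)}


def server_side_polymorphism(fetches: list) -> bool:
    """Same size but a different SHA256 on every fetch of one URL: the pattern noted
    above, which is why hashes from this server do not work as block indicators."""
    sizes = {len(d) for d in fetches}
    digests = {sha256(d) for d in fetches}
    return len(fetches) > 1 and len(sizes) == 1 and len(digests) == len(fetches)


if __name__ == "__main__":
    for url in DEFANGED_URLS:
        print(refang(url))
    # Two constructed "fetches" of cursor.png: identical size, different bytes.
    fetch1 = build_fake_pe() + b"\x00" * 16
    fetch2 = build_fake_pe() + b"\x01" * 16
    print(triage(refang(DEFANGED_URLS[1]), fetch1))
    print("polymorphic:", server_side_polymorphism([fetch1, fetch2]))
```

In practice the `ext_mismatch` and `type` fields are what a proxy or sandbox rule keys on (an image path returning a PE), while the URL and host, not the per-download hash, go into the blocklist.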
FILE INFO:

- SHA256 hash: 1ec9bdc03f0f642dc27730fe1be83dc9960c133bd3aadc163fcdc65d3b7740ca
- File size: 105,555 bytes
- File location: hxxp://162.216.0[.]166/ico/VidT6cErs
- File description: encoded binary (not an executable) associated with nwormDll for Trickbot, gtag jim750
- Analysis:
-- https://urlhaus.abuse.ch/url/399496/
-- https://app.any.run/tasks/2b0a7593-9ec5-474e-9197-cccb73b14825
-- https://capesandbox.com/analysis/9817/
-- https://www.hybrid-analysis.com/sample/1ec9bdc03f0f642dc27730fe1be83dc9960c133bd3aadc163fcdc65d3b7740ca

- SHA256 hash: 605a4c603284686d5d31831b7d9b34cd7cd639332c10c97d55dff2f7835ac2a0
- File size: 593,920 bytes
- File location: hxxp://162.216.0[.]166/images/cursor.png
- File description: Windows executable file associated with mshareDll for Trickbot, gtag tot750
- Analysis:
-- https://urlhaus.abuse.ch/url/399494/
-- https://app.any.run/tasks/6f6e9807-2a9f-4632-a23a-e74551072d2c
-- https://capesandbox.com/analysis/9808/
-- https://www.hybrid-analysis.com/sample/605a4c603284686d5d31831b7d9b34cd7cd639332c10c97d55dff2f7835ac2a0

- SHA256 hash: 05f9b81e3cfa7c83a4ddecd9978e4136f64a396622355497885e2209a4c28065
- File size: 593,920 bytes
- File location: hxxp://162.216.0[.]166/images/imgpaper.png
- File description: Windows executable file associated with tabDll for Trickbot, gtag lib750
- Analysis:
-- https://urlhaus.abuse.ch/url/399495/
-- https://app.any.run/tasks/b8900487-3fcf-454e-b8bb-82667f849ce0
-- https://capesandbox.com/analysis/9815/
-- https://www.hybrid-analysis.com/sample/05f9b81e3cfa7c83a4ddecd9978e4136f64a396622355497885e2209a4c28065