malware_traffic

Trickbot EXE files from ".png" URLs on Monday 2020-03-16

Mar 16th, 2020
TRICKBOT EXE FILES FROM .PNG URLs ON MONDAY 2020-03-16

URLS:

- hxxp://64.44.51[.]120/images/cursor.png
- hxxp://64.44.51[.]120/images/imgpaper.png
- hxxp://64.44.51[.]120/images/redcar.png

NOTES:

- The HTTP request for cursor.png is caused by Trickbot's mshareDll module.
- The HTTP request for imgpaper.png is caused by Trickbot's tabDll module.
- The HTTP request for redcar.png is caused by Trickbot's mwormDll module.
- All of these URLs returned a Windows executable file (EXE).
- Each of these Trickbot EXE files has a different gtag.
- These URLs may return files with different hashes every time they are retrieved.

FILE INFO:

- SHA256 hash: 3e6570e962b3c327e27c46e1cb48adba417858d5abf8888242a22c8c02303343
- File size: 483,328 bytes
- File location: hxxp://64.44.51[.]120/images/cursor.png
- File description: Windows executable file for Trickbot, gtag tot697
- Analysis:
-- https://urlhaus.abuse.ch/url/325821/
-- https://app.any.run/tasks/90d52d06-c52a-4371-a630-ddf79469ed2c
-- https://capesandbox.com/analysis/14421/
-- https://www.hybrid-analysis.com/sample/3e6570e962b3c327e27c46e1cb48adba417858d5abf8888242a22c8c02303343

- SHA256 hash: d6ff25b6331fe776f5d8dd3749adef221eaf627e5c764327ebf30929a648bd79
- File size: 483,328 bytes
- File location: hxxp://64.44.51[.]120/images/imgpaper.png
- File description: Windows executable file for Trickbot, gtag lib697
- Analysis:
-- https://urlhaus.abuse.ch/url/325822/
-- https://app.any.run/tasks/a5951422-91fb-47cb-9b5b-e7470ca4343d
-- https://capesandbox.com/analysis/14422/
-- https://www.hybrid-analysis.com/sample/d6ff25b6331fe776f5d8dd3749adef221eaf627e5c764327ebf30929a648bd79

- SHA256 hash: 51903e594cf91da56380accc7a6f7e990d926ade2ff0bf1c428c8a917c4b14e3
- File size: 491,520 bytes
- File location: hxxp://64.44.51[.]120/images/redcar.png
- File description: Windows executable file for Trickbot, gtag jim697
- Analysis:
-- https://urlhaus.abuse.ch/url/325823/
-- https://app.any.run/tasks/90d52d06-c52a-4371-a630-ddf79469ed2c
-- https://capesandbox.com/analysis/14423/
-- https://www.hybrid-analysis.com/sample/51903e594cf91da56380accc7a6f7e990d926ade2ff0bf1c428c8a917c4b14e3
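
The NOTES above describe URLs ending in .png that returned Windows executables. As an added example (not part of the original paste), this Python check flags that mismatch by comparing the URL's image extension with the leading bytes of the response body. The host 198.51.100.7, the sample paths and the response bodies are constructed for illustration, and the function names are hypothetical.

```python
import posixpath
from urllib.parse import urlsplit

# Leading magic bytes expected for each image extension.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

def is_pe(body):
    """True if body has an 'MZ' header and 'PE\\0\\0' at the e_lfanew offset."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    off = int.from_bytes(body[0x3C:0x40], "little")  # e_lfanew field
    return body[off:off + 4] == b"PE\x00\x00"

def classify(url, body):
    """Compare the URL's extension with what the response body actually is."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        return "not-image-url"      # out of scope for this check
    if body.startswith(magic):
        return "ok"                 # extension and content agree
    return "exe-as-image" if is_pe(body) else "mismatch"

def make_pe_stub():
    # Constructed minimal header: 'MZ', e_lfanew = 0x40, then the PE signature.
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

# Constructed (URL, response body) pairs; 198.51.100.7 is a documentation address.
SAMPLES = [
    ("http://198.51.100.7/images/sample1.png", make_pe_stub()),
    ("http://198.51.100.7/images/sample2.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("http://198.51.100.7/images/sample3.png", b"<html>404</html>"),
    ("http://198.51.100.7/setup.exe", make_pe_stub()),
]

def scan(samples):
    return [(url, classify(url, body)) for url, body in samples]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLES):
        print(verdict, url)
```

Because the NOTES say the hashes may change on every retrieval, a content-type check like this keeps working where hash matching on the listed SHA256 values would not.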