Trickbot EXE files from ".png" URLs on Monday 2020-03-16

Posted by malware_traffic on Mar 16th, 2020
TRICKBOT EXE FILES FROM .PNG URLs ON MONDAY 2020-03-16

URLS:

- hxxp://64.44.51[.]120/images/cursor.png
- hxxp://64.44.51[.]120/images/imgpaper.png
- hxxp://64.44.51[.]120/images/redcar.png

NOTES:

- The HTTP request for cursor.png is caused by Trickbot's mshareDll module.
- The HTTP request for imgpaper.png is caused by Trickbot's tabDll module.
- The HTTP request for redcar.png is caused by Trickbot's mwormDll module.
- All of these URLs returned a Windows executable file (EXE).
- Each of these Trickbot EXE files has a different gtag.
- These URLs may return files with different hashes every time they are retrieved.

FILE INFO:

- SHA256 hash: 3e6570e962b3c327e27c46e1cb48adba417858d5abf8888242a22c8c02303343
- File size: 483,328 bytes
- File location: hxxp://64.44.51[.]120/images/cursor.png
- File description: Windows executable file for Trickbot, gtag tot697
- Analysis:
 -- https://urlhaus.abuse.ch/url/325821/
 -- https://app.any.run/tasks/90d52d06-c52a-4371-a630-ddf79469ed2c
 -- https://capesandbox.com/analysis/14421/
 -- https://www.hybrid-analysis.com/sample/3e6570e962b3c327e27c46e1cb48adba417858d5abf8888242a22c8c02303343

- SHA256 hash: d6ff25b6331fe776f5d8dd3749adef221eaf627e5c764327ebf30929a648bd79
- File size: 483,328 bytes
- File location: hxxp://64.44.51[.]120/images/imgpaper.png
- File description: Windows executable file for Trickbot, gtag lib697
- Analysis:
 -- https://urlhaus.abuse.ch/url/325822/
 -- https://app.any.run/tasks/a5951422-91fb-47cb-9b5b-e7470ca4343d
 -- https://capesandbox.com/analysis/14422/
 -- https://www.hybrid-analysis.com/sample/d6ff25b6331fe776f5d8dd3749adef221eaf627e5c764327ebf30929a648bd79

- SHA256 hash: 51903e594cf91da56380accc7a6f7e990d926ade2ff0bf1c428c8a917c4b14e3
- File size: 491,520 bytes
- File location: hxxp://64.44.51[.]120/images/redcar.png
- File description: Windows executable file for Trickbot, gtag jim697
- Analysis:
 -- https://urlhaus.abuse.ch/url/325823/
 -- https://app.any.run/tasks/90d52d06-c52a-4371-a630-ddf79469ed2c
 -- https://capesandbox.com/analysis/14423/
 -- https://www.hybrid-analysis.com/sample/51903e594cf91da56380accc7a6f7e990d926ade2ff0bf1c428c8a917c4b14e3
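
DETECTION EXAMPLE (added here, not part of the original paste): because the hashes can change on every retrieval, a content check is more durable than hash matching. The sketch below flags HTTP responses whose URL ends in an image extension but whose body is a Windows PE file. The 192.0.2.10 host, the sample bodies and all function names are constructed for illustration.

```python
import struct
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Magic bytes a response must start with to match an image-looking URL.
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
               ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}

def is_pe(body: bytes) -> bool:
    """True if body has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(url: str, body: bytes) -> str:
    """Return 'ok', 'mismatch' or 'exe-as-image' for one HTTP response."""
    ext = PurePosixPath(urlsplit(url).path).suffix.lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic is None or body.startswith(magic):
        return "ok"  # not an image URL (out of scope here) or a real image
    return "exe-as-image" if is_pe(body) else "mismatch"

def stub_pe() -> bytes:
    """Constructed 88-byte stand-in for an EXE: headers only, no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\x00\x00" + bytes(20)

# Constructed (url, body) pairs; 192.0.2.10 is a documentation address.
SAMPLES = [
    ("http://192.0.2.10/images/cursor.png", stub_pe()),
    ("http://192.0.2.10/images/logo.png", b"\x89PNG\r\n\x1a\n" + bytes(16)),
    ("http://192.0.2.10/images/note.png", b"<html>404</html>"),
    ("http://192.0.2.10/setup.exe", stub_pe()),
]

def flagged(samples):
    """URLs and verdicts for every response that is not 'ok'."""
    return [(url, verdict) for url, body in samples
            if (verdict := classify(url, body)) != "ok"]

if __name__ == "__main__":
    for url, verdict in flagged(SAMPLES):
        print(f"{verdict:13} {url}")
```

The same comparison can be run over bodies carved from a pcap or proxy log; "mismatch" covers non-image, non-PE content such as error pages.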