API tools faq
paste
ExecuteMalware

2021-02-23 Trickbot IOCs

ExecuteMalware
Feb 23rd, 2021
7,105
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.98 KB | None | 0 0
raw download clone embed print report
  1. THREAT IDENTIFICATION: TRICKBOT
  2.  
  3. TRICKBOT GTAG
  4. gtag: rob16
  5.  
  6. SUBJECTS OBSERVED
  7. Important Notification: Precept # 6423
  8. Important Notification: Precept # 8251
  9.  
  10. SENDERS OBSERVED
  11. [email protected]
  12.  
  13. MALDOC FILE NAMES
  14. Attach_2024121422_59606374.xls
  15. ef149fa0e847a59880b1fc0b6b1977f1
  16.  
  17. Attach_452701361_1806650968.xls
  18. 21c92b5f324f5c301e8911c39c24d0e5
  19.  
  20. MALDOC FILE HASHES
  21. ef149fa0e847a59880b1fc0b6b1977f1
  22. 21c92b5f324f5c301e8911c39c24d0e5
  23.  
  24. TRICKBOT PAYLOAD URLS
  25. http://bearcatpumps.com.cn/css/tolkio.php
  26.  
  27. TRICKBOT PAYLOAD FILE HASHES
  28. 10.point
  29. 884dab96c679194fc5140322d5ce9e9d
  30.  
  31. TRICKBOT C2
  32. https://102.164.211.138:449
  33. https://103.119.117.42:443
  34. https://103.146.2.152:449
  35. https://103.73.101.98:449
  36. https://103.76.20.226:443
  37. https://103.84.164.87:443
  38. https://103.91.244.102:449
  39. https://108.170.20.72:443
  40. https://111.235.66.83:443
  41. https://117.212.193.62:449
  42. https://118.67.216.238:449
  43. https://154.79.252.132:449
  44. https://167.179.194.205:443
  45. https://168.232.188.88:449
  46. https://173.81.4.147:449
  47. https://177.47.88.62:443
  48. https://178.54.230.164:443
  49. https://179.191.108.58:449
  50. https://179.60.243.52:443
  51. https://182.48.66.106:443
  52. https://185.234.72.84:443
  53. https://186.195.199.238:449
  54. https://187.19.200.154:449
  55. https://187.190.116.59:443
  56. https://190.119.167.154:447
  57. https://190.152.71.230:443
  58. https://200.6.169.124:443
  59. https://201.184.190.59:449
  60. https://202.142.151.190:449
  61. https://221.176.88.201:449
  62. https://36.92.93.5:449
  63. https://36.94.202.131:443
  64. https://37.235.230.123:449
  65. https://45.234.248.66:449
  66. https://79.122.166.236:449
  67. https://80.78.75.246:443
  68. https://80.78.77.116:449
  69. https://85.159.214.61:443
  70.  
  71. TRICKBOT ADDITIONAL DOWNLOAD FILE HASH
  72. pwgrab64
  73. f653abaab18c36ad20bfc369f2a87fd3
  74.  
  75. shareDll64
  76. 7e40b08dc13256e67b4d94080f4d9a24
  77.  
  78. networkDll64
  79. c9e79d2f60b6630116aaee9abb02a06f
  80.  
  81. TRICKBOT CONFIG FILE
  82. serviceworker.txt
  83. e8e485ac450f7daac1dc7e245b52b8f9
  84.  
  85.  
  86. FIDDLER TRAFFIC CAPTURE
  87. http://bearcatpumps.com.cn/css/tolkio.php
  88. http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0a882b783b913a3b
  89. http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?184cc342f3942d16
  90. http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?06cb81692939b5c4
  91. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/5/kps/
  92. https://api.ipify.org/?format=text
  93. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/0/Windows 7 x64 SP1/1103/104.140.52.99/B7E4CBA0AC3BFD329AB910D91B19E896CD3FC46BD43AB29ED7A447624A92BB20/RHEoK375rj75w4i8c4jzFbP/
  94. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/14/user/analyst/0/
  95. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/14/path/C:\Users\analyst\AppData\Roaming\InternetFreeDownloadManager2420202460\kiTDCSqy.dwn/0/
  96. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/23/2000026/
  97. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/14/DNSBL/not listed/0/
  98. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/14/NAT status/client is behind NAT/0/
  99. https://190.119.167.154:447/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/5/pwgrab64/
  100. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/5/dpost/
  101. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/10/62/BRHJHVXVPLJHF/1/
  102. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/64/pwgrab/VERS//
  103. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/1/0CEi2SaSK2UUawMI/
  104. https://190.119.167.154:447/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/5/networkDll64/
  105. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/64/pwgrab/DEBG//
  106. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/64/networkDll/NETWORKDLL//
  107. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/64/pwgrab/DPST//
  108. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/10/62/498676/1/
  109. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/63/networkDll/start///
  110. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/1/ZfpWRo3y9CYJUP5mhsYzAPlSNc/
  111. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/10/62/498678/1/
  112. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/14/pwgrab/sTart pwgrab working/0/
  113. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/1/37XXLjnvjJBF7hpdV5D1t/
  114. https://190.119.167.154:447/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/5/shareDll64/
  115. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/10/62/498680/1/
  116. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/63/shareDll/infect///
  117. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/1/X3aZmjqEHORjwzwKXUXz25CQdah58FIa/
  118. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/1/N6eGDam7vAIJRAxltgLTjXr/
  119. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/1/fzvdjpP39DrVddHv15lLRV9n/
  120. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/1/3LhVndDNXJ97PFt3Lzlv5rh/
  121. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/1/Llnjh1nd9vB53JdvRlXNtfvln3NfBVD7/
  122. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/1/BFrLVJ75FTHFTH53dRFDRBPNbPDB/
  123. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/1/y0ckaASyoggo64u2UIaGKWowYM2Am/
  124. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/1/LPt7fzRz9nJT1LnLZpft3hDNvFhFPjZ/
  125. https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/1/AAy1wBMETeZlwr6E9O/
  126.  
  127.  
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!