- THREAT ATTRIBUTION: TRICKBOT - gtag:ono52
- SUBJECTS OBSERVED
  - Credit and Reissued Invoice 12878
  - Credit and Reissued Invoice 44231
  - Credit and Reissued Invoice 45014
  - Credit and Reissued Invoice 54543
  - Credit and Reissued Invoice 64975
  - Credit and Reissued Invoice 86673
- SENDERS OBSERVED
  - aquick@cguhsd[.]org
  - blpachecolo@uide[.]edu[.]ec
  - CDHIXON39@RANGERS[.]NWOSU[.]EDU
  - cyril[.]leite@viacesi[.]fr
  - E1151@365office[.]one
  - stigrero@agroproduzca[.]com[.]ec
- EMAIL BODY
  - Good morning,
  - See attached for credit note and invoice request for your approval. Information regarding the reasons for the credit note is below in the email chain.
  - AR,
  - On Ellen's approval, please raise the credit note and invoice.
  - Please note the request in both documents where the number for each document is to be referenced in the other. If you have any questions don't hesitate to ask.
  - Thanks,
- MALDOC FILE HASHES
  - CreditNote (1377).xls: 15985bae9492afba65bf71ecefa1980a
  - fddr_1660.xls: 8de84c345735147bea7d024afd15a0b6
  - fddr_1699.xls: 40ad66f4e94b9917659cce3d7e62b5cb
- TRICKBOT PAYLOAD FILE HASHES
  - 832o7n8n9n0m0[.]exe: 4f471b6c788cabc4d520028360bb494d
  - Saw this when I ran it in my sandbox:
  - dZOiYPd[.]exe: 09f273b309d070247e3118c525e7b0b4
- SECONDARY DOWNLOAD FILE HASHES
  - cursor[.]png: 816a5be6fad59f4abf7dc87ee9a37587
  - imgpaper[.]png: ac63ac867af3aaf2c3d6e1ffaf3654ea
- TRICKBOT PAYLOAD URLS
  - hxxps://www[.]ruths-brownies[.]com/adbanner/ololomadam[.]php
- SECONDARY PAYLOAD URLS
  - hxxp://5[.]182[.]210[.]136/images/cursor[.]png
  - hxxp://5[.]182[.]210[.]136/images/imgpaper[.]png
- TRICKBOT C2
  - hxxp://170[.]238[.]117[.]187:8082/ono52/WIN7PC_W617601[.]5851ABB11A8412C201F720DC1508EBCF/81/
  - hxxp://203[.]176[.]135[.]102:8082/ono52/WIN7PC_W617601[.]5851ABB11A8412C201F720DC1508EBCF/90