ExecuteMalware

2021-04-29 Trickbot IOCs

Apr 29th, 2021
THREAT ATTRIBUTION: TRICKBOT

SUBJECTS OBSERVED
DocuSign Please.

SENDERS OBSERVED
xumi05701@maia.eonet.ne.jp

MALDOC FILE HASHES
Documents_426352811_571431978.xls
6099cc9b417f2902e0c01e52bd0c3a16

TRICKBOT PAYLOAD URLS
https://jrfastener.com/netmount.dll

TRICKBOT PAYLOAD FILE HASHES
isnsondlk.ksu
3f3cb269876273534664a5d37118de14

TRICKBOT GTAG
gtag: net5

TRICKBOT MODULE FILE HASHES
networkDll64
c9e79d2f60b6630116aaee9abb02a06f

shareDll64
75356318504e259a5930fb84105507ce

tabDll64
86d2499559223eb57d1b6ec878c7c30d

wormDll64
401deb42f30a0aa6d6add840f921bb29

ADDITIONAL DOWNLOADS
http://23.160.193.91/images/redbutton.png
http://23.160.193.91/images/cutscroll.png

ADDITIONAL FILE HASHES
redbutton.png
53e9a0d31d13590a26485e4ed5f2774c

cutscroll.png
bc0fda0c6d368d4bbebee5f392b1b404

TRICKBOT C2s
https://154.79.251.172:443
https://103.124.173.35:443
https://103.66.72.217:443
https://131.0.112.122:443
https://117.54.250.246:443

POST TRAFFIC
http://36.95.27.243:443/net5/WIN7PC_W617601.65B7FDBB55EDD8897BF95BD390FB3852/90
http://5.202.120.150:443/net5/WIN7PC_W617601.65B7FDBB55EDD8897BF95BD390FB3852/90
http://103.102.220.50:443/net5/WIN7PC_W617601.65B7FDBB55EDD8897BF95BD390FB3852/90