malware_traffic

Trickbot EXE from .png URLs as of Thursday 2019-12-26

Dec 26th, 2019
TRICKBOT EXE FROM .PNG URLS AS OF THURSDAY 2019-12-26

URLS:

- hxxp://5.182.211[.]76/images/flygame.png
- hxxp://5.182.211[.]76/images/lastimg.png
- hxxp://5.182.211[.]76/images/mini.png

NOTES:

- One of these URLs was submitted to VirusTotal on Monday 2019-12-23.
- The HTTP request for flygame.png is caused by Trickbot's mwormDll module.
- The HTTP request for lastimg.png is caused by Trickbot's tabDll module.
- The HTTP request for mini.png is caused by Trickbot's mshareDll module.
- All of these URLs returned a Windows executable file (EXE).
- Each of these Trickbot EXEs has a different gtag.
- These URLs appear to return files with different hashes every time they are retrieved.

FILE INFO:

- SHA256 hash: 430fb1394b5c2bcec4cc37eb0112d2807a24b7ea0d910efcdcd7493ca66c29d5
- File size: 352,256 bytes
- File location: hxxp://5.182.211[.]76/images/flygame.png
- File description: Windows executable file for Trickbot
- Analysis:
-- https://urlhaus.abuse.ch/url/279170/
-- https://app.any.run/tasks/588c575b-866b-44a7-9295-902c7f994784
-- https://hybrid-analysis.com/sample/430fb1394b5c2bcec4cc37eb0112d2807a24b7ea0d910efcdcd7493ca66c29d5

- SHA256 hash: 7ba2496e888beaaff008e5cc49d5e883641eb7338f4a654a54bbeb96506f1bc8
- File size: 352,256 bytes
- File location: hxxp://5.182.211[.]76/images/lastimg.png
- File description: Windows executable file for Trickbot
- Analysis:
-- https://urlhaus.abuse.ch/url/279171/
-- https://app.any.run/tasks/9fe59ad6-4270-4244-b68e-8e2d9c2d11fe
-- https://hybrid-analysis.com/sample/7ba2496e888beaaff008e5cc49d5e883641eb7338f4a654a54bbeb96506f1bc8

- SHA256 hash: 5933adae2b826dccc03edc7258fca62b4f03239436b11dac0fcecaf653db43d3
- File size: 352,256 bytes
- File location: hxxp://5.182.211[.]76/images/mini.png
- File description: Windows executable file for Trickbot
- Analysis:
-- https://urlhaus.abuse.ch/url/279172/
-- https://app.any.run/tasks/d70ba3e6-9039-4e07-996a-b0c96b85e79c
-- https://hybrid-analysis.com/sample/5933adae2b826dccc03edc7258fca62b4f03239436b11dac0fcecaf653db43d3
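
DETECTION EXAMPLE (added here, not part of the original paste):

Because the notes say the hash changes on every retrieval, a hash match is a weak indicator; the stable trait is an image-named URL whose body is a Windows PE file. The sketch below checks for that mismatch. The host, paths, helper names and sample bytes are all constructed assumptions.

```python
import hashlib
import struct
from urllib.parse import urlsplit

# Leading magic bytes expected for each image extension.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

def is_pe(body: bytes) -> bool:
    """True if body has an MZ header whose e_lfanew points at a PE signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def check_response(url: str, body: bytes):
    """Return a finding if an image-named URL delivered a PE file, else None."""
    path = urlsplit(url).path.lower()
    ext = next((e for e in IMAGE_MAGIC if path.endswith(e)), None)
    if ext is None or body.startswith(IMAGE_MAGIC[ext]):
        return None  # not an image URL, or the body really is that image type
    if not is_pe(body):
        return None
    return {"url": url, "claimed": ext, "actual": "PE",
            "sha256": hashlib.sha256(body).hexdigest()}

def make_pe_stub(filler: bytes) -> bytes:
    """Constructed test input: minimal MZ/PE header plus arbitrary filler."""
    header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
    return header.ljust(0x80, b"\x00") + b"PE\x00\x00" + filler

# Constructed sample responses (placeholder host and paths).
SAMPLES = [
    ("http://host.example/images/a.png", make_pe_stub(b"build-1")),
    ("http://host.example/images/a.png", make_pe_stub(b"build-2")),
    ("http://host.example/images/logo.png", IMAGE_MAGIC[".png"] + b"\x00" * 16),
    ("http://host.example/index.html", b"<html></html>"),
]

def scan(samples):
    """Run check_response over (url, body) pairs and keep the findings."""
    return [f for f in (check_response(u, b) for u, b in samples) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Both PE stubs are flagged even though their SHA256 values differ, while the genuine PNG and the HTML page are not.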