- THREAT IDENTIFICATION: TRICKBOT
- TRICKBOT GTAG
- gtag: rob59
- SUBJECTS OBSERVED
- DocuSign: Contract # 18264
- DocuSign: Contract # 3844
- SENDERS OBSERVED
- steve@curbhuggers.com
- MALDOC FILE HASHES (MD5)
- Sign_1122909780-1482301699.xls
- 5210bb023dd17deb4ef356a19cd81db7
- Sign_1003875156-920007929.xls
- adb7ee67f5846ec880190a91878f2958
- TRICKBOT PAYLOAD URLS
- http://artifkt.com/okmobi/certificate.php
- TRICKBOT PAYLOAD FILE HASHES (MD5)
- 10.fbr
- 853c5f48616fd2afd63e487d197c9796
- TRICKBOT C2
- http://108.170.20.75:443
- http://110.39.160.66:447
- http://185.118.15.137:447
- http://186.137.85.76:443
- http://200.52.147.93:443
- http://222.124.7.150:447
- http://36.94.113.249:447
- TRICKBOT ADDITIONAL DOWNLOAD FILE HASH (MD5)
- pwgrab64
- 783802a08864d86405a99adc3ca0179e
- TRICKBOT CONFIG FILE (MD5)
- opera_shutdown_ms.txt
- 0d2a3e13ac22198b62134ffa0c880ed7
- ADDITIONAL IOCs
- Here's what Fiddler captured during the run:
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/0/Windows%207%20x64%20SP1/1103/62.182.99.35/B7E4CBA0AC3BFD329AB910D91B19E896CD3FC46BD43AB29ED7A447624A92BB20/PXJtvJf1xRh35TpB7/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/1/1HLlH9ZBhZXPvnrpLDx39R/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/1/3rHBhljH99pjFJHphhNHnrpNF/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/1/AwLAYY65JJ1qEEmlz/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/1/jtzNjpxVln5Tpv3brt/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/1/NZ3NN51fLvflBtPFnjFDzZ9TpB/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/1/rVb7hrDN9pR5fpBL7nDdvtjbBbX/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/1/rzV1nJZvV1HpZ5LbHnrbLrNN3/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/1/v3LV7nx7rPhrT9JTDl3DpVfpZ7/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/1/xl0flTNY8qGv1jdoO6WBHzt/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/10/62/TRRFHFLXTZB/1/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/14/DNSBL/not%20listed/0/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/14/NAT%20status/client%20is%20behind%20NAT/0/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/14/path/C:%5CUsers%5Canalyst%5CAppData%5CRoaming%5CQNetMonitor2686282466%5CamNDksgk.rrd/0/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/14/user/analyst/0/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/23/100011/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/5/dpost/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/5/file/
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/64/pwgrab/DEBG//
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/64/pwgrab/DPST//
- https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/64/pwgrab/VERS//
- https://222.124.7.150:447/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/5/pwgrab64/
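The captured URLs all follow one path layout: /gtag/client_id/command/args..., where the client_id is hostname_W<os build>.<32 hex chars>. The parser below is an added example (not code from the paste or from any TrickBot analysis tool) that splits that layout so the beacons can be turned into detections or a quick triage summary. The sample URLs are a constructed subset of the capture above; the command-number labels in COMMAND_LABELS are assumptions taken from public TrickBot reporting, not something this paste states.

```python
"""Parse TrickBot C2 beacon URLs of the layout seen in the Fiddler capture."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample: a subset of the captured URLs from this paste, plus one
# non-matching URL to show the parser rejecting it.
SAMPLE_URLS = [
    "https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/0/Windows%207%20x64%20SP1/1103/62.182.99.35/B7E4CBA0AC3BFD329AB910D91B19E896CD3FC46BD43AB29ED7A447624A92BB20/PXJtvJf1xRh35TpB7/",
    "https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/1/1HLlH9ZBhZXPvnrpLDx39R/",
    "https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/14/path/C:%5CUsers%5Canalyst%5CAppData%5CRoaming%5CQNetMonitor2686282466%5CamNDksgk.rrd/0/",
    "https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/14/user/analyst/0/",
    "https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/23/100011/",
    "https://200.52.147.93/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/64/pwgrab/DEBG//",
    "https://222.124.7.150:447/rob59/WIN7PC_W617601.B055FB70DF37D903BF0FBB37DFB9E977/5/pwgrab64/",
    "https://example.invalid/rob59/notaclientid/1/",  # constructed non-beacon
]

# Path layout: /<gtag>/<client_id>/<command>/<arg>/<arg>/...
# client_id = <hostname>_W<os build>.<32 uppercase hex chars>
BEACON_RE = re.compile(
    r"^/(?P<gtag>[^/]+)/(?P<client_id>[^/]+?_W\d+\.[0-9A-F]{32})/(?P<command>\d+)(?:/(?P<args>.*))?$"
)

# Assumption: labels from public TrickBot reporting, not from this paste.
COMMAND_LABELS = {
    0: "initial registration",
    1: "keep-alive / task poll",
    5: "module or config request",
    10: "log message",
    14: "system info key/value",
    23: "config version",
    64: "module (pwgrab) status",
}


def parse_beacon(url):
    """Return the beacon fields for a TrickBot-style URL, or None if it does not match."""
    parts = urlsplit(url)
    m = BEACON_RE.match(parts.path)
    if not m:
        return None
    raw_args = m.group("args") or ""
    # Drop empty segments (trailing "/" and the "//" seen on the pwgrab URLs)
    args = [unquote(a) for a in raw_args.split("/") if a]
    return {
        "host": parts.hostname,
        "port": parts.port or 443,          # https default when no explicit port
        "gtag": m.group("gtag"),
        "client_id": m.group("client_id"),
        "command": int(m.group("command")),
        "args": args,
    }


def summarize(urls):
    """Aggregate C2 endpoints, gtags, client IDs and command counts across a capture."""
    parsed = [p for p in map(parse_beacon, urls) if p]
    return {
        "c2": {f"{p['host']}:{p['port']}" for p in parsed},
        "gtags": {p["gtag"] for p in parsed},
        "client_ids": {p["client_id"] for p in parsed},
        "commands": Counter(p["command"] for p in parsed),
    }


def system_info(urls):
    """Collect the key/value pairs the bot reported via command 14 (e.g. path, user)."""
    info = {}
    for p in filter(None, map(parse_beacon, urls)):
        if p["command"] == 14 and len(p["args"]) >= 2:
            info[p["args"][0]] = p["args"][1]
    return info


if __name__ == "__main__":
    s = summarize(SAMPLE_URLS)
    print("C2:", sorted(s["c2"]))
    print("gtags:", sorted(s["gtags"]))
    for cmd, n in sorted(s["commands"].items()):
        print(f"command {cmd:>2} x{n}  {COMMAND_LABELS.get(cmd, 'unknown')}")
    print("reported system info:", system_info(SAMPLE_URLS))
```

The client_id regex is the useful detection primitive: a hostname, an underscore-W plus build number, a dot and 32 hex characters as the second path segment is distinctive enough to match in proxy logs without depending on the gtag, which changes per campaign.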