malware_traffic

Trickbot EXE from .png URLs as of Thursday 2019-12-19

Dec 19th, 2019
TRICKBOT EXE FROM .PNG URLS AS OF THURSDAY 2019-12-19

URLS:

- hxxp://64.44.51[.]114/images/flygame.png
- hxxp://64.44.51[.]114/images/lastimg.png
- hxxp://64.44.51[.]114/images/mini.png

NOTES:

- The http request for flygame.png is caused by Trickbot's mwormDll module.
- The http request for lastimg.png is caused by Trickbot's tabDll module.
- The http request for mini.png is caused by Trickbot's mshareDll module.
- All of these URLs returned a Windows executable file (EXE).
- Each of these Trickbot EXEs has a different gtag.
- I think these are different file hashes every time they are retrieved.

FILE INFO:

- SHA256 hash: bd1bf7a54c085859287ee903d63ed47c4f2d089fee49a3bd2a63a16eb9af4205
- File size: 643,198 bytes
- File location: hxxp://64.44.51[.]114/images/flygame.png
- File description: Windows executable file for Trickbot
- Analysis:
-- https://urlhaus.abuse.ch/url/273261/
-- https://app.any.run/tasks/0869a11e-a21f-43e5-8a56-be1a4f3220bd
-- https://hybrid-analysis.com/sample/bd1bf7a54c085859287ee903d63ed47c4f2d089fee49a3bd2a63a16eb9af4205

- SHA256 hash: 8f4e7faf3b46423d0b7412e63459b1ff24a1f2c80e4754926eefa40c8fe6e4a1
- File size: 643,198 bytes
- File location: hxxp://64.44.51[.]114/images/lastimg.png
- File description: Windows executable file for Trickbot
- Analysis:
-- https://urlhaus.abuse.ch/url/273262/
-- https://app.any.run/tasks/58373d87-5399-409f-a95b-04390b0909d2
-- https://hybrid-analysis.com/sample/8f4e7faf3b46423d0b7412e63459b1ff24a1f2c80e4754926eefa40c8fe6e4a1

- SHA256 hash: 38484ecbe01f1f043dfa4ff187e12e704716d57309309f85c47ef8f56dc0a6bc
- File size: 643,198 bytes
- File location: hxxp://64.44.51[.]114/images/mini.png
- File description: Windows executable file for Trickbot
- Analysis:
-- https://urlhaus.abuse.ch/url/273263/
-- https://app.any.run/tasks/eb2f4a46-6b78-4f8a-8aca-e57933911ef5
-- https://hybrid-analysis.com/sample/38484ecbe01f1f043dfa4ff187e12e704716d57309309f85c47ef8f56dc0a6bc
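
ADDED EXAMPLE (not part of the original paste): a Python check for the pattern in the notes above, where a URL path ends in an image extension but the response body is a Windows executable. Function names, the extension list and all sample data are assumptions constructed for illustration; sample hosts use the 192.0.2.0/24 documentation range.

```python
import posixpath
import struct
from urllib.parse import urlparse

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Assumed list of URL path extensions that should never carry a PE file.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".ico"}


def is_pe(body: bytes) -> bool:
    """True if body has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(body: bytes) -> str:
    """Classify a response body by its leading bytes, ignoring URL and headers."""
    if is_pe(body):
        return "pe"
    if body.startswith(PNG_MAGIC):
        return "png"
    return "other"


def exe_behind_image_url(url: str, body: bytes) -> bool:
    """Flag a response whose URL looks like an image but whose body is a PE."""
    ext = posixpath.splitext(urlparse(url).path.lower())[1]
    return ext in IMAGE_EXTS and sniff(body) == "pe"


def constructed_pe_stub() -> bytes:
    # Constructed sample: 64-byte DOS header, e_lfanew = 0x40, then the PE signature.
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


SAMPLES = [  # constructed (url, body) pairs, not captured traffic
    ("http://192.0.2.10/images/sample.png", constructed_pe_stub()),
    ("http://192.0.2.10/images/logo.png", PNG_MAGIC + b"\x00\x00\x00\rIHDR"),
    ("http://192.0.2.10/files/setup.exe", constructed_pe_stub()),
    ("http://192.0.2.10/images/text.png", b"MZ but no PE signature".ljust(80, b"\x00")),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(f"{url:40} sniffed={sniff(body):5} flag={exe_behind_image_url(url, body)}")
```

Because the check keys on content rather than on a file hash, it still applies when the hash changes between retrievals.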