2021-03-01 Trickbot IOCs

1. THREAT IDENTIFICATION: TRICKBOT
2.  
3. TRICKBOT GTAG
4. gtag: rob20
5.  
6. ANALYST NOTES
7. Downloaded modules:
8. pwgrab64
9. shareDll64
10. tabDll64
11. wormDll64
12.  
13. SUBJECTS OBSERVED
14. [STK] Hadfields INVOICE- Ref: 739241 A
15.  
16. SENDERS OBSERVED
17. [email protected]
18.  
19. MALDOC FILE NAMES
20. Upload_737160487_1591215127.xls
21. 4023f96dfa75f5ab44da157f085e8db1
22.  
23. Upload_747556100_1817075317.xls
24. d38d3ee1983b5d2bb504b341846f4cea
25.  
26. MALDOC FILE HASHES
27. 4023f96dfa75f5ab44da157f085e8db1
28. d38d3ee1983b5d2bb504b341846f4cea
29.  
30. TRICKBOT PAYLOAD URLS
31. http://beachtreepestcontrol.com/viewer/counter.php
32.  
33. TRICKBOT PAYLOAD FILE HASHES
34. 10.counter
35. 5e3ac60f9af6bd3b89111fc54fb64293
36.  
37. TRICKBOT C2
38. https://103.76.20.226
39. https://114.34.226.52:447
40.  
41. TRICKBOT ADDITONAL PAYLOAD URL
42. http://194.5.249.113/images/control.png
43.  
44. ADDITIONAL PAYLOAD FILE HASH
45. control.png
46. 7546faae3f2b31e132ea54ac9fabdd15
47.  
48. FIDDLER TRAFFIC CAPTURE
49. http://beachtreepestcontrol.com/viewer/counter.php
50. http://0php/
51. http://179.191.108.58:449
52. http://190.152.71.230:443
53. http://103.76.20.226:443
54. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/5/kps/
55. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/0/Windows%207%20x64%20SP1/1104/62.182.99.61/B7E4CBA0AC3BFD329AB910D91B19E896CD3FC46BD43AB29ED7A447624A92BB20/lvHnrrDdvzXXtxxJJf5ddzz3LPllNj/
56. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/14/user/analyst/0/
57. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/14/path/C:%5CUsers%5Canalyst%5CAppData%5CRoaming%5CWInternetDownloadManager8868080426%5Cmwgrtfem.dwn/0/
58. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/23/2000026/
59. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/14/DNSBL/not%20listed/0/
60. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/14/NAT%20status/client%20is%20behind%20NAT/0/
61. https://114.34.226.52:447/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/5/pwgrab64/
62. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/5/dpost/
63. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/64/pwgrab/VERS//
64. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/10/62/VPXZFFBXPHLLBNZFFVV/1/
65. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/IQUEyiSUEyiSCEyiSCwyiSCwgiSC/
66. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/10/62/541889/1/
67. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/64/pwgrab/DEBG//
68. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/14/pwgrab/sTart%20pwgrab%20working/0/
69. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/64/pwgrab/DPST//
70. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/EJMe0Qi4Um8QmCUqGYuKcyGc2Kg6Ok2/
71. https://114.34.226.52:447/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/5/tabDll64/
72. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/64/tabDll/InfMach/infect/
73. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/10/62/541904/1/
74. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/63/tabDll/infect///
75. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/14/tabDll64/reload1/0/
76. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/9LRhJZl1VhxDp1pP1/
77. https://114.34.226.52:447/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/5/wormDll64/
78. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/10/62/541910/1/
79. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/63/wormDll/infect///
80. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/lJxZFjL1V7bDtNzf9lFvX1dJnP5Z/
81. https://114.34.226.52:447/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/5/shareDll64/
82. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/10/62/541911/1/
83. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/63/shareDll/infect///
84. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/xZ9vLvh7dTtPf5fRrRDd/
85. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/ZDRfhhfhhfhhffdf/
86. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/D1wQ2WCoIya4gMqSwcEiO0U6a/
87. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/vXnR5N1bFtBpT3hLdHvV9n5j/
88. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/DpHpPXFB9DvVDLXFxxfJFd/
89. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/mlWcACkqsQSY68EmoMSU2/
90. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/ZPNVlTBXFtnvZHDL3tbfbJ1Hz/
91. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/1phdbZPNLxvt3hfdZDB/
92. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/06tf9dPtN9dTtN9d7tNDd/
93. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/gKKGmIoIoKqMqMsOuQuQwSy/
94. https://103.76.20.226/rob20/WIN7PC_W617601.23367CF7354BBEE6FF12C3FBD39F9351/1/rjfBTbtl3LHLdvb5Nf/
95.  
96. SUPPORTING EVIDENCE
97. https://urlhaus.abuse.ch/browse.php?search=http%3A%2F%2Fbeachtreepestcontrol.com%2Fviewer%2Fcounter.php
98. https://urlhaus.abuse.ch/browse.php?search=control.png
99.