Trickbot propagation URLs (and EXEs) on Thursday 2020-05-28

1. TRICKBOT PROPAGATION URLS (AND EXES) ON THURSDAY 2020-05-28
2.  
3. URLS:
4.  
5. - hxxp://162.216.0[.]163/ico/VidT6cErs
6. - hxxp://162.216.0[.]163/images/cursor.png
7. - hxxp://162.216.0[.]163/images/imgpaper.png
8. - hxxp://162.216.0[.]163/images/redcar.png
9.  
10. NOTES:
11.  
12. - The HTTP request for VidT6cErs is caused by Trickbot's nwormDll module (jim-series gtag).
13. - The HTTP request for cursor.png is caused by Trickbot's mshareDll module (tot-series gtag).
14. - The HTTP request for imgpaper.png is caused by Trickbot's tabDll module (lib-series gtag).
15. - The HTTP request for redcar.png was caused by Trickbot's old mwormDll module, but it can still retrieve Trickbot EXEs with jim-series gtags, presumably with associated with the new nwormDll module.
16.  
17. More info on the new "nworm" module used by Trickbot:
18.  
19. - https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/
20.  
21. $ file *.png
22. VidT6cErs: data
23. cursor.png: PE32 executable (GUI) Intel 80386, for MS Windows
24. imgpaper.png: PE32 executable (GUI) Intel 80386, for MS Windows
25. redcar.png: PE32 executable (GUI) Intel 80386, for MS Windows
26.  
27. FILE INFO:
28.  
29. - SHA256 hash: 7afa5dec9cd50b65cc272965bff7ed474fd15599cfb9eff3f86fdc41671e2612
30. - File size: 359,424 bytes
31. - File location: hxxp://162.216.0[.]163/ico/VidT6cErs
32. - File description: encoded binary (not an executable) associated with nwormDll for Trickbot, gtag jim734
33. - Analysis:
34. -- https://urlhaus.abuse.ch/url/371429/
35. -- https://app.any.run/tasks/d2d8e69a-02da-41ac-87a0-f6b6e471a292
36. -- https://capesandbox.com/analysis/5230/
37. -- https://www.hybrid-analysis.com/sample/7afa5dec9cd50b65cc272965bff7ed474fd15599cfb9eff3f86fdc41671e2612
38.  
39. - SHA256 hash: d49371ff32fb4581d091429a990b972465c7bcc47a2877ba91e7fb64f1843ce3
40. - File size: 503,808 bytes
41. - File location: hxxp://162.216.0[.]163/images/cursor.png
42. - File description: Windows executable file associated with mshareDll for Trickbot, gtag tot734
43. - Analysis:
44. -- https://urlhaus.abuse.ch/url/371428/
45. -- https://app.any.run/tasks/d466b4f5-6ecd-4c88-8e6e-437048f1a061
46. -- https://capesandbox.com/analysis/5220/
47. -- https://www.hybrid-analysis.com/sample/d49371ff32fb4581d091429a990b972465c7bcc47a2877ba91e7fb64f1843ce3
48.  
49. - SHA256 hash: 80cacb103845c0788affd5df5923c6973816ae87c285befee05c6c336fe29b2a
50. - File size: 503,808 bytes
51. - File location: hxxp://162.216.0[.]163/images/imgpaper.png
52. - File description: Windows executable file associated with tabDll for Trickbot, gtag lib734
53. - Analysis:
54. -- https://urlhaus.abuse.ch/url/371427/
55. -- https://app.any.run/tasks/ed45d774-f541-494f-83b7-b991c79e0867/
56. -- https://capesandbox.com/analysis/5221/
57. -- https://www.hybrid-analysis.com/sample/80cacb103845c0788affd5df5923c6973816ae87c285befee05c6c336fe29b2a
58.  
59. - SHA256 hash: 008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e
60. - File size: 516,096 bytes
61. - File location: hxxp://162.216.0[.]163/images/redcar.png
62. - File description: Windows executable file for Trickbot, gtag jim734 (URL associated with the old "mworm" module)
63. - Analysis:
64. -- https://urlhaus.abuse.ch/url/371433/
65. -- https://app.any.run/tasks/c68ca39d-c046-49ee-b764-5be7cea148f1/
66. -- https://capesandbox.com/analysis/5226/
67. -- https://www.hybrid-analysis.com/sample/008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e