malware_traffic

Trickbot propagation URLs (and EXEs) on Thursday 2020-05-28

May 28th, 2020

URLS:

- hxxp://162.216.0[.]163/ico/VidT6cErs
- hxxp://162.216.0[.]163/images/cursor.png
- hxxp://162.216.0[.]163/images/imgpaper.png
- hxxp://162.216.0[.]163/images/redcar.png

NOTES:

- The HTTP request for VidT6cErs is caused by Trickbot's nwormDll module (jim-series gtag).
- The HTTP request for cursor.png is caused by Trickbot's mshareDll module (tot-series gtag).
- The HTTP request for imgpaper.png is caused by Trickbot's tabDll module (lib-series gtag).
- The HTTP request for redcar.png was caused by Trickbot's old mwormDll module, but it can still retrieve Trickbot EXEs with jim-series gtags, presumably associated with the new nwormDll module.

More info on the new "nworm" module used by Trickbot:

- https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/

$ file VidT6cErs *.png
VidT6cErs: data
cursor.png: PE32 executable (GUI) Intel 80386, for MS Windows
imgpaper.png: PE32 executable (GUI) Intel 80386, for MS Windows
redcar.png: PE32 executable (GUI) Intel 80386, for MS Windows

FILE INFO:

- SHA256 hash: 7afa5dec9cd50b65cc272965bff7ed474fd15599cfb9eff3f86fdc41671e2612
- File size: 359,424 bytes
- File location: hxxp://162.216.0[.]163/ico/VidT6cErs
- File description: encoded binary (not an executable) associated with nwormDll for Trickbot, gtag jim734
- Analysis:
-- https://urlhaus.abuse.ch/url/371429/
-- https://app.any.run/tasks/d2d8e69a-02da-41ac-87a0-f6b6e471a292
-- https://capesandbox.com/analysis/5230/
-- https://www.hybrid-analysis.com/sample/7afa5dec9cd50b65cc272965bff7ed474fd15599cfb9eff3f86fdc41671e2612

- SHA256 hash: d49371ff32fb4581d091429a990b972465c7bcc47a2877ba91e7fb64f1843ce3
- File size: 503,808 bytes
- File location: hxxp://162.216.0[.]163/images/cursor.png
- File description: Windows executable file associated with mshareDll for Trickbot, gtag tot734
- Analysis:
-- https://urlhaus.abuse.ch/url/371428/
-- https://app.any.run/tasks/d466b4f5-6ecd-4c88-8e6e-437048f1a061
-- https://capesandbox.com/analysis/5220/
-- https://www.hybrid-analysis.com/sample/d49371ff32fb4581d091429a990b972465c7bcc47a2877ba91e7fb64f1843ce3

- SHA256 hash: 80cacb103845c0788affd5df5923c6973816ae87c285befee05c6c336fe29b2a
- File size: 503,808 bytes
- File location: hxxp://162.216.0[.]163/images/imgpaper.png
- File description: Windows executable file associated with tabDll for Trickbot, gtag lib734
- Analysis:
-- https://urlhaus.abuse.ch/url/371427/
-- https://app.any.run/tasks/ed45d774-f541-494f-83b7-b991c79e0867/
-- https://capesandbox.com/analysis/5221/
-- https://www.hybrid-analysis.com/sample/80cacb103845c0788affd5df5923c6973816ae87c285befee05c6c336fe29b2a

- SHA256 hash: 008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e
- File size: 516,096 bytes
- File location: hxxp://162.216.0[.]163/images/redcar.png
- File description: Windows executable file for Trickbot, gtag jim734 (URL associated with the old "mworm" module)
- Analysis:
-- https://urlhaus.abuse.ch/url/371433/
-- https://app.any.run/tasks/c68ca39d-c046-49ee-b764-5be7cea148f1/
-- https://capesandbox.com/analysis/5226/
-- https://www.hybrid-analysis.com/sample/008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e
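An added triage helper, not part of the original paste, that ties the URL list to the NOTES and FILE INFO above: it flags requests for the four paths in squid-style proxy log lines and labels each hit with the module and gtag from the notes, reproduces the PE32-versus-data distinction that `file` drew, and matches a retrieved payload's SHA256 against the hashes listed. The log layout, the sample log lines and the minimal PE header are constructed for illustration; only the host, paths, modules, gtags, sizes and hashes come from the paste.

```python
import hashlib
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Host and paths transcribed from the paste; the defanged host is re-fanged for matching.
HOST = "162.216.0[.]163".replace("[.]", ".")


@dataclass(frozen=True)
class Indicator:
    path: str     # URL path on HOST
    module: str   # Trickbot module that issues the request (per the NOTES above)
    gtag: str     # gtag of the payload served on 2020-05-28
    sha256: str   # SHA256 of that payload
    size: int     # size in bytes of that payload


INDICATORS = {i.path: i for i in (
    Indicator("/ico/VidT6cErs", "nwormDll", "jim734",
              "7afa5dec9cd50b65cc272965bff7ed474fd15599cfb9eff3f86fdc41671e2612", 359424),
    Indicator("/images/cursor.png", "mshareDll", "tot734",
              "d49371ff32fb4581d091429a990b972465c7bcc47a2877ba91e7fb64f1843ce3", 503808),
    Indicator("/images/imgpaper.png", "tabDll", "lib734",
              "80cacb103845c0788affd5df5923c6973816ae87c285befee05c6c336fe29b2a", 503808),
    Indicator("/images/redcar.png", "mwormDll (old URL)", "jim734",
              "008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e", 516096),
)}

# Assumed squid native access.log layout: time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
URL_RE = re.compile(r"^https?://([^/:\s]+)(?::\d+)?(/[^?#\s]*)")


def scan_proxy_log(lines):
    """Return (client, path, module, gtag) for every request to one of the listed URLs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        u = URL_RE.match(m.group("url"))
        if not u or u.group(1) != HOST:
            continue  # the same path on another host is not this indicator
        ind = INDICATORS.get(u.group(2))
        if ind:
            hits.append((m.group("client"), ind.path, ind.module, ind.gtag))
    return hits


def classify_payload(data: bytes) -> str:
    """Mirror the distinction `file` drew above: PE32 GUI executable versus opaque data."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "data"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "data"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]            # IMAGE_FILE_MACHINE_*
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]             # optional header magic
    subsystem = struct.unpack_from("<H", data, e_lfanew + 24 + 68)[0]    # IMAGE_SUBSYSTEM_*
    if machine != 0x14C or magic != 0x10B:
        return "PE executable (not PE32/i386)"
    kind = "GUI" if subsystem == 2 else "console" if subsystem == 3 else "subsystem %d" % subsystem
    return "PE32 executable (%s) Intel 80386" % kind


def find_indicator(sha256_hex: str) -> Optional[Indicator]:
    for ind in INDICATORS.values():
        if ind.sha256 == sha256_hex.lower():
            return ind
    return None


def triage_payload(data: bytes) -> dict:
    """Hash a retrieved payload and report what it is and whether it is a listed sample."""
    digest = hashlib.sha256(data).hexdigest()
    ind = find_indicator(digest)
    return {"sha256": digest, "size": len(data), "kind": classify_payload(data),
            "listed_as": "%s gtag %s" % (ind.module, ind.gtag) if ind else None}


# Constructed inputs (not real traffic or samples): a minimal PE32 GUI header and log lines.
def fake_pe32_gui() -> bytes:
    buf = bytearray(0x40 + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x14C)         # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, 0x40 + 24, 0x10B)    # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    struct.pack_into("<H", buf, 0x40 + 24 + 68, 2)   # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(buf)


SAMPLE_LOG = [
    "1590678001.123    245 10.0.0.25 TCP_MISS/200 359880 GET http://162.216.0.163/ico/VidT6cErs - HIER_DIRECT/162.216.0.163 application/octet-stream",
    "1590678002.456    310 10.0.0.25 TCP_MISS/200 504212 GET http://162.216.0.163/images/cursor.png - HIER_DIRECT/162.216.0.163 image/png",
    "1590678003.789     12 10.0.0.31 TCP_MISS/200 1024 GET http://example.com/images/cursor.png - HIER_DIRECT/93.184.216.34 image/png",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("client %s fetched %s -> %s, gtag %s" % hit)
    print(triage_payload(fake_pe32_gui()))
    print(triage_payload(b"\x17" * 64))
```

The third sample line requests the same `/images/cursor.png` path from an unrelated host and is deliberately not flagged; the hash lookup, not the size or the `.png` extension, is what confirms a retrieved file is one of the samples listed above.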