malware_traffic

Trickbot propagation URLs (and EXEs) on Thursday 2020-05-28

May 28th, 2020
TRICKBOT PROPAGATION URLS (AND EXES) ON THURSDAY 2020-05-28

URLS:

- hxxp://162.216.0[.]163/ico/VidT6cErs
- hxxp://162.216.0[.]163/images/cursor.png
- hxxp://162.216.0[.]163/images/imgpaper.png
- hxxp://162.216.0[.]163/images/redcar.png

NOTES:

- The HTTP request for VidT6cErs is caused by Trickbot's nwormDll module (jim-series gtag).
- The HTTP request for cursor.png is caused by Trickbot's mshareDll module (tot-series gtag).
- The HTTP request for imgpaper.png is caused by Trickbot's tabDll module (lib-series gtag).
- The HTTP request for redcar.png was caused by Trickbot's old mwormDll module, but it can still retrieve Trickbot EXEs with jim-series gtags, presumably associated with the new nwormDll module.

More info on the new "nworm" module used by Trickbot:

- https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/

$ file *.png
VidT6cErs: data
cursor.png: PE32 executable (GUI) Intel 80386, for MS Windows
imgpaper.png: PE32 executable (GUI) Intel 80386, for MS Windows
redcar.png: PE32 executable (GUI) Intel 80386, for MS Windows

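As an added defender-side example (not part of this paste), the Python below refangs the URLs listed above and flags a download when it is one of those URLs or when a PE file is retrieved under an image extension, which is exactly the mismatch the file output shows for the .png names. The MZ/PE body it checks against is constructed for the example, not one of the listed samples.

```python
import re
from urllib.parse import urlparse

# Defanged propagation URLs exactly as listed in this paste.
TRICKBOT_URLS = [
    "hxxp://162.216.0[.]163/ico/VidT6cErs",
    "hxxp://162.216.0[.]163/images/cursor.png",
    "hxxp://162.216.0[.]163/images/imgpaper.png",
    "hxxp://162.216.0[.]163/images/redcar.png",
]
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico"}


def refang(url: str) -> str:
    """Turn a defanged IOC (hxxp, [.]) back into a matchable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")


KNOWN_BAD = {refang(u) for u in TRICKBOT_URLS}


def extension(url: str) -> str:
    """Lower-cased extension of the URL's last path segment ('' if none)."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def looks_like_pe(body: bytes) -> bool:
    """True if body has an MZ stub and a PE\\0\\0 signature at e_lfanew."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(url: str, body: bytes) -> list[str]:
    """Reasons to flag a download; an empty list means nothing matched."""
    reasons = []
    if url in KNOWN_BAD:
        reasons.append("known Trickbot propagation URL")
    if extension(url) in IMAGE_EXTS and looks_like_pe(body):
        reasons.append("PE executable served under an image extension")
    return reasons


def constructed_pe() -> bytes:
    """Constructed stand-in for the real samples: a minimal MZ/PE header."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20
```

The VidT6cErs download is flagged only by URL, matching the paste's note that it is an encoded binary rather than an executable.
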
FILE INFO:

- SHA256 hash: 7afa5dec9cd50b65cc272965bff7ed474fd15599cfb9eff3f86fdc41671e2612
- File size: 359,424 bytes
- File location: hxxp://162.216.0[.]163/ico/VidT6cErs
- File description: encoded binary (not an executable) associated with nwormDll for Trickbot, gtag jim734
- Analysis:
-- https://urlhaus.abuse.ch/url/371429/
-- https://app.any.run/tasks/d2d8e69a-02da-41ac-87a0-f6b6e471a292
-- https://capesandbox.com/analysis/5230/
-- https://www.hybrid-analysis.com/sample/7afa5dec9cd50b65cc272965bff7ed474fd15599cfb9eff3f86fdc41671e2612

- SHA256 hash: d49371ff32fb4581d091429a990b972465c7bcc47a2877ba91e7fb64f1843ce3
- File size: 503,808 bytes
- File location: hxxp://162.216.0[.]163/images/cursor.png
- File description: Windows executable file associated with mshareDll for Trickbot, gtag tot734
- Analysis:
-- https://urlhaus.abuse.ch/url/371428/
-- https://app.any.run/tasks/d466b4f5-6ecd-4c88-8e6e-437048f1a061
-- https://capesandbox.com/analysis/5220/
-- https://www.hybrid-analysis.com/sample/d49371ff32fb4581d091429a990b972465c7bcc47a2877ba91e7fb64f1843ce3

- SHA256 hash: 80cacb103845c0788affd5df5923c6973816ae87c285befee05c6c336fe29b2a
- File size: 503,808 bytes
- File location: hxxp://162.216.0[.]163/images/imgpaper.png
- File description: Windows executable file associated with tabDll for Trickbot, gtag lib734
- Analysis:
-- https://urlhaus.abuse.ch/url/371427/
-- https://app.any.run/tasks/ed45d774-f541-494f-83b7-b991c79e0867/
-- https://capesandbox.com/analysis/5221/
-- https://www.hybrid-analysis.com/sample/80cacb103845c0788affd5df5923c6973816ae87c285befee05c6c336fe29b2a

- SHA256 hash: 008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e
- File size: 516,096 bytes
- File location: hxxp://162.216.0[.]163/images/redcar.png
- File description: Windows executable file for Trickbot, gtag jim734 (URL associated with the old "mworm" module)
- Analysis:
-- https://urlhaus.abuse.ch/url/371433/
-- https://app.any.run/tasks/c68ca39d-c046-49ee-b764-5be7cea148f1/
-- https://capesandbox.com/analysis/5226/
-- https://www.hybrid-analysis.com/sample/008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e