malware_traffic

Trickbot propagation URLs on Tuesday 2020-06-23

Jun 23rd, 2020
TRICKBOT PROPAGATION URLS ON TUESDAY 2020-06-23

URLS:

- hxxp://23.95.231[.]200/ico/VidT6cErs
- hxxp://23.95.231[.]200/images/cursor.png
- hxxp://23.95.231[.]200/images/imgpaper.png

NOTES:

- These URLs were noted as early as Tuesday 2020-06-23.
- These URLs appear to return a different file hash each time they are queried, so the SHA256 hashes listed below identify only the copies retrieved for this paste; pivot on the URL and IP address rather than on the hashes.

- The HTTP request for VidT6cErs is caused by Trickbot's nwormDll module (jim-series gtag).
- The HTTP request for cursor.png is caused by Trickbot's mshareDll module (tot-series gtag).
- The HTTP request for imgpaper.png is caused by Trickbot's tabDll module (lib-series gtag).

More info on the new "nworm" module used by Trickbot:

- https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/

$ file *
VidT6cErs: data
cursor.png: PE32 executable (GUI) Intel 80386, for MS Windows
imgpaper.png: PE32 executable (GUI) Intel 80386, for MS Windows
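
The following is an added example from the editor, not code from the original paste. It shows how a defender would use the indicators above: refang the defanged URLs, hunt for them in proxy logs by host and path (not by hash, since the paste notes the served file's hash changes on every fetch), and flag "image" downloads whose bytes are really a PE file, which is what the `file` output above shows for cursor.png and imgpaper.png. The indicator list and module attribution come from the paste; the proxy log lines, the log field layout, the response bodies and all helper names are constructed here for illustration.

```python
"""Hunt for the Trickbot propagation URLs above in proxy logs and flag
"image" downloads whose bytes are really a PE file.

Editor-added example, not code from the original paste. The indicator
list and module attribution come from the paste; the proxy log lines,
the log field layout and the sample response bodies are constructed.
"""
import re
from typing import Dict, List, Tuple

# Indicators exactly as defanged in the paste.
DEFANGED_URLS = [
    "hxxp://23.95.231[.]200/ico/VidT6cErs",
    "hxxp://23.95.231[.]200/images/cursor.png",
    "hxxp://23.95.231[.]200/images/imgpaper.png",
]

# Which Trickbot module issues each request, per the paste's notes.
MODULE_BY_PATH = {
    "/ico/VidT6cErs": "nwormDll (jim-series gtag)",
    "/images/cursor.png": "mshareDll (tot-series gtag)",
    "/images/imgpaper.png": "tabDll (lib-series gtag)",
}


def refang(url: str) -> str:
    """Turn hxxp://1.2.3[.]4/x back into a real URL string."""
    return re.sub(r"^hxxp", "http", url).replace("[.]", ".").replace("[:]", ":")


def split_url(url: str) -> Tuple[str, str]:
    """Return (host, path); the path defaults to '/' when absent."""
    m = re.match(r"^https?://([^/?#]+)(/[^?#]*)?", url)
    if not m:
        raise ValueError(f"not an http(s) URL: {url}")
    return m.group(1).lower(), m.group(2) or "/"


# Match on host+path and on host alone: the paste notes the served file's
# hash changes on every fetch, so hash-based IOCs would miss repeat downloads.
URL_IOCS = {split_url(refang(u)) for u in DEFANGED_URLS}
HOST_IOCS = {host for host, _ in URL_IOCS}

# Constructed proxy log: "<ts> <client> <method> <url> <status> <bytes>".
SAMPLE_PROXY_LOG = """\
2020-06-23T14:02:11Z 10.0.0.45 GET http://23.95.231.200/ico/VidT6cErs 200 105668
2020-06-23T14:02:13Z 10.0.0.45 GET http://23.95.231.200/images/cursor.png 200 316928
2020-06-23T14:02:15Z 10.0.0.45 GET http://www.example.com/images/cursor.png 200 1024
2020-06-23T14:03:40Z 10.0.0.71 GET http://23.95.231.200/images/imgpaper.png 200 316928
2020-06-23T14:05:02Z 10.0.0.71 GET http://23.95.231.200/favicon.ico 404 0
"""


def hunt(log_text: str) -> List[Dict[str, str]]:
    """One hit per log line touching an IOC URL (match=url) or only the
    IOC host (match=host: lower confidence, but worth triage)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line: skip it rather than abort the hunt
        ts, client, _method, url, _status, _size = fields[:6]
        host, path = split_url(url)
        if (host, path) in URL_IOCS:
            hits.append({"ts": ts, "client": client, "url": url,
                         "match": "url", "module": MODULE_BY_PATH[path]})
        elif host in HOST_IOCS:
            hits.append({"ts": ts, "client": client, "url": url,
                         "match": "host", "module": "unknown"})
    return hits


# The paste's `file` output shows cursor.png and imgpaper.png are PE32
# executables, so classify what was served, not what the filename claims.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "bmp", "ico"}


def sniff(body: bytes) -> str:
    """Coarse type from magic bytes: 'png', 'pe' or 'data'."""
    if body.startswith(PNG_MAGIC):
        return "png"
    if body[:2] == b"MZ":
        return "pe"
    return "data"


def disguised_executable(path: str, body: bytes) -> bool:
    """True when the path claims an image but the bytes are a PE file."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in IMAGE_EXTS and sniff(body) == "pe"


# Constructed response bodies standing in for the real downloads.
SAMPLE_BODIES = {
    "/images/cursor.png": b"MZ\x90\x00" + b"\x00" * 56 + b"\x40\x00\x00\x00",
    "/images/imgpaper.png": b"MZ\x90\x00" + b"\x00" * 56 + b"\x40\x00\x00\x00",
    "/ico/VidT6cErs": b"\x8a\x13\xf7\x42\x9c\x01\x55\xde",  # opaque encoded blob
    "/images/logo.png": PNG_MAGIC + b"\x00\x00\x00\x0dIHDR",  # genuine PNG
}


if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['match']:4} {hit['url']}  [{hit['module']}]")
    for path, body in SAMPLE_BODIES.items():
        flag = "  <-- PE served under an image name" if disguised_executable(path, body) else ""
        print(f"{path}: {sniff(body)}{flag}")
```

Run as-is to see three URL hits attributed to their modules, one host-only hit for the 404 on favicon.ico from the same server, and both "png" downloads flagged as PE files. Against a real log, swap SAMPLE_PROXY_LOG for the file contents and adjust the field order in hunt(); the host-only tier is there because a C2/propagation server rarely serves only the paths you already know about.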

FILE INFO:

- SHA256 hash: 7c55da28fd671d377ff68ab0fcf75248e804b4e910001d2a93f7af24532aa7bc
- File size: 105,668 bytes
- File location: hxxp://23.95.231[.]200/ico/VidT6cErs
- File description: encoded binary (not an executable) associated with nwormDll for Trickbot, gtag jim752
- Analysis:
-- https://urlhaus.abuse.ch/url/400730/
-- https://app.any.run/tasks/8beed1a6-f424-4e75-99b5-73576b3332ef
-- https://capesandbox.com/analysis/13136/
-- https://www.hybrid-analysis.com/sample/7c55da28fd671d377ff68ab0fcf75248e804b4e910001d2a93f7af24532aa7bc

- SHA256 hash: b22d3482f8f33cbfa1845d701f9a7755b49d9adce7b9839e23b6d07a25da07f6
- File size: 316,928 bytes
- File location: hxxp://23.95.231[.]200/images/cursor.png
- File description: Windows executable file associated with mshareDll for Trickbot, gtag tot752
- Analysis:
-- https://urlhaus.abuse.ch/url/400728/
-- https://app.any.run/tasks/28ea944c-23b4-4b33-8a81-e63af357778c
-- https://capesandbox.com/analysis/13137/
-- https://www.hybrid-analysis.com/sample/b22d3482f8f33cbfa1845d701f9a7755b49d9adce7b9839e23b6d07a25da07f6

- SHA256 hash: 61dacaedf57dffd1c485e3e6b44bc5c8e336f19fca301ad2976df94b0dd23172
- File size: 316,928 bytes
- File location: hxxp://23.95.231[.]200/images/imgpaper.png
- File description: Windows executable file associated with tabDll for Trickbot, gtag lib752
- Analysis:
-- https://urlhaus.abuse.ch/url/400727/
-- https://app.any.run/tasks/be7c7e8a-0e90-4261-a28f-0896698bc282
-- https://capesandbox.com/analysis/13140/
-- https://www.hybrid-analysis.com/sample/61dacaedf57dffd1c485e3e6b44bc5c8e336f19fca301ad2976df94b0dd23172