Trickbot propagation URLs on Tuesday 2020-06-23

malware_traffic, Jun 23rd, 2020
URLS:

- hxxp://23.95.231[.]200/ico/VidT6cErs
- hxxp://23.95.231[.]200/images/cursor.png
- hxxp://23.95.231[.]200/images/imgpaper.png

NOTES:

- These URLs were noted as early as Tuesday 2020-06-23.
- These URLs appear to return a different file hash each time they are queried.
- Because the hash changes per request, the SHA256 values below identify only the copies retrieved for this post; detect on the URL paths and the IP address rather than on file hashes.

- The HTTP request for VidT6cErs is caused by Trickbot's nwormDll module (jim-series gtag).
- The HTTP request for cursor.png is caused by Trickbot's mshareDll module (tot-series gtag).
- The HTTP request for imgpaper.png is caused by Trickbot's tabDll module (lib-series gtag).

More info on the new "nworm" module used by Trickbot:

- https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/

$ file *
VidT6cErs:    data
cursor.png:   PE32 executable (GUI) Intel 80386, for MS Windows
imgpaper.png: PE32 executable (GUI) Intel 80386, for MS Windows

FILE INFO:

- SHA256 hash: 7c55da28fd671d377ff68ab0fcf75248e804b4e910001d2a93f7af24532aa7bc
- File size: 105,668 bytes
- File location: hxxp://23.95.231[.]200/ico/VidT6cErs
- File description: encoded binary (not an executable) associated with nwormDll for Trickbot, gtag jim752
- Analysis:
 -- https://urlhaus.abuse.ch/url/400730/
 -- https://app.any.run/tasks/8beed1a6-f424-4e75-99b5-73576b3332ef
 -- https://capesandbox.com/analysis/13136/
 -- https://www.hybrid-analysis.com/sample/7c55da28fd671d377ff68ab0fcf75248e804b4e910001d2a93f7af24532aa7bc

- SHA256 hash: b22d3482f8f33cbfa1845d701f9a7755b49d9adce7b9839e23b6d07a25da07f6
- File size: 316,928 bytes
- File location: hxxp://23.95.231[.]200/images/cursor.png
- File description: Windows executable file associated with mshareDll for Trickbot, gtag tot752
- Analysis:
 -- https://urlhaus.abuse.ch/url/400728/
 -- https://app.any.run/tasks/28ea944c-23b4-4b33-8a81-e63af357778c
 -- https://capesandbox.com/analysis/13137/
 -- https://www.hybrid-analysis.com/sample/b22d3482f8f33cbfa1845d701f9a7755b49d9adce7b9839e23b6d07a25da07f6

- SHA256 hash: 61dacaedf57dffd1c485e3e6b44bc5c8e336f19fca301ad2976df94b0dd23172
- File size: 316,928 bytes
- File location: hxxp://23.95.231[.]200/images/imgpaper.png
- File description: Windows executable file associated with tabDll for Trickbot, gtag lib752
- Analysis:
 -- https://urlhaus.abuse.ch/url/400727/
 -- https://app.any.run/tasks/be7c7e8a-0e90-4261-a28f-0896698bc282
 -- https://capesandbox.com/analysis/13140/
 -- https://www.hybrid-analysis.com/sample/61dacaedf57dffd1c485e3e6b44bc5c8e336f19fca301ad2976df94b0dd23172