malware_traffic

2019-02-08 (Friday) - Trickbot malspam (gtag: sat36)

Feb 8th, 2019
START DATE/TIME:

- Friday 2019-02-08 as early as 16:33 UTC

EMAIL EXAMPLES:

- All had spoofed sending addresses that used the same email domain as the recipient's address

- Subject: Settlement for ypu account 28893094 received
- Attachment name: Account_Payment_4651801.doc

- Subject: Settlement for ypu checking account 38015546
- Attachment name: Account_Payment_4651717.doc

- Subject: Payment for ypu account 89042649 received
- Attachment name: Account_Payment_4651806.doc

ATTACHMENT PROPERTIES:

- File size: 233,984 bytes
- File type: Microsoft Word 97 - 2003 Document
- SHA256 hashes seen so far:
-- 34da3e85b059cc5d7e18ac679621afce70eb6dc860fa08cba84f1f3a5b7a6ea8
-- 77a7e2d8569609b296e27c7d4d8cf3209e52e67d2f4df77e9ead57db596a940f
-- be4cb7d1624d19856fb19113dc39e3a63303671e4482db2c5ba128fb593bb65d

URLS FOR EXE DOWNLOAD:

hxxps://107.173.104[.]221/corona.mor
hxxps://107.173.104[.]220/corona.mor
hxxps://108.170.31[.]53/corona.mor

TRICKBOT EXE:

- SHA256 hash: 41b6047c2edf7edcd565450ef04b92a5aa9b0a29cf35e0b2a3f27538d21559df
- File size: 391,504 bytes
- File location: hxxps://107.173.104[.]221/corona.mor
- File location: C:\Users\[username]\AppData\Local\Temp\varan.exe
- File location: C:\Users\[username]\AppData\Roaming\cleanmem\vatap.exe
- Any.Run analysis: https://app.any.run/tasks/b621b7ef-eeb0-4d87-93cb-36b8bebb8c5b
- CAPE sandbox: https://cape.contextis.com/analysis/35734/
- Reverse.it: https://www.reverse.it/sample/41b6047c2edf7edcd565450ef04b92a5aa9b0a29cf35e0b2a3f27538d21559df

NOTE:

- I kept getting a PuTTY installer when checking the corona.mor URLs to 107.173.104[.]220 and 108.170.31[.]53 - SHA256 hash: 7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1