2019-02-08 (Friday) - Trickbot malspam (gtag: sat36)

malware_traffic, Feb 8th, 2019 (edited)
START DATE/TIME:

- Friday 2019-02-08 as early as 16:33 UTC

EMAIL EXAMPLES:

- All had spoofed sending addresses that used the same email domain as the recipient's address

- Subject: Settlement for ypu account 28893094 received
- Attachment name: Account_Payment_4651801.doc

- Subject: Settlement for ypu checking account 38015546
- Attachment name: Account_Payment_4651717.doc

- Subject: Payment for ypu account 89042649 received
- Attachment name: Account_Payment_4651806.doc

ATTACHMENT PROPERTIES:

- File size: 233,984 bytes
- File type: Microsoft Word 97 - 2003 Document
- SHA256 hashes seen so far:
  -- 34da3e85b059cc5d7e18ac679621afce70eb6dc860fa08cba84f1f3a5b7a6ea8
  -- 77a7e2d8569609b296e27c7d4d8cf3209e52e67d2f4df77e9ead57db596a940f
  -- be4cb7d1624d19856fb19113dc39e3a63303671e4482db2c5ba128fb593bb65d

URLS FOR EXE DOWNLOAD:

hxxps://107.173.104[.]221/corona.mor
hxxps://107.173.104[.]220/corona.mor
hxxps://108.170.31[.]53/corona.mor

TRICKBOT EXE:

- SHA256 hash: 41b6047c2edf7edcd565450ef04b92a5aa9b0a29cf35e0b2a3f27538d21559df
- File size: 391,504 bytes
- File location: hxxps://107.173.104[.]221/corona.mor
- File location: C:\Users\[username]\AppData\Local\Temp\varan.exe
- File location: C:\Users\[username]\AppData\Roaming\cleanmem\vatap.exe
- Any.Run analysis: https://app.any.run/tasks/b621b7ef-eeb0-4d87-93cb-36b8bebb8c5b
- CAPE sandbox: https://cape.contextis.com/analysis/35734/
- Reverse.it: https://www.reverse.it/sample/41b6047c2edf7edcd565450ef04b92a5aa9b0a29cf35e0b2a3f27538d21559df

NOTE:

- I kept getting a PuTTY installer when checking the corona.mor URLs to 107.173.104[.]220 and 108.170.31[.]53 - SHA256 hash: 7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1