ExecuteMalware

2020-05-01 Trickbot/Remcos/Adwind IOCs

May 1st, 2020
TRICKBOT
========
SUBJECTS OBSERVED
Case 89310
Case 18621
Case 92644
Document 42048
Info 50741
Information Co-VID 2019 US-21779
Information Co-VID 2019 US-25575
Information Co-VID 2019 US-26131
Information Co-VID 2019 US-29315
Inportant Certificate 70904
Inportant Certificate 76315
Inportant Certificate 85845
Notice 62959
Notice 75037
Notice 12183
Notice 24902
Notice 89864
Price list 20655
Price list 21571
Pricelist 67723

SENDERS OBSERVED
agnes-bo@orange.fr
bernavaesken@orange.fr
bourqui_aurelia@orange.fr
fahrikalkan@yahoo.com
fred.courbis@orange.fr
halsmith56@sbcglobal.net
harper.ryan@sbcglobal.net
hugoserru@orange.fr
jasondatdude@sbcglobal.net
kikel@bellsouth.net
ksmith1941@att.net
laineygee@sbcglobal.net
sbrillaud@orange.fr
stephaneguitet@orange.fr
tylerpayne97@att.net

XLS FILE HASHES
396342d0f56c2bd48090928533b84811
4b27434ebfecbe10791cbff4a3f9d5ae
5992a0512b07dc649966593c5fa83615
7e3d6b2e5c80a362a26c5c6b2f7be699

TRICKBOT PAYLOAD
https://dichthuatsnu.com/goodweb/pwofiles.php

(404 for me)

REMCOS RAT
==========
SUBJECTS OBSERVED
UPS - Pending delivery

SENDERS OBSERVED
customer@ups.com

ISO FILE HASH
UPS FILE.iso
234dad41dcc5a322f52389d9240f8a17

EXE FILE HASH
ReadMe.exe
dda0e966b7ac2212f5198148f38671e8

PAYLOAD URL
https://drive.google.com/u/0/uc?id=1lVL8gvfw2wnlmPUClhC25NoOYP9k-g43&export=download
https://doc-0s-5k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ra0dot23h8r8t95f4j3399di0c634nqe/1588353900000/01481671314862437446/*/1lVL8gvfw2wnlmPUClhC25NoOYP9k-g43?e=download

FOLLOW-UP DOWNLOAD
Cqsl
42274f35bf8af5c7e1375637cc645067

ADDITIONAL DOWNLOADS
Cqslset.exe
dda0e966b7ac2212f5198148f38671e8

Cqsl.hta
578bf01e06d2f3c533b704ea98c02591

HTA FILE CONTENTS
<script>
var shell = new ActiveXObject("Shell.Application");
shell.ShellExecute("C:\\Users\\analyst\\AppData\\Local\\Cqsl\\Cqslset.exe","","","open","0");
window.close();
</script>

ADDITIONAL FILES DROPPED/DOWNLOADED
I also found the following two files that were created and added to C:\Windows\System32

fodhelper.exe
7215c73ec1aae35b9e4b1f22c811f85c

propsys.dll
487766bf2f0add388cb123d1ef7ece46

REMCOS C2
u864246.nvpn.so:2404
C:\Program Files (x86)\Internet Explorer\ieinstal.exe Connects to "185.140.53.21" on port 2404 (TCP).

ADDITIONAL FILES
The following files were created:

C:\Windows\System32\fodhelper.exe
C:\Windows\System32\propsys.dll
C:\Users\analyst\AppData\Local\Cqsl\Cqsl.hta
C:\Users\analyst\AppData\Local\Cqsl\Cqslset.exe
C:\Users\analyst\AppData\Local\Cqsl\Fuck


ADWIND
======
SUBJECTS OBSERVED
Congratulations!!! You have been awarded $500 Amazon gift card

SENDERS OBSERVED
noreply@amazon.com

FILE ATTACHMENT HASHES
Amazon Gift card.zip
6dda0276b4afd1e6be26a7690a8add2f

Amazon Gift card.jar
1f88741dbf450bde1deafb256b6a1495

ADWIND C2
Queried DNS: praisesalways.ddns.net
No reply

Also saw TCP traffic to:
79.134.225.111:1010
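
The script below is an added example, not part of ExecuteMalware's paste: it turns the indicators above into matching logic and runs it over a few constructed log lines. Everything not in the list is an assumption of mine: the function names, the key="value" log format, reading the 32-hex-digit hashes as MD5, and the regexes that generalise the five-digit suffixes of the Trickbot subjects. It also encodes the caveats a practitioner would apply to these IOCs: customer@ups.com and noreply@amazon.com are genuine brand addresses that the lures merely put in From:, so a sender hit on them only counts together with the matching subject or attachment hash; fodhelper.exe and propsys.dll are also the names of legitimate Windows files, so only their hashes are used; and the long googleusercontent URL is a one-off signed download link, so the stable Google Drive file id is extracted and matched instead of the full URL. The "Inportant" spelling is kept on purpose, since it is part of the observed subject line.

```python
# Added example, not part of the original paste: the indicators above as
# matching logic, run over constructed log lines.  Hashes are treated as MD5.
import re
from urllib.parse import parse_qs, urlparse

MD5 = {  # hash -> family/file, copied from the paste
    "396342d0f56c2bd48090928533b84811": "trickbot/xls",
    "4b27434ebfecbe10791cbff4a3f9d5ae": "trickbot/xls",
    "5992a0512b07dc649966593c5fa83615": "trickbot/xls",
    "7e3d6b2e5c80a362a26c5c6b2f7be699": "trickbot/xls",
    "234dad41dcc5a322f52389d9240f8a17": "remcos/UPS FILE.iso",
    "dda0e966b7ac2212f5198148f38671e8": "remcos/ReadMe.exe=Cqslset.exe",
    "42274f35bf8af5c7e1375637cc645067": "remcos/Cqsl",
    "578bf01e06d2f3c533b704ea98c02591": "remcos/Cqsl.hta",
    "7215c73ec1aae35b9e4b1f22c811f85c": "remcos/fodhelper.exe",
    "487766bf2f0add388cb123d1ef7ece46": "remcos/propsys.dll",
    "6dda0276b4afd1e6be26a7690a8add2f": "adwind/Amazon Gift card.zip",
    "1f88741dbf450bde1deafb256b6a1495": "adwind/Amazon Gift card.jar",
}
TRICKBOT_SENDERS = {
    "agnes-bo@orange.fr", "bernavaesken@orange.fr", "bourqui_aurelia@orange.fr",
    "fahrikalkan@yahoo.com", "fred.courbis@orange.fr", "halsmith56@sbcglobal.net",
    "harper.ryan@sbcglobal.net", "hugoserru@orange.fr", "jasondatdude@sbcglobal.net",
    "kikel@bellsouth.net", "ksmith1941@att.net", "laineygee@sbcglobal.net",
    "sbrillaud@orange.fr", "stephaneguitet@orange.fr", "tylerpayne97@att.net",
}
# Genuine brand addresses the lures claim as From:; alone they would also flag real mail.
BRAND_SENDERS = {"customer@ups.com": "remcos", "noreply@amazon.com": "adwind"}
# \d{5} generalises the five-digit suffixes seen in the paste (an assumption).
SUBJECTS = [
    (re.compile(r"^(?:Case|Document|Info|Notice|Price ?list) \d{5}$", re.I), "trickbot"),
    (re.compile(r"^Information Co-VID 2019 US-\d{5}$", re.I), "trickbot"),
    (re.compile(r"^Inportant Certificate \d{5}$", re.I), "trickbot"),
    (re.compile(r"^UPS - Pending delivery$", re.I), "remcos"),
    (re.compile(r"^Congratulations!!! You have been awarded \$500 Amazon gift card$", re.I), "adwind"),
]
HOSTS = {"dichthuatsnu.com": "trickbot", "u864246.nvpn.so": "remcos",
         "praisesalways.ddns.net": "adwind"}
SOCKETS = {("185.140.53.21", 2404): "remcos", ("79.134.225.111", 1010): "adwind"}
# The googleusercontent link is a one-off signed URL; the Drive file id is the stable part.
DRIVE_IDS = {"1lVL8gvfw2wnlmPUClhC25NoOYP9k-g43": "remcos"}


def check_email(sender, subject, attachment_md5=None):
    """Return (family, confidence) for one mail, or None."""
    if attachment_md5 and attachment_md5.lower() in MD5:
        return MD5[attachment_md5.lower()].split("/")[0], "high"
    s = sender.lower()
    subj = next((fam for rx, fam in SUBJECTS if rx.match(subject.strip())), None)
    if s in TRICKBOT_SENDERS:
        return "trickbot", "high" if subj == "trickbot" else "medium"
    if s in BRAND_SENDERS:  # brand sender counts only with its matching subject
        return (BRAND_SENDERS[s], "high") if subj == BRAND_SENDERS[s] else None
    return (subj, "medium") if subj else None


def check_url(url):
    """Match the host, or the Drive file id for either Google URL shape in the paste."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in HOSTS:
        return HOSTS[host]
    fid = None
    if host == "drive.google.com":
        fid = parse_qs(p.query).get("id", [None])[0]
    elif host.endswith(".googleusercontent.com"):  # .../<ts>/<n>/*/<file id>
        parts = [x for x in p.path.split("/") if x]
        fid = parts[-1] if len(parts) >= 2 and parts[-2] == "*" else None
    return DRIVE_IDS.get(fid) if fid else None


def check_file(path, md5):
    """Only the hash decides: fodhelper.exe and propsys.dll are also legitimate Windows names."""
    tag = MD5.get(md5.lower())
    return (tag, path) if tag else None


def scan_log(lines):
    """Dispatch constructed key="value" events to the checks; return (line no, hit) pairs."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = dict(re.findall(r'(\w+)="([^"]*)"', line))
        kind, hit = ev.get("type"), None
        if kind == "mail":
            hit = check_email(ev.get("from", ""), ev.get("subject", ""), ev.get("md5"))
        elif kind == "url":
            hit = check_url(ev.get("url", ""))
        elif kind == "conn":
            hit = SOCKETS.get((ev.get("dst"), int(ev.get("dport", 0))))
        elif kind == "file":
            hit = check_file(ev.get("path", ""), ev.get("md5", ""))
        if hit:
            findings.append((n, hit))
    return findings


SAMPLE_LOG = [  # constructed for this example, not taken from the page
    'type="mail" from="ksmith1941@att.net" subject="Notice 31337"',
    'type="mail" from="noreply@amazon.com" subject="Your order has shipped"',
    'type="mail" from="noreply@amazon.com" subject="Congratulations!!! You have been awarded $500 Amazon gift card" md5="6dda0276b4afd1e6be26a7690a8add2f"',
    'type="url" url="https://doc-0s-5k-docs.googleusercontent.com/docs/securesc/a/b/1588353900000/0148/*/1lVL8gvfw2wnlmPUClhC25NoOYP9k-g43?e=download"',
    'type="conn" dst="185.140.53.21" dport="2404" proc="ieinstal.exe"',
    'type="file" path="C:\\Windows\\System32\\propsys.dll" md5="487766bf2f0add388cb123d1ef7ece46"',
]
```

Running scan_log(SAMPLE_LOG) flags lines 1, 3, 4, 5 and 6 and leaves line 2 alone: the genuine-looking Amazon shipping notice from noreply@amazon.com is not a hit because neither its subject nor an attachment hash matches, which is the behaviour you want before putting these sender addresses anywhere near a mail-gateway block rule.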