Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 1489
- * MalFamily: "TrickBot"
- * MalScore: 10.0
- * File Name: "Trickbot_30c35d8c6f6691cc967ef79d3847ee4c.jpg"
- * File Size: 17408
- * File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
- * SHA256: "9e7645f45c092e203c5795663a5b8ba0862987a5e4a2d04b024c935ed23e032c"
- * MD5: "30c35d8c6f6691cc967ef79d3847ee4c"
- * SHA1: "e7c94298f843cb89039b2dfd5531a46ed50cf5fc"
- * SHA512: "90cea89684c733e5c5eb319994ae16349c8f820a3ab591e7985248f2dcebe4174ca075778d70afa9ef9134db599a33cc84878e63b3cafcc9059065c0093cc11a"
- * CRC32: "33CBADAF"
- * SSDEEP: "384:B3ZsZrjpFINb0vNZl53XZFk8990ZUjbd/axM8GTf8pKc/78+i8NxBMYXkat:B3ZsZrjpFINb0vNZl53XZFk8990ZUPdK"
- * Process Execution:
- * Executed Commands:
- * Signatures Detected:
- "Description": "Communicates with IPs located across a large number of unique countries",
- "Details":
- "country": "Bulgaria"
- "country": "United States"
- "country": "unknown"
- "country": "Ukraine"
- "country": "France"
- "country": "Brazil"
- "Description": "File has been identified by 6 Antiviruses on VirusTotal as malicious",
- "Details":
- "Cylance": "Unsafe"
- "APEX": "Malicious"
- "Endgame": "malicious (high confidence)"
- "FireEye": "Generic.mg.30c35d8c6f6691cc"
- "SentinelOne": "DFI - Malicious PE"
- "CrowdStrike": "win/malicious_confidence_80% (D)"
- "Description": "Multiple direct IP connections",
- "Details":
- "direct_ip_connections": "Made direct connections to 7 unique IP addresses"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- "suspicious_request_iocs": "http://69.16.254.181/JdNG9d"
- "suspicious_request_iocs": "http://hrpm.ca/images/result.php"
- "suspicious_request_iocs": "http://icanhazip.com/"
- "suspicious_request_iocs": "http://170.238.117.187:8082/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/90"
- "suspicious_request_iocs": "http://170.238.117.187:8082/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/83/"
- "Description": "Performs some HTTP requests",
- "Details":
- "url_iocs": "http://69.16.254.181/JdNG9d"
- "url_iocs": "http://hrpm.ca/images/result.php"
- "url_iocs": "http://icanhazip.com/"
- "url_iocs": "http://170.238.117.187:8082/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/90"
- "url_iocs": "http://170.238.117.187:8082/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/83/"
- "Description": "Looks up the external IP address",
- "Details":
- "domain": "icanhazip.com"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 21"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 2"
- "signature": "ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 4"
- "signature": "ET TROJAN PTsecurity Trickbot Data Exfiltration"
- * Started Service:
- * Mutexes:
- * Modified Files:
- * Deleted Files:
- * Modified Registry Keys:
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "hrpm.ca",
- "answers":
- "data": "162.208.2.182",
- "type": "A"
- "type": "A",
- "request": "icanhazip.com",
- "answers":
- "data": "104.20.16.242",
- "type": "A"
- "data": "104.20.17.242",
- "type": "A"
- "type": "A",
- "request": "238.175.207.91.zen.spamhaus.org",
- "answers":
- "data": "",
- "type": "NXDOMAIN"
- "type": "A",
- "request": "238.175.207.91.cbl.abuseat.org",
- "answers":
- "data": "127.0.0.2",
- "type": "A"
- * Domains:
- "ip": "127.0.0.4",
- "domain": "238.175.207.91.zen.spamhaus.org"
- "ip": "104.20.17.242",
- "domain": "icanhazip.com"
- "ip": "162.208.2.182",
- "domain": "hrpm.ca"
- "ip": "127.0.0.2",
- "domain": "238.175.207.91.cbl.abuseat.org"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://69.16.254.181/JdNG9d",
- "user-agent": "OnkyoblasterOS X-f5.99",
- "method": "GET",
- "host": "69.16.254.181",
- "version": "1.1",
- "path": "/JdNG9d",
- "data": "GET /JdNG9d HTTP/1.1\r\nUser-Agent: OnkyoblasterOS X-f5.99\r\nHost: 69.16.254.181\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://hrpm.ca/images/result.php",
- "user-agent": "OnkyoblasterOS X-f5.99",
- "method": "GET",
- "host": "hrpm.ca",
- "version": "1.1",
- "path": "/images/result.php",
- "data": "GET /images/result.php HTTP/1.1\r\nUser-Agent: OnkyoblasterOS X-f5.99\r\nHost: hrpm.ca\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://icanhazip.com/",
- "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3731.0 Safari/537.36",
- "method": "GET",
- "host": "icanhazip.com",
- "version": "1.1",
- "path": "/",
- "data": "GET / HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3731.0 Safari/537.36\r\nHost: icanhazip.com\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "--Arasfjasu7\r\nContent-Disposition: form-data; name=\"proclist\"\r\n\r\nEmpty\r\n--Arasfjasu7\r\nContent-Disposition: form-data; name=\"sysinfo\"\r\n\r\n--Arasfjasu7--\r\n\r\n",
- "uri": "http://170.238.117.187:8082/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/90",
- "user-agent": "test",
- "method": "POST",
- "host": "170.238.117.187:8082",
- "version": "1.1",
- "path": "/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/90",
- "data": "POST /wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/90 HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=Arasfjasu7\r\nUser-Agent: test\r\nHost: 170.238.117.187:8082\r\nContent-Length: 154\r\nCache-Control: no-cache\r\n\r\n--Arasfjasu7\r\nContent-Disposition: form-data; name=\"proclist\"\r\n\r\nEmpty\r\n--Arasfjasu7\r\nContent-Disposition: form-data; name=\"sysinfo\"\r\n\r\n--Arasfjasu7--\r\n\r\n",
- "port": 8082
- "count": 1,
- "body": "",
- "uri": "http://170.238.117.187:8082/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/83/",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
- "method": "POST",
- "host": "170.238.117.187",
- "version": "1.1",
- "path": "/wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/83/",
- "data": "POST /wmd14/Host_W617601.D9936AC2B15997B35B9FDDFD52F37B1F/83/ HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: 170.238.117.187\r\nConnection: close\r\nContent-Type: multipart/form-data; boundary=---------UUAPUKXHESSJPTKD\r\nContent-Length: 286\r\n\r\n",
- "port": 8082
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Bulgaria",
- "ip": "79.124.49.206",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "69.16.254.181",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "unknown",
- "ip": "45.80.148.173",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Ukraine",
- "ip": "195.123.242.175",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "France",
- "ip": "178.33.26.175",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Brazil",
- "ip": "170.238.117.187",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "162.208.2.182",
- "inaddrarpa": "",
- "hostname": "hrpm.ca"
- "country_name": "United States",
- "ip": "107.173.160.19",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "104.20.16.242",
- "inaddrarpa": "",
- "hostname": "icanhazip.com"
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement