2018-05-03 - TRICKBOT MALSPAM - SUBJECT: BILL PAYMENT ALERT

ASSOCIATED FILES:

  • 2018-05-03-Trickbot-malspam-infection-traffic.pcap   (2,447,254 bytes)
  • 2018-05-03-Trickbot-malspam-1022-UTC.eml   (75,642 bytes)
  • 2018-05-03-Trickbot-artifact.bat.txt   (303 bytes)
  • 2018-05-03-Trickbot-binary.exe   (221,184 bytes)
  • 2018-05-03-Trickbot-malspam-attached-RTF-file.doc   (48,472 bytes)
  • 2018-05-03-scheduled-task-to-keep-Trickbot-persistent.txt   (3,664 bytes)

NOTES:


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:


EMAIL


Shown above:  Screenshot of the email.


EMAIL HEADERS:

Received: from natwestmail.uk (185.236.78.101.deltahost-ptr [185.236.78.101])
        by [removed] for [removed]; Thu, 03 May 2018 10:30:28 -0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=natwestmail.uk;
 h=Mime-Version:Date:To:Subject:From:Content-Type:Message-ID;
 bh=BVbHwBN3bcQQRlwm+gJW43kUGLI=;
 b=tO2xlwQEJa4sHJGvyXQZQHfsHZRC/ZjdW6YWGCbENAF77clrh/nggHFvGVDHqTb+Issrrjg0nN3X
   0d8dpLn4mmtHrw2Z6Slp2e97V9Yb29/BPHNJPliBT58De4Vp3EhGdQJHCbq65vhmqrllXuZ69KSr
   3pzL9c8rnk4w1gGJ3nk=
Received: by natwestmail.uk id htbi65oct4o3 for [removed]; Thu, 3 May 2018 06:22:02 -0400 (envelope-from <alert-[recipient's email address]@natwestmail.uk>)
Mime-Version: 1.0
Date: Thu, 3 May 2018 06:22:02 -0400
To: [removed]
Subject:  Bill payment alert
From: "Natwest" <alert@natwestmail.uk>
Content-Type: multipart/mixed;
 boundary=07fa11edf9f656d391c58e21c9c14d93
Message-ID: <0.0.1.0.1D3E2C89411442C.1D2F1DF4@natwestmail.uk>
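The headers above deserve a second look.  The message carries a valid-looking DKIM signature, but the signing domain (d=natwestmail.uk) is the sender's own lookalike domain and it matches the From domain, so a DKIM or DMARC "pass" at the receiving gateway says nothing about whether NatWest sent it.  The signature also uses rsa-sha1, which RFC 8301 deprecated for DKIM.  The Python below is an added example (not code from the original post or its author): it parses the header block reproduced above and pulls out what an analyst would check first, the connecting IP from the topmost Received header, the envelope-from, the DKIM d= and a= tags, DKIM/From alignment, and whether the From domain is a brand lookalike.  The table mapping a brand name to the domains it legitimately sends from is an assumption for illustration; an operator would maintain their own.

```python
"""Triage the headers of the NatWest-themed Trickbot malspam shown above.

Added example.  Parses the header block reproduced on the page and runs
the checks a mail gateway or SOC analyst would run first.  The brand ->
sending-domain table is an assumption for illustration only.
"""
import re
from email import message_from_string, policy

# Header block copied from the page (recipient details were redacted there
# as "[removed]").  The boundary= line is indented so it folds as a
# continuation line, which is how it would appear in the raw message.
SAMPLE_HEADERS = """\
Received: from natwestmail.uk (185.236.78.101.deltahost-ptr [185.236.78.101])
        by [removed] for [removed]; Thu, 03 May 2018 10:30:28 -0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=natwestmail.uk;
 h=Mime-Version:Date:To:Subject:From:Content-Type:Message-ID;
 bh=BVbHwBN3bcQQRlwm+gJW43kUGLI=;
 b=tO2xlwQEJa4sHJGvyXQZQHfsHZRC/ZjdW6YWGCbENAF77clrh/nggHFvGVDHqTb+Issrrjg0nN3X
   0d8dpLn4mmtHrw2Z6Slp2e97V9Yb29/BPHNJPliBT58De4Vp3EhGdQJHCbq65vhmqrllXuZ69KSr
   3pzL9c8rnk4w1gGJ3nk=
Received: by natwestmail.uk id htbi65oct4o3 for [removed]; Thu, 3 May 2018 06:22:02 -0400 (envelope-from <alert-[recipient's email address]@natwestmail.uk>)
Mime-Version: 1.0
Date: Thu, 3 May 2018 06:22:02 -0400
To: [removed]
Subject:  Bill payment alert
From: "Natwest" <alert@natwestmail.uk>
Content-Type: multipart/mixed;
 boundary=07fa11edf9f656d391c58e21c9c14d93
Message-ID: <0.0.1.0.1D3E2C89411442C.1D2F1DF4@natwestmail.uk>
"""

# ASSUMPTION: domains the impersonated brand actually sends from.  Kept
# here for illustration; a real deployment would use a maintained list.
BRAND_DOMAINS = {"natwest": ("natwest.com",)}

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ENVELOPE_FROM_RE = re.compile(r"envelope-from\s*<([^>]+)>")


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping fold whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def domain_of(address):
    """Return the lowercase domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def brand_lookalike(display_name, from_domain, brand_domains):
    """Return the brand name if the sender invokes it without using its domain."""
    for brand, good_domains in brand_domains.items():
        invoked = brand in display_name.lower() or brand in from_domain
        legitimate = any(from_domain == d or from_domain.endswith("." + d)
                         for d in good_domains)
        if invoked and not legitimate:
            return brand
    return None


def triage(raw_headers, brand_domains=BRAND_DOMAINS):
    """Extract the indicators an analyst checks first and flag the suspicious ones."""
    msg = message_from_string(raw_headers, policy=policy.default)
    received = [str(h) for h in msg.get_all("Received", [])]

    # Only the topmost Received header was written by our own MTA; it records
    # the IP that actually connected.  Everything below it is attacker-supplied.
    ip_match = IPV4_RE.search(received[0]) if received else None
    connecting_ip = ip_match.group(1) if ip_match else None

    envelope_from = None
    for line in received:
        m = ENVELOPE_FROM_RE.search(line)
        if m:
            envelope_from = m.group(1)
            break

    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    dkim = parse_dkim_tags(str(msg["DKIM-Signature"])) if msg["DKIM-Signature"] else {}
    dkim_domain = dkim.get("d", "").lower()

    return {
        "connecting_ip": connecting_ip,
        "envelope_from_domain": domain_of(envelope_from) if envelope_from else None,
        "from_domain": from_domain,
        "dkim_domain": dkim_domain,
        # Alignment passes here, which is exactly why DKIM/DMARC alone is not
        # an authenticity check: the attacker signs with a domain they own.
        "dkim_aligned": bool(dkim_domain) and dkim_domain == from_domain,
        # rsa-sha1 was deprecated for DKIM by RFC 8301.
        "weak_dkim_algorithm": dkim.get("a", "").lower() == "rsa-sha1",
        "brand_lookalike": brand_lookalike(sender.display_name, from_domain, brand_domains),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_HEADERS).items():
        print(f"{key:22} {val}")
```

The connecting IP and the envelope/From domains are the values to pivot on in mail logs; "dkim_aligned" being True alongside a brand lookalike is the pattern to alert on, since it means the authentication results will look clean to the user and to naive filtering.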



Shown above:  RTF document attached to the malspam.


TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.


NETWORK TRAFFIC FROM AN INFECTED LAB HOST:


FILE HASHES

RTF ATTACHMENT FROM THE MALSPAM:

TRICKBOT BINARY:


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
