2018-07-02 - TRICKBOT MALSPAM INFECTION TRAFFIC

ASSOCIATED FILES:

  • 2018-07-02-Trickbot-malspam-1429-UTC.eml   (118,838 bytes)
  • 2018-07-02-Trickbot-malspam-infection-traffic-in-AD-environment.pcap   (18,881,128 bytes)/li>
  • 2018-07-02-Trickbot-artifact-gudisb.bat.txt   (318 bytes)
  • 2018-07-02-Trickbot-malware-binary.exe   (397,312 bytes)
  • 2018-07-02-attached-Word-doc-with-macro-for-Trickbot.doc   (86,528 bytes)

 

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following full and partial URLs:

 

EMAILS


Shown above:  Example of the malspam (raw text with headers and formatting).

 

EMAIL HEADERS FROM TODAY'S TRICKBOT MALSPAM EXAMPLE:

Received: from hmrc-invoice.co.uk ([128.127.111.193] verified)
  by
[removed] for [removed]; Mon, 02 Jul 2018 17:41:57 +0300
Received-SPF: pass
 receiver=
[removed]; client-ip=128.127.111.193; envelope-from=Natalie.Brat-[recipient's email address]@hmrc-invoice.co.uk
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=hmrc-invoice.co.uk;
 h=Mime-Version:Date:To:Subject:From:Content-Type:Message-ID;
 bh=mow3w55DA/VV1IkNgMakIlPYsXs=;
 b=fZLJrs0z2fsIOzBilK01aKmebFGwy8ms4UpCdfGf/I+y5LqF4fWeocoDNnFidWjn3ELKxzwE6oQD
   WPwE/DsRiBrqfPgcTJ3RmXwl7U7/M7dsa97VE+Qh066IczoagYFE5m9OVZixFddSbgLKDSO+QmuC
   W29tvmrt48bU4+T+o2Q=
Received: by hmrc-invoice.co.uk id h78t0ed5nv49 for
[removed]; Mon, 2 Jul 2018 10:29:06 -0400 (envelope-from <Natalie.Brat-[recipient's email address]@hmrc-invoice.co.uk>)
Mime-Version: 1.0
Date: Mon, 2 Jul 2018 10:29:06 -0400
To:
[removed]
Subject:  RE: Invoice
From: "HMRC Invoice" <Natalie.Brat@hmrc-invoice.co.uk>
Content-Type: multipart/mixed;
 boundary=280b5443f95a2bc6ed8e8cdc9ad20ec0
Message-ID: <0.0.E.0.1D4121108ADAB50.14BCBFF0@hmrc-invoice.co.uk>

 


Shown above:  Attached Word doc from the malspam.

 

INFECTION TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

NETWORK TRAFFIC FROM MY INFECTED WINDOWS HOST:

 

MALWARE

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

 

IMAGES


Shown above:  Files created on an infected Windows client.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.