2017-08-21 - MALSPAM CONTINUES PUSHING TRICKBOT BANKING TROJAN
ASSOCIATED FILES:
- Zip archive of the pcaps: 2017-08-21-Trickbot-malspam-traffic.pcap.zip 934 kB (934,462 bytes)
- 2017-08-21-Trickbot-malspam-traffic.pcap (1,246,136 bytes)
- Zip archive of the malware and artifacts: 2017-08-21-Trickbot-malspam-and-artifacts.zip 403 kB (403,021 bytes)
- 2017-08-21-Trickbot-Vpjnf.bat.txt (332 bytes)
- 2017-08-21-Trickbot-Xttayo.exe (509,952 bytes)
- 2017-08-21-Trickbot-malspam-0924-UTC.eml (133,295 bytes)
- 2017-08-21-Trickbot-services_update.xml.txt (3,950 bytes)
- NatWest258345907_2243.doc (96,258 bytes)
ASSOCIATED BLOG POSTS:
- My Online Security - Recent posts tagged "Trickbot" (There's one for today covering the same thing I'm reporting here.)
- 2017-08-12 - Malware-Traffic-Analysis.net - Malspam continues to push Trickbot banking Trojan
- 2017-08-15 - Internet Storm Center (ISC) - Malspam pushing Trickbot banking Trojan
HEADER INFORMATION:
- Date: Monday, 2017-08-21 09:24 UTC
- Message-ID: <000001d31a78$7f5d1240$7e1736c0$@ml>
- From: New post NatWest Bank <noreply@natwest78.ml>
- Subject: NatWest
- Attachment: NatWest258345907_2243.doc
Shown above: Screenshot of the email.
Shown above: Attachment from the email.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 95.110.196.214 port 80 - cagliaricity.com - GET /eresterter.png [URL generated by Word macro to retrieve Trickbot binary]
- 69.64.57.170 port 80 - cepsanny.com.br - GET /Laudos/eresterter.png [URL generated by Word macro to retrieve Trickbot binary]
- 67.21.90.105 port 443 - post-infection HTTPS/SSL/TLS traffic from Trickbot-infected host
- 79.124.78.81 port 447 - post-infection HTTPS/SSL/TLS traffic from Trickbot-infected host
- 72.211.215.68 port 449 - post-infection connection attempts from Trickbot-infected host
MALWARE
EMAIL ATTACHMENT (WORD DOCUMENT):
- SHA256 hash: b895c34ecf45d111049a34fe69fdc4dce634de42d93fd1438b8e0c2e582217d8
- File name: NatWest258345907_2243.doc
- File size: 96,258 bytes
TRICKBOT BINARY:
- SHA256 hash: a573c781543b04747f259278de09908b1a76b2afc6c00cc6bb1eeefa4df43756
- File location: C:\Users\[username]\AppData\Local\Temp\Xttayo.exe
- File location: C:\Users\[username]\AppData\Roaming\winapp\Wssaxn.exe
- File size: 509,952 bytes
Shown above: Today's Trickbot binary.
Shown above: Scheduled task to keep the Trickbot binary persistent after a reboot.
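The indicators listed under ASSOCIATED DOMAINS and MALWARE, turned into a small matcher a defender can run over connection or proxy logs. This is an added example, not part of the original post or its artifacts: the indicator values (IPs, ports, hostnames, URIs, SHA256 hashes) are taken from the lists above, while the tab-separated log format and the sample log lines are constructed for the example (hypothetical, loosely modelled on a merged Zeek conn/http/files view). Matches are tagged by stage so that a host showing only the macro download can be told apart from one whose binary actually ran and reached the port 443/447/449 servers.

```python
"""Match the 2017-08-21 Trickbot indicators listed above against log lines.

The indicator values come from the page; the log format and the sample log
lines are constructed for this example and are not part of the original post.
"""
from __future__ import annotations

from dataclasses import dataclass

# Delivery stage: the URLs the Word macro used to fetch the Trickbot binary.
IOC_HTTP = {
    ("cagliaricity.com", "/eresterter.png"),
    ("cepsanny.com.br", "/Laudos/eresterter.png"),
}

# Destination IP/port pairs from the page, tagged with the stage they belong to.
# Port 449 only saw connection attempts, so it is matched on IP:port alone.
IOC_ENDPOINTS = {
    ("95.110.196.214", 80): "delivery",
    ("69.64.57.170", 80): "delivery",
    ("67.21.90.105", 443): "post-infection",
    ("79.124.78.81", 447): "post-infection",
    ("72.211.215.68", 449): "post-infection",
}

# SHA256 hashes of the attachment and the dropped binary.
IOC_SHA256 = {
    "b895c34ecf45d111049a34fe69fdc4dce634de42d93fd1438b8e0c2e582217d8": "NatWest258345907_2243.doc",
    "a573c781543b04747f259278de09908b1a76b2afc6c00cc6bb1eeefa4df43756": "Trickbot binary (Xttayo.exe / Wssaxn.exe)",
}

# Constructed tab-separated log format (hypothetical, loosely modelled on a
# merged Zeek conn/http/files view):
#   ts  src_ip  src_port  dst_ip  dst_port  proto  host  uri  sha256
# '-' marks a field that does not apply to the record.
SAMPLE_LOG = """\
1503308723.1\t10.0.0.12\t49211\t95.110.196.214\t80\thttp\tcagliaricity.com\t/eresterter.png\t-
1503308725.4\t10.0.0.12\t49213\t93.184.216.34\t80\thttp\texample.com\t/index.html\t-
1503308730.0\t10.0.0.12\t49218\t67.21.90.105\t443\tssl\t-\t-\t-
1503308731.7\t10.0.0.12\t49220\t72.211.215.68\t449\ttcp\t-\t-\t-
1503308740.2\t10.0.0.12\t49230\t172.16.5.9\t445\tsmb\t-\t-\ta573c781543b04747f259278de09908b1a76b2afc6c00cc6bb1eeefa4df43756
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    stages: frozenset[str]
    reasons: tuple[str, ...]


def match_line(line: str) -> Hit | None:
    """Return a Hit if the log line matches any indicator, else None."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 9:
        return None  # malformed record; skip rather than guess
    ts, src_ip, _src_port, dst_ip, dst_port, _proto, host, uri, sha = fields
    try:
        endpoint = (dst_ip, int(dst_port))
    except ValueError:
        return None
    stages: set[str] = set()
    reasons: list[str] = []
    if endpoint in IOC_ENDPOINTS:
        stages.add(IOC_ENDPOINTS[endpoint])
        reasons.append(f"endpoint {dst_ip}:{dst_port}")
    if (host, uri) in IOC_HTTP:
        stages.add("delivery")
        reasons.append(f"macro download URL http://{host}{uri}")
    if sha.lower() in IOC_SHA256:
        stages.add("artifact")
        reasons.append(f"sha256 of {IOC_SHA256[sha.lower()]}")
    if not reasons:
        return None
    return Hit(ts=ts, src=src_ip, stages=frozenset(stages), reasons=tuple(reasons))


def scan(log_text: str) -> list[Hit]:
    """Run match_line over every line of a log and collect the hits."""
    return [h for h in (match_line(l) for l in log_text.splitlines()) if h]


def summarize(hits: list[Hit]) -> dict[str, set[str]]:
    """Map each source host to the set of stages seen for it.

    A host with only 'delivery' hits fetched the binary (or tried to) but may
    have been blocked; 'post-infection' traffic means the binary ran.
    """
    summary: dict[str, set[str]] = {}
    for h in hits:
        summary.setdefault(h.src, set()).update(h.stages)
    return summary


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.ts, hit.src, sorted(hit.stages), "; ".join(hit.reasons))
    print(summarize(scan(SAMPLE_LOG)))
```

On the constructed sample, the benign example.com request produces no hit, the macro download line matches both by destination endpoint and by host/URI, and the host ends up tagged with all three stages, which is the pattern of a completed infection rather than a blocked download.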
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcaps: 2017-08-21-Trickbot-malspam-traffic.pcap.zip 934 kB (934,462 bytes)
- Zip archive of the malware and artifacts: 2017-08-21-Trickbot-malspam-and-artifacts.zip 403 kB (403,021 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.