2017-08-21 - MALSPAM CONTINUES PUSHING TRICKBOT BANKING TROJAN

ASSOCIATED FILES:

• Zip archive of the pcaps:  2017-08-21-Trickbot-malspam-traffic.pcap.zip   934 kB (934,462 bytes)

• 2017-08-21-Trickbot-malspam-traffic.pcap   (1,246,136 bytes)

• Zip archive of the malware and artifacts:  2017-08-21-Trickbot-malspam-and-artifacts.zip   403 kB (403,021 bytes)

• 2017-08-21-Trickbot-Vpjnf.bat.txt   (332 bytes)
• 2017-08-21-Trickbot-Xttayo.exe   (509,952 bytes)
• 2017-08-21-Trickbot-malspam-0924-UTC.eml   (133,295 bytes)
• 2017-08-21-Trickbot-services_update.xml.txt   (3,950 bytes)
• NatWest258345907_2243.doc   (96,258 bytes)

ASSOCIATED BLOG POSTS:

• My Online Security - Recent posts tagged "Trickbot" (There's one for today covering the same thing I'm reporting here.)
• 2017-08-12 - Malware-Traffic-Analysis.net - Malspam continues to push Trickbot banking Trojan
• 2017-08-15 - Internet Storm Center (ISC) - Malspam pushing Trickbot banking Trojan

 

EMAIL

HEADER INFORMATION:

• Date:  Monday, 2017-08-21 09:24 UTC
• Message-ID:  <000001d31a78$7f5d1240$7e1736c0$@ml>
• From:  New post NatWest Bank <noreply@natwest78.ml>
• Subject:  NatWest
• Attachment:  NatWest258345907_2243.doc

 

Shown above:  Screenshot of the email.

 

Shown above:  Attachment from the email.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 95.110.196.214 port 80 - cagliaricity.com - GET /eresterter.png   [URL generated by Word macro to retrieve Trickbot binary]
• 69.64.57.170 port 80 - cepsanny.com.br - GET /Laudos/eresterter.png   [URL generated by Word macro to retrieve Trickbot binary]
• 67.21.90.105 port 443 - post-infection HTTPS/SSL/TLS traffic from Trickbot-infected host
• 79.124.78.81 port 447 - post-infection HTTPS/SSL/TLS traffic from Trickbot-infected host
• 72.211.215.68 port 449 - post-infection connection attempts from Trickbot-infected host

 

MALWARE

EMAIL ATTACHMENT (WORD DOCUMENT):

• SHA256 hash:  b895c34ecf45d111049a34fe69fdc4dce634de42d93fd1438b8e0c2e582217d8
  File name:  NatWest258345907_2243.doc
  File size:  96,258 bytes

TRICKBOT BINARY:

• SHA256 hash:  a573c781543b04747f259278de09908b1a76b2afc6c00cc6bb1eeefa4df43756
  File location:  C:\Users\[username]\AppData\Local\Temp\Xttayo.exe
  File location:  C:\Users\[username]\AppData\Roaming\winapp\Wssaxn.exe
  File size:  509,952 bytes

Shown above:  Today's Trickbot binary.

 

Shown above:  Scheduled taskt to keep Trickbot binary persistent after a reboot.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcaps:  2017-08-21-Trickbot-malspam-traffic.pcap.zip   934 kB (934,462 bytes)
• Zip archive of the malware and artifacts:  2017-08-21-Trickbot-malspam-and-artifacts.zip   403 kB (403,021 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.