Malware-Traffic-Analysis.net - 2017-09-18

2017-09-18 - TRICKBOT INFECTION

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-09-18-Trickbot-infection-traffic.pcap (2,012,719 bytes)

2017-09-18-Trickbot-malspam-1307-UTC.eml (125,866 bytes)

natwest12053922350652_21256.doc (91,136 bytes)

ovlvfsdboimz.bat.txt (340 bytes)

udyk.exe (528,384 bytes)

ASSOCIATED BLOG POST:

2017-08-15 - Internet Storm Center (ISC) - Malspam pushing Trickbot banking Trojan

Shown above: Screenshot from an email seen on 2017-09-18.

EMAIL HEADER INFORMATION:

Shown above: Malicious Word document attached to the email.

Shown above: Traffic from the infection filtered in Wireshark.

URLS FROM THE WORD DOCUMENT TO DOWNLOAD TRICKBOT:

TRICKBOT POST-INFECTION TRAFFIC:

ipinfo.io - IP address check by the infected host
23.254.97[.]211 port 443 - encrypted traffic
194.87.144[.]27 port 443 - encrypted traffic
194.87.232[.]127 port 447 - encrypted traffic
94.242.224[.]226 port 447 - attempted TCP connections, but no response from the server
185.158.115[.]47 port 447 - attempted TCP connections, but no response from the server

WORD DOCUMENT ATTACHED TO THE EMAIL:

SHA256 hash: e3fe7c4063c15c7589bd8023f0c0d1bc04d296a404a5d3008aed522ab283e292
File size: 91,136 bytes
File name: natwest12053922350652_21256.doc

FOLLOW-UP MALWARE (TRICKBOT):

SHA256 hash: b83529a86234f160e3741f79dcded9d61bfdd39f0d66311f727c9c8e36843ad6
File size: 528,384 bytes
File location: C:\Users\[username]\AppData\Local\Temp\udyk.exe
File location: C:\Users\[username]\AppData\Roaming\winapp\tcxj.exe

Click here to return to the main page.