2017-09-18 - TRICKBOT INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-09-18-Trickbot-infection-traffic.pcap.zip 1.7 MB (1,652,815 bytes)
- 2017-09-18-Trickbot-infection-traffic.pcap (2,012,719 bytes)
- 2017-09-18-Trickbot-malspam-1307-UTC.eml.zip 56.9 kB (56,902 bytes)
- 2017-09-18-Trickbot-malspam-1307-UTC.eml (125,866 bytes)
- 2017-09-18-malware-from-Trickbot-infection.zip 352.3 kB (352,284 bytes)
- natwest12053922350652_21256.doc (91,136 bytes)
- ovlvfsdboimz.bat.txt (340 bytes)
- udyk.exe (528,384 bytes)
ASSOCIATED BLOG POST:
- 2017-08-15 - Internet Storm Center (ISC) - Malspam pushing Trickbot banking Trojan
Shown above: Screenshot from an email seen on 2017-09-18.
EMAIL HEADER INFORMATION:
- Date: Monday, 2017-09-18 13:07 UTC
- Subject: Customer message
- Message-ID: <000001d3308f$c8fb8620$5af29260$@ml>
- From: NatWest Bank Plc <noreply@natwestservice56[.]ml>
Shown above: Malicious Word document attached to the email.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
URLS FROM THE WORD DOCUMENT TO DOWNLOAD TRICKBOT:
- 77.236.96[.]52 port 80 - 6-express[.]ch - GET /kassa2g20.png
- 88.150.140[.]232 port 80 - tregartha-dinnie[.]co[.]uk - GET /kassa2g20.png
TRICKBOT POST-INFECTION TRAFFIC:
- ipinfo.io - IP address check by the infected host
- 23.254.97[.]211 port 443 - encrypted traffic
- 194.87.144[.]27 port 443 - encrypted traffic
- 194.87.232[.]127 port 447 - encrypted traffic
- 94.242.224[.]226 port 447 - attempted TCP connections, but no response from the server
- 185.158.115[.]47 port 447 - attempted TCP connections, but no response from the server
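The download URLs and post-infection endpoints above can be turned directly into a detection pass over network logs. The script below is an added example, not part of the original page: it re-fangs the page's defanged indicators, matches them against a few constructed log lines in a hypothetical `ts src -> dst [host uri]` format, and also flags any outbound TCP/447, the non-standard port this Trickbot sample used for several of its servers.

```python
import re

# Indicators copied from this page's traffic section, kept defanged as written there.
DOWNLOAD_URLS = {
    ("77.236.96[.]52", 80, "6-express[.]ch", "/kassa2g20.png"),
    ("88.150.140[.]232", 80, "tregartha-dinnie[.]co[.]uk", "/kassa2g20.png"),
}
C2_ENDPOINTS = {
    ("23.254.97[.]211", 443), ("194.87.144[.]27", 443),
    ("194.87.232[.]127", 447), ("94.242.224[.]226", 447), ("185.158.115[.]47", 447),
}

def refang(ioc: str) -> str:
    """Turn the page's '[.]' notation back into a string that matches real log data."""
    return ioc.replace("[.]", ".")

# Hypothetical log format (constructed for this example, not from the page):
#   <ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> [<http_host> <uri>]
LINE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)(?: (\S+) (\S+))?$")

def scan(lines):
    """Return (ts, reason) for every log line that hits one of the page's indicators."""
    downloads = {(refang(ip), p, refang(h), u) for ip, p, h, u in DOWNLOAD_URLS}
    c2 = {(refang(ip), p) for ip, p in C2_ENDPOINTS}
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, _src, _sport, dst, dport, host, uri = m.groups()
        dport = int(dport)
        if (dst, dport, host, uri) in downloads:
            hits.append((ts, f"Trickbot download {host}{uri} from {dst}"))
        elif (dst, dport) in c2:
            hits.append((ts, f"Trickbot C2 {dst}:{dport}"))
        elif dport == 447:          # port used by several servers in this infection
            hits.append((ts, f"unusual TCP/447 to {dst}"))
        elif host == "ipinfo.io":   # external IP check seen post-infection; low confidence alone
            hits.append((ts, "external IP check via ipinfo.io"))
    return hits

# Constructed sample log; destination IPs not on the page come from RFC 5737 test ranges.
SAMPLE_LOG = [
    "2017-09-18T13:09:41Z 10.0.0.5:49201 -> 77.236.96.52:80 6-express.ch /kassa2g20.png",
    "2017-09-18T13:09:50Z 10.0.0.5:49202 -> 198.51.100.20:80 ipinfo.io /json",
    "2017-09-18T13:10:12Z 10.0.0.5:49210 -> 194.87.232.127:447",
    "2017-09-18T13:10:20Z 10.0.0.5:49211 -> 203.0.113.9:447",
    "2017-09-18T13:10:30Z 10.0.0.5:49212 -> 198.51.100.7:443 example.com /",
]

if __name__ == "__main__":
    for ts, why in scan(SAMPLE_LOG):
        print(ts, why)
```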
MALWARE
WORD DOCUMENT ATTACHED TO THE EMAIL:
- SHA256 hash: e3fe7c4063c15c7589bd8023f0c0d1bc04d296a404a5d3008aed522ab283e292
  File size: 91,136 bytes
  File name: natwest12053922350652_21256.doc
FOLLOW-UP MALWARE (TRICKBOT):
- SHA256 hash: b83529a86234f160e3741f79dcded9d61bfdd39f0d66311f727c9c8e36843ad6
  File size: 528,384 bytes
  File location: C:\Users\[username]\AppData\Local\Temp\udyk.exe
  File location: C:\Users\[username]\AppData\Roaming\winapp\tcxj.exe