2018-03-22 - TRICKBOT MALSPAM - SUBJECT: YOU HAVE RECEIVED A SECURE DOCUMENT
ASSOCIATED FILES:
- Zip archive of 5 email examples: 2018-03-22-Trickbot-malspam-5-email-examples.zip 256 kB (255,919 bytes)
- 2018-03-22-Trickbot-malspam-120834-UTC.eml (144,137 bytes)
- 2018-03-22-Trickbot-malspam-120844a-UTC.eml (146,448 bytes)
- 2018-03-22-Trickbot-malspam-120844b-UTC.eml (146,454 bytes)
- 2018-03-22-Trickbot-malspam-120845a-UTC.eml (146,450 bytes)
- 2018-03-22-Trickbot-malspam-120845b-UTC.eml (146,460 bytes)
- Zip archive of the infection traffic: 2018-03-22-Trickbot-malspam-infection-traffic-2-pcaps.zip 6.4 MB (6,369,820 bytes)
- 2018-03-22-Trickbot-malspam-infection-traffic.pcap (2,622,359 bytes)
- 2018-03-22-sanitized-traffic-from-Reverse.it-analysis-of-Word-document.pcap (4,597,230 bytes)
- Zip archive of the malware and artifacts: 2018-03-22-Trickbot-malware-and-artifacts.zip 243 kB (242,649 bytes)
- 2018-03-22-Trickbot-artifact-group_tag.txt (16 bytes)
- 2018-03-22-Trickbot-artifact-rhknve.bat.txt (328 bytes)
- 2018-03-22-Trickbot-binary-Yknxohk.exe (348,160 bytes)
- 2018-03-22-Trickbot-scheduled-task-MsNetMonitor.xml.txt (3,736 bytes)
- 2018-03-22-maldoc-with-macro-to-install-Trickbot-9S659EHDCSI72649DS.doc (80,896 bytes)
NOTES:
- This page has sanitized email examples, pcaps, and malware/artifacts from a Trickbot infection as identified in this blog post from myonlinesecurity.co.uk.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs:
- hxxp://ebrotasa.com/morbery.png
- hxxp://pcstore.com.ve/morbery.png
- hxxp://185.17.121.49/table.png
- hxxp://185.17.121.49/toler.png
DATA FROM 5 EMAIL SAMPLES:
- Date/Time: Thursday 2018-03-22 as early as 12:08:34 through at least 12:08:45 UTC
- Received: from docusignemail.com ([162.13.147.46])
- Received: from docusignemail.com ([162.13.147.61])
- Received: from docusignmail.com (docusignmail.com [5.79.31.5])
- Received: from docusignmail.com (docusignmail.com [5.79.31.6])
- Received: from docusignmail.com ([162.13.147.65])
- From: "DocuSign" <no-reply@docusignemail.com>
- From: "DocuSign" <no-reply@docusignmail.com>
- Subject: You have received a secure document
- Attachment name: 9S659EHDCSI72649DS.doc
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 212.7.63.16 port 80 - ebrotasa.com - GET /morbery.png
- port 80 - ipinfo.io - GET /ip
- 185.55.64.47 port 449 - encrypted post-infection traffic caused by Trickbot
- 185.68.93.66 port 447 - encrypted post-infection traffic caused by Trickbot
- 87.101.70.109 port 449 - encrypted post-infection traffic caused by Trickbot
ADDITIONAL TRAFFIC FROM REVERSE.IT ANALYSIS OF THE WORD DOCUMENT (LINK):
- port 80 - wtfismyip.com - GET /text
- 212.14.51.56 port 443 - encrypted post-infection traffic caused by Trickbot
- 195.123.217.207 port 443 - encrypted post-infection traffic caused by Trickbot
- 185.17.121.49 port 80 - 185.17.121.49 - GET /table.png
- 185.17.121.49 port 80 - 185.17.121.49 - GET /toler.png
FILE HASHES
DOWNLOADED WORD DOCUMENT:
- SHA256 hash: 10281a188a26dbb10562bdc6f5467abad4b0e7fe73672b48a11fdd55819f81f3
File size: 80,896 bytes
File name: 9S659EHDCSI72649DS.doc
File description: Word document with malicious macro to download/install Trickbot
EMOTET BINARY:
- SHA256 hash: 1ea818b42112608931b01892a9b24d4120a8f96140b69531305ac0d7135eb3a2
File size: 348,160 bytes
File location: C:\Users\[username]\AppData\Local\Temp\Yknxohk.exe
File location: C:\Users\[username]\AppData\Roaming\TeamViewer\Yknxohk.exe
File description: Trickbot malware binary
FINAL NOTES
Once again, here are the associated files:
- Zip archive of 5 email examples: 2018-03-22-Trickbot-malspam-5-email-examples.zip 256 kB (255,919 bytes)
- Zip archive of the infection traffic: 2018-03-22-Trickbot-malspam-infection-traffic-2-pcaps.zip 6.4 MB (6,369,820 bytes)
- Zip archive of the malware and artifacts: 2018-03-22-Trickbot-malware-and-artifacts.zip 243 kB (242,649 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.