2018-05-01 - TRICKBOT FROM MALSPAM, SUBJECT: FW: ACCOUNT DOCUMENTS

NOTICE:

ASSOCIATED FILES:

  • 2018-05-01-Trickbot-infection-traffic.pcap   (7,121,402 bytes)
  • 2018-05-01-Trickbot-malspam-1133-UTC.eml   (116,476 bytes)
  • 2018-05-01-Trickbot-artifact.txt   (329 bytes)
  • 2018-05-01-Trickbot-binary-1-of-2.exe   (270,336 bytes)
  • 2018-05-01-Trickbot-binary-2-of-2.exe   (372,224 bytes)
  • 2018-05-01-Trickbot-malspam-attached-RTF-file.doc   (62,492 bytes)
  • 2018-05-01-scheduled-task-to-keep-Trickbot-persistent.txt   (3,676 bytes)

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

Received: from santander-bank[.]co[.]uk (unknown [128.127.108[.]227])
        by [removed] for [removed]; Tue, 1 May 2018 18:41:12 +0700 (WIB)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=santander-bank[.]co[.]uk;
 h=Mime-Version:Subject:From:Date:To:Content-Type:Message-ID;
 bh=ejKKHFcJirhlS5iAlWanrKPxCG8=;
 b=Apz+AO1YOiBWaxpz8Ec6NlMRyqEMSv/OEh4xSjpC3BSjKEGyX2Ne0iuDUF/P0ybaxeUKkF+x0Ez7
   wzMHw2bLhSz+fTeLMRhEL6bId+lafRAAnD2iaOVnI8SLONPTsRtZ2+ZTl340x3cyBrFodl0/hOXU
   K851ysBuZDS/9aiXpP4=
Received: by santander-bank[.]co[.]uk id ht196nocte0i for [removed]; Tue, 1 May 2018 07:33:09 -0400 (envelope-from <noreply-[recipient's email address]@santander-bank[.]co[.]uk>)
Mime-Version: 1.0
Subject:  FW: Account Documents
From: "Santander" <noreply@santander-bank[.]co[.]uk>
Date: Tue, 1 May 2018 07:33:09 -0400
To: [removed]
Content-Type: multipart/mixed;
 boundary=01b8f130f133240b42a2a8ce9c735cd9
Message-ID: <0.0.0.0.1D3E1402E438116.43E88E4@santander-bank[.]co[.]uk>

 


Shown above:  RTF document attached to the malspam.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

 

FILE HASHES

RTF ATTACHMENT FROM THE MALSPAM:

TRICKBOT BINARY (1 OF 2):

TRICKBOT BINARY (2 OF 2):


Shown above:  Trickbot malware persistent on the infected Windows host.

 

Click here to return to the main page.