2018-07-02 - TRICKBOT INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-07-02-Trickbot-malspam-1429-UTC.eml.zip 68.7 kB (68,652 bytes)
- 2018-07-02-Trickbot-malspam-1429-UTC.eml (118,838 bytes)
- 2018-07-02-Trickbot-infection-traffic.pcap.zip 16.3 MB (16,326,173 bytes)
- 2018-07-02-Trickbot-infection-traffic.pcap (18,881,128 bytes)
- 2018-07-02-malware-and-artifacts-from-Trickbot-infection.zip 362 kB (362,481 bytes)
- 2018-07-02-Trickbot-artifact-gudisb.bat.txt (318 bytes)
- 2018-07-02-Trickbot-malware-binary.exe (397,312 bytes)
- 2018-07-02-attached-Word-doc-with-macro-for-Trickbot.doc (86,528 bytes)
NOTES:
- Generated this infection in an Active Directory (AD) environment.
- I didn't see any movement of Trickbot from the infected Windows client to the domain controller today.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following full and partial URLs:
- hxxp[:]//25kstartups[.]com/sec.bin
- hxxp[:]//winandgo-dz[.]com/sec.bin
- hxxp[:]//109.234.36[.]103/table.png
- hxxp[:]//109.234.36[.]103/toler.png
- hxxp[:]//109.234.36[.]103/worming.png
- hxxp[:]//188.124.167[.]132/ser0702/
- hxxp[:]//188.124.167[.]132:8082/ser0702/
EMAILS
Shown above: Example of the malspam (raw text with headers and formatting).
EMAIL HEADERS FROM TODAY'S TRICKBOT MALSPAM EXAMPLE:
Received: from hmrc-invoice[.]co[.]uk ([128.127.111[.]193] verified)
by [removed] for [removed]; Mon, 02 Jul 2018 17:41:57 +0300
Received-SPF: pass
receiver=[removed]; client-ip=128.127.111[.]193; envelope-from=Natalie.Brat-[recipient's email address]@hmrc-invoice[.]co[.]uk
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=hmrc-invoice[.]co[.]uk;
h=Mime-Version:Date:To:Subject:From:Content-Type:Message-ID;
bh=mow3w55DA/VV1IkNgMakIlPYsXs=;
b=fZLJrs0z2fsIOzBilK01aKmebFGwy8ms4UpCdfGf/I+y5LqF4fWeocoDNnFidWjn3ELKxzwE6oQD
WPwE/DsRiBrqfPgcTJ3RmXwl7U7/M7dsa97VE+Qh066IczoagYFE5m9OVZixFddSbgLKDSO+QmuC
W29tvmrt48bU4+T+o2Q=
Received: by hmrc-invoice[.]co[.]uk id h78t0ed5nv49 for [removed]; Mon, 2 Jul 2018 10:29:06 -0400 (envelope-from <Natalie.Brat-[recipient's email address]@hmrc-invoice[.]co[.]uk>)
Mime-Version: 1.0
Date: Mon, 2 Jul 2018 10:29:06 -0400
To: [removed]
Subject: RE: Invoice
From: "HMRC Invoice" <Natalie.Brat@hmrc-invoice[.]co[.]uk>
Content-Type: multipart/mixed;
boundary=280b5443f95a2bc6ed8e8cdc9ad20ec0
Message-ID: <0.0.E.0.1D4121108ADAB50.14BCBFF0@hmrc-invoice[.]co[.]uk>
Shown above: Attached Word doc from the malspam.
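The headers above show "Received-SPF: pass" and a DKIM signature from the sending domain, which says nothing about legitimacy: the sender controls hmrc-invoice[.]co[.]uk, so both checks pass for whatever it sends. The Python below is an added example, not part of the original page, that parses those headers with the standard library and flags what actually matters here: a brand-lookalike sending domain, authentication results that align only with that lookalike, and an envelope-from that embeds the recipient's address. The [removed] values are replaced with placeholders (mx.example.net, victim@example.net), the defanging brackets are dropped so the sample parses, and the brand table and the eTLD+1 shortcut are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers shown on this page with defanging brackets
# removed, [removed] values replaced by placeholders, and the body omitted.
SAMPLE_RAW = """Received: from hmrc-invoice.co.uk ([128.127.111.193] verified)
  by mx.example.net for victim@example.net; Mon, 02 Jul 2018 17:41:57 +0300
Received-SPF: pass
  receiver=mx.example.net; client-ip=128.127.111.193; envelope-from=Natalie.Brat-victim@example.net@hmrc-invoice.co.uk
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=hmrc-invoice.co.uk;
  h=Mime-Version:Date:To:Subject:From:Content-Type:Message-ID;
  bh=mow3w55DA/VV1IkNgMakIlPYsXs=;
  b=fZLJrs0z2fsIOzBilK01aKmebFGwy8ms4UpCdfGf/I+y5LqF4fWeocoDNnFidWjn3ELKxzwE6oQD
  WPwE/DsRiBrqfPgcTJ3RmXwl7U7/M7dsa97VE+Qh066IczoagYFE5m9OVZixFddSbgLKDSO+QmuC
  W29tvmrt48bU4+T+o2Q=
Received: by hmrc-invoice.co.uk id h78t0ed5nv49 for victim@example.net; Mon, 2 Jul 2018 10:29:06 -0400 (envelope-from <Natalie.Brat-victim@example.net@hmrc-invoice.co.uk>)
Mime-Version: 1.0
Date: Mon, 2 Jul 2018 10:29:06 -0400
To: victim@example.net
Subject: RE: Invoice
From: "HMRC Invoice" <Natalie.Brat@hmrc-invoice.co.uk>
Content-Type: multipart/mixed; boundary=280b5443f95a2bc6ed8e8cdc9ad20ec0
Message-ID: <0.0.E.0.1D4121108ADAB50.14BCBFF0@hmrc-invoice.co.uk>

"""

# Assumed brand table: brand token -> domains the brand legitimately mails from.
# Illustrative only; a real deployment loads a maintained list.
BRANDS = {
    "hmrc": {"hmrc.gov.uk", "gov.uk"},
    "paypal": {"paypal.com"},
}


def _unfold(value):
    """Collapse folded header continuation lines into a single line."""
    return re.sub(r"\s+", " ", value or "").strip()


def _tag(text, key):
    """Pull key=value out of a ';'/space separated header (SPF and DKIM use this form)."""
    m = re.search(r"(?:^|[;\s])" + re.escape(key) + r"=([^;\s]+)", text or "")
    return m.group(1) if m else None


def registered_domain(domain):
    """Crude eTLD+1: last two labels, or three for two-part suffixes like co.uk.
    Assumption for the demo; use a public-suffix library in production."""
    labels = domain.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_lookalike(domain, brands=BRANDS):
    """Return the brand token the domain imitates, or None if it is the brand's own domain."""
    reg = registered_domain(domain)
    tokens = set(re.split(r"[.\-]", domain.lower()))
    for brand, legit in brands.items():
        if brand in tokens and reg not in legit:
            return brand
    return None


def parse_auth(raw):
    """Extract sender identity and authentication results from raw headers."""
    msg = message_from_string(raw)
    spf = _unfold(msg.get("Received-SPF"))
    dkim = _unfold(msg.get("DKIM-Signature"))
    _display, from_addr = parseaddr(msg.get("From", ""))
    ips = []  # IPs seen in Received hops, outermost first, deduplicated
    for hop in msg.get_all("Received", []):
        for ip in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", _unfold(hop)):
            if ip not in ips:
                ips.append(ip)
    return {
        "subject": _unfold(msg.get("Subject")),
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "spf_result": spf.split(" ")[0].lower() if spf else None,
        "spf_client_ip": _tag(spf, "client-ip"),
        "envelope_from": _tag(spf, "envelope-from"),
        "dkim_domain": _tag(dkim, "d"),
        "dkim_selector": _tag(dkim, "s"),
        "received_ips": ips,
    }


def triage(raw, brands=BRANDS):
    """Return human-readable findings; an empty list means nothing stood out."""
    a = parse_auth(raw)
    findings = []
    brand = brand_lookalike(a["from_domain"], brands)
    if brand:
        findings.append(f"From domain {a['from_domain']} is a lookalike of '{brand}'")
    if brand and a["spf_result"] == "pass" and a["dkim_domain"] == a["from_domain"]:
        findings.append("SPF pass and aligned DKIM only prove the sender controls the lookalike domain")
    if a["envelope_from"] and a["envelope_from"].count("@") > 1:
        findings.append("envelope-from embeds a second address (recipient tagging in the return path)")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_RAW):
        print(line)
```

The point of the third finding is that the return path is built per recipient, which is a mass-mailing tell; the first two are the reason SPF and DKIM results should be read together with the domain's age, registrant and resemblance to a brand rather than as a verdict on their own.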
INFECTION TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
NETWORK TRAFFIC FROM MY INFECTED WINDOWS HOST:
- 75.98.175[.]108 port 80 - 25kstartups[.]com - GET /sec.bin
- 75.98.175[.]108 port 80 - www.25kstartups[.]com - GET /sec.bin
- port 80 - ipecho[.]net - GET /plain
- 138.34.32[.]74 port 443 - SSL/TLS traffic caused by Trickbot
- 94.103.81[.]144 port 447 - SSL/TLS traffic caused by Trickbot
- 109.234.34[.]106 port 443 - SSL/TLS traffic caused by Trickbot
- 104.193.252[.]163 port 443 - SSL/TLS traffic caused by Trickbot
- 188.124.167[.]132 port 8082 - 188.124.167[.]132:8082 - POST /ser0702/[hostname]_W617601.[unique string]/90
- 109.234.36[.]103 port 80 - 109.234.36[.]103 - GET /table.png
- 109.234.36[.]103 port 80 - 109.234.36[.]103 - GET /toler.png
- 109.234.36[.]103 port 80 - 109.234.36[.]103 - GET /worming.png
- 109.234.36[.]103 port 80 - 109.234.36[.]103 - GET /toler.png
- 188.124.167[.]132 port 8082 - 188.124.167[.]132 - POST /ser0702/[hostname]_W617601.[unique string]/81/
- 188.124.167[.]132 port 8082 - 188.124.167[.]132 - POST /ser0702/[hostname]_W617601.[unique string]/82/
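The block list earlier on this page and the traffic list above describe the same HTTP activity. The script below is an added example, not from the original page: it turns the page's full and partial URLs into a matcher, adds a regex for the Trickbot C2 URI shape seen in the POST requests (/<gtag>/<hostname>_W<OS version>.<unique string>/<command>/, with W617601 encoding Windows 6.1 build 7601), and runs both over a few constructed proxy-log lines. The log format, the sample lines, and the addresses used for hosts not on this page (192.0.2.10 and 203.0.113.5) are assumptions made for the demo.

```python
import re

# Block list from this page, refanged. Entries ending in "/" are prefixes
# (the page's partial URLs); every other entry must match exactly.
BLOCK_LIST = [
    "http://25kstartups.com/sec.bin",
    "http://winandgo-dz.com/sec.bin",
    "http://109.234.36.103/table.png",
    "http://109.234.36.103/toler.png",
    "http://109.234.36.103/worming.png",
    "http://188.124.167.132/ser0702/",
    "http://188.124.167.132:8082/ser0702/",
]

# Trickbot C2 URI: /<gtag>/<hostname>_W<osver>.<unique id>/<command>/
# e.g. /ser0702/WIN7PC_W617601.1A2B3C4D5E6F/90 (hostname and id are made up).
TRICKBOT_C2_RE = re.compile(
    r"^/(?P<gtag>[A-Za-z]+\d+)/"                   # campaign tag, "ser0702" here
    r"(?P<host>[^_/]+)_W(?P<osver>\d{5,6})\."       # hostname_W617601
    r"(?P<uid>[^/]+)/(?P<cmd>\d+)/?$"               # unique string, then command number
)

BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed proxy log: "<ts> <src> <dst:port> <method> <host header> <path>".
# Hosts not on this page use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2018-07-02T14:31:02Z 10.7.2.101 75.98.175.108:80 GET 25kstartups.com /sec.bin
2018-07-02T14:31:05Z 10.7.2.101 75.98.175.108:80 GET www.25kstartups.com /sec.bin
2018-07-02T14:31:20Z 10.7.2.101 192.0.2.10:80 GET ipecho.net /plain
2018-07-02T14:31:44Z 10.7.2.101 94.103.81.144:447 CONNECT 94.103.81.144:447 -
2018-07-02T14:32:10Z 10.7.2.101 188.124.167.132:8082 POST 188.124.167.132:8082 /ser0702/WIN7PC_W617601.1A2B3C4D5E6F/90
2018-07-02T14:32:15Z 10.7.2.101 109.234.36.103:80 GET 109.234.36.103 /table.png
2018-07-02T14:32:16Z 10.7.2.101 109.234.36.103:80 GET 109.234.36.103 /worming.png
2018-07-02T14:33:01Z 10.7.2.101 188.124.167.132:8082 POST 188.124.167.132:8082 /ser0702/WIN7PC_W617601.1A2B3C4D5E6F/81/
2018-07-02T14:33:30Z 10.7.2.101 203.0.113.5:80 GET www.example.com /index.html
"""


def url_matches_block_list(host, port, path, block_list=BLOCK_LIST):
    """True when host/port/path hits a full URL or a partial (prefix) entry.
    A leading "www." is dropped because the page shows both 25kstartups.com
    and www.25kstartups.com serving /sec.bin."""
    host = host.split(":")[0].lower()
    if host.startswith("www."):
        host = host[4:]
    url = f"http://{host}{path}" if port == 80 else f"http://{host}:{port}{path}"
    for entry in block_list:
        if entry.endswith("/") and url.startswith(entry):
            return True
        if url == entry:
            return True
    return False


def classify(line):
    """Tags for one log line; an empty list means nothing matched."""
    _ts, _src, dst, method, host, path = line.split()
    port = int(dst.rpartition(":")[2])
    tags = []
    if url_matches_block_list(host, port, path):
        tags.append("blocklist")
    m = TRICKBOT_C2_RE.match(path)
    if method == "POST" and m:
        tags.append(f"trickbot-c2:cmd={m.group('cmd')}")
    # The modules on this page were fetched as .png files from a bare-IP host.
    if method == "GET" and path.endswith(".png") and BARE_IP_RE.match(host.split(":")[0]):
        tags.append("module-download-bare-ip")
    if host == "ipecho.net" and path == "/plain":
        tags.append("external-ip-check")
    if port in (447, 8082):  # the non-standard ports seen in this infection
        tags.append(f"unusual-port:{port}")
    return tags


def scan(log_text):
    """Run classify() over every line; return [(line_number, tags)] for hits only."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            tags = classify(line)
            if tags:
                hits.append((n, tags))
    return hits


if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG):
        print(n, ", ".join(tags))
```

The exact-URL entries catch only this campaign; the regex and the bare-IP .png rule are the parts worth keeping, since the gtag, hostname and unique string change from victim to victim while the URI shape does not.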
MALWARE
MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:
- SHA256 hash: 99e5d62bf30a17c4ce8ba5720573338a4cb26863d17a0f61e370618fc5e75adf
File size: 86,528 bytes
File name: invoice.doc
File description: Attached Word doc with macro to cause Trickbot infection
- SHA256 hash: c2438bf316d3221fc2fbefd2a7811979005d30d09f2f3e9c09247199fc16f417
File size: 397,312 bytes
File location: C:\Users\[username]\AppData\Roaming\sysmon\mxxbgh.exe
File location: C:\Users\[username]\AppData\Local\Temp\mxxbgh.exe
File description: Trickbot malware binary
IMAGES
Shown above: Files created on an infected Windows client.