2018-11-12 - TRICKBOT MALSPAM TARGETING UNITED STATES RECIPIENTS (GTAG: SAT100)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Email example:  2018-11-12-example-of-malspam-pushing-Trickbot.eml.zip   181 kB (180,879 bytes)

• 2018-11-12-example-of-malspam-pushing-Trickbot.eml   (290,084 bytes)

• Traffic:  2018-11-12-Trickbot-infection-traffic-gtag-sat100.pcap.zip   8.4 MB (8,407,574 bytes)

• 2018-11-12-Trickbot-infection-traffic-gtag-sat100.pcap   (9,908,247 bytes)

• Malware and artifacts:  2018-11-12-malware-and-artifacts-from-Trickbot-infection.zip   14.7 MB (14,711,092 bytes)

• 2018-11-12-attached-Word-doc-with-macro-for-Trickbot.doc   (209,920 bytes)
• 2018-11-12-Trickbot-malware-binary.exe   (592,384 bytes)
• socketvision/compatibility.ini   (36,031 bytes)
• socketvision/tmp119.exe   (592,384 bytes)
• socketvision/Data/importDll64   (8,952,080 bytes)
• socketvision/Data/injectDll64   (982,992 bytes)
• socketvision/Data/injectDll64_configs/dinj   (70,960 bytes)
• socketvision/Data/injectDll64_configs/dpost   (880 bytes)
• socketvision/Data/injectDll64_configs/sinj   (73,312 bytes)
• socketvision/Data/mailsearcher64   (27,824 bytes)
• socketvision/Data/mailsearcher64_configs/mailconf   (240 bytes)
• socketvision/Data/networkDll64   (22,704 bytes)
• socketvision/Data/networkDll64_configs/dpost   (880 bytes)
• socketvision/Data/pwgrab64   (1,106,256 bytes)
• socketvision/Data/pwgrab64_configs/dpost   (880 bytes)
• socketvision/Data/shareDll64   (45,280 bytes)
• socketvision/Data/systeminfo64   (87,728 bytes)
• socketvision/Data/tabDll64   (2,432,864 bytes)
• socketvision/Data/tabDll64_configs/dpost   (880 bytes)
• socketvision/Data/wormDll64   (59,168 bytes)

NOTES:

• Curious about Trickbot?  Read the following post written by @hasherezade published earlier today on the Malwarebytes blog:  What's new in TrickBot? Deobfuscating elements

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and partial URL:

• hxxp[:]//46.173.218[.]172/alfa.gir
• hxxp[:]//46.173.218[.]175/alfa.gir
• hxxp[:]//192.227.186[.]151/radiance.png
• hxxp[:]//192.227.186[.]151/table.png
• hxxp[:]//192.227.186[.]151/worming.png
• hxxp[:]//24.247.181[.]125/sat100/

 

EMAIL

Shown above:  Example of an email pushing Trickbot on Monday, 2018-11-12.

 

EXAMPLES OF THE MALSPAM (READ: DATE/TIME -- ATTACHMENT NAME -- SUBJECT LINE):

• 2018-11-12 16:45 UTC -- Attachment: Invoice-65213.doc -- Subject: Payment data. Order c5352
• 2018-11-12 16:46 UTC -- Attachment: Invoice-65213.doc -- Subject: Payment invoice. Transaction b6825
• 2018-11-12 17:21 UTC -- Attachment: Invoice-65201.doc -- Subject: Payment receipt. Order l8573
• 2018-11-12 17:22 UTC -- Attachment: Invoice-65206.doc -- Subject: Payment info. Transaction p8059
• 2018-11-12 17:23 UTC -- Attachment: Invoice-65220.doc -- Subject: Financial Operation data. Transaction a8077
• 2018-11-12 17:23 UTC -- Attachment: Invoice-65211.doc -- Subject: Transaction information. Transaction s6191
• 2018-11-12 17:23 UTC -- Attachment: Invoice-65206.doc -- Subject: Financial Operation invoice. Order y8763
• 2018-11-12 17:24 UTC -- Attachment: Invoice-65209.doc -- Subject: Financial Operation information. Transaction z6054
• 2018-11-12 17:24 UTC -- Attachment: Invoice-65207.doc -- Subject: Payment receipt. Transaction n5910
• 2018-11-12 17:24 UTC -- Attachment: Invoice-65207.doc -- Subject: Suspected Spam: Payment information. Transaction t6876
• 2018-11-12 17:24 UTC -- Attachment: Invoice-65207.doc -- Subject: Transaction info. Transaction d5065
• 2018-11-12 17:25 UTC -- Attachment: Invoice-65209.doc -- Subject: Financial Operation data. Order w2105
• 2018-11-12 17:25 UTC -- Attachment: Invoice-65209.doc -- Subject: Financial Operation info. Transaction g1236
• 2018-11-12 17:25 UTC -- Attachment: Invoice-65206.doc -- Subject: Transaction information. Order h2559
• 2018-11-12 17:26 UTC -- Attachment: Invoice-65208.doc -- Subject: Transaction receipt. Transaction n6137
• 2018-11-12 17:26 UTC -- Attachment: Invoice-65206.doc -- Subject: Transaction info. Transaction a6795
• 2018-11-12 17:26 UTC -- Attachment: Invoice-65207.doc -- Subject: Payment receipt. Transaction y3625
• 2018-11-12 17:27 UTC -- Attachment: Invoice-65205.doc -- Subject: Transaction receipt. Transaction z3406
• 2018-11-12 17:32 UTC -- Attachment: Invoice-65205.doc -- Subject: Payment information. Transaction i8922
• 2018-11-12 17:32 UTC -- Attachment: Invoice-65201.doc -- Subject: Payment info. Order c3096
• 2018-11-12 17:46 UTC -- Attachment: Transaction_identity-006.doc -- Subject: Financial Operation info. Order i4208
• 2018-11-12 17:48 UTC -- Attachment: Transaction_identity-001.doc -- Subject: Financial Operation data. Order i3710
• 2018-11-12 17:48 UTC -- Attachment: Transaction_identity-001.doc -- Subject: Financial Operation invoice. Transaction a6192
• 2018-11-12 17:49 UTC -- Attachment: Transaction_identity-001.doc -- Subject: Financial Operation info. Order z7966
• 2018-11-12 17:49 UTC -- Attachment: Transaction_identity-001.doc -- Subject: Transaction information. Transaction n4792
• 2018-11-12 17:49 UTC -- Attachment: Transaction_identity-001.doc -- Subject: Transaction data. Transaction q3376
• 2018-11-12 17:49 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Financial Operation information. Order b2026
• 2018-11-12 17:49 UTC -- Attachment: Transaction_identity-017.doc -- Subject: Payment invoice. Order a3709
• 2018-11-12 17:49 UTC -- Attachment: Transaction_identity-017.doc -- Subject: Payment receipt. Transaction i6813
• 2018-11-12 17:49 UTC -- Attachment: Transaction_identity-017.doc -- Subject: Payment invoice. Order x4823
• 2018-11-12 17:50 UTC -- Attachment: Transaction_identity-001.doc -- Subject: Payment info. Order l7069
• 2018-11-12 17:50 UTC -- Attachment: Transaction_identity-001.doc -- Subject: Financial Operation information. Order g8769
• 2018-11-12 17:50 UTC -- Attachment: Transaction_identity-017.doc -- Subject: Payment information. Order m1271
• 2018-11-12 17:50 UTC -- Attachment: Transaction_identity-017.doc -- Subject: Transaction data. Transaction c3797
• 2018-11-12 17:50 UTC -- Attachment: Transaction_identity-010.doc -- Subject: Financial Operation information. Order h4104
• 2018-11-12 17:50 UTC -- Attachment: Transaction_identity-017.doc -- Subject: Transaction info. Transaction x7467
• 2018-11-12 17:51 UTC -- Attachment: Transaction_identity-017.doc -- Subject: Financial Operation information. Transaction j3765
• 2018-11-12 17:51 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Transaction invoice. Order j3389
• 2018-11-12 17:51 UTC -- Attachment: Transaction_identity-010.doc -- Subject: Transaction receipt. Transaction z8573
• 2018-11-12 17:51 UTC -- Attachment: Transaction_identity-010.doc -- Subject: Transaction information. Order f6109
• 2018-11-12 17:51 UTC -- Attachment: Transaction_identity-010.doc -- Subject: Transaction receipt. Transaction i2894
• 2018-11-12 17:51 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Payment info. Order o1905
• 2018-11-12 17:53 UTC -- Attachment: Transaction_identity-001.doc -- Subject: Transaction invoice. Order y9584
• 2018-11-12 17:53 UTC -- Attachment: Transaction_identity-010.doc -- Subject: transaction information. transaction j2274
• 2018-11-12 17:54 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Transaction data. Order c3742
• 2018-11-12 17:55 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Payment information. Transaction j7707
• 2018-11-12 17:58 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Payment info. Order p3608
• 2018-11-12 17:59 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Transaction data. Order z4482
• 2018-11-12 18:02 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Transaction data. Order s6143
• 2018-11-12 18:02 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Transaction information. Transaction a9552
• 2018-11-12 18:06 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Payment information. Order v6026
• 2018-11-12 18:07 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Payment receipt. Order i1734
• 2018-11-12 18:10 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Financial Operation information. Order g7140
• 2018-11-12 18:10 UTC -- Attachment: Transaction_identity-007.doc -- Subject: Payment receipt. Transaction c8555
• 2018-11-12 18:15 UTC -- Attachment: Transaction_identity-001.doc -- Subject: Financial Operation receipt. Order f8275
• 2018-11-12 19:04 UTC -- Attachment: Invoice-65220.doc -- Subject: Financial Operation receipt. Transaction i4179
• 2018-11-12 19:07 UTC -- Attachment: Invoice-65220.doc -- Subject: Payment information. Order o9044
• 2018-11-12 19:18 UTC -- Attachment: Transaction_identity-015.doc -- Subject: Payment receipt. Order o2434
• 2018-11-12 19:18 UTC -- Attachment: Transaction_identity-015.doc -- Subject: Financial Operation data. Order y9478
• 2018-11-12 19:49 UTC -- Attachment: Invoice-65216.doc -- Subject: Transaction information. Order n1937
• 2018-11-12 19:49 UTC -- Attachment: Invoice-65216.doc -- Subject: Transaction receipt. Order k9935

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 46.173.218[.]172 port 80 - 46.173.218[.]172 - GET /alfa.gir
• port 443 - api.ip[.]sb - IP address check by the infected host (not inherently malicious)
• port 80 - checkip.amazonaws[.]com - IP address check by the infected host (not inherently malicious)
• port 80 - api.ipify[.]org - IP address check by the infected host (not inherently malicious)
• port 80 - icanhazip[.]com - IP address check by the infected host (not inherently malicious)
• 190.145.74[.]84 port 449 - SSL/TLS traffic caused by Trickbot
• 72.189.124[.]41 port 449 - SSL/TLS traffic caused by Trickbot
• 5.135.37[.]87 port 447 - SSL/TLS traffic caused by Trickbot
• 24.247.181[.]125 port 8082 - 24.247.181[.]125 - POST /sat100/[long string of numbers]
• 192.227.186[.]151 port 80 - 192.227.186[.]151 - GET /radiance.png
• 192.227.186[.]151 port 80 - 192.227.186[.]151 - GET /table.png

 

MALWARE

SHA256 HASHES FOR THE ATTACHED WORD DOCUMENTS:

• 11aeefc7d8b417b70c733ee5566ce144b43d0d487d5474be8af33f72e360f833 - 209,920 bytes
• 2adfb28fd7e46eeea6315204a633b2992050e205f1d1c1499a524af82f0fc064 - 209,920 bytes - used for today's infection
• 3d6e4088b34f754102596b632ca0ba240c71bea4f37ef4b87024e390d16800a5 - 209,920 bytes
• 402e66628c24672327a5fd4070502d3d27e1306840e527e13a5bd382a9075eb7 - 209,920 bytes
• 4c037afa8604b43519a9daa7531f9a26ba95ea198f94d5f01a41ef8e08475a49 - 209,920 bytes
• 5a490751a9bfb030756c58779997830a7b16ef1eb6a68d685569a6421727e994 - 209,920 bytes
• 5b537a7691a7f4ea64fd902394d912a7eb69a152445f4d752c310e12479bf056 - 209,920 bytes
• 604d214f9af1f86d58ae88ce1ca45d384e23cd1eb435187753e868401356118e - 209,920 bytes
• 6dcebcb3edd5462d9e1e7d1648311668337adc4734796766f7ca99c9f5214aa0 - 209,920 bytes
• 8ca2449b42d6074ea5975ab1e67dadc025b636b9bf011fdcaecde867e4c54053 - 209,920 bytes
• b355d2c656a46da49f2092e38ef4c6bbf4acd0518863e2f82db30079c9508c83 - 209,920 bytes
• d3e79d9e3102a4e21e9693f626ba94f83a73a2f45418c24e3a4fe0ad63a8eac1 - 209,920 bytes
• dcf83e2bf09d931afe4601392cb028f8b8c31e69222a0bc8208510ac1ae1fa69 - 209,920 bytes
• dd7010c0dd588a1c00aa2f0f3c3b438ac8548dac9ec6e826a7a6e070a693b320 - 209,920 bytes
• dd8a153516bf82b5919d35aaf86298549ce5b6ec4d5e41b6b4755fb932d2dfad - 209,920 bytes
• f6d48c6c1b37e2da29569f47ccc4bafd1fbb0e62e5576f769c83efa180380320 - 209,920 bytes
• fd125864d690acd7841bddffb25632a2648256bf0dea8d33c516a33724a65751 - 209,920 bytes
• ffddf2919cee8166c2018afc0015d95150c1448e036ab7d4e00995881ee2ff48 - 209,920 bytes

TRICKBOT MALWARE BINARY (GTAG: SAT100):

• SHA256 hash:  24d775cde5e5b069948e25d7e38ba2bc41326e5a06ef33c653b958956ce8bab6
  File size:  592,384 bytes

 

IMAGES

Shown above:  Trickbot persistent on an infected Windows host.

 

Shown above:  Trickbot modules on an infected Windows host.

 

Click here to return to the main page.