Scribd Logo
Upload

Welcome to Scribd!

  • 2021 02 23 Trickbot IOCs

    Uploaded by

    Ezequiel Junior
    6 views3 pages
    This document contains information about a Trickbot infection, including malware file names and hashes, command and control server IP addresses, and URLs and traffic captured by a Fiddler proxy. Key details identified include Trickbot payloads and additional downloaded files like pwgrab64 used for credential theft, and the C2 infrastructure communicating over ports 443 and 449.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document contains information about a Trickbot infection, including malware file names and hashes, command and control server IP addresses, and URLs and traffic captured by a Fiddler proxy. Key details identified include Trickbot payloads and additional downloaded files like pwgrab64 used for credential theft, and the C2 infrastructure communicating over ports 443 and 449.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    6 views3 pages

    2021 02 23 Trickbot IOCs

    Uploaded by

    Ezequiel Junior
    This document contains information about a Trickbot infection, including malware file names and hashes, command and control server IP addresses, and URLs and traffic captured by a Fiddler proxy. Key details identified include Trickbot payloads and additional downloaded files like pwgrab64 used for credential theft, and the C2 infrastructure communicating over ports 443 and 449.

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    THREAT IDENTIFICATION: TRICKBOT

    TRICKBOT GTAG
    gtag: rob16

    SUBJECTS OBSERVED
    Important Notification: Precept # 6423
    Important Notification: Precept # 8251

    SENDERS OBSERVED
    kevin.blough@pwstores.com

    MALDOC FILE NAMES


    Attach_2024121422_59606374.xls
    ef149fa0e847a59880b1fc0b6b1977f1

    Attach_452701361_1806650968.xls
    21c92b5f324f5c301e8911c39c24d0e5

    MALDOC FILE HASHES


    ef149fa0e847a59880b1fc0b6b1977f1
    21c92b5f324f5c301e8911c39c24d0e5

    TRICKBOT PAYLOAD URLS


    http://bearcatpumps.com.cn/css/tolkio.php

    TRICKBOT PAYLOAD FILE HASHES


    10.point
    884dab96c679194fc5140322d5ce9e9d

    TRICKBOT C2
    https://102.164.211.138:449
    https://103.119.117.42:443
    https://103.146.2.152:449
    https://103.73.101.98:449
    https://103.76.20.226:443
    https://103.84.164.87:443
    https://103.91.244.102:449
    https://108.170.20.72:443
    https://111.235.66.83:443
    https://117.212.193.62:449
    https://118.67.216.238:449
    https://154.79.252.132:449
    https://167.179.194.205:443
    https://168.232.188.88:449
    https://173.81.4.147:449
    https://177.47.88.62:443
    https://178.54.230.164:443
    https://179.191.108.58:449
    https://179.60.243.52:443
    https://182.48.66.106:443
    https://185.234.72.84:443
    https://186.195.199.238:449
    https://187.19.200.154:449
    https://187.190.116.59:443
    https://190.119.167.154:447
    https://190.152.71.230:443
    https://200.6.169.124:443
    https://201.184.190.59:449
    https://202.142.151.190:449
    https://221.176.88.201:449
    https://36.92.93.5:449
    https://36.94.202.131:443
    https://37.235.230.123:449
    https://45.234.248.66:449
    https://79.122.166.236:449
    https://80.78.75.246:443
    https://80.78.77.116:449
    https://85.159.214.61:443

    TRICKBOT ADDITIONAL DOWNLOAD FILE HASH


    pwgrab64
    f653abaab18c36ad20bfc369f2a87fd3

    shareDll64
    7e40b08dc13256e67b4d94080f4d9a24

    networkDll64
    c9e79d2f60b6630116aaee9abb02a06f

    TRICKBOT CONFIG FILE


    serviceworker.txt
    e8e485ac450f7daac1dc7e245b52b8f9

    FIDDLER TRAFFIC CAPTURE


    http://bearcatpumps.com.cn/css/tolkio.php
    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/
    authrootstl.cab?0a882b783b913a3b
    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/
    authrootstl.cab?184cc342f3942d16
    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/
    disallowedcertstl.cab?06cb81692939b5c4
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    5/kps/
    https://api.ipify.org/?format=text
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    0/Windows 7 x64
    SP1/1103/104.140.52.99/B7E4CBA0AC3BFD329AB910D91B19E896CD3FC46BD43AB29ED7A447624A92
    BB20/RHEoK375rj75w4i8c4jzFbP/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    14/user/analyst/0/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    14/path/C:\Users\analyst\AppData\Roaming\InternetFreeDownloadManager2420202460\
    kiTDCSqy.dwn/0/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    23/2000026/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    14/DNSBL/not listed/0/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    14/NAT status/client is behind NAT/0/
    https://190.119.167.154:447/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    5/pwgrab64/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    5/dpost/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    10/62/BRHJHVXVPLJHF/1/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    64/pwgrab/VERS//
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    1/0CEi2SaSK2UUawMI/
    https://190.119.167.154:447/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    5/networkDll64/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    64/pwgrab/DEBG//
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    64/networkDll/NETWORKDLL//
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    64/pwgrab/DPST//
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    10/62/498676/1/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    63/networkDll/start///
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    1/ZfpWRo3y9CYJUP5mhsYzAPlSNc/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    10/62/498678/1/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    14/pwgrab/sTart pwgrab working/0/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    1/37XXLjnvjJBF7hpdV5D1t/
    https://190.119.167.154:447/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    5/shareDll64/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    10/62/498680/1/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    63/shareDll/infect///
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    1/X3aZmjqEHORjwzwKXUXz25CQdah58FIa/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    1/N6eGDam7vAIJRAxltgLTjXr/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    1/fzvdjpP39DrVddHv15lLRV9n/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    1/3LhVndDNXJ97PFt3Lzlv5rh/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    1/Llnjh1nd9vB53JdvRlXNtfvln3NfBVD7/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    1/BFrLVJ75FTHFTH53dRFDRBPNbPDB/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    1/y0ckaASyoggo64u2UIaGKWowYM2Am/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    1/LPt7fzRz9nJT1LnLZpft3hDNvFhFPjZ/
    https://186.195.199.238:449/rob16/WIN7PC_W617601.51CB3CF6B57C9F7F6675DC98BB8EBDFA/
    1/AAy1wBMETeZlwr6E9O/

    You might also like