Trickbot IOC list -2021

0

Trickbot is computer malware, a trojan for Microsoft Windows and other operating systems. Its major function was originally the theft of banking details and other credentials, but its operators have extended its capabilities to create a complete modular malware ecosystem. Below are the latest signs of indicators.

Credits : Research by ExecuteMalware

Indicators of compromise

THREAT IDENTIFICATION: TRICKBOT

ANALYST NOTES
Downloaded modules:
pwgrab64
shareDll64
tabDll64
wormDll64

SUBJECTS OBSERVED
[STK] Hadfields INVOICE- Ref: 739241 A

SENDERS OBSERVED
sales@globextratech [.]com

MALDOC FILE NAMES
Upload_737160487_1591215127 [.]xls
4023f96dfa75f5ab44da157f085e8db1

Upload_747556100_1817075317 [.]xls
d38d3ee1983b5d2bb504b341846f4cea

MALDOC FILE HASHES
4023f96dfa75f5ab44da157f085e8db1
d38d3ee1983b5d2bb504b341846f4cea

TRICKBOT PAYLOAD URLS
http://beachtreepestcontrol [.]com/viewer/counter [.]php

TRICKBOT PAYLOAD FILE HASHES
10 [.]counter
5e3ac60f9af6bd3b89111fc54fb64293

TRICKBOT C2
https://103 [.]76 [.]20 [.]226
https://114 [.]34 [.]226 [.]52:447

TRICKBOT ADDITONAL PAYLOAD URL
http://194 [.]5 [.]249 [.]113/images/control [.]png

ADDITIONAL PAYLOAD FILE HASH
control [.]png
7546faae3f2b31e132ea54ac9fabdd15

FIDDLER TRAFFIC CAPTURE
http://beachtreepestcontrol [.]com/viewer/counter [.]php
http://0php/
http://179 [.]191 [.]108 [.]58:449
http://190 [.]152 [.]71 [.]230:443
http://103 [.]76 [.]20 [.]226:443
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/kps/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/0/Windows%207%20×64%20SP1/1104/62 [.]182 [.]99 [.]61/B7E4CBA0AC3BFD329AB910D91B19E896CD3FC46BD43AB29ED7A447624A92BB20/lvHnrrDdvzXXtxxJJf5ddzz3LPllNj/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/user/analyst/0/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/path/C:%5CUsers%5Canalyst%5CAppData%5CRoaming%5CWInternetDownloadManager8868080426%5Cmwgrtfem [.]dwn/0/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/23/2000026/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/DNSBL/not%20listed/0/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/NAT%20status/client%20is%20behind%20NAT/0/
https://114 [.]34 [.]226 [.]52:447/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/pwgrab64/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/dpost/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/64/pwgrab/VERS//
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/10/62/VPXZFFBXPHLLBNZFFVV/1/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/IQUEyiSUEyiSCEyiSCwyiSCwgiSC/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/10/62/541889/1/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/64/pwgrab/DEBG//
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/pwgrab/sTart%20pwgrab%20working/0/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/64/pwgrab/DPST//
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/EJMe0Qi4Um8QmCUqGYuKcyGc2Kg6Ok2/
https://114 [.]34 [.]226 [.]52:447/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/tabDll64/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/64/tabDll/InfMach/infect/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/10/62/541904/1/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/63/tabDll/infect///
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/tabDll64/reload1/0/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/9LRhJZl1VhxDp1pP1/
https://114 [.]34 [.]226 [.]52:447/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/wormDll64/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/10/62/541910/1/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/63/wormDll/infect///
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/lJxZFjL1V7bDtNzf9lFvX1dJnP5Z/
https://114 [.]34 [.]226 [.]52:447/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/shareDll64/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/10/62/541911/1/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/63/shareDll/infect///
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/xZ9vLvh7dTtPf5fRrRDd/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/ZDRfhhfhhfhhffdf/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/D1wQ2WCoIya4gMqSwcEiO0U6a/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/vXnR5N1bFtBpT3hLdHvV9n5j/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/DpHpPXFB9DvVDLXFxxfJFd/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/mlWcACkqsQSY68EmoMSU2/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/ZPNVlTBXFtnvZHDL3tbfbJ1Hz/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/1phdbZPNLxvt3hfdZDB/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/06tf9dPtN9dTtN9d7tNDd/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/gKKGmIoIoKqMqMsOuQuQwSy/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/rjfBTbtl3LHLdvb5Nf/

SUPPORTING EVIDENCE
https://urlhaus [.]abuse [.]ch/browse [.]php?search=http%3A%2F%2Fbeachtreepestcontrol [.]com%2Fviewer%2Fcounter [.]php
https://urlhaus [.]abuse [.]ch/browse [.]php?search=control [.]png

Previous articleBlackBerry’s PE Tree Tool for Malware Reverse Engineers
Next articleThreat Intelligence – Buerloader Malware Latest IOCs
BalaGanesh
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here