
Showing posts from February, 2019

Emotet February 2019 Wk 4 C2i

OTX Pulse: https://otx.alienvault.com/pulse/5c74e87bf481ce4d9544c4ef

TrickBot Execution Flow

Step by step

In this post, we go through a step-by-step look at the execution flow of the latest TrickBot variant. I'll skip some of the more basic stuff and get to the parts that are interesting. To get you started, I have summed it up in this diagram; it shows the entire flow, but as I said earlier, we'll skip over some of the steps.

[Figure: TrickBot execution stages]

I'll start off with some of the interesting bits. In the code below, you can see that the malware uses some very clever ways to get around the local anti-malware software, which in this case happens to be Windows Defender. To start with, it simply tries to stop the service. Then it moves on to deleting the service altogether.

[Figure: Stop the Defender service]
[Figure: Delete the Defender service]

Then the malware moves on to an interesting approach. It uses PowerShell to disable the 'Real-time Monitoring' feature of the application, which would allow the malware to execute without being detected at all.

TrickBot Feb 2019 C2i and Configs

Article by Vishal Thakur

OTX Pulse: https://otx.alienvault.com/pulse/5c64d81e6308ea2ac9e351c1

Configs: iGroup