2017-06-12 - MALSPAM PUSHING TRICKBOT FROM .WSF FILES

ASSOCIATED FILES:

NOTES:

 

EMAIL


Shown above: An example of the emails.


6 EMAIL EXAMPLES:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT -- ZIP IN THE ZIP -- EXTRACTED .WSF FILE

 

MALWARE


Shown above: The attached zip archive contains another zip archive which, in turn, contains a Windows Script File (WSF) file.
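
A mail-gateway or triage check for the zip-in-zip delivery described above, as an added example that is not part of the original page: it walks an attachment in memory, recurses into nested archives, and reports any script file (such as .wsf) found inside. The sample attachment is constructed here to mirror the described structure; the file names are assumptions, not names from the page.

```python
import io
import zipfile

# Script extensions commonly delivered by malspam; .wsf is the one this page documents.
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh"}
ZIP_MAGIC = b"PK\x03\x04"


def find_script_files(zip_bytes, prefix="", depth=0, max_depth=3):
    """Return the archive path of every script file in a zip, descending into
    nested zips up to max_depth levels (guards against zip-bomb style nesting)."""
    hits = []
    if depth > max_depth:
        return hits
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            data = zf.read(info)
            if data.startswith(ZIP_MAGIC):
                # Nested archive: recurse and keep the full path for the report.
                hits.extend(find_script_files(data, path + "/", depth + 1, max_depth))
            elif any(info.filename.lower().endswith(ext) for ext in SCRIPT_EXTS):
                hits.append(path)
    return hits


def build_sample_attachment():
    """Constructed sample (not a real attachment): outer zip -> inner zip -> .wsf."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        # Hypothetical file name; a harmless, empty WSF skeleton.
        z.writestr("Invoice_Details.wsf", "<job><script language='JScript'></script></job>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_Details.zip", inner.getvalue())
        z.writestr("readme.txt", "benign text file")
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_script_files(build_sample_attachment()):
        print("script file inside attachment:", hit)
```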

 

SHA256 HASHES FOR THE ZIP ATTACHMENTS:

SHA256 HASHES FOR THE EXTRACTED .WSF FILES:

TRICKBOT SAMPLE:

 

OTHER MALWARE NOTED:

 

TRAFFIC

URLS FROM THE .WSF FILES TO DOWNLOAD TRICKBOT:

 

TRICKBOT POST-INFECTION TRAFFIC:

 


Shown above: Traffic from one of the infections filtered in Wireshark.



Shown above: Some alerts on the infection traffic from the Emerging Threats ruleset using Sguil and tcpreplay on Security Onion.


IMAGES


Shown above: Another infection from this malspam (note the different domain for the IP address check).



Shown above: Yet another infection from this malspam (note yet another different domain for the IP address check).



Shown above: Artifacts discovered on one of the infected hosts.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.