{
"Event": {
"analysis": "2",
"date": "2017-08-05",
"extends_uuid": "",
"info": "OSINT - Tale of the Two Payloads \u2013 TrickBot and Nitol",
"publish_timestamp": "1501965248",
"published": true,
"threat_level_id": "3",
"timestamp": "1501965244",
"uuid": "598626ea-83e0-4b11-a9a5-485b950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:tool=\"Trick Bot\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#000a64",
"local": false,
"name": "europol-incident:availability=\"dos-ddos\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501964277",
"to_ids": false,
"type": "link",
"uuid": "59862752-752c-4adc-9984-9603950d210f",
"value": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501964277",
"to_ids": false,
"type": "text",
"uuid": "59862767-ed94-49e9-84d2-4243950d210f",
"value": "A couple of weeks ago, we observed the Necurs botnet distributing a new malware spam campaign with a payload combo that includes Trickbot and Nitol. Trickbot is a banking trojan that first appeared late last year targeting banks in Europe, UK, Australia and other countries. This trojan injects malicious code into a web browser process and siphons sensitive data when the victim visits a target banking website. The Nitol family is well-known for its distributed denial of service (DDOS) and backdoor capabilities.",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "Payload delivery",
"comment": "Both spam campaigns have the same payload:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501964277",
"to_ids": true,
"type": "sha1",
"uuid": "59862781-f178-47cf-9ac9-9533950d210f",
"value": "d127c60b32fb4a83f711a4a38e9053f347ed90ec"
},
{
"category": "External analysis",
"comment": "Payloads \u2013 Nitol and Trickbot Packages",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1501964277",
"to_ids": false,
"type": "attachment",
"uuid": "598627bd-bce0-49bc-b0fe-4842950d210f",
"value": "6a01676411d5a7970b01b7c9124d75970b-800wi.png",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "Payload delivery",
"comment": "Both spam campaigns have the same payload: - Xchecked via VT: d127c60b32fb4a83f711a4a38e9053f347ed90ec",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501964277",
"to_ids": true,
"type": "sha256",
"uuid": "598627f5-011c-4c56-aef4-953302de0b81",
"value": "b50904ae9527ed6ea09576db81bca8dc46a1921ae4e90f7c388e17ee034123b2"
},
{
"category": "Payload delivery",
"comment": "Both spam campaigns have the same payload: - Xchecked via VT: d127c60b32fb4a83f711a4a38e9053f347ed90ec",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501964277",
"to_ids": true,
"type": "md5",
"uuid": "598627f5-7ab0-4b3a-a33e-953302de0b81",
"value": "2c5639ddaa3ed639e17a0fa669e35da1"
},
{
"category": "External analysis",
"comment": "Both spam campaigns have the same payload: - Xchecked via VT: d127c60b32fb4a83f711a4a38e9053f347ed90ec",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501964277",
"to_ids": false,
"type": "link",
"uuid": "598627f5-1190-41a7-ba3b-953302de0b81",
"value": "https://www.virustotal.com/file/b50904ae9527ed6ea09576db81bca8dc46a1921ae4e90f7c388e17ee034123b2/analysis/1501775685/"
},
{
"category": "Support Tool",
"comment": "This malware avoids static analysis by encoding most of its strings using a lookup algorithm that involves a decoder table represented by this code:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501964368",
"to_ids": false,
"type": "text",
"uuid": "59862850-d16c-4b97-90bc-485b950d210f",
"value": "def trickbot_decode(text):\r\n\tts = \"aZbwIiWO39SuApBFcPC/RGYomVxUNL01nr56le47Hv8DJsjQgEkKy+fT2dXtzhMq\"\r\n\talphabet = [n for n in ts]\r\n\tbit_str = \"\"\r\n\ttext_str = \"\"\r\n\r\n\tfor char in text:\r\n\t\tif char in alphabet:\r\n\t\t\tbin_char = bin(alphabet.index(char)).lstrip(\"0b\")\r\n\t\t\tbin_char = bin_char.zfill(6)\r\n\t\t\tbit_str += bin_char\r\n\r\n\tbrackets = [bit_str[x:x+8] for x in range(0,len(bit_str),8)]\r\n\r\n\tfor bracket in brackets:\r\n\t\ttext_str += chr(int(bracket,2))\r\n\r\n\treturn text_str.encode(\"UTF-8\")"
},
{
"category": "Network activity",
"comment": "On port 40",
"deleted": false,
"disable_correlation": false,
"timestamp": "1501965244",
"to_ids": true,
"type": "hostname",
"uuid": "59862bbc-fed0-48b7-9331-4674950d210f",
"value": "e.googlex.me"
}
]
}
}