2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2017-08-05" ,
"extends_uuid" : "" ,
"info" : "OSINT - Tale of the Two Payloads \u2013 TrickBot and Nitol" ,
"publish_timestamp" : "1501965248" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1501965244" ,
"uuid" : "598626ea-83e0-4b11-a9a5-485b950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:tool=\"Trick Bot\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#000a64" ,
"local" : false ,
"name" : "europol-incident:availability=\"dos-ddos\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1501964277" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59862752-752c-4adc-9984-9603950d210f" ,
"value" : "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1501964277" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "59862767-ed94-49e9-84d2-4243950d210f" ,
"value" : "A couple of weeks ago, we observed the Necurs botnet distributing a new malware spam campaign with a payload combo that includes Trickbot and Nitol. Trickbot is a banking trojan that first appeared late last year targeting banks in Europe, UK, Australia and other countries. This trojan injects malicious code into a web browser process and siphons sensitive data when the victim visits a target banking website. The Nitol family is well-known for its distributed denial of service (DDOS) and backdoor capabilities." ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "Both spam campaigns have the same payload:" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1501964277" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59862781-f178-47cf-9ac9-9533950d210f" ,
"value" : "d127c60b32fb4a83f711a4a38e9053f347ed90ec"
} ,
{
"category" : "External analysis" ,
"comment" : "Payloads \u2013 Nitol and Trickbot Packages" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1501964277" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "598627bd-bce0-49bc-b0fe-4842950d210f" ,
"value" : "6a01676411d5a7970b01b7c9124d75970b-800wi.png" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "Both spam campaigns have the same payload: - Xchecked via VT: d127c60b32fb4a83f711a4a38e9053f347ed90ec" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1501964277" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "598627f5-011c-4c56-aef4-953302de0b81" ,
"value" : "b50904ae9527ed6ea09576db81bca8dc46a1921ae4e90f7c388e17ee034123b2"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Both spam campaigns have the same payload: - Xchecked via VT: d127c60b32fb4a83f711a4a38e9053f347ed90ec" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1501964277" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "598627f5-7ab0-4b3a-a33e-953302de0b81" ,
"value" : "2c5639ddaa3ed639e17a0fa669e35da1"
} ,
{
"category" : "External analysis" ,
"comment" : "Both spam campaigns have the same payload: - Xchecked via VT: d127c60b32fb4a83f711a4a38e9053f347ed90ec" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1501964277" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "598627f5-1190-41a7-ba3b-953302de0b81" ,
"value" : "https://www.virustotal.com/file/b50904ae9527ed6ea09576db81bca8dc46a1921ae4e90f7c388e17ee034123b2/analysis/1501775685/"
} ,
{
"category" : "Support Tool" ,
"comment" : "This malware avoids static analysis by encoding most of its strings using a lookup algorithm that involves a decoder table represented by this code:" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1501964368" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "59862850-d16c-4b97-90bc-485b950d210f" ,
"value" : "def trickbot_decode(text):\r\n\t# Custom base64-style alphabet used by this TrickBot sample: 64 symbols, 6 bits each\r\n\tts = \"aZbwIiWO39SuApBFcPC/RGYomVxUNL01nr56le47Hv8DJsjQgEkKy+fT2dXtzhMq\"\r\n\tbit_str = \"\"\r\n\t# Map each known symbol to its 6-bit index; characters outside the table are skipped\r\n\tfor char in text:\r\n\t\tif char in ts:\r\n\t\t\tbit_str += bin(ts.index(char))[2:].zfill(6)\r\n\t# Regroup the bit string into whole bytes; leftover bits that do not fill a byte are padding\r\n\tdecoded = bytearray()\r\n\tfor x in range(0, len(bit_str) - len(bit_str) % 8, 8):\r\n\t\tdecoded.append(int(bit_str[x:x+8], 2))\r\n\t# Return the raw decoded bytes rather than re-encoding them as UTF-8\r\n\treturn bytes(decoded)"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 40" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1501965244" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "59862bbc-fed0-48b7-9331-4674950d210f" ,
"value" : "e.googlex.me"
}
]
}
}