Deep Analysis - TrickBot Multi-Dropper / BrokenShield | Threat: CRITICAL
File Identity
| SHA256 | 12454a323dec0a56a23cd5215bb335d7842c85bbf38e3bd696c9237e26454388 |
|---|---|
| Size | 339,968 bytes (332 KB) PE32+ native x86-64 |
| Entropy | 5.98 (normal, not packed) |
| Sections | 12 sections (high) |
| ImageBase | Suspicious |
C2 and Payload URLs
CRITICAL IOC: TrickBot miner module C2 + multiple payload download URLs!

--- TrickBot Miner C2 ---
- http://api.foxovsky.ru/gate/connection.php <- TrickBot XMR miner C2 gate
- [CPUMinerThread] - SUCCESS injected to pId <- CPU miner inject log
- [WinMain] - Bot installed, start SupremeThread <- botnet init log

--- Payload Download URLs ---
- http://185.185.25.175/ref45.php <- C2 gate
- http://138.204.171.108/BxjL5iKld8.zip <- ZIP payload
- http://92.63.197.153/good.exe <- EXE payload
- http://js.1226bye.xyz:280/v.sctscrobj.dll <- SCR+DLL payload (port 280)
- http://bcaou.cn/a.hta <- HTA dropper
- http://droobox.online/luncher.doc <- DOC dropper
C2 IP Addresses
- 138.204.171.108 (payload server)
- 173.208.139.170
- 178.128.115.182 (DigitalOcean)
- 18.130.111.206 (AWS eu-west-2)
- 185.185.25.175 (C2 gate server)
- 46.101.202.232 (DigitalOcean)
- 92.63.197.153 (payload server)
- 94.156.189.77
Developer PDB Paths
- \Users\x\Desktop\Home\Code\Trik v[x].[x]\Release\Trik.pdb
  -> TrickBot builder output! (developer: "x")
- F:\Work\d2Od7s43\revShell\fwshell-master\Release\fwshell.pdb
  -> Reverse shell module
- D:\C++\AsusShellCode\Release\AsusShellCode.pdb
  -> Shellcode specific to Asus devices (targeted attack?)
- C:\Users\Meister\Documents\Projects\BrokenShield\Bin\x86\Release\BrokenShield.pdb
  -> BrokenShield project (developer: "Meister")
- SteamHook\new\SteamGhost\Release\Injection.pdb
  -> Steam gaming platform hook injection
Operator Information
- Email: pdharmaparrack@protonmail.com
- Email: ttpettigrew8922555@mail.com
- Miner URL: stratum+tcp://xmr.pool.minergate.com: (XMR mining)
- Domains: 1226bye.xyz, alfahad.io, artisbond.org
IOC
| SHA256 | 12454a323dec0a56a23cd5215bb335d7842c85bbf38e3bd696c9237e26454388 |
|---|---|
| TrickBot C2 | api.foxovsky.ru/gate/connection.php |
| Payload | 185.185.25.175, 138.204.171.108, 92.63.197.153 |
| Domain | 1226bye.xyz:280, api.foxovsky.ru |
| Miner | XMR pool.minergate.com (CPUMinerThread) |
| Email | pdharmaparrack@protonmail.com |
TrickBotMultiDropper — Malware Profile
Multi-purpose dropper containing the TrickBot XMR miner module + BrokenShield + revShell + SteamGhost injection. api.foxovsky.ru/gate/connection.php is the TrickBot C2 gate. XMR mining via CPUMinerThread. Numerous payload URLs. 12 PE sections. Developer signatures: Meister (BrokenShield), x (Trik builder).
Malware Type
Loader
Programming Language
C++
C2 Protocol
HTTP
Target Systems
Global/Gamers
Capabilities & Behavior
Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Delivery
IOC List (9 indicators)
IOC — TrickBotMultiDropper
| Type | Value | Note |
|---|---|---|
| sha256 | 12454a323dec0a56a23cd5215bb335d7842c85bbf38e3bd696c9237e26454388 | |
| ip | 173.208.139.170 | |
| ip | 178.128.115.182 | |
| ip | 18.130.111.206 | |
| ip | 46.101.202.232 | |
| ip | 94.156.189.77 | |
| domain | alfahad.io | |
| domain | artisbond.org | |
| email | pdharmaparrack@protonmail.com | |
C2 Servers (5 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| api.foxovsky.ru | domain | 80 | HTTP | inactive | — |
| 185.185.25.175 | ip | 80 | HTTP | inactive | — |
| 138.204.171.108 | ip | 80 | HTTP | inactive | — |
| 92.63.197.153 | ip | 80 | HTTP | inactive | — |
| 1226bye.xyz | domain | 280 | HTTP | inactive | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.