Deep Analysis - TrickBot Multi-Dropper / BrokenShield | Threat: CRITICAL

File Identity

SHA256: 12454a323dec0a56a23cd5215bb335d7842c85bbf38e3bd696c9237e26454388
Size: 339,968 bytes (332 KB) PE32+ native x86-64
Entropy: 5.98 (normal, not packed)
Sections: 12 sections (high)
ImageBase: Suspicious

C2 and Payload URLs

CRITICAL IOC: TrickBot miner module C2 plus multiple payload download URLs.

--- TrickBot Miner C2 ---
http://api.foxovsky.ru/gate/connection.php  <- TrickBot XMR miner C2 gate
[CPUMinerThread] - SUCCESS injected to pId  <- CPU miner injection log string
[WinMain] - Bot installed, start SupremeThread <- botnet initialisation log string

--- Payload Download URLs ---
http://185.185.25.175/ref45.php             <- C2 gate
http://138.204.171.108/BxjL5iKld8.zip       <- ZIP payload
http://92.63.197.153/good.exe               <- EXE payload
http://js.1226bye.xyz:280/v.sctscrobj.dll   <- SCR+DLL payload (port 280)
http://bcaou.cn/a.hta                       <- HTA dropper
http://droobox.online/luncher.doc           <- DOC dropper

C2 IP Addresses

138.204.171.108   (payload server)
173.208.139.170
178.128.115.182   (DigitalOcean)
18.130.111.206    (AWS eu-west-2)
185.185.25.175    (C2 gate server)
46.101.202.232    (DigitalOcean)
92.63.197.153     (payload server)
94.156.189.77

Developer PDB Paths

\Users\x\Desktop\Home\Code\Trik v[x].[x]\Release\Trik.pdb
  -> TrickBot builder output (developer: "x")

F:\Work\d2Od7s43\revShell\fwshell-master\Release\fwshell.pdb
  -> Reverse shell module

D:\C++\AsusShellCode\Release\AsusShellCode.pdb
  -> Shellcode specific to Asus devices (targeted attack?)

C:\Users\Meister\Documents\Projects\BrokenShield\Bin\x86\Release\BrokenShield.pdb
  -> BrokenShield project (developer: "Meister")

SteamHook\new\SteamGhost\Release\Injection.pdb
  -> Steam gaming platform hook injection

Operator Information

Email: pdharmaparrack@protonmail.com
Email: ttpettigrew8922555@mail.com
Miner URL: stratum+tcp://xmr.pool.minergate.com: (XMR mining)
Domains: 1226bye.xyz, alfahad.io, artisbond.org

IOC

SHA256: 12454a323dec0a56a23cd5215bb335d7842c85bbf38e3bd696c9237e26454388
TrickBot C2: api.foxovsky.ru/gate/connection.php
Payload: 185.185.25.175, 138.204.171.108, 92.63.197.153
Domain: 1226bye.xyz:280, api.foxovsky.ru
Miner: XMR pool.minergate.com (CPUMinerThread)
Email: pdharmaparrack@protonmail.com

TrickBotMultiDropper — Malware Profile

Multi-purpose dropper bundling the TrickBot XMR miner module, BrokenShield, revShell and SteamGhost injection. api.foxovsky.ru/gate/connection.php is the TrickBot C2 gate. XMR mining runs via CPUMinerThread. Numerous payload URLs. 12 PE sections. Developer signatures: Meister (BrokenShield), x (Trik builder).

Malware Type: Loader
Programming Language: C++
C2 Protocol: HTTP
Target Systems: Global/Gamers

Capabilities & Behavior

Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Distribution

IOC List (9 indicators)

IOC — TrickBotMultiDropper
Type     Value                                                              Note
sha256   12454a323dec0a56a23cd5215bb335d7842c85bbf38e3bd696c9237e26454388
ip       173.208.139.170
ip       178.128.115.182
ip       18.130.111.206
ip       46.101.202.232
ip       94.156.189.77
domain   alfahad.io
domain   artisbond.org
email    pdharmaparrack@protonmail.com

C2 Servers (5 recorded servers for this family)

Address                      Type     Port   Protocol   Status     Country
api.foxovsky.ru              domain   80     HTTP       inactive   —
185.185.25.175               ip       80     HTTP       inactive   —
138.204.171.108              ip       80     HTTP       inactive   —
92.63.197.153                ip       80     HTTP       inactive   —
1226bye.xyz                  domain   280    HTTP       inactive   —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
trickbot-xmr-miner-cpuminerthread, api-foxovsky-ru-gate-connection-php, broken-shield-injection-dll, steamhook-steam-ghost-injection, asus-shellcode-targeted, revshell-fwshell-pdb, 1226bye-xyz-c2-domain, 185-185-25-175-c2, 138-204-171-108-payload, 92-63-197-153-payload, xmr-minergate-pool-mining, pdharmaparrack-protonmail-operator, botinstall-supremethread-botnet-marker, 12-pe-sections-suspicious