While perusing VT I found a new C2 domain for TrueBot.
I have compiled a list of IOCs denoting the infection chain, with some notes related to it.
At the time of writing, they all had low detection on VT, with 2 out of 59 engines flagging them as malicious.
See the comment here
See the tweet here
They all called out to a URL on the following IP: 62[.]204[.]41[.]69. The URL in question is: hxxp://62[.]204[.]41[.]69/dll[.]png
wget on this URL retrieves a file that is not a PNG image despite the extension. The MD5 of the file was: 8245ac0319d4b55dd29a13e20fc5db35
This script, as shown in the HTTP response in the screenshot above, gave us another interesting URL: hxxp://62[.]204[.]41[.]69/ldn[.]dll
which served another payload, a DLL with MD5 hash: f52363b6cf282669e5fcc5537b5c3451
This one is TrueBot. It is a signed code file and loaded the previously mentioned script.
That TrueBot sample calls out to the domain droogggdhfhf[.]com, which is hosted on the following IP: 92[.]118[.]36[.]236, but the server doesn't seem to respond at the moment.
Further to this, the IP serving the payload, 62[.]204[.]41[.]69, also hosts a ModernLoader C2 panel at hxxp://62[.]204[.]41[.]69/AVA/
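The "fake PNG" in this chain is caught by the simplest possible check: the file does not start with the PNG signature. The script below is an added triage helper, not code from the original post, that refangs the defanged indicators above, sniffs a fetched payload's real type from its leading bytes, hashes it, and matches the MD5 against the IOCs listed here. The labels in KNOWN_MD5 and the sample byte strings are constructed for the example; it runs offline and does not contact the C2 server.

```python
import hashlib
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG file signature
PE_MAGIC = b"MZ"                   # DOS/PE header, what a real DLL starts with

# MD5 IOCs from the post, with constructed descriptive labels.
KNOWN_MD5 = {
    "8245ac0319d4b55dd29a13e20fc5db35": "fake PNG served as dll.png",
    "f52363b6cf282669e5fcc5537b5c3451": "TrueBot DLL served as ldn.dll",
}


def refang(ioc: str) -> str:
    """Turn a defanged IOC (hxxp://, [.], [:]) back into a usable string."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def sniff(data: bytes) -> str:
    """Guess the real file type from magic bytes, ignoring the claimed extension."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(PE_MAGIC):
        return "pe"
    head = data[:512]
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "text"   # script or HTML body masquerading as a binary
    return "unknown"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage(data: bytes, claimed_ext: str) -> dict:
    """Hash a fetched payload, flag type/extension mismatches and known IOC hits."""
    digest = md5_hex(data)
    real = sniff(data)
    return {
        "md5": digest,
        "type": real,
        # e.g. served as .png but not actually a PNG -> worth a closer look
        "extension_mismatch": claimed_ext.lower() == "png" and real != "png",
        "ioc_match": KNOWN_MD5.get(digest),
    }


# Constructed samples standing in for what wget would retrieve.
REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
FAKE_PNG = b"<script>var u='http://62.204.41.69/ldn.dll';</script>"

if __name__ == "__main__":
    print(refang("hxxp://62[.]204[.]41[.]69/dll[.]png"))
    for name, blob in (("dll.png", FAKE_PNG), ("real.png", REAL_PNG)):
        print(name, triage(blob, name.rsplit(".", 1)[-1]))
```

Run it against the file wget actually pulled down and the extension_mismatch flag, not the URL, is what tells you dll.png deserves a sandbox detonation; the ioc_match field then ties the hash back to this post's indicators.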
Fake PNG MD5 Hash: 8245ac0319d4b55dd29a13e20fc5db35
Truebot DLL payload MD5 Hash: f52363b6cf282669e5fcc5537b5c3451
Truebot Callout C2 Domain: droogggdhfhf[.]com
Truebot C2 IP: 92[.]118[.]36[.]236