truebot – ViriBack Blog https://viriback.com Malware Tracker, IOCs & more ... Sun, 09 Apr 2023 12:25:05 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4 https://viriback.com/wp-content/uploads/2019/01/cropped-android-chrome-512x512-32x32.png truebot – ViriBack Blog https://viriback.com 32 32 ModernLoader to Truebot via PNG https://viriback.com/modernloader-to-truebot-via-png/ Sat, 08 Apr 2023 00:57:48 +0000 https://viriback.com/?p=282 While perusing on VT I found a new C2 domain for TrueBot.

I have compiled a list of IOC’s denoting the infection chain and some notes related to it.

It starts with some JavaScript files. 4 of them have been identified and pointing to same TrueBot C2 ultimately.

At time of writing this, they all had low detection on VT, with 2 out of 59 engines falling them as malicious.

MD5
71e7a2549311647a6178b84393700bf8
4c75c5f63418b48ede30c16b079f324a
3c57867dc4bdeb8a7d55dfb7d8ef5008
287b172c23da5426cf039ef55d959fbd

 

As per comment from @thor_scanner on VT. These files are from an unknown Javascript obfuscator and first noticed in February 23 by the @malwrhunterteam on Twitter.

See the comment here

 

See: Tweet Here

These files are heavily obfuscated Javascript file, that I didnt waste time on trying to deobfuscate. I trusted the sandbox execution on VT to further correlate.

They all called out to a url on the following IP: 62[.]204[.]41[.]69. The Url in question is : hxxp://62[.]204[.]41[.]69/dll[.]png

 

 

WGET on this url retrieves a file, that was not recognized as an image of PNG format. The MD5 of the file was: 8245ac0319d4b55dd29a13e20fc5db35

This script as show above in the HTTP response of the screenshot, gave us another interesting url : hxxp://62[.]204[.]41[.]69/ldn[.]dll

Which served a another payload in the form of a dll with MD5 hash: f52363b6cf282669e5fcc5537b5c3451

This one is Truebot. It is a signed code file and loaded the previously mentionned script.

 

That Truebot sample calls out to domain: droogggdhfhf[.]com which is hosted on the following IP: 92[.]118[.]36[.]236 but the server doesnt seem to respond at the moment.

Truebot Resolves

Further to this, the IP serving the payload: 62[.]204[.]41[.]69 is host to ModernLoader C2 Panel at hxxp://62[.]204[.]41[.]69/AVA/

 

IOCs:

Javascript MD5 Hash:

71e7a2549311647a6178b84393700bf8
4c75c5f63418b48ede30c16b079f324a
3c57867dc4bdeb8a7d55dfb7d8ef5008
287b172c23da5426cf039ef55d959fbd

Fake PNG MD5 Hash:

8245ac0319d4b55dd29a13e20fc5db35

Truebot DLL payload MD5 Hash:

f52363b6cf282669e5fcc5537b5c3451

ModernLoader IP:

62[.]204[.]41[.]69.

ModernLoader URL:

hxxp://62[.]204[.]41[.]69/dll[.]png

Truebot Callout C2 Domain:

droogggdhfhf[.]com

Truebot C2 IP:

92[.]118[.]36[.]236

 

 

]]>