Dissecting TrickBot

Posted on 2018-10-09 by Adam Swanda

After the demise of the Dyreza banking malware, the banking trojan vacuum was quickly filled by the TrickBot malware family. TrickBot is a banking and information stealing trojan which is modular in design and can rapidly expand its functionality by retrieving DLLs from its Command and Control server. This threat is spread most commonly by phishing emails, but it also includes network propagation functionality to spread through a victim's network by using the Microsoft Windows vulnerability known as EternalRomance. In this blog post, we'll dive into the TrickBot malware, its functionality, modules, and Command and Control communications.

TrickBot

The sample we'll be analyzing in this post is from the campaign we covered in our recent blog Emotet campaign delivers AZORult, IcedID, and TrickBot. Since the TrickBot malware can include many features due to its use of additional modules, we decided to split its analysis into a separate report.

The TrickBot payload analyzed here can be identified by the following hashes:

  • MD5: 3dc023e04846d5d543bcef3e348296da
  • SHA1: faa8045bf605ffdcb436d05ec29798eb70ba8f9e
  • SHA256: 806bc3a91b86dbc5c367ecc259136f77482266d9fedca009e4e78f7465058d16

When executed, TrickBot will first contact the website icanhazip[.]com to retrieve the infected system's public IP address and test Internet connectivity. Next, a new directory is created at the %APPDATA\Roaming\AIMT\ location and a copy of the original payload is placed inside.

The copied payload is executed as a child of the original and execution is then transferred to the child. After TrickBot is running in the context of the newly created process, it will launch several cmd.exe instances and run commands to disable built-in Windows security measures. This is done by first stopping Windows Defender and then deleting it from autostart.

  • cmd.exe /c sc stop WinDefend
  • cmd.exe /c delete WinDefend

Additionally, a PowerShell process is launched to disable built-in monitoring using the command cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true.

Threat Hunting Tip: If you were to approach detecting TrickBot from an endpoint threat hunting perspective, the use of the commands above, in that order, executed by a newly created child process could be used as an indication of a TrickBot infection.
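The hunting tip above can be turned into a concrete check over process-creation telemetry. The script below is an added example written for this post (it is not code from InQuest or from the TrickBot sample): it walks a set of constructed Sysmon-style process events, looks for the three Defender-tampering command lines in the order described above among the children of a single parent, and adds a second signal when that parent is itself a child whose image name matches its own parent's image, which is what the self-copy relaunch from %APPDATA%\Roaming\AIMT\ looks like. The events, paths and PIDs are constructed placeholders; the command lines are matched as the page quotes them, including the cmd.exe /c delete WinDefend form.

```python
import ntpath
import re
from collections import defaultdict

# Constructed process-creation events in the spirit of Sysmon Event ID 1; these are
# not real telemetry. Fields: (event_seq, pid, parent_pid, image, command_line).
EVENTS = [
    (1, 1200, 900,  r"C:\Users\victim\Downloads\invoice.exe",
     r'"C:\Users\victim\Downloads\invoice.exe"'),
    # The copy dropped under %APPDATA%\Roaming\AIMT\ runs as a child of the original.
    (2, 1300, 1200, r"C:\Users\victim\AppData\Roaming\AIMT\invoice.exe",
     r'"C:\Users\victim\AppData\Roaming\AIMT\invoice.exe"'),
    (3, 1310, 1300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c sc stop WinDefend"),
    (4, 1320, 1300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c delete WinDefend"),
    (5, 1330, 1300, r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    # A lone "sc stop" from an unrelated parent: no full sequence, so it is not flagged.
    (6, 1400, 700,  r"C:\Windows\System32\cmd.exe", "cmd.exe /c sc stop WinDefend"),
]

# The three command lines from the write-up, in the order TrickBot issues them.
SEQUENCE = [
    re.compile(r"\bsc\s+stop\s+WinDefend\b", re.IGNORECASE),
    re.compile(r"\bdelete\s+WinDefend\b", re.IGNORECASE),
    re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.IGNORECASE),
]


def find_defender_tampering(events):
    """Return one finding per parent process whose children ran the full sequence in order."""
    by_pid = {pid: (ppid, image) for _, pid, ppid, image, _ in events}
    children = defaultdict(list)
    for _seq, _pid, ppid, _image, cmd in sorted(events):
        children[ppid].append(cmd)  # sorted() keeps chronological order per parent

    findings = []
    for ppid, cmds in children.items():
        stage = 0
        for cmd in cmds:
            if stage < len(SEQUENCE) and SEQUENCE[stage].search(cmd):
                stage += 1
        if stage < len(SEQUENCE):
            continue
        # Extra signal: the parent is itself a freshly created child whose image name
        # equals its own parent's image name (the self-copy relaunch described above).
        self_copy = False
        parent_image = None
        if ppid in by_pid:
            gp, parent_image = by_pid[ppid]
            if gp in by_pid:
                self_copy = (ntpath.basename(parent_image).lower()
                             == ntpath.basename(by_pid[gp][1]).lower())
        findings.append({"parent_pid": ppid, "parent_image": parent_image,
                         "parent_is_self_copy": self_copy})
    return findings


if __name__ == "__main__":
    for finding in find_defender_tampering(EVENTS):
        print(finding)
```

The ordered-stage match is deliberately strict so that a single administrative sc stop WinDefend does not page anyone; in a real pipeline the same three patterns would be applied per parent PID over a short time window rather than over a whole batch.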

Windows APIs that TrickBot needs will be loaded dynamically through the use of the LoadLibraryA, LoadLibraryW, and GetProcAddress calls. This is a conventional technique to see in malware. Instead of being able to view all needed functions in the Import Address Table (IAT), API calls are loaded as necessary in an attempt to hide functionality.

At this point, TrickBot will spawn a copy of svchost.exe in a suspended state in order to inject itself into the application. From here on out TrickBot will run primarily within the context of svchost.exe. This process will be used to contact the C&C server and retrieve and load modules.

The main configuration contains a list of Command and Control servers, as well as instructions for which modules to run. The extracted configuration file for this sample is shown below.

Configuration Data

<?xml version="1.0"?>
<mcconf>
  <ver>1000268</ver>
  <gtag>arz1</gtag>
  <servs>
    <srv>23.92.93[.]229:443</srv>
    <srv>94.181.47[.]198:449</srv>
    <srv>75.103.4[.]186:443</srv>
    <srv>23.94.41[.]215:443</srv>
    <srv>181.113.17[.]230:449</srv>
    <srv>212.23.70[.]149:443</srv>
    <srv>23.94.233[.]142:443</srv>
    <srv>170.81.32[.]66:449</srv>
    <srv>42.115.91[.]177:443</srv>
    <srv>107.173.102[.]231:443</srv>
    <srv>121.58.242[.]206:449</srv>
    <srv>167.114.13[.]91:443</srv>
    <srv>192.252.209[.]44:443</srv>
    <srv>182.50.64[.]148:449</srv>
    <srv>187.190.249[.]230:443</srv>
    <srv>107.175.127[.]147:443</srv>
    <srv>82.222.40[.]119:449</srv>
    <srv>198.100.157[.]163:443</srv>
    <srv>23.226.138[.]169:443</srv>
    <srv>103.110.91[.]118:449</srv>
    <srv>173.239.128[.]74:443</srv>
    <srv>128.201.92[.]41:449</srv>
    <srv>70.48.101[.]54:443</srv>
    <srv>103.111.53[.]126:449</srv>
    <srv>185.66.227[.]183:443</srv>
    <srv>182.253.20[.]66:449</srv>
    <srv>71.13.140[.]89:443</srv>
    <srv>103.10.145[.]197:449</srv>
    <srv>178.116.83[.]49:443</srv>
    <srv>46.149.182[.]112:449</srv>
    <srv>81.17.86[.]112:443</srv>
    <srv>62.141.94[.]107:443</srv>
    <srv>115.78.3[.]170:443</srv>
    <srv>197.232.50[.]85:443</srv>
    <srv>94.232.20[.]113:443</srv>
    <srv>190.145.74[.]84:449</srv>
    <srv>47.49.168[.]50:443</srv>
    <srv>116.212.152[.]12:449</srv>
    <srv>68.109.83[.]22:443</srv>
  </servs>
  <autorun>
    <module name="systeminfo" ctl="GetSystemInfo"/>
    <module name="injectDll"/>
  </autorun>
</mcconf>

From this configuration file we can see that the systeminfo and injectDll modules are set to run automatically. Also, the <gtag> identifies the group ID used for this TrickBot campaign and the same arz1 string will also be used in the HTTP requests sent to the C&C servers.

Persistence

To persist across system reboots and ensure the malware stays running, TrickBot will create a new Scheduled Task to re-run the main payload every 10 minutes.

Scheduled Task

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Version>1.0.1</Version>
    <Description>MsNetCash</Description>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
    </BootTrigger>
    <TimeTrigger>
      <Repetition>
        <Interval>PT10M</Interval>
        <Duration>P415DT15H59M</Duration>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2018-10-02T10:41:04</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\adam\AppData\Roaming\AIMT\tsickbot.exe</Command>
    </Exec>
  </Actions>
</Task>
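The exported task above has several properties that together make a useful persistence audit: it is hidden, runs as SYSTEM (S-1-5-18) at the highest run level, has a boot trigger plus a 10-minute repetition, and executes a binary out of a user's AppData\Roaming directory. The following added example (not code from the original post or from InQuest) parses a task definition in that schema with Python's xml.etree and reports those traits. The XML is a constructed, trimmed copy of the task shown above with the XML declaration removed and a placeholder user name; the ISO 8601 duration parser covers only the PnDTnHnMnS form Task Scheduler emits.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition modelled on the exported task above; the profile
# directory is a placeholder and the XML declaration is omitted because the
# string is already decoded text.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>MsNetCash</Description></RegistrationInfo>
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\USER\AppData\Roaming\AIMT\tsickbot.exe</Command></Exec>
  </Actions>
</Task>"""

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(value):
    """Convert the PnDTnHnMnS duration form used by Task Scheduler to seconds (None if unparsable)."""
    m = _DURATION.match(value or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_task(xml_text):
    """Return the task's command, repetition interval and the list of suspicious traits found."""
    root = ET.fromstring(xml_text)

    def text(path):
        return (root.findtext(path, namespaces=NS) or "").strip()

    command = text("t:Actions/t:Exec/t:Command")
    interval = iso_duration_seconds(text("t:Triggers/t:TimeTrigger/t:Repetition/t:Interval"))
    reasons = []
    if text("t:Settings/t:Hidden").lower() == "true":
        reasons.append("hidden")
    if text("t:Principals/t:Principal/t:UserId") == "S-1-5-18":
        reasons.append("runs_as_system")
    if text("t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        reasons.append("highest_run_level")
    if root.find("t:Triggers/t:BootTrigger", NS) is not None:
        reasons.append("boot_trigger")
    if interval is not None and interval <= 600:
        reasons.append("short_repetition")
    # A scheduled binary living under a user profile's AppData is unusual for legitimate software.
    if re.search(r"\\AppData\\", command, re.IGNORECASE):
        reasons.append("command_in_user_profile")
    return {"description": text("t:RegistrationInfo/t:Description"), "command": command,
            "interval_seconds": interval, "reasons": reasons}


if __name__ == "__main__":
    print(audit_task(TASK_XML))
```

On a live host the same function can be fed the output of schtasks /query /xml for each task; none of the individual traits is conclusive on its own, but a hidden SYSTEM task repeating every ten minutes from AppData matches the behaviour described here closely enough to warrant a look.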

Command & Control

Once the victim environment has been staged, TrickBot will contact a C&C server to perform a check-in. The server will respond with an encrypted list of additional Command and Control servers and any configuration data needed by the malware.

All HTTP requests to the C&C servers use a URL format of /<group ID>/<client ID>/<command>/. When modules and configuration files are requested, an additional string to identify the component is appended to the URL.
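To show how the configuration data and the URL format fit together on the detection side, here is an added example (written for this post, not code from InQuest or from TrickBot) that parses an mcconf document like the one shown above, refangs the server list, and then checks constructed proxy log lines for two things: a destination that is one of the configured servers, and a path of the form /<group ID>/<client ID>/<command>/ whose group ID equals the configuration's gtag, with the optional trailing component name used for module and configuration downloads. The client ID values, command numbers and log layout in the sample are placeholders, not observed values.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed excerpt of the main configuration shown above (two of the servers,
# the same gtag and the same autorun modules).
MCCONF = """<?xml version="1.0"?>
<mcconf>
  <ver>1000268</ver>
  <gtag>arz1</gtag>
  <servs>
    <srv>23.92.93[.]229:443</srv>
    <srv>94.181.47[.]198:449</srv>
  </servs>
  <autorun>
    <module name="systeminfo" ctl="GetSystemInfo"/>
    <module name="injectDll"/>
  </autorun>
</mcconf>"""


def refang(value):
    """Turn a defanged indicator such as 1.2.3[.]4 back into its literal form."""
    return value.replace("[.]", ".")


def parse_mcconf(xml_text):
    """Extract version, group tag, server list and autorun modules from an mcconf document."""
    root = ET.fromstring(xml_text)
    return {
        "ver": root.findtext("ver"),
        "gtag": root.findtext("gtag"),
        "servers": [refang(s.text.strip()) for s in root.findall("servs/srv")],
        "autorun": [{"name": m.get("name"), "ctl": m.get("ctl")}
                    for m in root.findall("autorun/module")],
    }


# /<group ID>/<client ID>/<command>/ plus an optional component name for module/config requests.
C2_PATH = re.compile(
    r"^/(?P<gtag>[^/]+)/(?P<client>[^/]+)/(?P<command>[^/]+)/(?:(?P<component>[^/]+)/)?$")


def match_c2_requests(log_lines, config):
    """Flag log lines that reach a configured server or that use the campaign's URL pattern."""
    servers = set(config["servers"])
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        # Constructed log layout: "<timestamp> <client ip> <method> <url>".
        parts = line.split()
        if len(parts) != 4:
            continue
        url = urlsplit(parts[3])
        m = C2_PATH.match(url.path)
        reasons = []
        if url.netloc in servers:
            reasons.append("known_c2_server")
        if m and m.group("gtag") == config["gtag"]:
            reasons.append("campaign_url_pattern")
        if reasons:
            findings.append({"line": lineno, "host": url.netloc, "reasons": reasons,
                             "client": m.group("client") if m else None,
                             "command": m.group("command") if m else None,
                             "component": m.group("component") if m else None})
    return findings


# Constructed proxy log lines; client IDs, command numbers and the last two hosts are placeholders.
SAMPLE_LOG = [
    "2018-10-02T10:41:05Z 10.0.0.5 GET https://23.92.93.229:443/arz1/HOST1_W617601.A1B2/0/",
    "2018-10-02T10:41:09Z 10.0.0.5 GET https://94.181.47.198:449/arz1/HOST1_W617601.A1B2/5/injectDll32/",
    "2018-10-02T10:42:00Z 10.0.0.7 GET https://www.example.com/arz1/whatever/",
    "2018-10-02T10:43:30Z 10.0.0.5 POST https://203.0.113.10:443/arz1/HOST1_W617601.A1B2/14/",
    "2018-10-02T10:44:00Z 10.0.0.9 GET https://example.org/index.html",
]

if __name__ == "__main__":
    config = parse_mcconf(MCCONF)
    for finding in match_c2_requests(SAMPLE_LOG, config):
        print(finding)
```

The fourth sample line is the interesting one for a hunter: the destination is not in the extracted server list, but the path still carries the campaign's gtag, which is how a previously unknown server delivered in a later check-in response can be picked up from the URL shape alone.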

A complete list of all C&C servers for this payload is available in the Indicators of Compromise section at the end of this blog.


TrickBot Modules

TrickBot functionality can be expanded through the use of modules fetched from the Command and Control server. Each module serves a distinct purpose, such as injecting into a web browser, capturing credentials, gathering system information, and more. The modules are stored in a directory named Modules within the path %APPDATA\Roaming\AIMT\ and they are executed by the main TrickBot svchost.exe process. Another interesting note about the TrickBot modules is that each one appears to use the same DLL export functions of Control, Release, FreeBuffer, and Start.

If a module requires a configuration file, a new directory will be created inside the Modules folder using the pattern of <module name>_configs. Both the modules themselves and their configuration files are downloaded and stored as AES encrypted files.

Other than the encrypted content, there is not much in the way of hiding the modules' intentions. The file name of each module is labeled after the action it performs. For example, the network collection module is named networkDll and the dynamic web inject module is named dinj. The names will also include a suffix of either "32" or "64" to indicate whether they were meant for a 32-bit or 64-bit system.

While not every module was delivered during this analysis session, we've compiled a list of known TrickBot modules for public knowledge.

Module List

Module          Purpose
systeminfo      Collect system information
networkDll      Collect network and system information
injectDll       Perform web browser injection and data theft
wormDll         Propagate TrickBot via SMB
shareDll        Propagate TrickBot via SMB
tabDll          Propagate TrickBot via EternalRomance exploit
importDll       Collect sensitive browser data
mailsearcher    Search file system
outlookDll      Collect Outlook credentials
domainDll       Collect credentials from Domain Controller

The following list contains the file names and hashes of each module and configuration file dropped to disk during this analysis session.

  • Filename: AIMT\Modules\injectDll32
  • MD5: 24C7F2A2B7A519B42A33B12D581C2899
  • SHA1: E6F163A68D80C07F10BDFF68CD9253781EFEDC1A
  • SHA256: EEF0F52D917A55B115FE611DACC3CB8077CA064FBB419186E38F4BA2CE8E97D7

  • Filename: AIMT\Modules\injectDll32_configs\dinj
  • MD5: 21CF2555529938092C973D72DC891FEF
  • SHA1: 30C7387F8F6A22B02B914E9493F264D3A2BA9C62
  • SHA256: 2EF989ED97B38775B0355871FB896F185D201933ED75FEDDB0BD94C0B408185C

  • Filename: AIMT\Modules\injectDll32_configs\sinj
  • MD5: 985DC4A6681ABCAA3439E5C6DFBCAA86
  • SHA1: 9FF18B134EF52CBA056CD469FC02FC4DC59E7F81
  • SHA256: 2C0DFEC67D67BD4B6C1B8F10E44C24A72AB75FE727E3056617765B15C98B60DD

  • Filename: AIMT\Modules\networkDll32
  • MD5: E7BD5C2CA5CB694F4A513E7A021BDD11
  • SHA1: 9ED57AA9CF17D1E879DB8704F0209A7EB45D9CA6
  • SHA256: 30AABBB530124B5B1706CC665D830F528B68D818070A88F3B6763DFDE65CDCA0

  • Filename: AIMT\Modules\networkDll32_configs\dpost
  • MD5: 47047BC463859F29116F930CC8AFB7DF
  • SHA1: 4EAE2A8E40AA6684C86EE699553373E2C8454618
  • SHA256: 8DBF252370D6437B498B135AEF8AD4A476F7586BC5E770372A2B6B83572D644F

Decoding Modules & Configs

Using the script trick_config_decoder.py created by hasherezade, it is trivial to decode the dropped modules and configuration files.

In the example below the decoder script is run against the injectDll32 module and given the name trick_module.dll as output. This same process can be repeated for each module and config.

$ ./decoder.py --datafile injectdll32 --outfile out.bin --pe_name inject_module.dll
1390000
Dumped decoded to: out.bin
Extracted Module to: trick_module.dll

$ file inject_module.dll
inject_module.dll: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

When decoded, each module's configuration will be in XML format and start with <moduleconfig> as seen in the injectDll32 data below.

Decrypted injectDll32 Config

<moduleconfig>
  <autostart>yes</autostart>
  <needinfo name="id"/>
  <needinfo name="ip"/>
  <autoconf>
    <conf ctl="dinj" file="dinj" period="20"/>
    <conf ctl="sinj" file="sinj" period="20"/>
    <conf ctl="dpost" file="dpost" period="60"/>
  </autoconf>
</moduleconfig>

Network Module

Network environment information is collected by the aptly named networkDll module. This is done through the use of built-in Windows commands like ipconfig, net, and nltest. The module is rather small in size, coming in at only 19 KB.

A configuration file for this module is also dropped and stored in the directory AIMT\Modules\networkDll32_configs\ with a filename of dpost. This file contains a list of C&C servers that can receive exfiltrated data from a victim. The decrypted content of this file can be seen below.

Decrypted dpost Config

<dpost>
<handler>http://200.29.24[.]36:8082</handler>
<handler>http://66.181.167[.]72:8082</handler>
<handler>http://46.146.252[.]178:8082</handler>
<handler>http://77.37.142[.]203:8082</handler>
<handler>http://70.48.101[.]54:8082</handler>
<handler>http://24.130.135[.]200:80</handler>
<handler>http://177.0.69[.]68:80</handler>
<handler>http://5.228.72[.]17:80</handler>
<handler>http://209.170.226[.]82:80</handler>
<handler>http://200.111.97[.]235:80</handler>
<handler>http://107.175.247[.]166:443</handler>
<handler>http://54.39.126[.]228:443</handler>
<handler>http://185.251.39[.]199:443</handler>
<handler>http://195.123.225[.]67:443</handler>
</dpost>

If the HTTP requests fail to contact the provided servers, an error message of "Dpost server unavailable" will be logged while a successful HTTP POST results in the message "Report successfully sent".


The following commands are used to gather network information and are executed through cmd.exe:

  • /c ipconfig /all
  • /c net config workstation
  • /c net view /all
  • /c net view /all /domain
  • /c nltest /domain_trusts
  • /c nltest /domain_trusts /all_trusts

This module will also attempt to gather information from LDAP, as well as some system information including a list of all processes, available memory, operating system information, OS installation date, last boot time, and more. After collection, the data is sent back to the C&C server using three separate HTTP POST requests with customized Content-Disposition headers to identify the content of the data.

  • Content-Disposition: form-data; name="proclist"
  • Content-Disposition: form-data; name="sysinfo"
  • Content-Type: multipart/form-data; boundary=Arasfjasu7
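The fixed multipart boundary and the two form-data field names quoted above are the kind of detail a network sensor can key on. The added example below (written for this post; not code from InQuest or from the malware) parses a multipart/form-data POST body with Python's standard email parser, lists the field names it finds, and classifies the request as a likely networkDll report when either the Arasfjasu7 boundary or the proclist/sysinfo field names are present. Both request bodies are constructed; the part contents are placeholders rather than data captured from an infection, and the benign body uses a browser-style boundary to show the negative case.

```python
from email.parser import BytesParser

TRICKBOT_BOUNDARY = "Arasfjasu7"
TRICKBOT_FIELDS = {"proclist", "sysinfo"}

# Constructed request body using the boundary and field names quoted above; the part
# contents are placeholders, not data captured from the malware.
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=Arasfjasu7"
SAMPLE_BODY = (
    b"--Arasfjasu7\r\n"
    b'Content-Disposition: form-data; name="proclist"\r\n'
    b"\r\n"
    b"svchost.exe 1234\r\nexplorer.exe 2048\r\n"
    b"--Arasfjasu7\r\n"
    b'Content-Disposition: form-data; name="sysinfo"\r\n'
    b"\r\n"
    b"OS: placeholder, RAM: placeholder\r\n"
    b"--Arasfjasu7--\r\n"
)

# Constructed benign upload with a browser-style boundary for the negative case.
BENIGN_CONTENT_TYPE = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
BENIGN_BODY = (
    b"------WebKitFormBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="file"; filename="report.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"quarterly numbers\r\n"
    b"------WebKitFormBoundary7MA4YWxk--\r\n"
)


def parse_multipart(content_type, body):
    """Return the boundary and the form-data parts (name, filename, size) of a multipart body."""
    # Prepend the header so the MIME parser can split the body on the declared boundary.
    raw = (b"Content-Type: " + content_type.encode("ascii")
           + b"\r\nMIME-Version: 1.0\r\n\r\n" + body)
    msg = BytesParser().parsebytes(raw)
    fields = []
    if msg.is_multipart():
        for part in msg.get_payload():
            fields.append({
                "name": part.get_param("name", header="content-disposition"),
                "filename": part.get_filename(),
                "bytes": len(part.get_payload(decode=True) or b""),
            })
    return {"boundary": msg.get_boundary(), "fields": fields}


def classify_report(content_type, body):
    """Mark a request as a likely networkDll report by its boundary or its field names."""
    parsed = parse_multipart(content_type, body)
    names = {f["name"] for f in parsed["fields"]}
    parsed["trickbot_boundary"] = parsed["boundary"] == TRICKBOT_BOUNDARY
    parsed["trickbot_fields"] = bool(names & TRICKBOT_FIELDS)
    parsed["suspicious"] = parsed["trickbot_boundary"] or parsed["trickbot_fields"]
    return parsed


if __name__ == "__main__":
    print(classify_report(SAMPLE_CONTENT_TYPE, SAMPLE_BODY))
    print(classify_report(BENIGN_CONTENT_TYPE, BENIGN_BODY))
```

The boundary match is the cheaper and more specific of the two signals, since browsers and HTTP libraries generate random boundaries; the field-name match is the fallback for a build that changes the boundary string but keeps the report layout.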

Browser Injection

TrickBot's primary functionality is the ability to capture credentials for financial institutions and other websites directly from a victim's browser. This is done through the use of the injectDll module and its two configuration files dinj and sinj. The configuration files define the targeted websites and C&C servers that will receive the stolen data.

The DLL is responsible for enumerating all running processes to identify running web browsers. If "chrome.exe", "iexplore.exe", "edge.exe", or "firefox.exe" is found, TrickBot will inject code into the discovered process using the VirtualAlloc + WriteProcessMemory + CreateRemoteThread method.

Once running within the browser, TrickBot hooks various API calls in order to intercept HTTP traffic. The hooked APIs differ depending on which browser it is running within.

In addition to web injects, this module is also responsible for collecting passwords, history, and credit card data stored in the target web browsers. The data is sent back to the C&C servers listed in the dpost configuration file.

Much like the network module, if injectDll fails to perform various actions an error message will be logged. This occurs when the module fails to grab passwords, billing information, credit card data, and autofill information from a browser, or when it fails to send stolen information back to the DPost servers.

Static Web Injections

The complete static injection config contains a total of 544 target URLs. A very small excerpt is shown below.

<slist>
<sinj>
<mm>https://www.rbsidigital.com*</mm>
<sm>https://www.rbsidigital.com/default.aspx*</sm>
<nh>krsajxnbficgmrhtwsoezpklqvyd[.]net</nh>
<url404></url404>
<srv>31.131.27[.]144:443</srv>
</sinj>
<sinj>
<mm>https://www.bankline.rbs.com*</mm>
<sm>https://www.bankline.rbs.com/CWSLogon/logon.do*</sm>
<nh>cdsabpclzowrnyfeaukjmxsvqtid[.]net</nh>
<url404></url404>
<srv>31.131.27[.]144:443</srv>
</sinj>
<sinj>
<mm>https://lloydslink.online.lloydsbank.com*</mm>
<sm>https://lloydslink.online.lloydsbank.com/Logon*</sm>
<nh>dcsaavcktpwhbgfsdqenylxujzir[.]net</nh>
<url404></url404>
<srv>31.131.27[.]144:443</srv>
</sinj>
<sinj>
<mm>https://www.bankline.ulsterbank.ie*</mm>
<sm>https://www.bankline.ulsterbank.ie/CWSLogon/logon.do*</sm>
<nh>cbsapjarxqombyuewvgkhsdlznit[.]net</nh>
<url404></url404>
<srv>31.131.27[.]144:443</srv>
</sinj>

Dynamic Injects

The dynamic web injects configuration data is saved to the AIMT\Modules\injectDll32_configs\ directory using the filename dinj. This file acts as another configuration for the injectDll module. Below is an excerpt of the decoded data.

<igroup>
<dinj>
<lm>*netteller.com/login2008/Authentication*</lm>
<hl>http://51.254.241[.]249/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
<dinj>
<lm>https://*.netteller.com/favicon.ico?*</lm>
<hl>http://51.254.241[.]249/response.php</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>
<dinj>
<lm>*favicon.ico=2dd2038048c763fc5f9174ae466cdb9c*</lm>
<hl>http://51.254.241[.]249/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>

Conclusion

InQuest provides protection for its customers against the TrickBot malware family and several of its modules. Customers can use the following signatures to identify activity associated with this threat in their environment.

TrickBot Signatures

  • MC_TrickBot_Network_Module
  • MC_TrickBot_Injection_Config
  • MC_TrickBot_Server_Config
  • MC_TrickBot_Injection_Module
  • MC_Trickbot_Worm_Module
  • MC_TrickBot_Shares_Module
  • MC_TrickBot_Tabs_Module
  • MC_TrickBot_Spreader

Indicators of Compromise

To quickly extract the indicators from this blog, check out our open source Python project iocextract. It can easily handle extracting defanged indicators like the ones below.

Command and Control Servers

  • 31.131.27[.]144:443
  • 23.92.93[.]229:443
  • 94.181.47[.]198:449
  • 75.103.4[.]186:443
  • 23.94.41[.]215:443
  • 181.113.17[.]230:449
  • 212.23.70[.]149:443
  • 23.94.233[.]142:443
  • 170.81.32[.]66:449
  • 42.115.91[.]177:443
  • 107.173.102[.]231:443
  • 121.58.242[.]206:449
  • 167.114.13[.]91:443
  • 192.252.209[.]44:443
  • 182.50.64[.]148:449
  • 187.190.249[.]230:443
  • 107.175.127[.]147:443
  • 82.222.40[.]119:449
  • 198.100.157[.]163:443
  • 23.226.138[.]169:443
  • 103.110.91[.]118:449
  • 173.239.128[.]74:443
  • 128.201.92[.]41:449
  • 70.48.101[.]54:443
  • 103.111.53[.]126:449
  • 185.66.227[.]183:443
  • 182.253.20[.]66:449
  • 71.13.140[.]89:443
  • 103.10.145[.]197:449
  • 178.116.83[.]49:443
  • 46.149.182[.]112:449
  • 81.17.86[.]112:443
  • 62.141.94[.]107:443
  • 115.78.3[.]170:443
  • 197.232.50[.]85:443
  • 94.232.20[.]113:443
  • 190.145.74[.]84:449
  • 47.49.168[.]50:443
  • 116.212.152[.]12:449
  • 68.109.83[.]22:443
  • hxxp://200.29.24.36:8082
  • hxxp://66.181.167.72:8082
  • hxxp://46.146.252.178:8082
  • hxxp://77.37.142.203:8082
  • hxxp://70.48.101.54:8082
  • hxxp://24.130.135.200:80
  • hxxp://177.0.69.68:80
  • hxxp://5.228.72.17:80
  • hxxp://209.170.226.82:80
  • hxxp://200.111.97.235:80
  • hxxp://107.175.247.166:443
  • hxxp://54.39.126.228:443
  • hxxp://185.251.39.199:443
  • hxxp://195.123.225.67:443
  • hxxps://51.254.241.249:446/response.php
  • krsajxnbficgmrhtwsoezpklqvyd[.]net
  • cdsabpclzowrnyfeaukjmxsvqtid[.]net
  • dcsaavcktpwhbgfsdqenylxujzir[.]net
  • cbsapjarxqombyuewvgkhsdlznit[.]net
  • crsazobrvtfkjplaehwqgdiysunx[.]net
  • dbsaxdcigrkamspqubtlwyvfzhje[.]net
  • ccsaqwveotdnxcylmfgabiszpkur[.]net
  • bcsayvtnzfcrdhlqsxgwjmoiaupb[.]net
  • rksaexarsftnibhvudlzqoyjcmwg[.]net
  • qhsafgxbjzmkyhsreduolvwpniat[.]net
  • hqsaszutylfcbgjixvamhroqwkdn[.]net
  • bosafgjzkvluxdbesynthcromiaw[.]com
  • hcsaxsuezwpdnamyqrgbfvklhtic[.]net
  • dbsbkrplohtmcuydxniwbjafqsvg[.]net
  • arsauorwyzmakihxjgedlsntqpbc[.]com
  • aqsaugrztmbjlvoshdnepqfkiayw[.]com
  • ahsategbqzxhdounysfwcmavpjil[.]com
  • oosacbdgvkqzwsuyaoflrnmxheit[.]com
  • orsaetsokpjfabvdqxhyzrclwmng[.]com
  • assaghqtnbirjofsvkxulyedcwpa[.]com
  • aosarsikxzpdgefwcyhjolqmatuv[.]com
  • acsalovtgzpxbqfcahjmnwsukeiy[.]com
  • ohsanfmhrgozeksutqlwivjcdbay[.]com
  • ossagoreidauywltshfnmbpxqczv[.]com
  • absaqjdkapirmxfgvlhszuboctey[.]com
  • cssanvehqksxultzcijopgybrmwa[.]com
  • cksavnriyklqfgbtmwujacosehdp[.]com
  • dosaczgfspykhumxaqverwlotbdn[.]com
  • dasajwuxclzdhnryokatembpqvsg[.]com
  • dcsaagfhpjwsudceivtokmlbzyrn[.]com
  • cosabvjcfxudkaiepghzsryotwqn[.]com
  • casabtzqayocpiwldrsmxuegfhjk[.]com
  • ccsaisrqugzytachdxklfjenopbw[.]com
  • cbsaepjkrbloqcfuysiamxzwgndh[.]com
  • crsaqoxdeghusfljtayrzwnibcpv[.]com
  • chsadpqgehjstnrmxcbulkafyivw[.]com
  • rssaqtwfrnlxcobeuhzdskapimjv[.]com
  • kasafvomibchaxewryzntdjlkgqp[.]com
  • kcsagzefqsplbxvwutnmdcoraijh[.]com
  • sbsaroqughcnmxbdtwlzipjakvfe[.]com
  • sdsavjapqtmrkhefxcsbiwdoylng[.]com
  • srsapuijqxewmhkdyfosvbtrnacl[.]com
  • sqsakbtnajmxzulsdhqyrwfvogce[.]com
  • shsacfgevxzuqrjbpiktnmwladsh[.]com
  • sksajmftdiswqpyrhobunzxckelv[.]com
  • dosaticbuhfndreyvlpzksqwoaxg[.]org
  • qrsabtlahkxcvesqzwoidjpnuyrf[.]org
  • cssapquydwxjavczbginmlrkhets[.]org
  • dbsapgslxizowhcbqftramyvujde[.]org
  • qqsauthxriamjyoqegnlsfbcdvzk[.]inf
  • ocsasuqiwkzxpgmfbtacjvlodhey[.]edu
  • oasaeztqcxnrpgjukhbvymsodfwa[.]edu
  • oosahbkgoelntpsriqzuvfxcmjwy[.]edu
  • casabenohwydxgavuflrzqsimkjt[.]nzo
  • dosamdjrcopuehfivzlawbsgtqyn[.]nzo
  • cdsacpytmwoervjhdzlsgqainkxb[.]nzo
  • obscidxlgmuszefkwjoanrbhpvqt[.]com
  • orscewjmbgpzrytqaokuxvdihncs[.]com
  • casdkhjyxdunvfoegptsqbzwcram[.]org
  • brsduzgfxcnrahvisjymqweblpko[.]org
  • bqsdzeykpoqxdgmfbshcuvtiralw[.]org
  • dosdndeogfxhqtiljvmrywpsazcb[.]org
  • dcsdfcxwgiseadmlzbuknpjyqhrt[.]org
  • dasdotpgqasymfbkehvwdzcrlniu[.]org
  • ddsdwetxmcrqhbpzigvydnlaukfo[.]org
  • drsdlpvdfkawbsreiuoqtyxnhmcz[.]org
  • dqsdbowjuerzpgihftxdaslymnqv[.]org
  • dhsdsudnkrwgoxcbzjfhalmitevq[.]org
  • dcsbcdfxijvsayepzlkoghnbruwt[.]net
  • ddsbtlewucfhksgrvjpmxqyzodai[.]net
  • dqsbobceatrqnszyluwfvxmkgjph[.]net
  • dssbhlwfqmutxavzrekjiopbcyns[.]net
  • dksbwpmtszlneofrqahbxucivkgy[.]net
  • bosbiysnkhpatvwcfeudbrmjqxog[.]net
  • basbovkrmnidsabqclpuzyjftehg[.]net
  • cdsbdnzxgqikcjsauephmorltfvw[.]net
  • chsbldunxofyhbktpczvwgqjiser[.]net
  • cqsbrteqvolgjykwbpamhszcdnfu[.]net
  • cssbduntqrlwhgkapozexbvfysic[.]net
  • cksbhzbxavstdelmurkwifgcpjqy[.]net
  • dosbsvuacoitgqbypfxhwljnzked[.]net
  • dasbvcqobdtfrwulmhzjeanypxkg[.]net
  • bqsbdgeuranjctqlpzfmhxvosbwy[.]net
  • bcsbdkoajtzfcsqylepugnvrbixw[.]net
  • bdsbsbkjygrowufvxpilndcqtezh[.]net
  • bhsbcqzkxyptbfgurhisonmwalej[.]net
  • bssbkrfpazmybdseviwuxoqhcjng[.]net
  • bhsdlmevnoipyqgafbhuwtxkcjzs[.]org
  • bbsbabftizqougprynjhmkwvexdc[.]net
  • brsbcejshvropyqlgamnztibfdku[.]net
  • kdsajnsthbvprygaxulkfimdczwe[.]net
  • cqsabkwpuczsmvlatxndforejqgh[.]com
  • qcsaprevkhjbutoagdfwcsqyxnim[.]net
  • hdsalfkcvqrwjabighyotzpudxnm[.]net
  • sbsaekoqaczygtdnuvhwxbfmisrj[.]net
  • qosacktjqdryglziebfpvwhonasm[.]net
  • hrsaudgmskijzpntlcaqxhyfbore[.]net
  • qasaifgwptkomvyasqjclrhxuezd[.]net
  • hbsazwfsaieumpdbcqkyxtnhrjvo[.]net
  • qksahlrobycaktfgmdqujniwzxpv[.]com
  • aksanwizvduotfjlhqxgacpykmbr[.]com
  • qssamtlweuydbznichosjkfvxgrp[.]com
  • odsakosdvpmuexahgwzcblfntrqi[.]org
  • kssclbrhyngutqikmoczpwefajvs[.]net
  • rsscqizarpmsubftehwjnokclgvy[.]net
  • rcsanxvhwtdlbeaqrukpfscjmyog[.]com
  • cqsafrmudcxzknaholtspvjieygw[.]net
  • rhsatehcjxymqvkafbizduglnowr[.]net
  • qksakmixohyaquzjpwgtdsrfvenb[.]net
  • kosaaozcvjthqsxbnrfegkdywilp[.]net
  • ocsawvflbpzdmnhgitcqejrkauyo[.]com
  • odsareuvgacnmypwohsbxktidjfz[.]com
  • obsawoidhzfqglytvmerkbxpjucn[.]com
  • drsaotjrnyqfpbckuahldvzmiexw[.]com
  • dhsamyfzwurilnbhagkxvjsdcqto[.]com
  • dksaervxynpdzbtfquagwsmlhjoc[.]com
  • sasaeyirubalpfzsjqmdhxgovtkn[.]com
  • qhsaxmgibrvtncuaeqwhsjodlkyp[.]com
  • kosaceptuwviohksbqlrzxagjnmf[.]com
  • ocsaxcysjfgbzdqhtlevakowipmn[.]org
  • ohsasribkfhvpldntauzexqwcojg[.]org
  • cksaaysrkezwinbohgvfcpqxludt[.]org
  • kdsaakguytexqlhvfmwnsbjozdir[.]org
  • qhsaoabwvjcqhpersgftximzlnuy[.]inf
  • qssaaujrqthyzbpxilwvnmgofkes[.]inf
  • shsauwaqdmnxrlojtbhgefvkziys[.]inf
  • ahsaadpjbxeslqnucgwvhizokrmf[.]edu
  • khscoxkhqasndtwuyibmpgcjvlrf[.]net
  • hrsarfytbdxnaslwmjvckeiugpqz[.]edu
  • ahsabhndsquekcagwrvtioxpyflz[.]nzo
  • kdsdjfytgvhsobcdwxprkmqaleui[.]net
  • ccsbfbwtukrqyjnmlpxchsgoizva[.]net
  • cssaedmnwgthlbpfquisycvzoxak[.]net
  • dksdgtepaulkfhqzbmjocvxwndsi[.]net
  • bqsaoljzcnyrdskwhgpvbxqfieum[.]edu
  • chsavrqxugtaksewlcifnhmopjyd[.]net
  • basatkwipzbhruvgjenocysmaxld[.]net
  • bosdpfqxeyvjtanzioumsdclrwkg[.]org
  • basdnzdcfojibamhuylxgerptskq[.]org
  • bcsdvbzljwecnsagufihmptkrody[.]org
  • krscvdicwkameftszhbroujynlgq[.]net
  • kbscxcvlbmrfquhyewzaikdgpsnt[.]net
  • cdsaagnvluoeriqtdxhmpzjwyfkc[.]org
  • bhsdruyhaxmginplwejobfqdsvkz[.]org
  • bssdavwhokitsypqlrbdxnuzfcge[.]org
  • bksduzrlosiwakmnhtxyvfeqcpgb[.]org
  • rosdvygpfblnewriqmzakschtodu[.]org
  • rasdjkfiulxhgptewdavzbnsyqco[.]org
  • rcsdwnlexkpsagjcuridhqyfmzvo[.]org
  • rdsdbvaqoepkzjglnruywtdfichs[.]org
  • rbsduyaslromvgjkfdewxhzptnbi[.]org
  • rrsdhbofnatcjzxqvdmruyegiskp[.]org
  • rqsdvaxsktgjylzhqiwdmcponber[.]org
  • rhsdlhczogwrviqmbasftdxjknep[.]org
  • rssdypfrmjqlzocgustkdiwabehx[.]org
  • qasdrzbjmhapcxyfigesntolkvdu[.]org
  • sdsafbvqczxlkjphiagemuoyrnwt[.]net
  • ccsavcazgiqxrkowhsuljdpybfme[.]nzo
  • bbsduxbtgedpkvociyjazlrnqfhm[.]org
  • drsbnkcobfuarqigjzyhvtmxwpld[.]net
  • dhsbbqkharywovltjcifspedzxum[.]net
  • kssabontmchegrkjsdxlqpafuwiz[.]net
  • qksaoiuxbjemtncwkvyarqslzdpf[.]inf
  • kksambnjafwkurqdzloghepcxviy[.]inf
  • cksaeczguioymvdrhlkfpajqtwsn[.]net
  • ddsagswohtpqbnmcfliyzuevrjkx[.]net
  • oasaukwzsbcypovqjmifgrxlathn[.]com
  • acsaudfgavmlwpnteqhokjyscbir[.]inf
  • cosafkoiesgwxlcjuybaqzrhdnmt[.]nzo
  • rksdvjbnmsxhauyptozfdeicgkrl[.]org
  • qosdiwoncqlbfehavrtjzxsymdgk[.]org
  • kbsabiedxvtqhrlkufanozcpswmj[.]net
  • cdsazqgptyuesoldhrmwxvjcikbn[.]com
  • scsaqahpbejdszofwirulxtkcgvn[.]com
  • qcsdthgymaxpjuzoqclrebvsnfwd[.]org
  • bdsdkjnaswfdzetlipgmquxbyrcv[.]org
  • qbsamokvsziugxlwrtdnqjyecfah[.]net
  • qssarwujkmptxaebqcnsigzvyold[.]net
  • hssarmdqezloaysvpbujckxifthg[.]net
  • rosaswkvizdrcefyajmptxbglouh[.]net
  • rcsakyibwntgvmaujpzlcxesfhdq[.]net
  • rdsajdnefbiglqkphczvsymwouar[.]net
  • rrsaczrvmasulfnwthbykpoxdjie[.]net
  • aasafzedqbinuxmcvlhgtyapjwko[.]inf
  • dosanqhbulvtawmdipzrsjxgfoke[.]net
  • drsafeyinqbzxhgcklrovjpwtumd[.]net
  • dqsacjrfzkoeaubiptgnqmxdshyw[.]net
  • bosajigrbesfctqludnzawxhopmv[.]net
  • bbsarutgmlkypivhscqznwjbfdox[.]net
  • bdsaficzmprvxebloqnujtywdskg[.]net
  • bqsackoejrmtbnvphdaixlsyzuqf[.]net
  • sssaxuqoawsjrglvcmifynpekdth[.]com
  • kssaxuzsetyiopbwrkljvhfadqnm[.]org
  • kasarkclwbfqdvohmeitgzxsajyp[.]net
  • kqsaoxfzgkrpjnulaybsecqhwimd[.]net
  • oqsarqnjfxodwuzbckyhgvilmpes[.]com
  • arsanpdizrlsjoymwxavhukeqbct[.]org
  • rasaohjtqazspkiubcvxyrgdlewn[.]org
  • kksanjrfqdxyucewasivbzhpgmlt[.]org
  • oasajdwkgnfypebhmtvxczaosirq[.]inf
  • ohsanpktuazcyxflvijrwdqmgsob[.]inf
  • sosakgzypvcjrhaoneiuqdwftsxb[.]net
  • scsalaesnkvmthurcfpqdjioxywg[.]net
  • sqsavrobpeczdxngisyafjmthwuk[.]net
  • sksapyexncfjrovitqlbgmskzuhw[.]net
  • orsazdixfcgpjqaebuwyvtonmlrh[.]edu
  • brsayhfugjkacpmbrdxvlsqwnzto[.]edu
  • crsahbuedmyzlvnxsjigtwqpofra[.]nzo
  • basaksupenrgvwtbyxdifazmhqcl[.]nzo
  • bcsabxqezosmkgpdachwylnvtjfu[.]nzo
  • kasckulzjsryhmxpoeciwbqtfdga[.]net
  • kcscblitrzwxnpdqomgchyvefjsu[.]net
  • kdscvsicunafkgmrwxyoljdqptbe[.]net
  • kssdamdsieurczyklfptjvnbqohw[.]net
  • oqsdlqaxtfkgmwyvcpbneiohjrzd[.]com
  • aqsaxgdcsizlovhmjktuafybqrep[.]inf
  • aksagiyltmhsqkpcfxdarnwejbuv[.]inf
  • qbsaublxqwvfronckejthipsmyzg[.]inf
  • bksatksiwafmdqhjceoburylgpvz[.]edu
  • obsadzscxgrtpnvyoahmwluikfjb[.]edu
  • skscguixbevymzswafndocrtkjlp[.]net
  • ccsdqyhiulrjfasngkdzwmbvpoct[.]org
  • bdsdflkzgyhpcmbvioextnwjusad[.]org
  • cbsbgiyurncjblofsmhxzewtkpva[.]net
  • bssavxmhkgyutidzpjwbcslrfnoq[.]nzo
  • hosafuslrzmtcyhipnqxvjkoabeg[.]net
  • rssaniahqpfvjlcskyedbzwxtgor[.]net
  • adsavgoflcbtsxwyezmqhdpkaiur[.]inf
  • bbsakvmobxcsqypfeghriuawnjzl[.]nzo
  • aasddapkxircuevbtjzgnsymlwhq[.]org
  • acsdthqwpyjmsrkvgonziafdbeux[.]org
  • sssaazxmtriowvudnqpegshcybkf[.]net
  • kbsabpiwykjqnuseacgxhofdvzmt[.]org
  • aosdychjbulizowsenfqgvktdxar[.]org
  • rbsatjihxqdevpyzagncskurblfm[.]net
  • bksauwgzpikdjnefhcxloabqsrtm[.]net
  • khsaiazwegrsdmoqytunbfvpcjkh[.]inf
  • bbsabqmjluxhytsvikzpcgnrdewf[.]edu
  • ssscprkdsygjvinfeoluwmbhqtzx[.]net
  • dksahyjonpzgkbvqlferacudwsxm[.]nzo
  • hdsazuihwlckjrfysbdtagnpqxme[.]edu
  • kqscfvcjwlpboaiunzhkgrmxqsyd[.]net
  • cosaawhejusrtdlfxvmqzibkogcn[.]net
  • shsapyjhtrlsufmdwxvcibgneaoz[.]net
  • cqsaijspquyownrfzcakvhegdxtb[.]inf
  • bssazpmjcknxatyswhuifvqebrgl[.]net
  • casafuxkiybjwostncdrmplhqezv[.]net
  • qrsacetougfwjaqvbnrhdzpskixy[.]net
  • rasaikjbtaufsgchroxzmvnywpde[.]net
  • ocsanxsalwcmprjbtvqyuehkzoid[.]inf
  • ooscktqvslzfechirbdmnogjypux[.]edu
  • okscufmklecdyobrwqhvpjaxgzit[.]com
  • sosakjnuewlzybhaiqmxpftcdrgo[.]inf
  • rqsarfdbeupijcqxlkhvonwasytm[.]net
  • chsabqsuxamypldofhntewczkjiv[.]inf
  • hbsapbzatmhilokwsejyudvrgqcf[.]edu
  • bhsaxgniwfestvdkprjzacoubqml[.]net
  • qdsalhkzqbyoexptfgrismnajucv[.]net
  • sasahfpjklgmrywvebtaxuqzdios[.]net
  • cbsatrgomfezswhqaxbuynlvjdkp[.]org
  • kqsazhvqgxwyatfenkolsimprjdu[.]org
  • cbsatqrzjiamdnfpvcxgbwyheskl[.]nzo
  • crsbnvwxgmjcltpidsbkfuroehya[.]net
  • qrsahkregbxylndcvaqjwutfpimo[.]inf
  • oksdqodyszxiuavejcmklthrwngf[.]org
  • dssajvtyqmgneswoixduczfprkab[.]net
  • krsaxemdhpngrajtvyculwsikofq[.]org
  • bdsaywlkbpfqajhoedgxuscztvnm[.]nzo
  • dssalucexwonmipvksqbdzharytf[.]com
  • qcscvquayxbckdlmwrofnzjetgsi[.]com

malware-analysis