2020-02-25 - TRICKBOT GTAG RED4 DISTRIBUTED AS DLL FILE

ASSOCIATED FILES:

  • 2020-02-25-Trickbot-gtag-red4-IOCs.txt   (4,961 bytes)
  • 2020-02-25-Trickbot-gtag-red4-infection-traffic.pcap   (17,088,784 bytes)
  • 2020-02-25-DOCX-file-with-macro-for-Trickbot-gtag-red4.bin   (146,376 bytes)
  • 2020-02-25-Trickbot-gtag-red4-DLL.bin   (882,176 bytes)
  • 2020-02-25-scheduled-task-for-Trickbot-gtag-red4.txt   (4,020 bytes)
  • AprilReport/List1.jse   (348,539 bytes)
  • AprilReport/LogsTsg/LogsTsg7/LogsTsg8/List1.bat   (43 bytes)
  • DirectTools/d26db78f99749974.com   (882,176 bytes)
  • DirectTools/settings.ini   (20,952 bytes)
  • Users/Public/hg32j.bat   (39 bytes)
  • Users/Public/kjh4ek/ban3j.bat   (192 bytes)
  • Users/Public/kjh4ek/ndj34h.bat   (94 bytes)
  • Users/Public/kjh4ek/winlogon.exe   (47,023 bytes)

NOTES:


IMAGES

Shown above: Traffic from the infection filtered in Wireshark.

Shown above: Certificate issuer data from the loader.

Shown above: More traffic from the infection filtered in Wireshark.

Shown above: Scheduled task for the Trickbot DLL so the infection survives a reboot.