2020-06-16 - TRICKBOT GTAG ONO47 INFECTION

ASSOCIATED FILES:

NOTES:

 

IMAGES


Shown above:  Screenshot from one of the spreadsheets with macros for Trickbot.

 


Shown above:  HTTPS traffic used to retrieve a Windows EXE for Trickbot.

 


Shown above:  Initial location of Trickbot EXE on the infected Windows host.

 


Shown above:  Final location of Trickbot EXE on the infected Windows host.

 


Shown above:  Scheduled task to keep Trickbot persistent.

 


Shown above:  Traffic from an infection filtered in Wireshark.

 
