2020-06-16 - TRICKBOT GTAG ONO47 INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2020-06-16-IOCs-for-Trickbot-gtag-ono47.txt.zip 1.3 kB (1,332 bytes)
- 2020-06-16-Trickbot-gtag-ono47-infection-traffic.pcap.zip 3.7 MB (3,668,025 bytes)
- 2020-06-16-malware-and-artifacts-for-Trickbot-gtag-ono47-infection.zip 4.3 MB (4,317,512 bytes)
IMAGES
Shown above: Screenshot from one of the spreadsheets with macros for Trickbot.
Shown above: HTTPS traffic used to retrieve a Windows EXE for Trickbot.
Shown above: Initial location of Trickbot EXE on the infected Windows host.
Shown above: Final location of Trickbot EXE on the infected Windows host.
Shown above: Scheduled task to keep Trickbot persistent.
Shown above: Traffic from an infection filtered in Wireshark.