2020-09-08 - TRICKBOT GTAG ONO72

ASSOCIATED FILES:

  • 2020-09-08-Trickbot-gtag-ono72-IOCs.txt   (4,515 bytes)
  • 2020-09-08-Trickbot-gtag-ono72-infection-traffic.pcap   (5,674,932 bytes)
  • 2020-09-08-Trickbot-EXE-gtag-ono72.bin   (672,166 bytes)
  • 2020-09-08-Word-doc-with-macros-for-Trickbot.bin   (146,432 bytes)
  • 2020-09-08-longrip.png-EXE-from-45.67.228.196.bin   (774,144 bytes)
  • 2020-09-08-parodyud.vbs-dropped-by-Word-macro.txt   (10,490 bytes)
  • 2020-09-08-scheduled-task-to-keep-Trickbot-persistent.txt   (3,518 bytes)
  • 2020-09-08-shortwave.png-EXE-from-45.67.228.196-1-of-2.bin   (774,144 bytes)
  • 2020-09-08-shortwave.png-EXE-from-45.67.228.196-2-of-2.bin   (774,144 bytes)

NOTES:

 

IMAGES


Shown above:  Word document with macros for Trickbot.

 


Shown above:  EXE and VBS files from the infected Windows host.

 


Shown above:  Scheduled task to keep the infection persistent.

 


Shown above:  Traffic from the infection filtered in Wireshark.

 
