2021-07-12 (MONDAY) - TRICKBOT GTAG ROB106

ASSOCIATED FILES:

  • 2021-07-12-Trickbot-malspam-1610-UTC.eml   (51,382 bytes)
  • 2021-07-12-Trickbot-malspam-1613-UTC.eml   (38,977 bytes)
  • 2021-07-12-Trickbot-gtag-rob106-infection-traffic.pcap   (9,058,261 bytes)
  • 2021-07-12-scheduled-task-for-Trickbot-gtag-rob106.txt   (3,592 bytes)
  • AppData/Local/Temp/lKVdXIL.bin   (808,448 bytes)
  • AppData/Roaming/nvidiaRaysL1TF19/grabber_temp.INTEG.RAW   (19,563 bytes)
  • AppData/Roaming/nvidiaRaysL1TF19/importDll.txt   (23,397 bytes)
  • AppData/Roaming/nvidiaRaysL1TF19/cn/juewqd.txt   (1,931,824 bytes)
  • AppData/Roaming/nvidiaRaysL1TF19/en-EN/importDll64   (1,819,936 bytes)
  • AppData/Roaming/nvidiaRaysL1TF19/en-EN/pwgrabb64   (473,984 bytes)
  • AppData/Roaming/nvidiaRaysL1TF19/en-EN/pwgrabc64   (166,736 bytes)
  • AppData/Roaming/nvidiaRaysL1TF19/en-EN/injectDll64   (756,592 bytes)
  • AppData/Roaming/nvidiaRaysL1TF19/en-EN/networkDll64   (519,536 bytes)
  • AppData/Roaming/nvidiaRaysL1TF19/settings.ini   (36,944 bytes)
  • AppData/Roaming/nvidiaRaysL1TF19/jplKVdXILhn.htb   (808,448 bytes)
  • Zoom_Conference_Invitation_1625.js   (73,212 bytes)
  • Zoom_Conference_Invitation_1625.zip   (36,563 bytes)
  • Zoom_Conference_Invitation_4152.js   (59,330 bytes)
  • Zoom_Conference_Invitation_4152.zip   (27,191 bytes)

NOTES:


IMAGES

Shown above:  Screenshot from one of the emails.

Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  Some artifacts from the infected Windows host.

Shown above:  Scheduled task to keep Trickbot infection persistent.