2021-07-15 (THURSDAY) - TA551 (SHATHAK) TRICKBOT GTAG ZEV1 WITH COBALT STRIKE

ASSOCIATED FILES:

  • 2021-07-15-IOCs-for-TA551-Trickbot-and-Cobalt-Strike.txt   (6,065 bytes)
  • 2021-07-15-TA551-Trickbot-infection-with-Cobalt-Strike.pcap   (10,359,639 bytes)
  • docs/bid,07.21.doc   (89,215 bytes)
  • docs/file,07.15.2021.doc   (89,198 bytes)
  • docs/inquiry-07.15.2021.doc   (89,069 bytes)
  • docs/instrument indenture-07.21.doc   (89,240 bytes)
  • docs/ordain,07.21.doc   (89,296 bytes)
  • docs/order_07.21.doc   (89,257 bytes)
  • docs/prescribe .07.21.doc   (89,576 bytes)
  • docs/statistics 07.15.2021.doc   (89,209 bytes)
  • HTA-and-installer-DLL-files/boxDelInd.hta   (3,350 bytes)
  • HTA-and-installer-DLL-files/boxDelInd.jpg   (608,387 bytes)
  • HTA-and-installer-DLL-files/captionEx.hta   (3,039 bytes)
  • HTA-and-installer-DLL-files/captionEx.jpg   (608,387 bytes)
  • HTA-and-installer-DLL-files/ctrlCopy.hta   (3,005 bytes)
  • HTA-and-installer-DLL-files/ctrlCopy.jpg   (608,387 bytes)
  • HTA-and-installer-DLL-files/exceptionCollectProcedure.hta   (2,831 bytes)
  • HTA-and-installer-DLL-files/exceptionCollectProcedure.jpg   (608,387 bytes)
  • HTA-and-installer-DLL-files/linkLstLong.hta   (2,980 bytes)
  • HTA-and-installer-DLL-files/linkLstLong.jpg   (608,387 bytes)
  • HTA-and-installer-DLL-files/referenceSet.hta   (3,003 bytes)
  • HTA-and-installer-DLL-files/referenceSet.jpg   (608,387 bytes)
  • HTA-and-installer-DLL-files/requestCaptionCnt.hta   (3,006 bytes)
  • HTA-and-installer-DLL-files/requestCaptionCnt.jpg   (608,387 bytes)
  • HTA-and-installer-DLL-files/valRPointer.hta   (3,098 bytes)
  • HTA-and-installer-DLL-files/valRPointer.jpg   (608,387 bytes)
  • malware-from-an-infected-Windows-host/WiseFolderHiderT911HX/pkcs11.txt   (41,518 bytes)
  • malware-from-an-infected-Windows-host/WiseFolderHiderT911HX/ddboxDelIndxx.trd   (608,387 bytes)
  • malware-from-an-infected-Windows-host/2021-07-15-Cobalt-Strike-from-Trickbot-infection.dll.bin   (186,336 bytes)
  • malware-from-an-infected-Windows-host/2021-07-15-scheduled-task-for-Trickbot.txt   (3,960 bytes)

NOTES:

IMAGES

Shown above:  Screenshot from one of the English-template Word docs from TA551.

Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  HTA and Trickbot installer DLL seen during an infection.

Shown above:  Scheduled task to keep Trickbot persistent.

Shown above:  Traffic from the infection when Cobalt Strike starts.

Shown above:  Process Hacker showing how the Cobalt Strike DLL is being run.
