2018-04-17 - QUICK POST: TRICKBOT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-04-17-Trickbot-malspam-3-examples.zip 74 kB (73,549 bytes)
- 2018-04-17-Trickbot-infection-traffic.pcap.zip 7.4 MB (7,437,694 bytes)
- 2018-04-17-malware-from-Trickbot-infection.zip 219 kB (218,617 bytes)
NOTES:
- Following up on today's post by My Online Security about Fake HSBC emails distributing Trickbot via Microsoft Equation Editor exploit.
IMAGES
Shown above: Screenshot of the email.
Shown above: Opening the attached file on a vulnerable Windows host.
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Initial artifacts seen on the infected Windows host.
Shown above: Scheduled task to ensure persistence on the infected Windows host.
Shown above: Final artifacts seen on the infected Windows host (1 of 2).
Shown above: Final artifacts seen on the infected Windows host (2 of 2).