2018-10-22 - QUICK POST: TRICKBOT MALSPAM GTAG: SER1022

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Traffic:  2018-10-22-Trickbot-ser1022-infection-traffic.pcap.zip 14.9 MB   (14,857,588 bytes)

• 2018-10-22-Trickbot-ser1022-infection-traffic.pcap   (16,433,111 bytes)

• Malware:  2018-10-22-Trickbot-malware-and-artifacts.zip 13.2 MB   (13,242,439 bytes)

• Sep_report-example-1-of-3.xls   (53,760 bytes)
• Sep_report-example-2-of-3.xls   (53,760 bytes)
• Sep_report-example-3-of-3.xls   (53,760 bytes)
• 2018-10-22-Trickbot-binary-radiance.png   (409,600 bytes)
• 2018-10-22-Trickbot-binary-table.png   (413,696 bytes)
• 2018-10-22-Trickbot-binary-worming.png   (413,696 bytes)
• 2018-10-22-Trickbot-ser1022-binary_pointer.exe   (378,880 bytes)
• 2018-10-22-Trickbot-ser1022-artifact-Msnetcs.xml.txt   (3,702 bytes)
• 2018-10-22-Trickbot-ser1022-artifact-_r_qt99.bat.txt   (330 bytes)
• WSOG/Data/importDll64   (8,952,080 bytes)
• WSOG/Data/injectDll64   (985,040 bytes)
• WSOG/Data/injectDll64_configs/dinj   (71,200 bytes)
• WSOG/Data/injectDll64_configs/dpost   (880 bytes)
• WSOG/Data/injectDll64_configs/sinj   (59,200 bytes)
• WSOG/Data/mailsearcher64   (27,824 bytes)
• WSOG/Data/mailsearcher64_configs/mailconf   (240 bytes)
• WSOG/Data/networkDll64   (22,704 bytes)
• WSOG/Data/networkDll64_configs/dpost   (880 bytes)
• WSOG/Data/pwgrab64   (1,106,256 bytes)
• WSOG/Data/pwgrab64_configs/dpost   (880 bytes)
• WSOG/Data/systeminfo64   (87,728 bytes)
• WSOG/Data/wormDll64   (59,168 bytes)

NOTES:

• Looks like Trickbot malspam targeting the UK (gtag: ser1022) used links for .xls files hosted on excel-office[.]com instead of attachments in the emails.
• Unfortunately, I don't have an example of these emails targeting the UK.
• A later wave of Trickbot malspam targeting the US (gtag: ser1022us) used .xls files directly attached to the emails.
• Follow-up Trickbot binaries named radiance.png, table.png, and worming.png came from 104.93.252[.]187 today.

 

Click here to return to the main page.