2020-09-08 - TRICKBOT GTAG ONO72

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2020-09-08-Trickbot-gtag-ono72-IOCs.txt.zip   1.5 kB   (1,536 bytes)

• 2020-09-08-Trickbot-gtag-ono72-IOCs.txt   (4,515 bytes)

• 2020-09-08-Trickbot-gtag-ono72-infection-traffic.pcap.zip   3.5 MB   (3,511,464 bytes)

• 2020-09-08-Trickbot-gtag-ono72-infection-traffic.pcap   (5,674,932 bytes)

• 2020-09-08-Trickbot-gtag-ono72-malware-and-artifacts.zip   1.3 MB   (1,250,885 bytes)

• 2020-09-08-Trickbot-EXE-gtag-ono72.bin   (672,166 bytes)
• 2020-09-08-Word-doc-with-macros-for-Trickbot.bin   (146,432 bytes)
• 2020-09-08-longrip.png-EXE-from-45.67.228.196.bin   (774,144 bytes)
• 2020-09-08-parodyud.vbs-dropped-by-Word-macro.txt   (10,490 bytes)
• 2020-09-08-scheduled-task-to-keep-Trickbot-persistent.txt   (3,518 bytes)
• 2020-09-08-shortwave.png-EXE-from-45.67.228.196-1-of-2.bin   (774,144 bytes)
• 2020-09-08-shortwave.png-EXE-from-45.67.228.196-2-of-2.bin   (774,144 bytes)

 

IMAGES

Shown above:  Word document with macros for Trickbot.

 

Shown above:  EXEE and VBS files from the infected Windows host.

 

Shown above:  Scheduled task to keep the infection persistent.

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

Click here to return to the main page.