2021-07-15 (THURSDAY) - TA551 (SHATHAK) TRICKBOT GTAG ZEV1 WITH COBALT STRIKE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2021-07-15-IOCs-for-TA551-Trickbot-and-Cobalt-Strike.txt.zip   (4,007 bytes)

• 2021-07-15-IOCs-for-TA551-Trickbot-and-Cobalt-Strike.txt   (6,065 bytes)

• 2021-07-15-TA551-Trickbot-infection-with-Cobalt-Strike.pcap.zip   (8,353,231 bytes)

• 2021-07-15-TA551-Trickbot-infection-with-Cobalt-Strike.pcap   (10,359,639 bytes)

• 2021-07-15-TA551-Trickbot-and-Cobalt-Strike-malware-and-artifacts.zip   (4,040,358 bytes)

• docs/bid,07.21.doc   (89,215 bytes)
• docs/file,07.15.2021.doc   (89,198 bytes)
• docs/inquiry-07.15.2021.doc   (89,069 bytes)
• docs/instrument indenture-07.21.doc   (89,240 bytes)
• docs/ordain,07.21.doc   (89,296 bytes)
• docs/order_07.21.doc   (89,257 bytes)
• docs/prescribe .07.21.doc   (89,576 bytes)
• docs/statistics 07.15.2021.doc   (89,209 bytes)
• HTA-and-installer-DLL-files/boxDelInd.hta   (3,350 bytes)
• HTA-and-installer-DLL-files/boxDelInd.jpg   (608,387 bytes)
• HTA-and-installer-DLL-files/captionEx.hta   (3,039 bytes)
• HTA-and-installer-DLL-files/captionEx.jpg   (608,387 bytes)
• HTA-and-installer-DLL-files/ctrlCopy.hta   (3,005 bytes)
• HTA-and-installer-DLL-files/ctrlCopy.jpg   (608,387 bytes)
• HTA-and-installer-DLL-files/exceptionCollectProcedure.hta   (2,831 bytes)
• HTA-and-installer-DLL-files/exceptionCollectProcedure.jpg   (608,387 bytes)
• HTA-and-installer-DLL-files/linkLstLong.hta   (2,980 bytes)
• HTA-and-installer-DLL-files/linkLstLong.jpg   (608,387 bytes)
• HTA-and-installer-DLL-files/referenceSet.hta   (3,003 bytes)
• HTA-and-installer-DLL-files/referenceSet.jpg   (608,387 bytes)
• HTA-and-installer-DLL-files/requestCaptionCnt.hta   (3,006 bytes)
• HTA-and-installer-DLL-files/requestCaptionCnt.jpg   (608,387 bytes)
• HTA-and-installer-DLL-files/valRPointer.hta   (3,098 bytes)
• HTA-and-installer-DLL-files/valRPointer.jpg   (608,387 bytes)
• malware-from-an-infected-Windows-host/WiseFolderHiderT911HX/pkcs11.txt   (41,cd 518 bytes)
• malware-from-an-infected-Windows-host/WiseFolderHiderT911HX/ddboxDelIndxx.trd   (608,387 bytes)
• malware-from-an-infected-Windows-host/2021-07-15-Cobalt-Strike-from-Trickbot-infection.dll.bin   (186,336 bytes)
• malware-from-an-infected-Windows-host/2021-07-15-scheduled-task-for-Trickbot.txt   (3,960 bytes)

 

IMAGES

Shown above:  Screenshot from one of the English-template Word docs from TA551.

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  HTA and Trickbot installer DLL seen during an infection.

 

Shown above:  Scheduled task to keep Trickbot persistent.

 

Shown above:  Traffic from the infection when Cobalt Strike starts.

 

Shown above:  Process Hacker showing how the Cobalt Strike DLL is being run.

 

Click here to return to the main page.