2017-08-12 - TRICKBOT ACTIVITY

NOTICE:

ASSOCIATED FILES:

NOTES:

 

EMAILS

8 EXAMPLES FROM 2017-07-26 THROUGH 2017-08-11:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 


Shown above:  Macros from Word or Excel retrieving a Trickbot binary.

 


Shown above:  Certificate data typical for Trickbot post-infection traffic.

 

URLS GENERATED BY MACROS FROM THE ASSOCIATED WORD OR EXCEL DOCUMENTS TO RETRIEVE TRICKBOT:

 

URL FROM HTML ATTACHMENT ON 2017-08-11 EMAIL TO RETRIEVE WORD DOCUMENT:

 

TRICKBOT POST-INFECTION IP ADDRESSES AND PORTS:

 

MALWARE


Shown above:  One of the malicious Word documents associated with this malspam.

 

SHA256 HASHES FOR THE MALSPAM ATTACHMENTS:

 

SHA256 HASHES FOR THE TRICKBOT BINARIES I RECOVERED:

 


Shown above:  Artifacts from an infected Windows host.

 

IMAGES


Shown above:  Screenshot from one of the emails (1 of 8).

 


Shown above:  Screenshot from one of the emails (2 of 8).

 


Shown above:  Screenshot from one of the emails (3 of 8).

 


Shown above:  Screenshot from one of the emails (4 of 8).

 


Shown above:  Screenshot from one of the emails (5 of 8).

 


Shown above:  Screenshot from one of the emails (6 of 8).

 


Shown above:  Screenshot from one of the emails (7 of 8).

 


Shown above:  Screenshot from one of the emails (8 of 8).

 

Click here to return to the main page.