2018-06-26 - QUICK POST: TRICKBOT INFECTION TRAFFIC

ASSOCIATED FILES:

NOTES:

  • LAN segment:  172.16.9.0/24
  • Gateway:  172.16.9.1
  • Broadcast address:  172.16.9.255
  • Domain controller IP address:  172.16.9.4
  • Domain controller host name:  BRISKETHOUSE-DC
  • Domain name:  briskethouse.net
  • Windows client IP address:  172.16.5.217
  • Windows client host name:  Scarlet-Win-PC
  • Windows client user account name:  alonso.beckwith


Shown above:  Email headers from an example of Trickbot malspam.


Shown above:  Traffic from an infection filtered in Wireshark.


Shown above:  Malware and artifacts located on an infected Windows host.


Shown above:  Example of login credentials from the browser cache sent out by an infected Windows host.


Shown above:  Example of URL history from the browser cache sent out by an infected Windows host.
