2018-08-07 - QUICK POST: TRICKBOT (GTAG: TOT284) MOVES FROM CLIENT TO DC

ASSOCIATED FILES:

NOTES:

 

IMAGES


Shown above:  Traffic from the infection filtered in Wireshark.

Shown above:  Trickbot sent from the Windows client to the DC over SMB on TCP port 445.

Shown above:  In Wireshark, you can export the Trickbot malware from the SMB traffic.
Shown above:  Trickbot on the DC shows as gtag lib284.
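The captions above describe pulling the transferred binary out of the SMB session and confirming it is Trickbot. The following Python script is an added example, not code from the original post, showing a triage step a defender can script once an object has been exported from the capture: verify the exported object is a Windows PE (MZ header with e_lfanew pointing at the PE signature), hash it for lookup, and flag SMB writes of executables from a workstation to a domain controller in a set of transfer records. The record layout, IP addresses, share paths and the PE stub are constructed placeholders for the example, not values from the capture.

```python
"""Triage for a file exported from SMB traffic, plus a check for executables
written to a domain controller. Added example for this post, not code from
the original page; all sample data below is constructed."""
import hashlib
import struct


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_export(filename: str, data: bytes) -> dict:
    """Summarise one exported object: size, SHA-256 for lookup, and PE or not."""
    return {
        "filename": filename,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": is_pe(data),
    }


def flag_pe_writes_to_dc(records, dc_ips):
    """Return SMB write records where a PE (by header or extension) lands on a DC.

    Each record is a dict with src_ip, dst_ip, dst_port, action, path and the
    first bytes of the file ('head'). This layout is an assumption of the
    example, not a format the post defines."""
    hits = []
    for r in records:
        if r["dst_port"] != 445 or r["dst_ip"] not in dc_ips:
            continue
        if r["action"] != "write":
            continue
        looks_pe = (r["head"][:2] == b"MZ"
                    or r["path"].lower().endswith((".exe", ".dll")))
        if looks_pe:
            hits.append(r)
    return hits


def build_pe_stub() -> bytes:
    """Constructed minimal byte string with valid MZ/PE signatures (not real malware)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed records; IPs and paths are placeholders, not values from the capture.
DC_IPS = {"10.0.0.2"}
SAMPLE_RECORDS = [
    {"src_ip": "10.0.0.101", "dst_ip": "10.0.0.2", "dst_port": 445,
     "action": "write", "path": "\\example-share\\payload.exe", "head": b"MZ\x90\x00"},
    {"src_ip": "10.0.0.101", "dst_ip": "10.0.0.2", "dst_port": 445,
     "action": "read", "path": "\\SYSVOL\\policy.ini", "head": b"[Gen"},
    {"src_ip": "10.0.0.101", "dst_ip": "10.0.0.50", "dst_port": 445,
     "action": "write", "path": "\\share\\notes.txt", "head": b"hell"},
]

if __name__ == "__main__":
    print(triage_export("exported.bin", build_pe_stub()))
    for hit in flag_pe_writes_to_dc(SAMPLE_RECORDS, DC_IPS):
        print("PE written to DC:", hit["src_ip"], "->", hit["dst_ip"], hit["path"])
```

The header check matters because a renamed payload keeps its MZ/PE signature even when the file name gives nothing away, so the record check keys on the leading bytes as well as the extension. The SHA-256 is what you would take to a reputation lookup or your own sample store after the export.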