2018-10-04 - QUICK POST: TRICKBOT SPREADS FROM CLIENT TO DC

ASSOCIATED FILES:

  • Incoming_CHAPS_Form.doc
  • Client/
  • Client/2018-10-04-downloaded-trickbot-binary-gtag-ser1004.exe
  • Client/2018-10-04-Trickbot-artifact-symbolqtring.bat.txt
  • Client/2018-10-04-Trickbot-scheduled-task-on-client-Msnetcs.xml.txt
  • Client/AMNI/
  • Client/AMNI/FAQ
  • Client/AMNI/grabber_temp.INTEG.RAW
  • Client/AMNI/Modules/
  • Client/AMNI/Modules/importDll64
  • Client/AMNI/Modules/injectDll64
  • Client/AMNI/Modules/injectDll64_configs/
  • Client/AMNI/Modules/injectDll64_configs/dinj
  • Client/AMNI/Modules/injectDll64_configs/dpost
  • Client/AMNI/Modules/injectDll64_configs/sinj
  • Client/AMNI/Modules/mailsearcher64
  • Client/AMNI/Modules/mailsearcher64_configs/
  • Client/AMNI/Modules/mailsearcher64_configs/mailconf
  • Client/AMNI/Modules/networkDll64
  • Client/AMNI/Modules/networkDll64_configs/
  • Client/AMNI/Modules/networkDll64_configs/dpost
  • Client/AMNI/Modules/shareDll64
  • Client/AMNI/Modules/systeminfo64
  • Client/AMNI/Modules/wormDll64
  • Client/AMNI/README.md
  • Client/AMNI/rrrrrrrrrrr.exe
  • Client/AMNI/tetup.exe
  • DC/
  • DC/2018-10-04-Trickbot-binary-C-Windows-System32-setup.exe
  • DC/2018-10-04-Trickbot-scheduled-task-on-DC-Msnetcs.xml.txt
  • DC/AMNI/
  • DC/AMNI/FAQ
  • DC/AMNI/Modules/
  • DC/AMNI/Modules/importDll64
  • DC/AMNI/Modules/injectDll64
  • DC/AMNI/Modules/injectDll64_configs/
  • DC/AMNI/Modules/injectDll64_configs/dinj
  • DC/AMNI/Modules/injectDll64_configs/dpost
  • DC/AMNI/Modules/injectDll64_configs/sinj
  • DC/AMNI/Modules/mailsearcher64
  • DC/AMNI/Modules/mailsearcher64_configs/
  • DC/AMNI/Modules/mailsearcher64_configs/mailconf
  • DC/AMNI/Modules/networkDll64
  • DC/AMNI/Modules/networkDll64_configs/
  • DC/AMNI/Modules/networkDll64_configs/dpost
  • DC/AMNI/Modules/shareDll64
  • DC/AMNI/Modules/systeminfo64
  • DC/AMNI/README.md
  • DC/AMNI/tetup.exe
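The file listing above gives a small set of host artifacts that are the same on the client and the DC: the scheduled task named Msnetcs, the Trickbot binary written to C:\Windows\System32\setup.exe on the DC, and an AMNI working directory holding the downloader executables (tetup.exe, rrrrrrrrrrr.exe) and a Modules subfolder with the named Trickbot modules. The following PowerShell hunt script is an added example, not part of the original post, that checks a Windows host for those artifacts. It assumes the AMNI folder sits somewhere under a user profile (the post does not give its location), so it walks C:\Users; adjust $ProfileRoot for other layouts.

```powershell
# Added example (not from the original post): hunt for the Trickbot artifacts named in the
# file listing. Indicators taken from the listing:
#   - scheduled task "Msnetcs" (present on both client and DC)
#   - DC binary C:\Windows\System32\setup.exe
#   - an "AMNI" folder containing tetup.exe / rrrrrrrrrrr.exe and a "Modules" subfolder
# ASSUMPTION: the AMNI folder lives under a user profile; the post does not say where,
# so we recurse C:\Users. This recursion can be slow on hosts with large profiles.

$TaskName     = 'Msnetcs'
$DcBinaryPath = 'C:\Windows\System32\setup.exe'
$ProfileRoot  = 'C:\Users'
$ModuleNames  = @('importDll64', 'injectDll64', 'mailsearcher64', 'networkDll64',
                  'shareDll64', 'systeminfo64', 'wormDll64')
$DropperNames = @('tetup.exe', 'rrrrrrrrrrr.exe')

function Get-TrickbotIndicators {
    $findings = @()

    # 1. Persistence: the scheduled task seen on both the client and the DC.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{
            Type   = 'ScheduledTask'
            Path   = "$($task.TaskPath)$($task.TaskName)"
            Detail = $action
        }
    }

    # 2. The binary dropped into System32 on the DC. Record signature status and hash so
    #    the finding can be compared against the sample from the post's zip archive.
    if (Test-Path -LiteralPath $DcBinaryPath) {
        $sig  = Get-AuthenticodeSignature -FilePath $DcBinaryPath
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $DcBinaryPath).Hash
        $findings += [pscustomobject]@{
            Type   = 'File'
            Path   = $DcBinaryPath
            Detail = "signature=$($sig.Status) sha256=$hash"
        }
    }

    # 3. The AMNI working directory: report which modules and droppers are present.
    Get-ChildItem -LiteralPath $ProfileRoot -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'AMNI' } |
        ForEach-Object {
            $amni     = $_.FullName
            $modules  = $ModuleNames  | Where-Object { Test-Path -LiteralPath (Join-Path $amni "Modules\$_") }
            $droppers = $DropperNames | Where-Object { Test-Path -LiteralPath (Join-Path $amni $_) }
            $findings += [pscustomobject]@{
                Type   = 'Directory'
                Path   = $amni
                Detail = "modules=$($modules -join ','); droppers=$($droppers -join ',')"
            }
        }

    return $findings
}

$result = Get-TrickbotIndicators
if ($result) {
    $result | Format-Table -AutoSize
} else {
    'No Trickbot artifacts from this post found on this host.'
}
```

Run it in an elevated PowerShell session on the client and on the DC; Get-ScheduledTask needs Windows 8 / Server 2012 or later. A hit on the task name or the System32 path alone is worth pulling the binary for triage, and the SHA256 in the output can be checked against the samples in the post's zip archives.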

NOTES:


IMAGES


Shown above:  Traffic from the infection filtered in Wireshark.



Shown above:  URL for the Trickbot binary used to infect the DC, sent over SMB from the client to the DC.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
