2018-10-08 - QUICK POST: TRICKBOT SAT75 INFECTION WITH POWERSHELL EMPIRE TRAFFIC

ASSOCIATED FILES:

  • 2018-10-08-Trickbot-sat75-infection-with-powershell-empire-traffic.pcap   (22,206,323 bytes)
  • 2018-10-08-Trickbot-artifact.bat.txt
  • 2018-10-08-Trickbot-malware-binary-gtag-sat75.exe
  • 2018-10-08-attached-Word-doc-with-macro-for-Trickbot.doc
  • 2018-10-08-scheduled-task-to-keep-Trickbot-persistent-Msnetcs.xml.txt
  • AIMY/
  • AIMY/FAQ
  • AIMY/grabber_temp.INTEG.RAW
  • AIMY/info.dat
  • AIMY/README.md
  • AIMY/rrrrrrrrrr74.exe
  • AIMY/Modules/
  • AIMY/Modules/importDll64
  • AIMY/Modules/injectDll64
  • AIMY/Modules/injectDll64_configs/
  • AIMY/Modules/injectDll64_configs/dinj
  • AIMY/Modules/injectDll64_configs/dpost
  • AIMY/Modules/injectDll64_configs/sinj
  • AIMY/Modules/mailsearcher64
  • AIMY/Modules/mailsearcher64_configs/
  • AIMY/Modules/mailsearcher64_configs/mailconf
  • AIMY/Modules/networkDll64
  • AIMY/Modules/networkDll64_configs/
  • AIMY/Modules/networkDll64_configs/dpost
  • AIMY/Modules/NewBCtestDll64
  • AIMY/Modules/NewBCtestDll64_configs/
  • AIMY/Modules/NewBCtestDll64_configs/bcconfig
  • AIMY/Modules/systeminfo64
  • decoded-Trickbot-modules/
  • decoded-Trickbot-modules/2018-10-08-importDll64_module_decoded.dll
  • decoded-Trickbot-modules/2018-10-08-injectDll64_module_decoded.dll
  • decoded-Trickbot-modules/2018-10-08-mailsercher64_module_decoded.dll
  • decoded-Trickbot-modules/2018-10-08-networkDll64_module_decoded.dll
  • decoded-Trickbot-modules/2018-10-08-NewBCtestDll64_module_decoded.dll
  • decoded-Trickbot-modules/2018-10-08-systeminfo64_module_decoded.dll

NOTES:


IMAGES

Shown above: Infection traffic filtered in Wireshark (1 of 2).

Shown above: Infection traffic filtered in Wireshark (2 of 2).

Shown above: Trickbot modules on the infected Windows host.

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
