2018-11-12 - TRICKBOT MALSPAM TARGETING UNITED STATES RECIPIENTS (GTAG: SAT100)

ASSOCIATED FILES:

  • 2018-11-12-example-of-malspam-pushing-Trickbot.eml   (290,084 bytes)
  • 2018-11-12-Trickbot-infection-traffic-gtag-sat100.pcap   (9,908,247 bytes)
  • 2018-11-12-attached-Word-doc-with-macro-for-Trickbot.doc   (209,920 bytes)
  • 2018-11-12-Trickbot-malware-binary.exe   (592,384 bytes)
  • socketvision/compatibility.ini   (36,031 bytes)
  • socketvision/tmp119.exe   (592,384 bytes)
  • socketvision/Data/importDll64   (8,952,080 bytes)
  • socketvision/Data/injectDll64   (982,992 bytes)
  • socketvision/Data/injectDll64_configs/dinj   (70,960 bytes)
  • socketvision/Data/injectDll64_configs/dpost   (880 bytes)
  • socketvision/Data/injectDll64_configs/sinj   (73,312 bytes)
  • socketvision/Data/mailsearcher64   (27,824 bytes)
  • socketvision/Data/mailsearcher64_configs/mailconf   (240 bytes)
  • socketvision/Data/networkDll64   (22,704 bytes)
  • socketvision/Data/networkDll64_configs/dpost   (880 bytes)
  • socketvision/Data/pwgrab64   (1,106,256 bytes)
  • socketvision/Data/pwgrab64_configs/dpost   (880 bytes)
  • socketvision/Data/shareDll64   (45,280 bytes)
  • socketvision/Data/systeminfo64   (87,728 bytes)
  • socketvision/Data/tabDll64   (2,432,864 bytes)
  • socketvision/Data/tabDll64_configs/dpost   (880 bytes)
  • socketvision/Data/wormDll64   (59,168 bytes)

NOTES:

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and partial URL:

EMAIL

Shown above:  Example of an email pushing Trickbot on Monday, 2018-11-12.

EXAMPLES OF THE MALSPAM (READ: DATE/TIME -- ATTACHMENT NAME -- SUBJECT LINE):

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

TRAFFIC FROM AN INFECTED WINDOWS HOST:

MALWARE

SHA256 HASHES FOR THE ATTACHED WORD DOCUMENTS:

TRICKBOT MALWARE BINARY (GTAG: SAT100):

IMAGES

Shown above:  Trickbot persistent on an infected Windows host.

Shown above:  Trickbot modules on an infected Windows host.

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.