2019-09-25 - DATA DUMP: EMOTET INFECTION WITH TRICKBOT IN AD ENVIRONMENT
- 2019-09-25-Emotet-infection-with-Trickbot-in-AD-environment.pcap.zip 29.5 MB (29,504,346 bytes)
- 2019-09-25-malware-and-artifacts-from-Emotet-infection-with-Trickbot.zip 25.9 MB (25,880,201 bytes)
- Zip archives are password-protected with the standard password. If you don't know it, see the "about" page of this website.
- Today's Trickbot infection spread from the infected Windows client to the Domain Controller (DC), and I think it was caused by Trickbot's mwormDll64 module.
- As early as 2019-09-16, Trickbot modules mshareDll64 and mwormDll64 replaced the old shareDll64 and wormDll64 modules.
- Since then, this is the first time I've run a Trickbot infection within an Active Directory (AD) environment.
- With the old modules, an infected client would download a Trickbot EXE from a .png URL and send that over SMB to a vulnerable DC.
- In today's example with the new mshareDll64 and mwormDll64 modules, the vulnerable DC downloaded Trickbot from a .png URL.
- No Trickbot EXE was sent from the infected client to the DC, like I'd seen before.
Click here to return to the main page.