2020-06-10 - QUICK POST: TRICKBOT GTAG GI6 INFECTION IN AD ENVIRONMENT

ASSOCIATED FILES:

NOTES:


IMAGES

Shown above: Screenshot of the Word doc used to generate this infection traffic.

Shown above: Traffic from the infection filtered in Wireshark.

Shown above: Initial location of the Trickbot DLL downloaded over HTTPS after enabling Word macros.

Shown above: Scheduled task to keep the Trickbot infection persistent.

Shown above: Directory with the persistent Trickbot DLL.

Shown above: Trickbot modules on the infected Win7 host.
