2017-06-14 - TRICKBOT INFECTION

NOTICE:

ASSOCIATED FILES:

 

TWEETS ABOUT TODAY'S #TRICKBOT ACTIVITY:

 

OTHER NOTES:

 

EMAILS


Shown above:  An example of the emails.

 

8 EXAMPLES FROM THE FIRST WAVE:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME (PDF) -- EMBEDDED .XLSM FILE

 

4 EXAMPLES FROM THE NEXT WAVE:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME (ZIP) -- EXTRACTED .EXE FILE

 

MALWARE


Shown above:  An example of the PDF files attached to the malspam.

 


Shown above:  An example of the embedded Excel spreadsheets seen when opening the PDF files.

 

SHA256 HASHES FOR THE PDF ATTACHMENTS:

 

SHA256 HASHES FOR THE EXTRACTED .XLSM FILES:

 

MALWARE RETRIEVED FROM INFECTED HOST:

 

TRAFFIC

URLS FROM THE EXCEL MACROS FILES TO DOWNLOAD TRICKBOT:

 

TRICKBOT POST-INFECTION TRAFFIC:

 


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  Certificate data from traffic to 186.103.161[.]204 port 443.

 


Shown above:  Certificate data from traffic to 195.69.196[.]77 port 447.

 

IMAGES


Shown above:  The malware copies itself and applies a ROT1 shift to the filename; the .exe file extension is left unchanged.
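The ROT1 renaming described above, written out as an added example (this is not code from the original page and not the malware's own code). The page only states that the stem is ROT1'd and the .exe extension is kept, so the handling of case, digits and wrap-around (each ASCII letter shifted by one, z wrapping to a, every other character untouched) is an assumption here, as is the directory listing, which is constructed for illustration. Besides producing the copied name, the block inverts the shift to recover the original name from the copy and scans a file listing for pairs where one name is the ROT1 of another, which is the check you would run on a suspect host:

```python
"""ROT1 filename transform seen in the TrickBot sample above, plus a check
for spotting such self-copies in a directory listing.

Added example, not code from the original page. Assumptions (the page only
says "ROT1 on the filename minus the .exe extension"): the shift applies to
ASCII letters only, wraps z->a / Z->A, preserves case, and leaves digits and
other characters unchanged.
"""
import os
import string


def rot_letters(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions, wrapping within a-z / A-Z."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)  # digits, dots, underscores etc. untouched (assumption)
    return "".join(out)


def rot1_filename(filename: str) -> str:
    """Name the malware would give its copy: ROT1 on the stem, extension kept."""
    stem, ext = os.path.splitext(filename)
    return rot_letters(stem, 1) + ext


def unrot1_filename(filename: str) -> str:
    """Inverse: recover the original dropper name from the copied name."""
    stem, ext = os.path.splitext(filename)
    return rot_letters(stem, -1) + ext


def find_rot1_pairs(filenames):
    """Return (original, copy) pairs where copy == rot1_filename(original).

    For host triage: given a directory listing, flag any file whose name is
    the ROT1 of another file in the same listing. Stems with no letters map
    to themselves and are skipped.
    """
    names = set(filenames)
    pairs = []
    for name in sorted(names):
        candidate = rot1_filename(name)
        if candidate != name and candidate in names:
            pairs.append((name, candidate))
    return pairs


# Constructed directory listing for illustration; these names are not from the page.
SAMPLE_LISTING = [
    "invoice_2017.exe",
    "jowpjdf_2017.exe",   # ROT1 of "invoice_2017": i->j n->o v->w o->p i->j c->d e->f
    "readme.txt",
    "notepad.exe",
]

if __name__ == "__main__":
    print(rot1_filename("invoice.exe"))      # jowpjdf.exe
    print(unrot1_filename("jowpjdf.exe"))    # invoice.exe
    print(find_rot1_pairs(SAMPLE_LISTING))   # [('invoice_2017.exe', 'jowpjdf_2017.exe')]
```

Run the module directly to see the transform on the constructed names, or import `find_rot1_pairs` and feed it `os.listdir()` of the directory where the dropper landed. A name whose stem contains no letters is unchanged by the shift, so the scan deliberately ignores it rather than reporting a file as its own copy.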

 
