2018-09-03 - QUICK POST: TRICKBOT MALSPAM AND INFECTION TRAFFIC

ASSOCIATED FILES:

• 2018-09-03-Trickbot-malspam-example-1134-UTC.eml.zip   39 kB (38,989 bytes)
• 2018-09-03-Trickbot-malspam-infection-traffic.pcap.zip   6.2 MB (6,219,746 bytes)
• 2018-09-03-Trickbot-malware-and-artifacts.zip   2.8 MB (2,775,659 bytes)

NOTES:

• Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
• For more info, see this blog post from myonlinesecurity.co.uk.

 

Shown above:  Start of traffic from the infection filtered in Wireshark.  Saw some Tor traffic, which is sometimes seen with Trickbot post-infection activity.

 

Shown above:  End of pcap from the infection filtered in Wireshark.  Saw several "500 Internal Server Error" messages when the infected host was trying to exfiltrate
password data stolen from the browser cache.

 

Shown above:  Example of password data stolen from the browser cache.

 

Click here to return to the main page.