2019-09-25 - DATA DUMP: EMOTET INFECTION WITH TRICKBOT IN AD ENVIRONMENT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
 
ASSOCIATED FILES:
- 2019-09-25-Emotet-infection-with-Trickbot-in-AD-environment.pcap.zip 29.5 MB (29,504,346 bytes)
- 2019-09-25-malware-and-artifacts-from-Emotet-infection-with-Trickbot.zip 25.9 MB (25,889,299 bytes)
 
NOTES:
- Today's Trickbot infection spread from the infected Windows client to the Domain Controller (DC), and I think it was caused by Trickbot's mwormDll64 module.
- As early as 2019-09-16, Trickbot modules mshareDll64 and mwormDll64 replaced the old shareDll64 and wormDll64 modules.
- Since then, this is the first time I've run a Trickbot infection within an Active Directory (AD) environment.
- With the old modules, an infected client would download a Trickbot EXE from a .png URL and send that over SMB to a vulnerable DC.
- In today's example with the new mshareDll64 and mwormDll64 modules, the vulnerable DC downloaded Trickbot from a .png URL.
- No Trickbot EXE was sent from the infected client to the DC, like I'd seen before.
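The notes above describe the detection opportunity in both the old and new behavior: a Windows executable is fetched from a URL that ends in .png, and in the newer case the requesting host is the Domain Controller itself. The following script is an added example (not code from this page or from the pcap it links) that scans a constructed, hypothetical proxy-style log for HTTP 200 responses whose URL path looks like an image but whose body begins with the PE "MZ" magic, and raises the severity when the requester is a known DC. The log format, the addresses (RFC 5737 documentation ranges for the servers, a private range for the lab hosts) and the DC address are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log in a hypothetical format (not the traffic from this page's pcap):
# timestamp src_ip method url status content_type first_bytes_hex
SAMPLE_LOG = """\
2019-09-25T14:02:11Z 10.9.25.101 GET http://203.0.113.10/images/logo.png 200 image/png 89504e470d0a1a0a
2019-09-25T14:02:19Z 10.9.25.5 GET http://198.51.100.77/img/banner.png 200 image/png 4d5a900003000000
2019-09-25T14:03:02Z 10.9.25.101 GET http://198.51.100.77/img/icon.png 200 image/png 4d5a900003000000
2019-09-25T14:03:40Z 10.9.25.101 GET http://203.0.113.10/update.exe 200 application/octet-stream 4d5a900003000000
"""

# Constructed: address of the lab Domain Controller (assumption for this example).
DC_HOSTS = {"10.9.25.5"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<magic>[0-9a-fA-F]+)$"
)

# URL suffixes that promise an image; a PE body behind one of these is the signal.
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")


@dataclass
class Alert:
    ts: str
    src: str
    url: str
    severity: str
    reason: str


def is_pe(magic_hex: str) -> bool:
    """True when the response body starts with the DOS/PE header bytes 'MZ' (0x4d 0x5a)."""
    return magic_hex.lower().startswith("4d5a")


def find_masqueraded_executables(log_text: str, dc_hosts: set) -> list:
    """Return an Alert for every successful image-URL fetch that actually delivered a PE file.

    Severity is 'high' when the requesting host is a Domain Controller, because a DC
    pulling an executable from the internet is rarely legitimate; otherwise 'medium'.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        rec = m.groupdict()
        if rec["status"] != "200":
            continue  # only completed downloads matter here
        path = urlparse(rec["url"]).path.lower()
        if not path.endswith(IMAGE_EXTS):
            continue  # an honest .exe download is a different (and noisier) rule
        if not is_pe(rec["magic"]):
            continue  # a real image: nothing to report
        severity = "high" if rec["src"] in dc_hosts else "medium"
        alerts.append(Alert(
            ts=rec["ts"],
            src=rec["src"],
            url=rec["url"],
            severity=severity,
            reason="PE (MZ) body served from image URL",
        ))
    return alerts


if __name__ == "__main__":
    for a in find_masqueraded_executables(SAMPLE_LOG, DC_HOSTS):
        print(f"{a.severity.upper():6} {a.ts} {a.src} -> {a.url}: {a.reason}")
```

On the constructed sample the rule flags the two .png fetches that returned MZ bytes (the DC's first, at high severity) and ignores both the genuine PNG and the plainly named update.exe. In production the leading bytes would come from a sensor that carves file bodies rather than from the proxy line itself; Zeek's files.log, for instance, records a mime_type per transferred file, which serves the same purpose as the magic check here.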
 
