2020-02-25 - TRICKBOT GTAG RED4 DISTRIBUTED AS DLL FILE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2020-02-25-Trickbot-gtag-red4-IOCs.txt.zip   1.8 kB (1,824 bytes)

• 2020-02-25-Trickbot-gtag-red4-IOCs.txt   (4,961 bytes)

• 2020-02-25-Trickbot-gtag-red4-infection-traffic.pcap.zip   15.2 MB (15,229,809 bytes)

• 2020-02-25-Trickbot-gtag-red4-infection-traffic.pcap   (17,088,784 bytes)

• 2020-02-25-malware-and-artifacts-from-Trickbot-infection.zip   1.4 MB (1,433,974 bytes)

• 2020-02-25-DOCX-file-with-macro-for-Trickbot-gtag-red4.bin   (146,376 bytes)
• 2020-02-25-Trickbot-gtag-red4-DLL.bin   (882,176 bytes)
• 2020-02-25-scheduled-task-for-Trickbot-gtag-red4.txt   (4,020 bytes)
• AprilReport/List1.jse   (348,539 bytes)
• AprilReport/LogsTsg/LogsTsg7/LogsTsg8/List1.bat   (43 bytes)
• DirectTools/d26db78f99749974.com   (882,176 bytes)
• DirectTools/settings.ini   (20,952 bytes)
• Users/Public/hg32j.bat   (39 bytes)
• Users/Public/kjh4ek/ban3j.bat   (192 bytes)
• Users/Public/kjh4ek/ndj34h.bat   (94 bytes)
• Users/Public/kjh4ek/winlogon.exe   (47,023 bytes)

 

IMAGES

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Certificate issuer data from the loader.

 

Shown above:  More traffic from the infection filtered in Wireshark.

 

Shown above:  Scheduled task for the Trickbot DLL so the infection survives a reboot.

 

Click here to return to the main page.