2021-07-12 (MONDAY) - TRICKBOT GTAG ROB106
ASSOCIATED FILES:
- 2021-07-12-Trickbot-gtag-rob106-malspam-2-examples.zip (68,718 bytes)
- 2021-07-12-Trickbot-malspam-1610-UTC.eml (51,382 bytes)
- 2021-07-12-Trickbot-malspam-1613-UTC.eml (38,977 bytes)
- 2021-07-12-Trickbot-gtag-rob106-infection-traffic.pcap.zip (7,992,365 bytes)
- 2021-07-12-Trickbot-gtag-rob106-infection-traffic.pcap (9,058,261 bytes)
- 2021-07-12-malware-and-artifacts-for-Trickbot-gtag-rob106.zip (6,828,615 bytes)
- 2021-07-12-scheduled-task-for-Trickbot-gtag-rob106.txt (3,592 bytes)
- AppData/Local/Temp/lKVdXIL.bin (808,448 bytes)
- AppData/Roaming/nvidiaRaysL1TF19/grabber_temp.INTEG.RAW (19,563 bytes)
- AppData/Roaming/nvidiaRaysL1TF19/importDll.txt (23,397 bytes)
- AppData/Roaming/nvidiaRaysL1TF19/cn/juewqd.txt (1,931,824 bytes)
- AppData/Roaming/nvidiaRaysL1TF19/en-EN/importDll64 (1,819,936 bytes)
- AppData/Roaming/nvidiaRaysL1TF19/en-EN/pwgrabb64 (473,984 bytes)
- AppData/Roaming/nvidiaRaysL1TF19/en-EN/pwgrabc64 (166,736 bytes)
- AppData/Roaming/nvidiaRaysL1TF19/en-EN/injectDll64 (756,592 bytes)
- AppData/Roaming/nvidiaRaysL1TF19/en-EN/networkDll64 (519,536 bytes)
- AppData/Roaming/nvidiaRaysL1TF19/settings.ini (36,944 bytes)
- AppData/Roaming/nvidiaRaysL1TF19/jplKVdXILhn.htb (808,448 bytes)
- Zoom_Conference_Invitation_1625.js (73,212 bytes)
- Zoom_Conference_Invitation_1625.zip (36,563 bytes)
- Zoom_Conference_Invitation_4152.js (59,330 bytes)
- Zoom_Conference_Invitation_4152.zip (27,191 bytes)
NOTES:
- Starting this week, I've noticed some unusual activity with Trickbot modules related to the web browsers on an infected Windows host.
- I'm seeing one of the Trickbot modules check for and access the following browsers: Internet Exporer, Edge, Chrome, and Firefox.
- This infection was done on a Windows 7 host in an Active Directory environment, so encoded/encrypted artifacts for the modules were saved to disk.
- All zip archives on this site are password-protected. If you don't know the password, see the "about" page of this website.
IMAGES
Shown above: Screenshot from one of the emails.
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Some artifacts from the infected Windows host.
Shown above: Scheduled task to keep Trickbot infection persistent.
Click here to return to the main page.