TrickBot infection of January 2019

Pubblicato da frtg il

TrickBot is a banking-trojan malware that steals the login credentials of targeted banking sites using webinjects.

Since June 2018 TrickBot features lateral movement capabilities in order to propagate itself from an infected client to a vulnerable domain controller.

TrickBot Screenshots

TrickBot Indicators Of Compromise (IOCs)

===========TRICKBOT DOWNLOADER===========

Downloader - "Transaction_Details_15503.xls"
	sha256	f1e068ac6c1ad490087c21c5affbcd475d107552c395a2d759337ddf68e6ded7	
	sha1	e831e18e96168b2af61cdcbf6d6d70fa31a6242e	
	md5	baccc45867ffe993cff15bfc7505ddda
	
Dropped executable file
	sha256	C:\Users\admin\AppData\Local\Temp\tmp0251.exe	d4c8edb3049197948a03382135b29beb2f99a85e77330c8ccfc090c52d4ea3ac
	
Connections
	ip	198.46.190.41	

HTTP/HTTPS requests
	url	http://198.46.190.41/knot1.php	
	url	http://198.46.190.41/largo.vin


===========TRICKBOT EXE===========

Main object- "largo.vin"
	sha256 d4c8edb3049197948a03382135b29beb2f99a85e77330c8ccfc090c52d4ea3ac 
	sha1 03b3f0b942bdf17c5da6b475c9a16fd7ebde3c86 
	md5 36098457b9433efe25f066cc9d0f1886 
Connections
	ip 201.251.18.28
=================================