TrickBot LIVE Dec 19

Vishal Thakur
1 min read · Dec 24, 2019


Looking at the current TrickBot campaign, I found some interesting things. The image above shows a copy of the TrickBot executable that the malware reaches out to after execution.

Using .onion TLDs:

As you can see here, it uses a .onion address (a Tor hidden service) to fetch the password-grabber module, pwgrab64. A .onion name is not resolvable through ordinary DNS, so this request only succeeds if the bot routes it over Tor; a plain HTTP request from the host to that address fails:

0x13ee8190f40 (222): http://lbw3dmfh56suk6fv.onion:448/wecan5/DESKTOP-XXXXX/5/pwgrab64/

And then the usual direct-to-IP callbacks. The path follows the standard TrickBot scheme: the group tag for this campaign (wecan5), a client ID built from the victim hostname, and a numeric command code:

0xacc6c7f7a0 (92): http://93.95.97.44:443/wecan5/DESKTOP-.XXXX/81/
0x1d86e511ed0 (194): http://170.238.117.187:8082/wecan5/DESKTOP-XXXX/81/

Other live TrickBot images (binaries, served with a .png extension) that this malware can download at the time of publication:

hxxp://66.85.173[.]6/images/lastimg.png
hxxp://66.85.173[.]6:80/images/mini.png
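The C2 paths and download URLs above can be turned into a detection directly. The following is an added example, not code from the original post or from the Malienist tracker: it parses TrickBot-style request paths of the form /&lt;gtag&gt;/&lt;client&gt;/&lt;command&gt;/[&lt;module&gt;/], refangs the hxxp and [.] notation used in reports, runs the check over a few constructed proxy-log lines built from the URLs on this page, and classifies a downloaded file by its leading bytes instead of trusting a .png extension. The log line format, the function names and the sample bytes are assumptions made for the example; that command 5 is a module download and wecan5 a group tag comes from the common TrickBot URI scheme, not from the post, and the post does not say what the .png files actually contain.

```python
"""Added example (not code from the original post or the Malienist tracker):
parse TrickBot-style C2 request URLs, flag them in proxy logs, and check what
a downloaded ".png" really is. Log format, names and sample data are assumed."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# TrickBot callback paths look like /<gtag>/<client_id>/<command>/[<argument>/]
# The gtag (group tag, e.g. wecan5) identifies the campaign, the client ID is
# built from the victim hostname, and the number is a command code; command 5
# is a module download whose argument names the module (pwgrab64 here).
C2_PATH = re.compile(
    r"^/(?P<gtag>[A-Za-z]+\d+)/(?P<client>[^/]+)/(?P<cmd>\d+)/(?:(?P<arg>[^/]+)/)?$"
)

@dataclass
class C2Request:
    host: str
    port: int
    gtag: str
    client_id: str
    command: int
    argument: Optional[str]
    onion: bool

def refang(url: str) -> str:
    """Undo the hxxp / [.] defanging used in reports so the URL can be parsed."""
    return url.replace("hxxp://", "http://").replace("[.]", ".")

def parse_c2_url(url: str) -> Optional[C2Request]:
    """Return the decoded TrickBot request if the URL matches the C2 path scheme."""
    u = urlsplit(refang(url))
    m = C2_PATH.match(u.path)
    if not m or not u.hostname:
        return None
    port = u.port if u.port is not None else (443 if u.scheme == "https" else 80)
    return C2Request(
        host=u.hostname, port=port, gtag=m["gtag"], client_id=m["client"],
        command=int(m["cmd"]), argument=m["arg"],
        onion=u.hostname.endswith(".onion"),
    )

# Constructed proxy log (assumed format: timestamp client method url status),
# built from the URLs quoted on this page plus one benign request.
SAMPLE_PROXY_LOG = """\
1576800000.123 10.0.0.5 GET http://93.95.97.44:443/wecan5/DESKTOP-.XXXX/81/ 200
1576800001.456 10.0.0.5 GET http://170.238.117.187:8082/wecan5/DESKTOP-XXXX/81/ 200
1576800002.789 10.0.0.5 GET http://lbw3dmfh56suk6fv.onion:448/wecan5/DESKTOP-XXXXX/5/pwgrab64/ 200
1576800003.000 10.0.0.7 GET http://66.85.173.6/images/lastimg.png 200
1576800004.000 10.0.0.7 GET http://example.invalid/index.html 200
"""

def scan_proxy_log(log_text: str) -> list:
    """Flag lines matching the C2 scheme, using a .onion host, or speaking plain HTTP on an odd port."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        reasons = []
        req = parse_c2_url(url)
        if req is not None:
            desc = f"trickbot-c2 gtag={req.gtag} cmd={req.command}"
            if req.argument:
                desc += f" module={req.argument}"
            reasons.append(desc)
            if req.onion:
                reasons.append("onion-host")
        u = urlsplit(refang(url))
        if u.scheme == "http" and u.port not in (None, 80):
            reasons.append(f"plain-http-on-port-{u.port}")
        if reasons:
            findings.append({"src": parts[1], "url": url, "reasons": reasons})
    return findings

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def classify_payload(data: bytes) -> str:
    """Trust the first bytes, not the extension: a real PNG, a PE (MZ) file, or something else."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f["src"], f["url"], ", ".join(f["reasons"]))
    # whatever a download is named, a file starting with MZ is a PE
    print(classify_payload(b"MZ\x90\x00"))
```

Note that the two .png download URLs do not follow the C2 path scheme, so they are not caught by the path match; they have to be handled as plain URL indicators, and the fetched file checked with classify_payload rather than by its name.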

The complete list of C2s for this campaign is now available at the Malienist TrickBot Tracker.

Happy Holidays!

Written by Vishal Thakur

DFIR enthusiast. Founder of HCKSYD. Founder of Security BSides Sydney Australia. Malware Analyst.
