TrickBot is a trojan for Microsoft Windows and other operating systems. Its original function was the theft of banking details and other credentials, but its operators have since extended it into a complete modular malware ecosystem. Below are the latest indicators of compromise observed for this campaign.
Credits: Research by ExecuteMalware
Indicators of compromise
THREAT IDENTIFICATION: TRICKBOT
ANALYST NOTES
Downloaded modules:
pwgrab64
shareDll64
tabDll64
wormDll64
SUBJECTS OBSERVED
[STK] Hadfields INVOICE- Ref: 739241 A
SENDERS OBSERVED
sales@globextratech [.]com
MALDOC FILE NAMES
Upload_737160487_1591215127.xls
Upload_747556100_1817075317.xls
MALDOC FILE HASHES (MD5, in the same order as the file names above)
4023f96dfa75f5ab44da157f085e8db1
d38d3ee1983b5d2bb504b341846f4cea
TRICKBOT PAYLOAD URLS
http://beachtreepestcontrol [.]com/viewer/counter [.]php
TRICKBOT PAYLOAD FILE HASHES
10.counter
5e3ac60f9af6bd3b89111fc54fb64293
TRICKBOT C2
https://103 [.]76 [.]20 [.]226
https://114 [.]34 [.]226 [.]52:447
TRICKBOT ADDITIONAL PAYLOAD URL
http://194 [.]5 [.]249 [.]113/images/control [.]png
ADDITIONAL PAYLOAD FILE HASH
control.png
7546faae3f2b31e132ea54ac9fabdd15
FIDDLER TRAFFIC CAPTURE
http://beachtreepestcontrol [.]com/viewer/counter [.]php
http://0php/
http://179 [.]191 [.]108 [.]58:449
http://190 [.]152 [.]71 [.]230:443
http://103 [.]76 [.]20 [.]226:443
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/kps/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/0/Windows%207%20x64%20SP1/1104/62 [.]182 [.]99 [.]61/B7E4CBA0AC3BFD329AB910D91B19E896CD3FC46BD43AB29ED7A447624A92BB20/lvHnrrDdvzXXtxxJJf5ddzz3LPllNj/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/user/analyst/0/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/path/C:%5CUsers%5Canalyst%5CAppData%5CRoaming%5CWInternetDownloadManager8868080426%5Cmwgrtfem [.]dwn/0/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/23/2000026/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/DNSBL/not%20listed/0/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/NAT%20status/client%20is%20behind%20NAT/0/
https://114 [.]34 [.]226 [.]52:447/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/pwgrab64/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/dpost/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/64/pwgrab/VERS//
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/10/62/VPXZFFBXPHLLBNZFFVV/1/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/IQUEyiSUEyiSCEyiSCwyiSCwgiSC/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/10/62/541889/1/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/64/pwgrab/DEBG//
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/pwgrab/sTart%20pwgrab%20working/0/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/64/pwgrab/DPST//
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/EJMe0Qi4Um8QmCUqGYuKcyGc2Kg6Ok2/
https://114 [.]34 [.]226 [.]52:447/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/tabDll64/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/64/tabDll/InfMach/infect/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/10/62/541904/1/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/63/tabDll/infect///
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/tabDll64/reload1/0/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/9LRhJZl1VhxDp1pP1/
https://114 [.]34 [.]226 [.]52:447/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/wormDll64/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/10/62/541910/1/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/63/wormDll/infect///
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/lJxZFjL1V7bDtNzf9lFvX1dJnP5Z/
https://114 [.]34 [.]226 [.]52:447/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/shareDll64/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/10/62/541911/1/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/63/shareDll/infect///
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/xZ9vLvh7dTtPf5fRrRDd/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/ZDRfhhfhhfhhffdf/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/D1wQ2WCoIya4gMqSwcEiO0U6a/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/vXnR5N1bFtBpT3hLdHvV9n5j/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/DpHpPXFB9DvVDLXFxxfJFd/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/mlWcACkqsQSY68EmoMSU2/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/ZPNVlTBXFtnvZHDL3tbfbJ1Hz/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/1phdbZPNLxvt3hfdZDB/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/06tf9dPtN9dTtN9d7tNDd/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/gKKGmIoIoKqMqMsOuQuQwSy/
https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/rjfBTbtl3LHLdvb5Nf/
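Every beacon in the capture above follows one layout: /<group tag>/<hostname>_W<OS version>.<32-hex bot ID>/<command code>/<arguments>/ (here the group tag is rob20, the host is WIN7PC on W617601, i.e. Windows 6.1 build 7601, and code 5 fetches a module by name, code 14 reports a string, code 0 registers the bot). The following Python is an added example, not part of ExecuteMalware's research or this page, that parses such URLs out of proxy log lines, refangs the "[.]" notation used in this list, and summarises per bot which C2 endpoints were contacted, which modules were pulled and what was reported. The sample log lines are constructed from the URLs above, and the command-code names in CMD_NAMES are inferred from this capture only and are an assumption rather than an authoritative protocol table.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote

# Defanged notation used in the IOC list above: "103 [.]76 [.]20 [.]226", "hxxps://".
_DEFANG = re.compile(r"\s*\[\.\]\s*")

def refang(s: str) -> str:
    """Turn 'example [.]com' / 'hxxps://' back into a real URL string."""
    return re.sub(r"^hxxp", "http", _DEFANG.sub(".", s), flags=re.IGNORECASE)

# Beacon layout seen in the capture: /<gtag>/<host>_W<osver>.<32-hex bot id>/<cmd>/<args...>/
_BEACON = re.compile(
    r"""^https?://(?P<c2>[^/:]+)(?::(?P<port>\d+))?
        /(?P<gtag>[A-Za-z0-9]+)
        /(?P<hostname>[^/]+?)_(?P<osver>W\d+)\.(?P<botid>[0-9A-Fa-f]{32})
        /(?P<cmd>\d+)(?P<rest>(?:/[^/]*)*)/?$""",
    re.VERBOSE,
)

# Command-code meanings inferred only from the requests in this capture (an assumption
# for illustration, not an authoritative protocol table).
CMD_NAMES = {0: "register", 1: "task poll", 5: "download module", 10: "task result",
             14: "log message", 23: "config request", 63: "module data", 64: "module data"}

@dataclass
class Beacon:
    c2: str
    port: int
    gtag: str
    hostname: str
    osver: str
    botid: str
    cmd: int
    args: List[str]

def parse_beacon(url: str) -> Optional[Beacon]:
    """Return a Beacon if the (possibly defanged) URL has the beacon layout, else None."""
    u = refang(url.strip())
    m = _BEACON.match(u)
    if not m:
        return None
    port = int(m["port"]) if m["port"] else (443 if u.startswith("https://") else 80)
    # Empty segments (the trailing '//' of '/64/pwgrab/VERS//') carry nothing; drop them.
    args = [unquote(a) for a in m["rest"].split("/") if a]
    return Beacon(m["c2"], port, m["gtag"], m["hostname"], m["osver"],
                  m["botid"].upper(), int(m["cmd"]), args)

def parse_log(lines) -> List[Beacon]:
    """Extract beacons from '<timestamp> <method> <url>' lines; other URLs are ignored."""
    out = []
    for line in lines:
        parts = line.split(maxsplit=2)  # the URL may contain ' [.]', so split only twice
        if line.startswith("#") or len(parts) < 3:
            continue
        b = parse_beacon(parts[2])
        if b:
            out.append(b)
    return out

def summarize(beacons: List[Beacon]) -> Dict[str, dict]:
    """Per bot id: C2 endpoints contacted, modules fetched (cmd 5), info reported (cmd 14)."""
    report: Dict[str, dict] = {}
    for b in beacons:
        r = report.setdefault(b.botid, {"hostname": b.hostname, "gtag": b.gtag,
                                        "c2": set(), "modules": [], "logs": []})
        r["c2"].add(f"{b.c2}:{b.port}")
        if b.cmd == 5 and b.args:
            r["modules"].append(b.args[0])
        elif b.cmd == 14 and len(b.args) >= 2:
            r["logs"].append((b.args[0], b.args[1]))
    return report

# Constructed sample log modelled on the Fiddler capture above (not a real log file).
SAMPLE_LOG = """\
# timestamp method url
2020-06-04T10:00:01Z GET http://beachtreepestcontrol [.]com/viewer/counter [.]php
2020-06-04T10:00:09Z GET https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/0/Windows%207%20x64%20SP1/1104/62 [.]182 [.]99 [.]61/B7E4CBA0AC3BFD329AB910D91B19E896CD3FC46BD43AB29ED7A447624A92BB20/lvHnrrDdvzXXtxxJJf5ddzz3LPllNj/
2020-06-04T10:00:10Z GET https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/user/analyst/0/
2020-06-04T10:00:11Z GET https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/14/NAT%20status/client%20is%20behind%20NAT/0/
2020-06-04T10:00:12Z GET https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/23/2000026/
2020-06-04T10:00:20Z GET https://114 [.]34 [.]226 [.]52:447/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/pwgrab64/
2020-06-04T10:00:25Z GET https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/64/pwgrab/VERS//
2020-06-04T10:00:30Z GET https://114 [.]34 [.]226 [.]52:447/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/5/tabDll64/
2020-06-04T10:00:31Z GET https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/63/tabDll/infect///
2020-06-04T10:00:40Z GET https://103 [.]76 [.]20 [.]226/rob20/WIN7PC_W617601 [.]23367CF7354BBEE6FF12C3FBD39F9351/1/IQUEyiSUEyiSCEyiSCwyiSCwgiSC/
"""

if __name__ == "__main__":
    for b in parse_log(SAMPLE_LOG.splitlines()):
        print(b.cmd, CMD_NAMES.get(b.cmd, "?"), b.args[:2])
    for botid, r in summarize(parse_log(SAMPLE_LOG.splitlines())).items():
        print(botid, r["hostname"], sorted(r["c2"]), r["modules"], r["logs"])
```

The bot ID (hostname, OS build and 32-hex value) is the stable key to pivot on across proxy logs: the C2 IP and port change between the two servers in this capture, but the ID and group tag do not, so hunting on the path pattern rather than on the IP catches the beacon even after the operators rotate infrastructure. The non-matching lines (the initial payload download from counter.php, or odd entries such as http://0php/) are simply skipped, which is what you want when feeding an unfiltered proxy export.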
SUPPORTING EVIDENCE
https://urlhaus.abuse.ch/browse.php?search=http%3A%2F%2Fbeachtreepestcontrol [.]com%2Fviewer%2Fcounter [.]php
https://urlhaus.abuse.ch/browse.php?search=control.png