Showing posts from December, 2019

TrickBot LIVE Dec 19

Looking at the current Trickbot campaign, I found some interesting stuff. Look at the image above: this is a copy of the Trickbot executable that the malware reaches out to after execution.

Using Onion TLDs: as you can see here, it’s using a .onion TLD to get the passwordGrabber module:

0x13ee8190f40 (222): http://lbw3dmfh56suk6fv.onion:448/wecan5/DESKTOP-XXXXX/5/pwgrab64/

And then the usual:

0xacc6c7f7a0 (92): http://93.95.97.44:443/wecan5/DESKTOP-.XXXX/81/
0x1d86e511ed0 (194): http://170.238.117.187:8082/wecan5/DESKTOP-XXXX/81/

Other live images of Trickbot that this malware can download at the time of this publication:

hxxp://66.85.173[.]6/images/lastimg.png
hxxp://66.85.173[.]6:80/images/mini.png

The complete list of C2i for this campaign is now available at the Malienist TrickBot Tracker. Happy Holidays!

Quantloader serving NetWire RAT

Follow the C2i tracker for block-lists. Here’s a look at what good old Quant is serving at this time:

Most of the modus operandi is the same old — firewall rules, new processes etc. There isn’t much effort to hide:

Haven’t looked at it much since I published this on the MalwareBytes blog, but here are a few things it’s still doing:

“cmd /c echo Y|CACLS \”c:\\users\\rem\\appdata\\roaming\\92804119\\dwm.exe\” /P \”REM:R\””

Some good old registry tampering:

“HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run [7]”

Trick to write into the registry:

0061FE34 0040C8C8 “regini C:\\Users\\REM\\AppData\\Local\\Temp\\per”

It is using this file that’s created, ‘per’, to write the contents into the registry.

0060FE34 |0040B388; |CommandLine = "regini C:\Users\REM\AppData\Local\Temp\per"

In order to write it, it used regini.exe with the above command line. ‘Per’ is just a txt file. And after the registry e

Emotet: What the hell is it?

If you are into malware/malware analysis, I bet you come across this particular one more than anything else. The thing is, most people don’t necessarily know what Emotet actually is, or at least the details as to what type of malware it is and what it actually does. Some of us in the industry have been known to get a bit riled up occasionally when this malware is being publicly discussed, with regard to its technical details. So I’m going to put down a few thoughts (and I anticipate backlash from those who’ve spent more time on this than me :) for obvious reasons) and hopefully that’ll help us keep the emphasis on the more important tasks (fighting malware).

Emotet is a downloader (I can literally feel temperatures rising in the cyberverse already) — i.e. it executes on the victim machine and then connects back to a server somewhere in the cloud (literally) and downloads another malicious executable and then executes it. At this point, its job is pretty much done. Serious

Trickbot domain trick

Here’s a quick snapshot of how trickbot uses Windows commands to output the system domain information on the victim machine:

Emotet > Feodo > Service

For quite some time now, the Feodo payload has been creating a service alongside a process.