Looking at the current Trickbot campaign, found some interesting stuff. Look at the image above: this is a copy of the Trickbot executable that the malware reaches out to after execution.

Using Onion TLDs:

As you can see here, it is using a .onion TLD to get the passwordGrabber module:

0x13ee8190f40 (222): http://lbw3dmfh56suk6fv.onion:448/wecan5/DESKTOP-XXXXX/5/pwgrab64/

And then the usual:

0xacc6c7f7a0 (92): http://93.95.97.44:443/wecan5/DESKTOP-.XXXX/81/
0x1d86e511ed0 (194): http://170.238.117.187:8082/wecan5/DESKTOP-XXXX/81/

Other live images of Trickbot that this malware can download at the time of this publication:

hxxp://66.85.173[.]6/images/lastimg.png
hxxp://66.85.173[.]6:80/images/mini.png

The complete list of C2s for this campaign is now available at the Malienist TrickBot Tracker.

Happy Holidays!
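The string-dump lines above all share one URL shape: host and port, then /<gtag>/<client id>/<numeric segment>/ with an optional module name after it. The script below is an added example, not code from the post or from the Malienist tracker: it pulls URLs out of a constructed copy of those dump lines (refanging the hxxp and [.] forms first), splits them into that shape, classifies each host as .onion, raw IPv4 or domain, and prints a defanged IOC line per URL. Treating the numeric segment as a command code and the trailing segment as a module name is an assumption made here for illustration; the post only shows the URLs.

```python
"""Extract and classify TrickBot-style C2 URLs from a memory string dump (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the string-dump lines and defanged image URLs quoted in the post,
# pasted in the "<address> (<length>): <url>" shape the post shows.
SAMPLE_STRINGS = """\
0x13ee8190f40 (222): http://lbw3dmfh56suk6fv.onion:448/wecan5/DESKTOP-XXXXX/5/pwgrab64/
0xacc6c7f7a0 (92): http://93.95.97.44:443/wecan5/DESKTOP-.XXXX/81/
0x1d86e511ed0 (194): http://170.238.117.187:8082/wecan5/DESKTOP-XXXX/81/
hxxp://66.85.173[.]6/images/lastimg.png
hxxp://66.85.173[.]6:80/images/mini.png
"""

URL_RE = re.compile(r"(?P<scheme>https?)://(?P<host>[^\s/:]+)(?::(?P<port>\d+))?(?P<path>/\S*)?")


@dataclass
class C2Url:
    url: str
    host: str
    host_kind: str          # "onion", "ipv4" or "domain"
    port: int
    gtag: Optional[str]     # campaign tag segment, e.g. "wecan5"
    client_id: Optional[str]
    command: Optional[str]  # numeric segment, e.g. "5" or "81" (assumed to be a command code)
    module: Optional[str]   # trailing segment after the command, e.g. "pwgrab64"


def refang(text: str) -> str:
    """Turn hxxp:// and [.] back into a real URL so the regex can parse it."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def defang(url: str) -> str:
    """Defang in the post's own style: hxxp scheme and the last host dot bracketed."""
    m = URL_RE.match(url)
    host = m.group("host")
    head, sep, tail = host.rpartition(".")
    safe_host = f"{head}[.]{tail}" if sep else host
    return "hxxp" + m.group("scheme")[4:] + "://" + safe_host + url[m.end("host"):]


def classify_host(host: str) -> str:
    if host.lower().endswith(".onion"):
        return "onion"
    try:
        ipaddress.IPv4Address(host)
        return "ipv4"
    except ValueError:
        return "domain"


def parse_c2_path(path: str):
    """Split /<gtag>/<client_id>/<command>/[<module>/] into fields.

    Assumption (not stated in the post): the numeric third segment is a command
    code and anything after it names the requested module, as in /5/pwgrab64/.
    Returns (None, None, None, None) for paths that do not fit this shape.
    """
    segs = [s for s in path.split("/") if s]
    if len(segs) < 3 or not segs[2].isdigit():
        return None, None, None, None
    module = segs[3] if len(segs) > 3 else None
    return segs[0], segs[1], segs[2], module


def extract_c2_urls(dump: str) -> List[C2Url]:
    results = []
    for line in dump.splitlines():
        m = URL_RE.search(refang(line))
        if not m:
            continue
        scheme, host, port, path = m.group("scheme", "host", "port", "path")
        port_num = int(port) if port else (443 if scheme == "https" else 80)
        gtag, cid, cmd, mod = parse_c2_path(path or "/")
        results.append(C2Url(m.group(0), host, classify_host(host), port_num, gtag, cid, cmd, mod))
    return results


def ioc_report(dump: str) -> List[str]:
    """One defanged, annotated line per URL, ready for a tracker or blocklist."""
    lines = []
    for r in extract_c2_urls(dump):
        if r.command:
            tag = f"C2 beacon cmd={r.command}" + (f" module={r.module}" if r.module else "")
        else:
            tag = "payload"
        lines.append(f"{defang(r.url)}  [{r.host_kind}:{r.port}] {tag}")
    return lines


if __name__ == "__main__":
    for line in ioc_report(SAMPLE_STRINGS):
        print(line)
```

Run it against your own strings output (for example from a memory dump of the running sample) and the .onion host stands out immediately as the one that will never show up in a plain DNS or proxy log; the non-standard ports (448, 8082) are the second thing worth an alert.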
Malware Analysis for Incident Response