Here’s a quick snapshot of how TrickBot uses Windows commands to output the system domain information on the victim machine:
There are some new additions in the latest target list. These are the targeted URIs extracted from the complete configs. Some of the regex'd URIs are very interesting and highly effective.

Article by Vishal Thakur

Target list:

<lm>https://us.etrade.com/webapiagg/aggregator</lm>
<lm>https://us.etrade.com/etx/hw/0/accountshome.json</lm>
<lm>https://www.nwolb.com/*.aspx*</lm>
<lm>https://www.rbsdigital.com/*.aspx*</lm>
<lm>https://www.ulsterbankanytimebanking.
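
For triage, the `<lm>` entries above can be loaded and compared against URLs seen in proxy logs to find which of them fall inside the target list. This is an added example, not code from the original article or from the malware; it assumes `*` is a match-anything wildcard and that matching is case-insensitive and anchored to the whole URL, and the observed URLs are constructed.

```python
import re

# Constructed sample: the complete <lm> entries listed on this page
# (the final, truncated entry is deliberately left out).
SAMPLE_CONFIG = """
<lm>https://us.etrade.com/webapiagg/aggregator</lm>
<lm>https://us.etrade.com/etx/hw/0/accountshome.json</lm>
<lm>https://www.nwolb.com/*.aspx*</lm>
<lm>https://www.rbsdigital.com/*.aspx*</lm>
"""

# [^<]* stops an unclosed <lm> from swallowing the entry that follows it.
LM_RE = re.compile(r"<lm>([^<]*)</lm>")


def extract_patterns(config_text):
    """Return URL patterns from complete <lm>...</lm> entries only."""
    return [p.strip() for p in LM_RE.findall(config_text) if p.strip()]


def compile_pattern(pattern):
    """Assumption: '*' matches any run of characters; the rest is literal."""
    parts = (re.escape(piece) for piece in pattern.split("*"))
    # Assumption: whole-URL, case-insensitive match.
    return re.compile("^" + ".*".join(parts) + "$", re.I)


def targeted_by(url, patterns):
    """Return the target-list patterns that cover `url` (empty if none)."""
    return [p for p in patterns if compile_pattern(p).match(url)]


def triage(urls, config_text=SAMPLE_CONFIG):
    """Map each observed URL to the target-list entries that match it."""
    patterns = extract_patterns(config_text)
    hits = {u: targeted_by(u, patterns) for u in urls}
    return {u: m for u, m in hits.items() if m}


if __name__ == "__main__":
    # Constructed proxy-log URLs, not taken from the page.
    observed = [
        "https://www.nwolb.com/Login.aspx?ref=home",
        "https://www.nwolb.com/static/site.css",
        "https://us.etrade.com/webapiagg/aggregator",
    ]
    for url, matched in triage(observed).items():
        print(url, "->", matched)
```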