Looking at the current Trickbot campaign, found some interesting stuff. Look at the image above, this is a copy of the Trickbot executable that the malware reaches out to after execution.
Using Onion TLDs:
As you can see here, it’s using a dotOnion TLD to get the passwordGrabber module:
0x13ee8190f40 (222): http://lbw3dmfh56suk6fv.onion:448/wecan5/DESKTOP-XXXXX/5/pwgrab64/
And then the usual:
0xacc6c7f7a0 (92): http://126.96.36.199:443/wecan5/DESKTOP-.XXXX/81/ 0x1d86e511ed0 (194): http://188.8.131.52:8082/wecan5/DESKTOP-XXXX/81/
Other live images of trickbot that this malware can download at the time of this publication: