Trojan:Win32/Trickbot
First posted on 15 September 2018.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Trickbot.
Explanation:
Injects its code into svchost so that it appears to be a clean process.
When run, this trojan connects to the following URLs:
- hxxp://ayuhas.com/neam.meow
- hxxp://driveearnings.com/neam.meow
It downloads the following file to the temp folder and runs it:
%TEMP%\stack_t.exe (05EEFF98010B18E2000B7D5C48EEEA68D43B8BEC89E92B49369763C91B5CE6E5)
Then, it copies the above file to the following location:
%APPDATA%\Roaming\smcatd\ttack_t.exe
To stay persistent, this threat creates a variably named registry entry:
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: %APPDATA%\Roaming\smcatd\ttack_t.exe
With data: %APPDATA%\Roaming\smcatd\ttack_t.exe
It also creates a scheduled task to run itself.
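As an added example (not part of the Microsoft description), the following Python check parses a `reg export` of the HKCU Run key and flags entries that match the persistence pattern described above (a value whose name is itself the file path, data pointing into the smcatd folder, or the dropped binary names), and compares a file's SHA-256 against the dropper hash quoted above. The registry-export text is constructed sample input.

```python
import hashlib
import re

# Indicators taken from the description above.
TRICKBOT_DROPPER_SHA256 = "05eeff98010b18e2000b7d5c48eeea68d43b8bec89e92b49369763c91b5ce6e5"
TRICKBOT_PERSISTENCE_DIR = "\\smcatd\\"
TRICKBOT_BINARY_NAMES = ("stack_t.exe", "ttack_t.exe")
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Matches one '"name"="data"' line of a .reg export (REG_SZ values only).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample: one benign entry and one shaped like the Trickbot entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"%APPDATA%\\Roaming\\smcatd\\ttack_t.exe"="%APPDATA%\\Roaming\\smcatd\\ttack_t.exe"
'''


def _unescape(s):
    # .reg files escape backslashes and quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_key(reg_export):
    """Return (value name, data) pairs found under the HKCU Run key."""
    entries, in_run = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = _VALUE_RE.match(line)
        if in_run and m:
            entries.append((_unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def suspicious_run_entries(entries):
    """Flag Run entries matching the persistence artifact described above."""
    hits = []
    for name, data in entries:
        reasons = []
        if "\\" in name and name.lower() == data.lower():
            reasons.append("value name equals its own path")
        if TRICKBOT_PERSISTENCE_DIR in data.lower():
            reasons.append("points into smcatd folder")
        if data.lower().endswith(TRICKBOT_BINARY_NAMES):
            reasons.append("known dropper filename")
        if reasons:
            hits.append((name, data, reasons))
    return hits


def matches_dropper_hash(file_bytes):
    """True if the bytes hash to the SHA-256 of the dropped stack_t.exe."""
    return hashlib.sha256(file_bytes).hexdigest() == TRICKBOT_DROPPER_SHA256
```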
Payload
Stops processes from running
This threat stops and deletes the Windows Defender service.
Connects to remote host
This threat loads the trojan by connecting to the servers in its configuration list.
It then connects to the following remote host to post the victims' data: 84.217.20.108:8082
Last update 15 September 2018