
Trickbot and AdFind Recon

Low
Published: Tue Feb 18 2020 (02/18/2020, 00:00:00 UTC)
Source: CIRCL
Vendor/Project: tlp
Product: green

Description

Trickbot and AdFind Recon

AI-Powered Analysis

Last updated: 06/19/2025, 14:34:44 UTC

Technical Analysis

The threat involves the Trickbot malware combined with the use of AdFind for reconnaissance activities within compromised networks. Trickbot is a modular banking Trojan primarily designed to steal financial information, but it has evolved to include various capabilities such as credential harvesting, lateral movement, and payload delivery. AdFind is a legitimate command-line Active Directory query tool often abused by attackers to gather detailed information about network environments, including user accounts, group memberships, and domain controllers. In this context, Trickbot operators leverage AdFind to perform external analysis and network reconnaissance, enabling them to map out the internal network structure and identify high-value targets for further exploitation or data exfiltration. The combination of Trickbot’s payload delivery and AdFind’s reconnaissance capabilities facilitates a multi-stage attack process, where initial infection is followed by detailed network enumeration to maximize impact. Although no specific affected versions are listed, the presence of a patch indicates that mitigations or detection improvements have been developed. The threat is categorized under payload delivery, external analysis, and network activity, highlighting its role in both initial compromise and subsequent network exploitation. No known exploits in the wild have been reported at the time of publication, and the severity is marked as low by the source, likely reflecting the need for initial infection and the complexity of the attack chain. However, the use of legitimate tools like AdFind complicates detection and response efforts, as such tools blend with normal administrative activity. The provided patch link offers detailed guidance on detection and mitigation strategies.

Potential Impact

For European organizations, the Trickbot and AdFind reconnaissance threat poses a significant risk primarily to financial institutions, enterprises with complex Active Directory environments, and organizations with valuable intellectual property. The malware’s ability to deliver payloads and perform detailed network reconnaissance can lead to credential theft, lateral movement, and potential data breaches. This can result in financial losses, reputational damage, and regulatory penalties, especially under GDPR requirements for data protection. The use of AdFind for reconnaissance means attackers can efficiently identify privileged accounts and critical infrastructure, increasing the likelihood of targeted attacks on sensitive systems. Given the modular nature of Trickbot, once inside the network, attackers can deploy additional malware or ransomware, escalating the impact. The threat also complicates incident response due to the legitimate nature of the reconnaissance tool, potentially delaying detection and containment. European organizations with extensive Active Directory deployments and those in sectors such as banking, telecommunications, and government are particularly at risk due to the strategic value of their data and infrastructure.

Mitigation Recommendations

1. Implement strict monitoring and logging of Active Directory query tools usage, including AdFind, to detect anomalous or unauthorized reconnaissance activities.
2. Employ endpoint detection and response (EDR) solutions capable of identifying Trickbot’s modular payloads and suspicious process behaviors, including the execution of known reconnaissance tools by non-administrative users.
3. Enforce the principle of least privilege across user accounts to limit the scope of credential theft and lateral movement.
4. Regularly update and patch systems, including applying the specific mitigations referenced in the linked advisory (https://www.wilbursecurity.com/2020/02/trickbot-and-adfind-recon/), to close vulnerabilities exploited by Trickbot.
5. Conduct network segmentation to isolate critical assets and reduce the attack surface available to malware post-infection.
6. Use multi-factor authentication (MFA) for all privileged accounts to mitigate the risk of credential compromise.
7. Train security teams to recognize the dual use of legitimate tools like AdFind in attack scenarios and develop tailored detection rules to distinguish malicious from benign usage.
8. Perform regular threat hunting exercises focusing on Trickbot indicators and unusual Active Directory queries to identify early signs of compromise.
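Recommendations 1, 2 and 7 above amount to one detection: flag AdFind-style Active Directory queries in process-creation telemetry, and raise the priority when the launching account is not an expected AD administrator or the tool was started from a batch script. The code below is an added illustration of that rule set, not code from CIRCL or the linked write-up; the `key=value;` log format, the `ALLOWED_USERS` allowlist, the placeholder `KNOWN_ADFIND_MD5` value and the sample events are all constructed assumptions.

```python
"""Flag AdFind-style AD reconnaissance in process-creation events (added example)."""
import re

# Assumption: accounts expected to run AD query tools in this environment.
ALLOWED_USERS = {"corp\\ad-admin"}
# Assumption: MD5s of AdFind builds you have catalogued (placeholder value here);
# lets a renamed copy of the binary be caught even when the image name changes.
KNOWN_ADFIND_MD5 = {"00000000000000000000000000000000"}
# AdFind-style arguments: an LDAP filter via -f, or a -sc shortcut query.
_QUERY_RE = re.compile(r'(?i)\s-f\s+"?\(?objectcategory=|\s-sc\s+\w+')


def parse_event(line):
    """Parse one constructed 'key=value; key=value' process-creation line."""
    return {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in line.split(";") if "=" in part)}


def classify(ev):
    """Return the reasons this event looks like AdFind reconnaissance (empty = benign)."""
    reasons = []
    image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image == "adfind.exe":
        reasons.append("adfind by image name")
    if ev.get("md5", "").lower() in KNOWN_ADFIND_MD5 and image != "adfind.exe":
        reasons.append("renamed adfind binary (hash match)")
    if _QUERY_RE.search(ev.get("cmdline", "")):
        reasons.append("adfind-style ad query switches")
    # Context only matters once a tool indicator fired; it raises priority.
    if reasons and ".bat" in ev.get("parentcmd", "").lower():
        reasons.append("launched from batch script")
    if reasons and ev.get("user", "").lower() not in ALLOWED_USERS:
        reasons.append("user not in ad-admin allowlist")
    return reasons


def scan(lines):
    """Return (event, reasons) for every line that triggers at least one rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry, not captured logs.
SAMPLE = [
    "user=corp\\ad-admin; image=C:\\tools\\AdFind.exe; parentcmd=powershell.exe; "
    "cmdline=AdFind.exe -f (objectcategory=computer); md5=aaaa",
    "user=corp\\jdoe; image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\ab12cd.exe; "
    "parentcmd=cmd.exe /c adf.bat; cmdline=ab12cd.exe -f (objectcategory=person) name; "
    "md5=00000000000000000000000000000000",
    "user=corp\\jdoe; image=C:\\Windows\\System32\\notepad.exe; parentcmd=explorer.exe; "
    "cmdline=notepad.exe report.txt; md5=bbbb",
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE):
        print(ev["user"], ev["image"], "->", ", ".join(reasons))
```

The admin's own AdFind run still surfaces (by name and by query switches) but without the allowlist or batch-script reasons, which is what lets a triage rule separate expected administrative use from the pattern in this record.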


Technical Details

Threat Level: 3
Analysis: 2
UUID: 5e4b486e-9968-4af1-87dc-4ff4950d210f
Original Timestamp: 1582857280

Indicators of Compromise


Link

https://app.any.run/tasks/dc8771c7-04fd-47f5-b273-c8d433862c2e/ (Any.Run sandbox run of enter.exe)
https://www.wilbursecurity.com/2020/02/trickbot-and-adfind-recon/ (Blog write-up)

IP

216.170.123.19 (Login from this IP minutes before activity started)
195.133.145.31 (Trickbot C2)


Threat ID: 682c7af2e3e6de8ceb77d777

Added to database: 5/20/2025, 12:52:02 PM

Last enriched: 6/19/2025, 2:34:44 PM

Last updated: 8/17/2025, 6:19:43 PM
