{
	"id": "5c2162a8-7dc7-4d46-86ea-65de38b1d373",
	"created_at": "2026-04-06T00:08:46.477793Z",
	"updated_at": "2026-04-10T03:24:39.705173Z",
	"deleted_at": null,
	"sha1_hash": "080eae2165a5dae2f006dfff47b0f31b56814042",
	"title": "Trickbot Brief: Creds and Beacons",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 749531,
	"plain_text": "Trickbot Brief: Creds and Beacons\r\nBy editor\r\nPublished: 2021-05-02 · Archived: 2026-04-05 19:13:51 UTC\r\nIntro\r\n“TrickBot malware—first identified in 2016—is a Trojan developed and operated by a sophisticated group of\r\ncybercrime actors. The cybercrime group initially designed TrickBot as a banking trojan to steal financial data.\r\nThrough continued development and new functionality, TrickBot has become a highly modular, multi-stage\r\nmalware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. Since\r\nTrickBot’s inception, the cybercrime group has used the malware to attack individuals and businesses globally\r\nacross a wide range of sectors.”\r\nSource – Fact Sheet: TrickBot Malware Source\r\nIn an intrusion this past month, threat actors were seen enumerating and collecting information related to the domain as well\r\nas dumping passwords before leaving the network. Multiple Cobalt Strike Beacons were deployed and remained connected\r\ndespite the lack of activity from the threat actors. \r\nCase Summary\r\nWe assess, with moderate confidence, the Trickbot DLL that we executed was originally delivered via a malicious Office\r\ndocument. The threat actors were observed leveraging Trickbot and Cobalt Strike for C2 communication. They began their\r\ndiscovery by running net and nltest commands as well as PowerView domain discovery modules. Minutes later, Lazagne\r\n(“retrieve lots of passwords”) was executed using the “all” switch. A registry value was set to enable storing logon\r\ncredentials in plaintext in memory (WDigest), likely to facilitate future activity as the host was not restarted for this change\r\nto take effect. \r\nBefore the threat actors departed the network, they successfully accessed the LSASS process and retrieved credentials from\r\nmemory. No lateral movement or execution on mission was observed.\r\nTimeline\r\nhttps://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/\r\nPage 1 of 10\n\nAnalysis and reporting completed by @kostastsale, @ICSNick, and @RoxpinTeddy.\r\nReviewed by @TheDFIRReport\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nWe assess with moderate confidence that this DLL was dropped by a malicious Office document. \r\nExecution\r\nTrickbot (click.php.dll) was manually executed on a single endpoint.\r\nSource: https://tria.ge/210412-wmdnkzp5la \r\nTrickbot, from its injected wermgr process, spawned a command process to then run a PowerShell Cobalt Strike Beacon.\r\nReviewing the above PowerShell code, we can extract the shellcode to discover the IP and User-agent string, the beacon will\r\ncommunicate with.\r\nGetting the IP and port using scdbg.\r\nThe threat actor also executed a second Cobalt Strike Beacon (wsuC3C.tmp) using the injected wermgr.exe process.\r\nrundll32.exe C:\\Users\\redacted\\AppData\\Local\\Temp\\wsuC3C.tmp,ControlUnitSpeed\r\nPersistence\r\nA scheduled task was created to keep the Trickbot malware persistent on the system.\r\nC:\\Windows\\system32\\rundll32.exe\" \"C:\\Users\\redacted\\AppData\\Roaming\\DownloadMngNet5353711913\\xxclickdr.dwn\",#\r\nDefense Evasion\r\nTrickbot injected into wermgr.exe processes and used this for communication to command and control infrastructure.\r\nCredential Access\r\nLazagne was used with the “all” switch, which runs all modules.\r\nBelow we can see registry hives being saved to disk.\r\nLSASS was accessed by rundll32, but we did not see anything written to disk.\r\nTrickbot was used to enable the storage of clear text credentials (WDigest) by setting UseLogonCredential to 1.\r\nKey - SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest\r\nValue name - UseLogonCredential\r\nSet value data - 1\r\nDiscovery\r\nThe following net commands were used by the threat actor from the injected Trickbot process. \r\nnet config workstation\r\nnet view /all \r\nnet view /all /domain\r\nnet group “Domain Computers” /domain \r\nThe following nltest commands were used by the threat actor from the injected Trickbot process. \r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nPowerView modules were also used by the threat actor executed from the Cobalt Strike beacons. \r\nGet-DomainSearcher\r\nGet-NetComputer\r\nGet-NetDomain\r\nThe local network was scanned for port 445/SMB. \r\nipconfig was used to show all IP info.\r\nipconfig /all\r\nCommand and Control\r\nTrickbot\r\ngtag: rob52\r\nCobalt Strike C2 #1 \r\n147.135.78[.]200:80 (Our Threat Feed service has known about this Cobalt Strike server since at least 4-4-2021)\r\nCS Config: \r\n\"x64\": {\r\n\"md5\": \"d963ff232b5b519014cbca17e7e9d512\",\r\n\"sha256\": \"0f0cf5e9b35012fc51306179ba4c8cfdaa4f60bf293d8140a77a74db548182e5\",\r\n\"sha1\": \"77430b1da03bf6fee12d12abd810666a7751e3c0\",\r\n\"config\": {\r\n\"HTTP Method Path 2\": \"/submit.php\",\r\n\"Method 2\": \"POST\",\r\n\"C2 Server\": \"147.135.78.200,/cx\",\r\n\"Method 1\": \"GET\",\r\n\"Polling\": 60000,\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n\"Jitter\": 0,\r\n\"Port\": 80\r\n\"x86\": {\r\n\"md5\": \"ec2fc2b33d60ddc829c9aeabb6ce0bbe\",\r\n\"sha256\": \"93008b078e8358c948877c7fde261231fc72bcd45143132070761550046701f2\",\r\n\"sha1\": \"91ea27632c363b821d8f84b8320b1d76f1d91899\",\r\n\"config\": {\r\n\"HTTP Method Path 2\": \"/submit.php\",\r\n\"Method 2\": \"POST\",\r\n\"C2 Server\": \"147.135.78.200,/push\",\r\n\"Method 1\": \"GET\",\r\n\"Polling\": 60000,\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n\"Jitter\": 0,\r\n\"Port\": 80\r\nCobalt Strike C2 #2 \r\n23.108.57[.]39:443 (Our Threat Feed service has known about this Cobalt Strike server since at least 4-12-2021)\r\nwideri[.]com \r\nJA3s:ae4edc6faf64d08308082ad26be60767\r\nJA3:a0e9f5d64349fb13191bc781f81f42e1\r\nCertificate:[10:cd:12:74:dc:9d:3d:15:b5:e9:f1:f1:22:e1:ff:65:77:a3:c9:93]\r\nNot Before: 2021/04/04 00:00:00 \r\nNot After: 2022/04/04 23:59:59 \r\nIssuer Org: Sectigo Limited \r\nSubject Common: wideri.com \r\nPublic Algorithm:rsaEncryption\r\nJARM:07d14d16d21d21d07c42d41d00041d58c7162162b6a603d3d90a2b76865b53\r\nCS Config: \r\n\"x64\": {\r\n\"time\": 1618262029857.8,\r\n\"config\": {\r\n\"Jitter\": 46,\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\wusa.exe\",\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Method 1\": \"GET\",\r\n\"Method 2\": \"POST\",\r\n\"C2 Server\": \"wideri.com,/tab_shop.css\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\wusa.exe\",\r\n\"Port\": 443,\r\n\"Polling\": 5000,\r\n\"HTTP Method Path 2\": \"/language\"\r\n},\r\n\"md5\": \"249f38615a76d47892fc530102a8a178\",\r\n\"sha256\": \"91d6230999853424f158fd58bd343c781fd687c71173ee39ed98429181d3cdb4\",\r\n\"sha1\": \"9b1f5d93af2344529b37055af8e3db0d3867c5bc\"\r\n\"x86\": {\r\n\"time\": 1618262025634.5,\r\n\"config\": {\r\n\"Jitter\": 46,\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\wusa.exe\",\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Method 1\": \"GET\",\r\n\"Method 2\": \"POST\",\r\n\"C2 Server\": \"wideri.com,/language.css\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\wusa.exe\",\r\n\"Port\": 443,\r\n\"Polling\": 5000,\r\n\"HTTP Method Path 2\": \"/sq\"\r\n},\r\n\"md5\": \"46a3380418ce59563c3adfa8f6624d3f\",\r\n\"sha256\": \"8cf43734e0d187aaad93e950646a883820b20ca2837480c1140e1751cf6557b2\",\r\n\"sha1\": \"44e19c7f2534226e6774591713fbd659931d2e10\"\r\nImpact\r\nAside from the initial compromise on the beachhead host and the stolen credentials, no further impact was observed during\r\nthis intrusion. No lateral movement or execution on mission was observed.\r\nIOCs\r\nNetwork\r\nCobalt Strike:  \r\n147.135.78.200|80\r\n23.108.57.39|443\r\nwideri[.]com\r\nhttp://172.82.179.170/w.dll\r\nTrickbot: \r\n102.68.17.97|443\r\n103.76.150.14|443 \r\n103.9.188.23|449\r\n109.185.139.90|449\r\n138.185.72.142|443\r\n148.216.32.55|443\r\n173.81.4.147|443\r\n182.253.184.130|449\r\n185.205.250.162|443\r\n190.122.168.219|443\r\n196.41.57.46|449\r\n200.90.11.177|449\r\n202.166.211.197|443\r\n31.134.124.90|443\r\n31.211.85.110|443\r\n41.77.134.250|443\r\n5.59.205.32|443\r\n62.213.14.166|443\r\n77.95.93.132|449\r\n78.138.187.231|443\r\n81.95.45.234|449\r\n84.21.206.164|449\r\n85.112.74.178|449\r\n87.116.151.237|449\r\n87.76.1.81|449\r\n89.250.208.42|449\r\n91.185.236.170|449\r\n91.225.231.120|443\r\n96.9.77.142|443\r\nFile\r\nclick.php.dll\r\n8c0d352934271350cfe6c00b7587e8dc8d062817\r\n0ae86e5abbc09e96f8c1155556ca6598c22aebd73acbba8d59f2ce702d3115f8\r\nxxclickdr.dwn\r\n8c0d352934271350cfe6c00b7587e8dc8d062817\r\n0ae86e5abbc09e96f8c1155556ca6598c22aebd73acbba8d59f2ce702d3115f8\r\nwsuC3C.tmp\r\nb7d9f3e387021bba138dbe3d153fef4e7e2196ad\r\n97dedd5ca85a13ab1a8910416b13ffd088b1c7e3486d6629a71f5c118d56fbea\r\nlazagne.exe\r\n75f4115024b5d0818f0696345eef98d92db92118\r\n61deb3a206cc203252418b431f6556e3f7efd9556fc685eeda7281d9baf89851\r\nDetections\r\nNetwork\r\nET CNC Feodo Tracker Reported CnC Server group 11\r\nET MALWARE Trickbot Checkin Response\r\nET INFO SUSPICIOUS Dotted Quad Host MZ Response\r\nSigma\r\nhttps://github.com/SigmaHQ/sigma/blob/084cd39505861188d9d8f2d5c0f2835e4f750a3f/rules/windows/process_creation/win_malware_trickbot_re\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_grabbing_sensitive_\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml\r\nYara\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2021-04-27\r\nIdentifier: Case 3521 Trickbot\r\nReference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule click_php {\r\nmeta:\r\ndescription = \"files - file click.php.dll\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-04-27\"\r\nhash1 = \"0ae86e5abbc09e96f8c1155556ca6598c22aebd73acbba8d59f2ce702d3115f8\"\r\nstrings:\r\n$s1 = \"f_+ (Q\" fullword wide\r\n$s2 = \"'/l~;2m\" fullword wide\r\n$s3 = \"y'L])[\" fullword wide\r\n$s4 = \"1!1I1m1s1\" fullword ascii\r\n$s5 = \"\u0026+B\\\"wm\" fullword wide\r\n$s6 = \"\u003ejWR=C\" fullword wide\r\n$s7 = \"W!\\\\R.S\" fullword wide\r\n$s8 = \"r-`4?b6\" fullword wide\r\n$s9 = \"]Iip!x\" fullword wide\r\n$s10 = \"!k{l`\u003c\" fullword wide\r\n$s11 = \"D~C:RA\" fullword wide\r\n$s12 = \"]{T~as\" fullword wide\r\n$s13 = \"7%8+8^8\" fullword ascii\r\n$s14 = \"f]-hKa\" fullword wide\r\n$s15 = \"StartW\" fullword ascii /* Goodware String - occured 5 times */\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 1000KB and\r\n( pe.imphash() == \"8948fb754b7c37bc4119606e044f204c\" and pe.exports(\"StartW\") or 10 of them )\r\n}\r\nMITRE\r\nUser Execution – T1204\r\nCommand and Scripting Interpreter – T1059\r\nPowerShell – T1059.001\r\nWindows Command Shell – T1059.003\r\nDomain Trust Discovery – T1482\r\nNetwork Service Scanning – T1046\r\nRemote System Discovery – T1018\r\nSystem Network Configuration Discovery – T1016\r\nSystem Information Discovery – T1082\r\nProcess Injection – T1055\r\nCredentials from Web Browsers – T1555.003\r\nOS Credential Dumping – T1003\r\nLSASS Memory – T1003.001\r\nExfiltration Over C2 Channel – T1041\r\nNon-Standard Port – T1571\r\nInternal case #3521\r\nSource: https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/"
	],
	"report_names": [
		"trickbot-brief-creds-and-beacons"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434126,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/080eae2165a5dae2f006dfff47b0f31b56814042.pdf",
		"text": "https://archive.orkl.eu/080eae2165a5dae2f006dfff47b0f31b56814042.txt",
		"img": "https://archive.orkl.eu/080eae2165a5dae2f006dfff47b0f31b56814042.jpg"
	}
}