{
	"id": "0c592685-714b-4e70-95c2-c1151d628eef",
	"created_at": "2026-04-06T01:31:18.763621Z",
	"updated_at": "2026-04-10T13:12:47.614145Z",
	"deleted_at": null,
	"sha1_hash": "9253cd42d4b9426f3664752bd7f9e7ae5b6b9dad",
	"title": "Wireshark Tutorial: Examining Trickbot Infections",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11472286,
	"plain_text": "Wireshark Tutorial: Examining Trickbot Infections\r\nBy Brad Duncan\r\nPublished: 2019-11-08 · Archived: 2026-04-06 00:41:49 UTC\r\nExecutive Summary\r\nWhen a host is infected or otherwise compromised, security professionals with access to packet captures (pcaps) of the network traffic need to understand the activity and identify the type of infection.\r\nThis tutorial offers tips on how to identify Trickbot, an information stealer and banking malware that has been infecting victims since 2016. Trickbot is distributed through malicious spam (malspam), and it is also distributed by other malware such as Emotet, IcedID, or Ursnif.\r\nTrickbot has distinct traffic patterns. This tutorial reviews pcaps of Trickbot infections caused by two different methods: a Trickbot infection from malspam and Trickbot when it is distributed through other malware.\r\nNote: Today’s tutorial requires Wireshark with a column display customized according to this previous tutorial. You should already have implemented Wireshark display filters as described here.\r\nTrickbot from malspam\r\nTrickbot is often distributed through malspam. Emails from these campaigns contain links to download malicious files disguised as invoices or documents. These files may be Windows executable files for Trickbot, or they may be some sort of downloader for the Trickbot executable. In some cases, links from these emails return a zip archive that contains a Trickbot executable or downloader.\r\nFigure 1 shows an example from September 2019. In this example, the email contained a link that returned a zip archive. The zip archive contained a Windows shortcut file that downloaded a Trickbot executable. 
A pcap for the associated Trickbot infection is available here.\r\nhttps://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/\r\nPage 1 of 22\n\nFigure 1: Flowchart from a Trickbot infection from malspam in September 2019.\r\nDownload the pcap from this page. The pcap is contained in a password-protected zip archive named 2019-09-25-Trickbot-gtag-ono19-infection-traffic.pcap.zip. Extract the pcap from the zip archive using the password infected and open it in Wireshark. Use your basic filter to review the web-based infection traffic as shown in Figure 2.\r\nFigure 2: Pcap of the Trickbot infection viewed in Wireshark.\r\nReview the traffic, and you will find the following activity common in recent Trickbot infections:\r\nAn IP address check by the infected Windows host\r\nHTTPS/SSL/TLS traffic over TCP ports 447 and 449\r\nHTTP traffic over TCP port 8082\r\nHTTP requests ending in .png that return Windows executable files\r\nUnique to this Trickbot infection is an HTTP request to www.dchristjan[.]com that returned a zip archive and an HTTP request to 144.91.69[.]195 that returned a Windows executable file. Follow the HTTP stream for the request to www.dchristjan[.]com as shown in Figure 3 to review the traffic. In the HTTP stream, you will find indicators that a zip archive was returned as shown in Figure 4.\r\nFigure 3: Following the HTTP stream for the request to www.dchristjan[.]com.\r\nFigure 4: Indicators the HTTP request returned a zip archive.\r\nIn Figure 4, you can also see the name of the file contained in the zip archive, InvoiceAndStatement.lnk. 
You can export the zip archive from the traffic using Wireshark as shown in Figure 5 and Figure 6 using the following path:\r\n     File → Export Objects → HTTP…\r\nFigure 5: Exporting HTTP objects from the pcap.\r\nFigure 6: Exporting the zip archive from the pcap.\r\nIn a BSD, Linux, or Mac environment, you can easily confirm the extracted file is a zip archive, get the SHA256 hash of the file, and extract the contents of the archive in a command line environment. In this case, the content is a Windows shortcut file, which you can also confirm and get the SHA256 hash as shown in Figure 7.\r\nThe command to identify the file type is file [filename], while the command to find the SHA256 hash of the file is shasum -a 256 [filename].\r\nFigure 7: Checking the extracted zip archive and its contents.\r\nAn HTTP request to 144.91.69[.]195 returned a Windows executable file. This is the initial Windows executable for Trickbot. You can follow the HTTP stream for this HTTP request and find indicators this is an executable file as shown in Figure 8 and Figure 9. You can extract the executable file from the pcap as shown in Figure 10.\r\nFigure 8: Following the HTTP stream for the HTTP request to 144.91.69[.]195.\r\nFigure 9: Indicators the returned file is a Windows executable or DLL file.\r\nFigure 10: Exporting the Windows executable from the pcap.\r\nPost-infection traffic initially consists of HTTPS/SSL/TLS traffic over TCP port 443, 447, or 449 and an IP address check by the infected Windows host. 
In this infection, shortly after the HTTP request for the Trickbot executable, we can see several attempted TCP connections over port 443 to different IP addresses before the successful TCP connection to 187.58.56[.]26 over TCP port 449. If you use your basic+ filter, you can see these attempted connections as shown in Figure 11 and Figure 12.\r\nFigure 11: Attempted TCP connections over port 443 by the infected Windows host.\r\nFigure 12: Scrolling down to see more TCP connections over port 443 before a successful connection to 187.58.56[.]26 over TCP port 449.\r\nThe HTTPS/SSL/TLS traffic to various IP addresses over TCP port 447 and TCP port 449 has unusual certificate data. We can review the certificate issuer by filtering on ssl.handshake.type == 11 when using Wireshark 2.x or tls.handshake.type == 11 when using Wireshark 3.x. 
Then go to the frame details section and expand the information, finding your way to the certificate issuer data as seen in Figure 13 and Figure 14.\r\nFigure 13: Filtering for the certificate data in the HTTPS/SSL/TLS traffic, then expanding lines in the frame details for the first result under TCP port 449.\r\nFigure 14: Drilling down to the certificate issuer data on the first result over TCP port 449.\r\nIn Figure 14, we see the following certificate issuer data used in HTTPS/SSL/TLS traffic to 187.58.56[.]26 over TCP port 449:\r\nid-at-countryName=AU\r\nid-at-stateOrProvinceName=Some-State\r\nid-at-organizationName=Internet Widgits Pty Ltd\r\nThe state or province name (Some-State) and the organization name (Internet Widgits Pty Ltd) are the default placeholder values that OpenSSL suggests when generating a certificate request, and they are not used for legitimate HTTPS/SSL/TLS traffic. This is an indicator of malicious traffic, and this type of unusual certificate issuer data is not limited to Trickbot. What does a normal certificate issuer look like in legitimate HTTPS/SSL/TLS traffic? If we look at earlier traffic to Microsoft domains at 72.21.81.200 over TCP port 443, we find the following as seen in Figure 15.\r\nid-at-countryName=US\r\nid-at-stateOrProvinceName=Washington\r\nid-at-localityName=Redmond\r\nid-at-organizationName=Microsoft Corporation\r\nid-at-organizationUnitName=Microsoft IT\r\nid-at-commonName=Microsoft IT TLS CA 2\r\nFigure 15: Certificate data from legitimate HTTPS traffic to a Microsoft domain.\r\nThe Trickbot-infected Windows host will check its IP address using a number of different IP address checking sites. These sites are not malicious, and the traffic is not inherently malicious. 
However, this type of IP address check is common with Trickbot and other families of malware. Various legitimate IP address checking services used by Trickbot include:\r\napi.ip[.]sb\r\ncheckip.amazonaws[.]com\r\nicanhazip[.]com\r\nident[.]me\r\nip.anysrc[.]net\r\nipecho[.]net\r\nipinfo[.]io\r\nmyexternalip[.]com\r\nwtfismyip[.]com\r\nAgain, an IP address check by itself is not malicious. However, this type of activity combined with other network traffic can provide indicators of an infection, as we see in this case.\r\nFigure 16: IP address check by the infected Windows host, right after HTTPS/SSL/TLS traffic over TCP port 449. Not inherently malicious, but this is part of a Trickbot infection.\r\nA Trickbot infection currently generates HTTP traffic over TCP port 8082. This traffic sends information from the infected host, such as system information and passwords from the browser cache and email clients. 
This information is sent from the infected host to command and control servers used by Trickbot.\r\nTo review this traffic, use the following Wireshark filter:\r\nhttp.request and tcp.port eq 8082\r\nThis reveals the following HTTP requests as seen in Figure 17:\r\n170.238.117[.]187 port 8082 - 170.238.117[.]187 - POST /ono19/BACHMANN-BTO-PC_W617601.AC3B679F4A22738281E6D7B0C5946E42/81/\r\n170.238.117[.]187 port 8082 - 170.238.117[.]187 - POST /ono19/BACHMANN-BTO-PC_W617601.AC3B679F4A22738281E6D7B0C5946E42/83/\r\n170.238.117[.]187 port 8082 - 170.238.117[.]187 - POST /ono19/BACHMANN-BTO-PC_W617601.AC3B679F4A22738281E6D7B0C5946E42/81/\r\n170.238.117[.]187 port 8082 - 170.238.117[.]187:8082 - POST /ono19/BACHMANN-BTO-PC_W617601.AC3B679F4A22738281E6D7B0C5946E42/81/\r\n170.238.117[.]187 port 8082 - 170.238.117[.]187:8082 - POST /ono19/BACHMANN-BTO-PC_W617601.AC3B679F4A22738281E6D7B0C5946E42/90\r\n170.238.117[.]187 port 8082 - 170.238.117[.]187:8082 - POST /ono19/BACHMANN-BTO-PC_W617601.AC3B679F4A22738281E6D7B0C5946E42/90\r\nFigure 17: HTTP traffic over TCP port 8082 caused by Trickbot.\r\nHTTP POST requests ending in 81 send cached password data from web browsers, email clients, and other applications. HTTP POST requests ending in 83 send form data submitted by applications like web browsers. We can find system information sent through HTTP POST requests ending in 90. Follow the TCP or HTTP streams for any of these HTTP POST requests to review data stolen by this infection.\r\nFigure 18: Login credentials stolen by Trickbot from the Chrome web browser. 
This data was sent by the Trickbot-infected host using HTTP traffic over TCP port 8082.\r\nFigure 19: System data sent by a Trickbot-infected host using HTTP traffic over TCP port 8082. It starts with a list of running processes.\r\nFigure 20: More system data sent by a Trickbot-infected host using HTTP traffic over TCP port 8082. This is later from the same HTTP stream that started in Figure 19.\r\nTrickbot sends more Windows executable files over HTTP GET requests ending in .png. These follow-up Trickbot executables are used to infect a vulnerable domain controller (DC) when the infected Windows host is a client in an Active Directory environment.\r\nYou can find these URLs in the pcap by using the following Wireshark filter:\r\n     http.request and ip contains .png\r\nFigure 21: Filtering to find follow-up Trickbot EXE files sent using URLs ending with .png.\r\nFollow the TCP or HTTP stream in each of the three requests as shown in Figure 21. You should see indicators of Windows executable files similar to what we saw in Figure 9. However, in this case, the HTTP response headers identify the returned file as image/png even though it clearly is a Windows executable or DLL file.\r\nFigure 22: Windows executable sent through URL ending in .png.\r\nYou can export these files from Wireshark, confirm they are Windows executable files, and get the SHA256 file hashes as we covered earlier in this tutorial.\r\nTrickbot Distributed Through Other Malware\r\nTrickbot is frequently distributed through other malware. 
Trickbot is commonly seen as follow-up malware to Emotet infections, but we have also seen it as follow-up malware from IcedID and Ursnif infections.\r\nSince Emotet frequently distributes Trickbot, let's review an Emotet with Trickbot infection in September 2019 documented here. We already covered Emotet with Trickbot infections last year in this Palo Alto Networks blog post, so this tutorial will focus on the Trickbot activity.\r\nFigure 23: Simplified flow chart for Emotet with Trickbot activity.\r\nDownload the pcap from this page. The pcap is contained in a password-protected zip archive named 2019-09-25-Emotet-infection-with-Trickbot-in-AD-environment.pcap.zip. Extract the pcap from the zip archive using the password infected and open it in Wireshark. Use your basic filter to review the web-based infection traffic as shown in Figure 24.\r\nFigure 24: Filtering on web traffic in an Emotet+Trickbot infection.\r\nExperienced analysts can usually identify the Emotet-generated traffic and the Trickbot-generated traffic. Post-infection Emotet activity consists of HTTP traffic with encoded data returned by the server. This is distinctly different from post-infection Trickbot activity, which generally relies on HTTPS/SSL/TLS traffic for command and control communications. Figure 25 points out the different infection traffic between Emotet and Trickbot for this specific infection.\r\nFigure 25: The differences in Emotet and Trickbot traffic.\r\nThis infection happened in an Active Directory environment with 10.9.25.102 as the infected Windows client and 10.9.25.9 as the DC. 
Later in the traffic, we see the DC exhibit signs of Trickbot infection as shown in Figure 26.\r\nFigure 26: Trickbot activity on the DC.\r\nHow did the infection move from client to DC? Trickbot uses a version of the EternalBlue exploit to move laterally using Microsoft’s SMB protocol. In this case, the infected Windows client sent information several times over TCP port 445 to the DC at 10.9.25.9, which then retrieved a Trickbot executable from 185.98.87[.]185/wredneg2.png. Use the basic+ filter to see the SYN segments for the traffic between the client at 10.9.25.102 and the DC at 10.9.25.9 right before the DC calls out to 185.98.87[.]185 as shown in Figure 27.\r\nFigure 27: Finding traffic from the client at 10.9.25.102 to the DC at 10.9.25.9 (shown in grey) before the DC retrieved a Trickbot EXE from 196.98.87[.]185/wredneg2.png.\r\nFollow one of the TCP streams, for example the line with 10.9.25.102 as the source over TCP port 49321 and 10.9.35.9 as the destination over TCP port 445. This is highly unusual traffic for a client to send to a DC, so it is likely related to the EternalBlue exploit. See Figure 28 for an example of this traffic.\r\nFigure 28: Example of the unusual traffic from a client to DC over TCP port 445, possibly related to an EternalBlue-based exploit.\r\nOther than this unusual SMB traffic and the DC getting infected, any Trickbot-specific activity in this pcap is remarkably similar to our previous example.\r\nSource: https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/"
	],
	"report_names": [
		"wireshark-tutorial-examining-trickbot-infections"
	],
	"threat_actors": [],
	"ts_created_at": 1775439078,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9253cd42d4b9426f3664752bd7f9e7ae5b6b9dad.pdf",
		"text": "https://archive.orkl.eu/9253cd42d4b9426f3664752bd7f9e7ae5b6b9dad.txt",
		"img": "https://archive.orkl.eu/9253cd42d4b9426f3664752bd7f9e7ae5b6b9dad.jpg"
	}
}