{
	"id": "eb45f9d0-8f35-42f6-8ccb-08a64a9ceed7",
	"created_at": "2026-04-06T00:13:33.693535Z",
	"updated_at": "2026-04-10T13:11:49.795916Z",
	"deleted_at": null,
	"sha1_hash": "ef186ed4cac1405c767b9aa9785d4fb5fb751824",
	"title": "Malware-Traffic-Analysis.net - 2018-02-01 - Quick test-drive of Trickbot (it now has a Monero module)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2241389,
	"plain_text": "Malware-Traffic-Analysis.net - 2018-02-01 - Quick test-drive of Trickbot (it now has a Monero module)\r\nArchived: 2026-04-05 15:57:27 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\nZip archive of the pcaps:  2018-02-01-Trickbot-infection-traffic.pcap.zip   9.5 MB (9,472,261 bytes)\r\nZip archive of the malware:  2018-02-01-Trickbot-malware-samples.zip   542.2 kB (542,161 bytes)\r\nINTRODUCTION\r\nI infected a Windows host with the Trickbot malware from 2018-02-01 mentioned in this blog post from My Online Security.  I extracted the Trickbot binary located in a pcap from the Any.run analysis of the associated malicious Word document.\r\nThe chain of events led from the email to --\u003e link to a Word document --\u003e enable Word document macro --\u003e Smoke Loader --\u003e Trickbot.\r\nhttp://www.malware-traffic-analysis.net/2018/02/01/\r\nPage 1 of 7\n\nShown above:  Trickbot binary extracted from the Any.run pcap.\r\nI wanted to see what the Trickbot binary was doing, since I haven't looked at it in a while.  This blog post only reviews traffic and artifacts from a Windows host infected with the Trickbot binary, SHA256 hash 91f78068e996b1b32a3539746b6b683f5fa40e7be009b779c56e215b521df6c5.\r\nTRICKBOT TRAFFIC\r\nTrickbot network traffic in February 2018 is similar to what I saw in this ISC diary I wrote in August 2017.  The only difference is a Monero cryptocurrency miner (coin miner) in post-infection traffic in February 2018, which I hadn't noticed before.\r\nShown above:  Trickbot traffic (from the Trickbot binary) on 2018-02-01.\r\nTrickbot SSL traffic is somewhat similar to what we've seen with Dridex SSL traffic in recent weeks.  Today's Trickbot traffic triggered Emerging Threats alerts for ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificates detected (Dridex CnC), which I've seen with Trickbot traffic before.  More importantly, rules from the Snort subscriber's ruleset detected Trickbot SSL certificates, which better fits what I saw on 2018-02-01.\r\nShown above:  Snort alerts on Trickbot certificates in SSL traffic.\r\nShown above:  Emerging Threats alerts on the infection traffic from Sguil using Suricata on Security Onion.\r\nShown above:  Post-infection traffic caused by malware based on Monero (XMRig) coin miner.\r\nFORENSICS ON THE INFECTED WINDOWS HOST\r\nMy Trickbot binary was named 2018-02-01-Trickbot-malware-sample.exe, and I ran it from the user's AppData\\Local\\Temp directory.  As we saw with Trickbot back in August 2017, the malware copied itself to a new folder in the user's AppData\\Roaming directory.  Today's file was renamed, with some (but not all) of the characters in the file name shifted one character.  Like we saw back in August 2017, there's a file named group_tag.  This time, it contained the text: 3101uk.  Below are images showing some of the artifacts.\r\nShown above:  Artifacts on the infected Windows host.\r\nShown above:  Per @VK_Intel, decoded Worm32Dll module is a Monero coin miner (link).\r\nFINAL WORDS\r\nLooks like Trickbot has changed a bit since I last examined it.  Traffic and artifacts are familiar, but Trickbot has apparently jumped on the cryptocurrency bandwagon by adding a Monero (XMRig) coin mining module.  I imagine someone will do a more in-depth write-up on the new Trickbot, but I wanted to get some traffic and malware samples out.\r\nSource: http://www.malware-traffic-analysis.net/2018/02/01/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.malware-traffic-analysis.net/2018/02/01/"
	],
	"report_names": [
		"01"
	],
	"threat_actors": [],
	"ts_created_at": 1775434413,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef186ed4cac1405c767b9aa9785d4fb5fb751824.pdf",
		"text": "https://archive.orkl.eu/ef186ed4cac1405c767b9aa9785d4fb5fb751824.txt",
		"img": "https://archive.orkl.eu/ef186ed4cac1405c767b9aa9785d4fb5fb751824.jpg"
	}
}