Weekly TrickBot Analysis - End of w/c 16-Oct-2017 to 1000073

Here are the results of my analysis of TrickBot Banking Trojan mcconfs shared up to the end of the week commencing 16th October 2017. The latest version shared in this time is 1000073.

The following graph shows the number of server entries across 54 versions using ports:

  • 443 (HTTPS);
  • 445 (IBM AS Server Mapper);
  • 449 (Cray Network Semaphore Server); and 
  • 451 (SMB).

The following table shows the top 25 servers (of 618 unique) used within the 54 versions.

The 618 unique server IP addresses are allocated across a wide variety of countries according to their BGP prefix registrations. The top 5 countries are RU > US > PL > RO > FR.

Thanks to @mpvillafranca94, @VK_Intel, @K_N1kolenko, @hasherezade, @ArnaudDlms, @StackGazer, @0bscureC0de, @voidm4p, @James_inthe_box, @MakFLwana, @spalomaresg, and @virsoz, for sharing the mcconfs.

Article Link: http://escinsecurity.blogspot.com/2017/10/weekly-trickbot-analysis-end-of-wc-16.html