TrickBotMultiDropper
Multi-purpose dropper bundling the TrickBot XMR miner module, BrokenShield, a reverse shell (revShell) and SteamGhost injection. TrickBot C2 gate at api.foxovsky.ru/gate/connection.php. XMR mining runs in the CPUMinerThread routine. Numerous hard-coded payload URLs. 12 PE sections. Developer signatures: Meister (BrokenShield), x (Trik builder).
Threat Profile
Type
Loader
Programming Language
C++
C2 Protocol
HTTP
First Seen
2024
Targets
Global / Gamers
Purpose / Capabilities
- Loader/Miner/Dropper/Injection
C2 Servers (5)
| Address | Role | Port | Protocol | Status |
|---|---|---|---|---|
| api.foxovsky.ru | TrickBot XMR miner C2 gate /gate/connection.php (CPUMinerThread) | 80 | HTTP | INACTIVE |
| 185.185.25.175 | C2 gate /ref45.php | 80 | HTTP | INACTIVE |
| 138.204.171.108 | Payload download /BxjL5iKld8.zip | 80 | HTTP | INACTIVE |
| 92.63.197.153 | Payload download /good.exe | 80 | HTTP | INACTIVE |
| 1226bye.xyz | SCR+DLL payload /v.sctscrobj.dll on port 280 | 280 | HTTP | INACTIVE |
⚠ C2 addresses are shared solely for threat intelligence and defensive purposes. Unauthorized access to these addresses constitutes a criminal offense.
Research Reports (1)
TrickBotMultiDropper 12454a32 -- TrickBotXMRMiner apifoxovskyru CPUMinerThread BrokenShield revShell SteamGhost AsusShellcode PayloadDownload 1226byexyz | Critical
TrickBotMultiDropper 12454a32: PE32+ x64, 332 KB. TrickBot miner C2 gate api.foxovsky.ru/gate/connection.php. CPUMinerThread. BrokenShield PDB path. 8 C2 IPs. 1226bye.xyz:280.