TrickBotMultiDropper

Multi-purpose dropper bundling the TrickBot XMR miner module, BrokenShield, a reverse shell (revShell) and SteamGhost injection. TrickBot C2 gate at api.foxovsky.ru/gate/connection.php. XMR mining runs in CPUMinerThread. Numerous payload URLs. 12 PE sections. Developer signatures: Meister (BrokenShield), x (Trik builder).

Threat Profile
Type: Loader
Programming Language: C++
C2 Protocol: HTTP
First Seen: 2024
Targets: Global/Gamers
Purpose / Capabilities
  • Loader/Miner/Dropper/Injection

C2 Servers 5

Address           Description                                                    Port  Protocol  Status
api.foxovsky.ru   TrickBot XMR miner C2 gate /gate/connection.php CPUMinerThre   80    HTTP      INACTIVE
185.185.25.175    C2 gate /ref45.php                                             80    HTTP      INACTIVE
138.204.171.108   Payload download /BxjL5iKld8.zip                               80    HTTP      INACTIVE
92.63.197.153     Payload download /good.exe                                     80    HTTP      INACTIVE
1226bye.xyz       SCR+DLL payload /v.sctscrobj.dll port 280                      280   HTTP      INACTIVE

⚠ C2 addresses are shared solely for threat intelligence and defensive purposes. Unauthorized access to these addresses constitutes a criminal offense.

Research Reports (1)

Critical

TrickBotMultiDropper 12454a32 -- TrickBotXMRMiner apifoxovskyru CPUMinerThread BrokenShield revShell SteamGhost AsusShellcode PayloadDownload 1226byexyz | Critical

TrickBotMultiDropper 12454a32, PE32+ x64, 332 KB. TrickBot miner gate at api.foxovsky.ru/gate/connection.php. CPUMinerThread. BrokenShield PDB path. 8 C2 IPs. 1226bye.xyz:280.
