{
	"id": "7eac8711-1013-4298-a143-551504d16201",
	"created_at": "2026-04-06T00:12:15.011194Z",
	"updated_at": "2026-04-10T13:11:18.02155Z",
	"deleted_at": null,
	"sha1_hash": "047992e9b3c804af0e4e78ad4d99c8078f093d53",
	"title": "TrickBot ... many tricks - VinCSS Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 151129,
	"plain_text": "TrickBot ... many tricks - VinCSS Blog\r\nBy Yến Hứa\r\nPublished: 2021-10-26 · Archived: 2026-04-05 23:39:15 UTC\r\nTable of Contents\r\n1. Introduction\r\n2. Analyze malicious document\r\n3. Analyze easyMicrosoftHop.jpg payload (RCSeparator.dll – 48cba467be618d42896f89d79d211121)\r\n4. Analyze shellcode\r\n5. Analyze the first Dll (b67694dddf98298b539bddc8cabc255d)\r\n6. Analyze the second Dll (34d6a6bffa656c6b0c7b588e111dbed1)\r\n7. Analyze the third Dll (templ.dll – 3409f865936a247957955ad2df45a2cd)\r\n8. Analyze the final shellcode\r\n9. Dump Trickbot core payload 32-bit and extract C2 configuration\r\n9.1. Dump payload 32-bit\r\n9.2. Analyze Trickbot core payload and extract C2s configuration\r\n9.2.1. Dynamic APIs resolve\r\n9.2.2. Decrypt strings\r\n9.3. Decrypt the configuration and extract the C2s list\r\n9.3.1. Decrypt the configuration\r\n9.3.2. Extract C2s list\r\n10. References\r\n11. Appendix 1 – Complete list of decrypted strings\r\n12. Appendix 2 – C2s list\r\n
1. Introduction\r\nFirst discovered in 2016, TrickBot (aka TrickLoader or Trickster) has since become one of the most prevalent and dangerous malware families in today’s threat landscape. The gangs behind TrickBot are constantly evolving it to add new features and tricks. Trickbot is multi-modular malware: a main payload is responsible for loading plugins that perform specific tasks such as stealing credentials and sensitive information, providing remote access, spreading over the local network, and downloading other malware.\r\nTrickbot’s roots have been traced to elite Russian-speaking cybercriminals. According to these reports (1, 2), at least two people believed to be members of this group have been arrested so far. Even so, other gang members continue to operate as normal.\r\nThrough continuous cyber security monitoring and system protection for our customers, VinCSS recently detected and prevented a phishing campaign that distributed malware to a customer protected by us. After a deep-dive analysis and dissection of the malware’s techniques, we can confirm that this is a sample of the Trickbot malware family.\r\nIn this article, we provide a detailed analysis of how Trickbot infects a system after being launched by a malicious Word document, and of the techniques the malware uses to hinder analysis. Unlike Emotet or Qakbot, Trickbot hides its C2 addresses by mixing fake C2 addresses with real ones in the configuration; we cover how to extract the final C2 list at the end of this article. In addition, we present a method to recover the APIs and decode the strings of Trickbot using IDA’s Appcall feature, to make the analysis process easier.\r\nhttps://blog.vincss.net/re025-trickbot-many-tricks/\r\nPage 1 of 38\r\n
2. Analyze malicious document\r\nThe attacker somehow compromised the partner’s mail server, took control of an email account on it, and inserted an email with a malware-laden attachment into the existing email exchange between the two parties. The content of this email is as follows:\r\nAfter extracting request.zip with the password provided in the email, I obtained require 010.04.2021.doc:\r\nChecking the require 010.04.2021.doc file, I found that it contains VBA code:\r\nI focus on the code highlighted in red in the image above. Extracting the relevant data area and performing the corresponding replacement yields HTML content containing JavaScript, shown in the figure below:\r\nThe JavaScript code in the figure decodes the base64 blobs assigned to the rockCleanJump and rapHopWindows variables. The first base64 blob downloads the payload to the victim’s computer and saves it as easyMicrosoftHop.jpg:\r\nThe second base64 blob uses regsvr32 to execute the downloaded payload.\r\nFrom this, I can conclude that easyMicrosoftHop.jpg is a Dll file.\r\n
3. Analyze easyMicrosoftHop.jpg payload (RCSeparator.dll – 48cba467be618d42896f89d79d211121)\r\nThis file is not available on VT; however, searching by imphash f34a0f23e05f2c2a829565c932b87430 returns the same payloads, which were uploaded to VT recently:\r\nExamining this payload shows that it is a Dll whose original name is RCSeparator.dll, with one exported function, DllRegisterServer.\r\nThe file’s metadata info is as follows:\r\nThe sample is not packed, but a quick check of the section information shows that its code has been obfuscated and that the .rsrc section likely contains an encrypted payload.\r\nViewing the resources of this sample, I found a resource named HTML, 0x38333 bytes in size, containing random-looking bytes. I guess that it uses this resource to decode a new payload.\r\nAnalyzing the payload’s code at the DllRegisterServer function shows that it does the following:\r\nFind the base addresses of kernel32.dll and ntdll.dll:\r\nResolve the addresses of the kernel32.dll and ntdll.dll APIs it will use later, based on pre-computed hashes.\r\nUse the resolved APIs to read the entire content of the resource mentioned above:\r\nDecode it into shellcode and execute that shellcode using the QueueUserAPC and NtTestAlert functions.\r\nI dumped the shellcode for further analysis. Parsing it shows that it has 3 embedded Dlls, as follows:\r\n
4. Analyze shellcode\r\nThe shellcode calls the f_dll_loader function to load the first Dll into memory with the following parameter:\r\nIn the f_dll_loader function, the shellcode resolves the addresses of Windows API functions at runtime according to pre-computed hashes:\r\nThe entire f_dll_loader function performs the task of a loader: after mapping the Dll into memory, it finds the Dll’s DllEntryPoint address and calls it to execute the code of the first Dll:\r\nHere, I dumped the first Dll to disk for further analysis.\r\n
5. Analyze the first Dll (b67694dddf98298b539bddc8cabc255d)\r\nThis file is not available on VT; however, searching by imphash 1f6199c52a5d3ffac2a25f6b3601dd22 returns the same payloads:\r\nFrom the information in the Import Directory, it can be guessed that this Dll also acts as a loader:\r\nThe code at DllEntryPoint calls the function responsible for loading and executing the second Dll:\r\nThe f_dll_loader function here has the same code as in the shellcode analyzed above: after mapping the entire second Dll into memory, it retrieves the Dll’s DllEntryPoint address and calls it to execute the next stage:\r\nI dumped the second Dll to disk for easier analysis.\r\n
6. Analyze the second Dll (34d6a6bffa656c6b0c7b588e111dbed1)\r\nThis Dll has already been uploaded to VirusTotal. The imports of the second Dll are the same as those of the first:\r\nThe code at the DllEntryPoint function of this Dll performs the following tasks:\r\nMap the third Dll into memory.\r\nFind the DllRegisterServer function and call it:\r\nI again dumped the third Dll to disk for further analysis.\r\n
7. Analyze the third Dll (templ.dll – 3409f865936a247957955ad2df45a2cd)\r\nExamining the dumped Dll shows that its original name is templ.dll and that it has one exported function, DllRegisterServer.\r\nThis Dll is also not available on VT, but searching by imphash b79a86dfbbbe6d8e177dfb7ae70d4922 returns some similar files.\r\nThe file is not packed, but its code is obfuscated and will decode a new payload:\r\nThe code at the DllRegisterServer function of this Dll performs the following tasks:\r\nAllocate a memory area to store the decrypted payload.\r\nRun the decryption routine to decrypt the new payload into the allocated memory area. This payload is shellcode.\r\nCall the shellcode to execute the final stage.\r\nThe decryption function uses a loop to xor the data as follows:\r\nTo be quick, I use x64dbg for debugging. The shellcode after decoding is as follows:\r\n
8. Analyze the final shellcode\r\nObserving this shellcode, I see that it stores strings near the end of the file. In my experience these are likely base64 strings and keys for decoding:\r\nAfter decoding, I got the following strings:\r\nBased on the decoded strings, I guess that this shellcode will inject the payload into the wermgr.exe process. To verify, I debug the shellcode right after templ.dll decodes it and calls it, set a breakpoint at the CreateProcessInternalW function and execute:\r\nSo, as you can see in the above figure, the shellcode injects the payload into the wermgr.exe (64-bit) process. Under the cover of the wermgr.exe system process, the malicious code now connects to many C2 addresses, as shown in the picture below:\r\n
9. Dump Trickbot core payload 32-bit and extract C2 configuration\r\n9.1. Dump payload 32-bit\r\nFrom the shellcode analysis above, the final payload is injected into the wermgr.exe (64-bit) process, so that payload is also 64-bit. However, templ.dll is a 32-bit Dll, so to make it easier to understand the payload’s code and extract the C2 configuration, we dump the malware’s 32-bit core payload instead. I debug the shellcode when it is called by templ.dll and set breakpoints at the VirtualAlloc and GetNativeSystemInfo functions. Executing the shellcode, it breaks at GetNativeSystemInfo:\r\nFollow the address that will receive the SystemInfo structure in the dump view, execute the function and return to the malware code, then modify the returned wProcessorArchitecture value:\r\nContinuing execution and following the address allocated by VirtualAlloc, the shellcode unpacks the main payload into the allocated memory, but the “MZ” signature has been wiped.\r\nI dump the payload to disk and fix the MZ signature, giving the 32-bit core binary of Trickbot:\r\nThe payload has no import information, so it retrieves API addresses at runtime.\r\n
9.2. Analyze Trickbot core payload and extract C2s configuration\r\n9.2.1. Dynamic APIs resolve\r\nSimilar to Emotet, Qakbot and others, the Trickbot payload finds API function addresses by matching a pre-computed hash of the API function name. Information about the Dlls and the pre-computed hashes is stored in a global variable with the following structure:\r\nThese fields have the following meanings:\r\ndll_str_idx: used to decode the name of the Dll that Trickbot will use, and then to get the base address of this Dll.\r\nnHashValue: the number of pre-computed hashes, corresponding to the number of API functions to find.\r\npre-computed hash: the pre-computed hash values of the API functions.\r\nnOrdinalVal: the number of ordinal values, corresponding to functions whose addresses are retrieved from a calculated ordinal.\r\nOrinal_value: values used to calculate the actual ordinal of the API function whose address is to be retrieved.\r\nBased on these fields, Trickbot retrieves the API addresses as follows:\r\nThe pseudocode of the function that calculates the hash based on the name of the API function:\r\nBased on the above pseudocode, I can rewrite the hash calculation code in Python as follows:\r\nOnce obtained, all the real API addresses are stored at address 0x00420000, as shown in the picture. Therefore, to get the full list of APIs that Trickbot uses, I apply the method described in this article. The result after restoring the API functions is shown in the figure below:\r\n
9.2.2. Decrypt strings\r\nAll the main strings used by the payload are encrypted and stored in the .data section as follows:\r\nThe decode function takes the index of the string as its input parameter, then decodes the string using base64 with a custom character set:\r\nTo decode these strings and add the corresponding annotations in IDA, I use IDA’s Appcall feature, referring to the code here. The entire Python code is as follows:\r\nThe results before and after running the script show how much easier this makes the analysis:\r\nIn addition, for easy tracking and comparison, we can also write a standalone decryption script to get the entire list of strings. Please see Appendix 1 – Complete list of decrypted strings below.\r\n
9.3. Decrypt the configuration and extract the C2s list\r\n9.3.1. Decrypt the configuration\r\nTrickbot stores its encrypted configuration in the .text section. When executed, it reads the size of the data, allocates memory accordingly, and then decrypts the data using a xor loop.\r\nThe data obtained from the step above is decrypted again using AES (MODE_CBC) to obtain the C2 list. Before decryption, Trickbot generates the AES key and IV:\r\nThe calculated aes_key and aes_iv values are then used for data decryption as follows:\r\nBased on the pseudocode above, combined with the hasherezade code referenced here, I can rewrite the Python code that decrypts the C2 configuration used by this Trickbot sample:\r\nFrom the decrypted configuration we get the C2 list shown above. However, in this list:\r\nIP addresses in the \u003csrv\u003e \u003c/srv\u003e tag are real C2 addresses.\r\nIP addresses in the \u003csrva\u003e \u003c/srva\u003e tag will later be transformed by Trickbot.\r\nTrickbot uses the following code to convert the addresses in the \u003csrva\u003e \u003c/srva\u003e tag into real C2 addresses.\r\nThe above pseudocode converted to Python code is as follows:\r\nHere is the C2 list after the transformation:\r\nPlease see Appendix 2 – C2s list below for the complete list.\r\n
10. References\r\nTrickbot Still Alive and Well\r\nTrickbot Brief: Creds and Beacons\r\nImporting Ollydbg Addresses into IDA\r\nhttps://github.com/hasherezade/malware_analysis/tree/master/trickbot\r\nIntroducing the Appcall feature in IDA Pro 5.6\r\nhttps://github.com/coldshell/IDA-appcall\r\nDetricking TrickBot Loader\r\n11. 
Appendix 1 – Complete list of decrypted strings\r\nAll decrypted strings\r\nindex : 0 --\u003e Decoded string : b'checkip.amazonaws.com'\r\nindex : 1 --\u003e Decoded string : b'ipecho.net'\r\nindex : 2 --\u003e Decoded string : b'ipinfo.io'\r\nindex : 3 --\u003e Decoded string : b'api.ipify.org'\r\nindex : 4 --\u003e Decoded string : b'icanhazip.com'\r\nindex : 5 --\u003e Decoded string : b'myexternalip.com'\r\nindex : 6 --\u003e Decoded string : b'wtfismyip.com'\r\nindex : 7 --\u003e Decoded string : b'ip.anysrc.net'\r\nindex : 8 --\u003e Decoded string : b'api.ipify.org'\r\nindex : 9 --\u003e Decoded string : b'api.ip.sb'\r\nindex : 10 --\u003e Decoded string : b'ident.me'\r\nindex : 11 --\u003e Decoded string : b'www.myexternalip.com'\r\nindex : 12 --\u003e Decoded string : b'/plain'\r\nindex : 13 --\u003e Decoded string : b'/ip'\r\nindex : 14 --\u003e Decoded string : b'/raw'\r\nindex : 15 --\u003e Decoded string : b'/text'\r\nindex : 16 --\u003e Decoded string : b'/?format=text'\r\nindex : 17 --\u003e Decoded string : b'zen.spamhaus.org'\r\nindex : 18 --\u003e Decoded string : b'cbl.abuseat.org'\r\nindex : 19 --\u003e Decoded string : b'b.barracudacentral.org'\r\nindex : 20 --\u003e Decoded string : b'dnsbl-1.uceprotect.net'\r\nindex : 21 --\u003e Decoded string : b'spam.dnsbl.sorbs.net'\r\nindex : 22 --\u003e Decoded string : b'bdns.at'\r\nindex : 23 --\u003e Decoded string : b'bdns.by'\r\nindex : 24 --\u003e Decoded string : b'bdns.co'\r\nindex : 25 --\u003e Decoded string : b'bdns.im'\r\nindex : 26 --\u003e Decoded string : b'bdns.link'\r\nindex : 27 --\u003e Decoded string : b'bdns.nu'\r\nindex : 28 --\u003e Decoded string : b'bdns.pro'\r\nindex : 29 --\u003e Decoded string : b'b-dns.se'\r\nindex : 30 --\u003e Decoded string : b'ruv_'\r\nindex : 31 --\u003e Decoded string : b'\u003cUserId\u003e'\r\nindex : 32 --\u003e Decoded string : b'rundll32.exe '\r\nindex : 33 --\u003e Decoded string : b'control'\r\nindex : 34 --\u003e Decoded string : b' %u %u %u %u'\r\nindex : 35 --\u003e Decoded string : b'\u003c/BootTrigger\u003e\\n'\r\nindex : 36 --\u003e Decoded string : b'path'\r\nindex : 37 --\u003e Decoded string : b'Toolwiz Cleaner'\r\nindex : 38 --\u003e Decoded string : b'GET'\r\nindex : 39 --\u003e Decoded string : b'WTSGetActiveConsoleSessionId'\r\nindex : 40 --\u003e Decoded string : b'Param 0'\r\nindex : 41 --\u003e Decoded string : b'Create ZP failed'\r\nindex : 42 --\u003e Decoded string : b'%s/%s/64/%s/%s/%s/'\r\nindex : 43 --\u003e Decoded string : b'Decode param64 error'\r\nindex : 44 --\u003e Decoded string : b'client is not behind NAT'\r\nindex : 45 --\u003e Decoded string : b'Windows Server 2003'\r\nindex : 46 --\u003e Decoded string : b'start'\r\nindex : 47 --\u003e Decoded string : b'SYSTEM'\r\nindex : 48 --\u003e Decoded string : b'kernel32.dll'\r\nindex : 49 --\u003e Decoded string : b'SeDebugPrivilege'\r\nindex : 50 --\u003e Decoded string : b'.txt'\r\nindex : 51 --\u003e Decoded string : b'Load to M failed'\r\nindex : 52 --\u003e Decoded string : b'winsta0\\default'\r\n
index : 53 --\u003e Decoded string : b'eventfail'\r\nindex : 54 --\u003e Decoded string : b'Windows 10 Server'\r\nindex : 55 --\u003e Decoded string : b'data'\r\nindex : 56 --\u003e Decoded string : b' working'\r\nindex : 57 --\u003e Decoded string : b'%u%u%u.'\r\nindex : 58 --\u003e Decoded string : b'\u003c/LogonTrigger\u003e\\n'\r\nindex : 59 --\u003e Decoded string : b'shlwapi'\r\nindex : 60 --\u003e Decoded string : b'cn\\'\r\nindex : 61 --\u003e Decoded string : b'------Boundary%08X'\r\nindex : 62 --\u003e Decoded string : b'curl/7.78.0'\r\nindex : 63 --\u003e Decoded string : b'GetProcAddress'\r\nindex : 64 --\u003e Decoded string : b'\u003c/Command\u003e\\n\u003cArguments\u003e'\r\nindex : 65 --\u003e Decoded string : b'\\svchost.exe'\r\nindex : 66 --\u003e Decoded string : b'--%s--\\r\\n\\r\\n'\r\nindex : 67 --\u003e Decoded string : b'SignatureLength'\r\nindex : 68 --\u003e Decoded string : b'tmp'\r\nindex : 69 --\u003e Decoded string : b'in'\r\nindex : 70 --\u003e Decoded string : b'SeTcbPrivilege'\r\nindex : 71 --\u003e Decoded string : b'52'\r\nindex : 72 --\u003e Decoded string : b'\\*'\r\nindex : 73 --\u003e Decoded string : b'0.0.0.0'\r\nindex : 74 --\u003e Decoded string : b'\u003c/Exec\u003e\\n\u003c/Actions\u003e\\n\u003c/Task\u003e\\n'\r\nindex : 75 --\u003e Decoded string : b'ModuleQuery'\r\nindex : 76 --\u003e Decoded string : b'No params'\r\nindex : 77 --\u003e Decoded string : b'DNSBL'\r\nindex : 78 --\u003e Decoded string : b'%02X'\r\nindex : 79 --\u003e Decoded string : b'VERS'\r\nindex : 80 --\u003e Decoded string : b'cmd.exe'\r\nindex : 81 --\u003e Decoded string : b'/%s/%s/0/%s/%s/%s/%s/%s/'\r\nindex : 82 --\u003e Decoded string : b'noname'\r\nindex : 83 --\u003e Decoded string : b'Control failed'\r\nindex : 84 --\u003e Decoded string : b'LoadLibraryW'\r\nindex : 85 --\u003e Decoded string : b'InitializeCriticalSection'\r\nindex : 86 --\u003e Decoded string : b'Create xml2 failed'\r\nindex : 87 --\u003e Decoded string : b'\u003c/Triggers\u003e\\n\u003cPrincipals\u003e\\n\u003cPrincipal id=\"Author\"\u003e\\n'\r\nindex : 88 --\u003e Decoded string : b'not listed'\r\nindex : 89 --\u003e Decoded string : b'Create xml failed'\r\nindex : 90 --\u003e Decoded string : b'Windows Server 2012'\r\nindex : 91 --\u003e Decoded string : b'CloseHandle'\r\nindex : 92 --\u003e Decoded string : b'pIT connect failed, 0x%x'\r\nindex : 93 --\u003e Decoded string : b'Windows Server 2008'\r\nindex : 94 --\u003e Decoded string : b'WantRelease'\r\nindex : 95 --\u003e Decoded string : b'i:'\r\nindex : 96 --\u003e Decoded string : b'\u003c/Command\u003e'\r\nindex : 97 --\u003e Decoded string : b'client is behind NAT'\r\nindex : 98 --\u003e Decoded string : b'Register u failed, 0x%x'\r\nindex : 99 --\u003e Decoded string : b'/%s/%s/25/%s/'\r\nindex : 100 --\u003e Decoded string : b'/%s/%s/14/%s/%s/0/'\r\nindex : 101 --\u003e Decoded string : b'1108'\r\nindex : 102 --\u003e Decoded string : b'ExitProcess'\r\nindex : 103 --\u003e Decoded string : b'POST'\r\nindex : 104 --\u003e Decoded string : b'\\cmd.exe'\r\nindex : 105 --\u003e Decoded string : b'PROMPT'\r\nindex : 106 --\u003e Decoded string : b'x64'\r\nindex : 107 --\u003e Decoded string : b'Windows 2000'\r\nindex : 108 --\u003e Decoded string : b'user'\r\nindex : 109 --\u003e Decoded string : b'Unable to load module from server'\r\nindex : 110 --\u003e Decoded string : b'/%s/%s/10/%s/%s/%u/'\r\nindex : 111 --\u003e Decoded string : b'Process has been finished\\n'\r\nindex : 112 --\u003e Decoded string : b'--%s\\r\\nContent-Disposition: form-data; name=\"%S\"\\r\\n\\r\\n'\r\nindex : 113 --\u003e Decoded string : b'Process was unloaded'\r\nindex : 114 --\u003e Decoded string : b'testscript'\r\nindex : 115 --\u003e Decoded string : b'CI failed, 0x%x'\r\nindex : 116 --\u003e Decoded string : b'%08lX%04lX%u'\r\n
index : 117 --\u003e Decoded string : b'Invalid params count'\r\nindex : 118 --\u003e Decoded string : b'WTSQueryUserToken'\r\nindex : 119 --\u003e Decoded string : b'S-1-5-18'\r\nindex : 120 --\u003e Decoded string : b'\\Toolwiz-Cleaner'\r\nindex : 121 --\u003e Decoded string : b'dsize:%u'\r\nindex : 122 --\u003e Decoded string : b'GetParentInfo error'\r\nindex : 123 --\u003e Decoded string : b'reload%d'\r\nindex : 124 --\u003e Decoded string : b'/%s/%s/5/%s/'\r\nindex : 125 --\u003e Decoded string : b' '\r\nindex : 126 --\u003e Decoded string : b'D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)'\r\nindex : 127 --\u003e Decoded string : b'explorer.exe'\r\nindex : 128 --\u003e Decoded string : b'Unknown'\r\nindex : 129 --\u003e Decoded string : b'x86'\r\nindex : 130 --\u003e Decoded string : b'Content-Type: multipart/form-data; boundary=%s\\r\\nContent-Length: %d\\r\\n\\r\\n'\r\nindex : 131 --\u003e Decoded string : b'pIT GetFolder failed, 0x%x'\r\nindex : 132 --\u003e Decoded string : b'%s %s'\r\nindex : 133 --\u003e Decoded string : b'Windows 7'\r\nindex : 134 --\u003e Decoded string : b'en-EN\\'\r\nindex : 135 --\u003e Decoded string : b't:'\r\nindex : 136 --\u003e Decoded string : b'Execute from user'\r\nindex : 137 --\u003e Decoded string : b'\u003c/Principal\u003e\\n\u003c/Principals\u003e\\n\u003cSettings\u003e\\n\u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\\n\u003cDisallowStartIfOnBatteries\u003efalse\r\nContext=\"Author\"\u003e\\n\u003cExec\u003e\\n\\t\u003cCommand\u003e'\r\nindex : 138 --\u003e Decoded string : b'Windows Server 2008 R2'\r\nindex : 139 --\u003e Decoded string : b'Windows Vista'\r\nindex : 140 --\u003e Decoded string : b'Run D failed'\r\nindex : 141 --\u003e Decoded string : b'Win32 error'\r\nindex : 142 --\u003e Decoded string : b'/%s/%s/1/%s/'\r\nindex : 143 --\u003e Decoded string : b'SINJ'\r\nindex : 144 --\u003e Decoded string : b'Module already unloaded'\r\nindex : 145 --\u003e Decoded string : b'%016llX%016llX'\r\nindex : 146 --\u003e Decoded string : b'\u003c/Arguments\u003e\\n'\r\nindex : 147 --\u003e Decoded string : b'Load to P failed'\r\nindex : 148 --\u003e Decoded string : b'Module is not valid'\r\nindex : 149 --\u003e Decoded string : b'\u003cLogonTrigger\u003e\\n\u003cEnabled\u003etrue\u003c/Enabled\u003e\\n'\r\nindex : 150 --\u003e Decoded string : b'\u003cmoduleconfig\u003e*\u003c/moduleconfig\u003e'\r\nindex : 151 --\u003e Decoded string : b'freebuffer'\r\nindex : 152 --\u003e Decoded string : b'failed'\r\nindex : 153 --\u003e Decoded string : b'listed'\r\nindex : 154 --\u003e Decoded string : b'Windows Server 2012 R2'\r\nindex : 155 --\u003e Decoded string : b'50'\r\nindex : 156 --\u003e Decoded string : b'LeaveCriticalSection'\r\nindex : 157 --\u003e Decoded string : b'info'\r\nindex : 158 --\u003e Decoded string : b'ver.txt'\r\nindex : 159 --\u003e Decoded string : b' /C cscript '\r\nindex : 160 --\u003e Decoded string : b'ECCPUBLICBLOB'\r\nindex : 161 --\u003e Decoded string : b'delete'\r\nindex : 162 --\u003e Decoded string : b'm:'\r\nindex : 163 --\u003e Decoded string : b'First'\r\nindex : 164 --\u003e Decoded string : b'/C powershell -executionpolicy bypass -File '\r\nindex : 165 --\u003e Decoded string : b'Global\\'\r\nindex : 166 --\u003e Decoded string : b'kps'\r\nindex : 167 --\u003e Decoded string : b'%s/%s/63/%s/%s/%s/%s/'\r\nindex : 168 --\u003e Decoded string : b'%s%s'\r\nindex : 169 --\u003e Decoded string : b'.reloc'\r\nindex : 170 --\u003e Decoded string : b'rundll32'\r\nindex : 171 --\u003e Decoded string : b'\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\\n\u003cTask version=\"1.2\" \u003e\\n\u003cRegistrationInfo\u003e\\n\u003cVersion\u003e1.1.1\u003c/Ve\r\nindex : 172 --\u003e Decoded string : b'\u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\\n\u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e'\r\nindex : 173 --\u003e Decoded string : b'SignalObjectAndWait'\r\nindex : 174 --\u003e Decoded string : b'%s.%s.%s.%s'\r\nindex : 175 --\u003e Decoded string : b'Windows 8'\r\nindex : 176 --\u003e Decoded string : b'exc'\r\nindex : 177 --\u003e Decoded string : b'Launch USER failed'\r\nindex : 178 --\u003e Decoded string : b'regsvr32'\r\n
index : 179 --\u003e Decoded string : b'settings.ini'\r\nindex : 180 --\u003e Decoded string : b'/%s/%s/23/%u/'\r\nindex : 181 --\u003e Decoded string : b'ECDSA_P384'\r\nindex : 182 --\u003e Decoded string : b'%u.%u.%u.%u'\r\nindex : 183 --\u003e Decoded string : b'ResetEvent'\r\nindex : 184 --\u003e Decoded string : b'%s sTart'\r\nindex : 185 --\u003e Decoded string : b'%s %s SP%u'\r\nindex : 186 --\u003e Decoded string : b'.tmp'\r\nindex : 187 --\u003e Decoded string : b'\u003c/UserId\u003e'\r\nindex : 188 --\u003e Decoded string : b'%s.%s'\r\nindex : 189 --\u003e Decoded string : b'/'\r\nindex : 190 --\u003e Decoded string : b'Register s failed, 0x%x'\r\nindex : 191 --\u003e Decoded string : b'mutant'\r\nindex : 192 --\u003e Decoded string : b'e:'\r\nindex : 193 --\u003e Decoded string : b'release'\r\nindex : 194 --\u003e Decoded string : b'wtsapi32'\r\nindex : 195 --\u003e Decoded string : b'Windows XP'\r\nindex : 196 --\u003e Decoded string : b'\u003cBootTrigger\u003e\\n\u003cEnabled\u003etrue\u003c/Enabled\u003e\\n'\r\nindex : 197 --\u003e Decoded string : b'E: 0x%x A: 0x%p'\r\nindex : 198 --\u003e Decoded string : b'Find P failed'\r\nindex : 199 --\u003e Decoded string : b'Module has already been loaded'\r\nindex : 200 --\u003e Decoded string : b'Windows 8.1'\r\nindex : 201 --\u003e Decoded string : b'EnterCriticalSection'\r\nindex : 202 --\u003e Decoded string : b'Windows 10'\r\nindex : 203 --\u003e Decoded string : b'Execute from system'\r\nindex : 204 --\u003e Decoded string : b'\u003cRunLevel\u003eHighestAvailable\u003c/RunLevel\u003e\\n\u003cGroupId\u003eNT AUTHORITY\\SYSTEM\u003c/GroupId\u003e\\n\u003cLogonType\r\nindex : 205 --\u003e Decoded string : b'NAT status'\r\nindex : 206 --\u003e Decoded string : b'Start failed'\r\nindex : 207 --\u003e Decoded string : b'WTSEnumerateSessionsA'\r\nindex : 208 --\u003e Decoded string : b'ps1'\r\nindex : 209 --\u003e Decoded string : b'WaitForSingleObject'\r\nindex : 210 --\u003e Decoded string : b'UrlEscapeW'\r\nindex : 211 --\u003e Decoded string : b'pIT NULL'\r\nindex : 212 --\u003e Decoded string : b'WTSFreeMemory'\r\nindex : 213 --\u003e Decoded string : b'USER32.dll'\r\nindex : 214 --\u003e Decoded string : b'WS2_32.dll'\r\nindex : 215 --\u003e Decoded string : b'IPHLPAPI.DLL'\r\nindex : 216 --\u003e Decoded string : b'WINHTTP.dll'\r\nindex : 217 --\u003e Decoded string : b'bcrypt.dll'\r\nindex : 218 --\u003e Decoded string : b'CRYPT32.dll'\r\nindex : 219 --\u003e Decoded string : b'OLEAUT32.dll'\r\nindex : 220 --\u003e Decoded string : b'SHELL32.dll'\r\nindex : 221 --\u003e Decoded string : b'USERENV.dll'\r\nindex : 222 --\u003e Decoded string : b'SHLWAPI.dll'\r\nindex : 223 --\u003e Decoded string : b'ole32.dll'\r\nindex : 224 --\u003e Decoded string : b'ADVAPI32.dll'\r\nindex : 225 --\u003e Decoded string : b'ntdll.dll'\r\nindex : 226 --\u003e Decoded string : b'ncrypt.dll'\r\n12. 
Appendix 2 – C2s list\r\nTrickbot C2 List\r\n36.91.117.231:443\r\n36.89.228.201:443\r\n103.75.32.173:443\r\n45.115.172.105:443\r\n36.95.23.89:443\r\n103.123.86.104:443\r\n202.65.119.162:443\r\n202.9.121.143:443\r\n139.255.65.170:443\r\n110.172.137.20:443\r\n103.146.232.154:443\r\n36.91.88.164:443\r\n103.47.170.131:443\r\n122.117.90.133:443\r\n103.9.188.78:443\r\n210.2.149.202:443\r\n118.91.190.42:443\r\n117.222.61.115:443\r\n117.222.57.92:443\r\n136.228.128.21:443\r\n103.47.170.130:443\r\n36.91.186.235:443\r\n103.194.88.4:443\r\n116.206.153.212:443\r\n58.97.72.83:443\r\n139.255.6.2:443\r\nTran Trung Kien (aka m4n0w4r)\r\nMalware Analysis Expert\r\nR\u0026D Center – VinCSS (a member of Vingroup)\r\nSource: https://blog.vincss.net/re025-trickbot-many-tricks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.vincss.net/re025-trickbot-many-tricks/"
	],
	"report_names": [
		"re025-trickbot-many-tricks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434335,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/047992e9b3c804af0e4e78ad4d99c8078f093d53.pdf",
		"text": "https://archive.orkl.eu/047992e9b3c804af0e4e78ad4d99c8078f093d53.txt",
		"img": "https://archive.orkl.eu/047992e9b3c804af0e4e78ad4d99c8078f093d53.jpg"
	}
}