{
	"id": "ef5be4d9-58e3-4f4b-9c73-342f7d349c70",
	"created_at": "2026-04-06T00:17:18.547502Z",
	"updated_at": "2026-04-10T03:21:44.963091Z",
	"deleted_at": null,
	"sha1_hash": "065a92f4823f1fe280a623973af44d08cc223507",
	"title": "Trickbot module descriptions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 315815,
	"plain_text": "Trickbot module descriptions\r\nBy Oleg Kupreev\r\nPublished: 2021-10-19 · Archived: 2026-04-05 16:00:49 UTC\r\nTrickbot (aka TrickLoader or Trickster), is a successor of the Dyre banking Trojan that was active from 2014 to\r\n2016 and performed man-in-the-browser attacks in order to steal banking credentials. Trickbot was first\r\ndiscovered in October 2016. Just like Dyre, its main functionality was initially the theft of online banking data.\r\nHowever, over time, its tactics and goals have changed. Currently Trickbot is focused on penetration and\r\ndistribution over the local network, providing other malware (such as Ryuk ransomware) with access to the\r\ninfected system, though that’s not the only functionality it supports.\r\nOver the years, Trickbot has acquired dozens of auxiliary modules that steal credentials and sensitive information,\r\nspread it over the local network using stolen credentials and vulnerabilities, provide remote access, proxy network\r\ntraffic, perform brute-force attacks and download other malware. In this document, we decided to provide a brief\r\ndescription of the Trickbot modules. Despite the fact the dates indicated in the PE headers of some modules are\r\nquite old, these modules are still available for download and can be used by threat actors. Such information should\r\nsimplify analysis of any activity related to Trickbot.\r\nTechnical details\r\nHow to obtain Trickbot modules for analysis\r\nModules can be downloaded from one of Trickbot’s C2s using simple GET requests like https://\u003cCC_IP\u003e:\r\n\u003cCC_PORT\u003e/\u003cgtag\u003e/\u003cbot_ID\u003e/5/\u003cmodule_name\u003e/. Keep in mind that module names are case sensitive, and\r\nalthough we describe 32-bit modules in this article in most cases 64-bit versions can be downloaded by replacing\r\n’32’ with ’64’ in the module name. In most cases valid values of \u003cgtag\u003e and \u003cbot_ID\u003e are not needed for\r\nsuccessful download. Here is an example of the URL to download the pwgrab64 module:\r\nhttps[:]//87.97.178[.]92:447/asdasdasd/asdasdasd_asdasdasd.asdasdasd/5/pwgrab64/\r\nDownloaded modules are encrypted, and can be decrypted with the Python script below.\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 1 of 18\n\nPython script with modules decryption routine\r\nThe table below contains the list of modules, and simplifies module description searches. Please keep in mind that\r\nthese modules were received at the end of May and their functionality and names may differ at the time of\r\npublication.\r\nModule Name PE TimeStamp PE Internal Name Description link\r\nadll32 14.11.2019 ADll.dll adll32\r\nadllog32 14.11.2019 ADll.dll adll32\r\nbexecDll32 13.04.2020 mexec.dll aexecDll32\r\nmexecDll32 29.11.2019 mexec.dll aexecDll32\r\nonixDll32 29.11.2019 mexec.dll aexecDll32\r\naexecDll32 17.06.2020 m001c.dll aexecDll32\r\nshadnewDll32 13.06.2019 inj_32.dll anubisDll32\r\nanubisDll32 08.10.2019 tbmf_32.dll anubisDll32\r\nbcClientDllNew32 05.02.2019 socks5dll.dll bcClientDll32\r\nbcClientDllTestTest32 29.08.2019 socks5dll.dll bcClientDll32\r\nTwoBCtestDll32 06.10.2019 client.dll bcClientDll32\r\nbcClientDll32 20.04.2017 bcClientDll.dll bcClientDll32\r\ntvncDll32 17.05.2021 VNCSRV.dll bvncDll32\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 2 of 18\n\nvncDll32 20.04.2021 VNCSRV.dll bvncDll32\r\nbvncDll32 11.02.2020 VNCSRV.dll bvncDll32\r\ncookiesDll32 04.07.2019 Cookies.dll cookiesDll32\r\ndomainDll32 16.01.2018 module32.dll domainDll32\r\nfscanDll32 23.12.2019 TestLib.dll fscanDll32\r\noimportDll32 24.07.2020 grabber.dll importDll32\r\ntimportDll32 22.03.2021 grabber.dll importDll32\r\nimportDll32 24.03.2021 grabber.dll importDll32\r\ntotinjectDll32 14.06.2019 webinject32.dll injectDll32\r\ninjectDll32 17.09.2020 \u003cnone\u003e injectDll32\r\nsokinjectDll32 14.06.2019 webinject32.dll injectDll32\r\ntinjectDll32 25.02.2021 webinject32.dll injectDll32\r\nmailsearcher32 22.04.2019 mailsearcher.dll mailsearcher32\r\nmasrvDll32 04.12.2020 masrv.dll masrvDll32\r\nmlcDll32 18.11.2019 MailClient.dll mlcDll32\r\nnetworkDll32 14.12.2020 dll.dll networkDll32\r\nnetworknewDll32 06.04.2020 dll.dll networkDll32\r\ntnetworkDll32 14.12.2020 dll.dll networkDll32\r\nsocksDll32 07.04.2021 socksbot.dll NewBCtestnDll32\r\nNewBCtestnDll32 07.04.2021 socksbot.dll NewBCtestnDll32\r\noutlookDll32 \u003cnone\u003e OutlookX32.dll outlookDll32\r\nowaDll32 21.10.2019 owa.dll owaDll32\r\npermaDll32 19.10.2020 user_platform_check.dll permaDll32\r\npsfin32 05.11.2018 dll.dll psfin32\r\nrdpscanDll32 10.06.2020 rdpscan.dll rdpscanDll32\r\ntrdpscanDll32 10.07.2020 rdpscan.dll rdpscanDll32\r\nshadDll32 12.03.2019 inj_32.dll shadDll32\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 3 of 18\n\ntshareDll32 21.04.2020 templ.dll shareDll32\r\nshareDll32 01.02.2021 \u003cnone\u003e shareDll32\r\nsharesinDll32 22.01.2020 dlltest1.dll sharesinDll32\r\nsqlscanDll32 14.12.2019 sqlscan.dll sqlscanDll32\r\nsquDll32 23.04.2020 mailFinder_x86.dll squDll32\r\nsqulDll32 19.04.2018 mailFinder_x86.dll squlDll32\r\nsysteminfo32 13.09.2019 SystemInfo.dll systeminfo32\r\nstabDll32 02.07.2020 \u003crandom\u003e tabDll32\r\ntabDll32 03.08.2020 tabdll_x86.dll tabDll32\r\ntesttabDll32 04.06.2019 tabdll_x86.dll tabDll32\r\nttabDll32 30.07.2020 tabdll.dll tabDll32\r\npwgrab32 19.03.2021 \u003crandom\u003e tdpwgrab32\r\npwgrabb32 19.03.2021 \u003crandom\u003e tdpwgrab32\r\ntpwgrab32 26.02.2021 \u003crandom\u003e tdpwgrab32\r\ndpwgrab32 19.03.2020 pwgrab.dll tdpwgrab32\r\ntdpwgrab32 26.02.2021 \u003crandom\u003e tdpwgrab32\r\nvpnDll32 04.06.2020 vpnDll.dll vpnDll32\r\nwebiDll32 11.05.2021 webinject32.dll webiDll32\r\ntwormDll32 15.10.2019 testinfo.dll wormDll32\r\nwormDll32 18.02.2021 \u003crandom\u003e wormDll32\r\nwormwinDll32 22.01.2020 \u003crandom\u003e wormDll32\r\nadll32\r\nThe new Trickbot module ADLL dumps Active Directory database files (ntds.dit and ntds.jfm) and registry hives\r\nusing the ntdsutil and reg tools. For example, it utilizes the “Install from Media (IFM)” ntdsutil command to dump\r\nthe Active Directory database and various registry hives to the %Temp% folder. These files are then compressed\r\nand sent back to the attackers.\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 4 of 18\n\nPart of the adll32 function of collecting information using the ntdsutil tool\r\nPart of the adll32 function collecting information using the reg tool\r\nThe module uses the ntdsutil and reg tools with the following command line arguments:\r\nntdsutil “ac in ntds” “ifm” “cr fu %TEMP%\\\u003crandom\u003e0.dat” q q\r\nreg save HKLM\\SAM %TEMP%\\\u003crandom\u003e1.dat /y\r\nreg save HKLM\\SECURITY %TEMP%\\\u003crandom\u003e2.dat /y\r\nreg save HKLM\\SYSTEM %TEMP%\\\u003crandom\u003e3.dat /y\r\nThese commands will dump the Active Directory database as well as the SAM, SECURITY, and SYSTEM hives.\r\nThreat actors can decrypt these files and dump the usernames, password hashes, computer names, groups, and\r\nother data. This data can then be used for spreading further across the network.\r\naexecDll32\r\nThis module is a simple downloader. It downloads a payload (e.g., another Trickbot module or third-party\r\nmalware) by hardcoded URL and executes it.\r\nPart of the aexecDll32 download routine\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 5 of 18\n\nanubisDll32\r\nThis is a man-in-the-browser module. It contains a full implementation of the IcedID main module. It can\r\nintercept web traffic on the victim machine. This module also contains embedded binary Anubis VNC (also\r\nknown as HDESK Bot), which is a custom RAT based on the VNC (Virtual Network Computing) protocol that’s\r\nused by IcedID for remote control.\r\nbcClientDll32\r\nThis is a reverse proxy module with custom implementation of SOCKS5 protocol. It is used to bypass traffic\r\nthrough the compromised host.\r\nbvncDll32\r\nThis module is an implementation of Hidden VNC, which is a custom remote administration tool based on the\r\nVNC (Virtual Network Computing) protocol. Hidden means that this modification of the VNC creates an\r\nadditional desktop hidden from the user, allowing attackers to work with the compromised system in the same\r\nway as via an RDP connection without attracting the user’s attention. Web sessions and user passwords saved in\r\nthe browser are available in hVNC sessions. An attacker can freely run a web browser on a remote system,\r\naccessing any web service when there is an active user session.\r\ncookiesDll32\r\nThe module steals cookie data from web browsers. It targets the storage databases of Chrome, Firefox, Internet\r\nExplorer and Microsoft Edge.\r\ndomainDll32\r\nThe module is also called DomainGrabber. It collects domain controller information on compromised systems by\r\naccessing the SYSVOL folder. The first modification of this module was querying for groups.xml, services.xml,\r\nscheduledtasks.xml, datasources.xml, printers.xml and drives.xml files. The current modification of this module\r\nonly queries for group policies (groups.xml).\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 6 of 18\n\nRoutines for group policies collecting in DomainGrabber module\r\ntdpwgrab32\r\nThis module is a password stealer module. It can steal credentials stored in registry, databases of different\r\napplications, configuration and “precious files”, i.e., private keys, SSL certificates and crypto wallet data files. It is\r\nalso able to grab autofill information from web browsers. The module is capable of stealing data from the\r\nfollowing applications: Git, TeamViewer, OpenSSH, OpenVPN, KeePass, Outlook, FileZilla, Internet Explorer,\r\nMozilla Firefox, Google Chrome, Microsoft Edge, RDP, WinSCP, VNC, UltraVNC, RealVNC, TigerVNC,\r\nPuTTY, AnyConnect. Note that newer module versions may also target other applications.\r\nfscanDll32\r\nThis is an FTP (File Transfer Protocol) and SFTP (SSH File Transfer Protocol) file scanner based on the open-source software project cURL. The module receives a list of rules for matching files and FTP/SSH resources,\r\nenumerates the files on the targeted resource and reports back to the C2.\r\nPart of SFTP read routine\r\nimportDll32\r\nThis module steals data from web browsers, including browser configuration, cookies, history, title, visit count,\r\nHTML5 local storage. The browsers Internet Explorer, Mozilla Firefox, Google Chrome, and Microsoft Edge are\r\ntargeted. The module also gathers information about installed browser plugins and components.\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 7 of 18\n\nFragment of the browser information grabbing routine\r\ninjectDll32\r\nThis module is used to intercept activity related to banking websites in browsers. It uses web injects to steal\r\nfinancial information. Two types of attack are supported: “static” and “dynamic”. Static attacks redirect user\r\nrequests to a malicious phishing page, while dynamic attacks pass all traffic through the malicious proxy server,\r\nmaking it possible to grab information from input forms and modify banking website responses by injecting\r\nadditional malicious scripts in returned pages.\r\nExamples of “static” and “dynamic” configs\r\nIn order to intercept traffic, an old version of the module (active before 2019) used to inject itself into numerous\r\nbrowser processes and hook networking API functions responsible for an SSL cipher routine and website\r\ncertificate validation: HttpSendRequest, InternetReadFile for Internet Explorer, PR_Read, PR_Write for Mozilla\r\nFirefox, SSL_read, SSL_write for Google Chrome.\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 8 of 18\n\nHowever, in early 2019 an updated module was released. The developers abandoned the interception of multiple\r\nfunctions in different browsers and concentrated on hooking just a few basic Microsoft Windows network\r\nfunctions: the ws2_32::connect() function and WSA extension function mswsock::ConnectEx(). In order to\r\nperform an attack on SSL connections, the module generates a self-signed certificate, and inserts it into the\r\ncertificate store. Different internal browser APIs are used to install self-signed certificate in different browsers.\r\nThe functions crypt32::CertGetCertificateChain() and crypt32::CertVerifyCertificateChainPolicy() are also\r\nhooked to bypass certificate validation.\r\nEMBEDDED MODULE PE timestamp:2020-09-17 InternalName:\u003cpayload32.dll\u003e\r\nThis submodule injects itself into browser processes (Internet Explorer, Mozilla Firefox, Google Chrome,\r\nMicrosoft Edge) and intercepts a networking API in order to redirect browser traffic through a local proxy based\r\non a modified SOCKS protocol. It also intercepts APIs responsible for certificate chain validation, in order to\r\nspoof the results of checking.\r\nmailsearcher32\r\nThis module enumerates all disks and folders, and searches for email patterns in files. It ignores files with selected\r\nextensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav’, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico. In\r\naddition it unpacks files with .xlsx, .docx, and .zip extensions, and performs the same email patterns search in the\r\nextracted file. Every time scanning of a disk ends, the module sends the list of found addresses back to the C2\r\nserver.\r\nmasrvDll32\r\nThis module is a network scanner based on source code of the Masscan software project. The module requests the\r\nrange of IP addresses from the C2, scans all IPs in this range for the opened port, and sends the list of found\r\naddresses and ports back to the C2 server.\r\nmlcDll32\r\nThis module implements the main functionality of the Gophe spambot. The Gophe spambot was used to propagate\r\nDyre malware. As the successor to Dyre, it comes as no surprise that Trickbot has also inherited Gophe’s source\r\ncode. It can grab emails from Outlook and send spam through Outlook using MAPI. It also removes traces of\r\nspamming by deleting emails from the Outlook Sent Items folder. This module is also propagated by Trickbot as a\r\nstandalone executable known as TrickBooster.\r\nnetworkDll32\r\nThis module gets information about the network from the local system. It uses the following ADSI (Active\r\nDirectory Service Interfaces) property methods to gather information:\r\nComputerName;\r\nSiteName;\r\nDomainShortName;\r\nDomainDNSName;\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 9 of 18\n\nForestDNSName;\r\nDomainController.\r\nIt retrieves the DNS names of all the directory trees in the local computer’s forest. It also gets a full process list\r\nand system information snapshot (OS Architecture / ProductType / Version / Build / InstalationDate /\r\nLastBootUpTime / SerialNumber / User / Organization / TotalPhysicalMemory).\r\nThe module executes and gathers the results of selected commands:\r\n“ipconfig /all”\r\n“net config workstation”\r\n“net view /all”\r\n“net view /all /domain”\r\n“nltest /domain_trusts”\r\n“nltest /domain_trusts /all_trusts”\r\nNewBCtestnDll32\r\nThis module is a reverse proxy module with custom implementation of the SOCKS5 protocol. It’s used to bypass\r\ntraffic through the compromised host. The module can determine the external network IP address by STUN\r\nprotocol using Google’s STUN servers. It can also create new processes by receiving a command line from a\r\nproxy-C2. It can’t download binaries for execution, but the ability to create new processes by starting\r\npowershell.exe with a Base64 encoded script in the command line transforms this module into a backdoor. Note\r\nthat this is a common tactic for many actors.\r\noutlookDll32\r\nThis module is written in Delphi, which is uncommon. The module tries to retrieve credentials from the Outlook\r\nprofile stored in the system registry.\r\nowaDll32\r\nThis module receives a list of domains, logins and passwords from the C2, and tries to find an OWA service on\r\nselected domains. To do so, it creates a URL by adding subdomains (‘webmail.’, ‘mail.’, ‘outlook.’) to domains\r\nfrom the list, and setting the URL path to ‘/owa’. After that it makes a POST request to the crafted URL, and\r\nchecks the response for strings, tags or headers that are specific to an OWA service. The module then reports back\r\nto the C2 about the OWA URLs it finds. It can also perform a brute-force attack on the OWA URLs with logins\r\nand passwords received from the C2.\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 10 of 18\n\nPart of the C2 report routine in owaDll32 module\r\npermaDll32\r\nThis module contains the encrypted embedded module RwDrv.sys. It installs RwDrv.sys driver to get low-level\r\naccess to hardware. It identifies the hardware platform, checks the UEFI/BIOS write protection, and reports back\r\nto the C2. It can’t write any implants to UEFI or any shellcode into physical memory. However, the code of the\r\nmodule can easily be updated with this functionality.\r\nEMBEDDED SYS MODULE timestamp:2013-03-25 InternalName:RwDrv.sys\r\nThis is a driver from the RWEverything utility. This utility enables access to computer hardware.\r\npsfin32\r\nUsing Active Directory Service Interfaces (ADSI), this module makes Lightweight Directory Access Protocol\r\n(LDAP) and GlobalCatalog (GC) queries for organizational unit names, site name, group account name, personal\r\naccount name, computer host name, with selected masks ‘*POS*’, ‘*REG*’, ‘*CASH*’, ‘*LANE*’, ‘*STORE*’,\r\n‘*RETAIL*’, ‘*BOH*’, ‘*ALOHA*’, ‘*MICROS*’, ‘*TERM*’.\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 11 of 18\n\nPart of C2 report routine in psfin32 module\r\nGlobalCatalog (GC) queries using ADSI\r\nrdpscanDll32\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 12 of 18\n\nThis module receives a list of domains, IPs, logins and passwords from the C2, performs a check for RDP\r\nconnection on the list of targets, and reports back to the C2 about the online status of targets. It can perform brute-force attacks on targeted systems, using the received logins and passwords. It also has the ability to brute force\r\ncredentials by mutating IPs, domain names and logins, for instance, by replacing, swapping or removing letters,\r\nnumbers, dots, switching from lower to upper case or vice versa, performing string inversion, etc.\r\nshadDll32\r\nThis is the first implementation of the anubisDll32 module. It does not include the Anubis VNC embedded binary.\r\nshareDll32\r\nThis module is used to spread Trickbot over the network. It downloads Trickbot from the URL\r\nhttp[:]//172[.]245.6.107/images/control.png and saves it as tempodile21.rec. It then enumerates network resources\r\nand tries to copy the downloaded Trickbot to selected shares C$ or ADMIN$ as nats21.exe. It then creates and\r\nstarts a remote service on the compromised system in the following paths:\r\n%SystemDrive%\\nats21.exe\r\n%SystemRoot%\\system32\\nats21.exe\r\nThe following service names are used to hide the presence of nats21.exe:\r\nSystemServiceHnet\r\nHnetSystemService\r\nTechnoHnetService\r\nAdvancedHnexTechnic\r\nServiceTechnoSysHnex\r\nHnexDesktop\r\nsharesinDll32\r\nThis module has the same functionality as shareDll32. However, the Trickbot binary dropped by this module has\r\nthe name nicossc.exe, and the URL it uses to get Trickbot is http[:]//185[.]142.99.26/image/sdocuprint.pdf. The\r\nservice names are also different:\r\nCseServiceControl\r\nControlServiceCse\r\nBoxCseService\r\nTechCseService\r\nAdvanceCseService\r\nServiceCseControl\r\nCseServiceTech\r\nTechCseServiceControl\r\nsqlscanDll32\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 13 of 18\n\nThis module tries to implement the SQLi vulnerability scanner. It receives list of target domains, and tries to\r\nextend it with subdomains by querying the Entrust web interface\r\nhttps[:]//ctsearch.entrust[.]com/api/v1/certificates?fields=subjectDN\u0026domain=\u003ctargeted_doma\r\nin\u003e\u0026includeExpired=true\u0026exactMatch=false\u0026limit=100. It then performs multiple HTTP queries with\r\nmalformed data on pages and forms of the targeted domains, measures the time or difference in responses in order\r\nto check if the targeted resource is potentially vulnerable.\r\nsquDll32\r\nThis module gathers addresses of SQL servers. It enumerates registry values at\r\nHKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL to obtain SQL server instances. It\r\nalso makes a broadcast UDP request on ports 1433 and 1434 to obtain SQL server instances from the SQL Server\r\nBrowser service that usually runs on these ports. After gathering SQL server instances, it drops the submodule\r\nmailCollector and passes the collected targets to it.\r\nEMBEDDED EXE MODULE timestamp:2020-04-23 InternalName:\u003cnone\u003eAliasName:mailCollector\r\nThis submodule uses the ADODBI interface to communicate with SQL servers, enumerate databases, and make\r\nsearch queries for the extraction of email addresses. The following query templates are used:\r\nselect COUNT(*) from [%s] where [%s] like ‘%%@%%.%%’\r\nselect [%s] as MAIL from [%s] where [%s] like ‘%%@%%.%%’\r\nsqulDll32\r\nThis is an old version of squDll32. It uses SQLDMO.dll to enumerate the available SQL server instances.\r\ntabDll32\r\nThis module propagates Trickbot via the EternalRomance exploit. It enables WDigest Authentication by\r\nmodifying the UseLogonCredential value in the\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest registry key. This modification is forced\r\nto save credentials in lsass.exe memory (Local Security Authority Subsystem Service). The tabDll32 module then\r\ninjects the embedded module screenLocker in explorer.exe and locks the workstation with the lock screen, forcing\r\nthe user to login again. It waits for next user login and scrapes the credentials from LSASS memory utilizing\r\nMimikatz functionality. Stolen credentials are sent back to the C2. After that tabDll32 downloads the payload from\r\nhardcoded URLs – usually the Trickbot loader (downloader) – starts up to 256 threads and uses the\r\nEternalRomance exploit to rapidly spread the downloaded payload over the network. Another embedded module,\r\nssExecutor_x86, is used to set up persistence for the downloaded payload on exploited systems. This module also\r\ncontains the main code of the shareDll32 module, and uses it to spread over the network.\r\nThe module ssExecutor_x86 copies the payload into the C:\\WINDOWS\\SYSTEM32\\ and\r\nC:\\WINDOWS\\SYSTEM32\\TASKS folders, and executes the payload. It enumerates user profiles in registry,\r\ncopies the payload to C:\\Users\\\u003cUser Profile\u003e\\AppData\\Roaming\\ and establishes persistence by creating\r\nshortcuts in the profile’s Startup folder and creating a ‘Run’ key in the profile’s registry.\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 14 of 18\n\nThe tabDll32 module also exists in the form of a standalone executable with the alias ‘spreader’.\r\nsysteminfo32\r\nThis module gathers basic system information. It uses WQL to get information about the OS name, architecture,\r\nversion, CPU and RAM information. It also collects user account names on the local computer and gathers\r\ninformation about installed software and services by enumerating\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall’ and\r\n‘HKLM\\SYSTEM\\CurrentControlSet\\Services registry keys.\r\nvpnDll32\r\nThis module uses an RAS (Remote Access Service) API to establish a VPN (Virtual Private Network) connection.\r\nThe destination VPN server, and credentials for connection are provided by the C2’s command and configuration\r\nfiles.\r\nSetting the RAS (Remote Access Service) entry.\r\n\u003c\r\nThe vpnDll32 module establishes a VPN connection\r\nwebiDll32\r\nThis module is used to intercept activity related to banking websites in browsers. It uses web injects to steal\r\nfinancial information. In addition to typical static and dynamic injections, this modification also supports web\r\ninjects in the Zeus format, and can modify pages on the client side.\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 15 of 18\n\nTrickbot web inject configuration file in Zeus format\r\nwormDll32\r\nThis module propagates Trickbot with the EternalBlue exploit. It enumerates computers using Network\r\nManagement API and Active Directory Service Interfaces. It uses the EternalBlue exploit to inject shellcode in\r\nLSASS process memory. The injected shellcode downloads Trickbot from a hardcoded URL and executes it.\r\nDescription of other modules\r\nModule Description\r\nadllog32 Debug version of adll32 module\r\nbcClientDllNew32 Same as bcClientDll32\r\nbcClientDllTestTest32 Same as bcClientDll32\r\nbexecDll32 Same as aexecDll32\r\ndpwgrab32 Same as tdpwgrab32\r\npwgrab32 Same as tdpwgrab32\r\npwgrabb32 Same as tdpwgrab32\r\nsokinjectDll32 Same as injectDll32\r\ntinjectDll32 Same as injectDll32\r\ntotinjectDll32 Same as injectDll32\r\nmexecDll32 Same as aexecDll32\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 16 of 18\n\nnetworknewDll32 Same as networkDll32\r\nsocksDll32 Same as NewBCtestnDll32\r\noimportDll32 Same as importDll32\r\nonixDll32 Same as aexecDll32\r\npwgrab32 Same as dpwgrab32\r\npwgrabb32 Same as dpwgrab32\r\nshadnewDll32 Same as anubisDll32\r\nsocksDll32 Same as NewBCtestnDll32\r\nsokinjectDll32 Same as injectDll32\r\nstabDll32 Same as tabDll32\r\ntabtinDll32 Same as tabDll32\r\ntesttabDll32 Same as tabDll32\r\nttabDll32 Previous modification of tabDll32\r\ntimportDll32 Same as importDll32\r\ntinjectDll32 Same as injectDll32\r\ntnetworkDll32 Same as networkDll32\r\ntotinjectDll32 Same as injectDll32\r\ntpwgrab32 Same as dpwgrab32\r\ntrdpscanDll32 Same as rdpscanDll32\r\ntshareDll32 Same as shareDll32\r\nttabDll32 Same as tabDll32\r\ntvncDll32 Same as bvncDll32\r\nTwoBCtestDll32 Same as bcClientDll32\r\ntwormDll32 Same as wormDll32\r\nwormwinDll32 Same as wormDll32\r\nvncDll32 Same as bvncDll32\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 17 of 18\n\nGeography of Trickbot attacks\r\n(download)\r\nWe analyzed Trickbot detections that occurred between January 2021 and early October 2021. Most of the\r\naffected users were located in the USA (13.21%), Australia (10.25%) and China (9.77%), followed by Mexico\r\n(6.61%) and France (6.30%).\r\nIndicators of compromise (Trickbot C2 servers)\r\nSource: https://securelist.com/trickbot-module-descriptions/104603/\r\nhttps://securelist.com/trickbot-module-descriptions/104603/\r\nPage 18 of 18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/trickbot-module-descriptions/104603/"
	],
	"report_names": [
		"104603"
	],
	"threat_actors": [],
	"ts_created_at": 1775434638,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/065a92f4823f1fe280a623973af44d08cc223507.pdf",
		"text": "https://archive.orkl.eu/065a92f4823f1fe280a623973af44d08cc223507.txt",
		"img": "https://archive.orkl.eu/065a92f4823f1fe280a623973af44d08cc223507.jpg"
	}
}