{
	"id": "be0230b4-ff69-41a4-8f20-47004b16c389",
	"created_at": "2026-04-06T01:32:27.473494Z",
	"updated_at": "2026-04-10T03:20:54.906166Z",
	"deleted_at": null,
	"sha1_hash": "28419b181eed897abcccf15d98f0d11a2df47082",
	"title": "Deep Dive Into TrickBot Executor Module \"mexec\": Hidden \"Anchor\" Bot Nexus Operations - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2159295,
	"plain_text": "Deep Dive Into TrickBot Executor Module \"mexec\": Hidden \"Anchor\" Bot Nexus Operations - SentinelLabs\r\nBy Jason Reaves\r\nPublished: 2020-04-08 · Archived: 2026-04-06 01:22:45 UTC\r\nNew “mexec” module delivers tertiary malware and allows TrickBot to pivot within a network, deploy a variety of payloads and evade common detection methods.\r\nBy Jason Reaves, Joshua Platt \u0026 Vitali Kremez\r\n\r\nExecutive Summary\r\nTrickBot continues to be one of the most potent and actively developed malware frameworks in use on the crimeware landscape.\r\nTrickBot loads many modules for secondary tasks that normally revolve around credential theft, system and network profiling, data harvesting and propagation.\r\nThe new executor module, mexec, is special in that it is primarily deployed to deliver tertiary malware, which allows the TrickBot threat actors to pivot within the compromised network environment while deploying malware payloads built for different purposes and evading detection.\r\nThe mexec module is primarily considered a loading module, as its job is to load another malware payload onto the system.\r\nThe module comes in two flavors: a “downloader” that downloads and executes an arbitrary file, and a “dropper” that embeds another malware payload within the mexec body to be dropped on the system.\r\n\r\nBackground\r\nTrickBot is the successor of Dyre [1,2]. It was at first primarily focused on banking fraud and utilized injection systems in the same manner. Over the years, TrickBot has shifted its focus to enterprise environments, incorporating everything from network profiling and mass data collection to lateral movement exploits. This shift is also evident in the malware and techniques it incorporates in its tertiary deliveries, which target enterprise environments. Such behavior is similar to a company whose focus shifts depending on what generates the best revenue.\r\n\r\nResearch Insights\r\nhttps://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/\r\nPage 1 of 9\r\nThe mexec module, a name possibly derived from an initial internal naming of “memory executor”, acts as a downloader and can be described as a tool that is detonated in memory and is designed to download and execute another executable. Most of the important strings are obfuscated as Unicode strings that are rebuilt in chunks at runtime.\r\nIn the screenshot above we can see the IP and URI that will be used, as well as the previously mentioned obfuscation that rebuilds the strings dynamically on the fly.\r\nAfter downloading, the file is written to disk.\r\nThe filename itself is hardcoded in the sample and remains static across all variants and samples we have recovered so far.\r\nThe folder the file is written to depends on what the module has access to. First, it checks whether it can write to the Windows system folder; if not, it tries the AppData folder and finally the Temp folder.\r\nNotably, the downloader also adjusts security information to change permissions, via a sequence of Windows API calls: GetNamedSecurityInfoW, SetEntriesInAclW and SetNamedSecurityInfoW. This access control list (ACL) manipulation is likely aimed at bypassing execution prevention for files downloaded from a remote location.\r\nTwo other samples of mexec were recovered during our ongoing research:\r\nSHA256: 5b729cd36cf3f0fdcfa0020b1f0f3bb98f9b456005814e61349bfdc50f390a7e\r\nSHA1: f82753b1d526da357e4cbcfa24e80e79422b8bce\r\nURL: 172.82[.]152[.]15/blueberry.exe\r\n\r\nSHA256: cd2e0341119cfbf734917f83d91a14d5855906a83066649bd49689e504181330\r\nSHA1: d0a1bcc0df0ff70b5fb90704adab7fee734fc21d\r\nURL: 172.82[.]152[.]15/aspen.exe\r\nPivoting on this IP in VirusTotal shows a number of URLs that look like TrickBot deliveries, but also an EXE file that has the same naming structure as previously seen.\r\nThe sample downloaded as cloudberry.exe turns out to be the DNS variant of Anchor TrickBot [3], which is referenced by the gtag ‘anchor_dns’.\r\nThe discovery of a mexec module used by TrickBot that is designed to be a loader is notable and is further evidence of the link between TrickBot and Anchor operations. In many respects, the Anchor malware remains a custom, flexible fork of the TrickBot codebase deployed against some of the most notable high-value government and corporate targets.\r\nThe new module also brings to light a feature within TrickBot that is commonly taken for granted: its ability to deliver other malware. This module adds another loading avenue to the existing arsenal present within TrickBot.\r\nIn a follow-up to this report, we will discuss a variant of mexec that delivers malware samples carried onboard instead of downloaded, which sheds more light on the connection between TrickBot and Anchor.\r\n\r\nDelivery Names Discovered for mexec Downloader Variant\r\nmexecDll(32|64)\r\nmexectDll(32|64)\r\naexecDll(32|64)\r\nonixDll(32|64)\r\n\r\nTrickBot File Indicators\r\n\\AppData\\Roaming\\[^\\]+injectDll(32|64).dll\r\n\\AppData\\Roaming\\[^\\]+systeminfo(32|64).dll\r\n\\AppData\\Roaming\\[^\\]+pwgrab(32|64).dll\r\n\\AppData\\Roaming\\[^\\]+anubis(32|64).dll\r\n\\AppData\\Roaming\\[^\\]+shadnew(32|64).dll\r\n\\AppData\\Roaming\\[^\\]+onixDll(32|64).dll\r\nGeneric\r\n\\AppData\\Roaming\\[^\\]+[a-zA-Z]+(32|64).dll$\r\n\\AppData\\Roaming\\[^\\]+[a-zA-Z]+(32|64)_configs*\r\n\r\nObserved mexec Filenames\r\n\\Windows\\system32\\installapp.exe\r\n\\Windows\\syswow64\\installapp.exe\r\n%AppData%\\installapp.exe\r\n\\Temp\\installapp.exe\r\n\r\nIndicators of Compromise\r\nDownload URLs\r\nhxxp:\r\nhxxp:\r\nhxxp:\r\nhxxp:\r\nhxxp:\r\nhxxp:\r\nhxxp:\r\nhxxp:\r\nOSINT mexec samples\r\nSHA1: 3ef000cb90ab638ab0bae542c2d6e8e6ec146c53\r\nSHA1: 0e29a1f93b003c31af46ab1ab7c8d3df150123e0\r\nSHA1: dacd5b49ac628157fcb9cf8d6e537e851ef29a64\r\n\r\nYARA\r\nrule anchor_dns_32\r\n{\r\n    meta:\r\n        author = \"Jason Reaves\"\r\n    strings:\r\n        $a1 = \"/1001/\" ascii wide\r\n        $a2 = \":$GUID\" ascii wide\r\n        $a3 = \":$TASK\" ascii wide\r\n        $ua = \"WinHTTP loader/1.0\" ascii wide\r\n        $hexlify = {0f be ?? ?? b8 f0 00 00 00 0f 45 ?? 8b ?? c1 e1 02 23 d0}\r\n        $sdecode = {8a 04 0a 0f be c0 83 e8 ?? 88 04 0a 42 83}\r\n        $xor_data = {80 b4 05 ?? ?? ff ff ?? 40 3b c6}\r\n    condition:\r\n        3 of them\r\n}\r\n\r\nrule anchor_dns_64\r\n{\r\n    meta:\r\n        author = \"Jason Reaves\"\r\n    strings:\r\n        $xor_data = {80 ?4 0? ?? ?? 48 ?? c? 48}\r\n        $hexlify = {81 c1 f0 00 00 00 23 d1 41 8? ?? c1 e1 02}\r\n        $a1 = \"/1001/\" ascii wide\r\n        $a2 = \":$GUID\" ascii wide\r\n        $a3 = \":$TASK\" ascii wide\r\n        $ua = \"WinHTTP loader/1.0\" ascii wide\r\n    condition:\r\n        3 of them\r\n}\r\n\r\nReferences\r\n1: https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/\r\n2: https://www.fidelissecurity.com/threatgeek/archive/trickbot-we-missed-you-dyre/\r\n3: https://www.sentinelone.com/labs/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/\r\nSource: https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
	],
	"report_names": [
		"deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations"
	],
	"threat_actors": [],
	"ts_created_at": 1775439147,
	"ts_updated_at": 1775791254,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28419b181eed897abcccf15d98f0d11a2df47082.pdf",
		"text": "https://archive.orkl.eu/28419b181eed897abcccf15d98f0d11a2df47082.txt",
		"img": "https://archive.orkl.eu/28419b181eed897abcccf15d98f0d11a2df47082.jpg"
	}
}