{
	"id": "bd6a57d9-2c0b-4a96-ac7f-1c950bf8c449",
	"created_at": "2026-04-06T00:08:32.729628Z",
	"updated_at": "2026-04-10T03:24:39.571652Z",
	"deleted_at": null,
	"sha1_hash": "2dbb5ea33ab428e620362f20ef19ad9f25288b1e",
	"title": "TrickBot Banking Trojan Adapts with New Module | Webroot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70485,
	"plain_text": "TrickBot Banking Trojan Adapts with New Module | Webroot\r\nBy Jason Davison\r\nPublished: 2018-03-21 · Archived: 2026-04-02 10:38:39 UTC\r\nSince its inception in late 2016, the TrickBot banking trojan has continually undergone updates and changes in\r\nattempts to stay one step ahead of defenders and internet security providers. While TrickBot has not always been\r\nthe stealthiest trojan, its authors have remained consistent in the use of new distribution vectors and development\r\nof new features for their product. On March 15, 2018, Webroot observed a module (tabDll32 / tabDll64) being\r\ndownloaded by TrickBot that has not been seen in the wild before this time.\r\nIt appears that the TrickBot authors are still attempting to leverage MS17-010 and other lateral movement\r\nmethods coupled with this module in an attempt to create a new monetization scheme for the group.\r\nYou can teach an old bot older tricks\r\nAnalyzed samples\r\n0058430e00d2ea329b98cbe208bc1dad – main sample (packed)\r\n0069430e00d2ea329b99cbe209bc1dad – bot 32 bit\r\nDownloaded Modules\r\n711287e1bd88deacda048424128bdfaf – systeminfo32.dll\r\n58615f97d28c0848c140d5e78ffb2add – injectDll32.dll\r\n30fc6b88d781e52f543edbe36f1ad03b – wormDll32.dll\r\n5be0737a49d54345643c8bd0d5b0a79f – shareDll32.dll\r\n88384ba81a89f8000a124189ed69af5c – importDll32.dll\r\n3def0db658d9a0ab5b98bb3c5617afa3 – mailsearcher32.dll\r\n311fdc24ce8dd700f951a628b805b5e5 – tabDll32.dll\r\nBehavioral Analysis\r\nUpon execution, this iteration of TrickBot will install itself into the %APPDATA%\\TeamViewer\\ directory. If the\r\nbot has not been executed from its installation directory, it will restart itself from this directory and continue\r\noperation. 
Once running from its installation directory, TrickBot will write to the usual group_tag and client_id\r\nfiles along with creating a “Modules” folder used to store the encrypted plug and play modules and configuration\r\nfiles for the bot.\r\nhttps://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/\r\nPage 1 of 10\r\nImage 1: TrickBot’s plug and play modules used to extend the bot’s functionality\r\nMany of the modules shown above have been previously documented. The systeminfo and injectDll modules have\r\nbeen coupled with the bot since its inception. The mailsearcher module was added in December 2016 and the\r\nworm module was discovered in late July 2017. The module of interest here is tabDll32, as this module has been\r\npreviously undocumented. Internally, the module is named spreader_x86.dll and exports four functions similar to\r\nthe other TrickBot modules.\r\nImage 2a: Peering inside tabDll.dll\r\nImage 2b: Abnormally large .rdata section\r\nThe file has an abnormally large .rdata section, which proves to be quite interesting because it contains two\r\nadditional files intended to be used by spreader_x86.dll. The spreader module contains an additional executable,\r\nSsExecutor_x86.exe, and an additional module, screenLocker_x86.dll. Each module will be described in more\r\ndetail in its respective section below.\r\nSpreader_x86.dll\r\nWhen loading the new TrickBot module in IDA, you are presented with the option of loading the debug symbol\r\nfilename.\r\nImage 3: Debug symbol filename of the downloaded module tabDll.dll\r\nThis gives us a preview of how the TrickBot developers structure new modules that are currently under\r\ndevelopment. 
When digging deeper into the module, it becomes evident that this module is used to spread laterally\r\nthrough an infected network making use of MS17-010.\r\nImage 4: String references to the EternalRomance exploit used for lateral movement\r\nThis module appears to make use of lateral movement in an attempt to set up the embedded executable as a\r\nservice on the exploited system. Additionally, the TrickBot authors appear to be still developing this module, as\r\nparts of the module’s reflective DLL injection mechanism are stolen from GitHub.\r\nImage 5: Copied code from ImprovedReflectiveDLLInjection\r\nImage 6: Printf statements from the copied project on GitHub\r\nSsExecutor_x86.exe\r\nThe second phase of the new module comes in the form of an executable meant to run after post exploitation.\r\nAgain, it was very nice of the TrickBot authors to give us a look at the debug symbols file path.\r\nImage 7: Debug symbol filename of the embedded PE file.\r\nWhen run, this executable will iterate over the user profiles in the registry and go to each profile to add a link to the\r\ncopied binary to the startup path. This occurs after lateral movement takes place.\r\nImage 8: Iterate over user profiles and create\r\nImage 9: Execution of the copied binary\r\nScreenLocker_x86.dll\r\nSimilarly to the other TrickBot modules, this module was written in Delphi. This is the first time TrickBot has\r\nshown any attempt at “locking” the victim’s machine.\r\nImage 10: Peering inside screenLocker_x86.dll\r\nThis module exports two functions, “MyFunction” and a reflective DLL loading function. 
“MyFunction” appears\r\nto be the work in progress:\r\nImage 11: Peering inside “MyFunction”\r\nImage 12: Creation of the Locker Window\r\nIf the TrickBot developers are attempting to complete this locking functionality, this generates interesting\r\nspeculation around the group’s business model. Locking a victim’s computer before you are able to steal their\r\nbanking credentials alerts the victim that they are infected, thus limiting the potential for credit card or bank theft.\r\nHowever, extorting victims to unlock their computer is a much simpler monetization scheme.\r\nIt is notable that this locking functionality is only deployed after lateral movement, meaning that it would be used\r\nto primarily target unpatched corporate networks. In a corporate setting (with unpatched machines) it is highly\r\nlikely that backups would not exist as well. The authors appear to be getting to know their target audience and\r\nhow to best extract money from them. On a corporate network, where users are unlikely to be regularly visiting\r\ntargeted banking URLs, exfiltrating banking credentials is a less successful money-making model compared to the\r\nlocking of potentially hundreds of machines.\r\nThe TrickBot authors continue to target various financial institutions across the world, using MS17-010 exploits in\r\nan attempt to successfully move laterally throughout a victim’s network. This is being coupled with an unfinished\r\n“screenLocker” module in a new possible attempt to extort money from victims. 
The TrickBot banking trojan\r\nremains under continual development and testing in a constant effort by its developers to stay one step ahead of\r\ncybersecurity professionals.\r\nAbout the Author\r\nJason Davison\r\nAdvanced Threat Research Analyst\r\nJason is a Malware Threat Researcher, investigating the latest techniques used in modern malware. Working for\r\nWebroot, he researches and reverses the latest malware families, identifying new functionality and TTPs.\r\nSource: https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/"
	],
	"report_names": [
		"trickbot-banking-trojan-adapts-new-module"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434112,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2dbb5ea33ab428e620362f20ef19ad9f25288b1e.pdf",
		"text": "https://archive.orkl.eu/2dbb5ea33ab428e620362f20ef19ad9f25288b1e.txt",
		"img": "https://archive.orkl.eu/2dbb5ea33ab428e620362f20ef19ad9f25288b1e.jpg"
	}
}