{
	"id": "54b7daac-4912-4693-b446-d9e6870b341f",
	"created_at": "2026-04-06T00:16:40.896268Z",
	"updated_at": "2026-04-10T03:21:22.178903Z",
	"deleted_at": null,
	"sha1_hash": "2f14329a1e7db8a015109cdd774c965712677db2",
	"title": "Deep Dive Into TrickBot Executor Module \"mexec\": Reversing the Dropper Variant - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1188287,
	"plain_text": "Deep Dive Into TrickBot Executor Module \"mexec\": Reversing the Dropper Variant - SentinelLabs\r\nBy Jason Reaves\r\nPublished: 2020-05-14 · Archived: 2026-04-05 15:42:03 UTC\r\nIn a recent post [1], we disclosed details of a new Trickbot executor module “mexec” and analyzed the downloader variant of this module. In this follow-up post, we provide the first analysis of the dropper version of the mexec module.\r\nSee the report for the full list of IOCs and further details on the TrickBot executor module “mexec”.\r\nRead the Full Report\r\nBackground\r\nTrickBot is the successor of Dyre [2,3], and at first was primarily focused on banking fraud and utilized injection systems in the same manner. Over the years, TrickBot has shifted focus to enterprise environments to incorporate everything from network profiling and mass data collection to lateral traversal exploits. This focus shift is also prevalent in their incorporation of malware and techniques in their tertiary deliveries that are targeting enterprise environments. Such behavior is similar to a company where the focus will shift depending on what generates the best revenue.\r\nResearch Insights\r\nThe dropper version of mexec is very similar to the downloader except that the payload is carried onboard, which makes the module substantially larger than its downloader counterpart. The dropper variant is also very similar to TrickBot’s loader but was written to be able to accommodate more generic deliveries.\r\nThe dropper version of mexec functionally overlaps with how TrickLoader works:\r\nCustom Base64 alphabet string encoding\r\nUsage of MiniLZO\r\nFunction obfuscation using a table of offsets\r\nThis version of mexec could easily be misidentified as TrickLoader, but mexec is not used to deliver TrickBot and is simply set up as a dropper piece that will write and execute an onboard hidden executable. It’s also a DLL and designed to be executed in memory to perform its task or to deliver another piece of malware.\r\nWhile the strings are encoded in the same manner you would expect in a Trickbot sample, there are noticeably fewer of them.\r\nhttps://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/\r\nPage 1 of 9\n\nDecoding them is the same process as you would find in a TrickBot sample.\r\nThe first thing the sample does is spin up multiple threads, but the interesting one is the second one.\r\nIn the main thread that is spun up as the second one, it performs the normal deobfuscation routine that you find in a Trickbot loader sample. If you are unfamiliar with this process of deobfuscation, you can find more details in our report on TrickLoader Deobfuscation.\r\nThe above code is the start of the process of building out the function address table; it jumps over a table of offsets to kick off the process.\r\nAfter rebuilding the address table, the function responsible for decoding functions is called.\r\nIn the exact same way that we go over deobfuscating the TrickLoader binary, we can do the same with this sample. This will then leave us with all of the decoded functions.\r\nOne of the decoded addresses from the table does not appear to be a function; in fact, much like TrickLoader, this is an LZO-compressed PE file.\r\nAfter decompressing and analyzing the PE file, we discover this version of mexec is dropping the DNS variant of Anchor TrickBot [4].\r\nAnother variant recovered was also dropping the normal variant of Anchor TrickBot.\r\nPivoting on the decoding string of “futuresx.exe” from above also leads to a sandbox report [4] on an Anchor DNS sample. In VirusTotal, we can see this same hash was also delivered through the downloader variant:\r\nSee the report for the full list of IOCs and further details on the TrickBot executor module “mexec”.\r\nRead the Full Report\r\nReferences\r\n1: Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations\r\n2: https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/\r\n3: https://www.fidelissecurity.com/threatgeek/archive/trickbot-we-missed-you-dyre/\r\n4: https://www.sentinelone.com/labs/anchor-project-the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/\r\nSource: https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/"
	],
	"report_names": [
		"deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant"
	],
	"threat_actors": [],
	"ts_created_at": 1775434600,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f14329a1e7db8a015109cdd774c965712677db2.pdf",
		"text": "https://archive.orkl.eu/2f14329a1e7db8a015109cdd774c965712677db2.txt",
		"img": "https://archive.orkl.eu/2f14329a1e7db8a015109cdd774c965712677db2.jpg"
	}
}