{
	"id": "0355b453-2010-4ec0-888f-d784a573d066",
	"created_at": "2026-04-06T00:13:54.47866Z",
	"updated_at": "2026-04-10T13:12:04.836563Z",
	"deleted_at": null,
	"sha1_hash": "3375651c8abb4b3935829775b5f85991f3dea1aa",
	"title": "Revealing the Trick | A Deep Dive into TrickLoader Obfuscation - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1146774,
	"plain_text": "Revealing the Trick | A Deep Dive into TrickLoader Obfuscation -\r\nSentinelLabs\r\nBy Jason Reaves\r\nPublished: 2020-02-26 · Archived: 2026-04-05 15:08:10 UTC\r\nWithin the TrickBot framework, there has historically been a loader component. This loader has had continued\r\ndevelopment over the years since TrickBot’s first release where the ECS key and bot binary were stored in the\r\nresource section of the loader [1]. However, the function obfuscation has received relatively little treatment until\r\nnow.\r\nExecutive Summary\r\nTrickBot developers have continued to be active over the years.\r\nLoader used by TrickBot has had continued development related to obfuscation for anti-analysis.\r\nThe TrickLoader leverages ‘minilzo’ compression, which comes from the LZO library and its usage by\r\nthese developers dates back to Dyre/Upatre timeframe.\r\nThe goal is to detail the loader and aid additional automation efforts to process the TrickLoader.\r\nResearch Insight\r\nTrickLoader obfuscation development timeline:\r\n2017 – Started obfuscating the resource section name\r\n2017 – Custom base64 of strings\r\n2018 – Adds user account control (UAC) bypass [5], Heaven’s Gate [2], function obfuscation and further hiding\r\nthe configuration\r\nMost of these have been reported on in detail with the exception of the function obfuscation, which has been\r\nmentioned but not really detailed. Researchers who write scripts for config retrieval have stopped putting them out\r\nas frequently as in the past, possibly due to the increased focus by TrickBot to obfuscate and hide the data.\r\nLet’s dive into the obfuscation. The function offsets are stored in a table. 
The first thing the loader does is execute\r\na call over that table; the return address pushed by that call is the address of the table, which the next block of code uses.\r\nhttps://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/\r\nPage 1 of 7\n\nFigure 1: Call over offset table\r\nThe next section then processes the word values from the table in sequence, adding each to a running value that\r\nstarts as the address of the table and pushing each result onto the stack.\r\nFigure 2: Overview of rebuilding addresses from table\r\nReconstructing this process in Python lets us rebuild the same table, provided we can recover certain\r\nvalues from the binary.\r\nFigure 3: Python code to demonstrate rebuilding the table manually\r\nAfter the function table is rebuilt, a call is made to one of the functions, which is responsible for decoding the\r\nother functions and data blobs.\r\nFigure 4: Decode function after rebuilding table\r\nFigure 5: Decode function\r\nThe function decodes the next function. The key is located at the last address in the rebuilt table plus 0x18,\r\nand the key is 0x327 bytes long. 
Using this key, we can decode every object referenced by the rebuilt\r\ntable.\r\nFigure 6: Decode all the objects from the table\r\nAfter decoding all the objects, we can check the sizes of each by printing out the size of every element of the\r\ndecoded_data list.\r\nFigure 7: Check decoded object sizes\r\nMost of them look normal; however, a few are larger than what you would normally observe for the\r\nsize of a single function.\r\nFigure 8: Compressed objects\r\nThese larger decoded objects are actually compressed data. It turns out there are at least 3 compressed objects: a\r\n32-bit TrickBot binary, a large blob of 64-bit bytecode which is the 64-bit TrickBot binary, and a smaller 64-bit\r\nEXE file which is a loader for the 64-bit bytecode blob.\r\nThe compression is ‘minilzo’, which comes from the LZO library [3], and its use by these developers dates back to\r\nthe Dyre/Upatre timeframe. After decompressing the 32-bit binary and fixing the missing ‘MZ’, we have the 32-bit\r\nTrickBot binary.\r\nNow that we have the normal TrickBot binary, we can decode the onboard configuration data, which is now hidden\r\nand XOR-encoded inside the bot. 
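To make the table walk and the triage steps concrete, here is an added Python example; it is not code from the post or from any TrickBot tooling. On a constructed blob it reads the CALL that skips the table, rebuilds the addresses by cumulative addition of the 16-bit words, pulls the 0x327-byte key from the last rebuilt address plus 0x18, flags decoded objects that are too large to be a single function as compression candidates, and restores a stripped 'MZ' only after checking that e_lfanew points at a PE signature. The decode routine itself (Figure 5) is not reproduced on the page, so a repeating-key XOR stands in for it here; the object boundaries (gap between consecutive table entries), the image base, the size threshold and every sample byte are assumptions made for the example.

```python
# Added example (not the SentinelLabs code): rebuild a TrickLoader-style
# function table, locate the decode key and triage the decoded objects.
# Everything below operates on the constructed blob from build_sample().
import struct

KEY_OFFSET = 0x18        # key sits 0x18 bytes past the last rebuilt address (article)
KEY_LEN = 0x327          # key length (article)
BASE_VA = 0x401000       # image base of the constructed sample (assumption)
SIZE_THRESHOLD = 0x1000  # objects at or above this are too big for one function (assumption)

# Constructed plaintext objects: two tiny x86 stubs and one oversized blob
# that stands in for an LZO-compressed payload.
SAMPLE_PLAIN = [
    bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x5D, 0xC3]) * 4,  # 0x20 bytes
    bytes([0x33, 0xC0, 0xC3]).ljust(0x30, bytes([0x90])),          # 0x30 bytes
    bytes(0x1200),                                                 # 0x1200 bytes
]

def xor_stream(data, key):
    # Stand-in for the loader's real decode routine (Figure 5 is not on the page).
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def find_call_over_table(code, base_va):
    # The blob starts with CALL rel32 whose target is the end of the table.
    # CALL pushes its return address, which is the start of the table.
    if not code or code[0] != 0xE8:
        raise ValueError('blob does not start with CALL rel32')
    rel = struct.unpack_from('<i', code, 1)[0]
    if rel <= 0 or rel % 2:
        raise ValueError('CALL does not skip forward over a 16-bit word table')
    table_va = base_va + 5
    return table_va, table_va + rel

def rebuild_table(code, base_va):
    # Walk the 16-bit words: start from the table address, add each word in
    # turn and record the running value (the address the loader pushes).
    table_va, end_va = find_call_over_table(code, base_va)
    count = (end_va - table_va) // 2
    words = struct.unpack_from('<%dH' % count, code, table_va - base_va)
    cur, addrs = table_va, []
    for w in words:
        cur = (cur + w) & 0xFFFFFFFF
        addrs.append(cur)
    return addrs

def extract_key(code, base_va, addrs):
    off = addrs[-1] + KEY_OFFSET - base_va
    return code[off:off + KEY_LEN]

def decode_objects(code, base_va, addrs, key):
    # Assumed layout: object i runs from addrs[i] to addrs[i+1]; the last one
    # runs up to the key.
    bounds = addrs + [addrs[-1] + KEY_OFFSET]
    return [xor_stream(code[a - base_va:b - base_va], key)
            for a, b in zip(bounds, bounds[1:])]

def flag_compressed(objects, threshold=SIZE_THRESHOLD):
    # Figure 7/8 triage: anything far larger than a function is a compression candidate.
    return [i for i, o in enumerate(objects) if len(o) >= threshold]

def fix_mz(blob):
    # Restore a zeroed 'MZ' only when e_lfanew really points at a PE signature.
    if len(blob) < 0x40 or blob[:2] == b'MZ':
        return blob
    e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('no PE signature at e_lfanew; not a stripped MZ header')
    return b'MZ' + blob[2:]

def build_sample():
    # Constructed blob: CALL over a 4-word table, the three encoded objects, a
    # 0x18-byte stub that the last table entry points at, then the key.
    key = bytes((i * 7 + 3) & 0xFF for i in range(KEY_LEN))
    objects = SAMPLE_PLAIN + [bytes([0xCC]) * KEY_OFFSET]
    table_len = 2 * len(objects)
    table_va = BASE_VA + 5
    words, prev, cur = [], table_va, table_va + table_len
    for obj in objects:
        words.append(cur - prev)  # each word is the distance from the previous address
        prev, cur = cur, cur + len(obj)
    blob = bytes([0xE8]) + struct.pack('<i', table_len)
    blob += struct.pack('<%dH' % len(words), *words)
    blob += b''.join(xor_stream(o, key) for o in objects)
    return blob + key

def build_stripped_pe_header():
    # Constructed DOS header with 'MZ' zeroed and e_lfanew pointing at a PE signature.
    hdr = bytearray(0x40)
    struct.pack_into('<I', hdr, 0x3C, 0x40)
    return bytes(hdr) + b'PE' + bytes(2)

def run_demo():
    code = build_sample()
    addrs = rebuild_table(code, BASE_VA)
    key = extract_key(code, BASE_VA, addrs)
    objects = decode_objects(code, BASE_VA, addrs, key)
    return addrs, [len(o) for o in objects], flag_compressed(objects)

if __name__ == '__main__':
    addrs, sizes, flagged = run_demo()
    print([hex(a) for a in addrs], [hex(s) for s in sizes], flagged)
    print(fix_mz(build_stripped_pe_header())[:2])
```

On a real sample the object sizes come from the decode routine rather than from the gap between table entries, and the flagged objects have to go through an LZO decompressor (python-lzo wraps the same library) before the MZ check is meaningful; the e_lfanew check matters because blindly writing 'MZ' over the first two bytes of a blob that is still compressed only produces a file that looks like a PE to a scanner.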
Taking an existing decoder from CAPE [4] and adjusting it a bit while\r\nadding in our deobfuscation works well!\r\nIndicators of Compromise (IOCs)\r\nSHA-256: ac27e0944ce794ebbb7e5fb8a851b9b0586b3b674dfa39e196a8cd47e9ee72b2\r\n\u003cmcconf\u003e\r\n\u003cver\u003e1000480\u003c/ver\u003e\r\n\u003cgtag\u003etot598\u003c/gtag\u003e\r\n\u003cservs\u003e\r\n\u003csrv\u003e144.91.79.9:443\u003c/srv\u003e\r\n\u003csrv\u003e172.245.97.148:443\u003c/srv\u003e\r\n\u003csrv\u003e85.204.116.139:443\u003c/srv\u003e\r\n\u003csrv\u003e185.62.188.117:443\u003c/srv\u003e\r\n\u003csrv\u003e185.222.202.76:443\u003c/srv\u003e\r\n\u003csrv\u003e144.91.79.12:443\u003c/srv\u003e\r\n\u003csrv\u003e185.68.93.43:443\u003c/srv\u003e\r\n\u003csrv\u003e195.123.238.191:443\u003c/srv\u003e\r\n\u003csrv\u003e146.185.219.29:443\u003c/srv\u003e\r\n\u003csrv\u003e195.133.196.151:443\u003c/srv\u003e\r\n\u003csrv\u003e91.235.129.60:443\u003c/srv\u003e\r\n\u003csrv\u003e23.227.206.170:443\u003c/srv\u003e\r\n\u003csrv\u003e185.222.202.192:443\u003c/srv\u003e\r\n\u003csrv\u003e190.154.203.218:449\u003c/srv\u003e\r\n\u003csrv\u003e178.183.150.169:449\u003c/srv\u003e\r\n\u003csrv\u003e200.116.199.10:449\u003c/srv\u003e\r\n\u003csrv\u003e187.58.56.26:449\u003c/srv\u003e\r\n\u003csrv\u003e177.103.240.149:449\u003c/srv\u003e\r\n\u003csrv\u003e81.190.160.139:449\u003c/srv\u003e\r\n\u003csrv\u003e200.21.51.38:449\u003c/srv\u003e\r\n\u003csrv\u003e181.49.61.237:449\u003c/srv\u003e\r\n\u003csrv\u003e46.174.235.36:449\u003c/srv\u003e\r\n\u003csrv\u003e36.89.85.103:449\u003c/srv\u003e\r\n\u003csrv\u003e170.233.120.53:449\u003c/srv\u003e\r\n\u003csrv\u003e89.228.243.148:449\u003c/srv\u003e\r\n\u003csrv\u003e31.214.138.207:449\u003c/srv\u003e\r\n\u003csrv\u003e186.42.98.254:449\u003c/srv\u003e\r\n\u003csrv\u003e195.93.223.100:449\u003c/srv\u003e\r\n\u003csrv\u003e181.112.52.26:449\u003c/srv\u003e\r\n\u003csrv\u003e190.13.160.19:449\u003c/srv\u003e\r\n\u003csrv\u003e186.71.150.23:449\u003c/srv\u003e\r\n\u003csrv\u003e190.152.4.98:449\u003c/srv\u003e\r\n\u003csrv\u003e170.82.156.53:449\u003c/srv\u003e\r\n\u003csrv\u003e131.161.253.190:449\u003c/srv\u003e\r\n\u003csrv\u003e200.127.121.99:449\u003c/srv\u003e\r\n\u003csrv\u003e45.235.213.126:449\u003c/srv\u003e\r\n\u003csrv\u003e31.128.13.45:449\u003c/srv\u003e\r\n\u003csrv\u003e181.10.207.234:449\u003c/srv\u003e\r\n\u003csrv\u003e201.187.105.123:449\u003c/srv\u003e\r\n\u003csrv\u003e201.210.120.239:449\u003c/srv\u003e\r\n\u003csrv\u003e190.152.125.22:449\u003c/srv\u003e\r\n\u003csrv\u003e103.69.216.86:449\u003c/srv\u003e\r\n\u003csrv\u003e128.201.174.107:449\u003c/srv\u003e\r\n\u003csrv\u003e101.108.92.111:449\u003c/srv\u003e\r\n\u003csrv\u003e190.111.255.219:449\u003c/srv\u003e\r\n\u003c/servs\u003e\r\n\u003c/mcconf\u003e\r\nReferences\n1: https://www.fidelissecurity.com/threatgeek/archive/trickbot-we-missed-you-dyre/\n2: http://www.hexacorn.com/blog/2015/10/26/heavens-gate-and-a-chameleon-code-x8664/\n3: http://www.oberhumer.com/opensource/lzo/\n4: https://github.com/ctxis/CAPE\n5: https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html\nSource: https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/"
	],
	"report_names": [
		"revealing-the-trick-a-deep-dive-into-trickloader-obfuscation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434434,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3375651c8abb4b3935829775b5f85991f3dea1aa.pdf",
		"text": "https://archive.orkl.eu/3375651c8abb4b3935829775b5f85991f3dea1aa.txt",
		"img": "https://archive.orkl.eu/3375651c8abb4b3935829775b5f85991f3dea1aa.jpg"
	}
}