{
	"id": "11c8f757-d5fa-46e0-a2fe-175799d233a8",
	"created_at": "2026-04-06T00:17:39.126238Z",
	"updated_at": "2026-04-10T03:20:44.060926Z",
	"deleted_at": null,
	"sha1_hash": "5cb2b5ad1f71c18dd076a1847a3ebe37f7622f34",
	"title": "Deep Analysis of TrickBot New Module pwgrab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2039991,
	"plain_text": "Deep Analysis of TrickBot New Module pwgrab\r\nBy Xiaopeng Zhang\r\nPublished: 2018-11-08 · Archived: 2026-04-05 17:35:55 UTC\r\nThe TrickBot malware family has been active for several years, mainly focused on stealing victims’ online banking\r\ninformation. In new samples recently collected by FortiGuard Labs, we found a new TrickBot variant with a new\r\nmodule, pwgrab, which attempts to steal credentials, autofill data, history and so on from browsers as well as\r\nseveral software applications. I did a deep analysis of this pwgrab module, and in this blog I will explain how it\r\nworks on a victim’s system.\r\nTrickBot downloaded by opening an Excel file\r\nThe new TrickBot variant is spread by an Excel file (originally named “Sep_report.xls”) using malicious macro\r\nVBS code that is executed when the victim opens the file in Microsoft Excel. We captured this sample on October\r\n19th, 2018. Figure 1 shows “Sep_report.xls” opened in Microsoft Excel, where it requests that the victim\r\nenable the embedded macro by clicking on the “Enable Content” button.\r\nFigure 1. Sep_report.xls opened in Microsoft Excel\r\nThe VBA code is password protected for viewing. To analyze the code, I manually modified the protection flag to\r\nbypass the password protection.\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html\r\nPage 1 of 16\n\nThe VBA code starts with the function “Workbook_Open”, which is called automatically when the Excel file is\r\nopened. It then reads data from a Text control, which is encoded PowerShell code. In Figure 2 you can see part of\r\nthe decoded PowerShell code.\r\nFigure 2. Decoded PowerShell code\r\nFinally, the PowerShell code is executed to download the file from “hxxp://excel-office.com/secure.excel” and save\r\nit to a local temporary folder with the name “pointer.exe”, whereupon it runs it. 
As you may have guessed, the\r\n“pointer.exe” file is actually TrickBot.\r\nTask Scheduler Starts TrickBot to load pwgrab32\r\nWhen “pointer.exe” runs for the very first time, it creates the “%AppData%\\VsCard” folder as its home folder,\r\nthen copies “pointer.exe” into it and renames it as “pointes.exe”. In this version it also changes its module folder:\r\nthe new one is “%AppData%\\VsCard\\Data” instead of the previous “%AppData%\\[random folder\r\nname]\\Modules”. Figure 3 is a screenshot of the new folder.\r\nFigure 3. Screenshot of the new module folder “Data”\r\nAs with its previous version, it installs itself into the system “Task Scheduler” so that it is run automatically by “Task\r\nScheduler”.\r\nAfter “pointes.exe” runs for a little while, it sends the command “5” request to its C\u0026C server with the string\r\n“pwgrab32” for a 32-bit platform (or “pwgrab64” for a 64-bit platform), asking to download the new module\r\n“pwgrab32”, just as it does for downloading other module files such as “systeminfo32” and “injectdll32”.\r\nTo learn more about the packet format of command “5” and the command’s purpose, you can refer to my previous\r\nblog. All files downloaded through command “5” in older versions are AES encrypted. Recent versions have\r\nadded an extra XOR encryption layer on top of the AES-encrypted data, so to get to the original pwgrab32 module we had to go\r\nthrough two layers of decryption. The pwgrab32 module was generated on October 16th, 2018 and was developed\r\nwith Borland Delphi 3.0. Figure 4 shows the pwgrab32 module analyzed in a PE tool.\r\nFigure 4. Decrypted pwgrab32 being analyzed in CFF Explorer\r\nDuring my analysis of “pointes.exe” I can see that it uses some anti-analysis techniques to make it harder to\r\nanalyze. 
For example, it encrypts all string information to protect itself from being analyzed statically, and it\r\ndynamically loads APIs at run time.\r\nFrom the file name “pwgrab32” we can guess that it will grab password information from the victim’s system. Let’s\r\ngo on to see how it does this.\r\nAfter downloading and decrypting “pwgrab32”, “pointes.exe” continues to load “pwgrab32”. Just like when\r\nloading other modules, it calls the API “CreateProcessAsUserW” to create a suspended “svchost.exe” process. It\r\nthen injects a piece of code from the “pointes.exe” memory into this svchost.exe process memory by calling the API\r\n“WriteProcessMemory”. By calling the API “ZwQueryInformationProcess”, “pointes.exe” can get “svchost.exe”’s\r\nProcessBasicInformation, from which it can locate the OEP (Original Entry Point) of “svchost.exe” in its PE\r\nstructure. Furthermore, it can modify the code at the OEP to execute the copied piece of code. It then calls\r\n“ResumeThread” to resume running “svchost.exe”. Figure 5 is a code snippet of finding “svchost.exe”’s OEP.\r\nFigure 5. Find svchost.exe OEP\r\nNext, the APIs “WriteProcessMemory”, “SignalObjectAndWait”, and “WaitForSingleObject” are called a number of\r\ntimes by both “pointes.exe” and “svchost.exe” to stay synchronized while copying the decrypted\r\npwgrab32 and related information, such as the C\u0026C server IP list, from “pointes.exe” into “svchost.exe”.\r\nFinally, “pwgrab32!10006634” (the OEP of pwgrab32) is called by the copied piece of code mentioned above.\r\nFrom this point on, pwgrab32 takes over the work of collecting password-related data.\r\npwgrab32 Collects Credentials from Browsers of Victim’s System\r\nAt first “pwgrab32” decodes the “core-parser.dll” module, loads it into memory, and makes it ready for use. 
It\r\nhas several export functions, as shown in Figure 6.\r\nFigure 6. core-parser.dll export function list\r\nThe function “EnumDpostServer”, which “pwgrab32” calls when it wants to send data to the C\u0026C server, returns the\r\nC\u0026C server IP address.\r\nIt launches three threads to grab credentials from three different browsers. They all share the same thread function\r\nbut with different parameters. From my analysis, parameter 1 is for Internet Explorer, 2 is for Firefox, 3 is for Chrome,\r\nand 4 is for Edge. However, in this version Edge is disabled.\r\nThere is also a very large function, “pwgrab32!sub_100137F8”, which carries out the collection of saved\r\ncredentials from all browsers. There are different code branches for different browsers. I will show you how it\r\nworks.\r\nOne interesting thing I found in the “pwgrab32” code is that it encrypts plain text byte by byte, decrypts it back to\r\nplain text, and uses that decrypted plain text. Is this a joke by the TrickBot author? No, it should be an anti-analysis technique to hide plain text. However, I think the author simply forgot to remove the decryption function\r\nand replace the plain text with the encrypted one before compiling this module. This error appears many times\r\nthroughout the pwgrab32 module. Figure 7 shows a code snippet of that.\r\nFigure 7. 
Plain text “IE password” being encrypted first and decrypted later\r\n1\u003e   Thread Parameter 1 for Internet Explorer:\r\nDepending on the Windows system version, there are two different code branches for IE.\r\nIf the victim’s system version is Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows 7,\r\nWindows 10, or Windows Server 2016, it reads and enumerates values from the system registry sub-key\r\n“HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2”, which contains a list of\r\nSHA1 hashes of saved website hosts together with the saved credentials for each website. Figure 8 is a screenshot of the\r\n“Storage2” sub-key on my Windows 7 system. By calling the APIs “FindFirstUrlCacheEntryW” and\r\n“FindNextUrlCacheEntryW”, this malware can enumerate all cached websites. It then calculates the SHA1\r\nhash of each website host (for example “http://www.fortinet.com/”) and compares it with the hash codes\r\nfrom the sub-key “Storage2”, whereupon it can identify the website’s host. It then parses the third column of data to\r\nget the credential for the website. Finally, it saves the collected credentials in this format:\r\n“Website host|Login ID|Login password”.\r\nFigure 8. Screenshot of sub-key “Storage2”\r\nWhen the victim’s system is another version, it calls some additional APIs to get credentials. Here is pseudo\r\ncode of this process for getting credentials. 
\r\n\r\nif ( VaultEnumerateVaults(0, \u0026a4, \u0026a5) )\r\n    return 0;\r\nv70 = 0; a2 = 0;\r\nif ( a4 ) {\r\n    v71 = 0; a3 = 0;\r\n    while ( !VaultOpenVault(v71 + a5, 0, \u0026vars0) \u0026\u0026 !VaultEnumerateItems(vars0, 512, \u0026a1, \u0026retaddr) ) {\r\n        v72 = 0;\r\n        if ( a1 ) {\r\n            v73 = lpCriticalSection;\r\n            v74 = a7;\r\n            do {\r\n                memset(\u0026a65, 0, 0xE08u);\r\n                if ( v74 )\r\n                    v75 = sub_100133F2(v72, \u0026a65);\r\n                else\r\n                    v75 = sub_1001329C(v72, \u0026a65);\r\n                if ( v75 ) {\r\n                    wnsprintfA(\u0026String, 1024, \"%S|%S|%S\\n\", \u0026a66, \u0026a67, \u0026a68);\r\n                    v76 = sub_1000CBB8(\u0026String);\r\n                    sub_1000D1AA(v73, \u0026String, v76);\r\n                }\r\n                ++v72;\r\n            }\r\n            while ( v72 \u003c a1 );\r\n            v70 = a2; v71 = a3;\r\n        }\r\n        VaultFree(retaddr);\r\n        VaultCloseVault(vars0);\r\n\r\n\r\n2\u003e Thread Parameter 2 for Mozilla Firefox:\r\nThis thread reads the Firefox installation path from the system registry, and then calls the API\r\n“SetCurrentDirectoryA” with the installation path to set the current directory to the Firefox installation path so it\r\ncan easily read the credential files of Firefox and load a DLL that is used to handle Firefox credentials.\r\n“pwgrab32” continues to load Firefox’s nss3.dll and read some Firefox files from its AppData folder, such as\r\n\"%AppData%\\Mozilla\\Firefox\\Profiles\\e375zm7t.default\\logins.json\". It then calls nss3.dll APIs such as\r\n“PK11_GetInternalKeySlot”, “PK11_Authenticate”, and “PK11SDR_Decrypt” to parse the saved credentials in the\r\nfile “logins.json”. 
Below is a piece of data from “logins.json”.\r\n{\"id\":5,\"hostname\":\"https://api.twitter.com\",\"httpRealm\":null,\"formSubmitURL\":\"https://api.twitter.com\",\"userna\r\nFinally, it saves the credentials in a format like IE’s.\r\n3\u003e Thread Parameter 3 for Google Chrome:\r\nBefore the thread function is created, pwgrab32 makes backups of the two files “Login Data” and “Web\r\nData”. Both of them are located in the \"%LocalAppData%\\Google\\Chrome\\User Data\\Default\\” folder. Chrome\r\nstores the login credentials of the victim in the file “Login Data”, and saved autofill and credit card information is\r\nstored in the file “Web Data”. It makes a backup of the two files so it can read data from the backup files instead of\r\nthe original files, to avoid a read conflict when the victim is using Chrome. The two backup files are “Login\r\nData.bak” and “Web Data.bak”. They are both SQLite database files.\r\n“pwgrab32” uses the open-source SQLite database engine to handle the two SQLite files. In Figure 9, you\r\ncan see that the SQLite database engine is linked into “pwgrab32”.\r\nFigure 9. SQLite database engine’s code\r\nNext, “pwgrab32” executes an SQL statement like \"select origin_url, username_value, password_value,\r\nlength(d_value) from logins where blacklisted_by_user = 0\" to obtain the credentials from “Login Data.bak”.\r\n“pwgrab32” continues to execute three SQL statements to grab autofill information, credit card information,\r\nemail address, country, company, street address, full name, phone number, etc. 
from “Web Data.bak”.\r\nThe SQL statements are decrypted from three local variables:\r\n“SELECT name, value FROM autofill WHERE name\u003c\u003e\"cd[Meta]\"\" AND name\u003c\u003e\"cd[OpenGraph]\" AND name\u003c\u003e\"cd[Schema.org]\"\r\n“SELECT expiration_month, expiration_year, card_number_encrypted, use_date, origin FROM credit_cards ORDER BY or\r\n“SELECT profiles.origin, profiles.company_name, profiles.street_address, profiles.city, profiles.state, profiles\r\nThe grabbed credentials and form autofill information collected from the browsers are sent to the C\u0026C server\r\nimmediately, as soon as each thread is done.\r\nNext, I’ll discuss the packet format and how it’s sent to its C\u0026C server in the “Report Credentials” section below.\r\npwgrab32 Collects Credentials from Some Clients\r\nAfter all three of the threads above have finished, “pwgrab32” steals credentials from three client software sources:\r\n“Outlook”, “FileZilla”, and “WinSCP”. In Figure 10 you can see the functions being called to collect credentials\r\nfrom them.\r\nFigure 10. Functions to collect credentials from Outlook, FileZilla and WinSCP\r\n“Outlook”’s profile is stored in the system registry. Depending on the version, its registry paths are\r\n\"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\",\r\n\"HKCU\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\" and\r\n\"HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\".\r\n“pwgrab32” then goes through all the keys and reads and parses the values to grab the credentials.\r\nFigure 11 shows an Outlook credential grabbed by “pwgrab32” from my test system. The format is “Host|Account\r\nname|Password”.\r\nFigure 11. 
Grabbed credentials from Outlook\r\nFileZilla is FTP client software that stores its history as plain text in the file\r\n\"%APPDATA%\\\\filezilla\\\\recentservers.xml\", and stores its login data as plain text in the file\r\n\"%APPDATA%\\\\filezilla\\\\sitemanager.xml\". “pwgrab32” can easily obtain the history records and credentials\r\nby parsing these two XML files.\r\nWinSCP is another FTP client. Its credentials are stored in the system registry under the registry path\r\n“HKCU\\Software\\Martin Prikryl\\WinSCP 2\\Sessions\\”. “pwgrab32” can grab its credentials by enumerating all of\r\nthe sub-keys and reading out their values “HostName”, “PortNumber”, “UserName”, “Password”, and\r\n“FSProtocol”.\r\nReport Credentials\r\nTrickBot has many C\u0026C commands. I have talked about these commands in detail in my previous blog.\r\nIn the module “pwgrab32”, however, I observed that it has new command numbers: 81 and 83.\r\n    Command 81 is for reporting grabbed credentials from browsers, FTP clients, and Outlook.\r\n    Command 83 is for reporting grabbed form autofill information from Google Chrome.\r\nIt uses the HTTP POST method to report the plain text credentials to the C\u0026C server.\r\nThe POST URI format is like this:\r\n    POST /[group tag]/[Client_ID]/[Command number]/\r\nThe body is the grabbed credentials or form autofill information in plain text.\r\n    “group tag” is “auto1”.\r\n    “Client_ID” is generated from the computer name, Windows version and a random string.\r\nFigure 12 shows reporting “chrome password” using command 81.\r\nFigure 12. Report grabbed credential data from Chrome\r\nFigure 13 shows reporting “chrome autofill information” using command 83.\r\nFigure 13. 
Report form autofill data from Chrome\r\nThe C\u0026C servers used to handle the credential data are listed in the file “dpost”, as a list of \u003chandler\u003e entries\r\ninside a \u003cdpost\u003e element. That IP list was decrypted by “pointes.exe” from the file “dpost” and passed to\r\n“pwgrab32” by calling the API WriteProcessMemory. Calling the API EnumDpostServer(fun_index) of core-parser.dll\r\nreturns one of these IPs, selected by the fun_index.\r\nSolutions\r\n\"hxxp://excel-office.com/secure.excel \" is rated as a Malicious Website by the FortiGuard Webfilter service, and\r\nSep_report.xls is detected as VBA/Agent.JHAZ!tr.dldr and pointer.exe as W32/GenKryptik.COMA!tr by the\r\nFortiGuard Antivirus service.\r\nHow to remove this malware:\r\n1) Open Task Scheduler and go to Task Scheduler (Local) -\u003e Task Scheduler Library\r\n2) Select the item named “Msnetcs”, press the Delete 
key, and then click Yes.\r\n3) Restart your system and delete the entire %AppData%\\VsCard folder.\r\nIoC\r\nURL:\r\n\"hxxp://excel-office.com/secure.excel \"\r\nSample SHA256:\r\n[Sep_report.xls]\r\n41288C8A4E58078DC2E905C07505E8C317D6CC60E2539BFA4DF5D557E874CDEC\r\n[secure.excel] or [pointer.exe] or [pointes.exe]\r\nD5CADEF60EDD2C4DE115FFD69328921D9438ACD76FB42F3FEC50BDAAB225620D\r\nReference\r\nhttps://www.fortinet.com/blog/threat-research/deep-analysis-of-the-online-banking-botnet-trickbot.html\r\nhttps://www.fortinet.com/blog/threat-research/new-trickbot-plugin-harvests-email-addresses-from-sql-servers-screenlocker-module-not-for-ransom.html\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/\r\nhttps://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/\r\nSource: https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html"
	],
	"report_names": [
		"deep-analysis-of-trickbot-new-module-pwgrab.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5cb2b5ad1f71c18dd076a1847a3ebe37f7622f34.pdf",
		"text": "https://archive.orkl.eu/5cb2b5ad1f71c18dd076a1847a3ebe37f7622f34.txt",
		"img": "https://archive.orkl.eu/5cb2b5ad1f71c18dd076a1847a3ebe37f7622f34.jpg"
	}
}