{
	"id": "bec56b66-0ea3-4267-8fa9-bf63eef87e86",
	"created_at": "2026-04-06T00:21:41.949388Z",
	"updated_at": "2026-04-10T03:21:53.151211Z",
	"deleted_at": null,
	"sha1_hash": "6048105cc72aad2a7621f4df6b1a5ed6f6217cfb",
	"title": "Trickbot Shows Off New Trick: Password Grabber Module",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83975,
	"plain_text": "Trickbot Shows Off New Trick: Password Grabber Module\r\nPublished: 2018-11-01 · Archived: 2026-04-05 17:30:51 UTC\r\nTrickbot, which used to be a simple banking trojan, has come a long way. Over time, we’ve seen how\r\ncybercriminals continue to add more features to this malware. Last March, Trickbot added a new module that gave it increased detection evasion and a screen-locking feature. This month,\r\nwe saw that Trickbot (detected by Trend Micro as TSPY_TRICKBOT.THOIBEAI) now has a password grabber\r\nmodule (pwgrab32) that steals credentials from several applications and browsers, such as Microsoft Outlook,\r\nFilezilla, WinSCP, Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge. Based on our\r\ntelemetry, we saw that this Trickbot variant has affected users mainly in the United States, Canada, and the\r\nPhilippines.\r\nAnalyzing Trickbot’s modules\r\nMalware authors continue to cash in on Trickbot’s modular structure — its ability to continually update itself by\r\ndownloading new modules from a C\u0026C server and to change its configuration makes for malware that’s ripe for\r\nupdating. To gain a better understanding of this threat, we analyzed Trickbot’s different modules, starting with the\r\nnew pwgrab32 module that we saw this month.\r\npwgrab32 module\r\nTrickbot’s new module, called pwgrab32 or PasswordGrabber, steals credentials from applications such as\r\nFilezilla, Microsoft Outlook, and WinSCP.\r\nFigure 1. A screen capture of Trickbot’s new module, pwgrab32, in an affected system\r\nFigure 2. A screen capture of the new module’s code that steals FTP passwords from FileZilla\r\nFigure 3. A screen capture of the new module’s code that steals Microsoft Outlook credentials\r\nFigure 4. A screen capture of Trickbot harvesting passwords from the open-source FTP client WinSCP\r\nAside from stealing credentials from applications, it also steals the following information from several popular\r\nweb browsers such as Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge:\r\nUsernames and Passwords\r\nInternet Cookies\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/\r\nPage 1 of 6\n\nBrowsing History\r\nAutofills\r\nHTTP Posts\r\nFigure 5. A screen capture of Trickbot’s code that is structured to steal passwords from popular web browsers\r\nIt should be noted that this Trickbot variant is not capable of stealing passwords from third-party password\r\nmanager applications. We are studying this malware further to see if it is able to steal passwords from password\r\nmanagers that have browser plugins.\r\nshareDll32 module\r\nTrickbot uses the shareDll32 module to help propagate itself throughout the network. It connects to a C\u0026C server\r\nhttp[:]//185[.]251[.]39[.]251/radiance[.]png to download a copy of itself and save it as setuplog.tmp.\r\nFigure 6. Trickbot’s shareDll32 module allows it to connect to a C\u0026C server to download a copy of itself\r\nFigure 7. The downloaded file is saved as setuplog.tmp\r\nThe shareDll32 module then enumerates and identifies systems connected on the same domain using\r\nWNetEnumResource and GetComputerNameW.\r\nFigure 8. Screen capture of code that enumerates and identifies connected systems using WNetEnumResourceW\r\nand GetComputerNameW\r\nThe file setuplog.tmp is then copied into the administrative shares of the discovered machines or systems.\r\nFigure 9. A screenshot of setuplog.tmp copied into the administrative shares\r\nTo make the malware more persistent, it has an auto-start service that allows Trickbot to run whenever the\r\nmachine boots. 
This service can have the following display names:\r\nService Techno\r\nService_Techno2\r\nTechnics-service2\r\nTechnoservices\r\nAdvanced-Technic-Service\r\nServiceTechno5\r\nwormDll module\r\nThe wormDll32 module attempts to identify servers and domain controllers in the network using NetServerEnum\r\nand LDAP queries. Trickbot’s worm-like propagation capability was first observed by security\r\nresearchers from Flashpoint in 2017.\r\nFigure 10. Screen capture of code that identifies workstations and servers in a domain using NetServerEnum\r\nFigure 11. Screen capture of code that identifies domain controllers in a network using LDAP queries\r\nFigure 12. Screen capture of code that identifies machines which are not domain controllers in a network using\r\nLDAP queries\r\nWe also discovered that there is a possible SMB protocol implementation using “pysmb,” utilizing the NT LM\r\n0.12 query for older Windows operating systems and IPC shares. It should be noted that this function seems to still\r\nbe in development.\r\nFigure 13. Screen capture of code showing possible SMB communication\r\nnetworkDll32\r\nTrickbot uses this encrypted module to scan the network and steal relevant network information. It executes the\r\nfollowing commands to gather information on the infected system:\r\nFigure 14. Screen capture of the commands executed by the networkDll32 module to gather network information\r\nWormdll32 module\r\nWormdll32 is an encrypted module that Trickbot uses to propagate itself via SMB and LDAP queries. 
It is used\r\ntogether with the module “wormDll” to propagate across the network.\r\nimportDll32 module\r\nThis module is responsible for stealing browser data such as browsing history, cookies, and plug-ins, among\r\nothers.\r\nsysteminfo32 module\r\nOnce successfully installed in a system, Trickbot will gather system information such as OS, CPU, and memory\r\ninformation, user accounts, and lists of installed programs and services.\r\nmailsearcher32 module\r\nThis module searches the infected system’s files to gather email addresses for information-stealing purposes.\r\nCollecting email addresses for spam campaign-related needs is usual malware behavior; however, Kryptos\r\nResearch recently reported that the Emotet banking trojan doesn't just steal email addresses; it\r\nalso harvests emails sent and received via Microsoft Outlook on an Emotet-infected device. Emotet, according to\r\nprevious research by Brad Duncan, is also responsible for delivering this password-grabbing\r\nTrickbot variant, as well as Azorult, to users.\r\ninjectDll32 module\r\nThis encrypted module monitors websites that banking applications might use. It's also used to inject code into its\r\ntarget processes using the Reflective DLL Injection technique.\r\nThe injectDll32 module monitors banking-related websites for two different credential-stealing methods:\r\nFirst, when a user logs in to any of the monitored banking websites on its list such as Chase, Citi, Bank of\r\nAmerica, Sparda-Bank, Santander, HSBC, Canadian Imperial Bank of Commerce (CIBC), and Metrobank,\r\nTrickbot will then send a POST response to the C\u0026C server to extract the user’s login credentials.\r\nSecond, Trickbot monitors whether a user accesses certain banking-related websites on its list, such as C. Hoare \u0026 Co\r\nbank, St. 
James’s Place Bank, and Royal Bank of Scotland, and will redirect users to fake phishing websites.\r\nThe banking URLs Trickbot monitors include websites from the United States, Canada, UK, Germany, Australia,\r\nAustria, Ireland, London, Switzerland, and Scotland.\r\nTrickbot’s other notable tricks\r\nTrickbot is usually sent via malicious spam campaigns. The malware disables Microsoft’s built-in antivirus\r\nWindows Defender by executing certain commands and modifying registry entries. It also terminates\r\nWindows Defender-related processes such as MSASCuil.exe, MSASCui.exe, and the antispyware utility\r\nMsmpeng.exe. It also has an autostart mechanism (Msntcs) that is triggered at system startup and every ten\r\nminutes after it is first executed.\r\nIt disables the following anti-malware services:\r\nMBamService (Malwarebytes-related Process)\r\nSAVService (Sophos AV-related process)\r\nIts anti-analysis capability checks the system and terminates itself when it finds certain modules, such as\r\npstorec.dll, vmcheck.dll, wpespy.dll, and dbghelp.dll.\r\nDefending against Trickbot’s tricks: Trend Micro solutions\r\nMalware authors continue to update banking trojans like Trickbot and Emotet with new modules that make them more\r\ndifficult to detect and combat. Users and enterprises can benefit from protection that uses a multi-layered approach\r\nto mitigate the risks brought by threats like banking trojans.\r\nTrend Micro Smart Protection Suites provide a cross-generational blend of threat defense techniques to\r\nprotect systems from all types of threats, including banking trojans, ransomware, and cryptocurrency-mining\r\nmalware. They feature high-fidelity machine learning on gateways and endpoints, and protect physical, virtual, and\r\ncloud workloads. 
With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen\r\nsecurity protects against today’s threats that bypass traditional controls; exploit known, unknown, or undisclosed\r\nvulnerabilities; either steal or encrypt personally identifiable data; or conduct malicious cryptocurrency mining.\r\nSmart, optimized, and connected, XGen security powers Trend Micro’s suite.\r\nIndicators of Compromise\r\nTrickbot C\u0026C servers\r\nTSPY_TRICKBOT.THOIBEAI:\r\n806bc3a91b86dbc5c367ecc259136f77482266d9fedca009e4e78f7465058d16\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/"
	],
	"report_names": [
		"trickbot-shows-off-new-trick-password-grabber-module"
	],
	"threat_actors": [],
	"ts_created_at": 1775434901,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6048105cc72aad2a7621f4df6b1a5ed6f6217cfb.pdf",
		"text": "https://archive.orkl.eu/6048105cc72aad2a7621f4df6b1a5ed6f6217cfb.txt",
		"img": "https://archive.orkl.eu/6048105cc72aad2a7621f4df6b1a5ed6f6217cfb.jpg"
	}
}