{
	"id": "7cc953d5-9158-4485-9922-7652560a3643",
	"created_at": "2026-04-06T00:20:16.32003Z",
	"updated_at": "2026-04-10T03:20:31.589428Z",
	"deleted_at": null,
	"sha1_hash": "62c7ab321d7cf21d7dedd553ba9e35a4e80d927a",
	"title": "TrickBot masrv Module",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 254295,
	"plain_text": "TrickBot masrv Module\r\nPublished: 2021-02-01 · Archived: 2026-04-05 14:05:45 UTC\r\nOverview\r\nActive since 2016, TrickBot is one of the most prevalent modular banking trojans. The botnet’s modules carry out objectives such as credential harvesting, propagating via the network, web injection and others. Because the botnet is actively developed, we often come across updated modules and, in some cases, new tools that are added to its arsenal.\r\nRecently we discovered a relatively new module that goes by the name masrv. The module is a network scanner that incorporates the Masscan open-source tool. Additionally, the module contains an unreferenced Anchor C2 communication function and a list of hardcoded IPs which have previously been associated with Anchor and Bazar [1][2].\r\nWe believe this module is used as one of TrickBot’s network reconnaissance tools to gather more information about the victim’s network.\r\nThe module arrives as either a 32-bit or 64-bit DLL, depending on the Windows OS version of the victim machine the bot is running on. Both DLLs we observed are debug builds and log their execution to standard output. As with other TrickBot modules, the module is executed via its export functions Start and Control [3].\r\nCommands for the Module’s C2\r\nThe module makes requests to the C2 to receive the information it needs to pass as parameters to Masscan.\r\nCommand | HTTP Method | Description\r\n81 | POST | Send results\r\nfreq | GET | Get frequency for running Masscan\r\ndomains | GET | Get a list of IP address ranges followed by port range\r\nover | GET | Signal to the C2 that the scan is complete\r\nrate | GET | Get rate value for transmitting packets\r\nnpcap.exe | GET | Get Nmap’s packet sniffing library installer\r\nThe URI construction for the GET requests follows this format:\r\nhttps://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/\r\nPage 1 of 6\r\nhttp://\u003cc2\u003e:\u003cport\u003e/\u003cgtag\u003e/\u003cbotID\u003e/mass/\u003ccommand_string\u003e\r\ngtag - The Campaign ID that is seen in the config [4] present in the main bot.\r\nbotID - The Bot ID created on the victim machine by the main bot.\r\ncommand_string - One of the string commands from the table above.\r\nAt the time of researching this module, we were unable to pull down the config associated with masrv. So, in order to observe a dynamic run, we implemented a mock server on localhost at port 8080 to feed responses back to the module. Below is an example of one of the GET requests being made for the command freq.\r\nNetwork capture of the module traffic\r\nInformation Gathering\r\nAt first, the module makes GET requests for information from the commands freq, domains and rate. If successful, the module executes Masscan’s main function routine, which is compiled within the DLL. Below we can see the execution result of the log from standard output. The date mentioned in the logs is the date on which the module was compiled.\r\nSendEvent(VERS, MASS scanner build Dec 4 2020 13:19:27 started)\r\nExecute Control(masrv) CtlArg=127.0.0.1:8080\r\n\r\nSend cmd to server: freq\r\nResponse buf: 1\r\nHTTP message success: URI=127.0.0.1:8080/mor2/JOHN-PC_W617601.CC081DEDCA3EE2CECFA265AF5C904BF3/mass/freq DATA=1\r\nSendEvent(DBG, Successfully executed command: freq)\r\n\r\nSend cmd to server: domains\r\nResponse buf: 127.0.0.0/16\r\n80-81,53\r\nHTTP message success: URI=127.0.0.1:8080/mor2/JOHN-PC_W617601.CC081DEDCA3EE2CECFA265AF5C904BF3/mass/domains DATA\r\n80-81,53\r\nSendEvent(DBG, Successfully executed command: domains)\r\n\r\nSend cmd to server: rate\r\nResponse buf: 1000\r\nHTTP message success: URI=127.0.0.1:8080/mor2/JOHN-PC_W617601.CC081DEDCA3EE2CECFA265AF5C904BF3/mass/rate DATA=10\r\nSendEvent(DBG, Successfully executed command: rate)\r\nThe Masscan tool has its own network stack and doesn’t rely on that of the OS. In order to retrieve results, Masscan requires a low-level packet filter, and on Windows it attempts to load NPcap\\Packet.dll. If Packet.dll doesn’t exist, the module makes a request to download the NPcap installer from the C2. NPcap is silently installed on the machine by passing the parameter /S. It is executed by invoking CreateProcessA or ShellExecuteExA (if the first API is unsuccessful).\r\nThe Masscan tool also attempts to initialize the network adapter. If it fails to detect any interface, a module-specific function is called that tries to get a MAC address from the ARP table to pass to Masscan as --router-mac \u003cmac\u003e. For each ARP entry in the MIB_IPNETTABLE [5], the module finds the index of the corresponding IPv4 entry in the MIB_IPADDRTABLE [6]. It uses the APIs GetIpNetTable and GetIpAddrTable respectively to retrieve this information. If successful, it gets the dotted-decimal form of the IPv4 address and logs the result of a ping command run against the target 8.8.8.8 from that IPv4 address. If the ping succeeded, the module gathers the ARP type information and logs the ARP entry of the IPv4 address. Then it queries the MAC address from the MIB_IPNETROW entry. Below is an example of the ping command.\r\nping 8.8.8.8 -S 127.0.0.1\r\nThe module sends results from the Masscan run if it discovered open ports on any of the IP ranges that were provided. Results are aggregated by calling a module-specific function from the Masscan function output_report_status, which adds discovered ports to a global string. These results are posted back (via the 81 message) regularly, with the frequency in seconds determined by the freq value queried at the beginning.\r\nPOST Request\r\nAnchor/Bazar reference\r\nBoth the 32-bit and 64-bit DLLs have an unreferenced function that shares similarities with Anchor’s C2 communication subroutine. It is not uncommon to see this actor sharing code across its toolset. Additionally, this function references a list of hardcoded IPs in the binary which have previously been associated with both Anchor and Bazar.\r\n51[.]254[.]25[.]115\r\n193[.]183[.]98[.]66\r\n91[.]217[.]137[.]37\r\n87[.]98[.]175[.]85\r\n185[.]121[.]177[.]177\r\n169[.]239[.]202[.]202\r\n198[.]251[.]90[.]143\r\n5[.]132[.]191[.]104\r\n111[.]67[.]20[.]8\r\n163[.]53[.]248[.]170\r\n142[.]4[.]204[.]111\r\n142[.]4[.]205[.]47\r\n158[.]69[.]239[.]167\r\n104[.]37[.]195[.]178\r\n192[.]99[.]85[.]244\r\n158[.]69[.]160[.]164\r\n46[.]28[.]207[.]199\r\n31[.]171[.]251[.]118\r\n81[.]2[.]241[.]148\r\n51[.]254[.]25[.]115\r\n82[.]141[.]39[.]32\r\n50[.]3[.]82[.]215\r\n46[.]101[.]70[.]183\r\n5[.]45[.]97[.]127\r\n130[.]255[.]78[.]223\r\n144[.]76[.]133[.]38\r\n139[.]59[.]208[.]246\r\n172[.]104[.]136[.]243\r\n45[.]71[.]112[.]70\r\n163[.]172[.]185[.]51\r\n87[.]98[.]175[.]85\r\n5[.]135[.]183[.]146\r\nConclusion\r\nThis new module is an indication of the actor’s continued investment in improving their network reconnaissance toolkit, even after recent disruption efforts [7]. We provide some IOCs and a YARA rule related to this module below.\r\nIOCs\r\nPDB paths:\r\nD:\\Project\\masrv\\build-masrv\\debug\\Desktop_msvc_15_0_32bit\\masrv.pdb\r\nD:\\Project\\masrv\\build-masrv\\debug\\Desktop_msvc_15_0_64bit\\masrv.pdb\r\nModule Name | SHA256 | Description\r\nmasrvDll32 | 2c29de91a5be3bffafb521e04b88819d23c6f71843c8f2d54516ec2afefd24c6 | 32-bit DLL\r\nmasrvDll64 | e1c5a377450d04372bfe9d943d322fbdd53c274c3772836eb044fd2a4b08a870 | 64-bit DLL\r\nYARA\r\nrule TrickBot__masrvDll\r\n{\r\n    meta:\r\n        id = \"4kWjG0InTDyHiur8cCzPeG\"\r\n        fingerprint = \"3e91c19602340a43e026ffdb23b1d6a0c4e186d67f743e962c75aa51ea0c4d1c\"\r\n        version = \"1.0\"\r\n        first_imported = \"2021-01-29\"\r\n        last_modified = \"2021-01-29\"\r\n        status = \"RELEASED\"\r\n        sharing = \"TLP:WHITE\"\r\n        source = \"KRYPTOS LOGIC\"\r\n        description = \"Detects TrickBot masrvDll module\"\r\n        category = \"MALWARE\"\r\n        malware = \"BOT\"\r\n    strings:\r\n        $a = \"http://127.0.0.1:8080/gid/uid/pcap.exe\"\r\n        $b = \"c:\\\\temp\\\\maserv.txt\"\r\n        $c = \"Send cmd to server: %s\\r\\n\"\r\n        $d = \"HTTP message success: URI=%s DATA=%.*s\\r\\n\"\r\n    condition:\r\n        all of them\r\n}\r\nReferences\r\nSource: https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/"
	],
	"report_names": [
		"trickbot-masrv-module"
	],
	"threat_actors": [],
	"ts_created_at": 1775434816,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62c7ab321d7cf21d7dedd553ba9e35a4e80d927a.pdf",
		"text": "https://archive.orkl.eu/62c7ab321d7cf21d7dedd553ba9e35a4e80d927a.txt",
		"img": "https://archive.orkl.eu/62c7ab321d7cf21d7dedd553ba9e35a4e80d927a.jpg"
	}
}