{
	"id": "4c51b7ea-2456-49af-8187-eeecad9abda2",
	"created_at": "2026-04-06T00:19:15.339859Z",
	"updated_at": "2026-04-10T03:20:27.620286Z",
	"deleted_at": null,
	"sha1_hash": "6cdaf5b14fd3c994a0fbe4f40c03c4542604c349",
	"title": "What's new in TrickBot? Deobfuscating elements | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 386632,
	"plain_text": "What's new in TrickBot? Deobfuscating elements | Malwarebytes\r\nLabs\r\nBy hasherezade\r\nPublished: 2018-11-11 · Archived: 2026-04-05 13:14:23 UTC\r\nTrojan.TrickBot has been present in the threat landscape from quite a while. We wrote about its first version in\r\nOctober 2016. From the beginning, it was a well organized modular malware, written by developers with mature\r\nskills. It is often called a banker, however its modular structure allows to freely add new functionalities without\r\nmodifying the core bot. In fact, the functionality of a banker is represented just by one of many of its modules.\r\nWith time, developers extended TrickBot capabilities by implementing new modules – for example, the one for\r\nstealing Outlook credentials. But the evolution of the core bot, that was used for the deployment of those modules,\r\nwas rather slow. The scripts written to decode modules from the first version worked till recent months, showing\r\nthat the encryption schema used to protect them stayed unchanged.\r\nOctober 2018 marks end of the second year since TrickBot’s appearance. Possibly the authors decided to celebrate\r\nthe anniversary by a makeover of some significant elements of the core.\r\nThis post will be an analysis of the updated obfuscation used by TrickBot’s main module.\r\nBehavioral analysis\r\nThe latest TrickBot starts its actions from disabling Windows Defender’s real-time monitoring. 
It is done by deploying a PowerShell command:\r\nAfter that, we can observe the behaviors typical for TrickBot.\r\nAs before, the main bot deploys multiple instances of svchost, into which it injects the modules.\r\nhttps://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/\r\nPage 1 of 11\n\nPersistence is achieved by adding a scheduled task:\r\nIt installs itself in %APPDATA%, in a folder whose name depends on the bot's version.\r\nEncrypted modules are stored in the Data folder (old name: Modules), along with their configuration:\r\nAs it turns out, the encryption of the modules has recently changed (and we had to update the scripts for decoding).\r\nA new element in the main installation folder is the settings file, which comes under various names that seem to be chosen randomly from a hardcoded pool. Its most commonly occurring name is settings.ini (hardcoded), but there are other variants such as profiles.ini, SecurityPreloadState.txt and pkcs11.txt. The format of the file is new for TrickBot:\r\nWe can see many strings that at first look scrambled or encrypted. As it turns out, they are junk entries added for obfuscation. The real configuration is stored in between them, in a string that looks base64 encoded. Its meaning will be explained in the further part of this post.\r\nInside\r\nIn order to better understand the changes, we need to take a deep dive into the code.\r\nThe main bot comes with 2 resources, RES and DIAL, that are analogous to the resources used before.\r\nRES is an encrypted configuration file in XML format. It is encrypted in the same way as before (using AES, with a key derived by hashing rounds), and we can decode it using an old script: trickbot_config_decoder.py. (Mind
the fact that the first DWORD in the resource is a size, not part of the encrypted data, so it needs to be removed before using the script).\r\nDIAL is an elliptic curve public key (ECC curve P-384) that is used to verify the signature of the aforementioned encrypted configuration after it is decrypted.\r\nObfuscation\r\nIn the first edition, TrickBot was not obfuscated at all; we could even find all the strings in the clear. During the two years of evolution, this has slowly changed. Several months ago, the authors decided to obfuscate all the strings using a custom algorithm (based on base64). All the obfuscated strings are aggregated in a single hardcoded list:\r\nWhen any of them is needed, it is selected by its index and passed to the decoding function:\r\nExample: the string fetched by index 162:\r\nThe deobfuscation process, along with the utility used, was described here. Since the API of the decoding functions has not changed since then, the same method can still be used today. The list of deobfuscated strings extracted from the currently analyzed sample can be found here.\r\nAdditionally, we can find other, more common methods of string obfuscation. For example, some of the strings are divided into chunks, one DWORD each:\r\nThe same method was used by GandCrab, and can be deobfuscated with the following script.\r\nSimilarly, the Unicode strings are divided:\r\nMost of the imports used by TrickBot are loaded dynamically. 
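Before continuing with the dynamically resolved imports, here is an added example for the chunked strings described above. It is written for this page and is not hasherezade's script: it reassembles a string that the compiler split into one DWORD per stack slot, for both ANSI and Unicode (UTF-16LE) strings, and also handles the common case where the stores appear out of order in the disassembly. The immediates and the words they spell (ShellExecute, svchost) are constructed for the demonstration and are not values taken from the analyzed sample.

```python
import struct

# Constructed sample input (not taken from the TrickBot sample): the 32-bit
# immediates an analyst reads off a run of 'mov [ebp+var], imm32' instructions.
# Each DWORD carries four bytes of the string, little-endian, nul-padded.
ANSI_CHUNKS = [0x6C656853, 0x6578456C, 0x65747563, 0x00000000]   # spells 'ShellExecute'
WIDE_CHUNKS = [0x00760073, 0x00680063, 0x0073006F, 0x00000074]   # spells 'svchost' (UTF-16LE)


def chunks_to_bytes(chunks):
    # Pack the immediates back into the byte buffer they were split from.
    return b''.join(struct.pack('<I', c & 0xFFFFFFFF) for c in chunks)


def decode_ansi_chunks(chunks):
    # ANSI string: one byte per character, stop at the first nul byte.
    raw = chunks_to_bytes(chunks)
    return raw.split(bytes(1), 1)[0].decode('latin-1')


def decode_wide_chunks(chunks):
    # Unicode (UTF-16LE) string: two bytes per character, stop at the first nul
    # character. Every chunk is 4 bytes, so the buffer length is always even.
    raw = chunks_to_bytes(chunks)
    return raw.decode('utf-16-le', errors='replace').split(chr(0), 1)[0]


def decode_stack_slots(slots, wide=False):
    # The compiler may emit the stores in any order; the string starts at the
    # lowest stack offset. slots maps stack offset (negative, from ebp) to imm32.
    ordered = [slots[off] for off in sorted(slots)]
    return decode_wide_chunks(ordered) if wide else decode_ansi_chunks(ordered)


if __name__ == '__main__':
    print(decode_ansi_chunks(ANSI_CHUNKS))
    print(decode_wide_chunks(WIDE_CHUNKS))
    # Same ANSI string, with the stores listed out of order as in a disassembly.
    print(decode_stack_slots({-0xC: 0x65747563, -0x14: 0x6C656853, -0x8: 0, -0x10: 0x6578456C}))
```

In practice the offsets and immediates come from a disassembler script (for example an IDAPython loop over consecutive mov instructions that write immediates to stack slots); the functions above only do the reassembly.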
That makes static analysis more difficult, because we cannot directly see the full picture: the pointers are retrieved just before they are used.\r\nWe can solve this problem in various ways, e.g. by adding tags produced by an automated tracer. The CSV/tags file created for one of the analyzed samples is available here (it can be loaded into the IDA database with the help of the IFL plugin).\r\nThe picture below shows a fragment of TrickBot's code after the tags are loaded. As we can see, the addresses of the imported functions are retrieved from an internal structure rather than from the standard Import Table, and then they are called via registers.\r\nApart from the obfuscation methods mentioned, over the course of its evolution TrickBot has been moving in the direction of string randomization. Many strings that were hardcoded in the initial versions are now randomized or generated per victim machine. For example, the mutex name:\r\nUsed encryption\r\nIn the past, modules were encrypted with AES in CBC mode. The key used for encryption was derived by hashing the initial bytes of the buffer. Once the algorithm was known, we could easily decrypt the stored modules along with their configuration.\r\nIn the recent update the authors decided to complicate it a bit. They did not change the main algorithm, but introduced an additional XOR layer. Before the data is passed to AES, it is first XORed with a 64 character long, dynamically generated string that we will refer to as the bot key:\r\nThe mentioned bot key is generated per victim machine. 
First, the GetAdaptersInfo function is used:\r\nThe retrieved structure (194 bytes) is hashed with SHA256 and the hash is then converted into a string:\r\nThe reconstructed algorithm to generate the bot key (and the utility to generate the keys) can be found here.\r\nThis key is then stored in the dropped settings file.\r\nEncoding settings\r\nAs mentioned before, new editions of TrickBot drop a new settings file containing some encoded information. An example of the information stored in the settings:\r\n0441772F66559A1C71F4559DC4405438FC9B8383CE1229139257A7FE6D7B8DE9 1085117245 5 6 13\r\nThe elements:\r\n1. the BotKey (generated per machine)\r\n2. a checksum of a test string (0-256 bytes encoded with the same charset), used for the purpose of charset validation\r\n3. three random numbers\r\nThe whole line is base64 encoded using a custom charset, generated based on the hardcoded one:\r\n“HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o12467MEDyzQjT”.\r\nYet, even at this point we can see the effort of the authors to avoid repeatable patterns. The last 8 characters of the charset are swapped randomly. The pseudocode of the generation algorithm:\r\nRandomization of the n characters:\r\nExample of the transformation:\r\ninp: “HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o12467MEDyzQjT”\r\nout: “HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o12467jDEzTyQM”\r\nThe decoder can be found here: trick_settings_decoder.py\r\nSlowly improving obfuscation\r\nThe authors of TrickBot never cared much about obfuscation. 
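Before summing up, an added example that ties together the pieces described in the two sections above: the per-machine bot key, the XOR layer applied before AES, the per-bot charset with its shuffled tail, and the encoding, decoding and junk-filtering of the settings line. This is code written for this page, not hasherezade's scripts (those are linked above). Assumptions that the post does not confirm: the SHA256 hash is rendered as upper-case hex (which matches the 64-character key shown), the XOR key is repeated cyclically over the data, the tail shuffle is a plain permutation (the post shows the real routine only as an image), and the custom encoding carries no padding characters (the decoder tolerates both forms). The checksum algorithm is not described in the post, so the checksum field is only carried through as an integer. The GetAdaptersInfo buffer and the settings file contents used as input are constructed, not captured from a sample.

```python
import base64
import hashlib
import random

# Hardcoded charset quoted in the post; per bot, its last 8 characters are permuted.
BASE_CHARSET = 'HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o12467MEDyzQjT'
# The 'out' charset from the post's example transformation.
EXAMPLE_OUT_CHARSET = 'HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o12467jDEzTyQM'
STD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
TAIL = 8
# Bot key from the post's settings example.
EXAMPLE_BOT_KEY = '0441772F66559A1C71F4559DC4405438FC9B8383CE1229139257A7FE6D7B8DE9'


def derive_bot_key(adapter_info):
    # SHA256 over the GetAdaptersInfo buffer, rendered as 64 hex characters.
    # Assumption: upper-case hex, which matches the key shown in the post.
    return hashlib.sha256(adapter_info).hexdigest().upper()


def xor_layer(data, bot_key):
    # XOR with the ASCII bot key, assumed to repeat every 64 bytes. Applied
    # before AES when encrypting, so on decryption it runs after AES.
    key = bot_key.encode('ascii')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_charset(rng=random):
    # Per-bot charset: base charset with only the last 8 characters shuffled.
    # A plain shuffle stands in for the routine shown as an image in the post;
    # what matters for decoding is that the tail stays a permutation.
    head, tail = BASE_CHARSET[:-TAIL], list(BASE_CHARSET[-TAIL:])
    rng.shuffle(tail)
    return head + ''.join(tail)


def is_valid_charset(cs):
    # 64 distinct characters, fixed head, tail a permutation of the base tail.
    return (len(cs) == 64 and len(set(cs)) == 64
            and cs[:-TAIL] == BASE_CHARSET[:-TAIL]
            and sorted(cs[-TAIL:]) == sorted(BASE_CHARSET[-TAIL:]))


def custom_b64encode(raw, charset):
    # Standard base64, then map the standard alphabet onto the bot's charset.
    # Padding is dropped (assumption); custom_b64decode accepts either form.
    std = base64.b64encode(raw).decode('ascii').rstrip('=')
    return std.translate(str.maketrans(STD_ALPHABET, charset))


def custom_b64decode(text, charset):
    std = text.translate(str.maketrans(charset, STD_ALPHABET))
    std += '=' * (-len(std) % 4)
    return base64.b64decode(std)


def encode_settings(bot_key, checksum, randoms, charset):
    line = ' '.join([bot_key, str(checksum)] + [str(r) for r in randoms])
    return custom_b64encode(line.encode('ascii'), charset)


def parse_settings(text, charset):
    # Layout from the post: <64-hex bot key> <checksum> <r1> <r2> <r3>.
    fields = custom_b64decode(text, charset).decode('ascii').split()
    if len(fields) != 5 or len(fields[0]) != 64:
        raise ValueError('not a settings line')
    return {'bot_key': fields[0], 'checksum': int(fields[1]),
            'randoms': [int(x) for x in fields[2:]]}


def find_settings_line(lines, charset):
    # The dropped file mixes junk entries with the one real line; return the
    # first line that decodes to the expected layout, or None.
    for line in lines:
        try:
            return parse_settings(line.strip(), charset)
        except ValueError:      # also covers binascii.Error and UnicodeDecodeError
            continue
    return None


# Constructed settings file: two junk entries around the real (re-encoded) line.
SETTINGS_FILE = [
    'HJIA/CB+FGKLNOP3R',
    encode_settings(EXAMPLE_BOT_KEY, 1085117245, [5, 6, 13], EXAMPLE_OUT_CHARSET),
    '3RSlUVWXYZfbcdeagh',
]

if __name__ == '__main__':
    print(derive_bot_key(bytes(194)))           # key for an all-zero adapter buffer
    print(find_settings_line(SETTINGS_FILE, EXAMPLE_OUT_CHARSET))
```

When decoding a real dropped file, the charset has to be recovered from the sample first (only the last 8 characters vary), and the bot key read from the settings line is the value to feed into xor_layer before the AES step when decrypting the stored modules.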
With time they slowly started to introduce elements of it, but, apart from some twists, it is still nothing really complex. We can rather expect that this trend will not change rapidly, and that after updating the scripts for new additions, decoding TrickBot elements will be as easy for analysts as it was before.\r\nIt seems that the authors believe in success based on the scale of distribution, rather than on attempts at being stealthy on the system. They also focus on constantly adding new modules to diversify the functionality (e.g. recently they added a new module for attacking Point-Of-Sale systems).\r\nScripts\r\nUpdated scripts for decoding TrickBot modules for malware analysts:\r\nhttps://github.com/hasherezade/malware_analysis/tree/master/trickbot\r\nIndicators of compromise\r\nSample hash:\r\n9b6ff6f6f45a18bf3d05bba18945a83da2adfbe6e340a68d3f629c4b88b243a8\r\nAbout the author\r\nUnpacks malware with as much joy as a kid unpacking candies.\r\nSource: https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/"
	],
	"report_names": [
		"whats-new-trickbot-deobfuscating-elements"
	],
	"threat_actors": [],
	"ts_created_at": 1775434755,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6cdaf5b14fd3c994a0fbe4f40c03c4542604c349.pdf",
		"text": "https://archive.orkl.eu/6cdaf5b14fd3c994a0fbe4f40c03c4542604c349.txt",
		"img": "https://archive.orkl.eu/6cdaf5b14fd3c994a0fbe4f40c03c4542604c349.jpg"
	}
}