{
	"id": "0917b08d-3e2b-4df1-b04b-906747f166b3",
	"created_at": "2026-04-06T00:21:12.101456Z",
	"updated_at": "2026-04-10T03:19:57.321994Z",
	"deleted_at": null,
	"sha1_hash": "769b6a3b02625c24228b40e69a9ceb5847b6a8c0",
	"title": "Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 702966,
	"plain_text": "Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework\r\nArchived: 2026-04-05 20:41:53 UTC\r\nThis post is not a deep analysis of TrickBot. Here, I did a quick analysis of a TrickBot sample from early 2019 using the Ghidra Software Reverse Engineering (SRE) Framework, developed by the NSA, which was released some hours ago. I only wanted to learn a bit about Ghidra, and I used the framework to find some interesting parts of the TrickBot code that were introduced in the newer versions of the malware. Hope you enjoy it!\r\nStarting with Ghidra Framework\r\nWhen you start the framework, you should create a project and a workspace:\r\nThen, we can import files, for example PE files:\r\nhttp://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html\r\nPage 1 of 13\r\nGhidra CodeBrowser\r\nOnce the PE file is imported, CodeBrowser can be launched:\r\nInitially, the PE headers are parsed but the code is not analyzed; the framework asks you whether analyzers should be launched, and which ones. This is the list of analyzers (the ones enabled by default are marked):\r\nOnce the analyzers finish, the CodeBrowser interface looks like this:\r\nThe code is fully decompiled, and as you browse each function, the decompiled code is shown in the right window.\r\nBrowsing Code\r\nBrowsing code is similar to IDA: you can double-click a name to jump there (for example, double-clicking the destination of a call \u003cdestination\u003e takes you to the destination function). You can move easily to the previous location with Alt+Left (equivalent to Esc in IDA) and to the next location with Alt+Right (equivalent to Ctrl+Enter in IDA).\r\nOther navigation options:\r\nYou can search for text, like Alt+T in IDA; however (and I found this an interesting characteristic), you can select where the text is going to be searched:\r\nFind TrickBot Config Xor-layer Decryptor\r\nFor example, we can try to search for XOR instructions, and we get a list of matches:\r\nIn the analyzed sample (a TrickBot from early 2019), if we look for XOR instructions, we can easily find some XOR instructions modifying memory, and one of them belongs to the function that decrypts the XOR layer of the TrickBot config:\r\n(By the way, as we can see in the image, when you select a line in the disassembly window with the mouse, the equivalent line is highlighted in the decompiled window.)\r\nUsing references to find more interesting parts of the code\r\nOnce you have located an interesting point in the code, you can show a tree of calls to that point:\r\nThe tree makes it easy to follow the incoming or outgoing references to the interesting function:\r\nAdditionally, you can highlight (select) backward or forward references to an address in the disassembly and decompiled windows.\r\nTrickBot ECS signature and Config Xor Decryptor\r\nBy using the call trees, we can easily find the functions that decrypt the XOR layer of the elliptic curve signature or the XOR layer of the TrickBot config:\r\nIn addition, you can open a function graph window, similar to IDA graphs. Here is the XOR decryptor loop of TrickBot:\r\nYou can move easily around the graph, and zoom in/out with the mouse wheel:\r\nTrickBot Strings Decryptor\r\nAbout strings: all the strings used by the newer versions of TrickBot are encrypted. While IDA was able to construct a nice table of strings that makes it easy to find the decryptor:\r\nGhidra was not able to identify all the strings and construct a nice table; it is much less intuitive:\r\nMaybe I missed something with Ghidra, but I selected the option Analysis-\u003eOne shot-\u003eAscii Strings, and these are the results. This makes it difficult, for example, to find the strings' decryptors.\r\nConclusion\r\nIn spite of the fact that I really love IDA (and WinDbg), I liked this framework, and I will continue using it.\r\nSource: http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html"
	],
	"report_names": [
		"quick-analysis-of-trickbot-sample-with.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434872,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/769b6a3b02625c24228b40e69a9ceb5847b6a8c0.pdf",
		"text": "https://archive.orkl.eu/769b6a3b02625c24228b40e69a9ceb5847b6a8c0.txt",
		"img": "https://archive.orkl.eu/769b6a3b02625c24228b40e69a9ceb5847b6a8c0.jpg"
	}
}