{
	"id": "c257f004-7ac9-48cc-90df-eb65b27ddf5b",
	"created_at": "2026-04-06T00:09:37.629535Z",
	"updated_at": "2026-04-10T03:20:44.870621Z",
	"deleted_at": null,
	"sha1_hash": "7a2c745c00ce05c8242f8e5351482b925d4db7f3",
	"title": "TrickBot comes up with new tricks: attacking Outlook and browsing data | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 359893,
	"plain_text": "TrickBot comes up with new tricks: attacking Outlook and browsing data | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2017-07-31 · Archived: 2026-04-02 12:00:43 UTC\r\nLast year, we reported on a new modular malware called TrickBot that uses a network protocol similar to Dyreza. The malware was not particularly stealthy, and some parts looked to be still under development, but we noticed its potential and capability to be easily extended.\r\nIndeed, the authors of TrickBot are persistent not only in spreading their malware but also in developing new features.\r\nSome of the novel changes applied to TrickBot were noted in Spanish cybersecurity company S2Grupo’s June 2017 report called the Evolution of Trickbot.\r\nIn addition, the developers were found to have added a worm module to the bot, probably inspired by the success of other worm-equipped ransomware such as WannaCry and EternalPetya.\r\nBut the authors of this malware didn’t stop there. Recently, we captured some additions that allow TrickBot to attack Outlook and capture browsing data. For example, we noticed a new module called Outlook.dll, which was written in Delphi (while most of the other modules are written in C++). This may indicate that the team of TrickBot developers gained some new members who are more comfortable with this particular language.\r\nAnalyzed samples\r\n9aac1e00d62e0b4049781cc5eff99bc7 – main sample (packed)\r\n9b3659936354dceb1063a42f15d0f12a – main sample (unpacked)\r\n60bd4480035e82393636b0fb60d351ba – bot 32 bit\r\nba36cf1afb6b6eed38b0a8d54152335b – bot 64 bit\r\n74933912ad87ec0b3a1b570a0ea0832b – loader for 64 bit\r\nDownloaded modules (32 bit):\r\nb6f9ba3fd8af478147c59b2f3b3043c7 – OutlookX32.dll\r\nac32c723c94e2c311db78fb798f2dd63 – module.dll (importDll32)\r\nf8e58af3ffefd4037fef246e93a55dc8 – mailsearcher.dll (mailsearcher32)\r\n25570c3d943c0d83d69b12bc8df29b9d – SystemInfo.dll (systeminfo32)\r\n5ac93850e24e7f0be3831f1a7c463e9c – loader.dll (injectDll32), reflectively loads submodules:\r\n69086a1e935446067ecb1d20bfa99266 – core-dll.dll\r\nb34d36c1c76b08e7b8f28d74fbf808d8 – rtbroker_dll.dll\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/\r\nPage 1 of 13\n\nBehavioral analysis\r\nAs before, after being deployed, TrickBot installs itself in a new directory created in %APPDATA%. It runs a new instance from the installation directory.\r\nInside, it creates another directory—Modules—where it drops downloaded modules and their configuration files in encrypted form:\r\nThe way in which the modules and configuration files are encrypted didn’t change. We can still use the same scripts to recover them.\r\nAfter decrypting config.conf, we got some more details about the current campaign: the version of the analyzed configuration is 1000030 and the given group tag is tt0002. Fragment:\r\nAs before, persistence is achieved with the help of a Scheduled Task:\r\nThe task deploys the main bot that, after being run, decrypts and loads other modules. Each module is injected into a new instance of svchost:\r\nInside the malware\r\nAs before, all the TrickBot modules follow a predefined API. They export four functions:\r\nControl\r\nFreeBuffer\r\nRelease\r\nStart\r\nAs mentioned in “behavioral analysis,” we observed five modules in the current run. SystemInfo.dll and loader.dll (injectDll32) have been present in TrickBot since the very beginning. The module mailsearcher.dll was introduced in December 2016 (according to F5 DevCentral’s article). But there are some modules in the set that we haven’t seen described before: module.dll and Outlook.dll.\r\nmodule.dll/importDll32\r\nThis bulky module is written in C++, compiled with Qt5 and OpenSSL, and also incorporates SQLite. Inside the binary, we can find strings indicating the particular versions of the libraries:\r\nQt 5.6.2 (i386-little_endian-ilp32 static release build; by GCC 6.2.0)\r\nOpenSSL 1.0.2k 26 Jan 2017\r\n2017-02-13 16:02:40 ada05cfa86ad7f5645450ac7a2a21c9aa6e57d2 (SQLite)\r\nWe can also find references in the code. In the given example, the QAbstractSocket class from the Qt library is used:\r\nThe DLL’s compilation timestamp indicates that it is fairly fresh, built in May 2017:\r\n2017:05:27 14:27:06+01:00\r\nFunctionality-wise, this module is focused on stealing data from browsers, such as:\r\nCookies\r\nHTML5 local storage\r\nBrowsing history\r\nFlash LSO (Local Shared Objects)\r\nURL hits\r\n…and more.\r\nThe authors didn’t put any effort into hiding their intentions. Debug strings reporting every action taken are printed. Examples:\r\nGrabbing URL hits:\r\nIn contrast to loader.dll/injectDll (referenced here), which is modular and stores all the scripts and targets in dedicated configuration files, module.dll/importDll32 comes with all its data hardcoded. For example, inside the binary we found a long list of targets—websites from countries all around the world, including France, Italy, Japan, Poland, Norway, Peru, and more:\r\nBrowser fingerprinting\r\nDuring its run, the module creates a hidden desktop:\r\nThis desktop is used as a workspace where the malicious module can open and fingerprint browsers in a way that is not noticed by the user.\r\nInside the malware’s code, we found hardcoded HTML files with JavaScript that is used for gathering information about the browser’s configuration. For example:\r\nYou can see the full content here.\r\nThis script, while being executed, fills the text area with the data gathered about the environment and passes this data to the malware:\r\nAnother script is used for gathering information on the plugins installed in Internet Explorer (compare with this script):\r\nYou can see the full content here.\r\nThe scripts send the collected data in a POST request, in a variable called marker_:\r\nThe data is received by the handler inside the TrickBot module:\r\nInterestingly, the malicious plugin also contains four base64-encoded pictures in PNG format:\r\nDecoded pictures:\r\nThe SQL part\r\nAmong the data hardcoded within module.dll we can find a string referencing an SQLite release:\r\n2017-02-13 16:02:40 ada05cfa86ad7f5645450ac7a2a21c9aa6e57d2\r\nThe incorporated SQLite is used to retrieve and steal data such as cookies from locally stored databases (similar to Terdot Zbot, described here, which also incorporated SQLite for this purpose):\r\nSample strings and queries to the cookies database:\r\nWe can also see queries used for stealing the stored browsing history:\r\nOutlook.dll\r\nThis is the module written in Delphi. It contains a hardcoded configuration that follows a pattern typical for TrickBot modules:\r\nIts purpose is to steal data saved by Microsoft Outlook.\r\nThe module opens the relevant registry keys and tries to retrieve saved credentials:\r\nNot going away\r\nTrickBot’s new modules are not written well and are probably still under development. The overall quality of the design is much lower than the quality of the earlier code. For example, module.dll is bulky and does not follow the clean modular structure introduced by TrickBot before. Also, they make use of languages and libraries that are easier, using Qt instead of native sockets for module.dll, and the Delphi language for Outlook.dll.\r\nThe differences in code, languages, and design may indicate that some changes were made to the development team. Either they gained new members who have been delegated to the new tasks, or some of the previous members resigned and have been replaced by lower-quality programmers. It may also be possible that the malware authors are doing some prototyping and experimenting for further development.\r\nWhichever is the case, it’s clear that TrickBot is still actively maintained, and is not going to leave the threat landscape anytime soon.\r\nThis was a guest post written by hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves describing malware in detail and sharing threat information with the community. Check her out on Twitter as well as on her personal blog, hasherezade’s 1001 nights.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/"
	],
	"report_names": [
		"trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775434177,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a2c745c00ce05c8242f8e5351482b925d4db7f3.pdf",
		"text": "https://archive.orkl.eu/7a2c745c00ce05c8242f8e5351482b925d4db7f3.txt",
		"img": "https://archive.orkl.eu/7a2c745c00ce05c8242f8e5351482b925d4db7f3.jpg"
	}
}