{
	"id": "e4b918d2-4e75-4f34-80a2-1c5660312183",
	"created_at": "2026-04-06T00:15:49.094192Z",
	"updated_at": "2026-04-10T13:12:38.259416Z",
	"deleted_at": null,
	"sha1_hash": "871c229eff3707bd8b9f423b8a5b157242f36321",
	"title": "TrueBot Analysis Part I - A short glimpse into packed TrueBot samples",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3444725,
	"plain_text": "TrueBot Analysis Part I - A short glimpse into packed TrueBot\r\nsamples\r\nBy Robert Giczewski\r\nPublished: 2023-02-12 · Archived: 2026-04-05 20:26:56 UTC\r\nIn October 2022, Microsoft published a blog post about Raspberry Robin and its role in the current cyber crime\r\necosystem. Microsoft reported, among other things, that they have observed Raspberry Robin delivering the well-known malware families IcedID, Bumblebee and TrueBot besides the already known delivery of\r\nFakeUpdates/SocGholish. At this time I was not really aware of TrueBot or I simply had forgotten about it.\r\nIn December 2022, Cisco Talos published a blog post in which they reported increased activity from TrueBot and\r\nmentioned that TrueBot might be related to TA505. They have observed TrueBot delivering Grace (aka\r\nFlawedGrace and GraceWire) as a follow-up payload, which is known to be exclusive tooling of TA505.\r\nSince I have already analyzed some TA505 campaigns a few years ago and anything related to Raspberry Robin is\r\nof interest to me, TrueBot now had my attention and I finally found some time to take a closer look and here we\r\nare.\r\nI have decided to start a small blog series that will cover the following points:\r\n1. Analyzing different packed samples and identifying decryption/unpacking code\r\n2. How to statically unpack with Python using Malduck?\r\n3. Analyzing TrueBot Capabilities\r\n4. IOC/Config extraction with Python using Malduck\r\n5. C2/Bot Emulation\r\n6. Bonus (maybe): Infrastructure analysis\r\nThe blog series is structured so that we gain the knowledge step by step to be able to take the next step.\r\nIn this first post, we’ll look at some packed samples and gain enough knowledge to write a static unpacker in the\r\nnext step.\r\nIdentifying decryption/unpacking code\r\nWe are primarily looking at the packed samples that Talos also mentioned in their blog post including one sample\r\nthat I have found on VirusTotal. All of these files are 32-bit samples, mostly DLLs except for one sample which is\r\na regular executable.\r\nIf you look at the binary, you will relatively quickly stumble upon a large binary blob that is referenced in only\r\none function in the binary. The two loops in which the blob is referenced should give you a good indication that\r\nsomething might be decrypted here, see the screenshot below.\r\nI have checked all available samples and the decryption algorithm is identical in each case, however, there are a\r\nfew variations in how the decryption function is called. In the most common variant there is an export,\r\nwhich calls a wrapper function, which in turn calls the decryption function. Sometimes there is only one wrapper\r\nfunction, sometimes several, and sometimes the decryption code is directly in the export of the DLL.\r\nRegular executable where the call to the decryption function is located in WinMain:\r\nDecryption code directly in an exported function:\r\nThe decryption algorithm uses a hardcoded key and XORs through the entire binary blob, incrementing\r\nthe iterator by the length of the key. Another part of the decryption “formula” is a bitwise AND\r\noperation with a hardcoded value. By using a debugger, it’s pretty easy to get to the unpacked code. However,\r\nsince we want to have a static unpacker, I reimplemented the function in Python.\r\ndef decrypt(data_blob, key, param):\r\n    # data_blob: encrypted blob, key: hardcoded key, param: hardcoded value for the AND operation\r\n    result = list(data_blob)\r\n    i = 0\r\n    while i \u003c len(key):\r\n        x = i\r\n        key_xor = key[i] ^ param\r\n        # Walk the blob in steps of len(key), starting at offset i\r\n        while x \u003c= len(result) - 1:\r\n            result[x] = result[x] ^ key_xor ^ ((x \u0026 0xff) \u0026 param)\r\n            x += len(key)\r\n        i += 1\r\n    return result\r\nNow, all we need to decrypt is the binary blob, the decryption key and the parameter for the AND operation. In\r\nmy next blog post, I will describe how to get these values with the help of Python and Malduck.\r\nSource: https://malware.love/malware_analysis/reverse_engineering/2023/02/12/analyzing-truebot-packer.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malware.love/malware_analysis/reverse_engineering/2023/02/12/analyzing-truebot-packer.html"
	],
	"report_names": [
		"analyzing-truebot-packer.html"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/871c229eff3707bd8b9f423b8a5b157242f36321.pdf",
		"text": "https://archive.orkl.eu/871c229eff3707bd8b9f423b8a5b157242f36321.txt",
		"img": "https://archive.orkl.eu/871c229eff3707bd8b9f423b8a5b157242f36321.jpg"
	}
}