{
	"id": "a39c3464-f3af-4aeb-a64a-16e9318a2af6",
	"created_at": "2026-04-06T02:11:22.100953Z",
	"updated_at": "2026-04-10T03:21:24.926814Z",
	"deleted_at": null,
	"sha1_hash": "8be414e6d22c56d08320433210eff8f30b5e4e07",
	"title": "Deep Malware and Phishing Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 765770,
	"plain_text": "Deep Malware and Phishing Analysis\r\nBy Joe Security LLC\r\nArchived: 2026-04-06 01:37:20 UTC\r\nAs usual, at Joe Security, we keep a close eye on evasive malware. Some days ago we detected an interesting sample, MD5: b32d28ebab62e99cd2d46aca8b2ffb81. It turned out to be a new TrickBot sample using API hammering to bypass analysis. In this blog post, we outline the evasion and explain how it works.\r\nThe full analysis report of the TrickBot variant is available here.\r\nTwo Stage API Hammering\r\nRight after the entry point, the sample tries to load taskmgr.exe as a DLL:\r\nThis is likely a trick to bypass emulators that do not check whether a given DLL actually exists when LoadLibraryEx is called. Next, it performs a massive printf loop - the first stage. Since FreeConsole has been called before the loop, all printf calls do basically nothing:\r\nhttps://www.joesecurity.org/blog/498839998833561473\r\nPage 1 of 7\r\nThis code has been directly copied from the documentation of printf:\r\nSo what is the purpose of those numerous printf loops? Well, sandboxes are designed to log all behavior, including the 1.8M calls. The massive number of calls delays the execution process and overloads the sandbox with junk data. As a result, the final payload is never called.\r\nThis behavior is called API Hammering. API Hammering is not a new technique; we already saw it several years ago, e.g. in the Nymaim Loader. Joe Sandbox detects the API hammering successfully and rates it as malicious:\r\nRight after the printf flood, the sample performs another loop to delay execution by creating and writing to a temporary file - the second stage. In between, it performs random sleeps:\r\nAgain, the purpose is to overload the sandbox and delay the execution. This time, however, all calls are valid.\r\nWERMGR\r\nFinally, once this loop completes, the sample starts the legitimate wermgr.exe - the process responsible for Windows error handling and reporting - and injects TrickBot into it, using Nt* APIs directly:\r\nIt is noteworthy that a 32-bit sample is able to inject successfully into the 64-bit wermgr.exe on 64-bit Windows.\r\nIn wermgr.exe, TrickBot fully unpacks itself:\r\nThis enables Joe Sandbox to successfully detect TrickBot and extract the full configuration:\r\nConclusion\r\nIn contrast to many other evasions, API Hammering is one of the more interesting techniques since it directly exploits the design of a sandbox. No matter what technology your favorite sandbox uses, it has to handle API Hammering correctly.\r\nInterested in a list of other evasive malware analyses? Check out these other blogs:\r\nNew Sandbox Evasions spot in VBS samples\r\nAnalyzing Azorult's Anti-Analysis Tricks with Joe Sandbox Hypervisor\r\nFighting Country Aware Microsoft Office Macro Droppers with VBA Instrumentation\r\nMalicious Documents: The Evolution of country-aware VBA Macros\r\nor this extensive list of evasive samples.\r\nInterested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!\r\nSource: https://www.joesecurity.org/blog/498839998833561473",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.joesecurity.org/blog/498839998833561473"
	],
	"report_names": [
		"498839998833561473"
	],
	"threat_actors": [],
	"ts_created_at": 1775441482,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8be414e6d22c56d08320433210eff8f30b5e4e07.pdf",
		"text": "https://archive.orkl.eu/8be414e6d22c56d08320433210eff8f30b5e4e07.txt",
		"img": "https://archive.orkl.eu/8be414e6d22c56d08320433210eff8f30b5e4e07.jpg"
	}
}