Deep Malware and Phishing Analysis
By Joe Security LLC
Archived: 2026-04-06 01:37:20 UTC
As usual, at Joe Security, we keep a close eye on evasive malware. Some days ago we detected an interesting
sample, MD5: b32d28ebab62e99cd2d46aca8b2ffb81. It turned out to be a new TrickBot sample using API
hammering to bypass analysis. In this blog post, we will outline the evasion and explain how it works.
The full analysis report of the TrickBot variant is available here.
Two Stage API Hammering
Right after the entry point, the sample tries to load taskmgr.exe as a DLL:
This is likely a trick to bypass emulators that do not check if a given DLL exists if LoadLibraryEx is called. Next,
it performs a massive printf loop - the first stage. Since before the loop FreeConsole has been called all printf calls
do basically nothing:
https://www.joesecurity.org/blog/498839998833561473
Page 1 of 7

This code has been directly copied from the documentation of printf:
https://www.joesecurity.org/blog/498839998833561473
Page 2 of 7

So what is the purpose of those numerous printf loops? Well, sandboxes are designed to log all behavior including
the 1.8M calls. As a result, the massive amount of calls delay the execution process and overload the sandbox with
junk data. As a result, the final payload is never called. 
This behavior is called API Hammering. API Hammering is not a new technique, we have already seen it several
years ago e.g. in the Nymaim Loader. Joe Sandbox detects the API hammering successfully and rates it as
malicious:
Right after the printf flood, the sample performs another loop to delay execution by creating and writing to a
temporary file - the second stage. In between it performs random sleeps:
https://www.joesecurity.org/blog/498839998833561473
Page 3 of 7

Again, the purpose is to overload the sandbox and delay the execution. This time however the all calls are valid. 
WERMGR
Finally, when this loop is passed, the sample starts and injects TrickBot (by using directly Nt* APIs) into legit
wermgr.exe - the process responsible for Windows error handling and reporting:
https://www.joesecurity.org/blog/498839998833561473
Page 4 of 7

It's noticeable that a 32bit sample is able to inject successfully into 64bit wermgr.exe on a Windows 64bit.
In wermgr.exe TrickBot fully unpacks itself:
This enables Joe Sandbox to successfully detect TrickBot and extract full configurations:
https://www.joesecurity.org/blog/498839998833561473
Page 5 of 7

Conclusion
In contrast to many other evasions, API Hammering is one of the more interesting techniques since it directly
exploits the design of a sandbox. No matter what technology your favorite sandbox uses, it has to handle API
Hammering correctly. 
https://www.joesecurity.org/blog/498839998833561473
Page 6 of 7

You are interested to get a list of other evasive malware analyses? Check out these other blogs:
New Sandbox Evasions spot in VBS samples
Analyzing Azorult's Anti-Analysis Tricks with Joe Sandbox Hypervisor
Fighting Country Aware Microsoft Office Macro Droppers with VBA Instrumentation
Malicious Documents: The Evolution of country-aware VBA Macros
or this extensive list of evasive samples.
Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical
demo!
Source: https://www.joesecurity.org/blog/498839998833561473
https://www.joesecurity.org/blog/498839998833561473
Page 7 of 7