{
	"id": "8cec39f8-8e9b-43fc-9202-33302aa97a0e",
	"created_at": "2026-04-06T01:32:23.334429Z",
	"updated_at": "2026-04-12T02:21:28.242887Z",
	"deleted_at": null,
	"sha1_hash": "9a34a9017e8f672da291a48aed09187609b70bec",
	"title": "TrickBooster – TrickBot’s Email-Based Infection Module",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83831,
	"plain_text": "TrickBooster – TrickBot’s Email-Based Infection Module\r\nBy Deep Instinct\r\nPublished: 2019-07-12 · Archived: 2026-04-06 00:31:33 UTC\r\n250 million Email addresses harvested and counting…\r\nAuthor: Shaul Vilkomir-Preisman\r\nSupporting research: Tom Nipravski\r\nUpdate: Further developments on how TrickBooster operates are accessible here.\r\nEver since its discovery in 2016, TrickBot has remained a continuously active and very adaptive actor in the\r\ncybercrime threat landscape. What was once a malware family focused on financial data theft is now a robust,\r\nelaborate and sophisticated threat, multi-purposed for various types of malicious activity. Recent findings from a\r\ncurrently active and ongoing TrickBot campaign, which features extensive use of signed malware binaries,\r\nindicate that it now has a new variant. Alongside its recent addition of a cookie stealing module, it has gained a\r\nnew partner in crime – a malicious email-based infection and distribution module that shares its code signing\r\ncertificates (details in IOC section below).\r\nThe module is employed to harvest Email credentials and contacts from a victim’s address book, inbox and outbox; it\r\ncan send out malicious spam Emails from the victim’s compromised account, and finally delete the sent messages\r\nfrom both the outbox and the trash folder, so as to remain hidden from the user. We believe this module is used by\r\nTrickBot for several purposes: propagation and infection, spreading spam for monetization purposes, and\r\nharvesting email accounts which can then be traded and used by other campaigns.\r\nDuring our investigation of this new module and the network infrastructure associated with it, we were able to\r\naccess infection servers from which the malware is downloaded onto victim machines, as well as command and\r\ncontrol servers. 
We managed to recover a database containing 250 million e-mail accounts harvested by\r\nTrickBot operators, which most likely were also employed as lists of targets for malicious delivery and infection.\r\nThe database includes millions of addresses from government departments and agencies in the US and the UK.\r\nIn this blog post we will present our main findings so far, based on research conducted in the last 10 days. Our\r\nresearch and analysis into this module, its activity and capabilities continue, and we will update with more details\r\nas they become available.\r\nAttack Flow\r\nhttps://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/\r\nPage 1 of 7\n\nInfographic showing TrickBooster infection flow.\r\nStage 1 – Victim machine, infected with TrickBot, receives instruction from TrickBot command and\r\ncontrol to download TrickBooster, which is signed with a valid certificate.\r\nStage 2 – TrickBooster reports back to a dedicated command and control server, sending lists of harvested e-mail credentials and addresses.\r\nStage 3 – TrickBooster command and control server instructs bot to send malicious spam e-mails.\r\nStage 4 – TrickBooster bot sends malicious infection and spam e-mails.\r\nDeep Instinct’s Investigation and Findings\r\nOur investigation started when Deep Instinct detected and prevented a TrickBooster infection attempt using a\r\nsigned malware binary at a customer environment in the US almost two weeks ago.\r\nSeeing a signed malware binary delivered to a customer environment prompted us to investigate further. We\r\nanalyzed the malware sample and found swaths of PowerShell code in its memory. 
Analysis of this PowerShell\r\ncode immediately led us to the conclusion that we are dealing with a mail-bot.\r\nPowerShell code snippets extracted from TrickBooster’s memory, showing functions to harvest e-mail addresses and send malicious spam e-mails.\r\nFollowing initial analysis, we started looking for more leads on the malware, cross referencing certificate\r\ninformation, sample similarity, and infrastructure used to both deliver and control the malware. We discovered\r\nmore samples of the malware, both signed and not, and additional infrastructure used in the campaign – both to\r\ndistribute (infection points) and control the malware (C2 Servers). TrickBot samples were also found, signed using\r\nthe same code signing certificates.\r\nThese code signing certificates were apparently issued to various small-to-medium businesses based in the UK.\r\nOne of these, an air-conditioning, heating and plumbing company, seemingly has very little use for code signing\r\ncertificates, while others may indeed have a legitimate use for them, according to their registrations.\r\nWe continued monitoring the campaign and the infrastructure involved in it, both its infection points and C2\r\nServers, which were going on and offline, and employing various Geo-IP restrictions and other mechanisms to\r\nhamper analysis. It was at one of these servers that we found something that made us realize how successful this\r\ncampaign is - an Email dump containing approximately 250 million Email addresses.\r\nThe Email Database\r\nThe recovered Email dump contains massive amounts of commonly used mail provider addresses such as Gmail,\r\nYahoo, etc., but is not limited to these alone. 
It also contains large amounts of e-mail addresses from various\r\nGovernment departments and other high-profile targets in both the US and the UK.\r\nOther organizations found include universities in the UK and Canada, and several provincial agencies and\r\nGovernments in Canada.\r\nThe numbers of listings for common mail providers were as follows:\r\nGmail.com – 25,863,076 addresses\r\nYahoo.com – 19,079,339 addresses\r\nHotmail.com – 11,120,126 addresses\r\nAol.com – 7,135,831 addresses\r\nMsn.com – 3,512,034 addresses\r\nYahoo.co.uk – 2,070,848 addresses\r\nSpot checking a few thousand of these compromised Email addresses against previously recorded leaks and\r\nbreaches leads us to believe that this is a new mass compromise of e-mails, not previously seen or reported.\r\nThis case, and this significant finding, highlights the success and sophistication of TrickBot, an already very\r\naccomplished piece of malware. For a threat actor in the cybercrime sphere, collaborating with spam malware\r\ncan bring many possible advantages. Chief among them is the increased ability to distribute your own malware, as\r\nspam-bots of all sorts have been, and will likely continue to be, a backbone of malware distribution in general.\r\nAs mentioned, TrickBooster is a powerful addition to TrickBot’s vast arsenal of tools, modules and collaborations\r\nwith other malware. This is not only due to the greatly increased spreading and information harvesting ability, but\r\nalso due to the cover-up of the ‘implant’ left behind. 
Following initial deployment of the malware on the victim\r\nmachine, the implant it leaves behind, after it finishes initial execution and clean-up, goes\r\nundetected.\r\nThis clean-up is thorough and involves deleting the original infecting executable file, which is a very common\r\npractice employed by many malware families. The result is that it is missed by nearly all scanning security\r\nvendors, an impressive stealth factor that is much desired among malware operators.\r\nThis file, whose main functionality appears to be an e-mail collector targeting OUTLOOK.exe, begins its\r\nexecution by creating an additional thread in which it looks for an OUTLOOK.exe window using the\r\n\"FindWindow\" function with \"rctrl_renwnd32\" as the class name (an identifier of the OUTLOOK.exe window).\r\nOn the other thread, this module uses COM objects to interact with OUTLOOK.exe. It starts by\r\ninitializing COM (CoInitializeEx) and then creates an instance of\r\n\"Microsoft.Office.Interop.Outlook\" with \"CoCreateInstance\". It then tries to start OUTLOOK.exe using the\r\n\"OleRun\" function.\r\nOnce OUTLOOK.exe is running, this module interacts with it using the Microsoft Outlook\r\nMessaging API (MAPI).\r\nMAPI provides the messaging architecture for Microsoft Outlook 2013 and Outlook 2016. 
It provides a set of\r\ninterfaces, functions, and other data types to facilitate the development of Outlook messaging applications.\r\nApplications use MAPI to manipulate email data, to create email messages and the folders to store them in, and to\r\nsupport notifications of changes to existing MAPI-related data.\r\nThis and further research and analysis of TrickBooster are still ongoing, with more details to be published in the near\r\nfuture.\r\nDuring our investigation of TrickBooster, we contacted DigiCert/Thawte, who issued the code signing\r\ncertificates used to sign both the TrickBot and TrickBooster samples used in this campaign, and requested their\r\nrevocation. The offending certificates have been revoked by DigiCert/Thawte.\r\nWe are also in the process of reporting and providing details to CERTs and other relevant authorities, and we will\r\nwork with partners in the community to make available the e-mail address dumps in a secure manner.\r\nIndicators of compromise (IOCs)\r\nShared Certificate Details\r\nShared Cert 1\r\nCert SHA1: 5DE6E48A350F60CE11D9D3AC437BE8CCBC3D415C\r\nIssued to: https://beta.companieshouse.gov.uk/company/08306316\r\nTrickBot signed sample (SHA256):\r\n3f651b525ceaa941c143b2adc3244b3d4b9af299ad09beea345867258dfbf5e7\r\nTrickBooster signed sample (SHA256):\r\n620020a21c8074d689e80fc1ae29acf8c34d3481ed380f20ad445b88a7bf442e\r\nShared Cert 2\r\nCert SHA1: 30A852583F8C2CA4710B431C800E4924C2C727EF\r\nIssued to: https://beta.companieshouse.gov.uk/company/08549469\r\nTrickBot signed samples (SHA256):\r\n33eed709eb06f57d371fa97097f821858ad4143900c7aa4c302ce190d51370ff\r\ndcaa278d0dbbd0b068615aeef5a87db1cbe664a6f51c5e9cc6a09fe354990fa6\r\nTrickBooster signed sample (SHA256):\r\n65596dd44caa7fa9e8d048dfb5a5e46b04874060eb888d320ee2ced752669f5e\r\nShared Cert 3\r\nCert SHA1: 67ED536B62CFE6855F1821DB1FE084616F0592E4\r\nIssued to: 
https://beta.companieshouse.gov.uk/company/08480288\r\nTrickBot signed sample (SHA256):\r\ne7e64753cf91d1d35c3098fcd491f53dda01e83c47f6bede3d5bfe6775fb20c8\r\nTrickBooster signed sample (SHA256):\r\nd96fd330c765b88f3503899755624cbe020ab3e2c53e28d7dee38e7b35f3eab2\r\nTrickBooster Infection servers (servers known to host TrickBooster executables in this campaign)\r\nhxxp://104.216.111.171/\r\nhxxp://85.204.116.92/\r\nTrickBooster Command \u0026 Control servers (servers controlling TrickBooster bots involved in this\r\ncampaign)\r\n185.86.148.63:2050\r\n178.156.202.242:2050\r\n62.109.25.254 (likely Command \u0026 Control Server)\r\nTrickBooster file hashes (SHA256, involved in this campaign)\r\nFUD TrickBooster “Implant” file hashes (SHA256)\r\n4ba33bf8a5e8b065f5055dd2c655dc2a271e9587b037e9b3e548b6c51cab3e9e\r\n702e96fef5b2ad643a0f702b26a3fd237592f778e4fbc707c80e93326fd08d58\r\n6bf8f079021c8018f6ab37a29091e838918734bf9d1c532852561b6a0d71f12d\r\nAdditional File hash IOCs 
(SHA256)\r\nSource: https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/"
	],
	"report_names": [
		"trickbooster-trickbots-email-based-infection-module"
	],
	"threat_actors": [],
	"ts_created_at": 1775439143,
	"ts_updated_at": 1775960488,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a34a9017e8f672da291a48aed09187609b70bec.pdf",
		"text": "https://archive.orkl.eu/9a34a9017e8f672da291a48aed09187609b70bec.txt",
		"img": "https://archive.orkl.eu/9a34a9017e8f672da291a48aed09187609b70bec.jpg"
	}
}