{
	"id": "1c807e14-73ab-4efb-b26c-e269f6934296",
	"created_at": "2026-04-06T00:08:47.594757Z",
	"updated_at": "2026-04-10T03:21:20.124104Z",
	"deleted_at": null,
	"sha1_hash": "bcf8f303aee44277613c7cd8196f3920cacc2e08",
	"title": "Latest Trickbot Variant has New Tricks Up Its Sleeve",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79783,
	"plain_text": "Latest Trickbot Variant has New Tricks Up Its Sleeve\r\nBy sharon\r\nPublished: 2018-08-14 · Archived: 2026-04-05 15:12:46 UTC\r\nTrickbot is a well-known financial Trojan that targets customers of large banks and steals their credentials. It is a modular malware that includes different modules for its malicious activities. It has been around since 2016 and since then new variants have appeared on an ongoing basis, each time updated with new tricks and modules.\r\nTrickbot includes modules for stealing data from browsers, stealing data from Microsoft Outlook, locking the victim’s computer, system information gathering, network information gathering and domain credential stealing.\r\nThe Cyberbit malware research team researched the latest Trickbot variant to understand how it differs from previous variants and to fully understand its new behaviors and tricks. The new variant of Trickbot comes with a stealthy code injection technique that performs process hollowing using direct system calls, anti-analysis techniques and disabling of security tools. The behavior patterns of this new Trickbot variant somewhat resemble those of the Flokibot banking Trojan.\r\nIn this report we analyze the new variant and its infection vector – a malicious Word document.\r\nZooming in to the infection vector\r\nThis variant of Trickbot is downloaded by a Word document (SHA256: aef2020534f81bbebec6c9b842b3de6fd4f5b55fe5aeb3d9e79e16c0a3ff37ab) which contains macro code. We first learned about it from a Twitter post. However, this document will not execute its macro until the user has both clicked “Enable Content” to enable execution of macros and zoomed in/out of the document. While this will probably evade sandboxes, it may also evade humans who don’t zoom the document.\r\nFigure 1 – The zoom in/out bar is highlighted in red\r\nFigure 2 – Macro executes only if the window was resized. The method InkPicture1_Resize triggers when the user zooms in/out.\r\nThe macro is obfuscated, as are most malicious macros, and ends up executing a PowerShell script that downloads and executes Trickbot. After deobfuscation and renaming, the PowerShell script looks like this:\r\nFigure 3 – PowerShell script downloads and executes Trickbot\r\nhttps://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/\r\nPage 1 of 6\r\nPayload analysis – Trickbot variant\r\nSHA256: 1c81272ffc28b29a82d8313bd74d1c6030c2af1ba4b165c44dc8ea6376679d9f\r\nOn initial examination of the malware, we can see the debug path is “c:\\users\\exploitdb\\desktop\\esetfuck\\release\\esetfuck.pdb”. The malware’s author probably dislikes ESET – a well-known IT security company.\r\nAnti-analysis, resource decryption \u0026 execution\r\nUpon execution, the malware sleeps for 30 seconds to evade sandboxes by calling Sleep(30000). Then it decrypts its resource using the RSA algorithm.\r\nFigure 4 – Sleep of 30 seconds is marked in red. The call to the resource decryption function is marked in purple\r\nDecryption procedure description\r\n1. The function at 0x405680 receives a key (private_key), key size (16), a pointer to the encrypted buffer and its size\r\n2. A handle to a cryptographic service provider is acquired by CryptAcquireContextW, with the chosen provider PROV_RSA_FULL\r\n3. The public key is imported with CryptImportKey from a key BLOB that is embedded within the executable\r\n4. The private_key is copied right after a BLOB header in memory, to form a key BLOB\r\n5. CryptImportKey is called again, with the key BLOB being the one formed at step 4 and the decryption key being the public key from step 3. The output key is saved (output_decryption_key)\r\n6. CryptEncrypt is called with the output_decryption_key saved from step 5 for the decryption of the resource\r\n7. The public key and the output_decryption_key are destroyed using CryptDestroyKey\r\nThe decrypted resource is a DLL (SHA256: 31A4065460CEF51C8B4495EFC9827926A789F602F5AD5C735EA1D88CAFAC135A) with an exported function named “shellcode_main”\r\nFigure 5 – Inside the resource decryption function\r\nThen, there are lots of calls to:\r\nCreateWindowEx with garbage-looking class names and window names\r\nSendMessageW with undefined message codes (0x64 and 0xfa) and a non-existent window\r\nGetLastError\r\nInSendMessage\r\nThe calls to CreateWindowEx are never executed and the logic of this code eventually leads to 27 calls to SendMessageW with an undefined message code – 0x64 – and a nonexistent window. The calls to InSendMessage are also never executed.\r\nFigure 6 – These are only part of the calls, there are many more below\r\nAfter jumping from one call to another (which seems to have no purpose at all other than confusing the analyst), the malware continues its malicious intent: the decrypted DLL is mapped to a buffer located at starting address 0x10000000.\r\nThen it calls Sleep(3) 3890 times, which results in 11 seconds of delay in execution. The large number of calls with a short sleep time might be good for sandbox evasion, because a short sleep time doesn’t look suspicious. Finally, the exported shellcode_main function, located at 0x10001900, is executed.\r\nFigure 7 – Sleeping and waking up every 3 milliseconds\r\nNow let’s skip to Trickbot’s process hollowing, which is implemented differently in this variant.\r\nTrickbot process hollowing using direct system calls\r\nThis new variant makes use of process hollowing (a.k.a. RunPE) – as in older samples of Trickbot. The process hollowing technique is used for unpacking.\r\nWe observed that in this case the process hollowing is done using direct system calls, in a way that is very similar to the Flokibot malware. We suspect that some piece of code is shared between these malware families.\r\nAs in the Flokibot malware – not all the functions used for the process hollowing were directly called using system calls – some of them were called from function addresses that were saved on the stack earlier.\r\nAt the end of this section we show some similarities and differences between Flokibot and Trickbot.\r\nLet’s dive into Trickbot to see the hollowing in action.\r\nAs usual, a suspended process is created using CreateProcessW. The chosen process is the malware’s process itself. The thread context structure of the main thread of that process is saved using GetThreadContext.\r\nFigure 8 – Creating the suspended process\r\nThen, the malware uses CreateFileW to obtain a handle to ntdll.dll, copies it into a buffer allocated by VirtualAlloc using ReadFile, and then allocates another buffer for mapping it into memory from its raw copy:\r\nFigure 9 – Reading ntdll.dll from the disk\r\nFigure 10 – Manually mapping ntdll.dll\r\nThe last call instruction in the above figure is a call to a function that receives a pointer to the mapped ntdll.dll buffer and a CRC32 value of the function’s name. This function computes CRC32 on each function name from the mapped ntdll.dll and compares it to the input CRC32 value. If it matches – it returns the offset in that buffer where the desired function starts.\r\nFor example, in the following screenshot, the address of NtUnmapViewOfSection is resolved:\r\nFigure 11 – A pointer to a buffer containing the mapped ntdll.dll (0x1cd0000) and 0x90483ff6 = CRC32(NtUnmapViewOfSection)\r\nOne piece of evidence in the code for the use of the CRC32 algorithm is the constant value 0xedb88320, the hex representation of the reversed CRC32 polynomial, being used.\r\nFigure 12 – Calculating the CRC32 value of the string NtAllocateVirtualMemory. The value 0xedb88320 is the binary representation of the reversed CRC32 polynomial.\r\nLater, the system call number is extracted, the parameters are placed on the stack and the appropriate function is called by placing the system call number in EAX and making the transition to the kernel with the sysenter instruction.\r\nFigure 13 – system call number extraction\r\nFigure 14 – sysenter instruction. EAX contains the system call number and the stack contains the appropriate parameters\r\nThe procedure above (including re-reading and re-mapping ntdll.dll for each function) is performed for the following functions:\r\nNtUnmapViewOfSection – Unmapping the original malware module\r\nNtCreateSection – Creating a section to write the malicious code to\r\nNtMapViewOfSection – Mapping the above section into the hollowed process\r\nNtWriteVirtualMemory – Writing the ImageBaseAddress of the current process to the ImageBaseAddress of the hollowed process (in its PEB)\r\nNtResumeThread – Resuming the suspended process and starting execution\r\nAs mentioned above, these are not all the functions used for the hollowing. Some functions are called from the addresses saved on the stack earlier. The complete hollowing sequence looks as follows. Functions called using direct system calls are marked in red. Functions called from saved addresses on the stack are marked in blue.\r\nCreateProcessW → GetThreadContext → NtUnmapViewOfSection → NtCreateSection → NtMapViewOfSection → NtWriteVirtualMemory → SetThreadContext → NtResumeThread\r\nAfter running the malware, we can see that, as in previous variants, it copied itself and its encrypted modules to C:\\Users\\%USERNAME%\\AppData\\Roaming\\msnet\r\nFigure 15 – Trickbot (1c9_patched.exe) \u0026 its modules\r\nThis variant also disables and deletes the Windows Defender service via the following commands:\r\nexe /c sc stop WinDefend\r\nexe /c sc delete WinDefend\r\nexe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true\r\nThe last one is a PowerShell command for disabling Windows Defender real-time monitoring.\r\nTrickbot: Similarities/Differences to Flokibot\r\nMalware | Functions called via direct system calls | Functions called from kernel32.dll | Command used for entering kernel mode | Suspended process\r\nFlokibot | NtCreateSection, NtMapViewOfSection, NtResumeThread | CreateProcessW, GetThreadContext, SetThreadContext | int 2e | explorer.exe\r\nTrickbot | (same as above) + NtUnmapViewOfSection, NtWriteVirtualMemory | (same as above) | sysenter | The malware itself\r\nYou can see here that Trickbot called two additional functions via direct system calls. However, it didn’t implement direct system calls for the 3 kernel32.dll functions mentioned in the table above – and could have been stealthier if it did. Oddly enough – these are the exact same functions that didn’t have this implementation in Flokibot either.\r\nAnother similarity to note is the use of the CRC32 algorithm for hashing the function names. In Flokibot the CRC32 is used in conjunction with an XOR of a 2-byte value, while in Trickbot the CRC32 is used without any additional XORing.\r\nSummary of Trickbot Evolution\r\nTrickbot is constantly evolving, adopting new tricks and becoming stealthier. It still has some way to go, since it didn’t implement all its process hollowing function calls via direct system calls. To avoid being analyzed, it added some very simple and ineffective techniques such as sleeps (for a long/short time) and useless function calls. To avoid detection, it disabled and deleted the Windows Defender service.\r\nOrganizations should be aware of this new trend of directly calling functions via system calls. This technique bypasses security tool hooks and therefore most security products will not detect this threat. Cyberbit EDR detects this kind of threat by using pure-behavioral detection which surfaces Trickbot and other threats regardless of indicators of compromise (IoCs).\r\nHod Gavriel is a Malware Analyst at Cyberbit.\r\nSource: https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/"
	],
	"report_names": [
		"latest-trickbot-variant-has-new-tricks-up-its-sleeve"
	],
	"threat_actors": [],
	"ts_created_at": 1775434127,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bcf8f303aee44277613c7cd8196f3920cacc2e08.pdf",
		"text": "https://archive.orkl.eu/bcf8f303aee44277613c7cd8196f3920cacc2e08.txt",
		"img": "https://archive.orkl.eu/bcf8f303aee44277613c7cd8196f3920cacc2e08.jpg"
	}
}