{ "id": "b365b5d3-3123-4b0b-a51a-f753ae95be8d", "created_at": "2026-04-06T00:21:09.077246Z", "updated_at": "2026-04-10T13:12:58.982048Z", "deleted_at": null, "sha1_hash": "bf821c295cc40114cc7205ffaad5769917ade5f6", "title": "TrickBot malware now checks screen resolution to evade analysis", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1316004, "plain_text": "TrickBot malware now checks screen resolution to evade analysis\r\nBy Lawrence Abrams\r\nPublished: 2020-07-01 · Archived: 2026-04-05 13:46:51 UTC\r\nThe infamous TrickBot trojan has started to check the screen resolutions of victims to detect whether the malware is running\r\nin a virtual machine.\r\nWhen researchers analyze malware, they typically do it in a virtual machine that is configured with various analysis tools.\r\nDue to this, malware commonly uses anti-VM techniques to detect whether the malware is running in a virtual machine. If it\r\nis, it is most likely being analyzed by a researcher or an automated sandbox system.\r\nhttps://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-screen-resolution-to-evade-analysis/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-screen-resolution-to-evade-analysis/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nThese anti-VM techniques include looking for particular processes, Windows services, or machine names, and even\r\nchecking network card MAC addresses or CPU features.\r\nTrickBot uses screen resolution as anti-VM checks\r\nIn a new sample of the TrickBot Trojan discovered by cybersecurity firm MalwareLab's Maciej Kotowicz, the malware is\r\nnow checking an infected computer's screen resolution to determine if it's a virtual machine.\r\nStarted as a banking Trojan, the TrickBot has evolved over time to perform a variety of malicious behavior.\r\nThis behavior includes spreading laterally through a network, stealing saved credentials in browsers, stealing Active\r\nDirectory Services databases, stealing cookies and OpenSSH keys, stealing RDP, VNC, and PuTTY Credentials, and more.\r\nIn a tweet, Kotowicz stated that a new sample of TrickBot is checking if the computer's screen resolution is 800x600 or\r\n1024x768, and if it is, TrickBot will terminate.\r\nTrickBot is checking for these particular resolutions because of how the researchers commonly configure their malware\r\nanalysis virtual machines.\r\nWhen configuring a virtual machine, most researchers will not install the VM guest software that allows for better screen\r\nresolutions, better mouse control, improved networking, and other features.\r\nThe software is not installed as malware commonly checks for files, registry keys, and processes used by the virtual machine\r\nguest software.\r\nWithout the guest software, though, a virtual machine will typically not allow any resolutions other than 800x600 and\r\n1024x768, compared to ordinary screen resolutions that are much higher.\r\nAs an example, the popular free virtual machine software VirtualBox has a default resolution of 1024x768 when its guest\r\nadditions software is not installed.\r\nAdvanced Intel's Vitali Kremez also told BleepingComputer that virtual machines used in automatic sandbox malware\r\nanalysis solutions utilize this default resolution as well.\r\n\"Cuckoo VMs commonly have this exact resolution. Other sandbox engines such as JoeSandbox and Any App Run also rely\r\non the exact same methodology with the default VM resolution,\" Kremez told BleepingComputer.\r\nKnowing this, the TrickBot developers are using these screen resolution checks as another anti-VM check.\r\nThe good news is that if you are using these resolutions, you are safe from TrickBot. The bad news is that you are using\r\nthese resolutions.\r\nhttps://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-screen-resolution-to-evade-analysis/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-screen-resolution-to-evade-analysis/\r\nhttps://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-screen-resolution-to-evade-analysis/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-screen-resolution-to-evade-analysis/" ], "report_names": [ "trickbot-malware-now-checks-screen-resolution-to-evade-analysis" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434869, "ts_updated_at": 1775826778, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bf821c295cc40114cc7205ffaad5769917ade5f6.pdf", "text": "https://archive.orkl.eu/bf821c295cc40114cc7205ffaad5769917ade5f6.txt", "img": "https://archive.orkl.eu/bf821c295cc40114cc7205ffaad5769917ade5f6.jpg" } }