{
	"id": "1e5a1581-2eb5-4140-a63a-89241b5b27f6",
	"created_at": "2026-04-06T00:19:56.295933Z",
	"updated_at": "2026-04-10T03:20:36.836814Z",
	"deleted_at": null,
	"sha1_hash": "fd03aef88304c81f6ebf2f806939cc97dca1dcde",
	"title": "24/7 managed detection, response, and expert cybersecurity services - GoSecure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 110357,
	"plain_text": "24/7 managed detection, response, and expert cybersecurity services -\r\nGoSecure\r\nArchived: 2026-04-05 21:47:34 UTC\r\nThe team of expert analysts at GoSecure Titan labs have reverse-engineered a new TrickBot cleverly hidden in a Zoom\r\njob interview email through a sample obtained from GoSecure Titan Inbox Detection and Response (IDR). The email\r\nmessage contained a shortcut (LNK) file entitled Interview_details.lnk and that LNK file downloads a loader which will\r\nbe examined in this blog. GoSecure Titan Labs named the loader TrickGate because it uses the Heaven's Gate technique\r\nto load TrickBot, one of the world's most prevalent botnets.\r\nAnalysis\r\nInfection Chain\r\nThe initial infection vector is via malspam. The email (906379938be59269713995cf29058f42), shown in Figure 1, is\r\nentitled FINAL interview - September 3 and congratulates the user on passing an internal interview. It provides a link\r\npurporting to be zoom details for a final interview. The link downloads an LNK file\r\n(6e49d82395b641a449c85bfa37dbbbc2) from\r\nhxxps://workdrive[.]zohoexternal[.]com/file/6c8ha295582e90c3e4655b87b82bb100f011b.\r\nFigure 1: Zoom Interview Malspam\r\nOnce executed, the LNK file, displayed in Figure 2, opens Notepad as a decoy, then uses curl –silent to download\r\nTrickGate, a 32-bit C/C++ compiled portable executable (PE), from\r\nhxxp://185[.]14[.]31[.]112/images/moonfrontmars[.]png. The LNK file then saves TrickGate\r\n(442f1e3d2825d51810bf9929f46439d2) in the %TEMP% directory as tmp.exe and executes it using the start command.\r\nFigure 2: LNK Contents\r\nTrickGate\r\nIn TrickGate's .rsrc section, the file HTML/DATA contains over 255 KB of encrypted shellcode. The shellcode is\r\ndecrypted directly in the .rsrc section using the decryption key planbetufernasoberpalade. It should be noted that the\r\ndecryption key varies from sample to sample. 
The decryption routine is depicted in Figure 3.\r\nFigure 3: TrickGate's Initial Decryption Routine\r\nOnce decrypted, the shellcode (87dc309108bbf70e3e67efbf9d4c09da) is copied to memory and executed there. Besides\r\nexecutable code, the shellcode also contains an encrypted 64-bit portable executable. Figure 4 shows the PE in the\r\nprocess of being decrypted. As can be observed from the decryption routine, the decryption simply involves XORing a\r\nbyte from the decryption key with a byte from the encrypted PE. The decrypted PE\r\n(8da11d870336c1c32ba521fd62e6f55b) only contains headers and a .text section, which is later written to yet another\r\nsection of memory.\r\nhttps://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/\r\nPage 1 of 12\n\nFigure 4: 64-bit PE Decryption Routine\r\nNext, the shellcode calls kernel32.CreateProcessInternalW, as depicted in Figure 5. Since the second parameter,\r\nlpApplicationName, is null, the process to be created is specified by the third parameter, lpCommandLine, which\r\ncontains a pointer to the path for Windows Error Reporting Manager (wermgr.exe). The seventh parameter,\r\ndwCreationFlags, which specifies flags that define options for the created process, contains the value 0x800000C. This\r\nvalue corresponds to the flags CREATE_NO_WINDOW, DETACHED_PROCESS, and CREATE_SUSPENDED. Thus,\r\nwermgr.exe will be created in a suspended state, without a console window. This is the beginning of process hollowing,\r\na technique used to inject and execute malware in a legitimate process.\r\nFigure 5: Create Suspended wermgr.exe Process\r\nAt this point, we expected to simply continue stepping through the disassembled code and observe the remaining\r\nprocess hollowing steps. 
However, as displayed in Figure 6, the shellcode makes a far call to 0x33:2F60011, which in\r\nturn makes a call to 0x10001000, which is where the 64-bit code from the decrypted PE's .text section is located. Also\r\ndisplayed in Figure 6, on the left, is Process Hacker, which shows the process wermgr.exe outlined in black, signifying\r\nthat it is suspended. When we try to step into the far call, instead of stepping into the instructions at address 0x2F60011,\r\nthe debugger executes for a few moments, then the instruction pointer returns to the previous function. Afterwards,\r\nwermgr.exe is no longer outlined in black, meaning that something has resumed the process, but we could not observe it\r\nbeing resumed or whether code was injected into it before it was resumed. Furthermore, setting breakpoints on API calls\r\nassociated with process hollowing did not cause the debugger to pause. So, what just happened? Enter Heaven's Gate.\r\nFigure 6: Far Call\r\nHeaven's Gate\r\nHeaven's Gate, first introduced in 2009, is a technique used to execute 64-bit code from a 32-bit process by using a far\r\ncall, far return, or far jump. Unlike regular calls, jumps, and returns, which only specify the memory address, far ones\r\nalso specify the code segment, allowing them to call, jump, or return to a different code segment. 0x23 specifies a 32-bit\r\ncode segment whereas 0x33 specifies a 64-bit code segment. Thus, when 0x33 is specified with a far call within a 32-bit\r\nprocess, it switches the thread of the 32-bit process into 64-bit execution mode. Since we are analyzing the sample with\r\nx32dbg, which can only analyze 32-bit code, the debugger is not capable of handling the process after it switches to\r\n64-bit, and we only regain control of the process when it returns from the far call and reverts to 32-bit. Most\r\ndebuggers will behave in the same manner, except for WinDbg, a debugger created by Microsoft that can debug both\r\n32-bit and 64-bit code. 
Using WinDbg, we can step seamlessly through Heaven's Gate and analyze the 64-bit code being\r\nexecuted. Figure 7 displays the disassembly in WinDbg before and after crossing Heaven's Gate. We can see that the\r\nregisters before the call pertain to a 32-bit architecture whereas 64-bit registers are being used after the call. Moreover,\r\nthe code segment (CS) register now holds the value 0x33.\r\nFigure 7: Stepping Through Heaven's Gate\r\nEven though WinDbg can handle the context switch, it is still confused with regard to breakpoints on API calls. This fact is\r\nillustrated in Figure 8. When a breakpoint is set for ntdll.NtWriteVirtualMemory, WinDbg sets it for the 32-bit ntdll.dll,\r\nas revealed by the x86 identifier and ntdll.dll's address, 0x77912d70, which falls in the 32-bit address space. However,\r\nthe actual version of ntdll.NtWriteVirtualMemory being called by TrickGate is 64-bit, as its address, 0x7ff8'570ed4a0,\r\nlies in the 64-bit address space. Therefore, the debugger will not pause at the requested breakpoint unless it is manually\r\nset at the appropriate address. This exemplifies just how pernicious Heaven's Gate can be. By hiding API calls, it makes\r\nmalware detection and analysis very difficult. This is why Heaven's Gate was initially used by many malware authors.\r\nHowever, the use of Heaven's Gate has greatly declined since Microsoft introduced Control Flow Guard (CFG) in\r\nWindows 8.1. CFG places restrictions on addresses called by executing code and, as such, can mitigate Heaven's Gate.\r\nThere has been some malware in recent years, such as HawkEye Reborn Keylogger and Remcos RAT, abusing Heaven's\r\nGate to avoid detection. Publications on the topic state that malware still using Heaven's Gate does so to target legacy\r\nmachines, since CFG should terminate the execution on modern systems. 
However, we at GoSecure Titan Labs ran\r\nTrickGate on a Windows 10 machine with CFG enabled, and it fully executed.\r\nFigure 8: Call to ntdll.NtWriteVirtualMemory\r\nAs anticipated, the 64-bit shellcode in Heaven's Gate completes the process hollowing that began in the 32-bit shellcode.\r\nLooking once again at Figure 8, we see that the value in rdx is 0x7ff7a77a650. This is the second argument passed to\r\nntdll.NtWriteVirtualMemory and it specifies the base address to which data should be written. Also displayed in Figure 8\r\nis the memory map view in x64dbg, which we had opened at this point and attached to the suspended wermgr.exe process.\r\nIt can be seen that the base address to be written to falls within the .text section of wermgr.exe. r8 contains the address\r\nof the buffer containing the bytes to be written and r9 contains the number of bytes to be written, which is 0x10, or 16 in\r\ndecimal. The memory window in the top right corner displays the data stored at the address in r8. Therefore, the call to\r\nntdll.NtWriteVirtualMemory writes the bytes 48 b8 00 10 6f 9d d0 01 00 00 40 0b c0 50 c3 00 to the .text section of\r\nwermgr.exe. The 64-bit shellcode then calls ntdll.NtResumeThread to resume the execution of wermgr.exe, completing\r\nthe process hollowing. Before wermgr.exe was resumed, we placed a breakpoint on the address in wermgr.exe where the\r\nbytes were written. As displayed in Figure 9, these bytes replace the return address of the current function with the\r\naddress 0x1D09D6f1000 and then return, passing execution to that address.\r\nFigure 9: Injected Code in wermgr.exe\r\nSo, what exactly is stored at this address? Back in TrickGate's 64-bit shellcode, another call to\r\nntdll.NtWriteVirtualMemory was made before resuming wermgr.exe. As can be observed from Figure 10, 0x28bd4\r\nbytes, which is a little over 166 KB, was written to memory beginning at address 0x1D09D6f0000. 
This written\r\nshellcode is TrickBot (8da11d870336c1c32ba521fd62e6f55b), the entry point of which is at address 0x1D09D6f1000.\r\nThus, TrickGate's 64-bit shellcode injected code into wermgr.exe so that it would execute a section of memory\r\ncontaining TrickBot. Therefore, TrickBot is executed disguised as Microsoft's Windows Error Reporting Manager.\r\nFigure 10: ntdll.NtWriteVirtualMemory Writing TrickBot To Memory\r\nTrickBot's Latest Variant\r\nAs TrickBot is very well-known malware, discussed in many publications, we will only focus on interesting aspects of\r\nthe current TrickBot variant. It creates a folder in the C:\\Users\\\u003cusername\u003e\\AppData\\Roaming directory. The folder's\r\nname is UniLiteGames with 4 characters appended to it, such as UniLiteGames5UIH. It then copies the original PE,\r\nTrickGate, and an obfuscated batch file named command.bat to this folder. The batch file, shown in Figure 11, is\r\nobfuscated with simple string replacements. Once deobfuscated, the file contains the command start\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\UniLiteGames\u003c4-characters\u003e\\\u003ctrickgate-pe-name\u003e.\r\nFigure 11: Obfuscated Batch File\r\nTrickBot then creates a COM object for the Task Scheduler interface, which it uses to create a scheduled task to run\r\ncommand.bat every time the user logs on, as depicted in Figure 12. The name of the scheduled task is UniGamesSoft\r\nfollowed by the same 4 characters used when creating the aforementioned folder, and the Author is UniGamesSoft.\r\nFigure 12: TrickGate Scheduled To Execute at Logon\r\nTrickBot contains 18 command and control (C2) IP addresses. 
All C2 communication\r\noccurs over HTTPS and uses Windows HTTP Services (WinHTTP), as can be seen in Figure 13, which displays the\r\ninitial check-in. The third argument passed to winhttp.HttpOpenRequest, which creates the HTTP request handle, is\r\n/rob128/_W10019077.19D16C537142D197E33B9D65DF03B33E/5/file/, which specifies the path on the target server.\r\nAll subsequent information sent to the C2 server is sent in similar GET requests. For example, information pertaining to\r\nthe victim machine's network address translation (NAT) status is sent as\r\n/rob128/_W10019077.33A1A5DD03BBFF0FD7BA9BB14F9FBCDF/14/NAT%20status/client%20is%20behind%20NAT/0/.\r\nAs this demonstrates, the data sent to and from the C2 server is not encrypted or obfuscated in any way at the application\r\nlayer, presumably because TrickBot relies on HTTPS to encrypt the communication.\r\nFigure 13: TrickBot's Check-in Request\r\nThe C2 URL path follows the same format observed in previous variants of TrickBot. rob128 follows TrickBot's\r\nconvention of using alphabetic characters followed by a decimal value at the beginning of the path. rob128 was\r\nobserved in all other samples of the current campaign. Next is the computer name of the compromised machine,\r\nfollowed by _W, which is hardcoded in all TrickBot samples we have encountered. A decimal number always follows\r\nthe _W. Next is a decimal point followed by a hexadecimal string 32 characters long. This string is created based on system\r\ntime and involves using the function kernel32.GetTickCount and the RDTSC instruction, which reads the time stamp counter.\r\nThe next value in the path appears to signify the type of request being made and corresponds to values used in a switch\r\nstatement that controls the flow of requests, displayed in Figure 14. For example, the initial check-in, which was created\r\nin case 5, has the value 5 for this part of its path. 
Likewise, the URL containing the NAT status uses the value 14, as it\r\nwas created in the function corresponding to case 14.\r\nFigure 14: C2 Communication Switch Statement\r\nAn interesting feature observed in this variant is that after TrickBot obtains the public IP address of the victim machine,\r\nit will query IP blacklist services to determine the reputation of the IP address. As we can see in Figure 15, TrickBot\r\ncalls ws2_32.getaddrinfo, which resolves the specified host name. The value passed to its first parameter ends in\r\n.zen.spamhaus.org; zen.spamhaus.org is a domain name system blacklist (DNSBL) service. Prepended to this is the\r\nvictim machine's IP address with its octets in reverse order. TrickBot also uses other DNSBL services to check the victim machine's IP\r\naddress. These include cbl.abuseat.org, b.barracudacentral.org, dnsbl-1.uceprotect.net, and spam.dnsbl.sorbs.net.\r\nFigure 15: IP Reputation Check\r\nTrickBot will then send a request to its C2 server stating the results of the reputation checks. As displayed in Figure 16,\r\nan example of the URL path generated for such requests is\r\nrob128/_W10019077.33A1A5DD03BBFF0FD7BA9BB14F9FBCDF/14/DNSBL/not%20listed/0/. Of course, if any of the DNSBL services report the IP as blacklisted,\r\nnot%20listed is changed to listed in the URL path.\r\nFigure 16: Reporting DNSBL Status to C2 Server\r\nConclusion\r\nThe notorious botnet and information stealer, TrickBot, has remained active since 2016 and continues to live up to its\r\nname, as it regularly incorporates new tricks into its already long list of abilities. 
TrickGate Loader is the latest addition\r\nto those tricks, and a very impressive one at that, since its use of Heaven's Gate allows it to effectively conceal the API calls\r\nused to load TrickBot.\r\nThrough close monitoring, analysis, and reverse engineering, GoSecure Titan Labs, as part of our GoSecure Titan\r\nManaged Detection and Response offering, has created signatures to detect the emerging threats discussed in this\r\nreport. One such signature, listed below in the Detection section, is a file detection signature for the TrickBot shellcode\r\nentitled malware_trickbot_4, which was created using binlex, an open-source genetic binary trait lexer library and utility.\r\nBy unpacking TrickBot shellcode from numerous samples of TrickGate, we were able to use binlex to extract the\r\ncommon traits and thus create an effective signature.\r\nIncreased work from home and remote work have led to a rise in these types of threats for users. Tools like GoSecure\r\nTitan IDR, which can be installed in desktop, mobile and web applications, allow users to send suspicious emails for\r\nexpert analysis. 
This can help identify and remove potentially harmful threats from the environment before they spread,\r\nwhile also delivering samples to experts for documentation and reverse-engineering.\r\nMalware Analyst: Sean Mahoney\r\nIndicators of Compromise\r\n+======+==================================+============================+\r\n| type | indicator | description |\r\n+======+==================================+============================+\r\n| md5 | 906379938be59269713995cf29058f42 | Malspam Email |\r\n+------+----------------------------------+----------------------------+\r\n| md5 | 6e49d82395b641a449c85bfa37dbbbc2 | LNK Downloader |\r\n+------+----------------------------------+----------------------------+\r\n| md5 | 442f1e3d2825d51810bf9929f46439d2 | TrickGate Loader |\r\n+------+----------------------------------+----------------------------+\r\n| md5 | 87dc309108bbf70e3e67efbf9d4c09da | TrickGate Loader Shellcode |\r\n+------+----------------------------------+----------------------------+\r\n| md5 | 8da11d870336c1c32ba521fd62e6f55b | 64-bit PE |\r\n+------+----------------------------------+----------------------------+\r\n| md5 | 0d9febdee78018daea87101c0d1a5362 | Trickbot Shellcode |\r\n+======+==================================+============================+\r\nDetection\r\nGoSecure Titan Labs are providing the following signatures to help the community in detecting and identifying the\r\nthreats discussed in this report.\r\nrule other_lnk_download_and_execute_0 {\r\n meta:\r\n author = \"Titan Labs\"\r\n company = \"GoSecure\"\r\n description = \"LNK downloading and 
executing a file\"\r\n hash = \"6e49d82395b641a449c85bfa37dbbbc2\"\r\n created = \"2021-10-14\"\r\n tlp = \"white\"\r\n os = \"windows\"\r\n type = \"other\"\r\n rev = 1\r\n strings:\r\n $lnk = { 4C 00 00 00 01 14 02 00 }\r\n $file_1 = \".exe\" ascii wide nocase\r\n $file_2 = \".dll\" ascii wide nocase\r\n $file_3 = \".scr\" ascii wide nocase\r\n $file_4 = \".pif\" ascii wide nocase\r\n $file_5 = \"This program\" ascii wide nocase\r\n $file_6 = \"TVqQAA\" ascii wide nocase\r\n $execute_1 = \"cmd.exe\" ascii wide nocase\r\n $execute_2 = \"/c echo\" ascii wide nocase\r\n $execute_3 = \"/c start\" ascii wide nocase\r\n $execute_4 = \"/c set\" ascii wide nocase\r\n $execute_5 = \"%COMSPEC%\" ascii wide nocase\r\n $execute_6 = \"rundll32.exe\" ascii wide nocase\r\n $execute_7 = \"regsvr32.exe\" ascii wide nocase\r\n $execute_8 = \"Assembly.Load\" ascii wide nocase\r\n $execute_9 = \"[Reflection.Assembly]::Load\" ascii wide nocase\r\n $execute_10 = \"process call\" ascii wide nocase\r\n $download_1 = \"bitsadmin\" ascii wide nocase\r\n $download_2 = \"certutil\" ascii wide nocase\r\n $download_3 = \"ServerXMLHTTP\" ascii wide nocase\r\n $download_4 = \"http\" ascii wide nocase\r\n $download_5 = \"ftp\" ascii wide nocase\r\n $download_6 = \".url\" ascii wide nocase\r\n $download_7 = \"curl\" ascii wide nocase\r\n condition:\r\n $lnk at 0 and\r\n any of ($file_*) and\r\n any of ($execute_*) and\r\n any of ($download_*)\r\n}\r\nrule malware_trick_gate_loader_0 {\r\n meta:\r\n author = \"Titan Labs\"\r\n company = \"GoSecure\"\r\n description = \"TrickBot Loader using Heaven's Gate\"\r\n hash = \"442f1e3d2825d51810bf9929f46439d2\"\r\n created = \"2021-11-04\"\r\n os = \"windows\"\r\n type = \"malware.loader\"\r\n tlp = \"white\"\r\n rev = 1\r\n strings:\r\n $get_base_address = {\r\n 55 8b ec 83 ec 14 89 4? ?? 8b 4? ?? 8b 4? ?? 
89\r\n 48 08 6a 40 8b 5? ?? 8b 42 08 50 ff 15 ?? ?? ??\r\n ?? 85 c0 74 ?? 8b 4? ?? c7 01 00 00 00 00 8b 5?\r\n ?? c7 42 04 00 00 00 00 e9 ?? ?? ?? ?? 8b 4? ??\r\n 8b 4? ?? 8b 51 08 89 10 8b 4? ?? 8b 08 8b 51 3c\r\n 89 5? ?? 8b 4? ?? 83 78 08 00 74 ?? 83 7? ?? 00\r\n 74 ?? 8b 4? ?? 8b 51 08 03 5? ?? 89 5? ?? eb ??\r\n eb 07 c7 4? ?? 00 00 00 00 68 f8 00 00 00 8b 4?\r\n ?? 50 ff 15 ?? ?? ?? ?? 85 c0 74 ?? 8b 4? ?? c7\r\n 41 04 00 00 00 00 eb ?? 8b 5? ?? 8b 02 8b 48 3c\r\n 89 4? ?? 8b 5? ?? 83 7a 08 00 74 ?? 83 7? ?? 00\r\n 74 ?? 8b 4? ?? 8b 48 08 03 4? ?? 89 4? ?? eb ??\r\nhttps://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/\r\nPage 7 of 12\n\neb 07 c7 4? ?? 00 00 00 00 8b 5? ?? 8b 4? ?? 89\r\n 42 04 8b 4? ?? 8b e5 5d c2 04 00}\r\n $resolve_api_call = {\r\n 55 8b ec 6a ff 68 ?? ?? ?? ?? 64 a1 00 00 00 00\r\n 50 64 89 25 00 00 00 00 81 ec 94 00 00 00 89 8?\r\n ?? ?? ?? ?? 8b 4? ?? 50 8b 8? ?? ?? ?? ?? e8 ??\r\n ?? ?? ?? c7 4? ?? 00 00 00 00 8b 4? ?? 8b 11 8b\r\n 42 04 8b 4? ?? 8b 54 01 0c 89 5? ?? 33 c0 83 7?\r\n ?? 00 0f 94 ?? 0f b6 c8 85 c9 74 ?? 8b 5? ?? 8b\r\n 02 8b 48 04 8b 5? ?? 8b 44 0a 3c 89 4? ?? 83 7?\r\n ?? 00 74 ?? 8b 4? ?? 8b 11 8b 42 04 8b 4? ?? 8b\r\n 54 01 3c 89 5? ?? 8b 4? ?? e8 ?? ?? ?? ?? 8b 4?\r\n ?? 8b 08 8b 51 04 8b 4? ?? 8b 4c 10 0c 89 8? ??\r\n ?? ?? ?? 33 d2 83 b? ?? ?? ?? ?? 00 0f 94 ?? 8b\r\n 8? ?? ?? ?? ?? 88 50 04 c7 4? ?? ff ff ff ff 8b\r\n 8? ?? ?? ?? ?? 8b 4? ?? 64 89 0d 00 00 00 00 8b\r\n e5 5d c2 04 00}\r\n $heap_writing_function = {\r\n 5? 8b ?? 6a ?? 68 ?? ?? ?? ?? 64 a1 ?? ?? ?? ??\r\n 5? 64 89 ?? ?? ?? ?? ?? 5? 81 e? ?? ?? ?? ?? 5?\r\n 5? 5? 89 ?? ?? c7 4? ?? ?? ?? ?? ?? 8b ?? ?? 89\r\n ?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 83 c? ?? 89 ??\r\n ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8a ?? 88 ?? ?? ??\r\n ?? ?? 83 8? ?? ?? ?? ?? ?? 80 b? ?? ?? ?? ?? ??\r\n 75 ?? 8b ?? ?? ?? ?? ?? 2b ?? ?? ?? ?? ?? 89 ??\r\n ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 33 ?? 89 ?? ?? 89\r\n ?? ?? 8b ?? ?? 
8b ?? 8b ?? ?? 8b ?? ?? 8b ?? ??\r\n ?? 89 ?? ?? 8b ?? ?? ?? 89 ?? ?? 83 7? ?? ?? 7c\r\n ?? 7f ?? 83 7? ?? ?? 76 ?? 8b ?? ?? 8b ?? 8b ??\r\n ?? 8b ?? ?? 8b ?? ?? ?? 89 ?? ?? 8b ?? ?? ?? 89\r\n ?? ?? 8b ?? ?? 3b ?? ?? 7c ?? 7f ?? 8b ?? ?? 3b\r\n ?? ?? 76 ?? 8b ?? ?? 8b ?? 8b ?? ?? 8b ?? ?? 8b\r\n ?? ?? ?? 89 ?? ?? 8b ?? ?? ?? 89 ?? ?? 8b ?? ??\r\n 2b ?? ?? 8b ?? ?? 1b ?? ?? 89 ?? ?? ?? ?? ?? 89\r\n ?? ?? ?? ?? ?? eb ?? c7 8? ?? ?? ?? ?? ?? ?? ??\r\n ?? c7 8? ?? ?? ?? ?? ?? ?? ?? ?? 8b ?? ?? ?? ??\r\n ?? 89 ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? 8b ?? ??\r\n 5? 8d ?? ?? e8 ?? ?? ?? ?? c7 4? ?? ?? ?? ?? ??\r\n 0f b6 ?? ?? f7 d? 1b ?? f7 d? 83 e? ?? 83 f? ??\r\n 75 ?? 8b ?? ?? 83 c? ?? 89 ?? ?? e9 ?? ?? ?? ??}\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n uint32(uint32(0x3c)) == 0x00004550 and\r\n all of them\r\n}\r\nrule malware_trick_gate_loader_shellcode_0 {\r\n meta:\r\nhttps://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/\r\nPage 8 of 12\n\nauthor = \"Titan Labs\"\r\n company = \"GoSecure\"\r\n description = \"Shellcode decrypted from TrickGate's resource section\"\r\n hash = \"87dc309108bbf70e3e67efbf9d4c09da\"\r\n created = \"2021-11-04\"\r\n os = \"windows\"\r\n type = \"malware.loader\"\r\n tlp = \"white\"\r\n rev = 1\r\n strings:\r\n $decryption_routine = {\r\n 5? 4? 75 ?? 5? 8b ?? 8b ?? 05 ?? ?? ?? ?? 68 ??\r\n ?? ?? ?? 89 ?? ?? 5? 8b ?? 4? 8b ?? 4? 8b ?? 66\r\n ad 85 ?? 74 ?? 3b ?? 77 ?? 2b ?? c1 e? ?? 5? 8b\r\n ?? 03 ?? 81 c? ?? ?? ?? ?? 8b ?? 5? 03 ?? 5? eb\r\n ?? 89 ?? ?? b? ?? ?? ?? ?? 03 ?? 8b ?? 2b ?? 2b\r\n ?? 8b ?? 89 ?? ?? 8b ?? 83 e? ?? 8b ?? c7 4? ??\r\n ?? ?? ?? ?? 89 ?? 5? 
ff d?}\r\n condition:\r\n $decryption_routine\r\n}\r\nrule malware_trickbot_4 {\r\n meta:\r\n author = \"Titan Labs\"\r\n company = \"GoSecure\"\r\n description = \"Unpacked Trickbot Shellcode\"\r\n created = \"2021-11-26\"\r\n type = \"malware.botnet\"\r\n os = \"windows\"\r\n tlp = \"white\"\r\n hash = \"0d9febdee78018daea87101c0d1a5362\"\r\n rev = 1\r\n strings:\r\n $heap_write = {\r\n 90 90 90 90 90 90 90 90 90 90 90 90 90 0f b6 1a\r\n 88 18 0f b6 5a ?? 88 58 ?? 0f b6 5a ?? 88 58 ??\r\n 0f b6 5a ?? 88 58 ?? 0f b6 5a ?? 88 58 ?? 0f b6\r\n 5a ?? 88 58 ?? 0f b6 5a ?? 88 58 ?? 49 83 c0 f8\r\n 0f b6 5a ?? 48 8d 52 ?? 88 58 ?? 48 8d 40 ?? 75\r\n bc}\r\n $requestOptions = {\r\n c7 44 24 ?? 00 33 ?? ?? 4c 8d 44 24 ?? ba 1f ??\r\n ?? ?? 41 b9 04 ?? ?? ?? 48 8b c8 ff 15 ?? ?? ??\r\n ?? 85 c0 0f 84 96}\r\n $createProcess = {\r\n c7 44 24 ?? 68 ?? ?? ?? 48 8b ce ff 15 ?? ?? ??\r\n ?? 48 8b 8c 24 ?? ?? ?? ?? ?? 89 7c 24 48 48 89\r\n 74 24 ?? 48 c7 44 24 ?? ?? ?? ?? ?? 48 c7 44 24\r\n ?? ?? ?? ?? ?? c7 44 24 ?? ?? ?? ?? ?? c7 44 24\r\nhttps://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/\r\nPage 9 of 12\n\n?? ?? ?? ?? ?? 33 d2 45 33 c0 45 33 c9 ff 15 ??\r\n ?? ?? ?? 85 c0 74 68}\r\n $get_path = {\r\n 33 db 48 8d 8c 24 ?? ?? ?? ?? ba 05 01 ?? ?? 45\r\n 33 c9 4c 8b c6 ff 15 ?? ?? ?? ?? 85 c0 48 8b fe\r\n 48 0f 44 fb 48 85 ff 75 0a}\r\n $incrementVars = {\r\n 33 ff 48 8d 6c 24 ?? 90 90 90 90 90 90 90 90 90\r\n 90 ff c7 66 83 7d ?? ?? 48 8d 6d ?? 75 f3}\r\n $readFile_1 = {\r\n 48 c7 44 24 ?? ?? ?? ?? ?? 4c 8d 4c 24 ?? 48 8b\r\n cb 49 8b d4 44 8b c5 ff 15 ?? ?? ?? ?? 33 ff 85\r\n c0 0f 95 c0 74 08}\r\n $readFile_2 = {\r\n 4c 8b 25 ?? ?? ?? ?? 33 f6 33 d2 45 33 c0 41 b9\r\n 02 ?? ?? ?? 48 8b cb 41 ff d4 8b e8 89 6c 24 ??\r\n 33 d2 45 33 c0 45 33 c9 48 8b cb 41 ff d4 85 ed\r\n 74 58}\r\n $query_headers = {\r\n 48 8b 4f ?? 48 8d 44 24 ?? 48 89 44 24 ?? 48 c7\r\n 44 24 ?? ?? ?? ?? ?? 4c 8d 4c 24 ?? 
ba 13 00 00\r\n 20 45 33 c0 ff 15 ?? ?? ?? ?? 8b c8 b8 01 ?? ??\r\n ?? 85 c9 75 38}\r\n $return_static = {\r\n 55 48 8b ec 48 83 e4 f8 48 8d 0d ?? ?? ff ff 48\r\n 8d 05 ?? ff ff ff 48 2b c1 48 8b e5 5d c3}\r\n $logic_1 = {\r\n 44 89 5c 24 ?? 4c 89 7c 24 ?? 48 89 54 24 ?? 48\r\n 8b 44 24 ?? 48 8b 6c 24 ?? 48 3b e8 bd 4a c7 43\r\n 0a 41 0f 42 ee 48 8b 44 24 ?? 81 fd af b7 12 f5\r\n 7f 43}\r\n $logic_2 = {\r\n 48 83 7c 24 ?? ?? b8 95 6a 7d b9 b9 9f f8 cd a9\r\n 0f 45 c1 e9 73 fb ff ff}\r\n $logic_3 = {\r\n 48 89 9c 24 ?? ?? ?? ?? 89 74 24 ?? 48 8b 84 24\r\n ?? ?? ?? ?? 80 38 ?? b8 0d 1a 75 84 b9 e1 21 8b\r\n 44 0f 45 c1 e9 6f fa ff ff}\r\n $logic_4 = {\r\n 48 8b 44 24 ?? 48 89 44 24 ?? 48 8b 84 24 ?? ??\r\n ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 8b 84 24 ?? ??\r\n ?? ?? 48 89 84 24 00 ?? ?? ?? 48 8b 84 24 ?? ??\r\n ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 8b 84 24 ?? ??\r\n ?? ?? 48 89 84 24 ?? ?? ?? ?? 49 8b 07 0f b7 08\r\n 89 4c ?? 24 48 83 c0 02 49 89 07 48 89 84 24 ??\r\n ?? ?? ?? 83 7c ?? 24 ?? b8 6b 7f a2 a5 b9 96 d1\r\n 66 15 0f 45 c1 e9 a0 fc ff ff}\r\n $logic_5 = {\r\n 48 8b 44 24 ?? 8a ?? 48 8b 6c 24 ?? 88 45 ?? 48\r\nhttps://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/\r\nPage 10 of 12\n\n8b 44 24 ?? 80 38 ?? bd 9e 58 3a b3 41 0f 44 e9\r\n 48 8b 44 24 ?? eb b5}\r\n $logic_6 = {\r\n 48 8b 6c 24 ?? 48 ff c5 48 89 6c 24 ?? 48 8b 6c\r\n 24 ?? 48 ff c5 48 89 6c 24 ?? 48 8b 6c 24 ?? 8a\r\n 5d ?? 88 5c 24 ?? 80 7c 24 ?? ?? bd 64 55 26 9d\r\n 41 0f 45 ea e9 33 ff ff ff}\r\n $logic_7 = {\r\n 48 8b 84 24 ?? ?? ?? ?? 8b ?? 48 8b 4c 24 ?? 48\r\n 8d 14 01 48 89 94 24 ?? ?? ?? ?? 8b 54 01 ?? 4c\r\n 8b c3 8b df 44 8b ce 48 8b 74 24 ?? 48 03 f2 48\r\n 89 b4 24 ?? ?? ?? ?? 49 8b d8 8b 54 01 ?? 48 8b\r\n 74 24 ?? 48 03 f2 48 89 b4 24 ?? ?? ?? ?? 41 8b\r\n f1 8b 44 01 ?? 48 03 44 24 ?? 48 89 84 24 ?? ??\r\n ?? ?? b8 f7 db c4 c5 49 8b cd 48 89 4c 24 ?? e9\r\n 96 f9 ff ff}\r\n $logic_8 = {\r\n 49 63 45 ?? 4c 89 6c 24 ?? 
48 8b 4c 24 ?? 48 8d\r\n 84 01 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 8b\r\n 84 24 ?? ?? ?? ?? 48 89 84 24 ?? ?? ?? ?? 48 8b\r\n 84 24 ?? ?? ?? ?? 83 38 ?? b8 4d 1d f8 fb b9 c3\r\n f8 ec ?? 0f 45 c1 e9 05 f7 ff ff}\r\n $logic_9 = {\r\n 49 8b 07 0f b7 08 89 4c 24 ?? 48 83 c0 02 48 89\r\n 84 24 ?? ?? ?? ?? 48 8b 84 24 ?? ?? ?? ?? 49 89\r\n 07 83 7c 24 ?? ?? b8 18 ab 0a 99 b9 28 86 7a 7a\r\n 0f 45 c1 e9 76 f8 ff ff}\r\n $logic_10 = {\r\n 83 7c 24 ?? ?? b8 79 5c ba 4b b9 a9 a6 56 b9 0f\r\n 4f c1 8b 4c 24 ?? 89 4c 24 ?? e9 50 fa ff ff}\r\n $logic_11 = {\r\n 8b 44 24 ?? 48 89 84 24 ?? ?? ?? ?? 48 8b 84 24\r\n ?? ?? ?? ?? 48 8b 8c 24 ?? ?? ?? ?? 48 8d 04 88\r\n 48 89 84 24 ?? ?? ?? ?? 48 8b 84 24 ?? ?? ?? ??\r\n 8b ?? 89 44 24 ?? 83 7c 24 ?? ?? b8 38 55 90 88\r\n b9 29 a5 0e be 0f 45 c1 e9 12 fe ff ff}\r\n $logic_12 = {\r\n 8b 44 24 ?? 48 89 84 24 ?? ?? ?? ?? 48 8b 84 24\r\n ?? ?? ?? ?? 48 8b 8c 24 ?? ?? ?? ?? 8b 04 81 48\r\n 03 44 24 ?? 48 89 84 24 ?? ?? ?? ?? b8 b9 23 c7\r\n 33 33 f6 48 8b 9c 24 ?? ?? ?? ?? e9 96 fe ff ff\r\n }\r\n $logic_13 = {\r\n 8b 44 24 ?? 89 44 24 ?? 48 8b 84 24 ?? ?? ?? ??\r\n 48 83 c0 18 48 89 84 24 ?? ?? ?? ?? 48 8b 84 24\r\n ?? ?? ?? ?? 8b 4c 24 ?? 3b 08 b8 5c b1 a7 79 b9\r\n 26 e6 ba 02 0f 42 c1 e9 21 fb ff ff}\r\n $logic_14 = {\r\n 8b 44 24 ?? 89 44 24 ?? 8b 44 ?? 24 8b 4c 24 ??\r\nhttps://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/\r\nPage 11 of 12\n\n3b c8 b8 d0 78 7a 87 b9 07 2b 67 eb 0f 42 c1 c7\r\n 44 24 ?? ?? ?? ?? ?? e9 58 f9 ff ff}\r\n $logic_15 = {\r\n 8b 44 ?? 24 8b 4c 24 ?? 3b c8 b8 65 79 3f 9a b9\r\n 3c 26 ab 78 0f 44 c1 8b 4c 24 ?? 89 4c 24 ?? e9\r\n ff f7 ff ff}\r\n $logic_16 = {\r\n 8b 44 24 ?? 8b c8 f7 d1 81 e1 4d 5e 9b 89 25 b2\r\n a1 64 76 0b c1 35 dc fe ed bc 89 84 24 ?? ?? ??\r\n ?? b8 e1 65 b5 e3 33 ff e9 85 f7 ff ff}\r\n $logic_17 = {\r\n 8b 74 24 ?? f7 de bf 01 ?? ?? ?? 2b fe 48 8b 74\r\n 24 ?? 8a 5c 24 ?? 88 1e 48 8b 74 24 ?? 
48 ff c6\r\n bd f3 dc 32 70 eb 2a}\r\n $logic_18 = {\r\n f6 44 24 ?? 01 b8 5d ff b5 c1 b9 7a 22 79 97 0f\r\n 45 c1 e9 0d ff ff ff}\r\n condition:\r\n filesize \u003c 328KB and 10 of them\r\n}\r\nalert http any any -\u003e $EXTERNAL_NET any (\r\n msg:\"GS MALWARE Trickbot C2 Communication\";\r\n content:\"_W\"; http_uri; fast_pattern;\r\n pcre:\"/^\\/\\w+\\d+\\/[^\\/]+_W\\d+\\.[A-F0-9]{32}\\/\\d+\\//U\";\r\n flow:to_server, established;\r\n metadata:created 2019-06-06, updated 2021-11-25, type malware.botnet, os windows, tlp white, id 3;\r\n classtype:trojan-activity;\r\n sid:300000464;\r\n rev:3;\r\n)\r\nSource: https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/\r\n\r\nstrings: $get_base_address = {  \n55 8b ec 83 ec 14 89 4? ?? 8b 4? ?? 8b 4? ?? 89\n48 08 6a 40 8b 5? ?? 8b 42 08 50 ff 15 ?? ?? ??\n?? 85 c0 74 ?? 8b 4? ?? c7 01 00 00 00 00 8b 5?\n?? c7 42 04 00 00 00 00 e9 ?? ?? ?? ?? 8b 4? ??\n8b 4? ?? 8b 51 08 89 10 8b 4? ?? 8b 08 8b 51 3c\n89 5? ?? 8b 4? ?? 83 78 08 00 74 ?? 83 7? ?? 00\n74 ?? 8b 4? ?? 8b 51 08 03 5? ?? 89 5? ?? eb ??\neb 07 c7 4? ?? 00 00 00 00 68 f8 00 00 00 8b 4?\n?? 50 ff 15 ?? ?? ?? ?? 85 c0 74 ?? 8b 4? ?? c7\n41 04 00 00 00 00 eb ?? 8b 5? ?? 8b 02 8b 48 3c\n89 4? ?? 8b 5? ?? 83 7a 08 00 74 ?? 83 7? ?? 00\n74 ?? 8b 4? ?? 8b 48 08 03 4? ?? 89 4? ?? eb ??\neb 07 c7 4? ?? 00 00 00 00 8b 5? ?? 8b 4? ?? 89\n42 04 8b 4? ?? 8b e5 5d c2 04 00} \n$resolve_api_call = {  \n55 8b ec 6a ff 68 ?? ?? ?? ?? 64 a1 00 00 00 00\n50 64 89 25 00 00 00 00 81 ec 94 00 00 00 89 8?\n?? ?? ?? ?? 8b 4? ?? 50 8b 8? ?? ?? ?? ?? e8 ??\n?? ?? ?? c7 4? ?? 00 00 00 00 8b 4? ?? 8b 11 8b\n42 04 8b 4? ?? 
8b 54 01 0c 89 5? ?? 33 c0 83 7?\n?? 00 0f 94 ?? 0f b6 c8 85 c9 74 ?? 8b 5? ?? 8b\n02 8b 48 04 8b 5? ?? 8b 44 0a 3c 89 4? ?? 83 7?\n?? 00 74 ?? 8b 4? ?? 8b 11 8b 42 04 8b 4? ?? 8b\n54 01 3c 89 5? ?? 8b 4? ?? e8 ?? ?? ?? ?? 8b 4?\n?? 8b 08 8b 51 04 8b 4? ?? 8b 4c 10 0c 89 8? ??\n?? ?? ?? 33 d2 83 b? ?? ?? ?? ?? 00 0f 94 ?? 8b\n8? ?? ?? ?? ?? 88 50 04 c7 4? ?? ff ff ff ff 8b\n8? ?? ?? ?? ?? 8b 4? ?? 64 89 0d 00 00 00 00 8b\ne5 5d c2 04 00}   \n$heap_writing_function = {  \n5? 8b ?? 6a ?? 68 ?? ?? ?? ?? 64 a1 ?? ?? ?? ??\n5? 64 89 ?? ?? ?? ?? ?? 5? 81 e? ?? ?? ?? ?? 5?\n5? 5? 89 ?? ?? c7 4? ?? ?? ?? ?? ?? 8b ?? ?? 89\n?? ?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 83 c? ?? 89 ??\n?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 8a ?? 88 ?? ?? ??\n?? ?? 83 8? ?? ?? ?? ?? ?? 80 b? ?? ?? ?? ?? ??\n75 ?? 8b ?? ?? ?? ?? ?? 2b ?? ?? ?? ?? ?? 89 ??\n?? ?? ?? ?? 8b ?? ?? ?? ?? ?? 33 ?? 89 ?? ?? 89\n?? ?? 8b ?? ?? 8b ?? 8b ?? ?? 8b ?? ?? 8b ?? ??\n?? 89 ?? ?? 8b ?? ?? ?? 89 ?? ?? 83 7? ?? ?? 7c\n?? 7f ?? 83 7? ?? ?? 76 ?? 8b ?? ?? 8b ?? 8b ??\n?? 8b ?? ?? 8b ?? ?? ?? 89 ?? ?? 8b ?? ?? ?? 89\n?? ?? 8b ?? ?? 3b ?? ?? 7c ?? 7f ?? 8b ?? ?? 3b\n?? ?? 76 ?? 8b ?? ?? 8b ?? 8b ?? ?? 8b ?? ?? 8b\n?? ?? ?? 89 ?? ?? 8b ?? ?? ?? 89 ?? ?? 8b ?? ??\n2b ?? ?? 8b ?? ?? 1b ?? ?? 89 ?? ?? ?? ?? ?? 89\n?? ?? ?? ?? ?? eb ?? c7 8? ?? ?? ?? ?? ?? ?? ??\n?? c7 8? ?? ?? ?? ?? ?? ?? ?? ?? 8b ?? ?? ?? ??\n?? 89 ?? ?? 8b ?? ?? ?? ?? ?? 89 ?? ?? 8b ?? ??\n5? 8d ?? ?? e8 ?? ?? ?? ?? c7 4? ?? ?? ?? ?? ??\n0f b6 ?? ?? f7 d? 1b ?? f7 d? 83 e? ?? 83 f? ??\n75 ?? 8b ?? ?? 83 c? ?? 89 ?? ?? e9 ?? ?? ?? ??}\ncondition:   \nuint16(0) == 0x5a4d and  \nuint32(uint32(0x3c)) == 0x00004550 and \nall of them   \n}   \nrule malware_trick_gate_loader_shellcode_0  { \nmeta:   \n\n?? ?? ?? ?? ?? 33 d2 45 33 c0 45 33 c9 ff 15 ??\n?? ?? ?? 85 c0 74 68}  \n$get_path = {  \n33 db 48 8d 8c 24 ?? ?? ?? ?? ba 05 01 ?? 
?? 45\n33 c9 4c 8b c6 ff 15 ?? ?? ?? ?? 85 c0 48 8b fe\n48 0f 44 fb 48 85 ff 75 0a}  \n$incrementVars = {  \n33 ff 48 8d 6c 24 ?? 90 90 90 90 90 90 90 90 90\n90 ff c7 66 83 7d ?? ?? 48 8d 6d ?? 75 f3} \n$readFile_1 = {  \n48 c7 44 24 ?? ?? ?? ?? ?? 4c 8d 4c 24 ?? 48 8b\ncb 49 8b d4 44 8b c5 ff 15 ?? ?? ?? ?? 33 ff 85\nc0 0f 95 c0 74 08}  \n$readFile_2 = {  \n4c 8b 25 ?? ?? ?? ?? 33 f6 33 d2 45 33 c0 41 b9\n02 ?? ?? ?? 48 8b cb 41 ff d4 8b e8 89 6c 24 ??\n33 d2 45 33 c0 45 33 c9 48 8b cb 41 ff d4 85 ed\n74 58}   \n$query_headers = {  \n48 8b 4f ?? 48 8d 44 24 ?? 48 89 44 24 ?? 48 c7\n44 24 ?? ?? ?? ?? ?? 4c 8d 4c 24 ?? ba 13 00 00\n20 45 33 c0 ff 15 ?? ?? ?? ?? 8b c8 b8 01 ?? ??\n?? 85 c9 75 38}   \n",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/"
	],
	"report_names": [
		"trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434796,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd03aef88304c81f6ebf2f806939cc97dca1dcde.pdf",
		"text": "https://archive.orkl.eu/fd03aef88304c81f6ebf2f806939cc97dca1dcde.txt",
		"img": "https://archive.orkl.eu/fd03aef88304c81f6ebf2f806939cc97dca1dcde.jpg"
	}
}