win.trickbot

TrickBot

aka: Trickster, TheTrick, TrickLoader

Actor(s): WIZARD SPIDER


A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. It has multiple modules, including VNC and a SOCKS5 proxy, and uses SSL for C2 communication.

Q4 2016 - Detected in the wild
Oct 2016 - First report
Jan 2018 - Uses XMRig (Monero) miner
Feb 2018 - Bitcoin theft
Mar 2018 - Unfinished ransomware module

Infection Vectors
1. Phishing email > link to MS Office document > macro enabled > downloader > TrickBot
2. Phishing email > attached MS Office document > macro enabled > downloader > TrickBot
3. Phishing email > attached MS Office document > macro enabled > TrickBot installed

References
2020-01-17 ⋅ Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
@techreport{sajo:20200117:battle:2b146f5, author = {Ken Sajo and Yasuhiro Takeda and Yusuke Niwa}, title = {{Battle Against Ursnif Malspam Campaign targeting Japan}}, date = {2020-01-17}, institution = {}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf}, language = {English}, urldate = {2020-01-17} } Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2020-01-16 ⋅ Bleeping Computer ⋅ Lawrence Abrams
@online{abrams:20200116:trickbot:ed6fdb3, author = {Lawrence Abrams}, title = {{TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection}}, date = {2020-01-16}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/}, language = {English}, urldate = {2020-01-20} } TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection
TrickBot
2020-01-10 ⋅ CSIS ⋅ CSIS
@techreport{csis:20200110:threat:7454f36, author = {CSIS}, title = {{Threat Matrix H1 2019}}, date = {2020-01-10}, institution = {CSIS}, url = {https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf}, language = {English}, urldate = {2020-01-22} } Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2020-01-09 ⋅ SentinelOne ⋅ Vitali Kremez, Joshua Platt, Jason Reaves
@online{kremez:20200109:toptier:4f8de90, author = {Vitali Kremez and Joshua Platt and Jason Reaves}, title = {{Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets}}, date = {2020-01-09}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/}, language = {English}, urldate = {2020-01-13} } Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
TrickBot WIZARD SPIDER
2019-12-09 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Brittany Ash, Mike Harbison
@online{lee:20191209:trickbot:48d9da3, author = {Bryan Lee and Brittany Ash and Mike Harbison}, title = {{TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks}}, date = {2019-12-09}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/}, language = {English}, urldate = {2020-01-22} } TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks
TrickBot
2019-11-22 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
@online{duncan:20191122:trickbot:e14933b, author = {Brad Duncan}, title = {{Trickbot Updates Password Grabber Module}}, date = {2019-11-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/}, language = {English}, urldate = {2020-01-22} } Trickbot Updates Password Grabber Module
TrickBot
2019-11-08 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
@online{duncan:20191108:wireshark:f37b983, author = {Brad Duncan}, title = {{Wireshark Tutorial: Examining Trickbot Infections}}, date = {2019-11-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/}, language = {English}, urldate = {2020-01-06} } Wireshark Tutorial: Examining Trickbot Infections
TrickBot
2019-11-06 ⋅ Heise Security ⋅ Thomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-10-29 ⋅ SneakyMonkey Blog ⋅ SneakyMonkey
@online{sneakymonkey:20191029:trickbot:bd7249c, author = {SneakyMonkey}, title = {{TRICKBOT - Analysis Part II}}, date = {2019-10-29}, organization = {SneakyMonkey Blog}, url = {https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/}, language = {English}, urldate = {2019-12-17} } TRICKBOT - Analysis Part II
TrickBot
2019-09-25 ⋅ GovCERT.ch ⋅ GovCERT.ch
@online{govcertch:20190925:trickbot:8346dd7, author = {GovCERT.ch}, title = {{Trickbot - An analysis of data collected from the botnet}}, date = {2019-09-25}, organization = {GovCERT.ch}, url = {https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet}, language = {English}, urldate = {2020-01-08} } Trickbot - An analysis of data collected from the botnet
TrickBot
2019-08-27 ⋅ Secureworks ⋅ CTU Research Team
@online{team:20190827:trickbot:fa5f95b, author = {CTU Research Team}, title = {{TrickBot Modifications Target U.S. Mobile Users}}, date = {2019-08-27}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users}, language = {English}, urldate = {2020-01-09} } TrickBot Modifications Target U.S. Mobile Users
TrickBot
2019-08-26 ⋅ InQuest ⋅ Josiah Smith
@online{smith:20190826:memory:c4cea9b, author = {Josiah Smith}, title = {{Memory Analysis of TrickBot}}, date = {2019-08-26}, organization = {InQuest}, url = {https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis}, language = {English}, urldate = {2020-01-10} } Memory Analysis of TrickBot
TrickBot
2019-08-05 ⋅ Trend Micro ⋅ Noel Anthony Llimos, Michael Jhon Ofiaza
@online{llimos:20190805:latest:62ba94b, author = {Noel Anthony Llimos and Michael Jhon Ofiaza}, title = {{Latest Trickbot Campaign Delivered via Highly Obfuscated JS File}}, date = {2019-08-05}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/}, language = {English}, urldate = {2020-01-23} } Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
ostap TrickBot
2019-07-11 ⋅ NTT Security ⋅ NTT Security
@online{security:20190711:targeted:a48e692, author = {NTT Security}, title = {{Targeted TrickBot activity drops 'PowerBrace' backdoor}}, date = {2019-07-11}, organization = {NTT Security}, url = {https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor}, language = {English}, urldate = {2019-12-18} } Targeted TrickBot activity drops 'PowerBrace' backdoor
PowerBrace TrickBot
2019-06-04 ⋅ SlideShare ⋅ Vitali Kremez
@online{kremez:20190604:inside:d633c6f, author = {Vitali Kremez}, title = {{Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez}}, date = {2019-06-04}, organization = {SlideShare}, url = {https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez}, language = {English}, urldate = {2020-01-13} } Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez
TrickBot
2019-05-22 ⋅ sneakymonk3y (Mark)
@online{mark:20190522:trickbot:277256b, author = {sneakymonk3y (Mark)}, title = {{TRICKBOT - Analysis}}, date = {2019-05-22}, url = {https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/}, language = {English}, urldate = {2020-01-06} } TRICKBOT - Analysis
TrickBot
2019-05-09 ⋅ GovCERT.ch ⋅ GovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-05-02 ⋅ CERT.PL ⋅ Michał Praszmo
@online{praszmo:20190502:detricking:43a7dc1, author = {Michał Praszmo}, title = {{Detricking TrickBot Loader}}, date = {2019-05-02}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/detricking-trickbot-loader/}, language = {English}, urldate = {2020-01-08} } Detricking TrickBot Loader
TrickBot
2019-04-05 ⋅ Medium vishal_thakur ⋅ Vishal Thakur
@online{thakur:20190405:trickbot:d1c4891, author = {Vishal Thakur}, title = {{Trickbot — a concise treatise}}, date = {2019-04-05}, organization = {Medium vishal_thakur}, url = {https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737}, language = {English}, urldate = {2020-01-13} } Trickbot — a concise treatise
TrickBot
2019-04-02 ⋅ Cybereason ⋅ Noa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37, author = {Noa Pinkas and Lior Rochberger and Matan Zatz}, title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}}, date = {2019-04-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware}, language = {English}, urldate = {2020-01-09} } Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot
2019-03-05 ⋅ PepperMalware Blog ⋅ Pepper Potts
@online{potts:20190305:quick:773aabc, author = {Pepper Potts}, title = {{Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework}}, date = {2019-03-05}, organization = {PepperMalware Blog}, url = {http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html}, language = {English}, urldate = {2019-12-19} } Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework
TrickBot
2019-02-15 ⋅ CrowdStrike ⋅ Brendon Feeley, Bex Hartley
@online{feeley:20190215:sinful:729f693, author = {Brendon Feeley and Bex Hartley}, title = {{“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web}}, date = {2019-02-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/}, language = {English}, urldate = {2019-12-20} } “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak Lunar Spider WIZARD SPIDER
2019-02-12 ⋅ Trend Micro ⋅ Trend Micro
@online{micro:20190212:trickbot:73576ba, author = {Trend Micro}, title = {{Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire}}, date = {2019-02-12}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/}, language = {English}, urldate = {2020-01-12} } Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
TrickBot
2019-01-11 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER
2019 ⋅ SecureData ⋅ Wicus Ross
@online{ross:2019:trickbot:7a0e2a6, author = {Wicus Ross}, title = {{The TrickBot and MikroTik connection}}, date = {2019}, organization = {SecureData}, url = {https://www.secdata.com/the-trickbot-and-mikrotik/}, language = {English}, urldate = {2020-01-08} } The TrickBot and MikroTik connection
TrickBot
2018-12-05 ⋅ VIPRE ⋅ VIPRE Labs
@online{labs:20181205:trickbots:b45d588, author = {VIPRE Labs}, title = {{Trickbot’s Tricks}}, date = {2018-12-05}, organization = {VIPRE}, url = {https://labs.vipre.com/trickbots-tricks/}, language = {English}, urldate = {2020-01-09} } Trickbot’s Tricks
TrickBot
2018-11-12 ⋅ Malwarebytes ⋅ hasherezade
@online{hasherezade:20181112:whats:e44d5f3, author = {hasherezade}, title = {{What’s new in TrickBot? Deobfuscating elements}}, date = {2018-11-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/}, language = {English}, urldate = {2019-12-20} } What’s new in TrickBot? Deobfuscating elements
TrickBot
2018-11-08 ⋅ Fortinet ⋅ Xiaopeng Zhang
@online{zhang:20181108:deep:fca360c, author = {Xiaopeng Zhang}, title = {{Deep Analysis of TrickBot New Module pwgrab}}, date = {2018-11-08}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html}, language = {English}, urldate = {2019-11-17} } Deep Analysis of TrickBot New Module pwgrab
TrickBot
2018-11-01 ⋅ Trend Micro ⋅ Noel Anthony Llimos, Carl Maverick Pascual
@online{llimos:20181101:trickbot:7d0ea94, author = {Noel Anthony Llimos and Carl Maverick Pascual}, title = {{Trickbot Shows Off New Trick: Password Grabber Module}}, date = {2018-11-01}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module}, language = {English}, urldate = {2020-01-06} } Trickbot Shows Off New Trick: Password Grabber Module
TrickBot
2018-08-14 ⋅ Cyberbit ⋅ Hod Gavriel
@online{gavriel:20180814:latest:7df6364, author = {Hod Gavriel}, title = {{Latest Trickbot Variant has New Tricks Up Its Sleeve}}, date = {2018-08-14}, organization = {Cyberbit}, url = {https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/}, language = {English}, urldate = {2019-11-26} } Latest Trickbot Variant has New Tricks Up Its Sleeve
TrickBot
2018-07-03 ⋅ Talos Intelligence ⋅ Ben Baker, Holger Unterbrink
@online{baker:20180703:smoking:067be1f, author = {Ben Baker and Holger Unterbrink}, title = {{Smoking Guns - Smoke Loader learned new tricks}}, date = {2018-07-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html}, language = {English}, urldate = {2019-10-14} } Smoking Guns - Smoke Loader learned new tricks
SmokeLoader TrickBot
2018-06-20 ⋅ OALabs
@online{oalabs:20180620:unpacking:e4d59a4, author = {OALabs}, title = {{Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python}}, date = {2018-06-20}, url = {https://www.youtube.com/watch?v=EdchPEHnohw}, language = {English}, urldate = {2019-12-24} } Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python
TrickBot
2018-06-13 ⋅ Github (JR0driguezB) ⋅ Jorge Rodriguez
@online{rodriguez:20180613:trickbot:e004ae8, author = {Jorge Rodriguez}, title = {{TrickBot config files}}, date = {2018-06-13}, organization = {Github (JR0driguezB)}, url = {https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot}, language = {English}, urldate = {2019-07-11} } TrickBot config files
TrickBot
2018-04-16 ⋅ Random RE ⋅ sysopfb
@online{sysopfb:20180416:trickbot:5305f46, author = {sysopfb}, title = {{TrickBot & UACME}}, date = {2018-04-16}, organization = {Random RE}, url = {https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html}, language = {English}, urldate = {2020-01-09} } TrickBot & UACME
TrickBot
2018-04-03 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
@online{kremez:20180403:lets:b45dd50, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP}}, date = {2018-04-03}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html}, language = {English}, urldate = {2019-07-27} } Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP
TrickBot
2018-03-31 ⋅ Youtube (hasherezade) ⋅ hasherezade
@online{hasherezade:20180331:deobfuscating:39c1be0, author = {hasherezade}, title = {{Deobfuscating TrickBot's strings with libPeConv}}, date = {2018-03-31}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=KMcSAlS9zGE}, language = {English}, urldate = {2020-01-13} } Deobfuscating TrickBot's strings with libPeConv
TrickBot
2018-03-27 ⋅ Trend Micro ⋅ Trend Micro
@online{trendmicro:20180327:evolving:faa2e54, author = {Trendmicro}, title = {{Evolving Trickbot Adds Detection Evasion and Screen-Locking Features}}, date = {2018-03-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features}, language = {English}, urldate = {2020-01-07} } Evolving Trickbot Adds Detection Evasion and Screen-Locking Features
TrickBot
2018-03-21 ⋅ Webroot ⋅ Jason Davison
@online{davison:20180321:trickbot:1f0576e, author = {Jason Davison}, title = {{TrickBot Banking Trojan Adapts with New Module}}, date = {2018-03-21}, organization = {Webroot}, url = {https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/}, language = {English}, urldate = {2020-01-13} } TrickBot Banking Trojan Adapts with New Module
TrickBot
2018-02-15 ⋅ SecurityIntelligence ⋅ Ophir Harpaz, Magal Baz, Limor Kessem
@online{harpaz:20180215:trickbots:2cf1b53, author = {Ophir Harpaz and Magal Baz and Limor Kessem}, title = {{TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets}}, date = {2018-02-15}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/}, language = {English}, urldate = {2020-01-06} } TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets
TrickBot
2018-02-01 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
@online{duncan:20180201:quick:320f855, author = {Brad Duncan}, title = {{Quick Test Drive of Trickbot (It now has a Monero Module)}}, date = {2018-02-01}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/02/01/}, language = {English}, urldate = {2019-07-09} } Quick Test Drive of Trickbot (It now has a Monero Module)
TrickBot
2017-12-30 ⋅ Youtube (hasherezade) ⋅ hasherezade
@online{hasherezade:20171230:unpacking:5477bb2, author = {hasherezade}, title = {{Unpacking TrickBot with PE-sieve}}, date = {2017-12-30}, organization = {Youtube (hasherezade)}, url = {https://www.youtube.com/watch?v=lTywPmZEU1A}, language = {English}, urldate = {2020-01-06} } Unpacking TrickBot with PE-sieve
TrickBot
2017-12-19 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
@online{kremez:20171219:lets:030e09a, author = {Vitali Kremez}, title = {{Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module}}, date = {2017-12-19}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html}, language = {English}, urldate = {2019-11-23} } Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module
TrickBot
2017-11-22 ⋅ Flashpoint ⋅ Vitali Kremez
@online{kremez:20171122:trickbot:faea11e, author = {Vitali Kremez}, title = {{Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model}}, date = {2017-11-22}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/}, language = {English}, urldate = {2019-12-10} } Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model
TrickBot
2017-11-21 ⋅ Vitali Kremez
@online{kremez:20171121:lets:5fb17b0, author = {Vitali Kremez}, title = {{Let's Learn: Trickbot Socks5 Backconnect Module In Detail}}, date = {2017-11-21}, url = {http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html}, language = {English}, urldate = {2019-11-22} } Let's Learn: Trickbot Socks5 Backconnect Module In Detail
TrickBot
2017-10-06 ⋅ Blueliv ⋅ Blueliv
@online{blueliv:20171006:trickbot:a2a9ac8, author = {Blueliv}, title = {{TrickBot banking trojan using EFLAGS as an anti-hook technique}}, date = {2017-10-06}, organization = {Blueliv}, url = {https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/}, language = {English}, urldate = {2020-01-08} } TrickBot banking trojan using EFLAGS as an anti-hook technique
TrickBot
2017-08-01 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20170801:trickbot:222d8bc, author = {Malwarebytes Labs}, title = {{TrickBot comes up with new tricks: attacking Outlook and browsing data}}, date = {2017-08-01}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/}, language = {English}, urldate = {2019-12-20} } TrickBot comes up with new tricks: attacking Outlook and browsing data
TrickBot
2017-07-27 ⋅ Flashpoint ⋅ Flashpoint
@online{flashpoint:20170727:new:bb5c883, author = {Flashpoint}, title = {{New Version of “Trickbot” Adds Worm Propagation Module}}, date = {2017-07-27}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/}, language = {English}, urldate = {2020-01-13} } New Version of “Trickbot” Adds Worm Propagation Module
TrickBot
2017-07 ⋅ Ring Zero Labs ⋅ Ring Zero Labs
@online{labs:201707:trickbot:e738eaf, author = {Ring Zero Labs}, title = {{TrickBot Banking Trojan - DOC00039217.doc}}, date = {2017-07}, organization = {Ring Zero Labs}, url = {https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html}, language = {English}, urldate = {2020-01-10} } TrickBot Banking Trojan - DOC00039217.doc
TrickBot
2017-06-15 ⋅ F5 ⋅ Sara Boddy, Jesse Smith, Doron Voolf
@online{boddy:20170615:trickbot:6eb1db4, author = {Sara Boddy and Jesse Smith and Doron Voolf}, title = {{Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs}}, date = {2017-06-15}, organization = {F5}, url = {https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms}, language = {English}, urldate = {2019-12-24} } Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs
TrickBot
2017-06-12 ⋅ Security Art Work ⋅ Marc Salinas, José Miguel Holguín
@techreport{salinas:20170612:evolucin:9930231, author = {Marc Salinas and JoséMiguel Holguín}, title = {{Evolución de Trickbot}}, date = {2017-06-12}, institution = {Security Art Work}, url = {https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf}, language = {Spanish}, urldate = {2020-01-10} } Evolución de Trickbot
TrickBot
2017-05-26 ⋅ PWC ⋅ PWC
@online{pwc:20170526:trickbots:c1b84e1, author = {PWC}, title = {{TrickBot’s bag of tricks}}, date = {2017-05-26}, organization = {PWC}, url = {http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html}, language = {English}, urldate = {2020-01-09} } TrickBot’s bag of tricks
TrickBot
2017-03-01 ⋅ FraudWatch International ⋅ FraudWatch International
@online{international:20170301:how:fb75ef9, author = {FraudWatch International}, title = {{How Does the Trickbot Malware Work?}}, date = {2017-03-01}, organization = {FraudWatch International}, url = {https://blog.fraudwatchinternational.com/malware/trickbot-malware-works}, language = {English}, urldate = {2020-01-08} } How Does the Trickbot Malware Work?
TrickBot
2016-12-07 ⋅ Botconf ⋅ Joshua Adams
@techreport{adams:20161207:trickbot:fc3427c, author = {Joshua Adams}, title = {{The TrickBot Evolution}}, date = {2016-12-07}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf}, language = {English}, urldate = {2020-01-09} } The TrickBot Evolution
TrickBot
2016-12-06 ⋅ Fortinet ⋅ Xiaopeng Zhang
@online{zhang:20161206:deep:1f1521f, author = {Xiaopeng Zhang}, title = {{Deep Analysis of the Online Banking Botnet TrickBot}}, date = {2016-12-06}, organization = {Fortinet}, url = {http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot}, language = {English}, urldate = {2020-01-08} } Deep Analysis of the Online Banking Botnet TrickBot
TrickBot
2016-11-09 ⋅ Lior Keshet
@online{keshet:20161109:tricks:c3ab510, author = {Lior Keshet}, title = {{Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations}}, date = {2016-11-09}, url = {https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/}, language = {English}, urldate = {2019-10-17} } Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations
TrickBot
2016-11-07 ⋅ F5 Labs ⋅ Julia Karpin, Shaul Vilkomir-Preisman, Anna Dorfman
@online{karpin:20161107:little:598f939, author = {Julia Karpin and Shaul Vilkomir-Preisman and Anna Dorfman}, title = {{Little Trickbot Growing Up: New Campaign}}, date = {2016-11-07}, organization = {F5 Labs}, url = {https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412}, language = {English}, urldate = {2020-01-06} } Little Trickbot Growing Up: New Campaign
TrickBot
2016-10-25 ⋅ NetScout ⋅ ASERT Team
@online{team:20161025:trickbot:dd465d9, author = {ASERT Team}, title = {{TrickBot Banker Insights}}, date = {2016-10-25}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/}, language = {English}, urldate = {2019-07-11} } TrickBot Banker Insights
TrickBot
2016-10-24 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20161024:introducing:e59ac27, author = {Malwarebytes Labs}, title = {{Introducing TrickBot, Dyreza’s successor}}, date = {2016-10-24}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/}, language = {English}, urldate = {2019-12-20} } Introducing TrickBot, Dyreza’s successor
TrickBot
2016-10-15 ⋅ Fidelis Cybersecurity ⋅ Threat Research Team
@online{team:20161015:trickbot:cc9f48f, author = {Threat Research Team}, title = {{TrickBot: We Missed you, Dyre}}, date = {2016-10-15}, organization = {Fidelis Cybersecurity}, url = {https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre}, language = {English}, urldate = {2019-11-28} } TrickBot: We Missed you, Dyre
TrickBot
Yara Rules
[TLP:WHITE] win_trickbot_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_trickbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { f7d8 1bc0 83e070 83c010 }
            // n = 4, score = 2900
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   83e070               | and                 eax, 0x70
            //   83c010               | add                 eax, 0x10

        $sequence_1 = { 1bc0 83e020 83c020 eb36 2500000080 f7d8 1bc0 }
            // n = 7, score = 2800
            //   1bc0                 | sbb                 eax, eax
            //   83e020               | and                 eax, 0x20
            //   83c020               | add                 eax, 0x20
            //   eb36                 | jmp                 0x38
            //   2500000080           | and                 eax, 0x80000000
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax

        $sequence_2 = { eb0d 2500000080 f7d8 1bc0 83e007 40 }
            // n = 6, score = 2800
            //   eb0d                 | jmp                 0xf
            //   2500000080           | and                 eax, 0x80000000
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   83e007               | and                 eax, 7
            //   40                   | inc                 eax

        $sequence_3 = { 83c010 eb25 a900000040 7411 }
            // n = 4, score = 2800
            //   83c010               | add                 eax, 0x10
            //   eb25                 | jmp                 0x27
            //   a900000040           | test                eax, 0x40000000
            //   7411                 | je                  0x13

        $sequence_4 = { 7429 a900000040 7411 2500000080 }
            // n = 4, score = 2800
            //   7429                 | je                  0x2b
            //   a900000040           | test                eax, 0x40000000
            //   7411                 | je                  0x13
            //   2500000080           | and                 eax, 0x80000000

        $sequence_5 = { f7d8 1bc0 83e002 83c002 eb0d 2500000080 }
            // n = 6, score = 2800
            //   f7d8                 | neg                 eax
            //   1bc0                 | sbb                 eax, eax
            //   83e002               | and                 eax, 2
            //   83c002               | add                 eax, 2
            //   eb0d                 | jmp                 0xf
            //   2500000080           | and                 eax, 0x80000000

        $sequence_6 = { 8b07 a900000020 7429 a900000040 }
            // n = 4, score = 2700
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   a900000020           | test                eax, 0x20000000
            //   7429                 | je                  0x2b
            //   a900000040           | test                eax, 0x40000000

        $sequence_7 = { 895df4 895dec 66c745f00005 895dfc }
            // n = 4, score = 1800
            //   895df4               | and                 eax, 7
            //   895dec               | inc                 eax
            //   66c745f00005         | jmp                 0x36
            //   895dfc               | test                eax, 0x40000000

        $sequence_8 = { 33c9 3dc4431cfc 0f94c1 83e101 }
            // n = 4, score = 1800
            //   33c9                 | xor                 ecx, ecx
            //   3dc4431cfc           | cmp                 eax, 0xfc1c43c4
            //   0f94c1               | sete                cl
            //   83e101               | and                 ecx, 1

        $sequence_9 = { 8b45fc 8d1489 8d0cd0 8b4114 2b410c }
            // n = 5, score = 1700
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8d1489               | lea                 edx, [ecx + ecx*4]
            //   8d0cd0               | lea                 ecx, [eax + edx*8]
            //   8b4114               | mov                 eax, dword ptr [ecx + 0x14]
            //   2b410c               | sub                 eax, dword ptr [ecx + 0xc]

        $sequence_10 = { c3 6a01 ff15???????? 50 }
            // n = 4, score = 1100
            //   c3                   | and                 eax, 2
            //   6a01                 | add                 eax, 2
            //   ff15????????         |                     
            //   50                   | jmp                 0x15

        $sequence_11 = { 4c8b4120 488b5118 4889442440 488b4148 4889442438 }
            // n = 5, score = 600
            //   4c8b4120             | dec                 eax
            //   488b5118             | mov                 eax, dword ptr [ecx + 0x40]
            //   4889442440           | dec                 eax
            //   488b4148             | mov                 edx, dword ptr [ecx + 0x18]
            //   4889442438           | dec                 eax

        $sequence_12 = { 488b01 4c8b4120 488b5118 488b4910 }
            // n = 4, score = 600
            //   488b01               | je                  0x3d
            //   4c8b4120             | add                 eax, 0x10
            //   488b5118             | jmp                 0x2a
            //   488b4910             | test                eax, 0x40000000

        $sequence_13 = { 4c8b4928 4c8b4120 488b5118 4889442438 }
            // n = 4, score = 600
            //   4c8b4928             | mov                 eax, dword ptr [ecx + 0x40]
            //   4c8b4120             | dec                 eax
            //   488b5118             | mov                 dword ptr [esp + 0x30], eax
            //   4889442438           | dec                 eax

        $sequence_14 = { 8bc1 66ad 85c0 741c }
            // n = 4, score = 600
            //   8bc1                 | mov                 eax, ecx
            //   66ad                 | lodsw               ax, word ptr [esi]
            //   85c0                 | test                eax, eax
            //   741c                 | je                  0x1e

        $sequence_15 = { 488b4148 4889442438 488b4140 4889442430 488b4138 }
            // n = 5, score = 600
            //   488b4148             | dec                 eax
            //   4889442438           | mov                 eax, dword ptr [ecx + 0x48]
            //   488b4140             | dec                 eax
            //   4889442430           | mov                 dword ptr [esp + 0x38], eax
            //   488b4138             | dec                 eax

        $sequence_16 = { 85c0 741c 3bc1 7213 }
            // n = 4, score = 600
            //   85c0                 | test                eax, eax
            //   741c                 | je                  0x1e
            //   3bc1                 | cmp                 eax, ecx
            //   7213                 | jb                  0x15

        $sequence_17 = { 488b01 488b5118 488b4910 ffd0 }
            // n = 4, score = 600
            //   488b01               | and                 eax, 0x80000000
            //   488b5118             | neg                 eax
            //   488b4910             | sbb                 eax, eax
            //   ffd0                 | and                 eax, 7

        $sequence_18 = { c1e102 2bc1 8b00 894508 }
            // n = 4, score = 600
            //   c1e102               | shl                 ecx, 2
            //   2bc1                 | sub                 eax, ecx
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   894508               | mov                 dword ptr [ebp + 8], eax

        $sequence_19 = { 59 03d0 52 ebdc 89450c }
            // n = 5, score = 600
            //   59                   | pop                 ecx
            //   03d0                 | add                 edx, eax
            //   52                   | push                edx
            //   ebdc                 | jmp                 0xffffffde
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax

        $sequence_20 = { 488b4150 4c8b11 4c8b4928 4c8b4120 }
            // n = 4, score = 600
            //   488b4150             | dec                 eax
            //   4c8b11               | mov                 dword ptr [esp + 0x30], eax
            //   4c8b4928             | dec                 esp
            //   4c8b4120             | mov                 edx, dword ptr [ecx]

        $sequence_21 = { 0f94c3 8bc3 488b5c2450 4883c440 }
            // n = 4, score = 600
            //   0f94c3               | dec                 eax
            //   8bc3                 | mov                 dword ptr [esp + 0x20], eax
            //   488b5c2450           | inc                 ecx
            //   4883c440             | call                edx

        $sequence_22 = { 488b4138 4889442428 488b4130 488b4910 4889442420 }
            // n = 5, score = 600
            //   488b4138             | mov                 eax, dword ptr [ecx + 0x40]
            //   4889442428           | dec                 eax
            //   488b4130             | mov                 dword ptr [esp + 0x30], eax
            //   488b4910             | dec                 eax
            //   4889442420           | mov                 eax, dword ptr [ecx + 0x38]

        $sequence_23 = { 85c0 7525 8d483f e8???????? }
            // n = 4, score = 600
            //   85c0                 | test                eax, eax
            //   7525                 | jne                 0x27
            //   8d483f               | lea                 ecx, [eax + 0x3f]
            //   e8????????           |                     

        $sequence_24 = { 8b450c ff4d0c ba28000000 f7e2 }
            // n = 4, score = 500
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   ff4d0c               | dec                 dword ptr [ebp + 0xc]
            //   ba28000000           | mov                 edx, 0x28
            //   f7e2                 | mul                 edx

        $sequence_25 = { 0fbae01d 732b 0fbae01e 7315 0fbae01f }
            // n = 5, score = 500
            //   0fbae01d             | je                  0x30
            //   732b                 | test                eax, 0x40000000
            //   0fbae01e             | mov                 eax, dword ptr [edi]
            //   7315                 | test                eax, 0x20000000
            //   0fbae01f             | je                  0x3e

        $sequence_26 = { 8b4728 8bd6 83f801 0f8543010000 }
            // n = 4, score = 500
            //   8b4728               | je                  0x32
            //   8bd6                 | and                 eax, 0x80000000
            //   83f801               | neg                 eax
            //   0f8543010000         | and                 eax, 0x70

        $sequence_27 = { 41 41 41 50 2bc1 8b00 }
            // n = 6, score = 500
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   41                   | inc                 ecx
            //   50                   | push                eax
            //   2bc1                 | sub                 eax, ecx
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_28 = { 8bd8 85c0 740f 8bc8 e8???????? 8bc3 }
            // n = 6, score = 500
            //   8bd8                 | add                 eax, 0x10
            //   85c0                 | jmp                 0x2d
            //   740f                 | test                eax, 0x40000000
            //   8bc8                 | je                  0x20
            //   e8????????           |                     
            //   8bc3                 | and                 eax, 0x80000000

        $sequence_29 = { 745b 3bd1 0f8293000000 038e8c000000 3bd1 }
            // n = 5, score = 500
            //   745b                 | and                 eax, 0x80000000
            //   3bd1                 | neg                 eax
            //   0f8293000000         | add                 eax, 0x10
            //   038e8c000000         | jmp                 0x3f
            //   3bd1                 | test                eax, 0x40000000

        $sequence_30 = { 66894c2432 33c9 33d2 ff15???????? }
            // n = 4, score = 500
            //   66894c2432           | sbb                 eax, eax
            //   33c9                 | and                 eax, 7
            //   33d2                 | jmp                 0x4b
            //   ff15????????         |                     

        $sequence_31 = { 3bc7 72f2 58 c1e902 }
            // n = 4, score = 500
            //   3bc7                 | cmp                 eax, edi
            //   72f2                 | jb                  0xfffffff4
            //   58                   | pop                 eax
            //   c1e902               | shr                 ecx, 2

        $sequence_32 = { ff5508 8b5510 8b4a04 ff5508 50 51 }
            // n = 6, score = 500
            //   ff5508               | call                dword ptr [ebp + 8]
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8b4a04               | mov                 ecx, dword ptr [edx + 4]
            //   ff5508               | call                dword ptr [ebp + 8]
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_33 = { 3c30 7c22 3c39 7f1e 0fbec0 }
            // n = 5, score = 500
            //   3c30                 | je                  0x37
            //   7c22                 | test                eax, 0x40000000
            //   3c39                 | je                  0x26
            //   7f1e                 | and                 eax, 0x80000000
            //   0fbec0               | neg                 eax

        $sequence_34 = { 0f89d2000000 8bc8 e8???????? bb17000000 }
            // n = 4, score = 500
            //   0f89d2000000         | je                  0x30
            //   8bc8                 | test                eax, 0x40000000
            //   e8????????           |                     
            //   bb17000000           | je                  0x1f

        $sequence_35 = { ffc1 663938 75f5 6603c9 }
            // n = 4, score = 500
            //   ffc1                 | sbb                 eax, eax
            //   663938               | and                 eax, 0x20
            //   75f5                 | add                 eax, 0x20
            //   6603c9               | jmp                 0x42

        $sequence_36 = { c1e002 03c8 8b01 59 03d0 }
            // n = 5, score = 400
            //   c1e002               | dec                 eax
            //   03c8                 | mov                 dword ptr [esp + 0x20], eax
            //   8b01                 | dec                 eax
            //   59                   | mov                 dword ptr [esp + 0x40], eax
            //   03d0                 | dec                 eax

        $sequence_37 = { 59 50 e2fd 8bc7 57 8bec }
            // n = 6, score = 400
            //   59                   | dec                 eax
            //   50                   | mov                 dword ptr [esp + 0x38], eax
            //   e2fd                 | dec                 eax
            //   8bc7                 | mov                 eax, dword ptr [ecx + 0x40]
            //   57                   | dec                 eax
            //   8bec                 | mov                 dword ptr [esp + 0x30], eax

        $sequence_38 = { 7213 2bc1 51 8bcf }
            // n = 4, score = 400
            //   7213                 | dec                 eax
            //   2bc1                 | mov                 eax, dword ptr [ecx + 0x38]
            //   51                   | dec                 eax
            //   8bcf                 | mov                 edx, dword ptr [ecx + 0x18]

        $sequence_39 = { 59 8bf7 8bd7 fc }
            // n = 4, score = 400
            //   59                   | mov                 edx, dword ptr [ecx]
            //   8bf7                 | dec                 esp
            //   8bd7                 | mov                 ecx, dword ptr [ecx + 0x28]
            //   fc                   | dec                 esp

        $sequence_40 = { 75bd 6894cc0001 be14030000 56 57 }
            // n = 5, score = 100
            //   75bd                 | je                  0x21
            //   6894cc0001           | and                 eax, 0x80000000
            //   be14030000           | mov                 eax, dword ptr [edi]
            //   56                   | test                eax, 0x20000000
            //   57                   | je                  0x32

        $sequence_41 = { c7450806000000 817ff8f8f90001 7411 8b07 3bc3 }
            // n = 5, score = 100
            //   c7450806000000       | sbb                 eax, eax
            //   817ff8f8f90001       | mov                 eax, dword ptr [edi]
            //   7411                 | test                eax, 0x20000000
            //   8b07                 | je                  0x32
            //   3bc3                 | test                eax, 0x40000000

        $sequence_42 = { c7465c08cd0001 83660800 33ff 47 }
            // n = 4, score = 100
            //   c7465c08cd0001       | je                  0x32
            //   83660800             | test                eax, 0x40000000
            //   33ff                 | mov                 eax, dword ptr [edi]
            //   47                   | test                eax, 0x20000000

        $sequence_43 = { 42 83f90b 0f871c020000 ff248d2a930001 8d48cf }
            // n = 5, score = 100
            //   42                   | and                 eax, 0x80000000
            //   83f90b               | add                 eax, 2
            //   0f871c020000         | jmp                 0xf
            //   ff248d2a930001       | and                 eax, 0x80000000
            //   8d48cf               | neg                 eax

        $sequence_44 = { 83f908 7229 f3a5 ff2495d0160001 8bc7 ba03000000 }
            // n = 6, score = 100
            //   83f908               | test                eax, 0x40000000
            //   7229                 | je                  0x21
            //   f3a5                 | and                 eax, 0x80000000
            //   ff2495d0160001       | neg                 eax
            //   8bc7                 | mov                 eax, dword ptr [edi]
            //   ba03000000           | test                eax, 0x20000000

        $sequence_45 = { ff7508 8bf1 e8???????? c706c8e20001 8bc6 }
            // n = 5, score = 100
            //   ff7508               | and                 eax, 0x80000000
            //   8bf1                 | neg                 eax
            //   e8????????           |                     
            //   c706c8e20001         | sbb                 eax, eax
            //   8bc6                 | and                 eax, 7

        $sequence_46 = { 1a00 01e4 1a00 0123 d18a0688078a 46 018847018a46 }
            // n = 7, score = 100
            //   1a00                 | je                  0x32
            //   01e4                 | test                eax, 0x40000000
            //   1a00                 | je                  0x21
            //   0123                 | add                 edi, 0x24
            //   d18a0688078a         | mov                 eax, dword ptr [edi]
            //   46                   | test                eax, 0x20000000
            //   018847018a46         | je                  0x30

        $sequence_47 = { 5b c9 c3 6a0c 6828e60001 e8???????? }
            // n = 6, score = 100
            //   5b                   | inc                 eax
            //   c9                   | sbb                 eax, eax
            //   c3                   | and                 eax, 0x20
            //   6a0c                 | add                 eax, 0x20
            //   6828e60001           | jmp                 0x40
            //   e8????????           |                     

    condition:
        7 of them
}
[TLP:WHITE] win_trickbot_w0   (20170613 | Detects mailsearcher module from Trickbot Trojan)
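rule win_trickbot_w0 {
    // Detects the TrickBot "mailsearcher" module by the plain-text command
    // and configuration keywords it carries. Every keyword must be present
    // (see condition); that conjunction is what keeps the short, generic
    // atoms ("handler", "ctl", "file") from firing on unrelated binaries.
    meta:
        author = "Marc Salinas @Bondey_m"
        description = "Detects mailsearcher module from Trickbot Trojan"
        reference = "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot"
        malpedia_version = "20170613"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Module name; the most specific atom in the set.
        $str_mails_01 = "mailsearcher"
        $str_mails_02 = "handler"
        // "conf" ($str_mails_03) was dropped: it is a substring of
        // $str_mails_08 ("mailconf"), so under `all of` it could never
        // change the verdict, and it was the shortest, most common atom
        // in the rule (a scan-speed cost with no detection benefit).
        $str_mails_04 = "ctl"
        $str_mails_05 = "SetConf"
        $str_mails_06 = "file"
        $str_mails_07 = "needinfo"
        $str_mails_08 = "mailconf"
        // NOTE(review): no string is `wide` or `fullword`; a build that
        // stores these keywords as UTF-16 would not match. Confirm the
        // string encoding against the sample before tightening.
    condition:
        all of ($str_mails_*)
}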
[TLP:WHITE] win_trickbot_w1   (20171214 | Trickbot Socks5 bckconnect module)
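rule win_trickbot_w1 {
    // Detects the unpacked TrickBot SOCKS5 back-connect module by its DLL
    // name, the <moduleconfig> XML fragment it carries, and its auth_* and
    // thread.* keywords. All strings are `fullword ascii`, so the generic
    // "connect" only counts as a whole token.
    meta:
        description = "Trickbot Socks5 bckconnect module"
        author = "@VK_Intel"
        // NOTE(review): `reference` and `source` look swapped — `reference`
        // holds a description sentence and `source` the URL. Values are
        // kept exactly as published so the metadata stays attributable.
        reference = "Detects the unpacked Trickbot backconnect in memory"
        date = "2017-11-19"
        hash = "f2428d5ff8c93500da92f90154eebdf0"
        source = "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot"
        malpedia_version = "20171214"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s0 = "socks5dll.dll" fullword ascii
        $s1 = "auth_login" fullword ascii
        $s2 = "auth_ip" fullword ascii
        $s3 = "connect" fullword ascii
        // $s4 was a byte-for-byte duplicate of $s2 ("auth_ip") and has been
        // removed; under `all of them` it could never change the verdict.
        $s5 = "auth_pass" fullword ascii
        $s6 = "thread.entry_event" fullword ascii
        $s7 = "thread.exit_event" fullword ascii
        // Closing tag listed first in the original; order has no effect on matching.
        $s8 = "</moduleconfig>" fullword ascii
        $s9 = "<moduleconfig>" fullword ascii
        $s10 = "<autostart>yes</autostart>" fullword ascii
    condition:
        all of them
}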