Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
42
Global rank
64 infographic chevron month
Month rank
71 infographic chevron week
Week rank
0
IOCs

TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage.

Trojan
Type
Unknown
Origin
1 September, 2016
First seen
1 October, 2025
Last seen
Also known as
TrickLoader

How to analyze Trickbot with ANY.RUN

Type
Unknown
Origin
1 September, 2016
First seen
1 October, 2025
Last seen

IOCs

IP addresses
62.108.35.204
62.108.35.215
45.115.174.234
196.44.109.73
96.9.74.169
96.9.69.207
27.109.116.144
116.206.62.138
103.111.83.86
45.116.68.109
110.38.58.198
45.115.174.60
114.7.243.26
80.210.26.17
103.11.218.199
190.183.60.164
186.96.153.223
64.64.150.203
36.95.73.109
175.184.232.234
Hashes
bd70461d3f82382be4a8f7cc098a9973624a72209b1f35dc32ecd631d36b34b1
efb75ce7030fc32190909048fcb3fab024cb8779b9559a417b8d397352ae6ea2
dd20506b3c65472d58ccc0a018cb67c65fab6718023fd4b16e148e64e69e5740
c6b0a61d94bebf61ecb16a34ce9bd7e2aa6afcc29754e0083f33541894dce012
c6666cc7d899ae448b5e134e924e602ff4fc4c68d9d4a59ea9433fe1a55ae348
a75f8b749060b7bbd806c9dd6a9b7da940f375fa68c9df68e87ed893b0b99d24
4c04ed3c6828482e46ff832b8262a74d216024d5e2fab51438eab9f3dbdd1326
08b86e56cd82ff11a4cb1e85e5b7aad14533c158e32d2b6494cc2629230ec6ae
318f5511ec609a89dd613bb6058a9b6cf2a962db3d528a5ac00e8850fc02b941
351d9a9a6d8350d8a643f079417df24500eb19c8cb985872ab4699b92534c5b6
ac27e0944ce794ebbb7e5fb8a851b9b0586b3b674dfa39e196a8cd47e9ee72b2
dca37b13c4b4ca828c8a89a76fe2ac3e52cafa0484383026bd2138a0d45bfdcd
0a50d7bfc833a5080ed187c81953fec681e74fca854e224e9f38037da4118977
6639342e99ef75e970b2e4d63ba00cfb106f925f2c63a6d4def5b0ee9f942cf9
4d478d444633614431e232d8c11a9425cab39a7109e1fad8b470cf55ed2c1b4d
01a4fb177e04eeee392afbe6a73a681c3f77f095e862bbc03be3c70acab1f5c3
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
5495992399e55c9e0b95524deceda9e6712ee7413d2df18573a952f7a4e061ad
b465cb3eec5644b9e0898bff7cf05a28f131394acfd5674d55c78813ca9b111c
dfd83d1ece6356d0ff6a32f07687443b9e554f2450605fb5bf39d6843c6d2a49
Domains
ghostrider.mine.zergpool.com
load3rd.casa
qxq.ddns.net
magichere.icu
util98.com
excelestimation.com
carambaneed.club
t7763jykqeiy.com
qfcallc.com
luxjewelleries.com
vatonly.com
luxuryvailrentals.com
wex-notdead.ru
netsecuressl.com
northracing.net
driverconnectsearch.info
bootiky.com
doha-media.com
spirrits.com
sslnetsecurity.com
Last Seen at

Recent blog posts

post image
FunkSec’s FunkLocker: How AI Is Powering the...
watchers 816
comments 0
post image
ANY.RUN & MS Defender: Enrich Alerts Faster,...
watchers 1081
comments 0
post image
ANY.RUN Sandbox & Microsoft Sentinel: Les...
watchers 726
comments 0

What is TrickBot malware?

TrickBot, AKA TrickLoader, is a banking trojan – a malware designed to steal banking credentials. It is aimed at corporate and private victims and utilizes techniques such as redirection attacks. It manipulates what the victim sees in the browser and redirects to a bank cabinet webpage forged by the hackers.

Reportedly, TrickBot tries to follow ransomware and has already stolen millions of dollars from banks in the United States of America, England, Australia, New Zealand, Canada, and Germany.

General description of TrickBot malware

The first versions of this trojan used to target mostly corporate bank accounts, the same as ransomware, aiming at a specific regional banking platform used by American banks.

The malicious software is thought to be created by the same team of criminals known for developing another dangerous trojan – Dyre, which has been active until 2015 and reportedly successfully stolen millions of dollars for the Ryanair airline. Dyre rapidly stopped operating in 2015 after Russian authorities seized a group of hackers. However, this connection has never been proven definitively.

It’s speculated that some hackers from the group managed to avoid Russian authorities and came together to create Dyre's successor – TrickBot. This version is supported by the fact that TrickBot’s source code appears to be a rewrite of Dyre, albeit upgraded and refined utilizing C++ instead of Dyre, which mostly utilized C.

Through its lifespan, TrickBot malware developers have upgraded the functionality of the virus multiple times, creating new versions, adding new features and improving the banking trojan, and changing target banks, making their attacks highly unpredictable. Among other updates, TrickBot received support for the EternalBlue exploit, thus allowing it to spread over corporate networks. By August 2016, the malware gained email and browser history theft functionality. In September 2016, the virus learned to steal cryptocurrency by interjecting the normal payment process and stealing the coins when the user fills in personal and payment information on a payment gateway, grabbing the valuable tokens and redirecting them to a wallet that belongs to the hackers.

Trickbot malware analysis

The video was created by ANY.RUN malware hunting service allows us to see the incident as it unfolds.

process graph of trickbot analysis Figure 1: TrickBot’s lifecycle diagram created in ANY.RUN

ANY.RUN is an interactive malware sandbox that allows to watch the simulation in a safe environment and control it with direct human input when necessary. In addition to video simulation, the service provides various useful tools, such as comprehensive text reports. You can research other malicious objects there like IcedID or Emotet.

text report of trickbot banking trojan analysis Figure 2: A text report generated by ANY.RUN

The artifacts can appear in AppData\Local\Temp and AppData\Roaming directories on a contaminated machine. In addition, the malware is sometimes downloaded to the user's PC using a batch file. After achieving persistence, the malware can reportedly be found in a winapp folder located in the AppData\Roaming directory.

The virus utilizes a sophisticated method for infections which allows it to stay undetected by antivirus software. Instead of keeping configuration files locally on the user's machine, TrickBot is able to receive this data from C2 in real-time, which may complicate the removal process. Particularly, when a victim heads to one of the target web pages, TrickBot intersects the HTTP response of the website while sending the following information to C2:

  • A complete URL of the target bank website that the user navigates to
  • A whole HTTP query
  • HTML code of the webpage that the victim is trying to view

The C2 server then sends a new HTML markup that includes the malicious parts to the user, and instead of visiting a bank account, the user ends up on a forged page.

How to avoid infection by TrickBot?

Since the virus is often distributed in Microsoft Office files, it needs macros or the Microsoft Office's editing mode to be activated to enter an active phase. As long as both macros are deactivated, and the editing mode is switched off, the virus will pose no danger to a PC.

Distribution of TrickBot

TrickBot trojan is distributed with malspam and phishing campaigns but unlike ransomware, it is powered by the Necurs botnet, which has become extremely popular among attackers who utilize the malware-as-a-service business model.

Attackers will usually try to threaten and scare the victim to make the victim read the email and download any attached files. Finally, the trojan itself manages to get on a victim's machine through an Excel document that contains a macro programmed to download and start the execution of the banking trojan. However, in some of the more recent campaigns, HTML attachments have been included in the emails. Programmed to download Microsoft Office documents, the use of HTML attachments helps to avoid detection by antivirus software but their functionality becomes apparent after subjecting them to a thorough analysis in a sandbox. What’s more, In the very last distribution campaigns, the attackers have started utilizing eFax ploys, tricking victims into clicking on VBS extensions that contain the virus.

TrickBot execution process

The given malware sample analysis of the executable file was performed using the ANY.RUN malware hunting service.

After the file was run, it immediately launched the command prompt with commands to stop and delete Windows Defender and turn off Windows Defender Real-time Protection using PowerShell.

process tree of trickbot execution

The analysis shows that the malware then utilized CMSTP.exe to bypass user account control and execute the same commands through an auto-elevated COM interface.

After performing the initial steps, the malware added itself to Task Scheduler, thus ensuring that it will be executed later. After a while, Task Scheduler ran the malicious code, which started the contaminated svchost.exe processes. The svchost.exe process then started the malicious activity, launching itself and stealing credential data. This information on the execution flow of TrickBot is crucial for a successful removal of the malware from compromised systems.

process tree of trickbot execution

How to detect Trickbot using ANY.RUN?

This malware creates files that allow analysts to say for sure that this is Trickbot. Open the "Files" tab in the lower part of the task's window and take a look at the created files. Filenames vary according to the bitness of the operating system. You can be sure this is Trickbot if you find these files and folder: systeminfo32 or systeminfo64, injectDll32 or injectDll64 and folder injectDll32_config or injectDll64_config. This can help you start the removal process.

files created by trickbot Figure 3: Files created by Trickbot

Conclusion

Clever attack techniques utilized by TrickBot creators make this banking trojan extremely dangerous both to corporate and personal victims, similar to ransomware behavior. Once infected, a general person is extremely unlikely to find out about the trojan and identify that the bank account the user is visiting is, in fact, a forged one.

Thankfully, modern malware analysis services like ANY.RUN allows professionals to study the threat and deploy appropriate security measures.

HAVE A LOOK AT

Keylogger screenshot
Keylogger
keylogger
A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.
Read More
Balada Injector screenshot
Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities.
Read More
BlackMoon screenshot
BlackMoon
blackmoon
BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.
Read More
BlackMatter screenshot
BlackMatter
blackmatter
BlackMatter is a ransomware strain operating as a Ransomware-as-a-Service (RaaS), designed to encrypt files, remove recovery options, and extort victims across critical industries. Emerging in 2021, it quickly became a major concern due to its ability to evade defenses, spread across networks, and cause large-scale operational disruption, forcing security teams to act against a highly destructive and persistent threat.
Read More
Sneaky 2FA screenshot
Sneaky 2FA
sneaky2fa
Sneaky 2FA is an Adversary-in-the-Middle (AiTM) phishing kit targeting Microsoft 365 accounts. Distributed as a Phishing-as-a-Service (PhaaS) through a Telegram bot, this malware bypasses two-factor authentication (2FA) to steal credentials and session cookies, posing a significant threat to individuals and organizations.
Read More
Netwalker screenshot
Netwalker
netwalker ransomware
Netwalker is ransomware — it belongs to a malware family which encrypts files and demands users to pay a ransom to get their data back. Netwalker utilizes several sophisticated techniques, such as process hollowing and code obfuscation to target corporate victims.
Read More