Professional malware analysis report of TrickBot sanitized, with IOCs, YARA rules, MITRE ATT&CK mapping, and screenshots.

Zedocun/TrickBot-loader-analysis

TrickBot Loader - Fragmented Memory Analysis


🧩 Overview

This repository documents the in-depth reverse engineering of a Go-based TrickBot loader. The analysis reveals that instead of unpacking into a single PE, the loader fragments its payload across multiple memory regions and system DLLs (e.g., powrprof.dll, apphelp.dll, umpdc.dll), leveraging anti-analysis and hooking techniques.

All research was conducted in an isolated environment with no network exposure.


🧰 Tools Used

Procmon · Process Explorer · Sysmon · Wireshark/FakeNet · x64dbg · Scylla · PE-bear · DIE · HxD · Strings


🧠 Key Findings

1. Fragmented Runtime

  • No single "final PE" file was found - memory regions across .rdata/.idata and private RWX blocks each held portions of the runtime.
  • Key Go runtime artifacts: pclntab, runtime.main, and packages like gorilla/websocket, crypto/tls, gopsutil.

[Screenshot: Memory fragmentation]
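The finding above says the Go runtime was never reassembled into one PE but scattered across sections and private RWX blocks. A practical way to confirm that from a set of dumped regions is to look for the pclntab header (the magic value plus the pc-quantum and pointer-size bytes that follow it) and for the package strings the report lists. The scanner below is an added example, not code from the repository; the region names and bytes are constructed, and the magic-to-version map reflects the published Go pclntab layouts.

```python
import re
import struct

# Go pclntab header: little-endian u32 magic, two zero pad bytes,
# then pc_quantum (1/2/4) and pointer size (4/8). Magic per Go release line.
PCLNTAB_MAGICS = {
    0xFFFFFFFB: "go1.2-1.15",
    0xFFFFFFFA: "go1.16-1.17",
    0xFFFFFFF0: "go1.18-1.19",
    0xFFFFFFF1: "go1.20+",
}

# Strings the report names as runtime artifacts; extend as needed.
GO_MARKERS = [b"runtime.main", b"gorilla/websocket", b"crypto/tls",
              b"gopsutil", b"api.ipify.org"]


def find_pclntab_headers(blob: bytes) -> list:
    """Return candidate pclntab headers (offset, Go version, quantum, ptr size)."""
    hits = []
    for magic, version in PCLNTAB_MAGICS.items():
        needle = struct.pack("<I", magic) + b"\x00\x00"
        idx = blob.find(needle)
        while idx >= 0:
            if idx + 8 <= len(blob):
                quantum, ptr_size = blob[idx + 6], blob[idx + 7]
                # Reject matches whose trailing bytes are not a plausible header.
                if quantum in (1, 2, 4) and ptr_size in (4, 8):
                    hits.append({"offset": idx, "version": version,
                                 "pc_quantum": quantum, "ptr_size": ptr_size})
            idx = blob.find(needle, idx + 1)
    return sorted(hits, key=lambda h: h["offset"])


def find_go_markers(blob: bytes) -> dict:
    """Map each marker string found in the blob to its byte offsets."""
    found = {}
    for marker in GO_MARKERS:
        offsets = [m.start() for m in re.finditer(re.escape(marker), blob)]
        if offsets:
            found[marker.decode()] = offsets
    return found


def scan_regions(regions: dict) -> dict:
    """regions: {region_name: bytes}. Returns per-region findings."""
    return {name: {"pclntab": find_pclntab_headers(blob),
                   "markers": find_go_markers(blob)}
            for name, blob in regions.items()}


def regions_holding_runtime(report: dict) -> list:
    """Names of regions that contain at least one Go artifact."""
    return [name for name, r in report.items() if r["pclntab"] or r["markers"]]


# Constructed sample regions (not a real dump): a go1.18-style pclntab header
# in ".rdata", package strings in two private RWX blocks, filler in "heap".
SAMPLE_REGIONS = {
    "rdata": (b"\x00" * 16 + struct.pack("<I", 0xFFFFFFF0) + b"\x00\x00\x01\x08"
              + b"\x00" * 8 + b"runtime.main\x00"),
    "rwx_1": b"\x90" * 32 + b"github.com/gorilla/websocket\x00crypto/tls\x00",
    "rwx_2": b"api.ipify.org\x00" + b"\x00" * 8,
    "heap": b"\x41" * 64,
}

if __name__ == "__main__":
    report = scan_regions(SAMPLE_REGIONS)
    for name in regions_holding_runtime(report):
        print(name, report[name])
```

Run it over real dumps by replacing SAMPLE_REGIONS with the bytes read from each region you exported from x64dbg or Scylla; a pclntab header in one region and runtime.main or package strings in others is exactly the fragmentation the report describes.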


2. Anti-Analysis & Hooking

  • Hooked APIs: NtQuerySystemInformation, NtWriteVirtualMemory, NtCreateThreadEx, etc.
  • Detected tools: x64dbg, IDA, Scylla, Procmon, WinDbg, OllyDbg.
  • Demonstrates an advanced anti-RE shield using API patching and tool scanning.

[Screenshot: Hooked functions]


3. Networking & C2

  • Outbound TCP SYN_SENT to EC2 host on port 8080 (blocked in lab).
  • Memory contained Go networking and IP discovery references (gorilla/websocket, api.ipify.org).

[Screenshot: C2 attempt]
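The C2 evidence is a TCP socket stuck in SYN_SENT toward an external host on port 8080, which in a lab with no egress is all you will ever see. The detection below is an added example, not code from the repository: it parses Windows `netstat -ano` output and flags half-open connections to non-internal addresses on watched ports, keyed by PID so the owning process can be pulled from Process Explorer. The sample netstat text and the 203.0.113.x addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Address space treated as internal; anything else that parses as an IP is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int


def parse_netstat(text: str) -> list:
    """Parse Windows `netstat -ano` style lines into Conn records."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # header, blank or unexpected line
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def split_endpoint(endpoint: str) -> tuple:
    """'203.0.113.10:8080' -> ('203.0.113.10', 8080); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_external(host: str) -> bool:
    """True for a routable address outside INTERNAL_NETS; False for wildcards."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS if net.version == ip.version)


def flag_outbound_attempts(conns: list, watch_ports=(8080,)) -> list:
    """TCP sockets in SYN_SENT toward external hosts on watched ports (None = any port)."""
    flagged = []
    for c in conns:
        host, port = split_endpoint(c.remote)
        if c.proto != "TCP" or c.state != "SYN_SENT" or not is_external(host):
            continue
        if watch_ports is None or port in watch_ports:
            flagged.append(c)
    return flagged


# Constructed netstat -ano output; one external SYN_SENT on 8080, one internal one.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49712         203.0.113.10:8080      SYN_SENT        4120
  TCP    10.0.0.5:49713         10.0.0.1:445           ESTABLISHED     4
  TCP    10.0.0.5:49714         203.0.113.20:443       ESTABLISHED     2200
  TCP    10.0.0.5:49715         10.0.0.9:8080          SYN_SENT        4120
  UDP    0.0.0.0:5353           *:*                                    1528
"""

if __name__ == "__main__":
    for c in flag_outbound_attempts(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {c.pid}: {c.local} -> {c.remote} ({c.state})")
```

Feed it the output of `netstat -ano` captured while the sample runs; a PID that keeps re-entering SYN_SENT toward the same external host is the beaconing loop that Procmon and the Go networking strings point to.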


4. DLL & Telemetry Interaction

  • AppHelp.dll: indicates possible Application Compatibility abuse (shimming persistence).
  • Powrprof.dll / Umpdc.dll: contain power/telemetry strings, likely for timing or sandbox evasion.

[Screenshot: AppHelp region]
[Screenshot: Powrprof access]


Author: Ben Rubin
Environment: Windows 10, isolated lab
Scope: Static, Dynamic & Memory Analysis


5. Registry Reconnaissance

The loader accessed multiple registry keys:

[Screenshot: Registry]


MITRE ATT&CK Mapping (observed)

| Tactic | Technique (ID) | Evidence |
|---|---|---|
| Defense Evasion | Hooking / API Patching (T1055/T1562-like) | Hook lists; tool detection strings |
| Persistence / Evasion | Application Shimming (T1546.011) | apphelp .rdata/.rsrc indicators |
| Privilege/Evasion | Memory protection changes (T1055-like) | Private RWX regions; VirtualProtect calls |
| Credential Access | Registry reconnaissance (T1003-family evidence) | LSA/Winlogon/RPC registry touches |
| Command & Control | App Layer Protocol (T1071) | Go net libs; outbound EC2:8080 SYN_SENT |
