Trickbot Gets Trickier by Adding an Encryption Layer
- by nlqip
Figure 4: Dynamically resolving Windows API functions
In conclusion, even a minor change such as this one can be enough to break a working automation process, and investigating it takes time. That is how the malware's authors buy precious time to defraud unsuspecting victims before security vendors can denylist their servers.
As a reminder, Trickbot consistently uses email spam and phishing campaigns as its initial attack vector, so it is imperative that organizations train their users to recognize potentially faked emails and not to open suspicious attachments or click on questionable embedded links. A web application firewall can also help your organization detect and mitigate banking trojans.
MD5: 06ac8be899d6deb26401417ce0d54389
Appendix
Python script to automate the decryption process:
import struct

def decrypt_first_stage(in_file, out_file):
    # Header layout: dword 0 is the XOR key, dword 1 is the size (end offset
    # of the encrypted dwords); the encrypted dwords start at offset 8.
    with open(in_file, 'rb') as f:
        encrypted_data = f.read()
    key = struct.unpack('<I', encrypted_data[:4])[0]
    size = struct.unpack('<I', encrypted_data[4:8])[0]
    res = bytearray()
    for i in range(8, size, 4):
        word = struct.unpack('<I', encrypted_data[i:i+4])[0]
        # XOR each dword with the rolling key; pack little-endian so the
        # byte order matches the original buffer
        res += struct.pack('<I', word ^ key)
        # the key decrements once per dword; mask it so it wraps at zero
        # instead of going negative
        key = (key - 1) & 0xFFFFFFFF
    # write raw bytes in binary mode (text mode would re-encode bytes above 0x7f)
    with open(out_file, 'wb') as f:
        f.write(bytes(res))