The sub-techniques beta is now live! Read the release blog post for more info.


TrickBot is a Trojan spyware program that has mainly been used for targeting banking sites in United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre. TrickBot is developed in the C++ programming language. [1] [2] [3]

ID: S0266
Associated Software: Totbrick, TSPY_TRICKLOAD
Platforms: Windows
Contributors: Omkar Gudhate, FS-ISAC
Version: 1.1
Created: 17 October 2018
Last Modified: 24 June 2019

Associated Software Descriptions

Name Description
Totbrick [5] [6]

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery

TrickBot collects the users of the system.[1][4]

Enterprise T1043 Commonly Used Port

TrickBot uses port 443 for C2 communications.[1][5]

Enterprise T1503 Credentials from Web Browsers

TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge.[4]

Enterprise T1081 Credentials in Files

TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, and WinSCP. Additionally, it searches for the ".vnc.lnk" affix to steal VNC credentials.[4][7]

Enterprise T1214 Credentials in Registry

TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key[7]

Enterprise T1024 Custom Cryptographic Protocol

TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.[2]

Enterprise T1005 Data from Local System

TrickBot collects local files and information from the victim’s local machine.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

TrickBot decodes the configuration data and modules.[2]

Enterprise T1089 Disabling Security Tools

TrickBot can disable Windows Defender.[4]

Enterprise T1482 Domain Trust Discovery

TrickBot can gather information about domain trusts by utilizing Nltest.[8]

Enterprise T1114 Email Collection

TrickBot collects email addresses from Outlook.[4]

Enterprise T1106 Execution through API

TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.[1]

Enterprise T1083 File and Directory Discovery

TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.[1][4]

Enterprise T1179 Hooking

TrickBot has the ability to capture RDP credentials by capturing the CredEnumerateA API [7]

Enterprise T1185 Man in the Browser

TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.[2][3][6][4]

Enterprise T1112 Modify Registry

TrickBot can modify registry entries.[4]

Enterprise T1027 Obfuscated Files or Information

TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.[1]

Enterprise T1055 Process Injection

TrickBot injects into the svchost.exe process.[1][5][6]

Enterprise T1060 Registry Run Keys / Startup Folder

TrickBot establishes persistence in the Startup folder.[4]

Enterprise T1105 Remote File Copy

TrickBot downloads several additional files and saves them to the victim's machine.[5]

Enterprise T1053 Scheduled Task

TrickBot creates a scheduled task on the system that provides persistence.[1][5][6]

Enterprise T1064 Scripting

TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.[7]

Enterprise T1045 Software Packing

TrickBot leverages a custom packer to obfuscate its functionality.[1]

Enterprise T1193 Spearphishing Attachment

TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware[7]

Enterprise T1071 Standard Application Layer Protocol

TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.[1]

Enterprise T1082 System Information Discovery

TrickBot gathers the OS version, CPU type, amount of RAM available from the victim’s machine.[1][2]

Enterprise T1016 System Network Configuration Discovery

TrickBot obtains the IP address and other relevant network information from the victim’s machine.[1][4]

Enterprise T1007 System Service Discovery

TrickBot collects a list of install programs and services on the system’s machine.[1]

Enterprise T1065 Uncommonly Used Port

TrickBot uses ports 447 and 8082 for C2 communications.[1][2][5]

Enterprise T1204 User Execution

TrickBot has attempted to get users to launch a malicious Excel attachment to deliver its payload.[7]

Groups That Use This Software

ID Name References
G0092 TA505 [9]