Win32/TrickBot [Threat Name] go to Threat

Win32/TrickBot.V [Threat Variant Name]

Category trojan
Aliases Trojan.DownLoader25.27249 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %appdata%\­winapp\­%variable%

A string with variable content is used instead of %variable% .

The trojan creates the following folders:

  • %appdata%\­winapp\­Modules\­

The trojan may create the following folders:

  • %appdata%\­winapp\­Modules\­injectDll32_configs\­
  • %appdata%\­winapp\­Modules\­mailsearcher32_configs\­

The trojan may create the following files:

  • %appdata%\­winapp\­client_id
  • %appdata%\­winapp\­group_tag
  • %appdata%\­winapp\­config.conf

The trojan schedules a task that causes the following file to be executed repeatedly:

  • %appdata%\­winapp\­%variable%
Information stealing

Win32/TrickBot.V is a trojan that steals sensitive information.

The trojan collects the following information:

  • operating system version
  • user name
  • computer name
  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The malware configuration is passed as command line parameters or read from the file when the malware executable is launched.

Configuration is stored in the following file:

  • %appdata%\­winapp\­config.conf

The HTTPS protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • modify the content of websites

The trojan may create and run a new thread with its own program code within any running process.

The trojan is generally spread through spam emails that include malicious code in the attachment.

Please enable Javascript to ensure correct displaying of this content and refresh this page.