
Trojan.TrickBot

Posted: October 17, 2016

Threat Metric

Ranking: 3,893
Threat Level: 8/10
Infected PCs: 68,586
First Seen: October 17, 2016
Last Seen: October 17, 2023
OS(es) Affected: Windows

Trojan.TrickBot is a Trojan that compromises bank accounts by monitoring transactions with specific bank sites, recording input from the user's keyboard and other input devices, or redirecting you to phishing sites. Like the closely related Dyreza Trojan, Trojan.TrickBot may display no symptoms before collecting your data and compromising your account. Rely on your anti-malware products to block the exploits that install this program or, in the worst case, to remove Trojan.TrickBot before it hijacks your account.

When Trojan Tricks Trigger Twice

The development path of one threat campaign often crosses those of other threats, particularly ones with similar, widely applicable payloads, such as a banking Trojan. With most copycats, malware experts can trace copy-pasted code or updates back to an earlier threat, without which the authors would have had few resources. Trojan.TrickBot, a new banking Trojan, blurs the line of what constitutes an update to an old threat: it reuses the design philosophy, but not necessarily the code, already seen in the Dyreza Trojan's campaign.

The Dyreza Trojan was a banking Trojan maintained by Russian con artists who are believed to have been apprehended by the authorities after gathering millions of dollars. Now, the appearance of Trojan.TrickBot shows that at least one threat author connected to the team may have escaped capture or, alternately, been able to leak Dyreza-related resources to other coders. Trojan.TrickBot shares many of the Dyreza Trojan's functions, but with all-new code written in C++, as opposed to the latter's C.

Trojan.TrickBot continues the modular approach to compromising PCs, giving con artists the ability to add or remove features contained in specific modules between attacks. Malware experts saw the latest versions of Trojan.TrickBot, such as those targeting Australian bank users in September, using only one data-collecting module, meant for siphoning account passwords and similar information.

However, Trojan.TrickBot's campaign also appears to be testing other attacks, such as HTML injection exploits that modify a bank's web page inside the victim's browser (asking for valuable information or redirecting you to seemingly legitimate phishing domains).

Putting the 'Treat' Bank into Your Bank Browsing

Trojan.TrickBot is an unusual example of a Trojan whose attacks borrow the implementation philosophy and hallmarks, but not necessarily the underlying code, of a past threat campaign. Since the coder maintaining Trojan.TrickBot is showing signs of being at least as competent as those behind the Dyreza Trojan (also known as Dyre), similar sums of millions of dollars from hundreds of bank chains are most likely at risk.

Some of Trojan.TrickBot's infrastructure also shows potential associations with threats previously connected to both the Dyreza Trojan and other banking Trojans. Victims may wish to refer to resources on the Cutwail spam botnet and the Pushdo Trojan downloader for further information. Spam is a particularly likely infection vector for Trojan.TrickBot, which installs itself with no symptoms and, when possible, carries out its data-collecting attacks without alerting the PC user.

PC users should update their anti-malware threat databases, since security software may have incorporated definitions for Trojan.TrickBot (whose first deployment dates to no earlier than September of 2016) only in recent updates. Because of its high stealth and its potential for committing other attacks not covered in full here, removing Trojan.TrickBot should always conclude with consulting your bank on additional security measures, when appropriate.

Although the Dyreza Trojan may be 'dead,' its spirit lives on in new threats accomplishing the same misdeeds with brand-new code.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



Registry Modifications

The following Registry values were newly produced:

File name without path:
44893m9uh88g9l9_nkubyhu6vfxxbh989xo7hlttkppzf29ttdu6kwppk_11c1jl.exe

Regexp file mask:
%APPDATA%\[RANDOM CHARACTERS].exe
%HOMEDRIVE%\mssvca.exe
%HOMEDRIVE%\mswvc.exe
%HOMEDRIVE%\stcvc.exe
%HOMEDRIVE%\stsvc.exe
%LOCALAPPDATA%\TempQce34.exE
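As an added defender-side example (not code from this page or from any vendor tool), the file masks above compiled into regular expressions and run over constructed sample paths; the environment-variable expansions assume a default Windows profile layout (C:\Users\<name>\AppData\...).

```python
import re

# File masks exactly as listed on this page (Windows environment-variable form).
TRICKBOT_FILE_MASKS = [
    r"%APPDATA%\[RANDOM CHARACTERS].exe",
    r"%HOMEDRIVE%\mssvca.exe",
    r"%HOMEDRIVE%\mswvc.exe",
    r"%HOMEDRIVE%\stcvc.exe",
    r"%HOMEDRIVE%\stsvc.exe",
    r"%LOCALAPPDATA%\TempQce34.exE",
]
# Assumption: a default Windows profile layout; adjust for relocated profiles.
ENV_PATTERNS = {
    "%APPDATA%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming",
    "%LOCALAPPDATA%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local",
    "%HOMEDRIVE%": r"[A-Za-z]:",
}

def mask_to_regex(mask: str) -> re.Pattern:
    """Compile one mask into a case-insensitive regex for a full path."""
    parts, pos = [], 0
    # Env vars expand via ENV_PATTERNS; [RANDOM CHARACTERS] is one path component.
    for m in re.finditer(r"%[A-Z]+%|\[RANDOM CHARACTERS\]", mask):
        parts.append(re.escape(mask[pos:m.start()]))  # literal text before the token
        token = m.group(0)
        parts.append(r"[^\\]+" if token == "[RANDOM CHARACTERS]" else ENV_PATTERNS[token])
        pos = m.end()
    parts.append(re.escape(mask[pos:]))
    return re.compile("".join(parts), re.IGNORECASE)

COMPILED_MASKS = [(mask, mask_to_regex(mask)) for mask in TRICKBOT_FILE_MASKS]

def match_paths(paths):
    """Return (path, mask) for each path that matches one of the masks."""
    # The %APPDATA% random-name mask is broad: corroborate hits before acting.
    hits = []
    for path in paths:
        for mask, rx in COMPILED_MASKS:
            if rx.fullmatch(path):
                hits.append((path, mask))
                break
    return hits

# Constructed sample paths (not from a real host): three hits, one benign.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\osqtfgwbhddfk_6uuom5e.exe",
    r"C:\mssvca.exe",
    r"C:\Users\alice\AppData\Local\tempqce34.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\notes.txt",
]
```

Feed `match_paths` the output of a file inventory (for example a recursive listing of the user profile and the system drive root) and treat each hit as a lead to confirm by hash or vendor detection, not as a verdict.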

Additional Information

The following directories were created: