Trojan.TrickBot

Trojan.TrickBot Description

Trojan.TrickBot is a banking Trojan that compromises online bank accounts by intercepting the victim's sessions with specific bank websites, logging keystrokes and other input, or redirecting the browser to phishing sites. Like the closely related Dyreza Trojan, Trojan.TrickBot may show no symptoms before it collects credentials and compromises the account. Rely on anti-malware products to block the exploits and downloaders that install it or, in the worst case, to remove Trojan.TrickBot before it hijacks the account.

When Trojan Tricks Trigger Twice

Threat campaigns often develop along paths that cross those of other threats, particularly ones with similar and widely applicable payloads, such as a banking Trojan. With most copycats, malware researchers can trace copied code or updates back to an earlier threat, without which the authors would have had little to build on. Trojan.TrickBot, a new banking Trojan, blurs the line between an update to an old threat and a new one: it reuses the design philosophy of the Dyreza Trojan campaign, but not necessarily its code.

The Dyreza Trojan was a banking Trojan maintained by Russian con artists who are believed to have been apprehended by the authorities after stealing millions of dollars. The appearance of Trojan.TrickBot suggests that at least one author associated with that team escaped capture, or alternatively that resources related to the Dyreza Trojan leaked to other coders. Trojan.TrickBot shares many of the Dyreza Trojan's functions, but with entirely new code written in C++, as opposed to the latter's C.

Trojan.TrickBot continues the modular approach to compromising PCs, which lets the con artists add or remove features, each contained in its own module, between attacks. Malware researchers observed that the latest Trojan.TrickBot versions, such as those targeting Australian bank customers in September, loaded only a single data-collecting module, intended for siphoning account passwords and similar information.

However, the Trojan.TrickBot campaign also appears to be testing other attacks, such as HTML injection (web injects) that modifies a bank's web page inside the victim's browser, either by adding fields that ask for valuable information or by redirecting the victim to seemingly legitimate phishing domains.

Putting the 'Treat' Bank into Your Bank Browsing

Trojan.TrickBot is an unusual example of a Trojan whose attacks borrow the implementation philosophy and hallmarks, but not necessarily the underlying code, of a past threat campaign. Since the coder maintaining Trojan.TrickBot appears at least as competent as those behind the Dyreza Trojan (also known as Dyre), losses on a similar scale, millions of dollars across hundreds of banks, are most likely at risk.

Some of Trojan.TrickBot's infrastructure also shows potential associations with threats previously connected to the Dyreza Trojan and to other banking Trojans. Victims may wish to refer to resources on the Cutwail spam botnet and the Pushdo Trojan downloader for further information. Spam is a particularly likely infection vector for Trojan.TrickBot, which installs itself without symptoms and, whenever possible, carries out its data collection without alerting the PC user.

PC users should keep their anti-malware threat databases current: because Trojan.TrickBot's first deployment dates to no earlier than September 2016, many security products only incorporated definitions for it in recent updates. Because of its stealth features and its potential for attacks not covered in full here, removing Trojan.TrickBot should always be followed by consulting your bank about additional security measures, such as changing the account password and reviewing recent transactions, where appropriate.

Although the Dyreza Trojan may be 'dead,' its spirit lives on in new threats accomplishing the same misdeeds with brand-new code.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Trojan.TrickBot may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.


Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created on infected systems. All entries are executable files (MIME type unknown/exe) classified as malware files unless noted. Paths are reproduced as the page reports them, including the user-profile name (BGauntt) of the reporting machine.

File name: g5oh55whi0gwuxpxgzk4eor6b13mic147vjm66pab5x8f1oc76rp76vnsbbx_26t.exe
Path: %SYSTEMDRIVE%\Users\BGauntt\appdata\roaming\g5oh55whi0gwuxpxgzk4eor6b13mic147vjm66pab5x8f1oc76rp76vnsbbx_26t.exe\
Size: 546.61 KB (546612 bytes); MD5: 00701daadc3d41e975f0b307954b75bf; Detection count: 590; Last updated: May 23, 2019

File name: tumpex.exe
Path: %SYSTEMDRIVE%\tumpex.exe\
Size: 446.46 KB (446464 bytes); MD5: 295945614fbdb1f363340c3a778a753d; Detection count: 475; Last updated: December 17, 2019

File name: grahic.exe
Path: %SYSTEMDRIVE%\grahic.exe\
Size: 401.92 KB (401920 bytes); MD5: 58c5675a26dc8f81670a75e4d01b2150; Detection count: 471; Last updated: December 10, 2019

File name: tmpax.exe
Path: c:
Size: 709.24 KB (709248 bytes); MD5: 8f29d0d9e64b2c60ee7406a1b4e6e533; Detection count: 410; Last updated: January 12, 2020

File name: swupd.exe
Path: %SYSTEMDRIVE%\swupd.exe\
Size: 630.78 KB (630784 bytes); MD5: ab2685a8c4ad66e3c959aa625117f965; Detection count: 391; Last updated: January 25, 2020

File name: s31c9enber4pm5jpxok3djjv49n4r9bwcnyd1_l09v9yh07d33vn1dy47uwjiyxb.exe
Path: %SYSTEMDRIVE%\Users\BGauntt\appdata\roaming\s31c9enber4pm5jpxok3djjv49n4r9bwcnyd1_l09v9yh07d33vn1dy47uwjiyxb.exe\
Size: 630.78 KB (630784 bytes); MD5: 9921475a696aadbb0956bec618dd990d; Detection count: 337; Last updated: November 11, 2019

File name: detar.exe
Path: %SYSTEMDRIVE%
Size: 606.2 KB (606208 bytes); MD5: 5d5370e2a5b0a36263c83604f18edb94; Detection count: 251; Last updated: May 17, 2019

File name: shera.exe
Path: %SYSTEMDRIVE%\shera.exe\
Size: 546.61 KB (546612 bytes); MD5: ca5a2501c7eba21240665901b1b033c2; Detection count: 239; Last updated: December 17, 2019

File name: swepe.exe
Path: c:
Size: 499.71 KB (499712 bytes); MD5: bbfc3c507f4368744936114435b47af1; Detection count: 208; Last updated: December 10, 2019

File name: compar.exe
Path: %SYSTEMDRIVE%\compar.exe\
Size: 396.8 KB (396800 bytes); MD5: 8897352420f4ae8d9b49c66aeac503e7; Detection count: 178; Last updated: December 10, 2019

File name: okw1q1dy2p7agx5r124xjev2siuue2f2yo135qs26f3atzci7u2g3s71b7riqjpq.exe
Path: %SYSTEMDRIVE%\Users\BGauntt\appdata\roaming\okw1q1dy2p7agx5r124xjev2siuue2f2yo135qs26f3atzci7u2g3s71b7riqjpq.exe\
Size: 482.76 KB (482766 bytes); MD5: 68cabfe9cff08560addda0af513262f4; Detection count: 108; Last updated: April 25, 2019

File name: 7dfc76beb5d8fc3b1ecf4de9ac204ad2
Path: not given
Size: 3.39 KB (3396 bytes); MD5: 7dfc76beb5d8fc3b1ecf4de9ac204ad2; Detection count: 93; File type and last-updated date not given

File name: monter.exe
Path: c:
Size: 323.58 KB (323584 bytes); MD5: 25a2930568080b56c849557993062735; Detection count: 36; Last updated: July 4, 2019

File name: fudpe.exe
Path: c:
Size: 256.51 KB (256512 bytes); MD5: 514274e4a6af9ff841e67fd9a464ee12; Detection count: 30; Last updated: May 17, 2019

File name: boof.exe
Path: %WINDIR%\system32\config\systemprofile\
Size: 306.17 KB (306176 bytes); MD5: 6d50ff0c945099137dd830303f7aa664; Detection count: 19; Last updated: April 25, 2019

File name: stsvc.exe
Path: %SYSTEMDRIVE%
Size: 556.03 KB (556032 bytes); MD5: 31edfed69186b203531b81bf50561949; Detection count: 14; Last updated: April 24, 2019

File name: tetuq.exe
Path: c:\users\default\appdata\roaming\appnet\
Size: 299 KB (299008 bytes); MD5: 6bb1e2585207ee171c7609cf79fdaea8; Detection count: 9; Last updated: April 25, 2019


Registry Modifications


The following directories, file masks and file names were recorded (no specific Registry keys or values are listed):

Directory:
%APPDATA%\adirecttools
%APPDATA%\AMNI
%APPDATA%\anydeskadserv
%APPDATA%\cashcore
%APPDATA%\chromedata
%APPDATA%\cleanmem
%APPDATA%\CloudApp
%APPDATA%\cmdcache
%APPDATA%\cpumon
%APPDATA%\diskram
%APPDATA%\dllsyslib
%APPDATA%\extvisual
%APPDATA%\gpudriver
%APPDATA%\gpuhealth
%APPDATA%\GpuSettings
%APPDATA%\gpuTools
%APPDATA%\iCloud
%APPDATA%\mscache
%APPDATA%\mscloud
%APPDATA%\mslibrary
%APPDATA%\netcache
%APPDATA%\netrest
%APPDATA%\NetSocket
%APPDATA%\nocsys
%APPDATA%\NuiGet
%APPDATA%\safessd
%appdata%\services
%APPDATA%\smcvs
%APPDATA%\speedlan
%APPDATA%\speedlink
%APPDATA%\syscache
%appdata%\sysdefragler
%APPDATA%\sysexts
%APPDATA%\syshealth
%APPDATA%\sysswap
%APPDATA%\SystemApps
%APPDATA%\taskhealth
%APPDATA%\temporx
%APPDATA%\vcneo
%appdata%\vpnpr
%APPDATA%\winnet
%APPDATA%\WinNetCore
%APPDATA%\WinSocket
%APPDATA%\WNetval
%APPDATA%\wnetwork
%APPDATA%\WSOG
%localappdata%\deploytexas
%LOCALAPPDATA%\runningpost
%LOCALAPPDATA%\wnetwork
%UserProfile%\Local Settings\Application Data\wnetwork
%WINDIR%\System32\config\systemprofile\AppData\Roaming\AMNI
%WINDIR%\System32\config\systemprofile\AppData\Roaming\GpuSettings
%WINDIR%\System32\config\systemprofile\AppData\Roaming\gpuTools
%WINDIR%\System32\config\systemprofile\AppData\Roaming\services
%WINDIR%\System32\config\systemprofile\AppData\Roaming\vcneo
%WINDIR%\System32\config\systemprofile\AppData\Roaming\wnetwork
%WINDIR%\System32\config\systemprofile\AppData\Roaming\WSOG

Regexp file mask:
%APPDATA%\[RANDOM CHARACTERS].exe
%HOMEDRIVE%\mssvca.exe
%HOMEDRIVE%\mswvc.exe
%HOMEDRIVE%\stcvc.exe
%HOMEDRIVE%\stsvc.exe
%LOCALAPPDATA%\TempQce34.exE
%UserProfile%\Local Settings\Application Data\TempQce34.exE

File name without path:
44893m9uh88g9l9_nkubyhu6vfxxbh989xo7hlttkppzf29ttdu6kwppk_11c1jl.exe
Posted: October 17, 2016
Threat Metric
Threat Level: 8/10
Infected PCs: 36,469
