Static malware analysis of the TrickBot trojan using DIE, HashCalc, and Strings
In this article, I'll show you how to analyze a malware sample statically. The sample is a TrickBot trojan, and the only tools used are DIE (Detect It Easy), HashCalc, and Strings.
What is TrickBot?
TrickBot is a banking trojan that steals credentials. It has persistence capabilities, sophisticated system reconnaissance, a cryptomining module, and is associated with ransomware infections.
How is it delivered?
TrickBot is disseminated via malspam campaigns or dropped by other malware such as the Emotet trojan. The most common infection vector is malspam carrying a Microsoft Office document with malicious macros. Once the user opens the document and clicks Enable Content, an obfuscated VBA script downloads the TrickBot binary from the attacker's server. Once executed, it writes itself to disk under the user's %AppData% folder (C:\Users\<user>\AppData\Roaming). It also attempts to disable anti-virus protection such as Windows Defender.
Static malware analysis of the TrickBot trojan:
In this static analysis, we gather information about the TrickBot trojan without running it: suspicious URLs, IP addresses, imports, exports, metadata, indicators, references, file signatures, and so on.
This sample has no file extension, so we don't know what type of file it is. The first step is therefore to identify the file type.
Use DIE (Detect It Easy):
Let's open the DIE tool. It gives information about the file type, entry point, architecture, hashes, strings, signatures, and a disassembly view of the malware sample.
This is the interface of the DIE tool, shown in the image below.
Then select the malware sample; after it loads, it looks like this:
In the above image you can see the file type of this sample. It shows PE32, which means a 32-bit Portable Executable (a 64-bit image would be reported as PE32+).
Next we need to know whether it is packed or not. Packing is a technique malware authors use to compress or encrypt the real payload so that it is only unpacked in memory at run time; the bytes on disk then reveal little, which makes static analysis difficult.
DIE does not report any known packer signature for this TrickBot sample, so we use the entropy value to judge whether it is packed. Click the Entropy button.
The entropy value is 6.69. Entropy is measured in bits per byte, from 0 to 8: compressed or encrypted data sits close to 8, while ordinary code and data are usually lower, so a value in the 7-8 range indicates packing. DIE shows "packed" in the status bar, as in the image below. A whole-file figure of 6.69 is borderline on its own; the per-section values in the same view are the better signal, since one section near 8 next to a small, low-entropy code section is the typical packed layout.
Close it and click the Strings button; it lists all the strings found in this sample.
You can see the string "This program cannot be run in DOS mode" in the above image. This string lives in the DOS stub of the PE header, so it confirms again that this is a PE executable.
You can also see a number of encoded, meaningless strings in the image below, which supports the packed verdict: the sample's real strings stay hidden until it is unpacked.
A few Windows API names are also visible in this Strings tab, as in the image below. In a packed sample, only the imports the unpacking stub itself needs are usually visible in clear text.
Close this tab.
The bottom of the tool shows the linker and compiler, so you can tell which compiler was used to build the sample. DIE identifies this trojan as compiled with MinGW.
Then click the Hex button for a binary view of the sample.
It shows the raw bytes of the TrickBot sample. In the ASCII column you can see "MZ" at offset 0, "This program cannot be run in DOS mode" in the DOS stub, and the "PE" signature, which again confirms it is an executable file.
close this tab.
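To make the checks DIE performs in this section concrete, here is an added Python example (not code from the original article or from DIE) that verifies the MZ and PE\0\0 signatures, reads PE32 versus PE32+ from the optional-header magic, looks for the DOS stub message, and computes Shannon entropy per section rather than only for the whole file, since a single high-entropy section beside a small code section is the typical packed layout. The image it parses is a constructed minimal PE32 built inline for demonstration, not the TrickBot binary; pass a real file path on the command line to run it against a sample.

```python
import math
import struct
from collections import Counter

DOS_STUB_MSG = b"This program cannot be run in DOS mode"
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
MACHINE = {0x14C: "i386", 0x8664: "x86-64"}
PACKED_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_info(data: bytes) -> dict:
    """Identify a PE file the way DIE's file-type and entropy views do."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"type": "not-PE", "reason": "no MZ signature"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"type": "not-PE", "reason": "no PE signature at e_lfanew"}
    coff = e_lfanew + 4
    machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                              # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                            # section headers follow the optional header
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return {
        "type": OPTIONAL_MAGIC.get(magic, f"unknown optional-header magic 0x{magic:x}"),
        "machine": MACHINE.get(machine, f"0x{machine:x}"),
        "has_dos_stub_string": DOS_STUB_MSG in data[:e_lfanew],
        "file_entropy": round(shannon_entropy(data), 2),
        "sections": sections,
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] >= PACKED_THRESHOLD],
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not TrickBot): a sparse .text section and a .data section of uniform bytes."""
    buf = bytearray(0x800)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                    # e_lfanew -> PE header at 0x80
    stub = DOS_STUB_MSG + b".\r\r\n$"
    buf[0x40:0x40 + len(stub)] = stub
    buf[0x80:0x84] = b"PE\0\0"
    # COFF header: i386, 2 sections, 0xE0-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", buf, 0x98, 0x10B)                   # optional-header magic: PE32
    sec = 0x98 + 0xE0
    struct.pack_into("<8sIIII", buf, sec, b".text", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", buf, sec + 40, b".data", 0x400, 0x2000, 0x400, 0x400)
    text = b"hello from a mostly-empty code section\0"
    buf[0x200:0x200 + len(text)] = text
    buf[0x400:0x800] = bytes(range(256)) * 4                   # every byte value equally often: entropy exactly 8.0
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in pe_info(data).items():
        print(f"{key}: {value}")
```

The constructed image reports PE32 on i386 with the DOS stub string present, a near-zero entropy for .text and exactly 8.0 for .data, so .data is the only section flagged; a real packed sample looks the same in shape, with the packed payload section high and the stub section low.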
Then click the Hash button to get the hash values of this sample. The important ones are MD5, SHA1, and SHA256; you can search these on VirusTotal to see whether the sample is already known. Search by hash rather than uploading the file if the sample may come from a targeted intrusion, since uploads are visible to other VirusTotal users.
Use HashCalc:
Use this tool to get the hash values of the sample. HashCalc supports MD2, MD4, MD5, SHA1, SHA256, SHA384, SHA512, RIPEMD160, CRC32, PANAMA, ADLER32, and TIGER.
Click the Calculate button to get the hash values of this sample, then go to VirusTotal (virustotal.com) and paste one of the hash values to get details about the sample: whether it is flagged as malicious, which antivirus engines detect it, what family names they assign, and so on. SHA256 is the value to record in your notes; MD5 and SHA1 are still useful for matching older reports, but both are collision-prone and should not be the only identifier you keep.
Use the Strings tool:
Strings (from Sysinternals) is a command-line tool that extracts the printable strings contained in a file.
Press Windows + R, type cmd, and click OK.
This opens a command prompt. Type strings [File_name] to list the strings in the malware sample. By default Strings prints both ASCII and Unicode (UTF-16) strings of three or more characters; strings -n 8 [File_name] raises the minimum length and removes most of the junk.
You can also save the strings to another file:
just type strings [File_name] > [new_file.txt] and run it.
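The hashing and strings steps above can be reproduced offline in a few lines. The following is an added Python example (not code from the article, HashCalc, or Sysinternals Strings) that computes MD5, SHA1 and SHA256, extracts ASCII and UTF-16LE strings the way Strings does, and then pulls out the indicators this kind of static pass should surface: URLs, IPv4 addresses, and a small watchlist of Windows API names that matter for a dropper (the watchlist is an assumption for the example, not something the article lists). The byte string it scans is constructed inline to look like a PE fragment and is not TrickBot; the addresses and domain in it are reserved documentation values.

```python
import hashlib
import re

# API names worth a second look when they appear in clear text (added watchlist, not from the article)
SUSPICIOUS_APIS = {
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "IsDebuggerPresent", "URLDownloadToFileA", "WinExec", "ShellExecuteA",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def file_hashes(data: bytes) -> dict:
    """The three hashes analysts exchange; SHA256 is the one to record, MD5/SHA1 only for matching older reports."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> dict:
    """Printable ASCII runs and UTF-16LE runs of at least min_len characters, like `strings -n <min_len>`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.group().decode("ascii") for m in ascii_re.finditer(data)],
        "unicode": [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)],
    }


def triage(strings: dict) -> dict:
    """Pull network indicators and watchlisted API names out of the string lists, de-duplicated in order of appearance."""
    urls, ips, apis = [], [], []
    for s in strings["ascii"] + strings["unicode"]:
        urls += URL_RE.findall(s)
        ips += IPV4_RE.findall(s)
        if s in SUSPICIOUS_APIS:
            apis.append(s)
    return {
        "urls": list(dict.fromkeys(urls)),
        "ips": list(dict.fromkeys(ips)),
        "suspicious_apis": list(dict.fromkeys(apis)),
    }


def analyze(data: bytes) -> dict:
    strings = extract_strings(data)
    return {"hashes": file_hashes(data), "strings": strings, "indicators": triage(strings)}


# Constructed PE-like fragment (not TrickBot): DOS stub text, a few import names,
# a C2-style URL and a bare IP, and one UTF-16LE string that an ASCII-only pass would miss.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\r\n$\x00\x00\x00PE\x00\x00"
    b"\x00KERNEL32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    b"\x01\x02ab\x00"                                   # too short to count as a string
    b"http://198.51.100.23/response.php?id=1\x00203.0.113.7\x00\x00"
    + "gate.example.invalid".encode("utf-16-le") + b"\x00\x00"
)


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(analyze(data), indent=2))
```

Run it with a file path to analyze a real sample, or without arguments to see the constructed fragment triaged: the DOS stub sentence and the three injection-related API names show up in the ASCII list, the domain only in the Unicode list, and the URL and both IPs in the indicators. As with the Strings tool itself, a packed sample will show very little here until it is unpacked.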
Conclusion:
In this article, I statically analyzed a TrickBot trojan sample with DIE, HashCalc, and Strings. In my upcoming article I'll show how to analyze the same TrickBot sample with PeStudio and the PeBear tool.
Web Developer (2 years ago): Thanks for sharing, Mohanraj A
Security Researcher | VAPT | Cyber Security Enthusiast | Sparking Conversation on digital safety (2 years ago): Very useful, Mohanraj A