TrickBot Downloader Deep Dive Analysis

The downloader comes as a Microsoft Office doc - word or excel, with Macro code.

Upon macro enablement, then VB code is executed and the payload is downloaded and executed.

Flow:

Downloader execution - document is opened in word or excel
The Macro-code is enabled and executed
Script makes a call to download the payload from the internet
Encrypted payload is downloaded
Payload is decrypted using the running XOR key
Decrypted payload is saved as a different file and then executed

Step by step analysis:

Declarations >

Public MarkusPils() As String
Public BladeRunner_4 As String

Public Const BladeRunner_System = "User-Agent"
Public SubProperty As Object

Public BladeRunner_VEAM As Object
Public BladeRunner_Fish As Integer

Public AlertN() As String

Public AlertNE As String

Public BladeRunner_PokerFace As Variant
Public BladeRunner_aifde As Object
Public BladeRunner_FLAME As String
Public BladeRunner_avatar As Object

Public smbi As String
Public BladeRunner_2 As String
Public Const Quubo = 0

Public Stocke As Integer
Public BladeRunner_Project As String
Public C2H5OHName As String
Public BladeRunner_PathTo2 As String
Public CofeeShop As Object

Start >

Grabs all the variables from the doc properties >

And here's the complete string:

And you can also see this in the properties window, under Status:

The variables extracted from the properties are then used as Array values for 'AlertN' >

C2H5OHName : "Microsoft.XMLHTTP" : String : Asck.PropellersHead

Insert BreakPoint >

CofeeShop : : Object/IServerXMLHTTPRequest2 : Module2.C2H5OH

smbi : "rundll32.exe " : String : Module2.C2H5OH

AlertN(2) : "shell.Application" : String : Asck.PropellersHead

BladeRunner_avatar : : Object/IWshShell3 : Module2.AnimTransferMap

Shtefin has three URLs hard-coded, they will all be called in succession if the previous one fails.

Shtefin : "fondazioneprogenies.com/38rh76fCHASluxurious-ss.com/38rh76fCHASurban-dna.pt/38rh76f" : Variant/String : Module2.AnimTransferMap

URLs from Stefan are passed into MarkusPils as array values:

Stocke : 6 : Integer : Module2.C2H5OH

BladeRunner_FLAME : "C:\Users\RAGNAR~1\AppData\Local\Temp" : String : Module2.C2H5OH

LBound is 0 and UBound is 2 - which means that the URLs will be picked through a loop, 1 to 3:

If the server gives anything other than a 200 response code, it'll through an error and move to the next URL. If not, that means the download was successful and it'll move on the next routine.

'ShugarMilk' is given the value of 64 above - this will translate into 'e', which needs to be less than 300 in order to execute the program to get the desired output:

BladeRunner_4 : "http://fondazioneprogenies.com/38rh76f" : String : Module1.ShugarMilk

PlayCry 1 and PlayCry 2 execute different parts of the code:

PlayCry = 1
This will execute:

PlayCry = 2

This will take the 'Else' statement and execute a different part of the code, at lab1:

'sinus' is where all the downloaded data is processed:

BladeRunner_FLAME : "C:\Users\RAGNAR~1\AppData\Local\Temp" : String : Module2.C2H5OH

BladeRunner_PathTo2 : "C:\Users\RAGNAR~1\AppData\Local\Temp\hromberght8" : String : Module1.mapRender

More processing:

BladeRunner_Project : "C:\Users\RAGNAR~1\AppData\Local\Temp" : String : Module1.mapRender

The file is being loaded:

And now the data will be decrypted, using the running XOR key as shown below:

These are the events that are executed from here on:

Function WidthA will be called
Dbbb is the file loaded as the encrypted payload (hromberght8)
Dbbb is opened as bbb, for binary operations
Gbbb will be ReDim - reading the bbb file from 0 To LOF (complete file)
bbb will be saved as Gbbb
PuWord function will now be called, which will have the Gbbb() and decryption key
bbb will be PUT in Gbbb() for decryption and function WidthA will be called at this point
bbb will now be GET from Gbbb() - this is the decrypted version - as be
WidthA will process the file bbbJ (write it to disk as amigobro8.exe)
This new file is the decrypted payload - ready to execute.