This post is not a deep analysis of TrickBot. Here, I did a quick analysis of a TrickBot sample from early 2019 using the Ghidra Software Reverse Engineering (SRE) Framework, developed by the NSA and released some hours ago. I only wanted to learn a bit about Ghidra, and I used this framework to find some interesting parts of the TrickBot code that were introduced in the newer versions of the malware. Hope you enjoy it!
Tuesday, March 5, 2019
Wednesday, January 2, 2019
Analysis of Neutrino Bot Sample (dated 2018-08-27)
In this post I analyze a Neutrino Bot sample. It was probably generated on 2018-08-27. I will compare the analyzed Neutrino sample with the NukeBot source code that was leaked in spring 2017, and I will check whether Neutrino Bot is probably an evolution of the leaked NukeBot code (or, at least, reuses parts of it).
- Original Packed Sample: 3F77B24C569600E73F9C112B9E7BE43F
- Automatic Generated Report: PepperMalware Report
- Virustotal First Submission: 2018-08-28 14:36:26
- Sample Creation Date: 2018-08-27
- Unpacked Banker Module: 896609A8EE8CC860C2214FCD1E3CF264
- Internal executable id: aug27
- Related links: