A collection of tools for dealing with TrickBot
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
FileDownloader.py Added code to keep server list up to date Nov 10, 2017
config.conf Added example encrypted config Nov 10, 2017



A collection of tools for working with TrickBot


Used to decrypt TrickBot configs (found in install directory under then name config.conf)

Example usage: ConfigDecrypter.py -input config.conf -output config.txt


Used to download files from command and control server

For it to work you'll need to fill servers.txt with a list of recent servers (TrickBot servers die very quickly)

-o (--output) is the file to save to.

-f (--file) specifes the file to download, here is a list of files available:

  • Modules

    • systeminfo32 - gather information about the infected system (32-bit module)
    • injectdll32 - injects into the browser and performs webinjects (32-bit module)
    • mailsearcher32 - searches through files to gather a list of email addresses (32-bit module)
    • sharedll32 - allows the malware to move laterally via network shares (32-bit module)
  • Config Files

    • main - main TrickBot config which includes the latest server list
    • dinj - dynamic webinject configuration
    • sinj - static webinject configuration
    • dpost - server which the dynamic webinjects will send intercepted requests to
    • mailconf - server to send harvested email list to