hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Imports rebuilding - another issue with another sample of Trickbot #35

Closed hodgav closed 5 years ago

hodgav commented 5 years ago

Hi, SHA256: fcfb911e57e71174a31eae79433f12c73f72b7e6d088f2f35125cfdf10d2e1af. This sample of Trickbot spawns, after approximately 60-90 minutes, an instance of svchost.exe with the module importdll32.dll, which is responsible for stealing browsing data. Tested on Windows 7 32-bit. When using pesieve to dump it, imports were not rebuilt correctly.

To verify this, I decrypted the original importdll32 on the disk with trickbot_config_decoder. The decrypted module has the correct imports.

This zip file contains: the original trickbot sample, the decrypted importdll32, dumps of both pesieve and process dump, and the pesieve log when trying to dump importdll32 from svchost.exe. Password is: trickbot https://ufile.io/yqr7u

hasherezade commented 5 years ago

Thank you! I didn't reproduce it so far, but looking at the output I think I found the root cause. This is the IAT in the original DLL, at RVA 75278C (bigger address):

[image: real_iat]

And this is the IAT found by PE-sieve, at RVA 71831C (smaller address):

[image: pesieve_iat]

The second one is not the original IAT, just a secondary IAT constructed for the functions that are loaded later. But PE-sieve stopped searching at this one and just tried to find an import table that could cover this IAT. However, such an import table does not exist, so we have in the logs:

[*] Trying to find ImportTable for module: 615c0000
[!] Overwriting IAT address!
[-] ImportTable NOT found!

It will be fixed soon, stay tuned!
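
The following is an added illustration, not PE-sieve's own code, of the failure mode described in this comment: a memory image contains two pointer arrays that both look like an IAT, but only the one at the larger RVA is referenced by an IMAGE_IMPORT_DESCRIPTOR. A scanner that stops at the first candidate reports "ImportTable NOT found", while one that keeps trying candidates recovers the real IAT together with its import table. The image, the set of "known export" addresses and the descriptor-scanning heuristic are all constructed here for the example and assume a 32-bit module; they are simplified stand-ins for what the real tool does.

```python
import struct

# Constructed: addresses that resolved import entries point to (in a live
# process these would be export addresses inside loaded system DLLs).
KNOWN_EXPORTS = {0x77A01234, 0x77A05678, 0x77A09ABC, 0x76B01000, 0x76B02000}

DESC_SIZE = 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR), same for PE32 and PE32+


def build_image():
    """Construct a small fake 32-bit memory image with two IAT-looking arrays."""
    img = bytearray(0x400)
    # Secondary IAT at the smaller RVA 0x100 (functions resolved later);
    # no import descriptor points at it.
    img[0x100:0x108] = struct.pack('<2I', 0x76B01000, 0x76B02000)
    # Real IAT at the larger RVA 0x200, zero-terminated.
    img[0x200:0x20C] = struct.pack('<3I', 0x77A01234, 0x77A05678, 0x77A09ABC)
    # Import table at RVA 0x300: one IMAGE_IMPORT_DESCRIPTOR
    # (OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk)
    # whose FirstThunk is the real IAT; the zeroed bytes after it act as the
    # terminating descriptor. Name points at a constructed DLL name string.
    img[0x300:0x314] = struct.pack('<IIIII', 0, 0, 0, 0x380, 0x200)
    img[0x380:0x388] = b'dll.dll\x00'
    return bytes(img)


def find_iat_candidates(img, min_entries=2):
    """Return (rva, size) for every run of >= min_entries resolved pointers."""
    cands, run_start, run_len = [], None, 0
    for rva in range(0, len(img) - 3, 4):
        val = struct.unpack_from('<I', img, rva)[0]
        if val in KNOWN_EXPORTS:
            if run_start is None:
                run_start = rva
            run_len += 1
        else:
            if run_start is not None and run_len >= min_entries:
                cands.append((run_start, run_len * 4))
            run_start, run_len = None, 0
    if run_start is not None and run_len >= min_entries:
        cands.append((run_start, run_len * 4))
    return cands


def find_import_table(img, iat_rva, iat_size):
    """Scan for a descriptor whose FirstThunk lies inside the given IAT and
    whose Name RVA points at a plausible ASCII string; return its RVA or None."""
    for off in range(0, len(img) - DESC_SIZE + 1, 4):
        _, _, _, name_rva, first_thunk = struct.unpack_from('<IIIII', img, off)
        if not (iat_rva <= first_thunk < iat_rva + iat_size):
            continue
        if name_rva == 0 or name_rva >= len(img):
            continue
        end = img.find(b'\x00', name_rva)
        if end > name_rva and img[name_rva:end].isascii():
            return off
    return None


def resolve_iat_first_only(img):
    """Old behaviour: take the first IAT-looking array and stop searching.
    Returns (iat_rva, iat_size, import_table_rva_or_None)."""
    cands = find_iat_candidates(img)
    if not cands:
        return None
    rva, size = cands[0]
    return rva, size, find_import_table(img, rva, size)


def resolve_iat(img):
    """Fixed behaviour: keep trying candidates until one is covered by an
    import table; only then accept it as the module's IAT."""
    for rva, size in find_iat_candidates(img):
        table = find_import_table(img, rva, size)
        if table is not None:
            return rva, size, table
    return None


if __name__ == '__main__':
    image = build_image()
    print('first-only :', resolve_iat_first_only(image))  # (0x100, 8, None)
    print('exhaustive :', resolve_iat(image))             # (0x200, 12, 0x300)
```

Run directly, the script prints the two outcomes side by side: the first-only strategy picks the secondary IAT at 0x100 and fails to find any descriptor covering it, which is the "ImportTable NOT found!" situation in the log above, while the exhaustive strategy moves on to the array at 0x200 and finds the descriptor at 0x300 that references it.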

hasherezade commented 5 years ago

Please check the latest builds (attached to the README) and let me know if it helps.

hodgav commented 5 years ago

It helped, works fine now. Thanks!