TrickBot malware now checks screen resolution to evade analysis


Level 83
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
The infamous TrickBot trojan has started to check the screen resolutions of victims to detect whether the malware is running in a virtual machine. [....]

In a new sample of the TrickBot Trojan discovered by cybersecurity firm MalwareLab's Maciej Kotowicz, the malware is now checking an infected computer's screen resolution to determine if it's a virtual machine. In a tweet, Kotowicz stated that a new sample of TrickBot is checking if the computer's screen resolution is 800x600 or 1024x768, and if it is, TrickBot will terminate. TrickBot is checking for these particular resolutions because of how the researchers commonly configure their malware analysis virtual machines.

When configuring a virtual machine, most researchers will not install the VM guest software that allows for better screen resolutions, better mouse control, improved networking, and other features. Without the guest software, though, a virtual machine will typically not allow any resolutions other than 800x600 and 1024x768, compared to ordinary screen resolutions that are much higher.
Last edited: