General

  • Target

    TLauncher-2.879-Installer-1.1.1.exe

  • Size

    22.6MB

  • Sample

    230430-ln1vyahc87

  • MD5

    c4ceda8c435298d23cc40a842f426d61

  • SHA1

    c7337094f09852b00a815950e96f3292295e9e15

  • SHA256

    e132be19bc7ae8a96d3d620710fa26b614e022abecccc161ad733eff732afcd6

  • SHA512

    25e74422d3b7adeb0cc805bbe41298d4e0fcf984b038c63a3a4faeea16e10a18f113c9a7d946e16f377ad9e3a5ca0a6425d7650b62c1e5db9ee2299e9921f52b

  • SSDEEP

    393216:LXfgqusAgbGPfs/dQETVlOBbpFEjdGphRqV56Hpkf+V4scTKAjENq3:LvtDpsHExi73qqHpg+Vvc+Amc

Malware Config

Targets

    • Target

      TLauncher-2.879-Installer-1.1.1.exe

    • Size

      22.6MB

    • MD5

      c4ceda8c435298d23cc40a842f426d61

    • SHA1

      c7337094f09852b00a815950e96f3292295e9e15

    • SHA256

      e132be19bc7ae8a96d3d620710fa26b614e022abecccc161ad733eff732afcd6

    • SHA512

      25e74422d3b7adeb0cc805bbe41298d4e0fcf984b038c63a3a4faeea16e10a18f113c9a7d946e16f377ad9e3a5ca0a6425d7650b62c1e5db9ee2299e9921f52b

    • SSDEEP

      393216:LXfgqusAgbGPfs/dQETVlOBbpFEjdGphRqV56Hpkf+V4scTKAjENq3:LvtDpsHExi73qqHpg+Vvc+Amc

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • Bazar/Team9 Backdoor payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks