eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

Target

trojan-leaks-main.zip
Size

501.8MB
Sample

230509-x3fn4adg58
MD5

5989c04ee5327d6e7185985f4a7fb933
SHA1

51826110b35fc7b0984eae57c8e143900b29a38f
SHA256

eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d
SHA512

089b2cf3836852d52a8b1da951702d2e2101eee915ddfa72bd967123d1a52d98baae6c0f68f2fd24fb4f1a111b8bfcf6cc57421e76a11f5554a80d372e77587e
SSDEEP

12582912:4vZS6yP56fA74t343nX8dn++/RNk8nnqKIEX1b62gOZsX:qZS6yDcJ43sd++//k8nnqKI214

Score

10^/10

Malware Config

Targets

- Target
  
  trojan-leaks-main/0.950095298700035.exe
- Size
  
  134KB
- MD5
  
  aedbbccb355b4b671b260ddae4caf48a
- SHA1
  
  fac537787c1c197c1eeff3776f18286c93fb62aa
- SHA256
  
  f87e7c558f070aba0493468837fcc6dacd76e5cc855a7f460c798af6fe8f0120
- SHA512
  
  09a412edfe005ab34006032fabcf7b12b18c1ff2aafdaa4a551a7da929c866532ff2d544dff55e2d6fbfbb52cca270481c9853652d6299eb077328d52dbee22a
- SSDEEP
  
  3072:s4/hNEFqgwt4AfLKUM3/oY+IUTzrojcbWy:ARATu3/Agcb
Score

8^/10

bootkit evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2
- Target
  
  trojan-leaks-main/0x07.exe
- Size
  
  247KB
- MD5
  
  733eb0ab951ae42a8d8cca413201e428
- SHA1
  
  640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1
- SHA256
  
  52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb
- SHA512
  
  c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f
- SSDEEP
  
  3072:xaWEHnqlm+0FEaJSq6+ouCpk2mpcWJ0r+QNTBfZnazJ9k3kxMC+89+aPyXiwQ9M1:cWCMm8aMldk1cWQRNTBhz3Yz/qc9M1
Score

8^/10

bootkit discovery exploit persistence
- Drops file in Drivers directory
- Possible privilege escalation attempt
  exploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Modifies boot configuration data using bcdedit
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral3 behavioral4
- Target
  
  trojan-leaks-main/AIDS_NT.rar
- Size
  
  634KB
- MD5
  
  6130816a444466d3ef237bfefae80c2c
- SHA1
  
  bd5e7be0fd74d424191cf9dddf0f6b4e0a2871b0
- SHA256
  
  52e0a1c02a0378774da69231586464c8c9fee1b36575786b5424fefda2f90418
- SHA512
  
  e83d352d104eeb89731bc0578384b5265b6270169aa4d198567f87334114850cfd453963891b47d581948a7d2d0e9ba511c5c01b7b6d6835f1b2ca376269182a
- SSDEEP
  
  12288:iA1HETk8ZRVmIUuSZmnoBXboLNy2f7MnLT9xaUnkLrCO2Hf6Y2A:iUG7YjVZhBXMLNP7oLBAH2/NV
Score

3^/10
behavioral5 behavioral6
- Target
  
  trojan-leaks-main/Abantes (1).zip
- Size
  
  2.1MB
- MD5
  
  406aa989db6c5b5cbe736f8aabd73042
- SHA1
  
  608382d2558191b0b87aaaee3e870569954d538f
- SHA256
  
  f476cd6127f6607fb58ef10bf36b6c89619f1f7d73cf0bfc1f0215b92135dd34
- SHA512
  
  42dcc0a3748eeead6b5fd6daf40442dac43e02456557b3167b89800a911f7a896ad4342b03170ce25ced1f3183c46835b1eb2426d2134f2c3e6fc8dfb0d6c315
- SSDEEP
  
  49152:CwmHvJlpSmfMs2eLLHcSpJdUGwr+2gjhugOpf6C9+VflO2qYVjmV:sHvJlpJkkLLH7pcGaDgJXxmV
Score

1^/10
behavioral7 behavioral8
- Target
  
  trojan-leaks-main/AjarSys.exe
- Size
  
  5.8MB
- MD5
  
  0816a1e816f9737a1fd3eaa7493aa075
- SHA1
  
  682405e63e3cfa28f955ea4eee2890b93fa6414d
- SHA256
  
  418f6ff813bbbbe5344b9f8fea28948259bcfd28d424f1354289f5071c85d6ca
- SHA512
  
  640000c30a3c1e8d05bc5383daa405303596b8694e11a17a04a77e3cf0688a887f35a7f8d38ffea89e8a3ba6e36e63c4b39285b83bfffa55e9fab5cc595484a8
- SSDEEP
  
  98304:wYOgp0AsZKigPWKQ/HVRBH9vYewem9lTTdxlN7/c3DgPY9rT6Bl1tF:wYL0rtC3Q/pdePbH7/0DIYNT6LbF
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral10 behavioral9
- Target
  
  trojan-leaks-main/AnCo250S.z01
- Size
  
  24.0MB
- MD5
  
  caf52c6eeabe95f8d3f8f8923a2977d6
- SHA1
  
  5470d110ef71c8be4341a3f40d066b938b989b5c
- SHA256
  
  1c94a2385b950919ba3760d551ddba9e471c6706a4b8b26504b1dd048d8abf37
- SHA512
  
  175417b60d8c40c5761c858199aac5ac308085dcfeb4e4284542d0e2d3b92b4e218eedcae85f0a8e0fe9d1e9c018c05701241b449fd2191088d580de99f80941
- SSDEEP
  
  393216:kJVfn85zXCJ5P3+ix6+fOigTl1odisR7QLMvLj0qO0SmUVWUdOVi3/dKtrvK9t2P:kWuSj+puodisRkQSmnfs3Kry9ti
Score

3^/10
behavioral11 behavioral12
- Target
  
  trojan-leaks-main/AnCo250S.z02
- Size
  
  24.0MB
- MD5
  
  5df1203bb287ca15a9e913cec9ec3880
- SHA1
  
  1770e794fada020413beefcf188162394160b9be
- SHA256
  
  7d99de4ee2ceb3f1b04e12aae16f00923fd03f75e16abed8b8941e4d6d1e1eeb
- SHA512
  
  95c8b215ac7b2a6036965d4d5d31a854b0443a6b9cb339a918322b34ef2cf6a1ad014ff579178ff5ec158f854d1b2866dbb325ae4b0076698a7b328f4b0f97a5
- SSDEEP
  
  393216:jDbc9ROt8uvFD6QTqzln5OJnrV+ewzYDDm/QudNNpynZoeEnLztCPYQgHRia5Gpu:jvswbTqzl8RcewzYDnmPpQzELzAwbHRx
Score

3^/10
behavioral13 behavioral14
- Target
  
  trojan-leaks-main/AnCo250S.z03
- Size
  
  24.0MB
- MD5
  
  fc4da9d715e9fb4f7d358194fad6f107
- SHA1
  
  34222f1ffb6f76d17fdc6052d5c6b1e0bf658880
- SHA256
  
  8d2003cf8b225cc2e8f29bf73c232faf5898631171123ff2c8d3f0523ef58ba6
- SHA512
  
  c8ae7abaa4e15fe58d419870d597dc298219d96562d5405e3c6fc40908e81950e197d6d6978e77c9fdd46cd26e1341ac2dd6315ff196a5b90f52d9efbf70b316
- SSDEEP
  
  393216:u3SBJFgGJMZXQHOLV7eMzOPLzTtUp7Qu+2qVN+Q/wMdIDc/DaEiTU9GVrQa/HE72:ISpgGJkQHOLV7enuUT+ird6EifrQcHVP
Score

3^/10
behavioral15 behavioral16
- Target
  
  trojan-leaks-main/AnCo250S.zip
- Size
  
  9.9MB
- MD5
  
  df853fc57bf707e18a5394d076da98c6
- SHA1
  
  376cd14b63bbe4d0625e58b62a6eee68539752e5
- SHA256
  
  fc1d3634589fdd995c90a34dd52b03e62addc5b6e3cdf675c3f3fb4ab1b6ef82
- SHA512
  
  79eae21480454f2b3cb7286e16285c351967a7948b6e9700ef13d0f6db9ced4885ea9afc732825d7429f607bb5997d58f80c365345025a0db6351dcdc32d0ad5
- SSDEEP
  
  196608:XvRhjKD6uRcdJ0KgdSy/RMPCRAnSD6b7WbgJzxoGG/xTQuT03DzGp4VFe+3V5d:5geuRNX9C6RYf1oGG50V2pPq5d
Score

1^/10
behavioral17 behavioral18
- Target
  
  trojan-leaks-main/Antivirus_Installer.exe
- Size
  
  89KB
- MD5
  
  70ec6f9bec87d67c435a2b8505a72629
- SHA1
  
  8dae4c1727c73b3c1135b633e4db69e60ed522f1
- SHA256
  
  1bfef2733f357e531be53b406b65661893b97a8b18a699b6e65f201dd0eeeae8
- SHA512
  
  4a164019ae25e21007f2678bdf0e002b2e1eee115ddc4e101a909712d2bbaff3987339b6059c9db69988918296692839c47c49da9ca9ff3310a9e0088ab7d56c
- SSDEEP
  
  1536:X7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfrwFOO:L7DhdC6kzWypvaQ0FxyNTBfrS
Score

8^/10
- Downloads MZ/PE file
behavioral19 behavioral20
- Target
  
  trojan-leaks-main/Aramaware.zip
- Size
  
  179KB
- MD5
  
  d46345e6a112048ce7fb0cc1be021119
- SHA1
  
  86744fb58f947c499650abd9867956ac77dcb333
- SHA256
  
  fe4252a3a0c952a7bbce8bd9f20e13fbfae6e694989b117947dacc609505a0b6
- SHA512
  
  249c8ab3adc3cecfcd4d569868e13904a014fb035ba8c24785d17769639a2b938ec8d271373f8c9718f1427def37d0615eb4313aed35127c4abad66fea132203
- SSDEEP
  
  3072:GLbMP2OQnsmgzcoQicb0US51S5JZLS8GXHpgYyRX8AGTi0kndHJiz0d:GLUJcgz/cb4wvOaYOsAycHd
Score

1^/10
behavioral21 behavioral22
- Target
  
  trojan-leaks-main/BUG32.exe
- Size
  
  3.0MB
- MD5
  
  149cc2ec1900cb778afb50d8026eadf5
- SHA1
  
  a7bc1bbc7bdc970757ec369ef0b51dc53989f131
- SHA256
  
  817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797
- SHA512
  
  d617654478beb6325d86c108cddaff8f8d658a235d26b8e0282ed85dca826bdb62b0b67e749c7cd421dbae1d98084220e2f4d5779badb8fd7ab07ff333a35553
- SSDEEP
  
  49152:Or2U5IahDUGN97rkqOAackLjQ0rZEAh3oA6wHE+K60Kk0aCLkfAZKt0OJTcL:4H2ahFNNrg3QbQoA6wHEnFN4IJu
Score

10^/10

evasion persistence spyware stealer trojan ransomware
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral23 behavioral24
- Target
  
  trojan-leaks-main/BaldiTrojan-x32.exe
- Size
  
  4.2MB
- MD5
  
  0aeaafa78906f0977c4af8963bcd84c2
- SHA1
  
  59a4a0e73d646349c4dde83ceb996e20167cfcc0
- SHA256
  
  822023abab19f62e0b5243390df4639cb7697dac75a323682f7478db477dee24
- SHA512
  
  82ac5b2e225c30ee4f2197562b77ca1ec1b5c5cd438bf819d3b91adb9cca6421943afdf43b4748a3f9a321c30a274d145e248ac9da5bf76799440612ec13419d
- SSDEEP
  
  98304:fKgez/S9bL+M0QVtYD0JCqfZlVcc9uNSwfrNaSQMU0qay9jT:uzk0mtyTqj6W4SGYSQcqD9P
Score

10^/10

evasion persistence ransomware trojan
- UAC bypass
  evasion trojan
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral25 behavioral26
- Target
  
  trojan-leaks-main/BaldiTrojan-x64.exe
- Size
  
  4.2MB
- MD5
  
  e2c4c4dd8c6a357eca164955a8fe040c
- SHA1
  
  f4114815bce62efbc78c79f9a83ccf74a4ea075c
- SHA256
  
  f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5
- SHA512
  
  389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1
- SSDEEP
  
  98304:3c9jNgez/S9bL+M0QVtYD0JCqfZlVcc9uNSwfrNaSQHbfU0qC:s95zk0mtyTqj6W4SGYSQ/qC
Score

10^/10

evasion persistence ransomware trojan
- UAC bypass
  evasion trojan
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral27 behavioral28
- Target
  
  trojan-leaks-main/Benzene.exe
- Size
  
  55KB
- MD5
  
  d6e6e2fb2e45c7a2ca6585d86b39d2d0
- SHA1
  
  0f64d36122ea98d09b504041b5a511dc4a0b5275
- SHA256
  
  942f4aca0316e529d0b7c721b774f37738fb99d27fb4adc034d08cb31fd72924
- SHA512
  
  9493b05deed8e0bfdf590c60d7aa7894420b192fdfbd979d321aae9c9cc1d5104fa6125ae8139b12ba1e0c227727375fe046456733c20198f20508321d8adaa1
- SSDEEP
  
  768:VglgFHa1vlmz3ggcRLgHLT0ztbjZMJfdZjpYwOxF3iCX85:3F69lmzQ5uT0nMJDjKwOxFZ85
Score

1^/10
behavioral29 behavioral30
- Target
  
  trojan-leaks-main/Benzene_x64.exe
- Size
  
  234KB
- MD5
  
  4abcf3f7124adbbb7aa59a1f128f5b16
- SHA1
  
  64e82614e15cd9102f9ab594d05b0c17549b0618
- SHA256
  
  40d98c6d729f998614934cec341440c11c9cbdfcb7bd9c649d83f915eeac4138
- SHA512
  
  58a603da4a6a6be5f52fd4e33e87d1dfeb03c8404cf422b7afec0487723c9cf6c34d3b363e684ed9c3e13d8748ec8affeafd8b5e1df88f2393f66275b1b37fde
- SSDEEP
  
  6144:8cpsByyZtP/Gxqw44Y5yjaGLqSKExm7WWIQ:8cpsBnZ1/GXc5YX2SKExNWf
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Writes to the Master Boot Record (MBR)

Drops file in Drivers directory

Possible privilege escalation attempt

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Modifies boot configuration data using bcdedit

Writes to the Master Boot Record (MBR)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Downloads MZ/PE file

Modifies WinLogon for persistence

UAC bypass

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Modifies extensions of user files

Checks computer location settings

Modifies system executable filetype association

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

UAC bypass

Disables Task Manager via registry modification

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Sets desktop wallpaper using registry

UAC bypass

Disables Task Manager via registry modification

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32