eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

Target

trojan-leaks-main.zip
Size

501.8MB
Sample

230509-xxqxwadg39
MD5

5989c04ee5327d6e7185985f4a7fb933
SHA1

51826110b35fc7b0984eae57c8e143900b29a38f
SHA256

eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d
SHA512

089b2cf3836852d52a8b1da951702d2e2101eee915ddfa72bd967123d1a52d98baae6c0f68f2fd24fb4f1a111b8bfcf6cc57421e76a11f5554a80d372e77587e
SSDEEP

12582912:4vZS6yP56fA74t343nX8dn++/RNk8nnqKIEX1b62gOZsX:qZS6yDcJ43sd++//k8nnqKI214

Score

7^/10

Malware Config

Targets

- Target
  
  trojan-leaks-main/TheEye-x64.exe
- Size
  
  17.8MB
- MD5
  
  914d34ecdfa0ef6430ca4809e7a8c10c
- SHA1
  
  0e00f756f0997414af61b0ba2e1ea78a44619e9d
- SHA256
  
  fe79fb788f0fc6c4752f7bab66a52d8a4a1d15aa3821a919b9af6ba2c03aa5ae
- SHA512
  
  cee271e233c472ae2bbc298ca8cf9de08993f7db2f8d8503025e9a644af6ccfc1290a3c02d91854788c316fa2240a155609edb9c87be5470fde1d5abae546e11
- SSDEEP
  
  196608:WqIr4FXznyIwrgF9SrrHwybB28XiJtROJHgBtD22fgwAPIUh4vr2c1FFr2D51p:pIr4hOIwrgF9SrDwyAC2sMtfM4vrC5X
Score

7^/10

agilenet
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
behavioral1 behavioral2 behavioral3
- Target
  
  trojan-leaks-main/Win32.SAW-by_DesConnet.7z
- Size
  
  10.7MB
- MD5
  
  381ce7a5170399cc4f44f4f2da10112f
- SHA1
  
  02ee8b4ac3833993e88f4c2bde1fd3c5b5998e23
- SHA256
  
  3935461216e52537f6756cc903d47491ccc49f182d1337529cbf3f496beae2da
- SHA512
  
  00aac6ee4d1bb8b5d526d02e312347875bdafa6bfc12aa47cce62c8b5d6b27d2325e423f302e068cfd45e2272c14c496f3d4fe321b19e87562e325289c2c743a
- SSDEEP
  
  196608:N8yv1c48RFA6TiVm4uyD97tubRfQ952GPZjwSzyKuOfqdZUjAR6E+Hry:N8Q1c48RFAEfw5MIHhzyKfMUjdK
Score

3^/10
behavioral4 behavioral5 behavioral6
- Target
  
  trojan-leaks-main/Win32.Trojan.Amnesia (pass AnCoMalware).rar
- Size
  
  1.3MB
- MD5
  
  ef992855a23faeb26ce30e84aa851538
- SHA1
  
  f27dfe492355513e25c1b0a42cee546e3d1bca2b
- SHA256
  
  0fb061cdf90e63a96f7ba2b9a5c460543618a7101c6c080091ad59b13ba15aae
- SHA512
  
  f7378cd42b6d7479a3c34b864a06962a33490d9bce78e0987573679a8c266c19ac9541b87d8d834bb7c3c52e0a68523cac9b34b4fb3ce8ca081a86921e115a65
- SSDEEP
  
  24576:sxq1DRO5O7rk4gWaMzJqdRRFPKYI4i+sDbwwo1ehoUh4Lq2c18oPqWXE37nq:cq7O8XJ4FPKn+sDbwbehoUA+1xqW0Lnq
Score

3^/10
behavioral7 behavioral8 behavioral9
- Target
  
  trojan-leaks-main/cleansaturn.exe
- Size
  
  3.8MB
- MD5
  
  0f597e254135a708137a52470943316c
- SHA1
  
  86240613459d76fff43d9995f73c97f75ee680c1
- SHA256
  
  8763150d50e887141961f8c027acf92d5698e8e925cc5e76515d6d8fe330cb26
- SHA512
  
  408fe3bd85921cdf5576caa55e28213849c07340817c33605a68fa3da72ae512c0ac710b3a3cb4cbff44c5f64cfb0715034604a5de7bf9c5b6adce4919a2f6eb
- SSDEEP
  
  24576:QZ+4JwLcEVrX0VlkxDXMluVGOVCuaYE2IrUOUOqpUKKskz22ETGKJ8QeKzG+9eX:QZoLpXVxgKVCurqZJqhKskzLgGKp5e
Score

1^/10
behavioral10 behavioral11 behavioral12
- Target
  
  trojan-leaks-main/deckufniw 1.1.zip
- Size
  
  44KB
- MD5
  
  75a36eb2426e927dc34e16dc74654c94
- SHA1
  
  a2fbae9ef23ba8045617023e137831578bc0dec1
- SHA256
  
  840a4f08c3c8266017d84d53d0c749bb72d36942b16a1d314851d0804d7e3b46
- SHA512
  
  572cda1af7cad05027a3d01957b102645527598b322cd6d6554ec42ad1f6ea933365dd23fc41c25954bf0563804bf393681f483c90d98dfc0712bd87dbe8ff72
- SSDEEP
  
  768:CDmXC7mAR1R1FnTNvNW2KzsqRCZeA/JxKGkOX9IOWxSJ9Tcfn+:CqXZAR1RrTNvN/KzbKjKGkOX9XISjYG
Score

1^/10
behavioral13 behavioral14 behavioral15
- Target
  
  trojan-leaks-main/dobrota/Clean/README.txt
- Size
  
  40B
- MD5
  
  5a4bea29423673c5ff5b0f33b643e82f
- SHA1
  
  0e97de1a69b08b80a78580c5acc4f9c50a20bad2
- SHA256
  
  20d44dc71ed3e3a0426e62dab307515cfc9fc25ddd3c84c2f19befb0cffebac0
- SHA512
  
  fdbec79fc9e2dcc8ccaf666a278ed95a4f17f282ef419055312404cb38268c74dbb982e2e6936b8e9fd62ed8b0aa01e4e3093c6e6e430f6a4fa2bdc0f7a907d8
Score

1^/10
behavioral16 behavioral17 behavioral18
- Target
  
  trojan-leaks-main/dobrota/Clean/dobrota_clean.exe
- Size
  
  7.7MB
- MD5
  
  c8b999419a3c103270290e99189f794c
- SHA1
  
  90148745b61d2c77c1694e43f11faaa9a3d05a0a
- SHA256
  
  9093ff3bc7e78cfe84cadc3a993eeb1c15ce497e94efdcf51c1adcafd0aedf18
- SHA512
  
  6e95c693eef199c511c81052b1b4e9bdbd94bcd2fee2b16660ece026e86e3535c2389fe91049407842c2cad81ab9f0521865edb28708f961d804f32111d4c47c
- SSDEEP
  
  98304:JJx19RrCwXU7tTao36KJt6Oe2NhqCZao4+Axhy4V7FLEMUH82Z3dFRsFVsKtOepA:9thk7IInbrIh17FFWZnR0VsAHndDNE
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral19 behavioral20 behavioral21
- Target
  
  trojan-leaks-main/dobrota/README.txt
- Size
  
  160B
- MD5
  
  d9315a6f578c17343bbc3b576e5a6f5b
- SHA1
  
  0ed82af2ac51c7b2332b610535713cbec9ebc415
- SHA256
  
  cade81c198017a138cd11ebbae22f9e7071c9eb1c811772df08dcc75779349fd
- SHA512
  
  8c87fa793629d08ebd7a11df70176ec4d8033d0a134ca99ebe71f60becb0de428b4e265ad5c6d8120a2d7a660530177b64fab0b22143350806aebf77ad98a8ef
Score

1^/10
behavioral22 behavioral23 behavioral24
- Target
  
  trojan-leaks-main/dobrota/VC_redist.x86.exe
- Size
  
  13.1MB
- MD5
  
  ca778a97f31d6ab131f1e0bb58a466fb
- SHA1
  
  5b8637acc24f11e9bf83c77aacc8d529ea62d173
- SHA256
  
  91c21c93a88dd82e8ae429534dacbc7a4885198361eae18d82920c714e328cf9
- SHA512
  
  e2de89cb69803339f765bc1b29a7d6b24effd079f8296463ae6be0a0fdc99d2df2bc742c77b1e22ec320366ada672c022605c26ce21f7a59ba9246df8be9e27d
- SSDEEP
  
  393216:T1HRlptVYmfr7yBG/4YBOdojQ1GTp8Pg5kKE:T5DpttD7yBG/1xkCp/kKE
Score

7^/10

discovery
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral25 behavioral26 behavioral27
- Target
  
  trojan-leaks-main/dobrota/dobrota.exe
- Size
  
  7.8MB
- MD5
  
  1c33f964fbf5b3642d02e4b20ba6f2ac
- SHA1
  
  dcec14364a4548ce394906487a37f98bb1d12198
- SHA256
  
  10a45dc010df96cbd65bfd8a59e906ca5f98dd6f7541cf02bdfc17df8384bb8f
- SHA512
  
  ea3268a85ff2dfe7c94c6eb670f4aa3a13ec3019cf47bbcfa7e31eaa48dea0c8ee7dd0ebd020785942063e8acee7e2df62cd0c1eadf46a0208ebea29e146462b
- SSDEEP
  
  98304:Jqx1gyR0CwX6T036KJt6Oe2NhqCZao4+Axhy4V7FLEMUH82Z3dFRsFVsKtOep1eT:6WhwInbrIh17FFWZnR0VsAHndDNc7T
Score

7^/10

bootkit persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral28 behavioral29 behavioral30

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Writes to the Master Boot Record (MBR)

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30