General

  • Target

    trojan-leaks-main.zip

  • Size

    501.8MB

  • Sample

    230509-xy537adg49

  • MD5

    5989c04ee5327d6e7185985f4a7fb933

  • SHA1

    51826110b35fc7b0984eae57c8e143900b29a38f

  • SHA256

    eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

  • SHA512

    089b2cf3836852d52a8b1da951702d2e2101eee915ddfa72bd967123d1a52d98baae6c0f68f2fd24fb4f1a111b8bfcf6cc57421e76a11f5554a80d372e77587e

  • SSDEEP

    12582912:4vZS6yP56fA74t343nX8dn++/RNk8nnqKIEX1b62gOZsX:qZS6yDcJ43sd++//k8nnqKI214

Malware Config

Targets

    • Target

      trojan-leaks-main/0.950095298700035.exe

    • Size

      134KB

    • MD5

      aedbbccb355b4b671b260ddae4caf48a

    • SHA1

      fac537787c1c197c1eeff3776f18286c93fb62aa

    • SHA256

      f87e7c558f070aba0493468837fcc6dacd76e5cc855a7f460c798af6fe8f0120

    • SHA512

      09a412edfe005ab34006032fabcf7b12b18c1ff2aafdaa4a551a7da929c866532ff2d544dff55e2d6fbfbb52cca270481c9853652d6299eb077328d52dbee22a

    • SSDEEP

      3072:s4/hNEFqgwt4AfLKUM3/oY+IUTzrojcbWy:ARATu3/Agcb

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      trojan-leaks-main/0x07.exe

    • Size

      247KB

    • MD5

      733eb0ab951ae42a8d8cca413201e428

    • SHA1

      640ffb3ee44eb86afaea92e6c5aa158a5d4aafd1

    • SHA256

      52d6d769eb474d4138ac31e05634a6ca7a4ebef5920f8356c1cd70d9fa42c2fb

    • SHA512

      c7cdf77aa881c5dbb2abf17913dbf645fe88e16fa11fa055392d36ccf936fc43050c48feb631e193fe044123a190f123d2d6ff12234c0ff7c8c7c6e290209d8f

    • SSDEEP

      3072:xaWEHnqlm+0FEaJSq6+ouCpk2mpcWJ0r+QNTBfZnazJ9k3kxMC+89+aPyXiwQ9M1:cWCMm8aMldk1cWQRNTBhz3Yz/qc9M1

    • Possible privilege escalation attempt

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Modifies boot configuration data using bcdedit

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      AIDS_NT.exe

    • Size

      924KB

    • MD5

      14eefb80a0813abbf8710387a5383f08

    • SHA1

      d3fa355cc1d184be20b441143fa34e4ae1a4bdb2

    • SHA256

      61ee3bd82bed03dd0f3fb9bc9b76b7da972a90d3c12c8e4d5e967440a2f04c00

    • SHA512

      a3174a80c47a02b6deed6eb390a999fa486f7a4cda7ab614d93589f614a60ba500aa8f42346e80cc53b7e1a5af0f0e515e4b014d23e5af90fabeae504f43f130

    • SSDEEP

      12288:/GqN/XdctpVtkkKICgvDkBLab3Xldfr4oSsFsA0cO4KfRErkYzWaMSDncS:pNcBtkUHf9ace3sJTcS

    • Modifies WinLogon for persistence

    • Nirsoft

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Sets desktop wallpaper using registry

    • Target

      Abantes.exe

    • Size

      2.7MB

    • MD5

      cd2e58136d3049e9be40ae29f9250c93

    • SHA1

      e97beb8b87d130e5c5745981e3614ed6aa3caae3

    • SHA256

      dac4b5511343cf863832e38886af8a3e1d55529648314eb02cc21fa3979f6419

    • SHA512

      3ad23ad35d23acfa9edc187f443f28c4bb11279472632726f450b10cc09a653e10f4832f9cca44d063ad1259de6c7017ca6ca8f64ed07d302c3b2d06628f0ba7

    • SSDEEP

      49152:yi98eUDa7+tCg3e+zNWZjUDa7+tCg3e+zNWyUDa7+tCg3e+zNWR9Bh:yAC+7+p3ej2+7+p3ejh+7+p3ejDBh

    • Target

      trojan-leaks-main/AjarSys.exe

    • Size

      5.8MB

    • MD5

      0816a1e816f9737a1fd3eaa7493aa075

    • SHA1

      682405e63e3cfa28f955ea4eee2890b93fa6414d

    • SHA256

      418f6ff813bbbbe5344b9f8fea28948259bcfd28d424f1354289f5071c85d6ca

    • SHA512

      640000c30a3c1e8d05bc5383daa405303596b8694e11a17a04a77e3cf0688a887f35a7f8d38ffea89e8a3ba6e36e63c4b39285b83bfffa55e9fab5cc595484a8

    • SSDEEP

      98304:wYOgp0AsZKigPWKQ/HVRBH9vYewem9lTTdxlN7/c3DgPY9rT6Bl1tF:wYL0rtC3Q/pdePbH7/0DIYNT6LbF

    • Score

      7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      trojan-leaks-main/Antivirus_Installer.exe

    • Size

      89KB

    • MD5

      70ec6f9bec87d67c435a2b8505a72629

    • SHA1

      8dae4c1727c73b3c1135b633e4db69e60ed522f1

    • SHA256

      1bfef2733f357e531be53b406b65661893b97a8b18a699b6e65f201dd0eeeae8

    • SHA512

      4a164019ae25e21007f2678bdf0e002b2e1eee115ddc4e101a909712d2bbaff3987339b6059c9db69988918296692839c47c49da9ca9ff3310a9e0088ab7d56c

    • SSDEEP

      1536:X7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfrwFOO:L7DhdC6kzWypvaQ0FxyNTBfrS

    • Score

      8/10

    • Downloads MZ/PE file

    • Target

      trojan-leaks-main/BUG32.exe

    • Size

      3.0MB

    • MD5

      149cc2ec1900cb778afb50d8026eadf5

    • SHA1

      a7bc1bbc7bdc970757ec369ef0b51dc53989f131

    • SHA256

      817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797

    • SHA512

      d617654478beb6325d86c108cddaff8f8d658a235d26b8e0282ed85dca826bdb62b0b67e749c7cd421dbae1d98084220e2f4d5779badb8fd7ab07ff333a35553

    • SSDEEP

      49152:Or2U5IahDUGN97rkqOAackLjQ0rZEAh3oA6wHE+K60Kk0aCLkfAZKt0OJTcL:4H2ahFNNrg3QbQoA6wHEnFN4IJu

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Target

      trojan-leaks-main/BaldiTrojan-x32.exe

    • Size

      4.2MB

    • MD5

      0aeaafa78906f0977c4af8963bcd84c2

    • SHA1

      59a4a0e73d646349c4dde83ceb996e20167cfcc0

    • SHA256

      822023abab19f62e0b5243390df4639cb7697dac75a323682f7478db477dee24

    • SHA512

      82ac5b2e225c30ee4f2197562b77ca1ec1b5c5cd438bf819d3b91adb9cca6421943afdf43b4748a3f9a321c30a274d145e248ac9da5bf76799440612ec13419d

    • SSDEEP

      98304:fKgez/S9bL+M0QVtYD0JCqfZlVcc9uNSwfrNaSQMU0qay9jT:uzk0mtyTqj6W4SGYSQcqD9P

    • UAC bypass

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Target

      trojan-leaks-main/BaldiTrojan-x64.exe

    • Size

      4.2MB

    • MD5

      e2c4c4dd8c6a357eca164955a8fe040c

    • SHA1

      f4114815bce62efbc78c79f9a83ccf74a4ea075c

    • SHA256

      f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5

    • SHA512

      389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1

    • SSDEEP

      98304:3c9jNgez/S9bL+M0QVtYD0JCqfZlVcc9uNSwfrNaSQHbfU0qC:s95zk0mtyTqj6W4SGYSQ/qC

    • UAC bypass

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Sets desktop wallpaper using registry

    • Target

      trojan-leaks-main/Benzene.exe

    • Size

      55KB

    • MD5

      d6e6e2fb2e45c7a2ca6585d86b39d2d0

    • SHA1

      0f64d36122ea98d09b504041b5a511dc4a0b5275

    • SHA256

      942f4aca0316e529d0b7c721b774f37738fb99d27fb4adc034d08cb31fd72924

    • SHA512

      9493b05deed8e0bfdf590c60d7aa7894420b192fdfbd979d321aae9c9cc1d5104fa6125ae8139b12ba1e0c227727375fe046456733c20198f20508321d8adaa1

    • SSDEEP

      768:VglgFHa1vlmz3ggcRLgHLT0ztbjZMJfdZjpYwOxF3iCX85:3F69lmzQ5uT0nMJDjKwOxFZ85

    • Score

      1/10

    • Target

      trojan-leaks-main/Benzene_x64.exe

    • Size

      234KB

    • MD5

      4abcf3f7124adbbb7aa59a1f128f5b16

    • SHA1

      64e82614e15cd9102f9ab594d05b0c17549b0618

    • SHA256

      40d98c6d729f998614934cec341440c11c9cbdfcb7bd9c649d83f915eeac4138

    • SHA512

      58a603da4a6a6be5f52fd4e33e87d1dfeb03c8404cf422b7afec0487723c9cf6c34d3b363e684ed9c3e13d8748ec8affeafd8b5e1df88f2393f66275b1b37fde

    • SSDEEP

      6144:8cpsByyZtP/Gxqw44Y5yjaGLqSKExm7WWIQ:8cpsBnZ1/GXc5YX2SKExNWf

    • Score

      1/10

    • Target

      trojan-leaks-main/CoViper.exe

    • Size

      286KB

    • MD5

      e20ee9bbbd1ebe131f973fe3706ca799

    • SHA1

      4e92e5cbe9092f94b4f4951893b5d9ca304d292c

    • SHA256

      f632b6e822d69fb54b41f83a357ff65d8bfc67bc3e304e88bf4d9f0c4aedc224

    • SHA512

      d50524992662aa84d5b4340525a25d915e91e464a725aa6851de206fd294aa7f4fcefe695ce463ce652b0a03874b75c0678b4c708d2b71f7c18804d1365d3458

    • SSDEEP

      6144:egtJZ0NSt7Jb/Is8vIfYg6KcZQV7GdRMrKUIvcgfoS3Qz89r:egWNStd7R8cYgsZK7qCrqfoS3Mcr

    • UAC bypass

    • Disables Task Manager via registry modification

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      trojan-leaks-main/Cs_Hacks_Free_no_hacks.exe

    • Size

      105KB

    • MD5

      06ea97fe57005515dcac13901efb3d9d

    • SHA1

      48e42f95e5d7fc1a572f7d50e7e07af462b03f4c

    • SHA256

      5bb7129469665dc7125d27cbd97cc65c17c3cbed91beffc63214b65a970332f6

    • SHA512

      07b15e991c3f0d382052a2faedf6f634dfcdaf18051113fe1300118ac67223c16b218195734894f5477dc36ef3799acda7af8fc23ab990955468505bd74f82da

    • SSDEEP

      1536:BY9V5I5iTSrWc3YiyCmOJu3yUyJCbX40K78JZ:BYzgWcpyCnWbJZ

    • Score

      1/10

    • Target

      trojan-leaks-main/Glodrix.exe

    • Size

      416KB

    • MD5

      766e0dceb95f26a79300e786669fd4c3

    • SHA1

      56bd2f5f37d012059e44185a4405332891b8efb6

    • SHA256

      a2d0fcecb809ae416d8d532f7eb58505977aeb00c66f0d51b70025946bc599b3

    • SHA512

      9cc4ab1466de58815ea48350f5e31135d9acfce87ba58863eb5632b6b56b5b512cae5b9a512b0400f45e982ad711a3c637bd79a3fe721df9ab0e659b8dd2a204

    • SSDEEP

      6144:23nEFPjLXbeQHD0wyqwYxKk+CKEEwL1fFx++/BsPZ:EnEFPjLtHvyqwYg3Tsj6

    • Score

      6/10

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      trojan-leaks-main/Halloware (BerkayV).exe

    • Size

      23.1MB

    • MD5

      2701cf0c52d8d8d961f21f9952af15e7

    • SHA1

      d8b9de327f95ba090e5606862003419388fc3dc7

    • SHA256

      616830e93c33240ff157b4eeeab1d1a3e9891d6410139afdbd4d01f075da0933

    • SHA512

      b4798cd526b116e943f3cba6f58175185898e374efd4ab7afe012495858c7997fb1fba1dac284ae4aa484dfc5f70b6240ad1281d90c9a3642e49edd95ab39110

    • SSDEEP

      196608:puv1iLrYSZWLN0dLeGyI8bMU+Ns3tlHO8:UdiHZZWLN1cu3tlHF

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Possible privilege escalation attempt

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

    • Modifies system executable filetype association

    • Drops file in System32 directory

    • Target

      trojan-leaks-main/HorrorTrojan123.exe

    • Size

      8.4MB

    • MD5

      2b71cc65cc949cfce47107383f9bce29

    • SHA1

      a57d725a4cb391d4ea02a3c4b5680935f72669cf

    • SHA256

      a513325690cf5bf2302ccc34e2264a8a48270de49a1863c018afed246472e37a

    • SHA512

      158d6e92839b4d83827832e870b4e3d2c8d388894dd5a194abbfcf4ad228fea7e83543b6278cedd6fb2b92801ba102178a962c4d4f0868e1aac62f50d668a824

    • SSDEEP

      196608:5MBEQlWRG1ywPTazB6S5KJ7lsL2jXdFTOJkJlJ0dN:qBEQl2G1yzB6HJ7GSjXjGx

    • Score

      1/10

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Bootkit (T1067): 3
  • Winlogon Helper DLL (T1004): 5
  • Hidden Files and Directories (T1158): 3
  • Change Default File Association (T1042): 4
  • Modify Existing Service (T1031): 1
  • Registry Run Keys / Startup Folder (T1060): 4

Privilege Escalation

  • Bypass User Account Control (T1088): 6

Defense Evasion

  • Modify Registry (T1112): 30
  • File Permissions Modification (T1222): 3
  • Hidden Files and Directories (T1158): 3
  • Bypass User Account Control (T1088): 6
  • Disabling Security Tools (T1089): 6
  • File Deletion (T1107): 2

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • System Information Discovery (T1082): 18
  • Query Registry (T1012): 9
  • Peripheral Device Discovery (T1120): 1
  • Process Discovery (T1057): 1

Collection

  • Data from Local System (T1005): 1

Impact

  • Inhibit System Recovery (T1490): 3
  • Defacement (T1491): 4

Tasks

static1

  upx, agilenet
  Score: 7/10

behavioral1

  bootkit, evasion, persistence
  Score: 8/10

behavioral2

  bootkit, evasion, persistence
  Score: 8/10

behavioral3

  bootkit, discovery, exploit, persistence
  Score: 8/10

behavioral4

  Score: 1/10

behavioral5

  evasion, persistence, ransomware, upx
  Score: 10/10

behavioral6

  evasion, persistence, ransomware, upx
  Score: 10/10

behavioral7

  discovery, evasion, exploit, persistence, ransomware, trojan
  Score: 10/10

behavioral8

  discovery, evasion, exploit, persistence, ransomware, trojan
  Score: 10/10

behavioral9

  Score: 7/10

behavioral10

  Score: 7/10

behavioral11

  Score: 3/10

behavioral12

  Score: 8/10

behavioral13

  evasion, persistence, spyware, stealer, trojan
  Score: 10/10

behavioral14

  evasion, persistence, trojan
  Score: 10/10

behavioral15

  evasion, persistence, ransomware, trojan
  Score: 10/10

behavioral16

  evasion, persistence, ransomware, trojan
  Score: 10/10

behavioral17

  evasion, persistence, ransomware, trojan
  Score: 10/10

behavioral18

  evasion, persistence, ransomware, trojan
  Score: 10/10

behavioral19

  Score: 1/10

behavioral20

  Score: 1/10

behavioral21

  Score: 1/10

behavioral22

  Score: 1/10

behavioral23

  evasion, persistence, trojan, upx
  Score: 10/10

behavioral24

  evasion, persistence, trojan, upx
  Score: 10/10

behavioral25

  Score: 1/10

behavioral26

  Score: 1/10

behavioral27

  bootkit, persistence
  Score: 6/10

behavioral28

  bootkit, persistence
  Score: 6/10

behavioral29

  discovery, evasion, exploit, persistence, trojan
  Score: 10/10

behavioral30

  discovery, evasion, exploit, persistence, trojan
  Score: 10/10

behavioral31

  Score: 1/10

behavioral32

  Score: 1/10