Overview

overview

9

Static

static

3

Heaven's Exploits.zip

windows10-1703-x64

1

Heaven's Exploits.zip

windows11-21h2-x64

1

Heaven's E...er.exe

windows10-1703-x64

9

Heaven's E...er.exe

windows11-21h2-x64

9

Heaven's E...O.json

windows10-1703-x64

3

Heaven's E...O.json

windows11-21h2-x64

3

Heaven's E...ANO.iy

windows10-1703-x64

3

Heaven's E...ANO.iy

windows11-21h2-x64

3

Heaven's E..._FE.iy

windows10-1703-x64

3

Heaven's E..._FE.iy

windows11-21h2-x64

3

Heaven's E...g.json

windows10-1703-x64

3

Heaven's E...g.json

windows11-21h2-x64

3

Heaven's E...ed.txt

windows10-1703-x64

1

Heaven's E...ed.txt

windows11-21h2-x64

3

Heaven's E...ary.js

windows10-1703-x64

3

Heaven's E...ary.js

windows11-21h2-x64

3

Heaven's E...ipt.js

windows10-1703-x64

3

Heaven's E...ipt.js

windows11-21h2-x64

3

Heaven's E...on.txt

windows10-1703-x64

1

Heaven's E...on.txt

windows11-21h2-x64

3

Heaven's E...sh.txt

windows10-1703-x64

1

Heaven's E...sh.txt

windows11-21h2-x64

3

Heaven's E...op.ini

windows10-1703-x64

1

Heaven's E...op.ini

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Heaven's Exploits.zip

  • Size

    336KB

  • Sample

    240705-ktzpdsvhkp

  • MD5

    5048bb4d5026d1039654a97c8378edf2

  • SHA1

    48d7de93c5fba06572515a109dc04f335310136f

  • SHA256

    2f79a30540e3f31d86819c9fbf4d4f3a91d5d83ae07bcda94b1388818aebc933

  • SHA512

    cf4df4da62e9107b19fd0d4a88ede0fab8e14b474aba159a9e133859b8b34751e13bbfa6cd58eac6c2bf73f24b16e20eb12b2384c5a2e029a2a4611115337b9e

  • SSDEEP

    6144:lBzZhyoFThwHDh2GfPZHx3X8STKeAX0kMxb/ENHPNbmLq5hauTW3gIBcT1Z3UR:lBzZMoFThMhx9MSTK+bsNvN2KsxmLER

Score
9/10
discoveryevasionexecutionpersistenceprivilege_escalationthemidatrojan

Malware Config

Targets

    • Target

      Heaven's Exploits.zip

    • Size

      336KB

    • MD5

      5048bb4d5026d1039654a97c8378edf2

    • SHA1

      48d7de93c5fba06572515a109dc04f335310136f

    • SHA256

      2f79a30540e3f31d86819c9fbf4d4f3a91d5d83ae07bcda94b1388818aebc933

    • SHA512

      cf4df4da62e9107b19fd0d4a88ede0fab8e14b474aba159a9e133859b8b34751e13bbfa6cd58eac6c2bf73f24b16e20eb12b2384c5a2e029a2a4611115337b9e

    • SSDEEP

      6144:lBzZhyoFThwHDh2GfPZHx3X8STKeAX0kMxb/ENHPNbmLq5hauTW3gIBcT1Z3UR:lBzZMoFThMhx9MSTK+bsNvN2KsxmLER

    Score
    1/10
    behavioral1behavioral2

    • Target

      Heaven's Exploits/Solara/SolaraBootstrapper.exe

    • Size

      797KB

    • MD5

      36b62ba7d1b5e149a2c297f11e0417ee

    • SHA1

      ce1b828476274375e632542c4842a6b002955603

    • SHA256

      8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c

    • SHA512

      fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94

    • SSDEEP

      12288:n1mzgHpbzEu8AgpQojA1j855xU9pHIRxSNN:1mzgH385QojA1j855xSHI

    Score
    9/10
    discoveryevasionpersistenceprivilege_escalationthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

    • Target

      Heaven's Exploits/Solara/workspace/CFA HUB/Battlegrounder_2_GPO.json

    • Size

      103B

    • MD5

      11a20fb3a36a44e6d84defc45e451137

    • SHA1

      953db601c550347c22e4fc24686d18dc5bf55812

    • SHA256

      5482c0ee2a7c556c1fbd2622e020c0df47e7d8d8e9ff4e2c6ae640fb90229ab4

    • SHA512

      1413708671b5b8fe8f0a0cb2315790d71866436098d93e905296b69c432c6bf61d009ad2a365e2f3452612e2791ed135dc71695c40fc98c9b1a00b2bad3895b4

    Score
    3/10
    behavioral5behavioral6

    • Target

      Heaven's Exploits/Solara/workspace/IY_ANO.iy

    • Size

      612B

    • MD5

      7ad904ec84ef2cdbce7cba0a00b1f7f9

    • SHA1

      7b18e4c265a35fb621154e436f62dbfae76b4de9

    • SHA256

      39bddd0f493244f3570f1b92784bb29d5c80e5c8ff3cbe795459944569c7a26c

    • SHA512

      2805c7aca717f89fbe8a5ec99abe1cfcabaf7278a129226522a5b1e2878e8c16dd7d610ebcd05dd391d4e582d1c4f71c8e5a341a4116a9e77d405953ddf6e737

    Score
    3/10
    behavioral7behavioral8

    • Target

      Heaven's Exploits/Solara/workspace/IY_FE.iy

    • Size

      662B

    • MD5

      24c8be244b2dbd69555f27437a7fa3c1

    • SHA1

      4da122e8a1c06e1e490230c7c88a7457f0958c9d

    • SHA256

      46fb07ba8a7a0d02bd1fb74bff1c5617416e60e7cde6a20b42c9fe49859b0b41

    • SHA512

      2c3fdd5f9af0d7c4b35cad5f6b905c361a08d1ef629fda6b6bd6f92d2901ddff4ac9839574461d581275e53e7f9ccfe8dfd7cb2ba88946a92d264b25d5e65618

    Score
    3/10
    behavioral10behavioral9

    • Target

      Heaven's Exploits/Solara/workspace/KavoConfig.JSON

    • Size

      2B

    • MD5

      99914b932bd37a50b983c5e7c90ae93b

    • SHA1

      bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

    • SHA256

      44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

    • SHA512

      27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

    Score
    3/10
    behavioral11behavioral12

    • Target

      Heaven's Exploits/Solara/workspace/vape/CustomModules/cachechecked.txt

    • Size

      8B

    • MD5

      723aa82a83c278d5e7e7be9b109b406a

    • SHA1

      ec734b651574683f36974c7f12847fbbe084dbe2

    • SHA256

      1c34f88707b55e6104c4eb20e71ffa3d33e414b71ef689a15fad0640d0ac58cb

    • SHA512

      4531c2506478afd163726a5d6ffd8c64c24819545d906526aa749361e634556595d3b0f6b606c2bfd069e4938168d7cde18c60ea44475e339707472729eff10d

    Score
    3/10
    behavioral13behavioral14

    • Target

      Heaven's Exploits/Solara/workspace/vape/GuiLibrary.lua

    • Size

      319KB

    • MD5

      ac1cee0caefeed479df85604e69873c6

    • SHA1

      204e0f0793fd1e707d06d957c57b7a4c6fa471fa

    • SHA256

      0521f91ffdfd8906464a0b79300b999335edb2f3cdb902093a2dfb25edf7beb1

    • SHA512

      c1793b507653f37ff2bb8abf8d212fda57edd738bdb0cc84196e7d7d064069b07d7b47a95ca6f8ec6db8bf9a39a4d0b6465a12133f9c3be04887dc1687ad7154

    • SSDEEP

      3072:6fmwRHjS0ObMPjVw+usbpNpz4hXwz5Ts45FjKbnFNMDnlaAXiUk81r89k:6fJhus5OAmhyfhwk

    Score
    3/10
    execution
    behavioral15behavioral16

    • Target

      Heaven's Exploits/Solara/workspace/vape/MainScript.lua

    • Size

      83KB

    • MD5

      4e3739d68f5985ab3797ab33e0975cdd

    • SHA1

      7c37faf5a8643a5190ba286b630c9d3fe5bf32af

    • SHA256

      3befe40113dd767799be851b50d23a56923ea296d2b50b3051a5764e18bd5641

    • SHA512

      679faf5fa0f189eef742360cd5efecc429760544a0a6002fab8ea66d04c59202113ca1df804cc50af2adb9dba5ce94407ff22f0f1e7074d3d2ff8f703b5d5d9e

    • SSDEEP

      768:aABxHBr9wodvBHW50nmXsWjk1jpVxjfjTIkjblSBd4UN6j0jo/QIIj8j8jLzYvDj:zh9lNDZL3QwxBXpEJxrSCNhPKydZlM

    Score
    3/10
    execution
    behavioral17behavioral18

    • Target

      Heaven's Exploits/Solara/workspace/vape/assetsversion.txt

    • Size

      2B

    • MD5

      1f0e3dad99908345f7439f8ffabdffc4

    • SHA1

      b3f0c7f6bb763af1be91d9e74eabfeb199dc1f1f

    • SHA256

      9400f1b21cb527d7fa3d3eabba93557a18ebe7a2ca4e471cfe5e4c5b4ca7f767

    • SHA512

      8d89aa701de5a35b24cfadbd2088986ae13311d1a7c63abe5c780c62bc939a0577c3a78cf7ee4951c1b09f6849074c21ca1f7023e89bee683c1dbb2134a984d0

    Score
    3/10
    behavioral19behavioral20

    • Target

      Heaven's Exploits/Solara/workspace/vape/commithash.txt

    • Size

      40B

    • MD5

      4c6cbef0698e3036ac126cf319a3c30e

    • SHA1

      d470501cb0673bec65506aa4078216138b20ed46

    • SHA256

      21c90014fcccd39e7ddf2d13be9cbd946ec2819bef3aa42a72cf75753bbcf0aa

    • SHA512

      1093a5d28072e34feb3dc96e85279a5513bc23239d278b08762f9302567959a367043a39fb8d170228e386609e0a07a1a0fa65ae8834aacabffed2e12ce2a0a0

    Score
    3/10
    behavioral21behavioral22

    • Target

      Heaven's Exploits/desktop.ini

    • Size

      115B

    • MD5

      237ae24d8a78e44b4b04bdf60d3b615b

    • SHA1

      c46f23018848fda2af873988bb912ba0902603cf

    • SHA256

      1e649ff90acd5e0c3fc1e9a91880239ddb63abd447a799d7897d493488749e62

    • SHA512

      f0d900342cbc3471643e7bec97f9d9b47e77aa04c85a7b64b281c09dfafa711f3f5e718437610ae8fd2f726f0d66e1771b6b21eac1bf31d4d9c8aab9dd81baca

    Score
    3/10
    behavioral23behavioral24

MITRE ATT&CK Enterprise v15

Tasks