Overview

overview

9

Static

static

3

Heist Edit...ty.exe

windows7-x64

9

Heist Edit...ty.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Heist Editor 3.6.3.1Community.exe

  • Size

    8.4MB

  • Sample

    240701-d6k87svere

  • MD5

    e2a942481a3c1489bce0adea0bb9e8ce

  • SHA1

    29970574fe0f8c0f4597b4cd8c4694e9d746dd00

  • SHA256

    558a9fe5d58f6457f4d9fadd412c53e29d8748d41597df7c696f1353bd5a3f3f

  • SHA512

    18b1ad732b80f238f77ead0cb8ceabfcb54f8b766847abc748f4d273d2f7f03a56896efcee39f1f36c52c47db1526dbef5add33db5b996bed52e74556b1216ce

  • SSDEEP

    196608:RXdz2vbYWAsmIWCj6ckBVly956WZs80kcsn0ukU7p5:Hyv8UWTNyH6K6TsZP7p5

Score
9/10
bootkitevasionpersistencetrojan

Malware Config

Targets

    • Target

      Heist Editor 3.6.3.1Community.exe

    • Size

      8.4MB

    • MD5

      e2a942481a3c1489bce0adea0bb9e8ce

    • SHA1

      29970574fe0f8c0f4597b4cd8c4694e9d746dd00

    • SHA256

      558a9fe5d58f6457f4d9fadd412c53e29d8748d41597df7c696f1353bd5a3f3f

    • SHA512

      18b1ad732b80f238f77ead0cb8ceabfcb54f8b766847abc748f4d273d2f7f03a56896efcee39f1f36c52c47db1526dbef5add33db5b996bed52e74556b1216ce

    • SSDEEP

      196608:RXdz2vbYWAsmIWCj6ckBVly956WZs80kcsn0ukU7p5:Hyv8UWTNyH6K6TsZP7p5

    Score
    9/10
    bootkitevasionpersistencetrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

      evasiontrojan

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks