| ID | X0026 |
| Type | Backdoor, Trojan |
| Aliases | None |
| Platforms | Windows |
| Year | 2012 |
| Associated ATT&CK Software | None |
This Trojan is associated with the Energetic Bear group [1].
| Name | Use |
|---|---|
| Execution::Shared Modules (T1129) | Heriplor accesses PEB ldr_data. [3] |
| Name | Use |
|---|---|
| Anti-Static Analysis::Executable Code Obfuscation::API Hashing (B0032.001) | Malware uses API hashing method. [1] |
| Command and Control::C2 Communication::Receive Data (B0030.002) | Malware has the capability to connect with a C2 to download arbitrary code. [2] |
SHA256 Hashes
- 1b17ce735512f3104557afe3becacd05ac802b2af79dab5bb1a7ac8d10dccffd
- b051a5997267a5d7fa8316005124f3506574807ab2b25b037086e2e971564291
[1] https://insights.sei.cmu.edu/blog/api-hashing-tool-imagine-that/
[2] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_heriplor.a
[3] capa v4.0, analyzed at MITRE on 10/12/2022