TRISIS / TRITON / HatMan Malware Repository Logo

TRISIS / TRITON / HatMan Malware Repository

0
Free
Visit Website

This repository contains original samples and decompiled sources of malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers. Each organization describing this malware in reports used a different name (TRISIS/TRITON/HatMan). For more information scroll to 'Learn More'. Folder original_samples contains original files used by the malware that could be found in the wild: - trilog.7z MD5: 0b4e76e84fa4d6a9716d89107626da9b - trilog.exe MD5: 6c39c3f4a08d3d78f2eb973a94bd7718 - library.7z MD5: 76f84d3aee53b2856575c9f55a9487e7 - library.zip MD5: 0face841f7b2953e7c29c064d6886523 - imain.7z MD5: d173e8016e73f0f2c17b5217a31153be - imain.bin MD5: 437f135ba179959a580412e564d3107f - inject.7z MD5: 80fdda5ea7eec98bfdd07fec8f644c2d - inject.bin MD5: 0544d425c7555dc4e9d76b571f31f500 - all.7z MD5: c382f242f62a3c5f4aab2093f6e0fb2f All archives are secured with password: infected Folder decompiled_code contains decompiled python files, originating from trilog.exe file and library.zip archive described above: - Origin: trilog.exe - Result: script_test.py - Method: N/A

FEATURES

ALTERNATIVES

A Linux process injection tool that injects shellcode into a running process

FLARE-VM is a collection of software installation scripts for Windows systems designed for setting up and maintaining a reverse engineering environment on a virtual machine.

IDA Pro plugin for finding crypto constants

Binwalk is a tool for analyzing, reverse engineering, and extracting firmware images with security and Python 2.7 deprecation notices.

YARA is a tool for identifying and classifying malware samples based on textual or binary patterns.

Repository of scripts, signatures, and IOCs related to various malware analysis topics.

A Python script that converts shellcode into a PE32 or PE32+ file.

Scans running processes for potentially malicious implants and dumps them.

PINNED