| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Hi-Zor encrypts C2 traffic with a double XOR using two distinct single-byte keys.[1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Hi-Zor creates a Registry Run key to establish persistence.[2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Hi-Zor uses various XOR techniques to obfuscate its components.[2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Hi-Zor deletes its RAT installer file as it executes its DLL payload file.[2] |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Hi-Zor executes using regsvr32.exe called from the Registry Run Keys / Startup Folder persistence mechanism.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | Hi-Zor has the ability to upload and download files from its C2 server.[2] |