TRISIS / TRITON / HatMan Malware Repository

#Security Testing #Malware Analysis

A comprehensive guide to malware analysis and reverse engineering, covering topics such as lab setup, debugging, and anti-debugging.

This Repository Contains Original Samples and Decompiled Sources of Malware

This repository includes original samples and decompiled sources of malware that targets commonly used Industrial Control Systems (ICS), specifically the Triconex Safety Instrumented System (SIS) controllers. Different organizations that have reported on this malware have referred to it by various names, including TRISIS, TRITON, and HatMan.

For More Information, Scroll to 'Learn More'

The folder named original_samples contains the original files used by the malware that may be encountered in the wild:

- trilog.7z MD5: 0b4e76e84fa4d6a9716d89107626da9b
- trilog.exe MD5: 6c39c3f4a08d3d78f2eb973a94bd7718
- library.7z MD5: 76f84d3aee53b2856575c9f55a9487e7
- library.zip MD5: 0face841f7b2953e7c29c064d6886523
- imain.7z MD5: d173e8016e73f0f2c17b5217a31153be
- imain.bin MD5: 437f135ba179959a580412e564d3107f
- inject.7z MD5: 80fdda5ea7eec98bfdd07fec8f644c2d
- inject.bin MD5: 0544d425c7555dc4e9d76b571f31f500
- all.7z MD5: c382f242f62a3c5f4aab2093f6e0fb2f

All archives are protected with the password: infected.

The folder named decompiled_code contains decompiled Python files that originated from the trilog.exe file and the library.zip archive mentioned above:

- Origin: trilog.exe
- Result: script_test.py
- Method: N/A