Clase: Trojan-Dropper
Los programas Trojan-Dropper están diseñados para instalar en secreto programas maliciosos integrados en su código en las computadoras de las víctimas. Este tipo de programa malicioso generalmente guarda un rango de archivos en el disco de la víctima (generalmente en el directorio de Windows, el directorio del sistema de Windows, el directorio temporal, etc.) y los lanza sin ninguna notificación (o con notificación falsa de un error de archivo, versión obsoleta del sistema operativo, etc.). Tales programas son utilizados por los piratas informáticos para: instalar en secreto programas troyanos y / o virus para evitar que los programas maliciosos conocidos sean detectados por las soluciones antivirus; no todos los programas antivirus son capaces de escanear todos los componentes dentro de este tipo de troyanos.Más información
Plataforma: Win32
Win32 es una API en sistemas operativos basados en Windows NT (Windows XP, Windows 7, etc.) que admite la ejecución de aplicaciones de 32 bits. Una de las plataformas de programación más extendidas en el mundo.Familia: Trojan-Dropper.Win32.Pasnaino
No family descriptionExamples
8102D854F80476002861614CD758A85052DE16442E081515380851C2FB51786C
79159BDABA639B232BE158BD11A508A5
7559BB91082CA76D89B5939BEA164A7A
954084FF917C22993DB61C3526150619
Tactics and Techniques: Mitre*
TA0005
Defense Evasion
The adversary is trying to avoid being detected.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1070.006
Indicator Removal: Timestomp
Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Timestomping may be used along with file name Masquerading to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
Timestomping may be used along with file name Masquerading to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
TA0009
Collection
The adversary is trying to gather data of interest to their goal.
Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.
Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.
T1560.001
Archive Collected Data: Archive via Utility
Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as
On Windows,
Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as
tar on Linux and macOS or zip on Windows systems. On Windows,
diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. Remote Data Staging).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use certutil to Base64 encode collected data before exfiltration. Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
* © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.