WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)

WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to WellMess.(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	1
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	1
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	1
WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	1
WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	2