Skip to content

Hide Navigation Hide TOC

Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94)

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.(Citation: Trend Micro Carberp February 2014)(Citation: KasperskyCarbanak)(Citation: RSA Carbanak November 2017)

Cluster A Galaxy A Cluster B Galaxy B Level
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) Attack Pattern Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern 1
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern 1
Carberp - S0484 (bbcd7a02-ef24-4171-ac94-a93540173b94) Malware Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern 1
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Bootkit - T1542.003 (1b7b1806-7746-41a1-a35d-e48dae25ddba) Attack Pattern Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 2