Skip to content

Hide Navigation Hide TOC

Edit

Tidal Software

Tidal Software Cluster

Authors
Authors and/or Contributors
Tidal Cyber

3PARA RAT

3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [CrowdStrike Putter Panda]

Internal MISP references

UUID 71d76208-c465-4447-8d6e-c54f142b65a4 which can be used as unique global reference for 3PARA RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0066
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

4H RAT

4H RAT is malware that has been used by Putter Panda since at least 2007. [CrowdStrike Putter Panda]

Internal MISP references

UUID a15142a3-4797-4fef-8ec6-065e3322a69b which can be used as unique global reference for 4H RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0065
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

7-Zip

7-Zip is a tool used to compress files into an archive.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 4665e52b-3c5c-4a7f-9432-c89ef26f2c93 which can be used as unique global reference for 7-Zip in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5023
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'c45ce044-b5b9-426a-866c-130e9f2a4427', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

8Base Ransomware

The 8Base ransomware operation began claiming significant numbers of victims on its data leak site in June 2023, including organizations in a range of sectors. Researchers have observed considerable similarities between aspects of 8Base's operations and those of other ransomware groups, leading them to suspect that 8Base may be an evolution or offshoot of existing operations. The language in 8Base's ransom notes is similar to the language seen in RansomHouse's notes, and there is strong overlap between the code of Phobos ransomware and 8Base.[VMWare 8Base June 28 2023][Acronis 8Base July 17 2023]

Internal MISP references

UUID 88a5435f-5586-4cb4-a9c0-1961ee060a67 which can be used as unique global reference for 8Base Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5299
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[AADInternals Github][AADInternals Documentation]

Internal MISP references

UUID 3d33fbf5-c21e-4587-ba31-9aeec3cc10c0 which can be used as unique global reference for AADInternals in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Office 365', 'Windows']
software_attack_id S0677
source MITRE
tags ['c9c73000-30a5-4a16-8c8b-79169f9c24aa', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

ABK

ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID 394cadd0-bc4d-4181-ac53-858e84b8e3de which can be used as unique global reference for ABK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0469
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

AccCheckConsole

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Verifies UI accessibility requirements

Author: bohops

Paths: * C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe * C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe * C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe * C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe

Resources: * https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 * https://twitter.com/bohops/status/1477717351017680899

Detection: * Sigma: proc_creation_win_lolbin_susp_acccheckconsole.yml * IOC: Sysmon Event ID 1 - Process Creation * Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340[AccCheckConsole.exe - LOLBAS Project]

Internal MISP references

UUID cce705c7-49f8-4b54-b854-fd4b3a32e6ff which can be used as unique global reference for AccCheckConsole in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5203
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

AccountRestore

AccountRestore is a .NET executable that is used to brute force Active Directory accounts. The tool searches for a list of specific users and attempts to brute force the accounts based on a password file provided by the user.[Security Joes Sockbot March 09 2022]

Internal MISP references

UUID 6bc29df2-195e-410c-ad08-f3661575492f which can be used as unique global reference for AccountRestore in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5059
source Tidal Cyber
tags ['dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['malware']
Related clusters

To see the related clusters, click here.

AcidRain

AcidRain is an ELF binary targeting modems and routers using MIPS architecture.[AcidRain JAGS 2022] AcidRain is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with Sandworm Team.[AcidRain JAGS 2022] US and European government sources linked AcidRain to Russian government entities, while Ukrainian government sources linked AcidRain specifically to Sandworm Team.[AcidRain State Department 2022][Vincens AcidPour 2024]

Internal MISP references

UUID cf465790-3d6d-5767-bb8c-63a429f95d83 which can be used as unique global reference for AcidRain in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network', 'Linux']
software_attack_id S1125
source MITRE
tags ['b20e7912-6a8d-46e3-8e13-9a3fc4813852']
type ['malware']
Related clusters

To see the related clusters, click here.

Action RAT

Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.[MalwareBytes SideCopy Dec 2021]

Internal MISP references

UUID 202781a3-d481-4984-9e5a-31caafc20135 which can be used as unique global reference for Action RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1028
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

adbupd

adbupd is a backdoor used by PLATINUM that is similar to Dipsind. [Microsoft PLATINUM April 2016]

Internal MISP references

UUID f52e759a-a725-4b50-84f2-12bef89d369e which can be used as unique global reference for adbupd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0202
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

AddinUtil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: .NET Tool used for updating cache files for Microsoft Office Add-Ins.

Author: Michael McKinley @MckinleyMike

Paths: * C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe

Resources: * https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html

Detection: * Sigma: proc_creation_win_addinutil_suspicious_cmdline.yml * Sigma: proc_creation_win_addinutil_uncommon_child_process.yml * Sigma: proc_creation_win_addinutil_uncommon_cmdline.yml * Sigma: proc_creation_win_addinutil_uncommon_dir_exec.yml[AddinUtil.exe - LOLBAS Project]

Internal MISP references

UUID 253f97c3-ba35-4064-8ec0-892872432214 which can be used as unique global reference for AddinUtil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5082
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

AdFind

AdFind is a free command-line query tool that can be used for gathering information from Active Directory.[Red Canary Hospital Thwarted Ryuk October 2020][FireEye FIN6 Apr 2019][FireEye Ryuk and Trickbot January 2019]

Internal MISP references

UUID 70559096-2a6b-4388-97e6-c2b16f3be78e which can be used as unique global reference for AdFind in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0552
source MITRE
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '3a633b73-9c2c-4293-8577-fb97be0cda37', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

adplus

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Debugging tool included with Windows Debugging Tools

Author: mr.d0x

Paths: * C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe * C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe

Resources: * https://mrd0x.com/adplus-debugging-tool-lsass-dump/ * https://twitter.com/nas_bench/status/1534916659676422152 * https://twitter.com/nas_bench/status/1534915321856917506

Detection: * Sigma: proc_creation_win_lolbin_adplus.yml * IOC: As a Windows SDK binary, execution on a system may be suspicious[adplus.exe - LOLBAS Project]

Internal MISP references

UUID 3f229fe8-4d03-48ba-97b5-d7132510e090 which can be used as unique global reference for adplus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5204
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ADRecon

ADRecon is an open-source tool that can be used to gather a "holistic" view of a target Active Directory environment.[GitHub ADRecon]

Internal MISP references

UUID c227bea1-9996-49d6-97ca-10a2fc156747 which can be used as unique global reference for ADRecon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5270
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

Advanced IP Scanner

Advanced IP Scanner is a tool used to perform network scans and show network devices.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID ff0af6fd-e4a1-47c9-b4a1-7ce5074e089e which can be used as unique global reference for Advanced IP Scanner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5024
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Advanced Port Scanner

Advanced Port Scanner is a tool used to perform network scans.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID f93b54cf-a17c-4739-a7af-4106055f868d which can be used as unique global reference for Advanced Port Scanner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5006
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

AdvancedRun

AdvancedRun is a tool used to enable software execution under user-defined settings.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 7ef15943-8061-4941-b14e-9634c0b95d28 which can be used as unique global reference for AdvancedRun in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5025
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '7de7d799-f836-4555-97a4-0db776eb6932', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Advpack

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Utility for installing software and drivers with rundll32.exe

Author: LOLBAS Team

Paths: * c:\windows\system32\advpack.dll * c:\windows\syswow64\advpack.dll

Resources: * https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ * https://twitter.com/ItsReallyNick/status/967859147977850880 * https://twitter.com/bohops/status/974497123101179904 * https://twitter.com/moriarty_meng/status/977848311603380224

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml * Splunk: detect_rundll32_application_control_bypass___advpack.yml[Advpack.dll - LOLBAS Project]

Internal MISP references

UUID 6c82fc65-864a-4a8c-80ed-80a69920c44f which can be used as unique global reference for Advpack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5187
source Tidal Cyber
tags ['7a457caf-c3b6-4a48-84cf-c1f50a2eda27', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ADVSTORESHELL

ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. [Kaspersky Sofacy] [ESET Sednit Part 2]

Internal MISP references

UUID ef7f4f5f-6f30-4059-87d1-cd8375bf1bee which can be used as unique global reference for ADVSTORESHELL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0045
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635', '16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Agent.btz

Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. [Securelist Agent.btz]

Internal MISP references

UUID f27c9a91-c618-40c6-837d-089ba4d80f45 which can be used as unique global reference for Agent.btz in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0092
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

AgentExecutor

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Intune Management Extension included on Intune Managed Devices

Author: Eleftherios Panos

Paths: * C:\Program Files (x86)\Microsoft Intune Management Extension

Resources:

Detection: * Sigma: proc_creation_win_lolbin_agentexecutor.yml * Sigma: proc_creation_win_lolbin_agentexecutor_susp_usage.yml[AgentExecutor.exe - LOLBAS Project]

Internal MISP references

UUID 27fa7573-c1d3-4857-8a45-ef501c8ea32c which can be used as unique global reference for AgentExecutor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5205
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Agent Tesla

Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[Fortinet Agent Tesla April 2018][Bitdefender Agent Tesla April 2020][Malwarebytes Agent Tesla April 2020]

Internal MISP references

UUID 304650b1-a0b5-460c-9210-23a5b53815a4 which can be used as unique global reference for Agent Tesla in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0331
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Akira

Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the a ransomware-as-a-service entity Akira.[Kersten Akira 2023]

Internal MISP references

UUID 96ae0e1e-975a-5e11-adbe-c79ee17cee11 which can be used as unique global reference for Akira in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1129
source MITRE
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '562e535e-19f5-4d6c-81ed-ce2aec544f09']
type ['malware']
Related clusters

To see the related clusters, click here.

Akira Ransomware

A ransomware binary designed to encrypt victim files. More details about the TTPs typically observed during Akira ransomware attacks can be found in the associated Group object, "Akira Ransomware Actors".

Internal MISP references

UUID 59d598a9-e115-4d90-8fef-096015afa8d4 which can be used as unique global reference for Akira Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5280
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '562e535e-19f5-4d6c-81ed-ce2aec544f09']
type ['malware']
Related clusters

To see the related clusters, click here.

Amadey

Amadey is a Trojan bot that has been used since at least October 2018.[Korean FSI TA505 2020][BlackBerry Amadey 2020]

Internal MISP references

UUID f173ec20-ef40-436b-a859-fef017e1e767 which can be used as unique global reference for Amadey in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1025
source MITRE
tags ['fa84181d-fd9a-4c7b-8e18-e47011993b5e', '263adb48-051c-4384-90cf-1d4c937c3f05', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Anchor

Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.[Cyberreason Anchor December 2019][Medium Anchor DNS July 2020]

Internal MISP references

UUID 9521c535-1043-4b82-ba5d-e5eaeca500ee which can be used as unique global reference for Anchor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0504
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

ANDROMEDA

ANDROMEDA is commodity malware that was widespread in the early 2010's and continues to be observed in infections across a wide variety of industries. During the 2022 C0026 campaign, threat actors re-registered expired ANDROMEDA C2 domains to spread malware to select targets in Ukraine.[Mandiant Suspected Turla Campaign February 2023]

Internal MISP references

UUID 69aac793-9e6a-5167-bc62-823189ee2f7b which can be used as unique global reference for ANDROMEDA in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1074
source MITRE
type ['malware']

Angry IP Scanner

Angry IP Scanner is a tool that adversaries are known to use to search for vulnerable RDP ports.[U.S. CISA Phobos February 29 2024]

Internal MISP references

UUID 8efa90ac-a894-467d-8633-16a44d270358 which can be used as unique global reference for Angry IP Scanner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S5274
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'cd1b5d44-226e-4405-8985-800492cf2865', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

AnyDesk

AnyDesk is a tool used to enable remote connections to network devices.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 922447fd-f41e-4bcf-b479-88137c81099c which can be used as unique global reference for AnyDesk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5007
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'fb06d216-f535-45c1-993a-8c1b7aa2111c', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

AppInstaller

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Tool used for installation of AppX/MSIX applications on Windows 10

Author: Wade Hickey

Paths: * C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe

Resources: * https://twitter.com/notwhickey/status/1333900137232523264

Detection: * Sigma: dns_query_win_lolbin_appinstaller.yml[AppInstaller.exe - LOLBAS Project]

Internal MISP references

UUID 9fa7c759-172f-4ae3-ac3d-0070c3c4c439 which can be used as unique global reference for AppInstaller in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5083
source Tidal Cyber
tags ['837cf289-ad09-48ca-adf9-b46b07015666', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

AppleJeus

AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[CISA AppleJeus Feb 2021]

Internal MISP references

UUID cdeb3110-07e5-4c3d-9eef-e6f2b760ef33 which can be used as unique global reference for AppleJeus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Windows']
software_attack_id S0584
source MITRE
tags ['8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

AppleSeed

AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.[Malwarebytes Kimsuky June 2021]

Internal MISP references

UUID 9df2e42e-b454-46ea-b50d-2f7d999f3d42 which can be used as unique global reference for AppleSeed in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Android', 'Windows']
software_attack_id S0622
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Appvlp

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Application Virtualization Utility Included with Microsoft Office 2016

Author: Oddvar Moe

Paths: * C:\Program Files\Microsoft Office\root\client\appvlp.exe * C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe

Resources: * https://github.com/MoooKitty/Code-Execution * https://twitter.com/moo_hax/status/892388990686347264 * https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/ * https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/

Detection: * Sigma: proc_creation_win_lolbin_appvlp.yml[Appvlp.exe - LOLBAS Project]

Internal MISP references

UUID 1328ae5d-7220-46bb-a7ee-0c5a31eeda7f which can be used as unique global reference for Appvlp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5206
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

AresLoader

AresLoader is a loader malware distributed as malware-as-a-service. It has been observed being both dropped by and delivering SystemBC, a known ransomware precursor.[New loader on the bloc - AresLoader | Intel471]

Internal MISP references

UUID 5bf1ed41-8fe5-4c4b-8d80-a55980289e1f which can be used as unique global reference for AresLoader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5286
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'a2e000da-8181-4327-bacd-32013dbd3654', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

Aria-body

Aria-body is a custom backdoor that has been used by Naikon since approximately 2017.[CheckPoint Naikon May 2020]

Internal MISP references

UUID 7ba79887-d496-47aa-8b71-df7f46329322 which can be used as unique global reference for Aria-body in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0456
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Arp

Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache. [TechNet Arp]

Internal MISP references

UUID 45b51950-6190-4572-b1a2-7c69d865251e which can be used as unique global reference for Arp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0099
source MITRE
tags ['509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Aspnet_Compiler

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: ASP.NET Compilation Tool

Author: Jimmy (@bohops)

Paths: * c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe * c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Resources: * https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ * https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8

Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * Sigma: proc_creation_win_lolbin_aspnet_compiler.yml[Aspnet_Compiler.exe - LOLBAS Project]

Internal MISP references

UUID 42763dde-8226-4f31-a3ba-face2da84dd2 which can be used as unique global reference for Aspnet_Compiler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5084
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ASPXSpy

ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [Dell TG-3390]

Internal MISP references

UUID a0cce010-9158-45e5-978a-f002e5c31a03 which can be used as unique global reference for ASPXSpy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0073
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [Cybereason Astaroth Feb 2019][Cofense Astaroth Sept 2018][Securelist Brazilian Banking Malware July 2020]

Internal MISP references

UUID ea719a35-cbe9-4503-873d-164f68ab4544 which can be used as unique global reference for Astaroth in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0373
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

AsyncRAT

AsyncRAT is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.[Morphisec Snip3 May 2021][Cisco Operation Layover September 2021][Telefonica Snip3 December 2021]

Internal MISP references

UUID d587efff-4699-51c7-a4cc-bdbd1b302ed4 which can be used as unique global reference for AsyncRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1087
source MITRE
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444']
type ['tool']
Related clusters

To see the related clusters, click here.

at

at is used to schedule tasks on a system to run at a specified date or time.[TechNet At][Linux at]

Internal MISP references

UUID af01dc7b-a2bc-4fda-bbfe-d2be889c2860 which can be used as unique global reference for at in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0110
source MITRE
tags ['5bc4c6c6-36df-4a53-920c-53e17d7027db', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Atbroker

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Helper binary for Assistive Technology (AT)

Author: Oddvar Moe

Paths: * C:\Windows\System32\Atbroker.exe * C:\Windows\SysWOW64\Atbroker.exe

Resources: * http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/

Detection: * Sigma: proc_creation_win_lolbin_susp_atbroker.yml * Sigma: registry_event_susp_atbroker_change.yml * IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration * IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs * IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware[Atbroker.exe - LOLBAS Project]

Internal MISP references

UUID 2efae55c-86f3-4234-af26-1c75e922d81a which can be used as unique global reference for Atbroker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5085
source Tidal Cyber
tags ['85a29262-64bd-443c-9e08-3ee26aac859b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Atera Agent

Atera Agent is a legitimate remote administration tool (specifically a remote management and maintenance ("RMM") solution) that adversaries have used as a command and control tool for remote code execution, tool ingress, and persisting in victim environments.[U.S. CISA PaperCut May 2023]

Internal MISP references

UUID f8113a9f-a706-46df-8370-a9cef1c75f30 which can be used as unique global reference for Atera Agent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5014
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '9a5ed991-6fe7-49fe-8536-91defc449b18', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

Atomic Stealer

Atomic Stealer is an information-stealing malware ("infostealer") designed to harvest passwords, cookies, and other sensitive information from macOS systems. It is often delivered via malicious download sites promoted via malvertising.[Malwarebytes 9 6 2023]

Internal MISP references

UUID ce914eea-8db9-425b-8ae2-a56a264b4951 which can be used as unique global reference for Atomic Stealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['macOS']
software_attack_id S5314
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

Attor

Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.[ESET Attor Oct 2019]

Internal MISP references

UUID 89c35e9f-b435-4f58-9073-f24c1ee8754f which can be used as unique global reference for Attor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0438
source MITRE
type ['malware']

AuditCred

AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[TrendMicro Lazarus Nov 2018]

Internal MISP references

UUID d0c25f14-5eb3-40c1-a890-2ab1349dff53 which can be used as unique global reference for AuditCred in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0347
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

AutoIt backdoor

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [Forcepoint Monsoon] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

Internal MISP references

UUID 3f927596-5219-49eb-bd0d-57068b0e04ed which can be used as unique global reference for AutoIt backdoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0129
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Automim

Researchers describe Automim as a "collection of .cmd, .vbs and .bat files that automate the execution" of the Mimikatz and LaZagne credential harvesting tools.[CrowdStrike Endpoint Security Testing Oct 2021]

Internal MISP references

UUID 984249bd-6421-4133-bd2a-25f330b4b441 which can be used as unique global reference for Automim in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5277
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['tool']
Related clusters

To see the related clusters, click here.

AuTo Stealer

AuTo Stealer is malware written in C++ has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[MalwareBytes SideCopy Dec 2021]

Internal MISP references

UUID 649a4cfc-c0d0-412d-a28c-1bd4ed604ea8 which can be used as unique global reference for AuTo Stealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1029
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Avaddon

Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.[Awake Security Avaddon][Arxiv Avaddon Feb 2021]

Internal MISP references

UUID bad92974-35f6-4183-8024-b629140c6ee6 which can be used as unique global reference for Avaddon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0640
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Avenger

Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID e5ca0192-e905-46a1-abef-ce1119c1f967 which can be used as unique global reference for Avenger in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0473
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

AvosLocker

AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[Malwarebytes AvosLocker Jul 2021][Trend Micro AvosLocker Apr 2022][Joint CSA AvosLocker Mar 2022]

Internal MISP references

UUID e792dc8d-b0f4-5916-8850-a61ff53125d0 which can be used as unique global reference for AvosLocker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S1053
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'c3779a84-8132-4c62-be2f-9312ad41c273', 'ce9f1048-09c1-49b0-a109-dd604afbf3cd', 'fe3eb26d-6daa-4f82-b0dd-fc1e2fffbc2b', '9e4936f0-e3b7-4721-a638-58b2d093b2f2', '24448a05-2337-4bc9-a889-a83f2fd1f3ad', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Azorult

Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [Unit42 Azorult Nov 2018][Proofpoint Azorult July 2018]

Internal MISP references

UUID cc68a7f0-c955-465f-bee0-2dacbb179078 which can be used as unique global reference for Azorult in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0344
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Babuk

Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[Sogeti CERT ESEC Babuk March 2021][McAfee Babuk February 2021][CyberScoop Babuk February 2021]

Internal MISP references

UUID 0dc07eb9-66df-4116-b1bc-7020ca6395a1 which can be used as unique global reference for Babuk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0638
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'b5962a84-f1c7-4d0d-985c-86301db95129', '12124060-8392-49a3-b7b7-1dde3ebc8e67', '915e7ac2-b266-45d7-945c-cb04327d6246', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'a2e000da-8181-4327-bacd-32013dbd3654']
type ['malware']

BabyShark

BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. [Unit42 BabyShark Feb 2019]

Internal MISP references

UUID ebb824a2-abff-4bfd-87f0-d63cb02b62e6 which can be used as unique global reference for BabyShark in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0414
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

BackConfig

BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.[Unit 42 BackConfig May 2020]

Internal MISP references

UUID 2763ad8c-cf4e-42eb-88db-a40ff8f96cf9 which can be used as unique global reference for BackConfig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0475
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Backdoor.Oldrea

Backdoor.Oldrea is a modular backdoor that used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[Symantec Dragonfly][Gigamon Berserk Bear October 2021][Symantec Dragonfly Sept 2017]

Internal MISP references

UUID f7cc5974-767c-4cb4-acc7-36295a386ce5 which can be used as unique global reference for Backdoor.Oldrea in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0093
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647']
type ['malware']
Related clusters

To see the related clusters, click here.

BACKSPACE

BACKSPACE is a backdoor used by APT30 that dates back to at least 2005. [FireEye APT30]

Internal MISP references

UUID d0daaa00-68e1-4568-bb08-3f28bcd82c63 which can be used as unique global reference for BACKSPACE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0031
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Backstab

Backstab is a tool used to terminate antimalware-protected processes.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 5a9a7a54-21cb-4a5c-bef0-d37f8678bf46 which can be used as unique global reference for Backstab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5026
source Tidal Cyber
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'd469efcf-4feb-4149-9c0f-c4b7821960bd', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

BADCALL

BADCALL is a Trojan malware variant used by the group Lazarus Group. [US-CERT BADCALL]

Internal MISP references

UUID d7aa53a5-0912-4952-8f7f-55698e933c3b which can be used as unique global reference for BADCALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0245
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BADFLICK

BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.[FireEye Periscope March 2018][Accenture MUDCARP March 2019]

Internal MISP references

UUID 8c454294-81cb-45d0-b299-818994ad3e6f which can be used as unique global reference for BADFLICK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0642
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

BADHATCH

BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.[Gigamon BADHATCH Jul 2019][BitDefender BADHATCH Mar 2021]

Internal MISP references

UUID 16481e0f-49d5-54c1-a1fe-16d9e7f8d08c which can be used as unique global reference for BADHATCH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1081
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BADNEWS

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. [Forcepoint Monsoon] [TrendMicro Patchwork Dec 2017]

Internal MISP references

UUID 34c24d27-c779-42a4-9f61-3f0d3fea6fd4 which can be used as unique global reference for BADNEWS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0128
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BadPatch

BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.[Unit 42 BadPatch Oct 2017]

Internal MISP references

UUID 10e76722-4b52-47f6-9276-70e95fecb26b which can be used as unique global reference for BadPatch in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0337
source MITRE
type ['malware']

BadPotato

BadPotato is an open-source software project that, according to its GitHub page, can be used for privilege escalation purposes.[GitHub BeichenDream BadPotato]

Internal MISP references

UUID 4b59bf81-d351-436e-aebc-f0111a892395 which can be used as unique global reference for BadPotato in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5304
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

Bad Rabbit

Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [Secure List Bad Rabbit][ESET Bad Rabbit][Dragos IT ICS Ransomware]

Internal MISP references

UUID a1d86d8f-fa48-43aa-9833-7355750e455c which can be used as unique global reference for Bad Rabbit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0606
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '5a463cb3-451d-47f7-93e4-1886150697ce', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Bandook

Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[EFF Manul Aug 2016][Lookout Dark Caracal Jan 2018][CheckPoint Bandook Nov 2020]

Internal MISP references

UUID 5c0f8c35-88ff-40a1-977a-af5ce534e932 which can be used as unique global reference for Bandook in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0234
source MITRE
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Bankshot

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. [McAfee Bankshot]

Internal MISP references

UUID 24b8471d-698f-48cc-b47a-8fbbaf28b293 which can be used as unique global reference for Bankshot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0239
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

Bash

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: File used by Windows subsystem for Linux

Author: Oddvar Moe

Paths: * C:\Windows\System32\bash.exe * C:\Windows\SysWOW64\bash.exe

Resources: * https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * Sigma: proc_creation_win_lolbin_bash.yml * IOC: Child process from bash.exe[Bash.exe - LOLBAS Project]

Internal MISP references

UUID cef3a09e-22ca-43dc-ad4a-95741a3b85ff which can be used as unique global reference for Bash in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5086
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Bat Armor

Bat Armor is a tool used to generate .bat files using PowerShell scripts.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 628037d4-962d-4f58-b32d-241d739bc62d which can be used as unique global reference for Bat Armor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5027
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Bazar

Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[Cybereason Bazar July 2020]

Internal MISP references

UUID b35d9817-6ead-4dbd-a2fa-4b8e217f8eac which can be used as unique global reference for Bazar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0534
source MITRE
tags ['818c3d93-c010-44f4-82bc-b63b4bc6c3c2', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

BBK

BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID 3daa5ae1-464e-4c0a-aa46-15264a2a0126 which can be used as unique global reference for BBK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0470
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

BBSRAT

BBSRAT is malware with remote access tool functionality that has been used in targeted compromises. [Palo Alto Networks BBSRAT]

Internal MISP references

UUID be4dab36-d499-4ac3-b204-5e309e3a5331 which can be used as unique global reference for BBSRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0127
source MITRE
type ['malware']

BendyBear

BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, BendyBear shares a variety of features with Waterbear, malware previously attributed to the Chinese cyber espionage group BlackTech.[Unit42 BendyBear Feb 2021]

Internal MISP references

UUID a114a498-fcfd-4e0a-9d1e-e26750d71af8 which can be used as unique global reference for BendyBear in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0574
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Bginfo

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Background Information Utility included with SysInternals Suite

Author: Oddvar Moe

Paths: * No fixed path

Resources: * https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/

Detection: * Sigma: proc_creation_win_lolbin_bginfo.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[Bginfo.exe - LOLBAS Project]

Internal MISP references

UUID fe926654-0cff-4e8e-b192-2fa1eb8a9a67 which can be used as unique global reference for Bginfo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5207
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

BianLian Ransomware (Backdoor)

This Software object represents the custom backdoor tool used during intrusions conducted by the BianLian Ransomware Group.[U.S. CISA BianLian Ransomware May 2023][BianLian Ransomware Gang Gives It a Go! | [redacted]]

Delivers: TeamViewer[U.S. CISA BianLian Ransomware May 2023], Atera Agent[U.S. CISA BianLian Ransomware May 2023], Splashtop[U.S. CISA BianLian Ransomware May 2023], AnyDesk[U.S. CISA BianLian Ransomware May 2023]

Internal MISP references

UUID a4fb341d-8010-433f-b8f1-a8781f961435 which can be used as unique global reference for BianLian Ransomware (Backdoor) in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5001
source Tidal Cyber
tags ['35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

BianLian Ransomware (Encryptor)

This Software object represents the custom Go encryptor tool (encryptor.exe) used during intrusions conducted by the BianLian Ransomware Group.[U.S. CISA BianLian Ransomware May 2023]. The tool will skip encryption of files based on a hardcoded file extension exclusion list.[BianLian Ransomware Gang Gives It a Go! | [redacted]]

Internal MISP references

UUID 252f56c2-4c85-4a19-8451-371cb04c6ceb which can be used as unique global reference for BianLian Ransomware (Encryptor) in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5292
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

BISCUIT

BISCUIT is a backdoor that has been used by APT1 since as early as 2007. [Mandiant APT1]

Internal MISP references

UUID 3ad98097-2d10-4aa1-9594-7e74828a3643 which can be used as unique global reference for BISCUIT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0017
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Bisonal

Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.[Unit 42 Bisonal July 2018][Talos Bisonal Mar 2020]

Internal MISP references

UUID b898816e-610f-4c2f-9045-d9f28a54ee58 which can be used as unique global reference for Bisonal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0268
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

BitPaymer

BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.[Crowdstrike Indrik November 2018]

Internal MISP references

UUID e7dec940-8701-4c06-9865-5b11c61c046d which can be used as unique global reference for BitPaymer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0570
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

BITSAdmin

BITSAdmin is a command line tool used to create and manage BITS Jobs. [Microsoft BITSAdmin]

Internal MISP references

UUID 52a20d3d-1edd-4f17-87f0-b77c67d260b4 which can be used as unique global reference for BITSAdmin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0190
source MITRE
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '10d09438-9ea5-405d-9b3a-36d351b5a5d9', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Black Basta

Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. Black Basta operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group.[Palo Alto Networks Black Basta August 2022][Deep Instinct Black Basta August 2022][Minerva Labs Black Basta May 2022][Avertium Black Basta June 2022][NCC Group Black Basta June 2022][Cyble Black Basta May 2022]

Internal MISP references

UUID 0d5b24ba-68dc-50fa-8268-3012180fe374 which can be used as unique global reference for Black Basta in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1070
source MITRE
tags ['89c5b94b-ecf4-4d53-9b74-3465086d4565', 'd903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', '15787198-6c8b-4f79-bf50-258d55072fee', '562e535e-19f5-4d6c-81ed-ce2aec544f09', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', 'dea4388a-b1f2-4f2a-9df9-108631d0d078', '2743d495-7728-4a75-9e5f-b64854039792', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

BlackCat

BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[Microsoft BlackCat Jun 2022][Sophos BlackCat Jul 2022][ACSC BlackCat Apr 2022]

Internal MISP references

UUID 691369e5-ef74-5ff9-bc20-34efeb4b6c5b which can be used as unique global reference for BlackCat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S1068
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

BLACKCOFFEE

BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. [FireEye APT17] [FireEye Periscope March 2018]

Internal MISP references

UUID e85e2fca-9347-4448-bfc1-342f29d5d6a1 which can be used as unique global reference for BLACKCOFFEE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0069
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BlackEnergy

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. [F-Secure BlackEnergy 2014]

Internal MISP references

UUID 908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f which can be used as unique global reference for BlackEnergy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0089
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647']
type ['malware']
Related clusters

To see the related clusters, click here.

BlackLotus

BlackLotus is a Unified Extensible Firmware Interface (UEFI) bootkit that enables bypass of Secure Boot, a UEFI feature that provides verification about the state of the boot chain, even on fully updated UEFI systems. It is considered the first “in-the-wild” UEFI bootkit, as it was observed for sale on underground forums in October 2022 and researchers were able to then confirm its existence. BlackLotus bypasses UEFI Secure Boot and establishes persistence by exploiting CVE-2022-21894, and after installation, it is designed to deploy a kernel driver for further persistence and an HTTP downloader, which allows communication with a command-and-control server and loading of additional user-mode or kernel-mode payloads. BlackLotus is also capable of disabling operating system security features, and some instances of the malware include a location-based check where it will terminate if the system uses a location associated with one of several Eastern European countries.[ESET BlackLotus March 01 2023]

Internal MISP references

UUID 4cd25fac-0b5d-44e2-8df1-2c7de06b4b39 which can be used as unique global reference for BlackLotus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5306
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '1a5a32ac-1db6-46b1-b72e-18bc3d776aed', 'df78b317-ce5d-423c-ac42-1e328ab27ffd', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

BlackMould

BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.[Microsoft GALLIUM December 2019]

Internal MISP references

UUID da348a51-d047-4144-9ba4-34d2ce964a11 which can be used as unique global reference for BlackMould in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0564
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BlackSuit Ransomware

BlackSuit is a ransomware capable of running on Windows and Linux systems. BlackSuit is believed to be a successor to Royal, a ransomware operation which itself derives from the notorious Russia-based Conti gang. BlackSuit operations were first observed in May 2023, and although they were relatively low in number, U.S. authorities issued a warning for healthcare sector organizations due to the ransomware's suspected pedigree.[HC3 Analyst Note BlackSuit Ransomware November 2023] The number of attacks claimed by BlackSuit operators increased notably in Q2 2024.[GitHub ransomwatch]

Internal MISP references

UUID 6e200813-4379-457b-9cce-2203bed4b072 which can be used as unique global reference for BlackSuit Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'Windows']
software_attack_id S5324
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

BLINDINGCAN

BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.[US-CERT BLINDINGCAN Aug 2020][NHS UK BLINDINGCAN Aug 2020]

Internal MISP references

UUID 1af8ea81-40df-4fba-8d63-1858b8b31217 which can be used as unique global reference for BLINDINGCAN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0520
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BloodHound

BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[GitHub Bloodhound][CrowdStrike BloodHound April 2018][FoxIT Wocao December 2019]

Internal MISP references

UUID 72658763-8077-451e-8572-38858f8cacf3 which can be used as unique global reference for BloodHound in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0521
source MITRE
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

BLUELIGHT

BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.[Volexity InkySquid BLUELIGHT August 2021]

Internal MISP references

UUID 3aaaaf86-638b-4a65-be18-c6e6dcdcdb97 which can be used as unique global reference for BLUELIGHT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0657
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Bonadan

Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.[ESET ForSSHe December 2018]

Internal MISP references

UUID 3793db4b-f843-4cfd-89d2-ec28b62feda5 which can be used as unique global reference for Bonadan in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0486
source MITRE
type ['malware']

BONDUPDATER

BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[FireEye APT34 Dec 2017][Palo Alto OilRig Sep 2018]

Internal MISP references

UUID d8690218-5272-47d8-8189-35d3b518e66f which can be used as unique global reference for BONDUPDATER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0360
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BoomBox

BoomBox is a downloader responsible for executing next stage components that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]

Internal MISP references

UUID 9d393f6f-855e-4348-8a26-008174e3605a which can be used as unique global reference for BoomBox in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0635
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

BOOSTWRITE

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[FireEye FIN7 Oct 2019]

Internal MISP references

UUID 74a73624-d53b-4c84-a14b-8ae964fd577c which can be used as unique global reference for BOOSTWRITE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0415
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

BOOTRASH

BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.[Mandiant M Trends 2016][FireEye Bootkits][FireEye BOOTRASH SANS]

Internal MISP references

UUID d47a4753-80f5-494e-aad7-d033aaff0d6d which can be used as unique global reference for BOOTRASH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0114
source MITRE
type ['malware']

BoxCaon

BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.[Checkpoint IndigoZebra July 2021]

Internal MISP references

UUID d3e46011-3433-426c-83b3-61c2576d5f71 which can be used as unique global reference for BoxCaon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0651
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Brave Prince

Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. [McAfee Gold Dragon]

Internal MISP references

UUID 51b27e2c-c737-4006-a657-195ea1a1f4f0 which can be used as unique global reference for Brave Prince in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0252
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Briba

Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Briba May 2012]

Internal MISP references

UUID 7942783c-73a7-413c-94d1-8981029a1c51 which can be used as unique global reference for Briba in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0204
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Brute Ratel C4

Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.[Dark Vortex Brute Ratel C4][Palo Alto Brute Ratel July 2022][MDSec Brute Ratel August 2022][SANS Brute Ratel October 2022][Trend Micro Black Basta October 2022]

Internal MISP references

UUID 23043b44-69a6-5cdf-8f60-5a68068680c7 which can be used as unique global reference for Brute Ratel C4 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1063
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

BS2005

BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011. [Mandiant Operation Ke3chang November 2014]

Internal MISP references

UUID c9e773de-0213-4b64-83fb-637060c8b5ed which can be used as unique global reference for BS2005 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0014
source MITRE
type ['malware']

BUBBLEWRAP

BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. [FireEye admin@338]

Internal MISP references

UUID 2be4e3d2-e8c5-4406-8041-2c17bdb3a547 which can be used as unique global reference for BUBBLEWRAP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0043
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

build_downer

build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9 which can be used as unique global reference for build_downer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0471
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Bumblebee

Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.[Google EXOTIC LILY March 2022][Proofpoint Bumblebee April 2022][Symantec Bumblebee June 2022]

Internal MISP references

UUID cc155181-fb34-4aaf-b083-b7b57b140b7a which can be used as unique global reference for Bumblebee in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1039
source MITRE
tags ['aa983c81-e54b-49b3-b0dd-53cf950825b8', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Bundlore

Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.[MacKeeper Bundlore Apr 2019]

Internal MISP references

UUID e9873bf1-9619-4c62-b4cf-1009e83de186 which can be used as unique global reference for Bundlore in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0482
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

BUSHWALK

BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during Cutting Edge.[Mandiant Cutting Edge Part 2 January 2024][Mandiant Cutting Edge Part 3 February 2024]

Internal MISP references

UUID 44ed9567-2cb6-590e-b332-154557fb93f9 which can be used as unique global reference for BUSHWALK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1118
source MITRE
type ['malware']

Cachedump

Cachedump is a publicly-available tool that program extracts cached password hashes from a system’s registry. [Mandiant APT1]

Internal MISP references

UUID 7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc which can be used as unique global reference for Cachedump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0119
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

CACTUS Ransomware

This Software object reflects the TTPs associated with the CACTUS ransomware binary, a malware that researchers believe has been used since at least March 2023.[Kroll CACTUS Ransomware May 10 2023] Other pre- and post-exploit TTPs associated with threat actors known to deploy CACTUS can be found in the separate dedicated Group object.

Internal MISP references

UUID ad51e7c6-7d3c-4c5d-a7e2-e50afb11a0ca which can be used as unique global reference for CACTUS Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5309
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'a2e000da-8181-4327-bacd-32013dbd3654', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

CaddyWiper

CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[ESET CaddyWiper March 2022][Cisco CaddyWiper March 2022]

Internal MISP references

UUID 62d0ddcd-790d-4d2d-9d94-276f54b40cf0 which can be used as unique global reference for CaddyWiper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0693
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']

Cadelspy

Cadelspy is a backdoor that has been used by APT39.[Symantec Chafer Dec 2015]

Internal MISP references

UUID c8a51b39-6906-4381-9bb4-4e9e612aa085 which can be used as unique global reference for Cadelspy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0454
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

CALENDAR

CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic. [Mandiant APT1]

Internal MISP references

UUID ad859a79-c183-44f6-a89a-f734710672a9 which can be used as unique global reference for CALENDAR in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0025
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Calisto

Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to have first been developed in 2016. [Securelist Calisto July 2018] [Symantec Calisto July 2018]

Internal MISP references

UUID 6b5b408c-4f9d-4137-bfb1-830d12e9736c which can be used as unique global reference for Calisto in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0274
source MITRE
type ['malware']

CallMe

CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. [Scarlet Mimic Jan 2016]

Internal MISP references

UUID 352ee271-89e6-4d3f-9c26-98dbab0e2986 which can be used as unique global reference for CallMe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0077
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cannon

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [Unit42 Cannon Nov 2018][Unit42 Sofacy Dec 2018]

Internal MISP references

UUID 790e931d-2571-496d-9f48-322774a7d482 which can be used as unique global reference for Cannon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0351
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Carbanak

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [Kaspersky Carbanak] [FireEye CARBANAK June 2017]

Internal MISP references

UUID 4cb9294b-9e4c-41b9-b640-46213a01952d which can be used as unique global reference for Carbanak in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0030
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Carberp

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.[Trend Micro Carberp February 2014][KasperskyCarbanak][RSA Carbanak November 2017]

Internal MISP references

UUID df9491fd-5e24-4548-8e21-1268dce59d1f which can be used as unique global reference for Carberp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0484
source MITRE
type ['malware']

Carbon

Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[ESET Carbon Mar 2017][Securelist Turla Oct 2018]

Internal MISP references

UUID 61f5d19c-1da2-43d1-ab20-51eacbca71f2 which can be used as unique global reference for Carbon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0335
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cardinal RAT

Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[PaloAlto CardinalRat Apr 2017]

Internal MISP references

UUID fa23acef-3034-43ee-9610-4fc322f0d80b which can be used as unique global reference for Cardinal RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0348
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']

CARROTBALL

CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.[Unit 42 CARROTBAT January 2020]

Internal MISP references

UUID 84bb4068-b441-435e-8535-02a458ffd50b which can be used as unique global reference for CARROTBALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0465
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['tool']

CARROTBAT

CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.[Unit 42 CARROTBAT November 2018][Unit 42 CARROTBAT January 2020]

Internal MISP references

UUID aefa893d-fc6e-41a9-8794-2700049db9e5 which can be used as unique global reference for CARROTBAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0462
source MITRE
type ['malware']

Catchamas

Catchamas is a Windows Trojan that steals information from compromised systems. [Symantec Catchamas April 2018]

Internal MISP references

UUID 04deccb5-9850-45c3-a900-5d7039a94190 which can be used as unique global reference for Catchamas in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0261
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Caterpillar WebShell

Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.[ClearSky Lebanese Cedar Jan 2021]

Internal MISP references

UUID ee88afaa-88bc-4c20-906f-332866388549 which can be used as unique global reference for Caterpillar WebShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0572
source MITRE
tags ['311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

CC-Attack

CC-Attack is a publicly available script that automates the use of open, external proxy servers as part of denial of service flood attacks. Its use has been promoted among the members of the Killnet hacktivist collective.[Flashpoint Glossary Killnet]

Internal MISP references

UUID 7664bfa5-8477-4903-9103-1144113fca36 which can be used as unique global reference for CC-Attack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'Windows']
software_attack_id S5062
source Tidal Cyber
tags ['62bde669-3020-4682-be68-36c83b2588a4']
type ['malware']
Related clusters

To see the related clusters, click here.

CCBkdr

CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. [Talos CCleanup 2017] [Intezer Aurora Sept 2017]

Internal MISP references

UUID 4eb0720c-7046-4ff1-adfd-ae603506e499 which can be used as unique global reference for CCBkdr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0222
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55']
type ['malware']

ccf32

ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[Bitdefender FunnyDream Campaign November 2020]

Internal MISP references

UUID e00c2a0c-bbe5-4eff-b0ad-b2543456a317 which can be used as unique global reference for ccf32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1043
source MITRE
type ['malware']

Cdb

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Debugging tool included with Windows Debugging Tools.

Author: Oddvar Moe

Paths: * C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe * C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe

Resources: * http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html * https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options * https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda * https://mrd0x.com/the-power-of-cdb-debugging-tool/ * https://twitter.com/nas_bench/status/1534957360032120833

Detection: * Sigma: proc_creation_win_lolbin_cdb.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[Cdb.exe - LOLBAS Project]

Internal MISP references

UUID d9ea2696-7c47-44cd-8784-9aeef5e149ea which can be used as unique global reference for Cdb in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5208
source Tidal Cyber
tags ['4479b9e9-d912-451a-9ad5-08b3d922422d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CertOC

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used for installing certificates

Author: Ensar Samil

Paths: * c:\windows\system32\certoc.exe * c:\windows\syswow64\certoc.exe

Resources: * https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 * https://twitter.com/sblmsrsn/status/1452941226198671363?s=20

Detection: * Sigma: proc_creation_win_certoc_load_dll.yml * IOC: Process creation with given parameter * IOC: Unsigned DLL load via certoc.exe * IOC: Network connection via certoc.exe[CertOC.exe - LOLBAS Project]

Internal MISP references

UUID 34e1c197-ac43-4634-9a0d-9148c748f774 which can be used as unique global reference for CertOC in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5087
source Tidal Cyber
tags ['fb909648-ee44-4871-abe6-82c909c4d677', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CertReq

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used for requesting and managing certificates

Author: David Middlehurst

Paths: * C:\Windows\System32\certreq.exe * C:\Windows\SysWOW64\certreq.exe

Resources: * https://dtm.uk/certreq

Detection: * Sigma: proc_creation_win_lolbin_susp_certreq_download.yml * IOC: certreq creates new files * IOC: certreq makes POST requests[CertReq.exe - LOLBAS Project]

Internal MISP references

UUID 43050f80-ce28-49e3-aac6-cb3f4a07f4b4 which can be used as unique global reference for CertReq in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5088
source Tidal Cyber
tags ['35a798a2-eaab-48a3-9ee7-5538f36a4172', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [TechNet Certutil]

Internal MISP references

UUID 2fe21578-ee31-4ee8-b6ab-b5f76f97d043 which can be used as unique global reference for certutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0160
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '412da5b4-fb41-40fc-a29a-78dc9119aa75', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Chaes

Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.[Cybereason Chaes Nov 2020]

Internal MISP references

UUID 0c8efcd0-bfdf-4771-8754-18aac836c359 which can be used as unique global reference for Chaes in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0631
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

Chaos

Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. [Chaos Stolen Backdoor]

Internal MISP references

UUID 92c88765-6b12-42cd-b1d7-f6a65b2236e2 which can be used as unique global reference for Chaos in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0220
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

CharmPower

CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.[Check Point APT35 CharmPower January 2022]

Internal MISP references

UUID b1e3b56f-2e83-4cab-a1c1-16999009d056 which can be used as unique global reference for CharmPower in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0674
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

ChChes

ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [Palo Alto menuPass Feb 2017] [JPCERT ChChes Feb 2017] [PWC Cloud Hopper Technical Annex April 2017]

Internal MISP references

UUID 3f2283ef-67c2-49a3-98ac-1aa9f0499361 which can be used as unique global reference for ChChes in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0144
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cheerscrypt

Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks against ESXi and Windows environments since at least 2022. Cheerscrypt was derived from the leaked Babuk source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from Babuk.[Sygnia Emperor Dragonfly October 2022][Trend Micro Cheerscrypt May 2022]

Internal MISP references

UUID 6475bc8c-b95d-5cb3-92f0-aa7e2f18859a which can be used as unique global reference for Cheerscrypt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1096
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cherry Picker

Cherry Picker is a point of sale (PoS) memory scraper. [Trustwave Cherry Picker]

Internal MISP references

UUID 2fd6f564-918e-4ee7-920a-2b4be858d11a which can be used as unique global reference for Cherry Picker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0107
source MITRE
type ['malware']

China Chopper

China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.[Lee 2013] It has been used by several threat groups.[Dell TG-3390][FireEye Periscope March 2018][CISA AA21-200A APT40 July 2021][Rapid7 HAFNIUM Mar 2021]

Internal MISP references

UUID 723c5ab7-23ca-46f2-83bb-f1d1e550122c which can be used as unique global reference for China Chopper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0020
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

Chinoxy

Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.[Bitdefender FunnyDream Campaign November 2020]

Internal MISP references

UUID 7c36563a-9143-4766-8aef-4e1787e18d8c which can be used as unique global reference for Chinoxy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1041
source MITRE
type ['malware']

Chisel

Chisel is an open source tool that can be used for networking tunneling.[U.S. CISA AvosLocker October 11 2023] According to its GitHub project page, "Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH".[GitHub Chisel] Threat actors including ransomware operators and nation-state-aligned espionage actors have used Chisel as part of their operations.[U.S. CISA AvosLocker October 11 2023][CISA AA20-259A Iran-Based Actor September 2020]

Internal MISP references

UUID bd2b2375-4f16-42b2-a862-959b5b41c2af which can be used as unique global reference for Chisel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5063
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Chocolatey

Chocolatey is a command-line package manager for Microsoft Windows.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 7a2b00ef-8a37-4901-bf0c-17da0ebf3d69 which can be used as unique global reference for Chocolatey in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5028
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [FireEye APT28] [ESET Sednit Part 2] [FireEye APT28 January 2017] [DOJ GRU Indictment Jul 2018] It is tracked separately from the X-Agent for Android.

Internal MISP references

UUID 01c6c49a-f7c8-44cd-a377-4dfd358ffeba which can be used as unique global reference for CHOPSTICK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0023
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Chrommme

Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.[ESET Gelsemium June 2021]

Internal MISP references

UUID df77ed2a-f135-4f00-9a5e-79b7a6a2ed14 which can be used as unique global reference for Chrommme in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0667
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

Clambling

Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[Trend Micro DRBControl February 2020]

Internal MISP references

UUID 4bac93bd-7e58-4ddb-a205-d99597b9e65e which can be used as unique global reference for Clambling in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0660
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

CL_Invocation

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Aero diagnostics script

Author: Oddvar Moe

Paths: * C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 * C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 * C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1

Resources:

Detection: * Sigma: proc_creation_win_lolbin_cl_invocation.yml * Sigma: posh_ps_cl_invocation_lolscript.yml[CL_Invocation.ps1 - LOLBAS Project]

Internal MISP references

UUID 4bc36e22-6529-4a4a-a5d2-461f3925c5f3 which can be used as unique global reference for CL_Invocation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5257
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CL_LoadAssembly

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: PowerShell Diagnostic Script

Author: Jimmy (@bohops)

Paths: * C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1

Resources: * https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/

Detection: * Sigma: proc_creation_win_lolbas_cl_loadassembly.yml[CL_LoadAssembly.ps1 - LOLBAS Project]

Internal MISP references

UUID cb950179-334d-4bd9-9cfb-87b09d279a3b which can be used as unique global reference for CL_LoadAssembly in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5255
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CL_Mutexverifiers

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Proxy execution with CL_Mutexverifiers.ps1

Author: Oddvar Moe

Paths: * C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1

Resources: * https://twitter.com/pabraeken/status/995111125447577600

Detection: * Sigma: proc_creation_win_lolbin_cl_mutexverifiers.yml[CL_Mutexverifiers.ps1 - LOLBAS Project]

Internal MISP references

UUID 3c63792a-1184-416e-aa9b-18da72e88327 which can be used as unique global reference for CL_Mutexverifiers in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5256
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Clop

Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[Mcafee Clop Aug 2019][Cybereason Clop Dec 2020][Unit42 Clop April 2021]

Internal MISP references

UUID 5321aa75-924c-47ae-b97a-b36f023abf2a which can be used as unique global reference for Clop in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0611
source MITRE
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', '562e535e-19f5-4d6c-81ed-ce2aec544f09', 'b15c16f7-b8c7-4962-9acc-a98a39f87b69', 'b18b5401-d88d-4f28-8f50-a884a5e58349', 'ac862a66-a4ec-4285-9a21-b63576a5867d', '5ab5f811-5c7e-4f77-ae90-59d3beb93346', '1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0', 'e401022a-36ac-486d-8503-dd531410a927', '8a77c410-bed9-4376-87bf-5ac84fbc2c9d', 'ab64f2d8-8da3-48de-ac66-0fd91d634b22', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

CloudChat Infostealer

CloudChat Infostealer is an information-stealing malware designed to harvest passwords, cookies, and other sensitive information from macOS systems.[Kandji 4 8 2024]

Internal MISP references

UUID 7a57e81b-2453-4aaf-94ad-c007bd7105a2 which can be used as unique global reference for CloudChat Infostealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['macOS']
software_attack_id S5316
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

CloudDuke

CloudDuke is malware that was used by APT29 in 2015. [F-Secure The Dukes] [Securelist Minidionis July 2015]

Internal MISP references

UUID b3dd424b-ee96-449c-aa52-abbc7d4dfb86 which can be used as unique global reference for CloudDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0054
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

cmd

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [TechNet Cmd]

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [TechNet Dir]), deleting files (e.g., del [TechNet Del]), and copying files (e.g., copy [TechNet Copy]).

Internal MISP references

UUID 98d89476-63ec-4baf-b2b3-86c52170f5d8 which can be used as unique global reference for cmd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0106
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'a968c9f3-c190-488f-bacc-92e8f1ce295c', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Cmdkey

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: creates, lists, and deletes stored user names and passwords or credentials.

Author: Oddvar Moe

Paths: * C:\Windows\System32\cmdkey.exe * C:\Windows\SysWOW64\cmdkey.exe

Resources: * https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey

Detection: * Sigma: proc_creation_win_cmdkey_recon.yml[Cmdkey.exe - LOLBAS Project]

Internal MISP references

UUID da252f67-2d4e-419f-b493-d4a1d024a01c which can be used as unique global reference for Cmdkey in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5089
source Tidal Cyber
tags ['96bff827-e51f-47de-bde6-d2eec0f99767', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

cmdl32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Connection Manager Auto-Download

Author: Elliot Killick

Paths: * C:\Windows\System32\cmdl32.exe * C:\Windows\SysWOW64\cmdl32.exe

Resources: * https://github.com/LOLBAS-Project/LOLBAS/pull/151 * https://twitter.com/ElliotKillick/status/1455897435063074824 * https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/

Detection: * Sigma: proc_creation_win_lolbin_cmdl32.yml * IOC: Reports of downloading from suspicious URLs in %TMP%\config.log * IOC: Useragent Microsoft(R) Connection Manager Vpn File Update[cmdl32.exe - LOLBAS Project]

Internal MISP references

UUID 44a523a8-9ed6-4f01-9a53-0e8ea1e15b51 which can be used as unique global reference for cmdl32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5090
source Tidal Cyber
tags ['4c8f8830-0b2c-4c79-b1db-8659ede492f0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Cmstp

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Installs or removes a Connection Manager service profile.

Author: Oddvar Moe

Paths: * C:\Windows\System32\cmstp.exe * C:\Windows\SysWOW64\cmstp.exe

Resources: * https://twitter.com/NickTyrer/status/958450014111633408 * https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 * https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e * https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ * https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp

Detection: * Sigma: proc_creation_win_cmstp_execution_by_creation.yml * Sigma: proc_creation_win_uac_bypass_cmstp.yml * Splunk: cmlua_or_cmstplua_uac_bypass.yml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Elastic: defense_evasion_unusual_process_network_connection.toml * IOC: Execution of cmstp.exe without a VPN use case is suspicious * IOC: DotNet CLR libraries loaded into cmstp.exe * IOC: DotNet CLR Usage Log - cmstp.exe.log[Cmstp.exe - LOLBAS Project]

Internal MISP references

UUID 6f848e15-5234-4445-9a05-2949e4c57f0b which can be used as unique global reference for Cmstp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5091
source Tidal Cyber
tags ['65938118-2f00-48a1-856e-d1a75a08e3c6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

COATHANGER

COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.[NCSC-NL COATHANGER Feb 2024]

Internal MISP references

UUID fbd3f71a-e123-5527-908c-9e7ea0d646e8 which can be used as unique global reference for COATHANGER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network', 'Linux']
software_attack_id S1105
source MITRE
type ['malware']

Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[cobaltstrike manual]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[cobaltstrike manual]

Internal MISP references

UUID 9b6bcbba-3ab4-4a4c-a233-cd12254823f6 which can be used as unique global reference for Cobalt Strike in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0154
source MITRE
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '56d89c06-23a0-4642-adfc-1fffd3524191', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['malware']
Related clusters

To see the related clusters, click here.

Cobalt Strike Random C2 Profile Generator

This is an open-source tool for creating Cobalt Strike Malleable C2 profiles with randomly generated variables.[GitHub random_c2_profile] According to a September 2023 CERT-FR advisory, during an intrusion in March 2023, actors attributed to FIN12 used the tool to generate a Cobalt Strike malleable C2 profile.[CERTFR-2023-CTI-007]

Internal MISP references

UUID cf47b3ce-1392-4904-a4e6-f65aebebddc6 which can be used as unique global reference for Cobalt Strike Random C2 Profile Generator in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5057
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['malware']
Related clusters

To see the related clusters, click here.

Cobian RAT

Cobian RAT is a backdoor, remote access tool that has been observed since 2016.[Zscaler Cobian Aug 2017]

Internal MISP references

UUID d4e6f9f7-7f4d-47c2-be24-b267d9317303 which can be used as unique global reference for Cobian RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0338
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

code

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: VSCode binary, also portable (CLI) version

Author: PfiatDe

Paths: * %LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe * C:\Program Files\Microsoft VS Code\Code.exe * C:\Program Files (x86)\Microsoft VS Code\Code.exe

Resources: * https://badoption.eu/blog/2023/01/31/code_c2.html * https://code.visualstudio.com/docs/remote/tunnels * https://code.visualstudio.com/blogs/2022/12/07/remote-even-better

Detection: * IOC: Websocket traffic to global.rel.tunnels.api.visualstudio.com * IOC: Process tree: code.exe -> cmd.exe -> node.exe -> winpty-agent.exe * IOC: File write of code_tunnel.json which is parametizable, but defaults to: %UserProfile%.vscode-cli\code_tunnel.json[code.exe - LOLBAS Project]

Internal MISP references

UUID 49d440e4-b2ea-4e7d-8ded-8589ddf679d9 which can be used as unique global reference for code in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5185
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CoinTicker

CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[CoinTicker 2019]

Internal MISP references

UUID b0d9b31a-072b-4744-8d2f-3a63256a932f which can be used as unique global reference for CoinTicker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0369
source MITRE
type ['malware']

Colorcpl

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary that handles color management

Author: Arjan Onwezen

Paths: * C:\Windows\System32\colorcpl.exe * C:\Windows\SysWOW64\colorcpl.exe

Resources: * https://twitter.com/eral4m/status/1480468728324231172

Detection: * Sigma: file_event_win_susp_colorcpl.yml * IOC: colorcpl.exe writing files[Colorcpl.exe - LOLBAS Project]

Internal MISP references

UUID 9f006b88-2f13-4c99-ade0-839da70d1e11 which can be used as unique global reference for Colorcpl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5092
source Tidal Cyber
tags ['884eb1b1-aede-4db0-8443-ba50624682e1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Comnie

Comnie is a remote backdoor which has been used in attacks in East Asia. [Palo Alto Comnie]

Internal MISP references

UUID 341fc709-4908-4e41-8df3-554dae6d72b0 which can be used as unique global reference for Comnie in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0244
source MITRE
type ['malware']

ComRAT

ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.[Symantec Waterbug][NorthSec 2015 GData Uroburos Tools][ESET ComRAT May 2020]

Internal MISP references

UUID 300c5997-a486-4a61-8213-93a180c22849 which can be used as unique global reference for ComRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0126
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Comsvcs

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: COM+ Services

Author: LOLBAS Team

Paths: * c:\windows\system32\comsvcs.dll

Resources: * https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/

Detection: * Sigma: proc_creation_win_rundll32_process_dump_via_comsvcs.yml * Sigma: proc_access_win_lsass_dump_comsvcs_dll.yml * Elastic: credential_access_cmdline_dump_tool.toml * Splunk: dump_lsass_via_comsvcs_dll.yml[Comsvcs.dll - LOLBAS Project]

Internal MISP references

UUID 0448178d-fff1-4174-8339-e6bfca78fb84 which can be used as unique global reference for Comsvcs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5202
source Tidal Cyber
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '334b0ee4-5a0d-4634-91c8-236593b818a0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Conficker

Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[SANS Conficker] In 2016, a variant of Conficker made its way on computers and removable disk drives belonging to a nuclear power plant.[Conficker Nuclear Power Plant]

Internal MISP references

UUID ef33f1fa-18a3-4b30-b359-17b7930f43a7 which can be used as unique global reference for Conficker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0608
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647']
type ['malware']

ConfigSecurityPolicy

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.

Author: Ialle Teixeira

Paths: * C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe * C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe

Resources: * https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads * https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads * https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor * https://twitter.com/NtSetDefault/status/1302589153570365440?s=20

Detection: * Sigma: proc_creation_win_lolbin_configsecuritypolicy.yml * IOC: ConfigSecurityPolicy storing data into alternate data streams. * IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS. * IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe. * IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"[ConfigSecurityPolicy.exe - LOLBAS Project]

Internal MISP references

UUID 0e178275-4eb7-4fae-a703-d9730adf6a26 which can be used as unique global reference for ConfigSecurityPolicy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5093
source Tidal Cyber
tags ['d99039e1-e677-4226-8b63-e698d6642535', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Conhost

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Console Window host

Author: Wietze Beukema

Paths: * c:\windows\system32\conhost.exe

Resources: * https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ * https://twitter.com/Wietze/status/1511397781159751680 * https://twitter.com/embee_research/status/1559410767564181504 * https://twitter.com/ankit_anubhav/status/1561683123816972288

Detection: * IOC: conhost.exe spawning unexpected processes * Sigma: proc_creation_win_conhost_susp_child_process.yml[Conhost.exe - LOLBAS Project]

Internal MISP references

UUID d3f8a214-3e65-4b7d-aed6-97a3e38ef8e0 which can be used as unique global reference for Conhost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5094
source Tidal Cyber
tags ['ea54037d-e07b-42b0-afe6-33576ec36f44', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ConnectWise

ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[Anomali Static Kitten February 2021][Trend Micro Muddy Water March 2021]

Internal MISP references

UUID 6f9bb24d-cce2-49de-bedd-1849d9bde7a0 which can be used as unique global reference for ConnectWise in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0591
source MITRE
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

Conti

Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.[Cybereason Conti Jan 2021][CarbonBlack Conti July 2020][Cybleinc Conti January 2020]

Internal MISP references

UUID 8e995c29-2759-4aeb-9a0f-bb7cd97b06e5 which can be used as unique global reference for Conti in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0575
source MITRE
tags ['89c5b94b-ecf4-4d53-9b74-3465086d4565', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '0ed7d10c-c65b-4174-9edb-446bf301d250', '3d90eed2-862d-4f61-8c8f-0b8da3e45af0', '12a2e20a-7c27-46bb-954d-b372833a9925', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871', 'c2380542-36f2-4922-9ed2-80ced06645c9', 'dea4388a-b1f2-4f2a-9df9-108631d0d078', '24448a05-2337-4bc9-a889-a83f2fd1f3ad', '2743d495-7728-4a75-9e5f-b64854039792', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Control

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used to launch controlpanel items in Windows

Author: Oddvar Moe

Paths: * C:\Windows\System32\control.exe * C:\Windows\SysWOW64\control.exe

Resources: * https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ * https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ * https://twitter.com/bohops/status/955659561008017409 * https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items * https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/

Detection: * Sigma: proc_creation_win_exploit_cve_2021_40444.yml * Sigma: proc_creation_win_rundll32_susp_control_dll_load.yml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * Elastic: defense_evasion_execution_control_panel_suspicious_args.toml * Elastic: defense_evasion_unusual_dir_ads.toml * IOC: Control.exe executing files from alternate data streams * IOC: Control.exe executing library file without cpl extension * IOC: Suspicious network connections from control.exe[Control.exe - LOLBAS Project]

Internal MISP references

UUID efc46430-b27f-4b05-bc36-1d5eba685ec7 which can be used as unique global reference for Control in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5095
source Tidal Cyber
tags ['53ac2b35-d302-4bdd-9931-5b6c6cb31b96', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CookieMiner

CookieMiner is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.[Unit42 CookieMiner Jan 2019]

Internal MISP references

UUID 6e2c4aef-2f69-4507-9ee3-55432d76341e which can be used as unique global reference for CookieMiner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0492
source MITRE
type ['malware']

CORALDECK

CORALDECK is an exfiltration tool used by APT37. [FireEye APT37 Feb 2018]

Internal MISP references

UUID f13c8455-d615-4f8d-9d9c-5b31e593cd8a which can be used as unique global reference for CORALDECK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0212
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

coregen

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.

Author: Martin Sohn Christensen

Paths: * C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe * C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe

Resources: * https://www.youtube.com/watch?v=75XImxOOInU * https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html

Detection: * Sigma: image_load_side_load_coregen.yml * IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" * IOC: coregen.exe loading .dll file not named coreclr.dll * IOC: coregen.exe command line containing -L or -l * IOC: coregen.exe command line containing unexpected/invald assembly name * IOC: coregen.exe application crash by invalid assembly name[coregen.exe - LOLBAS Project]

Internal MISP references

UUID b7dacd5c-eaba-48db-bdd7-e779a82b2ba7 which can be used as unique global reference for coregen in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5209
source Tidal Cyber
tags ['a19a158e-aec4-410a-8c3e-e9080b111183', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CORESHELL

CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.[FireEye APT28] [FireEye APT28 January 2017]

Internal MISP references

UUID 3b193f62-2b49-4eff-bdf4-501fb8a28274 which can be used as unique global reference for CORESHELL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0137
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

CosmicDuke

CosmicDuke is malware that was used by APT29 from 2010 to 2015. [F-Secure The Dukes]

Internal MISP references

UUID 43b317c6-5b4f-47b8-b7b4-15cd6f455091 which can be used as unique global reference for CosmicDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0050
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']
Related clusters

To see the related clusters, click here.

CostaBricks

CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.[BlackBerry CostaRicto November 2020]

Internal MISP references

UUID ea9e2d19-89fe-4039-a1e0-467b14554c6f which can be used as unique global reference for CostaBricks in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0614
source MITRE
type ['malware']

CozyCar

CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. [F-Secure The Dukes]

Internal MISP references

UUID c2353daa-fd4c-44e1-8013-55400439965a which can be used as unique global reference for CozyCar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0046
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

CrackMapExec

CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[CME Github September 2018]

Internal MISP references

UUID 47e710b4-1397-47cf-a979-20891192f313 which can be used as unique global reference for CrackMapExec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0488
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

Createdump

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)

Author: mr.d0x, Daniel Santos

Paths: * C:\Program Files\dotnet\shared\Microsoft.NETCore.App*\createdump.exe * C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App*\createdump.exe * C:\Program Files\Microsoft Visual Studio*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe * C:\Program Files (x86)\Microsoft Visual Studio*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe

Resources: * https://twitter.com/bopin2020/status/1366400799199272960 * https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnetcore/practice-troubleshoot-linux/lab-1-3-capture-core-crash-dumps

Detection: * Sigma: proc_creation_win_proc_dump_createdump.yml * Sigma: proc_creation_win_renamed_createdump.yml * IOC: createdump.exe process with a command line containing the lsass.exe process id[Createdump.exe - LOLBAS Project]

Internal MISP references

UUID a574b315-523c-45c3-8743-feb3d541e81a which can be used as unique global reference for Createdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5210
source Tidal Cyber
tags ['7beee233-2b65-4593-88e6-a5c0c02c6a08', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CredoMap

CredoMap is a credential-stealing malware developed by the Russian espionage actor APT28. The malware harvests cookies and credentials from select web browsers and exfiltrates the information via the IMAP email protocol. CredoMap was observed being used in attack campaigns in Ukraine in 2022.[CERTFR-2023-CTI-009][SecurityScorecard CredoMap September 2022]

Internal MISP references

UUID 516ffd19-72b9-43a1-b866-bb075fdcb137 which can be used as unique global reference for CredoMap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5074
source Tidal Cyber
tags ['904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

CreepyDrive

CreepyDrive is a custom implant has been used by POLONIUM since at least early 2022 for C2 with and exfiltration to actor-controlled OneDrive accounts.[Microsoft POLONIUM June 2022]

POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.[Microsoft POLONIUM June 2022]

Internal MISP references

UUID 7f7f05c3-fbb1-475e-b672-2113709065c8 which can be used as unique global reference for CreepyDrive in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Office 365', 'Windows']
software_attack_id S1023
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

CreepySnail

CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[Microsoft POLONIUM June 2022]

Internal MISP references

UUID 11ce380c-481b-4c9b-b44e-06f1a91c01c1 which can be used as unique global reference for CreepySnail in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1024
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Crimson

Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.[Proofpoint Operation Transparent Tribe March 2016][Kaspersky Transparent Tribe August 2020]

Internal MISP references

UUID 3b3f296f-20a6-459a-98c5-62ebdee3701f which can be used as unique global reference for Crimson in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0115
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

CrossRAT

CrossRAT is a cross platform RAT.

Internal MISP references

UUID 38811c3b-f548-43fa-ab26-c7243b84a055 which can be used as unique global reference for CrossRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0235
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Crutch

Crutch is a backdoor designed for document theft that has been used by Turla since at least 2015.[ESET Crutch December 2020]

Internal MISP references

UUID e1ad229b-d750-4148-a1f3-36e767b03cd1 which can be used as unique global reference for Crutch in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0538
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cryptoistic

Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.[SentinelOne Lazarus macOS July 2020]

Internal MISP references

UUID 12ce6d04-ebe5-440e-b342-0283b7c8a0c8 which can be used as unique global reference for Cryptoistic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0498
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Csc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary file used by .NET to compile C# code

Author: Oddvar Moe

Paths: * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe

Resources: * https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe

Detection: * Sigma: proc_creation_win_csc_susp_parent.yml * Sigma: proc_creation_win_csc_susp_folder.yml * Elastic: defense_evasion_dotnet_compiler_parent_process.toml * Elastic: defense_evasion_execution_msbuild_started_unusal_process.toml * IOC: Csc.exe should normally not run as System account unless it is used for development.[Csc.exe - LOLBAS Project]

Internal MISP references

UUID 939eeb6b-3f74-43b6-8ead-644457ee7d78 which can be used as unique global reference for Csc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5096
source Tidal Cyber
tags ['2ee25dd6-256c-4659-b1b6-f5afc943ccc1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Cscript

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used to execute scripts in Windows

Author: Oddvar Moe

Paths: * C:\Windows\System32\cscript.exe * C:\Windows\SysWOW64\cscript.exe

Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

Detection: * Sigma: proc_creation_win_wscript_cscript_script_exec.yml * Sigma: file_event_win_net_cli_artefact.yml * Elastic: defense_evasion_unusual_dir_ads.toml * Elastic: command_and_control_remote_file_copy_scripts.toml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Splunk: wscript_or_cscript_suspicious_child_process.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Cscript.exe executing files from alternate data streams * IOC: DotNet CLR libraries loaded into cscript.exe * IOC: DotNet CLR Usage Log - cscript.exe.log[Cscript.exe - LOLBAS Project]

Internal MISP references

UUID 83036c61-d8cf-42f8-a9e5-dc3d26d75cdc which can be used as unique global reference for Cscript in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5097
source Tidal Cyber
tags ['7cae5f59-dbbf-406f-928d-118430d2bdd0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

csi

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Command line interface included with Visual Studio.

Author: Oddvar Moe

Paths: * c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe * c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe

Resources: * https://twitter.com/subTee/status/781208810723549188 * https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

Detection: * Sigma: proc_creation_win_csi_execution.yml * Sigma: proc_creation_win_csi_use_of_csharp_console.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[csi.exe - LOLBAS Project]

Internal MISP references

UUID a11e4ebf-59e4-4b79-8a20-be1618dfbaed which can be used as unique global reference for csi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5211
source Tidal Cyber
tags ['86bb7f3c-652c-4f77-af2a-34677ff42315', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CSPY Downloader

CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky.[Cybereason Kimsuky November 2020]

Internal MISP references

UUID eb481db6-d7ba-4873-a171-76a228c9eb97 which can be used as unique global reference for CSPY Downloader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0527
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Cuba

Cuba is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.[McAfee Cuba April 2021]

Internal MISP references

UUID 095064c6-144e-4935-b878-f82151bc08e4 which can be used as unique global reference for Cuba in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0625
source MITRE
tags ['89c5b94b-ecf4-4d53-9b74-3465086d4565', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930', '17864218-bc4f-4564-8abf-97c988eea9f7', 'b6458e46-650e-4e96-8e68-8a9d70bcf045', 'bac51672-8240-4182-9087-23626023e509', 'c5c8f954-1bc0-45d5-9a4f-4385d0a720a1', '2743d495-7728-4a75-9e5f-b64854039792', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

CustomShellHost

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: A host process that is used by custom shells when using Windows in Kiosk mode.

Author: Wietze Beukema

Paths: * C:\Windows\System32\CustomShellHost.exe

Resources: * https://twitter.com/YoSignals/status/1381353520088113154 * https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher

Detection: * IOC: CustomShellHost.exe is unlikely to run on normal workstations * Sigma: proc_creation_win_lolbin_customshellhost.yml[CustomShellHost.exe - LOLBAS Project]

Internal MISP references

UUID 3ff0d4fc-6678-42f0-869b-f48906d98f82 which can be used as unique global reference for CustomShellHost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5098
source Tidal Cyber
tags ['536c3d51-9fc4-445e-9723-e11b69f0d6d5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.[NCSC Cyclops Blink February 2022][NCSC CISA Cyclops Blink Advisory February 2022][Trend Micro Cyclops Blink March 2022]

Internal MISP references

UUID 68792756-7dbf-41fd-8d48-ac3cc2b52712 which can be used as unique global reference for Cyclops Blink in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S0687
source MITRE
tags ['b20e7912-6a8d-46e3-8e13-9a3fc4813852', 'e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

Dacls

Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.[TrendMicro macOS Dacls May 2020][SentinelOne Lazarus macOS July 2020]

Internal MISP references

UUID 9d521c18-09f0-47be-bfe5-e1bf26f7b928 which can be used as unique global reference for Dacls in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S0497
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DanBot

DanBot is a first-stage remote access Trojan written in C# that has been used by HEXANE since at least 2018.[SecureWorks August 2019]

Internal MISP references

UUID 131c0eb2-9191-4ccd-a2d6-5f36046a8f2f which can be used as unique global reference for DanBot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1014
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkComet

DarkComet is a Windows remote administration tool and backdoor.[TrendMicro DarkComet Sept 2014][Malwarebytes DarkComet March 2018]

Internal MISP references

UUID 74f88899-56d0-4de8-97de-539b3590ab90 which can be used as unique global reference for DarkComet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0334
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkGate - Duplicate

DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[Ensilo Darkgate 2018] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[Trellix Darkgate 2023]

Internal MISP references

UUID 39d81c48-8f7c-54cb-8fac-485598e31a55 which can be used as unique global reference for DarkGate - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1111
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkGate

Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the Add to Matrix button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a 60-second tutorial here).

DarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[Bleeping Computer DarkGate October 14 2023] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[DarkGate Loader delivered via Teams - Truesec][Trend Micro DarkGate October 12 2023]

Internal MISP references

UUID 7144b703-f471-4bde-bedc-e8b274854de5 which can be used as unique global reference for DarkGate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5266
source Tidal Cyber
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkTortilla

DarkTortilla is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[Secureworks DarkTortilla Aug 2022]

Internal MISP references

UUID 35abcb6b-3259-57c1-94fc-50cfd5bde786 which can be used as unique global reference for DarkTortilla in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1066
source MITRE
type ['malware']

DarkWatchman

DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.[Prevailion DarkWatchman 2021]

Internal MISP references

UUID 740a0327-4caf-4d90-8b51-f3f9a4d59b37 which can be used as unique global reference for DarkWatchman in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0673
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Daserf

Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [Trend Micro Daserf Nov 2017] [Secureworks BRONZE BUTLER Oct 2017]

Internal MISP references

UUID fad65026-57c4-4d4f-8803-87178dd4b887 which can be used as unique global reference for Daserf in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0187
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DataSvcUtil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.

Author: Ialle Teixeira

Paths: * C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe

Resources: * https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe * https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services * https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services

Detection: * Sigma: proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml * IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory. * IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS. * IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.[DataSvcUtil.exe - LOLBAS Project]

Internal MISP references

UUID dd555a4c-3b04-48c1-988f-d530d699a5bf which can be used as unique global reference for DataSvcUtil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5099
source Tidal Cyber
tags ['0576be43-65c6-4d1a-8a06-ed8232ca0120', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DBatLoader

DBatLoader is a malware used for downloading/dropping purposes.

Internal MISP references

UUID 789791b7-1ea1-4b18-8253-4663bb7ec143 which can be used as unique global reference for DBatLoader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5287
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

DCSrv

DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[Checkpoint MosesStaff Nov 2021]

Internal MISP references

UUID 26ae3cd1-6710-4807-b674-957bd67d3e76 which can be used as unique global reference for DCSrv in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1033
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

DDKONG

DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in February 2017. [Rancor Unit42 June 2018]

Internal MISP references

UUID 0657b804-a889-400a-97d7-a4989809a623 which can be used as unique global reference for DDKONG in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0255
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DEADEYE

DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).[Mandiant APT41]

Internal MISP references

UUID e9533664-90c5-5b40-a40e-a69a2eda8bc9 which can be used as unique global reference for DEADEYE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1052
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

DealersChoice

DealersChoice is a Flash exploitation framework used by APT28. [Sofacy DealersChoice]

Internal MISP references

UUID 64dc5d44-2304-4875-b517-316ab98512c2 which can be used as unique global reference for DealersChoice in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0243
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

DEATHRANSOM

DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.[FireEye FiveHands April 2021]

Internal MISP references

UUID 832f5ab1-1267-40c9-84ef-f32d6373be4e which can be used as unique global reference for DEATHRANSOM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0616
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

DefaultPack

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.

Author: @checkymander

Paths: * C:\Program Files (x86)\Microsoft\DefaultPack\

Resources: * https://twitter.com/checkymander/status/1311509470275604480.

Detection: * Sigma: proc_creation_win_lolbin_defaultpack.yml * IOC: DefaultPack.EXE spawned an unknown process[DefaultPack.EXE - LOLBAS Project]

Internal MISP references

UUID ff25ec03-1e8d-427e-b207-1e1ecca542ec which can be used as unique global reference for DefaultPack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5212
source Tidal Cyber
tags ['4f7be515-680e-4375-81f6-c71c83dd440d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Defender Control

Defender Control is a tool purpose-built to disable Microsoft Defender.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID e8830cf3-53f3-4d15-858c-584589405fad which can be used as unique global reference for Defender Control in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5029
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Denis

Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities to the SOUNDBITE backdoor and has been used in conjunction with the Goopy backdoor.[Cybereason Oceanlotus May 2017]

Internal MISP references

UUID df4002d2-f557-4f95-af7a-9a4582fb7068 which can be used as unique global reference for Denis in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0354
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

Denonia

Denonia is described as "the first malware specifically targeting Lambda", the AWS serverless computing platform. Early samples appeared to possess cryptomining capabilities, but researchers believe Denonia could be used to carry out other types of activities as well.[Cado Denonia April 3 2022]

Internal MISP references

UUID 3c14ea0a-c85f-41b3-acd0-15d2565e3e07 which can be used as unique global reference for Denonia in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['IaaS']
software_attack_id S5313
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2e5f6e4a-4579-46f7-9997-6923180815dd', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

Derusbi

Derusbi is malware used by multiple Chinese APT groups.[Novetta-Axiom][ThreatConnect Anthem] Both Windows and Linux variants have been observed.[Fidelis Turbo]

Internal MISP references

UUID 9222aa77-922e-43c7-89ad-71067c428fb2 which can be used as unique global reference for Derusbi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0021
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Desk

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Desktop Settings Control Panel

Author: Hai Vaknin

Paths: * C:\Windows\System32\desk.cpl * C:\Windows\SysWOW64\desk.cpl

Resources: * https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt * https://twitter.com/pabraeken/status/998627081360695297 * https://twitter.com/VakninHai/status/1517027824984547329 * https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files

Detection: * Sigma: file_event_win_new_src_file.yml * Sigma: proc_creation_win_lolbin_rundll32_installscreensaver.yml * Sigma: registry_set_scr_file_executed_by_rundll32.yml[Desk.cpl - LOLBAS Project]

Internal MISP references

UUID 1863a7e2-6212-48a0-b109-15d0198b93e2 which can be used as unique global reference for Desk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5188
source Tidal Cyber
tags ['7ad2b1d5-c228-4bf5-bf8e-c80a8fef0079', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Desktopimgdownldr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows binary used to configure lockscreen/desktop image

Author: Gal Kristal

Paths: * c:\windows\system32\desktopimgdownldr.exe

Resources: * https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/

Detection: * Sigma: proc_creation_win_desktopimgdownldr_susp_execution.yml * Sigma: file_event_win_susp_desktopimgdownldr_file.yml * Elastic: command_and_control_remote_file_copy_desktopimgdownldr.toml * IOC: desktopimgdownldr.exe that creates non-image file * IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl[Desktopimgdownldr.exe - LOLBAS Project]

Internal MISP references

UUID 1b31652d-30bb-4c6e-bfe1-f2921a0aa64e which can be used as unique global reference for Desktopimgdownldr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5100
source Tidal Cyber
tags ['acc0e091-a071-4e83-b0b1-4f3adebeafa3', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DeviceCredentialDeployment

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Device Credential Deployment

Author: Elliot Killick

Paths: * C:\Windows\System32\DeviceCredentialDeployment.exe

Resources: None Provided

Detection: * IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation * Sigma: proc_creation_win_lolbin_device_credential_deployment.yml[DeviceCredentialDeployment.exe - LOLBAS Project]

Internal MISP references

UUID b99bdf39-8dcf-4bae-95af-b029d48cb579 which can be used as unique global reference for DeviceCredentialDeployment in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5101
source Tidal Cyber
tags ['2a08c2eb-e90e-4bdb-a2dd-9da06de7ed25', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Devinit

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Visual Studio 2019 tool

Author: mr.d0x

Paths: * C:\Program Files\Microsoft Visual Studio*\Community\Common7\Tools\devinit\devinit.exe * C:\Program Files (x86)\Microsoft Visual Studio*\Community\Common7\Tools\devinit\devinit.exe

Resources: * https://twitter.com/mrd0x/status/1460815932402679809

Detection: * Sigma: proc_creation_win_devinit_lolbin_usage.yml[Devinit.exe - LOLBAS Project]

Internal MISP references

UUID 102714a0-6b18-4d05-83c2-dd2929ce685a which can be used as unique global reference for Devinit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5213
source Tidal Cyber
tags ['bb814941-0155-49b1-8f93-39626d4f0ddd', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Devtoolslauncher

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary will execute specified binary. Part of VS/VScode installation.

Author: felamos

Paths: * c:\windows\system32\devtoolslauncher.exe

Resources: * https://twitter.com/_felamos/status/1179811992841797632

Detection: * Sigma: proc_creation_win_lolbin_devtoolslauncher.yml * IOC: DeveloperToolsSvc.exe spawned an unknown process[Devtoolslauncher.exe - LOLBAS Project]

Internal MISP references

UUID 6e213e33-c2e5-494f-bc1a-bf672f95dcf8 which can be used as unique global reference for Devtoolslauncher in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5214
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

devtunnel

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary to enable forwarded ports on windows operating systems.

Author: Kamran Saifullah

Paths: * C:\Users\\AppData\Local\Temp.net\devtunnel\ * C:\Users\\AppData\Local\Temp\DevTunnels

Resources: * https://code.visualstudio.com/docs/editor/port-forwarding

Detection: * IOC: devtunnel.exe binary spawned * IOC: .devtunnels.ms * IOC: .*.devtunnels.ms * Analysis: https://cydefops.com/vscode-data-exfiltration[devtunnel.exe - LOLBAS Project]

Internal MISP references

UUID 672d80fe-656e-4b1b-8234-ebf2c5339166 which can be used as unique global reference for devtunnel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5252
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DEWMODE

According to joint Cybersecurity Advisory AA23-158A (June 2023), DEWMODE is a web shell written in PHP that is designed to interact with a MySQL database. During a campaign from 2020 to 2021, threat actors exploited multiple zero-day vulnerabilities in internet-facing Accellion File Transfer Appliance (FTA) devices, installing DEWMODE web shells to exfiltrate data from compromised networks.[Mandiant MOVEit Transfer June 2 2023]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/dewmode/

Internal MISP references

UUID ff0b0792-5dd0-4e10-8b84-8da93a0198aa which can be used as unique global reference for DEWMODE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux']
software_attack_id S5021
source Tidal Cyber
tags ['a98d7a43-f227-478e-81de-e7299639a355', '311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']

Dfshim

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: ClickOnce engine in Windows used by .NET

Author: Oddvar Moe

Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe

Resources: * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf * https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Dfshim.dll - LOLBAS Project]

Internal MISP references

UUID b396eb52-3b6a-44e9-9534-d8b981a52192 which can be used as unique global reference for Dfshim in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5189
source Tidal Cyber
tags ['91fd24c3-f371-4c3b-b997-cd85e25c0967', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Dfsvc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: ClickOnce engine in Windows used by .NET

Author: Oddvar Moe

Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe

Resources: * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf * https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Dfsvc.exe - LOLBAS Project]

Internal MISP references

UUID f85966ec-0c4d-4f7e-949f-bb73828bf601 which can be used as unique global reference for Dfsvc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5102
source Tidal Cyber
tags ['18d6d91d-7df0-44c8-88fe-986d9ba00b8d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Diantz

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary that package existing files into a cabinet (.cab) file

Author: Tamir Yehuda

Paths: * c:\windows\system32\diantz.exe * c:\windows\syswow64\diantz.exe

Resources: * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz

Detection: * Sigma: proc_creation_win_lolbin_diantz_ads.yml * Sigma: proc_creation_win_lolbin_diantz_remote_cab.yml * IOC: diantz storing data into alternate data streams. * IOC: diantz getting a file from a remote machine or the internet.[diantz.exe_lolbas]

Internal MISP references

UUID 054ddf05-e9f0-4d14-8493-2a1b2ddbefad which can be used as unique global reference for Diantz in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5103
source Tidal Cyber
tags ['96f9b39f-0c59-48a0-9702-01920c1293a7', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Diavol

Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The Diavol Ransomware-as-a Service (RaaS) program is managed by Wizard Spider and it has been observed being deployed by Bazar.[Fortinet Diavol July 2021][FBI Flash Diavol January 2022][DFIR Diavol Ransomware December 2021][Microsoft Ransomware as a Service]

Internal MISP references

UUID d057b6e7-1de4-4f2f-b374-7e879caecd67 which can be used as unique global reference for Diavol in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0659
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Dipsind

Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. [Microsoft PLATINUM April 2016]

Internal MISP references

UUID 226ee563-4d49-48c2-aa91-82999f43ce30 which can be used as unique global reference for Dipsind in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0200
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Disco

Disco is a custom implant that has been used by MoustachedBouncer since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.[MoustachedBouncer ESET August 2023]

Internal MISP references

UUID 194314e3-4edc-5346-96b6-d2d7bf5d830a which can be used as unique global reference for Disco in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1088
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Diskshadow

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).

Author: Oddvar Moe

Paths: * C:\Windows\System32\diskshadow.exe * C:\Windows\SysWOW64\diskshadow.exe

Resources: * https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/

Detection: * Sigma: proc_creation_win_lolbin_diskshadow.yml * Sigma: proc_creation_win_susp_shadow_copies_deletion.yml * Elastic: credential_access_cmdline_dump_tool.toml * IOC: Child process from diskshadow.exe[Diskshadow.exe - LOLBAS Project]

Internal MISP references

UUID 07c49566-5bea-44dc-b81f-e6c90bda9c39 which can be used as unique global reference for Diskshadow in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5104
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Dnscmd

Dnscmd is a Windows command-line utility used to manage DNS servers.[Dnscmd Microsoft]

Internal MISP references

UUID 3fd09997-86e0-4dce-935e-421863e9bad0 which can be used as unique global reference for Dnscmd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5016
source Tidal Cyber
tags ['a45f9597-09c4-4e70-a7d3-d8235d2451a3', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

DnsSystem

DnsSystem is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net, that has been used by HEXANE since at least June 2022.[Zscaler Lyceum DnsSystem June 2022]

Internal MISP references

UUID e69a913d-4ddc-4d69-9961-25a31cae5899 which can be used as unique global reference for DnsSystem in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1021
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

dnx

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: .Net Execution environment file included with .Net.

Author: Oddvar Moe

Paths: * N/A

Resources: * https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

Detection: * Sigma: proc_creation_win_lolbin_dnx.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[dnx.exe - LOLBAS Project]

Internal MISP references

UUID e2bdda2e-54b4-4d35-b7e5-4e20626a4481 which can be used as unique global reference for dnx in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5215
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DOGCALL

DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. [FireEye APT37 Feb 2018]

Internal MISP references

UUID 81ce23c0-f505-4d75-9928-4fbd627d3bc2 which can be used as unique global reference for DOGCALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0213
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']
Related clusters

To see the related clusters, click here.

Dok

Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).[objsee mac malware 2017][hexed osx.dok analysis 2019][CheckPoint Dok]

Internal MISP references

UUID dfa14314-3c64-4a10-9889-0423b884f7aa which can be used as unique global reference for Dok in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0281
source MITRE
type ['malware']

Doki

Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. [Intezer Doki July 20]

Internal MISP references

UUID e6160c55-1868-47bd-bec6-7becbf236bbb which can be used as unique global reference for Doki in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux']
software_attack_id S0600
source MITRE
tags ['efa33611-88a5-40ba-9bc4-3d85c6c8819b']
type ['malware']

Donut

Donut is an open source framework used to generate position-independent shellcode.[Donut Github][Introducing Donut] Donut generated code has been used by multiple threat actors to inject and load malicious payloads into memory.[NCC Group WastedLocker June 2020]

Internal MISP references

UUID 40d25a38-91f4-4e07-bb97-8866bed8e44f which can be used as unique global reference for Donut in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0695
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

Dotnet

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: dotnet.exe comes with .NET Framework

Author: felamos

Paths: * C:\Program Files\dotnet\dotnet.exe

Resources: * https://twitter.com/_felamos/status/1204705548668555264 * https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc * https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/ * https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/

Detection: * Sigma: proc_creation_win_lolbin_dotnet.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: dotnet.exe spawned an unknown process[Dotnet.exe - LOLBAS Project]

Internal MISP references

UUID 1bcd9c93-0944-4671-ab01-cabc5ffe30bf which can be used as unique global reference for Dotnet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5216
source Tidal Cyber
tags ['09c24b93-bf06-4cbb-acb0-d7b9657a41dc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Downdelph

Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. [ESET Sednit Part 3]

Internal MISP references

UUID f7b64b81-f9e7-46bf-8f63-6d7520da832c which can be used as unique global reference for Downdelph in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0134
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

down_new

down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID 20b796cf-6c90-4928-999e-88107078e15e which can be used as unique global reference for down_new in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0472
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

DownPaper

DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. [ClearSky Charming Kitten Dec 2017]

Internal MISP references

UUID fc433c9d-a7fe-4915-8aa0-06b58f288249 which can be used as unique global reference for DownPaper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0186
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DRATzarus

DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.[ClearSky Lazarus Aug 2020]

Internal MISP references

UUID c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf which can be used as unique global reference for DRATzarus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0694
source MITRE
type ['malware']

Dridex

Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).[Dell Dridex Oct 2015][Kaspersky Dridex May 2017][Treasury EvilCorp Dec 2019]

Internal MISP references

UUID e3cd4405-b698-41d9-88e4-fff29e7a19e2 which can be used as unique global reference for Dridex in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0384
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

DropBook

DropBook is a Python-based backdoor compiled with PyInstaller.[Cybereason Molerats Dec 2020]

Internal MISP references

UUID 9c44d3f9-7a7b-4716-9cfa-640b36548ab0 which can be used as unique global reference for DropBook in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0547
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Drovorub

Drovorub is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by APT28.[NSA/FBI Drovorub August 2020]

Internal MISP references

UUID bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b which can be used as unique global reference for Drovorub in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0502
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59', '1efd43ee-5752-49f2-99fe-e3441f126b00', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

dsdbutil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.

Author: Ekitji

Paths: * C:\Windows\System32\dsdbutil.exe * C:\Windows\SysWOW64\dsdbutil.exe

Resources: * https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358 * https://www.netwrix.com/ntds_dit_security_active_directory.html

Detection: * IOC: Event ID 4688 * IOC: dsdbutil.exe process creation * IOC: Event ID 4663 * IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit * IOC: Event ID 4656 * IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit * Analysis: None Provided * Sigma: None Provided * Elastic: None Provided * Splunk: None Provided * BlockRule: None Provided[dsdbutil.exe - LOLBAS Project]

Internal MISP references

UUID 9139c12f-a6d9-4300-8735-9298bc46a0bf which can be used as unique global reference for dsdbutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5217
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

dsquery

dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [TechNet Dsquery] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

Internal MISP references

UUID 06402bdc-a4a1-4e4a-bfc4-09f2c159af75 which can be used as unique global reference for dsquery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0105
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cb3d30b3-8cfc-4202-8615-58a9b8f7f118', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

Dtrack

Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group. [Kaspersky Dtrack][Securelist Dtrack][Dragos WASSONITE][CyberBit Dtrack][ZDNet Dtrack]

Internal MISP references

UUID aa21462d-9653-48eb-a82e-5c93c9db5f7a which can be used as unique global reference for Dtrack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0567
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Dump64

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Memory dump tool that comes with Microsoft Visual Studio

Author: mr.d0x

Paths: * C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe

Resources: * https://twitter.com/mrd0x/status/1460597833917251595

Detection: * Sigma: proc_creation_win_lolbin_dump64.yml * IOC: As a Windows SDK binary, execution on a system may be suspicious[Dump64.exe - LOLBAS Project]

Internal MISP references

UUID 13482336-e22b-48e9-bd49-c6e6fc6612ec which can be used as unique global reference for Dump64 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5218
source Tidal Cyber
tags ['0f09c7f5-ba57-4ef0-a196-e85558804496', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DumpMinitool

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Dump tool part Visual Studio 2022

Author: mr.d0x

Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions

Resources: * https://twitter.com/mrd0x/status/1511415432888131586

Detection: * Sigma: proc_creation_win_dumpminitool_execution.yml * Sigma: proc_creation_win_dumpminitool_susp_execution.yml * Sigma: proc_creation_win_devinit_lolbin_usage.yml[DumpMinitool.exe - LOLBAS Project]

Internal MISP references

UUID 7f3bf76a-4e6a-45f1-a4bf-400d5a914e52 which can be used as unique global reference for DumpMinitool in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5219
source Tidal Cyber
tags ['3b6ad94f-83ce-47bf-b82d-b98358d23434', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Duqu

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. [Symantec W32.Duqu]

Internal MISP references

UUID d4a664e5-9819-4f33-8b2b-e6f8e6a64999 which can be used as unique global reference for Duqu in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0038
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647']
type ['malware']

DustySky

DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. [DustySky] [DustySky2][Kaspersky MoleRATs April 2019]

Internal MISP references

UUID 77506f02-104f-4aac-a4e0-9649bd7efe2e which can be used as unique global reference for DustySky in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0062
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

Dxcap

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: DirectX diagnostics/debugger included with Visual Studio.

Author: Oddvar Moe

Paths: * C:\Windows\System32\dxcap.exe * C:\Windows\SysWOW64\dxcap.exe

Resources: * https://twitter.com/harr0ey/status/992008180904419328

Detection: * Sigma: proc_creation_win_lolbin_susp_dxcap.yml[Dxcap.exe - LOLBAS Project]

Internal MISP references

UUID 9b5039b9-c5f1-4516-88ef-f63966ec2b36 which can be used as unique global reference for Dxcap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5220
source Tidal Cyber
tags ['6d065f28-e32d-4e87-b315-c43ebc45532a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Dyre

Dyre is a banking Trojan that has been used for financial gain. [Symantec Dyre June 2015][Malwarebytes Dyreza November 2015]

Internal MISP references

UUID 38e012f7-fb3a-4250-a129-92da3a488724 which can be used as unique global reference for Dyre in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0024
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Earthworm

Earthworm is an open-source tool. According to its project website, Earthworm is a "simple network tunnel with SOCKS v5 server and port transfer".[Elastic Docs Potential Protocol Tunneling via EarthWorm] According to joint Cybersecurity Advisory AA23-144a (May 2023), Volt Typhoon actors have used Earthworm in their attacks.[U.S. CISA Volt Typhoon May 24 2023]

Internal MISP references

UUID ee14e483-b5ef-4931-9c2a-72046b6555cc which can be used as unique global reference for Earthworm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5013
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Ebury

Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).[ESET Ebury Feb 2014][BleepingComputer Ebury March 2017][ESET Ebury Oct 2017]

Internal MISP references

UUID 2375465a-e6a9-40ab-b631-a5b04cf5c689 which can be used as unique global reference for Ebury in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0377
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

ECCENTRICBANDWAGON

ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.[CISA EB Aug 2020]

Internal MISP references

UUID 70f703b3-0e24-4ffe-9772-f0e386ec607f which can be used as unique global reference for ECCENTRICBANDWAGON in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0593
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Ecipekac

Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as a loader for P8RAT, SodaMaster, and FYAnti.[Securelist APT10 March 2021]

Internal MISP references

UUID 6508d3dc-eb22-468c-9122-dcf541caa69c which can be used as unique global reference for Ecipekac in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0624
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Egregor

Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware.[NHS Digital Egregor Nov 2020][Cyble Egregor Oct 2020][Security Boulevard Egregor Oct 2020]

Internal MISP references

UUID 0e36b62f-a6e2-4406-b3d9-e05204e14a66 which can be used as unique global reference for Egregor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0554
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad', '0ed7d10c-c65b-4174-9edb-446bf301d250', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

EKANS

EKANS is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in MegaCortex.[Dragos EKANS][Palo Alto Unit 42 EKANS]

Internal MISP references

UUID cd7821cb-32f3-4d81-a5d1-0cdee94a15c4 which can be used as unique global reference for EKANS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0605
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Elise

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. [Lotus Blossom Jun 2015][Accenture Dragonfish Jan 2018]

Internal MISP references

UUID fd5efee9-8710-4536-861f-c88d882f4d24 which can be used as unique global reference for Elise in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0081
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

ELMER

ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16. [FireEye EPS Awakens Part 2]

Internal MISP references

UUID 6a3ca97e-6dd6-44e5-a5f0-7225099ab474 which can be used as unique global reference for ELMER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0064
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Emissary

Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. [Lotus Blossom Dec 2015]

Internal MISP references

UUID fd95d38d-83f9-4b31-8292-ba2b04275b36 which can be used as unique global reference for Emissary in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0082
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Emotet

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. [Trend Micro Banking Malware Jan 2019]

Internal MISP references

UUID c987d255-a351-4736-913f-91e2f28d0654 which can be used as unique global reference for Emotet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0367
source MITRE
tags ['71dfe8d1-666f-4e71-8761-d2876078fb3e', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Empire

Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[NCSC Joint Report Public Tools][Github PowerShell Empire][GitHub ATTACK Empire]

Internal MISP references

UUID fea655ac-558f-4dd0-867f-9a5553626207 which can be used as unique global reference for Empire in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0363
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '4f05a12d-f497-4081-acb9-9a257ab87886', '15787198-6c8b-4f79-bf50-258d55072fee', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

EnvyScout

EnvyScout is a dropper that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]

Internal MISP references

UUID 8da6fbf0-a18d-49a0-9235-101300d49d5e which can be used as unique global reference for EnvyScout in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0634
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Epic

Epic is a backdoor that has been used by Turla. [Kaspersky Turla]

Internal MISP references

UUID a7e71387-b276-413c-a0de-4cf07e39b158 which can be used as unique global reference for Epic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0091
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

esentutl

esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[Microsoft Esentutl]

Internal MISP references

UUID a7589733-6b04-4215-a4e7-4b62cd4610fa which can be used as unique global reference for esentutl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0404
source MITRE
tags ['ee88899a-2bf0-4b96-bf69-5b686fa463c3', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Eventvwr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Displays Windows Event Logs in a GUI window.

Author: Jacob Gajek

Paths: * C:\Windows\System32\eventvwr.exe * C:\Windows\SysWOW64\eventvwr.exe

Resources: * https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ * https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 * https://twitter.com/orange_8361/status/1518970259868626944

Detection: * Sigma: proc_creation_win_uac_bypass_eventvwr.yml * Sigma: registry_set_uac_bypass_eventvwr.yml * Sigma: file_event_win_uac_bypass_eventvwr.yml * Elastic: privilege_escalation_uac_bypass_event_viewer.toml * Splunk: eventvwr_uac_bypass.yml * IOC: eventvwr.exe launching child process other than mmc.exe * IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command[Eventvwr.exe - LOLBAS Project]

Internal MISP references

UUID 4c371bd9-c97c-42ab-b913-1e19cd409382 which can be used as unique global reference for Eventvwr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5105
source Tidal Cyber
tags ['59d03fb8-0620-468a-951c-069473cb86bc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

EvilBunny

EvilBunny is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.[Cyphort EvilBunny Dec 2014]

Internal MISP references

UUID 300e8176-e7ee-44ef-8d10-dff96502f6c6 which can be used as unique global reference for EvilBunny in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0396
source MITRE
type ['malware']

EvilGinx

EvilGinx is an open-source software project. According to its GitHub repository, EvilGinx is a "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication".[GitHub evilginx2]

Internal MISP references

UUID 4892c22d-6fd4-4876-8e8a-af968cf61ecc which can be used as unique global reference for EvilGinx in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5078
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['malware']
Related clusters

To see the related clusters, click here.

EvilGrab

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. [PWC Cloud Hopper Technical Annex April 2017]

Internal MISP references

UUID e862419c-d6b6-4433-a02a-c1cc98ea6f9e which can be used as unique global reference for EvilGrab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0152
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

EVILNUM

EVILNUM is fully capable backdoor that was first identified in 2018. EVILNUM is used by the APT group Evilnum which has the same name.[ESET EvilNum July 2020][Prevailion EvilNum May 2020]

Internal MISP references

UUID e0eaae6d-5137-4053-bf37-ff90bf5767a9 which can be used as unique global reference for EVILNUM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0568
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Exaramel for Linux

Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.[ESET TeleBots Oct 2018]

Internal MISP references

UUID c773f709-b5fe-4514-9d88-24ceb0dd8063 which can be used as unique global reference for Exaramel for Linux in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0401
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Exaramel for Windows

Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[ESET TeleBots Oct 2018]

Internal MISP references

UUID 21569dfb-c9f1-468e-903e-348f19dbae1f which can be used as unique global reference for Exaramel for Windows in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0343
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Excel

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Office binary

Author: Reegun J (OCBC Bank)

Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe * C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe * C:\Program Files\Microsoft Office\Office16\Excel.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe * C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe * C:\Program Files\Microsoft Office\Office15\Excel.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe * C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe * C:\Program Files\Microsoft Office\Office14\Excel.exe * C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe * C:\Program Files\Microsoft Office\Office12\Excel.exe * C:\Program Files\Microsoft Office\Office12\Excel.exe

Resources: * https://twitter.com/reegun21/status/1150032506504151040 * https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191

Detection: * Sigma: proc_creation_win_lolbin_office.yml * IOC: Suspicious Office application Internet/network traffic[Excel.exe - LOLBAS Project]

Internal MISP references

UUID 46efd94e-afd2-4536-8525-0619fc56966f which can be used as unique global reference for Excel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5221
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ExMatter

ExMatter is a custom data exfiltration tool. It was first observed in November 2021 during intrusions involving BlackMatter ransomware, and more recently has been used during BlackCat ransomware attacks. In August 2022, researchers observed a “heavily updated” version of ExMatter, which featured expanded protocols for exfiltrating data, a data corruption capability, enhanced defense evasion abilities, and a narrower range of targeted file types.[Symantec Noberus September 22 2022]

Internal MISP references

UUID 068b26ae-39b5-4b4e-8faa-eb304a17687d which can be used as unique global reference for ExMatter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5054
source Tidal Cyber
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

Expand

Expand is a Windows utility used to expand one or more compressed CAB files.[Microsoft Expand Utility] It has been used by BBSRAT to decompress a CAB file into executable content.[Palo Alto Networks BBSRAT]

Internal MISP references

UUID 5d7a39e3-c667-45b3-987e-3b0ca49cff61 which can be used as unique global reference for Expand in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0361
source MITRE
tags ['182dd4be-bbda-404f-aad1-156a22bbe7a4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Explorer

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used for managing files and system components within Windows

Author: Jai Minton

Paths: * C:\Windows\explorer.exe * C:\Windows\SysWOW64\explorer.exe

Resources: * https://twitter.com/CyberRaiju/status/1273597319322058752?s=20 * https://twitter.com/bohops/status/1276356245541335048 * https://twitter.com/bohops/status/986984122563391488

Detection: * Sigma: proc_creation_win_explorer_break_process_tree.yml * Sigma: proc_creation_win_explorer_lolbin_execution.yml * Elastic: initial_access_via_explorer_suspicious_child_parent_args.toml * IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious.[Explorer.exe - LOLBAS Project]

Internal MISP references

UUID b792d713-fbb4-46e6-94ae-8b9a1f4e794d which can be used as unique global reference for Explorer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5106
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Explosive

Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified in the wild in 2015.[CheckPoint Volatile Cedar March 2015][ClearSky Lebanese Cedar Jan 2021]

Internal MISP references

UUID 572eec55-2855-49ac-a82e-2c21e9aca27e which can be used as unique global reference for Explosive in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0569
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Extexport

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Load a DLL located in the c:\test folder with a specific name.

Author: Oddvar Moe

Paths: * C:\Program Files\Internet Explorer\Extexport.exe * C:\Program Files (x86)\Internet Explorer\Extexport.exe

Resources: * http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/

Detection: * Sigma: proc_creation_win_lolbin_extexport.yml * IOC: Extexport.exe loads dll and is execute from other folder the original path[Extexport.exe - LOLBAS Project]

Internal MISP references

UUID 2e6f1aed-a983-44fb-aed1-b4a3d9cb9488 which can be used as unique global reference for Extexport in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5107
source Tidal Cyber
tags ['5b81675a-742a-4ffd-b410-44ce3f1b0831', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ExtPassword

ExtPassword is a tool used to recover passwords from Windows systems.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 363c38fc-8676-4a63-b3f4-f0237565a951 which can be used as unique global reference for ExtPassword in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5030
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Extrac32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Extract to ADS, copy or overwrite a file with Extrac32.exe

Author: Oddvar Moe

Paths: * C:\Windows\System32\extrac32.exe * C:\Windows\SysWOW64\extrac32.exe

Resources: * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f * https://twitter.com/egre55/status/985994639202283520

Detection: * Elastic: defense_evasion_misc_lolbin_connecting_to_the_internet.toml * Sigma: proc_creation_win_lolbin_extrac32.yml * Sigma: proc_creation_win_lolbin_extrac32_ads.yml[Extrac32.exe - LOLBAS Project]

Internal MISP references

UUID 53dc0180-0309-4489-af75-9c76b2887359 which can be used as unique global reference for Extrac32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5108
source Tidal Cyber
tags ['92092803-19a9-4288-b7fb-08e92e8ea693', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

FakeM

FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. [Scarlet Mimic Jan 2016]

Internal MISP references

UUID 8c64a330-1457-4c32-ab2f-12b6eb37d607 which can be used as unique global reference for FakeM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0076
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

FakePenny

FakePenny is a ransomware, which includes both a loader and an encryptor, that is believed to have been developed by the North Korean threat actor Moonstone Sleet.[Microsoft Security Blog 5 28 2024]

Internal MISP references

UUID acbff463-ba1c-4d26-ab99-b9aa47b81c68 which can be used as unique global reference for FakePenny in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5321
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

FALLCHILL

FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [US-CERT FALLCHILL Nov 2017]

Internal MISP references

UUID ea47f1fd-0171-4254-8c92-92b7a5eec5e1 which can be used as unique global reference for FALLCHILL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0181
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

FatDuke

FatDuke is a backdoor used by APT29 since at least 2016.[ESET Dukes October 2019]

Internal MISP references

UUID 997ff740-1b00-40b6-887a-ef4101e93295 which can be used as unique global reference for FatDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0512
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

Felismus

Felismus is a modular backdoor that has been used by Sowbug. [Symantec Sowbug Nov 2017] [Forcepoint Felismus Mar 2017]

Internal MISP references

UUID c66ed8ab-4692-4948-820e-5ce87cc78db5 which can be used as unique global reference for Felismus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0171
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

FELIXROOT

FELIXROOT is a backdoor that has been used to target Ukrainian victims. [FireEye FELIXROOT July 2018]

Internal MISP references

UUID 4b1a07cd-4c1f-4d93-a454-07fd59b3039a which can be used as unique global reference for FELIXROOT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0267
source MITRE
type ['malware']

Ferocious

Ferocious is a first stage implant composed of VBS and PowerShell scripts that has been used by WIRTE since at least 2021.[Kaspersky WIRTE November 2021]

Internal MISP references

UUID 3e54ba7a-fd4c-477f-9c2d-34b4f69fc091 which can be used as unique global reference for Ferocious in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0679
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Fgdump

Fgdump is a Windows password hash dumper. [Mandiant APT1]

Internal MISP references

UUID 1bbf04bb-d869-48c5-a538-70a25503de1d which can be used as unique global reference for Fgdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0120
source MITRE
type ['tool']

FileZilla

FileZilla is a tool used to perform cross-platform File Transfer Protocol (FTP) to a site, server, or host.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID f2a6f899-15a8-4d77-bebd-14bc03958764 which can be used as unique global reference for FileZilla in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5031
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Final1stspy

Final1stspy is a dropper family that has been used to deliver DOGCALL.[Unit 42 Nokki Oct 2018]

Internal MISP references

UUID eb4dc358-e353-47fc-8207-b7cb10d580f7 which can be used as unique global reference for Final1stspy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0355
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Findstr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Write to ADS, discover, or download files with Findstr.exe

Author: Oddvar Moe

Paths: * C:\Windows\System32\findstr.exe * C:\Windows\SysWOW64\findstr.exe

Resources: * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection: * Sigma: proc_creation_win_lolbin_findstr.yml[Findstr.exe - LOLBAS Project]

Internal MISP references

UUID a62634f8-8f42-4874-9669-bea2e053dfea which can be used as unique global reference for Findstr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5109
source Tidal Cyber
tags ['6ca537bb-94b6-4b12-8978-6250baa6a5cb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

FinFisher

FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [FinFisher Citation] [Microsoft SIR Vol 21] [FireEye FinSpy Sept 2017] [Securelist BlackOasis Oct 2017] [Microsoft FinFisher March 2018]

Internal MISP references

UUID 41f54ce1-842c-428a-977f-518a5b63b4d7 which can be used as unique global reference for FinFisher in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Android', 'Windows']
software_attack_id S0182
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Finger

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon

Author: Ruben Revuelta

Paths: * c:\windows\system32\finger.exe * c:\windows\syswow64\finger.exe

Resources: * https://twitter.com/DissectMalware/status/997340270273409024 * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)

Detection: * Sigma: proc_creation_win_finger_usage.yml * IOC: finger.exe should not be run on a normal workstation. * IOC: finger.exe connecting to external resources.[Finger.exe - LOLBAS Project]

Internal MISP references

UUID a9ce311d-dd8c-497d-b38f-b535d7318ed4 which can be used as unique global reference for Finger in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5110
source Tidal Cyber
tags ['1da4f610-4c54-46a3-b9b3-c38a002b623e', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

FIVEHANDS

FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.[FireEye FiveHands April 2021][NCC Group Fivehands June 2021]

Internal MISP references

UUID 84187393-2fe9-4136-8720-a6893734ee8c which can be used as unique global reference for FIVEHANDS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0618
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'f1ad9eba-f4fd-4aec-92c0-833ac14d741b', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Flagpro

Flagpro is a Windows-based, first-stage downloader that has been used by BlackTech since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.[NTT Security Flagpro new December 2021]

Internal MISP references

UUID 977aaf8a-2216-40f0-8682-61dd91638147 which can be used as unique global reference for Flagpro in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0696
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Flame

Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [Kaspersky Flame]

Internal MISP references

UUID 87604333-638f-4f4a-94e0-16aa825dd5b8 which can be used as unique global reference for Flame in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0143
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647']
type ['malware']

FLASHFLOOD

FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [FireEye APT30]

Internal MISP references

UUID 44a5e62a-6de4-49d2-8f1b-e68ecdf9f332 which can be used as unique global reference for FLASHFLOOD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0036
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

FlawedAmmyy

FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[Proofpoint TA505 Mar 2018]

Internal MISP references

UUID 308dbe77-3d58-40bb-b0a5-cd00f152dc60 which can be used as unique global reference for FlawedAmmyy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0381
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

FlawedGrace

FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.[Proofpoint TA505 Jan 2019]

Internal MISP references

UUID c558e948-c817-4494-a95d-ad3207f10e26 which can be used as unique global reference for FlawedGrace in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0383
source MITRE
tags ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

FleetDeck

FleetDeck is a commercial remote monitoring and management (RMM) tool that enables remote desktop access and “virtual terminal” capabilities. Government and commercial reports indicate that financially motivated adversaries, including BlackCat (AKA ALPHV or Noberus) actors and Scattered Spider (AKA 0ktapus or UNC3944), have used FleetDeck for command and control and persistence purposes during intrusions.[Cyber Centre ALPHV/BlackCat July 25 2023][CrowdStrike Scattered Spider SIM Swapping December 22 2022]

Internal MISP references

UUID 68758d3a-ec4b-4c19-933d-b4c3000281b2 which can be used as unique global reference for FleetDeck in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5056
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

FLIPSIDE

FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims. [Mandiant FIN5 GrrCON Oct 2016]

Internal MISP references

UUID 18002747-ddcc-42c1-b0ca-1e598a9f1919 which can be used as unique global reference for FLIPSIDE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0173
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

fltMC

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Filter Manager Control Program used by Windows

Author: John Lambert

Paths: * C:\Windows\System32\fltMC.exe

Resources: * https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon

Detection: * Sigma: proc_creation_win_fltmc_unload_driver_sysmon.yml * Elastic: defense_evasion_via_filter_manager.toml * Splunk: unload_sysmon_filter_driver.yml * IOC: 4688 events with fltMC.exe[fltMC.exe - LOLBAS Project]

Internal MISP references

UUID 43d57826-cd15-4154-8f04-38351c96986e which can be used as unique global reference for fltMC in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5111
source Tidal Cyber
tags ['49bbb074-2406-4f27-ad77-d2e433ba1ccb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

FoggyWeb

FoggyWeb is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by APT29 since at least early April 2021.[MSTIC FoggyWeb September 2021]

Internal MISP references

UUID bc11844e-0348-4eed-a48a-0554d68db38c which can be used as unique global reference for FoggyWeb in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0661
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

Forfiles

Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [Microsoft Forfiles Aug 2016]

Internal MISP references

UUID c6dc67a6-587d-4700-a7de-bee043a0031a which can be used as unique global reference for Forfiles in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0193
source MITRE
tags ['91804406-e20a-4455-8dbc-5528c35f8e20', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Formbook

Formbook is an information-stealing malware, discovered in 2016, that is capable of stealing data entered into HTML website forms and logging keystrokes and also acting as a downloader for other malware.[What Is FormBook Malware?][What is FormBook Malware? - Check Point Software] xLoader is a JavaScript-based, cross-platform Formbook variant discovered in 2020 that is crafted to infect macOS as well as Windows systems. Check Point Research's 2022 Mid-Year Report released in August 2022 placed Formbook as the "most prevalent" infostealer malware globally (and second-most prevalent of all malware types globally, behind only Emotet).[Check Point Mid-Year Report 2022]

Internal MISP references

UUID 376d1383-17a7-48b0-8a8b-d6142b2f3003 which can be used as unique global reference for Formbook in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5288
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

FRAMESTING

FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution.[Mandiant Cutting Edge Part 2 January 2024]

Internal MISP references

UUID 83721b89-df58-50bf-be2a-0b696fb0da78 which can be used as unique global reference for FRAMESTING in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1120
source MITRE
type ['malware']

FrameworkPOS

FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from sytems that run physical POS devices.[SentinelOne FrameworkPOS September 2019]

Internal MISP references

UUID aef7cbbc-5163-419c-8e4b-3f73bed50474 which can be used as unique global reference for FrameworkPOS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0503
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

FreeFileSync

FreeFileSync is a tool used to facilitate cloud-based file synchronization.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 1d5c5822-3cb4-455a-9976-f6bc17e2820d which can be used as unique global reference for FreeFileSync in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5032
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

FruitFly

FruitFly is designed to spy on mac users [objsee mac malware 2017].

Internal MISP references

UUID 3a05085e-5a1f-4a74-b489-d679b80e2c18 which can be used as unique global reference for FruitFly in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0277
source MITRE
type ['malware']

Fsi

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.

Author: Jimmy (@bohops)

Paths: * C:\Program Files\dotnet\sdk[sdk version]\FSharp\fsi.exe * C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe

Resources: * https://twitter.com/NickTyrer/status/904273264385589248 * https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

Detection: * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Fsi.exe execution may be suspicious on non-developer machines * Sigma: proc_creation_win_lolbin_fsharp_interpreters.yml[Fsi.exe - LOLBAS Project]

Internal MISP references

UUID f2a5e6cb-75fd-4108-9466-80471c7d0422 which can be used as unique global reference for Fsi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5222
source Tidal Cyber
tags ['7a4b56fa-5419-411b-86fe-68c9b0ddd3c5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

FsiAnyCpu

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.

Author: Jimmy (@bohops)

Paths: * c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe

Resources: * https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines * Sigma: proc_creation_win_lolbin_fsharp_interpreters.yml[FsiAnyCpu.exe - LOLBAS Project]

Internal MISP references

UUID 9e5c41bb-f4cc-4132-8c7a-4a10a006190b which can be used as unique global reference for FsiAnyCpu in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5223
source Tidal Cyber
tags ['c5d1a687-8a36-4995-b8cb-415f33661821', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Fsutil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: File System Utility

Author: Elliot Killick

Paths: * C:\Windows\System32\fsutil.exe * C:\Windows\SysWOW64\fsutil.exe

Resources: * https://twitter.com/0gtweet/status/1720724516324704404

Detection: * IOC: fsutil.exe should not be run on a normal workstation * IOC: file setZeroData (not case-sensitive) in the process arguments * IOC: Sysmon Event ID 1 * IOC: Execution of process fsutil.exe with trace decode could be suspicious * IOC: Non-Windows netsh.exe execution * Sigma: proc_creation_win_susp_fsutil_usage.yml[Fsutil.exe - LOLBAS Project]

Internal MISP references

UUID 7a829dae-00cf-4321-95b4-276f7dfb5368 which can be used as unique global reference for Fsutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5112
source Tidal Cyber
tags ['76bb7541-94da-4d66-9a57-77f788330287', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ftp

ftp is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[Microsoft FTP][Linux FTP]

Internal MISP references

UUID 062deac9-8f05-44e2-b347-96b59ba166ca which can be used as unique global reference for ftp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0095
source MITRE
tags ['95d37388-4e95-4d7f-96ba-99d94c842299', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '8bf128ad-288b-41bc-904f-093f4fdde745']
type ['tool']
Related clusters

To see the related clusters, click here.

FunnyDream

FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since at least 2019, primarily for execution and exfiltration.[Bitdefender FunnyDream Campaign November 2020]

Internal MISP references

UUID d0490e1d-8287-44d3-8342-944d1203b237 which can be used as unique global reference for FunnyDream in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1044
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

FYAnti

FYAnti is a loader that has been used by menuPass since at least 2020, including to deploy QuasarRAT.[Securelist APT10 March 2021]

Internal MISP references

UUID be9a2ae5-373a-4dee-9c1e-b54235dafed0 which can be used as unique global reference for FYAnti in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0628
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Fysbis

Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.[Fysbis Palo Alto Analysis]

Internal MISP references

UUID 317a7647-aee7-4ce1-a8f8-33a61190f55d which can be used as unique global reference for Fysbis in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0410
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Gazer

Gazer is a backdoor used by Turla since at least 2016. [ESET Gazer Aug 2017]

Internal MISP references

UUID 7a60b984-b0c8-4acc-be24-841f4b652872 which can be used as unique global reference for Gazer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0168
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Gelsemium

Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.[ESET Gelsemium June 2021]

Internal MISP references

UUID 9a117508-1d22-4fea-aa65-db670c13a5c9 which can be used as unique global reference for Gelsemium in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0666
source MITRE
type ['malware']

GeminiDuke

GeminiDuke is malware that was used by APT29 from 2009 to 2012. [F-Secure The Dukes]

Internal MISP references

UUID 97f32f68-dcd2-4f80-9967-cc87305dc342 which can be used as unique global reference for GeminiDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0049
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Get2

Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy, Snatch and SDBbot.[Proofpoint TA505 October 2019]

Internal MISP references

UUID a997aaaf-edfc-4489-80a9-3f8d64545de1 which can be used as unique global reference for Get2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0460
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

GfxDownloadWrapper

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.

Author: Jesus Galvez

Paths: * c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\ * c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\ * c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\ * c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\ * c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\ * c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\ * c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\ * c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\ * c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\ * c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\ * c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\ * c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\ * c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\ * c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\ * c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\ * c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\ * c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\ * c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\ * c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\ * c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\ * c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\ * c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\ * c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\ * c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\ * c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\ * c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\ * c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\ * c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\ * c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\ * c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\ * c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\ * c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\ * c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\ * c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\ * c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\ * c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\ * c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\ * c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\ * c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\ * c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\ * c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\ * c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\ * c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\ * c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\ * c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\ * c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\ * c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\ * c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\ * c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\ * c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\ * c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\ * c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\

Resources: * https://www.sothis.tech/author/jgalvez/

Detection: * Sigma: proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml * IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.[GfxDownloadWrapper.exe - LOLBAS Project]

Internal MISP references

UUID a83cfdbf-023a-4874-a3d8-9674149ceb53 which can be used as unique global reference for GfxDownloadWrapper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5186
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

gh0st RAT

gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.[FireEye Hacking Team][Arbor Musical Chairs Feb 2018][Nccgroup Gh0st April 2018]

Internal MISP references

UUID 269ef8f5-35c8-44ba-afe4-63f4c6431427 which can be used as unique global reference for gh0st RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Windows']
software_attack_id S0032
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

GLASSTOKEN

GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on compromised Ivanti Secure Connect VPNs.[Volexity Ivanti Zero-Day Exploitation January 2024]

Internal MISP references

UUID 5c1a1ce5-927c-5c79-8a14-2789756d41ee which can be used as unique global reference for GLASSTOKEN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1117
source MITRE
type ['malware']

GLOOXMAIL

GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic. [Mandiant APT1]

Internal MISP references

UUID 09fdec78-5253-433d-8680-294ba6847be9 which can be used as unique global reference for GLOOXMAIL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0026
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

GMER

GMER is a tool used to remove rootkits.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 83713f85-8b2f-4733-9fea-e6a1494d0bbb which can be used as unique global reference for GMER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5033
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Gold Dragon

Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. [McAfee Gold Dragon]

Internal MISP references

UUID 348fdeb5-6a74-4803-ac6e-e0133ecd7263 which can be used as unique global reference for Gold Dragon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0249
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

GoldenSpy

GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.[Trustwave GoldenSpy June 2020]

Internal MISP references

UUID 1b135393-c799-4698-a880-c6a86782adee which can be used as unique global reference for GoldenSpy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0493
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55']
type ['malware']

GoldFinder

GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldFinder was discovered in early 2021 during an investigation into the SolarWinds Compromise by APT29.[MSTIC NOBELIUM Mar 2021]

Internal MISP references

UUID 4e8c58c5-443e-4f73-91e9-89146f04e307 which can be used as unique global reference for GoldFinder in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0597
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

GoldMax

GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[MSTIC NOBELIUM Mar 2021][FireEye SUNSHUTTLE Mar 2021][CrowdStrike StellarParticle January 2022]

Internal MISP references

UUID b05a9763-4288-4656-bf4e-ba02bb8b35d6 which can be used as unique global reference for GoldMax in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0588
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Goopy

Goopy is a Windows backdoor and Trojan used by APT32 and shares several similarities to another backdoor used by the group (Denis). Goopy is named for its impersonation of the legitimate Google Updater executable.[Cybereason Cobalt Kitty 2017]

Internal MISP references

UUID a75855fd-2b6b-43d8-99a5-2be03b544f34 which can be used as unique global reference for Goopy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0477
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

GooseEgg

GooseEgg is a custom tool developed by Russian espionage group Forest Blizzard that is designed for privilege escalation and credential access purposes. GooseEgg exploits CVE-2022-38028, a vulnerability in the Windows Print Spooler service. Researchers describe the tool as a "simple" launcher application, but a range of subsequent post-exploitation actions are possible, including remote code execution, backdoor deployment, and lateral movement within the compromised network.[Microsoft Security Blog 4 22 2024]

Internal MISP references

UUID f9c32a11-964c-4480-968b-e520b8c7b26e which can be used as unique global reference for GooseEgg in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5318
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', '7de7d799-f836-4555-97a4-0db776eb6932', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

Gootloader

Gootloader is a highly active banking Trojan-turned-loader malware that has attacked organizations in a wide range of verticals and countries. Gootloader, also referred to by its related payload, Gootkit, first emerged in 2014 but has been especially active since 2020. In the past two years alone, verticals including finance, healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, IcedID (a common ransomware precursor), & more. Cybereason indicates the financial & healthcare sectors are especially impacted.[Cybereason Gootloader February 2023] Red Canary & The DFIR Report provide tool-agnostic suggested detection logic for key behaviors observed during recent Gootloader campaigns.[Red Canary Gootloader April 2023][DFIR Report Gootloader]

Internal MISP references

UUID 3eec857e-dce3-4865-a65f-3ad5a559a3e6 which can be used as unique global reference for Gootloader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5289
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

Gpscript

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by group policy to process scripts

Author: Oddvar Moe

Paths: * C:\Windows\System32\gpscript.exe * C:\Windows\SysWOW64\gpscript.exe

Resources: * https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

Detection: * Sigma: proc_creation_win_lolbin_gpscript.yml * IOC: Scripts added in local group policy * IOC: Execution of Gpscript.exe after logon[Gpscript.exe - LOLBAS Project]

Internal MISP references

UUID acf4a502-2730-4b36-aea3-652420390977 which can be used as unique global reference for Gpscript in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5113
source Tidal Cyber
tags ['2ca5c5e4-ee7f-4698-84ec-ce04d2c1e9cc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Grandoreiro

Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.[Securelist Brazilian Banking Malware July 2020][ESET Grandoreiro April 2020]

Internal MISP references

UUID 61d277f2-abdc-4f2b-b50a-10d0fe91e588 which can be used as unique global reference for Grandoreiro in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0531
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

GraphicalProton

According to joint Cybersecurity Advisory AA23-347A (December 2023), GraphicalProton "is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs" to exchange data with its operators. During a 2023 campaign, authorities also observed a HTTPS variant of GraphicalProton that relies on HTTP requests instead of cloud-based services.[U.S. CISA SVR TeamCity Exploits December 2023]

Internal MISP references

UUID f77398ad-e043-4694-ade0-d6ea16a994e7 which can be used as unique global reference for GraphicalProton in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5077
source Tidal Cyber
type ['malware']
Related clusters

To see the related clusters, click here.

GravityRAT

GravityRAT is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organization and entities in India. [Talos GravityRAT]

Internal MISP references

UUID 08cb425d-7b7a-41dc-a897-9057ce57fea9 which can be used as unique global reference for GravityRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0237
source MITRE
type ['malware']

Green Lambert

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[Kaspersky Lamberts Toolkit April 2017][Objective See Green Lambert for OSX Oct 2021]

Internal MISP references

UUID f5691425-6690-4e5e-8304-3ede9d2f5a90 which can be used as unique global reference for Green Lambert in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows', 'iOS']
software_attack_id S0690
source MITRE
type ['malware']

GreyEnergy

GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be the successor of it.[ESET GreyEnergy Oct 2018]

Internal MISP references

UUID f646e7f9-4d09-46f6-9831-54668fa20483 which can be used as unique global reference for GreyEnergy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0342
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

GRIFFON

GRIFFON is a JavaScript backdoor used by FIN7. [SecureList Griffon May 2019]

Internal MISP references

UUID ad358082-d83a-4c22-81a1-6c34dd67af26 which can be used as unique global reference for GRIFFON in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0417
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

GrimAgent

GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.[Group IB GrimAgent July 2021]

Internal MISP references

UUID c40a71d4-8592-4f82-8af5-18f763e52caf which can be used as unique global reference for GrimAgent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0632
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Grixba

Grixba is a tool used by Play Ransomware operators to scan victim networks for information discovery purposes. Grixba compiles and saves collected information into CSV files, which are then compressed with WinRAR and exfiltrated to threat actors.[Symantec Play Ransomware April 19 2023]

Internal MISP references

UUID 3ff9e020-8a7a-4c6f-a607-117ce9e436c5 which can be used as unique global reference for Grixba in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5079
source Tidal Cyber
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

gsecdump

gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. [TrueSec Gsecdump]

Internal MISP references

UUID 5ffe662f-9da1-4b6f-ad3a-f296383e828c which can be used as unique global reference for gsecdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0008
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']
Related clusters

To see the related clusters, click here.

GuLoader

GuLoader is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including NETWIRE, Agent Tesla, NanoCore, FormBook, and Parallax RAT.[Unit 42 NETWIRE April 2020][Medium Eli Salem GuLoader April 2021]

Internal MISP references

UUID 03e985d6-870b-4533-af13-08b1e0511444 which can be used as unique global reference for GuLoader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0561
source MITRE
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

H1N1

H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. [Cisco H1N1 Part 1]

Internal MISP references

UUID 5f1602fe-a4ce-4932-9cf9-ec842f2c58f1 which can be used as unique global reference for H1N1 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0132
source MITRE
type ['malware']

Hacking Team UEFI Rootkit

Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. [TrendMicro Hacking Team UEFI]

Internal MISP references

UUID 75db2ac3-901e-4b1f-9a0d-bac6562d57a3 which can be used as unique global reference for Hacking Team UEFI Rootkit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0047
source MITRE
type ['malware']

HALFBAKED

HALFBAKED is a malware family consisting of multiple components intended to establish persistence in victim networks. [FireEye FIN7 April 2017]

Internal MISP references

UUID 5edf0ef7-a960-4500-8a89-8c8b4fdf8824 which can be used as unique global reference for HALFBAKED in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0151
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HAMMERTOSS

HAMMERTOSS is a backdoor that was used by APT29 in 2015. [FireEye APT29] [F-Secure The Dukes]

Internal MISP references

UUID cc07f03f-9919-4856-9b30-f4d88940b0ec which can be used as unique global reference for HAMMERTOSS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0037
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Hancitor

Hancitor is a downloader that has been used by Pony and other information stealing malware.[Threatpost Hancitor][FireEye Hancitor]

Internal MISP references

UUID 4eee3272-07fa-48ee-a7b9-9dfee3e4550a which can be used as unique global reference for Hancitor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0499
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

HAPPYWORK

HAPPYWORK is a downloader used by APT37 to target South Korean government and financial victims in November 2016. [FireEye APT37 Feb 2018]

Internal MISP references

UUID c2c31b2e-5da6-4feb-80e3-14ea6d0ea7e8 which can be used as unique global reference for HAPPYWORK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0214
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HARDRAIN

HARDRAIN is a Trojan malware variant reportedly used by the North Korean government. [US-CERT HARDRAIN March 2018]

Internal MISP references

UUID ad0ae3b7-88aa-48b3-86ca-6a5d8b5309a7 which can be used as unique global reference for HARDRAIN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0246
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Havij

Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. [Check Point Havij Analysis]

Internal MISP references

UUID 8bd36306-bd4b-4a76-8842-44acb0cedbcc which can be used as unique global reference for Havij in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0224
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

HAWKBALL

HAWKBALL is a backdoor that was observed in targeting of the government sector in Central Asia.[FireEye HAWKBALL Jun 2019]

Internal MISP references

UUID 392c5a32-53b5-4ce8-a946-226cb533cc4e which can be used as unique global reference for HAWKBALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0391
source MITRE
type ['malware']

hcdLoader

hcdLoader is a remote access tool (RAT) that has been used by APT18. [Dell Lateral Movement]

Internal MISP references

UUID a7ffe1bd-45ca-4ca4-94da-3b6c583a868d which can be used as unique global reference for hcdLoader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0071
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HDoor

HDoor is malware that has been customized and used by the Naikon group. [Baumgartner Naikon 2015]

Internal MISP references

UUID f155b6f9-258d-4446-8867-fe5ee26d8c72 which can be used as unique global reference for HDoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0061
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HELLOKITTY

HELLOKITTY is a ransomware written in C++ that shares similar code structure and functionality with DEATHRANSOM and FIVEHANDS. HELLOKITTY has been used since at least 2020, targets have included a Polish video game developer and a Brazilian electric power company.[FireEye FiveHands April 2021]

Internal MISP references

UUID 813a4ca1-84fe-42dc-89de-5873d028f98d which can be used as unique global reference for HELLOKITTY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0617
source MITRE
tags ['4ac8dcde-2665-4066-9ad9-b5572d5f0d28', '3535caad-a155-4996-b986-70bc3cd5ce1e', 'f1ad9eba-f4fd-4aec-92c0-833ac14d741b', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Helminth

Helminth is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via a macros in Excel spreadsheets, and one that is a standalone Windows executable. [Palo Alto OilRig May 2016]

Internal MISP references

UUID d6560c81-1e7e-4d01-9814-4be4fb43e655 which can be used as unique global reference for Helminth in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0170
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

HermeticWiper

HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.[SentinelOne Hermetic Wiper February 2022][Symantec Ukraine Wipers February 2022][Crowdstrike DriveSlayer February 2022][ESET Hermetic Wiper February 2022][Qualys Hermetic Wiper March 2022]

Internal MISP references

UUID f0456f14-4913-4861-b4ad-5e7f3960040e which can be used as unique global reference for HermeticWiper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0697
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']

HermeticWizard

HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations in Ukraine since at least 2022.[ESET Hermetic Wizard March 2022]

Internal MISP references

UUID 36ddc8cd-8f80-489e-a702-c682936b5393 which can be used as unique global reference for HermeticWizard in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0698
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']

Heyoka Backdoor

Heyoka Backdoor is a custom backdoor--based on the Heyoka open source exfiltration tool--that has been used by Aoqin Dragon since at least 2013.[SentinelOne Aoqin Dragon June 2022][Sourceforge Heyoka 2022]

Internal MISP references

UUID 1841a6e8-6c23-46a1-9c81-783746083764 which can be used as unique global reference for Heyoka Backdoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1027
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Hh

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used for processing chm files in Windows

Author: Oddvar Moe

Paths: * C:\Windows\hh.exe * C:\Windows\SysWOW64\hh.exe

Resources: * https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/

Detection: * Sigma: proc_creation_win_hh_chm_execution.yml * Sigma: proc_creation_win_hh_html_help_susp_child_process.yml * Elastic: execution_via_compiled_html_file.toml * Elastic: execution_html_help_executable_program_connecting_to_the_internet.toml * Splunk: detect_html_help_spawn_child_process.yml * Splunk: detect_html_help_url_in_command_line.yml[Hh.exe - LOLBAS Project]

Internal MISP references

UUID 5a0d0b83-5a10-425c-98f7-6cb8eb76fda4 which can be used as unique global reference for Hh in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5114
source Tidal Cyber
tags ['7d028d1e-7a95-47f0-9367-55517f9ef170', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

HiddenWasp

HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.[Intezer HiddenWasp Map 2019]

Internal MISP references

UUID ec02fb9c-bf9f-404d-bc54-819f2b3fb040 which can be used as unique global reference for HiddenWasp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0394
source MITRE
type ['malware']

HIDEDRV

HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware. [ESET Sednit Part 3] [Sekoia HideDRV Oct 2016]

Internal MISP references

UUID ce1af464-0b14-4fe9-8591-a6fe58aa96c7 which can be used as unique global reference for HIDEDRV in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0135
source MITRE
tags ['1efd43ee-5752-49f2-99fe-e3441f126b00']
type ['malware']
Related clusters

To see the related clusters, click here.

Hikit

Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.[Novetta-Axiom][FireEye Hikit Rootkit]

Internal MISP references

UUID 8046c80c-4339-4cfb-8bfd-464801db2bfe which can be used as unique global reference for Hikit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0009
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Hildegard

Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard. [Unit 42 Hildegard Malware]

Internal MISP references

UUID 7ef8cd3a-33cf-43bb-a3b8-a78fc844ce0c which can be used as unique global reference for Hildegard in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux', 'IaaS']
software_attack_id S0601
source MITRE
tags ['4fa6f8e1-b0d5-4169-8038-33e355c08bde', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e']
type ['malware']
Related clusters

To see the related clusters, click here.

Hi-Zor

Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION. [Fidelis Hi-Zor]

Internal MISP references

UUID 286184d9-f28a-4d5a-a9dd-2216b3c47809 which can be used as unique global reference for Hi-Zor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0087
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

HOMEFRY

HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other Leviathan backdoors. [FireEye Periscope March 2018]

Internal MISP references

UUID 16db13f2-f350-4323-96cb-c5f4ac36c3e0 which can be used as unique global reference for HOMEFRY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0232
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HOPLIGHT

HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.[US-CERT HOPLIGHT Apr 2019]

Internal MISP references

UUID 4d94594c-2224-46ca-8bc3-28b12ed139f9 which can be used as unique global reference for HOPLIGHT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0376
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HotCroissant

HotCroissant is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.[US-CERT HOTCROISSANT February 2020] HotCroissant shares numerous code similarities with Rifdoor.[Carbon Black HotCroissant April 2020]

Internal MISP references

UUID a00e7fcc-b4e8-4f64-83d2-f9db64f0f3fe which can be used as unique global reference for HotCroissant in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0431
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HTRAN

HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. [Operation Quantum Entanglement][NCSC Joint Report Public Tools]

Internal MISP references

UUID b98d9fe7-9aa3-409a-bf5c-eadb01bac948 which can be used as unique global reference for HTRAN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0040
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['tool']
Related clusters

To see the related clusters, click here.

HTTPBrowser

HTTPBrowser is malware that has been used by several threat groups. [ThreatStream Evasion Analysis] [Dell TG-3390] It is believed to be of Chinese origin. [ThreatConnect Anthem]

Internal MISP references

UUID c4fe23f7-f18c-40f6-b431-0b104b497eaa which can be used as unique global reference for HTTPBrowser in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0070
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

httpclient

httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. [CrowdStrike Putter Panda]

Internal MISP references

UUID bf19eba4-7ea1-4c24-95c6-6bcfb44f4c49 which can be used as unique global reference for httpclient in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0068
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HUI Loader

HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups including Cinnamon Tempest and menuPass to deploy malware on compromised hosts. HUI Loader has been observed in campaigns loading SodaMaster, PlugX, Cobalt Strike, Komplex, and several strains of ransomware.[SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022]

Internal MISP references

UUID 2df88e4e-5a89-5535-ae1a-4c68b19d9078 which can be used as unique global reference for HUI Loader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1097
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Hydraq

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.[MicroFocus 9002 Aug 2016][Symantec Elderwood Sept 2012][Symantec Trojan.Hydraq Jan 2010][ASERT Seven Pointed Dagger Aug 2015][FireEye DeputyDog 9002 November 2013][ProofPoint GoT 9002 Aug 2017][FireEye Sunshop Campaign May 2013][PaloAlto 3102 Sept 2015]

Internal MISP references

UUID 4ffbca79-358a-4ba5-bfbb-dc1694c45646 which can be used as unique global reference for Hydraq in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0203
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

HyperBro

HyperBro is a custom in-memory backdoor used by Threat Group-3390.[Unit42 Emissary Panda May 2019][Securelist LuckyMouse June 2018][Hacker News LuckyMouse June 2018]

Internal MISP references

UUID 57cec527-26fb-44a1-b1a9-506a3af2c9f2 which can be used as unique global reference for HyperBro in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0398
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

HyperStack

HyperStack is a RPC-based backdoor used by Turla since at least 2018. HyperStack has similarities to other backdoors used by Turla including Carbon.[Accenture HyperStack October 2020]

Internal MISP references

UUID ba3236e9-c86b-4b5d-89ed-7f71940a0588 which can be used as unique global reference for HyperStack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0537
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

IceApple

IceApple is a modular Internet Information Services (IIS) post-exploitation framework, that has been used since at least 2021 against the technology, academic, and government sectors.[CrowdStrike IceApple May 2022]

Internal MISP references

UUID 5a73defd-6a1a-4132-8427-cec649e8267a which can be used as unique global reference for IceApple in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1022
source MITRE
type ['malware']

IcedID

IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.[IBM IcedID November 2017][Juniper IcedID June 2020]

Internal MISP references

UUID 7f59bb7c-5fa9-497d-9d8e-ba9349fd9433 which can be used as unique global reference for IcedID in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0483
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Ie4uinit

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Executes commands from a specially prepared ie4uinit.inf file.

Author: Oddvar Moe

Paths: * c:\windows\system32\ie4uinit.exe * c:\windows\sysWOW64\ie4uinit.exe * c:\windows\system32\ieuinit.inf * c:\windows\sysWOW64\ieuinit.inf

Resources: * https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/

Detection: * IOC: ie4uinit.exe copied outside of %windir% * IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir% * Sigma: proc_creation_win_lolbin_ie4uinit.yml[Ie4uinit.exe - LOLBAS Project]

Internal MISP references

UUID 332e37c0-63fe-4e99-85a9-94210d42c21d which can be used as unique global reference for Ie4uinit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5116
source Tidal Cyber
tags ['f32f1513-7277-4257-9c35-c8ab3da17c84', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Ieadvpack

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.

Author: LOLBAS Team

Paths: * c:\windows\system32\ieadvpack.dll * c:\windows\syswow64\ieadvpack.dll

Resources: * https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ * https://twitter.com/pabraeken/status/991695411902599168 * https://twitter.com/0rbz_/status/974472392012689408

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml * Splunk: detect_rundll32_application_control_bypass___advpack.yml[Ieadvpack.dll - LOLBAS Project]

Internal MISP references

UUID e1aa3cbd-2337-47d6-b6b0-beb5d1bbfc1e which can be used as unique global reference for Ieadvpack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5190
source Tidal Cyber
tags ['e794994d-c38a-44d9-9253-53191ca9e56b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

iediagcmd

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Diagnostics Utility for Internet Explorer

Author: manasmbellani

Paths: * C:\Program Files\Internet Explorer\iediagcmd.exe

Resources: * https://twitter.com/Hexacorn/status/1507516393859731456

Detection: * Sigma: https://github.com/manasmbellani/mycode_public/blob/master/sigma/rules/win_proc_creation_lolbin_iediagcmd.yml * IOC: Sysmon Event ID 1 * IOC: Execution of process iediagcmd.exe with /out could be suspicious[iediagcmd.exe - LOLBAS Project]

Internal MISP references

UUID 1feba268-9fff-495f-94e9-5b46336bff3b which can be used as unique global reference for iediagcmd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5117
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Ieexec

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.

Author: Oddvar Moe

Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe

Resources: * https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/

Detection: * Sigma: proc_creation_win_lolbin_ieexec_download.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_misc_lolbin_connecting_to_the_internet.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * IOC: Network connections originating from ieexec.exe may be suspicious[Ieexec.exe - LOLBAS Project]

Internal MISP references

UUID e7ede205-4d50-42c3-92d0-4988aca5c4a1 which can be used as unique global reference for Ieexec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5118
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Ieframe

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Internet Browser DLL for translating HTML code.

Author: LOLBAS Team

Paths: * c:\windows\system32\ieframe.dll * c:\windows\syswow64\ieframe.dll

Resources: * http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ * https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ * https://twitter.com/bohops/status/997690405092290561 * https://windows10dll.nirsoft.net/ieframe_dll.html

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Ieframe.dll - LOLBAS Project]

Internal MISP references

UUID 57072f02-06c1-4267-b665-fbbf72b96bb4 which can be used as unique global reference for Ieframe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5191
source Tidal Cyber
tags ['fc23fb85-8c48-4f0b-aeb6-b78fd6e25e0a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ifconfig

ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. [Wikipedia Ifconfig]

Internal MISP references

UUID 93ab16d1-625e-4b1c-bb28-28974c269c47 which can be used as unique global reference for ifconfig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0101
source MITRE
type ['tool']

iKitten

iKitten is a macOS exfiltration agent [objsee mac malware 2017].

Internal MISP references

UUID 71098f6e-a2c0-434f-b991-6c079fd3e82d which can be used as unique global reference for iKitten in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0278
source MITRE
type ['malware']

Ilasm

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: used for compile c# code into dll or exe.

Author: Hai vaknin (lux)

Paths: * C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe

Resources: * https://github.com/LuxNoBulIshit/BeforeCompileBy-ilasm/blob/master/hello_world.txt

Detection: * IOC: Ilasm may not be used often in production environments (such as on endpoints) * Sigma: proc_creation_win_lolbin_ilasm.yml[Ilasm.exe - LOLBAS Project]

Internal MISP references

UUID 492104c0-79d6-461e-9dc5-0e4bfd3f2387 which can be used as unique global reference for Ilasm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5119
source Tidal Cyber
tags ['8bcce456-e1dc-4dd0-99a9-8334fd6f2847', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

IMAPLoader

IMAPLoader is a .NET downloader that uses email-based channels for command and control communication. It is believed to be developed and used by Yellow Liderc a threat actor group based in Iran and aligned with the Iranian Islamic Revolutionary Guard Corp (IRGC). IMAPLoader is delivered via drive-by compromises and phishing attacks.[PwC Yellow Liderc October 25 2023]

Internal MISP references

UUID 0832ffda-240a-4455-a53b-71b2683bea09 which can be used as unique global reference for IMAPLoader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5308
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

IMEWDBLD

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft IME Open Extended Dictionary Module

Author: Wade Hickey

Paths: * C:\Windows\System32\IME\SHARED\IMEWDBLD.exe

Resources: * https://twitter.com/notwhickey/status/1367493406835040265

Detection: * Sigma: net_connection_win_imewdbld.yml[IMEWDBLD.exe - LOLBAS Project]

Internal MISP references

UUID 2ef7c673-a0dc-4773-a9fd-337ed68d9b0b which can be used as unique global reference for IMEWDBLD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5115
source Tidal Cyber
tags ['796962fe-56d7-4816-9193-153da0be7c10', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Imminent Monitor

Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.[Imminent Unit42 Dec2019]

Internal MISP references

UUID 925fc0db-9315-4703-9353-1d0e9ecb1439 which can be used as unique global reference for Imminent Monitor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0434
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['tool']
Related clusters

To see the related clusters, click here.

Impacket

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[Impacket Tools]

Internal MISP references

UUID cf2c5666-e8ad-49c1-ac8f-30ed65f9e52c which can be used as unique global reference for Impacket in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0357
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '6a80006a-ff1c-48e8-bb6f-d109d7b7a2fc', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '4d767e87-4cf6-438a-927a-43d2d0beaab7', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Industroyer

Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[ESET Industroyer] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[Dragos Crashoverride 2017] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[Dragos Crashoverride 2018]

Internal MISP references

UUID 09398a7c-aee5-44af-b99d-f73d3b39c299 which can be used as unique global reference for Industroyer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0604
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '37dff778-95a6-4e51-a26a-1d399ef713be']
type ['malware']
Related clusters

To see the related clusters, click here.

Industroyer2

Industroyer2 is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in Industroyer. Security researchers assess that Industroyer2 was designed to cause impact to high-voltage electrical substations. The initial Industroyer2 sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.[Industroyer2 Blackhat ESET]

Internal MISP references

UUID 53c5fb76-a690-55c3-9e02-39577990da2a which can be used as unique global reference for Industroyer2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S1072
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '37dff778-95a6-4e51-a26a-1d399ef713be']
type ['malware']
Related clusters

To see the related clusters, click here.

Infdefaultinstall

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used to perform installation based on content inside inf files

Author: Oddvar Moe

Paths: * C:\Windows\System32\Infdefaultinstall.exe * C:\Windows\SysWOW64\Infdefaultinstall.exe

Resources: * https://twitter.com/KyleHanslovan/status/911997635455852544 * https://blog.conscioushacker.io/index.php/2017/10/25/evading-microsofts-autoruns/ * https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/

Detection: * Sigma: proc_creation_win_infdefaultinstall_execute_sct_scripts.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[Infdefaultinstall.exe - LOLBAS Project]

Internal MISP references

UUID e35b5513-4370-4f8c-b3a6-1f64c65f1e85 which can be used as unique global reference for Infdefaultinstall in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5120
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

InnaputRAT

InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016. [ASERT InnaputRAT April 2018]

Internal MISP references

UUID e42bf572-1e70-4467-a4b7-5e22c776c758 which can be used as unique global reference for InnaputRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0259
source MITRE
type ['malware']

Installutil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies

Author: Oddvar Moe

Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Resources: * https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ * https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md * https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/ * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool

Detection: * Sigma: proc_creation_win_instalutil_no_log_execution.yml * Sigma: proc_creation_win_lolbin_installutil_download.yml * Elastic: defense_evasion_installutil_beacon.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml[LOLBAS Installutil]

Internal MISP references

UUID c983bb77-b96c-44d5-b3f8-2540d7c604db which can be used as unique global reference for Installutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5121
source Tidal Cyber
tags ['a3f84674-3813-4993-9e34-39cdaa19cbd1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Interactsh

According to joint Cybersecurity Advisory AA23-250A (September 2023), Interactsh is "an open-source tool for detecting external interactions (communication)". The Advisory further states that the tool is "used to detect callbacks from target systems for specified vulnerabilities and commonly used during the reconnaissance stages of adversary activity".[U.S. CISA Zoho Exploits September 7 2023]

Internal MISP references

UUID 9ec3777d-9a36-4822-a3e2-a7ce5d296309 which can be used as unique global reference for Interactsh in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5049
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee']
type ['tool']

Inveigh

Inveigh is an open-source utility. According to its GitHub project page, it is a "machine-in-the-middle" tool designed for penetration testing purposes.[GitHub Inveigh]

Internal MISP references

UUID 5658f260-8e96-4fa5-9863-189660048e5d which can be used as unique global reference for Inveigh in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5272
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']

InvisiMole

InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.[ESET InvisiMole June 2018][ESET InvisiMole June 2020]

Internal MISP references

UUID 3ee4c49d-2f2c-4677-b193-69f16f2851a4 which can be used as unique global reference for InvisiMole in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0260
source MITRE
type ['malware']

Invoke-PSImage

Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. [GitHub Invoke-PSImage]

Internal MISP references

UUID 2200a647-3312-44c0-9691-4a26153febbb which can be used as unique global reference for Invoke-PSImage in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0231
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

IOBit

IOBit is a self-described "freeware" tool that can ostensibly be used to "clean, optimize, speed up and secure" personal computers. According to U.S. cybersecurity authorities, IOBit has been used by adversaries, such as ransomware actors, as part of their operations, for example to disable anti-virus software.[U.S. CISA Play Ransomware December 2023]

Internal MISP references

UUID 9c955014-2d83-4b5b-9127-cfc49e86779f which can be used as unique global reference for IOBit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5080
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

ipconfig

ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. [TechNet Ipconfig]

Internal MISP references

UUID 4f519002-0576-4f8e-8add-73ebac9a86e6 which can be used as unique global reference for ipconfig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0100
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

IronNetInjector

IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.[Unit 42 IronNetInjector February 2021 ]

Internal MISP references

UUID 9ca96281-8ff9-4619-a79d-16c5a9594eae which can be used as unique global reference for IronNetInjector in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0581
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['tool']
Related clusters

To see the related clusters, click here.

ISMInjector

ISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent. [OilRig New Delivery Oct 2017]

Internal MISP references

UUID 752ab0fc-7fa1-4e54-bd9a-7a280a38ed77 which can be used as unique global reference for ISMInjector in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0189
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Ixeshe

Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia. [Moran 2013]

Internal MISP references

UUID 6dbf31cf-0ba0-48b4-be82-38889450845c which can be used as unique global reference for Ixeshe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0015
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Jaguar Tooth

Jaguar Tooth is a malicious software bundle consisting of a series of payloads and patches. Russia-backed APT28 used Jaguar Tooth during a series of compromises involving vulnerable Cisco routers belonging to U.S., Ukrainian, and other entities in 2021.[U.S. CISA APT28 Cisco Routers April 18 2023]

According to an April 2023 UK National Cyber Security Centre technical report on Jaguar Tooth, the malware is deployed and executed via exploitation of CVE-2017-6742, a Simple Network Management Protocol (SNMP) vulnerability for which Cisco released a patch in 2017. Jaguar Tooth deployments allowed actors to collect further device information via execution of Cisco IOS Command Line Interface commands, discover other network devices, and achieve unauthenticated backdoor access to victim systems.[UK NCSC Jaguar Tooth April 18 2023]

Related Vulnerabilities: CVE-2017-6742[U.S. CISA APT28 Cisco Routers April 18 2023]

Internal MISP references

UUID 0eb47e25-56ec-42ba-9850-e50450b853e0 which can be used as unique global reference for Jaguar Tooth in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Network']
software_attack_id S5061
source Tidal Cyber
tags ['b20e7912-6a8d-46e3-8e13-9a3fc4813852', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '15787198-6c8b-4f79-bf50-258d55072fee', 'f01290d9-7160-44cb-949f-ee4947d04b6f', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['malware']
Related clusters

To see the related clusters, click here.

Janicab

Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it. [Janicab]

Internal MISP references

UUID a4debf1f-8a37-4c89-8ebc-31de71d33f79 which can be used as unique global reference for Janicab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0163
source MITRE
type ['malware']

Javali

Javali is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.[Securelist Brazilian Banking Malware July 2020]

Internal MISP references

UUID 853d3d18-d746-4650-a9bd-c36a0e86dd02 which can be used as unique global reference for Javali in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0528
source MITRE
type ['malware']

JCry

JCry is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.[Carbon Black JCry May 2019]

Internal MISP references

UUID 41ec0bbc-65ca-4913-a763-1638215d7b2f which can be used as unique global reference for JCry in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0389
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

JHUHUGIT

JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. [Kaspersky Sofacy] [F-Secure Sofacy 2015] [ESET Sednit Part 1] [FireEye APT28 January 2017]

Internal MISP references

UUID d50ef3fc-7d1c-4a82-b1cf-2319d83da3ae which can be used as unique global reference for JHUHUGIT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0044
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

JPIN

JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. [Microsoft PLATINUM April 2016]

Internal MISP references

UUID c96fce69-6b9c-4bbc-bb42-f6a8fb6eb88f which can be used as unique global reference for JPIN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0201
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

jRAT

jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.[Kaspersky Adwind Feb 2016] [jRAT Symantec Aug 2018]

Internal MISP references

UUID 42fe9795-5cf6-4ad7-b56e-2aa655377992 which can be used as unique global reference for jRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Android', 'Windows']
software_attack_id S0283
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']
Related clusters

To see the related clusters, click here.

Jsc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary file used by .NET to compile JavaScript code to .exe or .dll format

Author: Oddvar Moe

Paths: * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Jsc.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Jsc.exe * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Jsc.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Jsc.exe

Resources: * https://twitter.com/DissectMalware/status/998797808907046913 * https://www.phpied.com/make-your-javascript-a-windows-exe/

Detection: * Sigma: proc_creation_win_lolbin_jsc.yml * IOC: Jsc.exe should normally not run a system unless it is used for development.[Jsc.exe - LOLBAS Project]

Internal MISP references

UUID 1c67bf0b-22f8-4f57-8f91-f15b4923455f which can be used as unique global reference for Jsc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5122
source Tidal Cyber
tags ['ee16a0c7-b3cf-4303-9681-b3076da9bff0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

JSS Loader

JSS Loader is Remote Access Trojan (RAT) with .NET and C++ variants that has been used by FIN7 since at least 2020.[eSentire FIN7 July 2021][CrowdStrike Carbon Spider August 2021]

Internal MISP references

UUID c67f3029-a26c-4752-b7f1-8e3369c2f79d which can be used as unique global reference for JSS Loader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0648
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Juicy Potato

Juicy Potato is an open-source software project that, according to its GitHub page, can be used for privilege escalation purposes.[GitHub ohpe Juicy Potato]

Internal MISP references

UUID 57e9c32b-a1fa-45bc-9a57-098834a2c356 which can be used as unique global reference for Juicy Potato in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5303
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

KARAE

KARAE is a backdoor typically used by APT37 as first-stage malware. [FireEye APT37 Feb 2018]

Internal MISP references

UUID ca883d21-97ca-420d-a66b-ef19a8355467 which can be used as unique global reference for KARAE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0215
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Kasidet

Kasidet is a backdoor that has been dropped by using malicious VBA macros. [Zscaler Kasidet]

Internal MISP references

UUID 1896b9c9-a93e-4220-b4c2-6c4c9c5ca297 which can be used as unique global reference for Kasidet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0088
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Kazuar

Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. [Unit 42 Kazuar May 2017]

Internal MISP references

UUID e93990a0-4841-4867-8b74-ac2806d787bf which can be used as unique global reference for Kazuar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Windows']
software_attack_id S0265
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Kerrdown

Kerrdown is a custom downloader that has been used by APT32 since at least 2018 to install spyware from a server on the victim's network.[Amnesty Intl. Ocean Lotus February 2021][Unit 42 KerrDown February 2019]

Internal MISP references

UUID 17c28e46-1005-4737-8567-d4ad9f1aefd1 which can be used as unique global reference for Kerrdown in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0585
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Kessel

Kessel is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. Kessel has been active since its C2 domain began resolving in August 2018.[ESET ForSSHe December 2018]

Internal MISP references

UUID 32f1e0d3-753f-4b51-aec5-cfaa393cedc3 which can be used as unique global reference for Kessel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0487
source MITRE
type ['malware']

Kevin

Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including in operations against organizations in Tunisia.[Kaspersky Lyceum October 2021]

Internal MISP references

UUID b9730d7c-aa57-4d6f-9125-57dcb65b02e0 which can be used as unique global reference for Kevin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1020
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

KeyBoy

KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.[CitizenLab KeyBoy Nov 2016][PWC KeyBoys Feb 2017]

Internal MISP references

UUID 6ec39371-d50b-43b6-937c-52de00491eab which can be used as unique global reference for KeyBoy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0387
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Keydnap

This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor [OSX Keydnap malware].

Internal MISP references

UUID aefbe6ff-7ce4-479e-916d-e8f0259d81f6 which can be used as unique global reference for Keydnap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0276
source MITRE
type ['malware']

KEYMARBLE

KEYMARBLE is a Trojan that has reportedly been used by the North Korean government. [US-CERT KEYMARBLE Aug 2018]

Internal MISP references

UUID a644f61e-6a9b-41ab-beca-72518351c27f which can be used as unique global reference for KEYMARBLE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0271
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

KEYPLUG

KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by APT41 since at least June 2021.[Mandiant APT41]

Internal MISP references

UUID ba9e56b9-7904-5ec8-bb39-7f82f7b2e89a which can be used as unique global reference for KEYPLUG in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S1051
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

KGH_SPY

KGH_SPY is a modular suite of tools used by Kimsuky for reconnaissance, information stealing, and backdoor capabilities. KGH_SPY derived its name from PDB paths and internal names found in samples containing "KGH".[Cybereason Kimsuky November 2020]

Internal MISP references

UUID c1e1ab6a-d5ce-4520-98c5-c6df41005fd9 which can be used as unique global reference for KGH_SPY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0526
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

KillDisk

KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[KillDisk Ransomware][ESEST Black Energy Jan 2016][Trend Micro KillDisk 1][Trend Micro KillDisk 2]

Internal MISP references

UUID b5532e91-d267-4819-a05d-8c5358995add which can be used as unique global reference for KillDisk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0607
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Kinsing

Kinsing is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. [Aqua Kinsing April 2020][Sysdig Kinsing November 2020][Aqua Security Cloud Native Threat Report June 2021]

Internal MISP references

UUID 7b4f157c-4b34-4f55-9c20-ff787495e9ba which can be used as unique global reference for Kinsing in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Containers']
software_attack_id S0599
source MITRE
tags ['efa33611-88a5-40ba-9bc4-3d85c6c8819b', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e']
type ['malware']

Kivars

Kivars is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by BlackTech in a 2010 campaign.[TrendMicro BlackTech June 2017]

Internal MISP references

UUID 673ed346-9562-4997-80b2-e701b1a99a58 which can be used as unique global reference for Kivars in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0437
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Koadic

Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.[Github Koadic][Palo Alto Sofacy 06-2018][MalwareBytes LazyScripter Feb 2021]

Internal MISP references

UUID 5e981594-d00a-4c7f-8ed0-3d4a60cc3fcd which can be used as unique global reference for Koadic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0250
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Kobalos

Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late 2019.[ESET Kobalos Feb 2021][ESET Kobalos Jan 2021]

Internal MISP references

UUID bf918663-90bd-489e-91e7-6951a18a25fd which can be used as unique global reference for Kobalos in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0641
source MITRE
type ['malware']

KOCTOPUS

KOCTOPUS's batch variant is loader used by LazyScripter since 2018 to launch Octopus and Koadic and, in some cases, QuasarRAT. KOCTOPUS also has a VBA variant that has the same functionality as the batch version.[MalwareBytes LazyScripter Feb 2021]

Internal MISP references

UUID 3e13d07d-d9e1-4456-bec3-b2375e404753 which can be used as unique global reference for KOCTOPUS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0669
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Komplex

Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX [XAgentOSX 2017] [Sofacy Komplex Trojan].

Internal MISP references

UUID 2cf1be0d-2fba-4fd0-ab2f-3695716d1735 which can be used as unique global reference for Komplex in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0162
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

KOMPROGO

KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management. [FireEye APT32 May 2017]

Internal MISP references

UUID 3067f148-2e2b-4aac-9652-59823b3ad4f1 which can be used as unique global reference for KOMPROGO in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0156
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

KONNI

KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.[Talos Konni May 2017][Unit 42 NOKKI Sept 2018][Unit 42 Nokki Oct 2018][Medium KONNI Jan 2020][Malwarebytes Konni Aug 2021]

Internal MISP references

UUID d381de2a-30cb-4d50-bbce-fd1e489c4889 which can be used as unique global reference for KONNI in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0356
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

KOPILUWAK

KOPILUWAK is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.[Mandiant Suspected Turla Campaign February 2023]

Internal MISP references

UUID d09c4459-1aa3-547d-99f4-7ac73b8043f0 which can be used as unique global reference for KOPILUWAK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1075
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Kwampirs

Kwampirs is a backdoor Trojan used by Orangeworm. Kwampirs has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.[Symantec Orangeworm April 2018] Kwampirs has multiple technical overlaps with Shamoon based on reverse engineering analysis.[Cylera Kwampirs 2022]

Internal MISP references

UUID 35ac4018-8506-4025-a9e3-bd017700b3b3 which can be used as unique global reference for Kwampirs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0236
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Launch-VsDevShell

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet

Author: Nasreddine Bencherchali

Paths: * C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\Tools\Launch-VsDevShell.ps1 * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\Launch-VsDevShell.ps1

Resources: * https://twitter.com/nas_bench/status/1535981653239255040

Detection: * Sigma: proc_creation_win_lolbin_launch_vsdevshell.yml[Launch-VsDevShell.ps1 - LOLBAS Project]

Internal MISP references

UUID 288b2ab2-255a-457a-a6eb-02ee4711d6b8 which can be used as unique global reference for Launch-VsDevShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5258
source Tidal Cyber
tags ['5be0da70-9249-44fa-8c3b-7394ef26b2e0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

LaZagne

LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.[GitHub LaZagne Dec 2018]

Internal MISP references

UUID f5558af4-e3e2-47c2-b8fe-72850bd30f37 which can be used as unique global reference for LaZagne in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0349
source MITRE
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '26c5dec7-3184-4873-ae20-9558a498a27f', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['tool']
Related clusters

To see the related clusters, click here.

Ldifde

Ldifde is a Windows command-line tool that is used to create, modify, and delete directory objects. Ldifde can also be used to "extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services".[Ldifde Microsoft]

Internal MISP references

UUID d0ff555f-ba74-457c-b6e4-02962c230b60 which can be used as unique global reference for Ldifde in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5017
source Tidal Cyber
tags ['cea43301-9f7a-46a5-be3a-3a09f0f3c09e', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

LEMURLOOT

LEMURLOOT is a web shell written in C# that was used by threat actors after exploiting a MOVEit file transfer software vulnerability (CVE-2023-34362) during a campaign beginning in late May 2023. The malware supports staging and exfiltration of compressed victim data, including files and folders stored on vulnerable MOVEit servers.[Mandiant MOVEit Transfer June 2 2023]

Related Vulnerabilities: CVE-2023-34362[U.S. CISA CL0P CVE-2023-34362 Exploitation][Mandiant MOVEit Transfer June 2 2023]

Internal MISP references

UUID d5d79a51-3756-40de-81cd-4dac172fbb74 which can be used as unique global reference for LEMURLOOT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5020
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '173e1480-8d9b-49c5-854d-594dde9740d6', '311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

Level

According to joint Cybersecurity Advisory AA23-320A (November 2023), Level is a publicly available, legitimate tool that "enables remote monitoring and management of systems". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[U.S. CISA Scattered Spider November 16 2023]

Internal MISP references

UUID bce485ad-7d4f-45b6-b3c1-218f2f757611 which can be used as unique global reference for Level in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5067
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

LightNeuron

LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.[ESET LightNeuron May 2019]

Internal MISP references

UUID c9d2f023-d54b-4d08-9598-a42fb92b3161 which can be used as unique global reference for LightNeuron in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0395
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

LIGHTWIRE

LIGHTWIRE is a web shell written in Perl that was used during Cutting Edge to maintain access and enable command execution by imbedding into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.[Mandiant Cutting Edge Part 2 January 2024][Mandiant Cutting Edge January 2024]

Internal MISP references

UUID 1b3af76f-f9a1-58ce-8c7d-aec535f8d0c0 which can be used as unique global reference for LIGHTWIRE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1119
source MITRE
type ['malware']

Ligolo

Ligolo is a tool used to establish SOCKS5 or TCP tunnels from a reverse connection.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 3113cb05-23b4-4f90-ab7a-623b800302ce which can be used as unique global reference for Ligolo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5034
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Line Dancer

Line Dancer is one of the two key tools used during the ArcaneDoor network device intrusions, serving as an in-memory implant used to upload capabilities permitting arbitrary code execution and persistence (Line Runner).[Cisco Talos ArcaneDoor April 24 2024]

Internal MISP references

UUID 80412b83-74e4-4bea-b05b-84b00f41db69 which can be used as unique global reference for Line Dancer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Network']
software_attack_id S5284
source Tidal Cyber
tags ['a159c91c-5258-49ea-af7d-e803008d97d3', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '15787198-6c8b-4f79-bf50-258d55072fee', '6bb2f579-a5cd-4647-9dcd-eff05efe3679', '9768aada-9d63-4d46-ab9f-d41b8c8e4010', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3']
type ['malware']

Line Runner

Line Runner is one of the two key tools (along with Line Dancer) used during the ArcaneDoor network device intrusion. Line Runner is used to maintain persistence and execute commands on compromised devices.[Cisco Talos ArcaneDoor April 24 2024]

Internal MISP references

UUID 60bb6282-9eb8-4640-9d79-69c0c8ee0e0b which can be used as unique global reference for Line Runner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Network']
software_attack_id S5285
source Tidal Cyber
tags ['a159c91c-5258-49ea-af7d-e803008d97d3', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '15787198-6c8b-4f79-bf50-258d55072fee', 'c25f341a-7030-4688-a00b-6d637298e52e', '9768aada-9d63-4d46-ab9f-d41b8c8e4010', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3', '2e85babc-77cd-4455-9c6e-312223a956de']
type ['malware']

Linfo

Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Linfo May 2012]

Internal MISP references

UUID 925975f8-e8ff-411f-a40e-f799968046f7 which can be used as unique global reference for Linfo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0211
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Linux Rabbit

Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.[Anomali Linux Rabbit 2018]

Internal MISP references

UUID d017e133-fce9-4982-a2df-6867a80089e7 which can be used as unique global reference for Linux Rabbit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0362
source MITRE
tags ['b20e7912-6a8d-46e3-8e13-9a3fc4813852', '70dc52b0-f317-4134-8a42-71aea1443707']
type ['malware']

LiteDuke

LiteDuke is a third stage backdoor that was used by APT29, primarily in 2014-2015. LiteDuke used the same dropper as PolyglotDuke, and was found on machines also compromised by MiniDuke.[ESET Dukes October 2019]

Internal MISP references

UUID 71e4028c-9ca1-45ce-bc44-98209ae9f6bd which can be used as unique global reference for LiteDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0513
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

LitePower

LitePower is a downloader and second stage malware that has been used by WIRTE since at least 2021.[Kaspersky WIRTE November 2021]

Internal MISP references

UUID cc568409-71ff-468b-9c38-d0dd9020e409 which can be used as unique global reference for LitePower in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0680
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

LITTLELAMB.WOOLTEA

LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.[Mandiant Cutting Edge Part 3 February 2024]

Internal MISP references

UUID c9c5e7ad-6e95-5d53-b4db-f6b51c7167ca which can be used as unique global reference for LITTLELAMB.WOOLTEA in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1121
source MITRE
type ['malware']

Lizar

Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities to Carbanak. It has likely been used by FIN7 since at least February 2021.[BiZone Lizar May 2021][Threatpost Lizar May 2021][Gemini FIN7 Oct 2021]

Internal MISP references

UUID 65d46aab-b3ce-4f5b-b1fc-871db2573fa1 which can be used as unique global reference for Lizar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0681
source MITRE
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '992bdd33-4a47-495d-883a-58010a2f0efb', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

LockBit 3.0

Ransomware labeled “LockBit” was first observed in 2020, and since that time, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world.[U.S. CISA Understanding LockBit June 2023]

LockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware’s predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (September 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.[U.S. CISA Understanding LockBit June 2023] According to CISA, LockBit 3.0 (also known as “LockBit Black”) shares code similarities with Blackmatter and BlackCat ransomware and is “more modular and evasive" than previous LockBit strains.[U.S. CISA LockBit 3.0 March 2023]

According to data collected by the ransomwatch project and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (394 associated with LockBit 3.0), the most of any extortion threat that year. Through April 2023, LockBit had claimed 406 victims (all associated with LockBit 3.0), more than double the number of the next threat (Clop, with 179 victims).[GitHub ransomwatch]

Delivered By: Cobalt Strike[Sentinel Labs LockBit 3.0 July 2022], PsExec[NCC Group Research Blog August 19 2022]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/lockbit/

PulseDive (IOCs): https://pulsedive.com/threat/LockBit

Internal MISP references

UUID 08c70ea5-9d4d-4146-826e-c5ebd5490378 which can be used as unique global reference for LockBit 3.0 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5047
source Tidal Cyber
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '5e7433ad-a894-4489-93bc-41e90da90019', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

LockerGoga

LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[Unit42 LockerGoga 2019][CarbonBlack LockerGoga 2019]

Internal MISP references

UUID 65bc8e81-0a08-49f6-9d04-a2d63d512342 which can be used as unique global reference for LockerGoga in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0372
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

LoFiSe

LoFiSe has been used by ToddyCat since at least 2023 to identify and collect files of interest on targeted systems.[Kaspersky ToddyCat Check Logs October 2023]

Internal MISP references

UUID d28c3706-df25-59e2-939f-131abaf8a1eb which can be used as unique global reference for LoFiSe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1101
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

LogMeIn

LogMeIn provides multiple freely available tools that can be used for remote access to systems, including the flagship Rescue tool.[LogMeIn Homepage] Adversary groups, including the Royal ransomware operation and LAPSUS$, have used LogMeIn remote access software for initial access to and persistence within victim networks.[CISA Royal AA23-061A March 2023][CSRB LAPSUS$ July 24 2023]

Internal MISP references

UUID 7b471178-30a1-4c48-bbff-c4d2fdbb35a9 which can be used as unique global reference for LogMeIn in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5073
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

LoJax

LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.[ESET LoJax Sept 2018]

Internal MISP references

UUID 039f34e9-f379-4a24-a53f-b28ba579854c which can be used as unique global reference for LoJax in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0397
source MITRE
tags ['1efd43ee-5752-49f2-99fe-e3441f126b00']
type ['malware']
Related clusters

To see the related clusters, click here.

Lokibot

Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.[Infoblox Lokibot January 2019][Morphisec Lokibot April 2020][CISA Lokibot September 2020]

Internal MISP references

UUID 4fead65c-499d-4f44-8879-2c35b24dac68 which can be used as unique global reference for Lokibot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0447
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

LookBack

LookBack is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using LookBack.[Proofpoint LookBack Malware Aug 2019][Dragos TALONITE][Dragos Threat Report 2020]

Internal MISP references

UUID bfd2a077-5000-4500-82c4-5c85fb98dd5a which can be used as unique global reference for LookBack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0582
source MITRE
type ['malware']

LostMyPassword

LostMyPassword is a tool used to recover passwords from Windows systems.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 41041d5d-0866-4a57-92b7-d075d8b344ad which can be used as unique global reference for LostMyPassword in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5035
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

LoudMiner

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[ESET LoudMiner June 2019]

Internal MISP references

UUID f503535b-406c-4e24-8123-0e22fec995bb which can be used as unique global reference for LoudMiner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Windows']
software_attack_id S0451
source MITRE
tags ['a2e000da-8181-4327-bacd-32013dbd3654']
type ['malware']

LOWBALL

LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations. [FireEye admin@338]

Internal MISP references

UUID fce1117a-e699-4aef-b1fc-04c3967acc33 which can be used as unique global reference for LOWBALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0042
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Lslsass

Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process. [Mandiant APT1]

Internal MISP references

UUID 37a5ae23-3da5-4cbc-a21a-a7ef98a3b7cc which can be used as unique global reference for Lslsass in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0121
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']
Related clusters

To see the related clusters, click here.

Lucifer

Lucifer is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.[Unit 42 Lucifer June 2020]

Internal MISP references

UUID 723d9a27-74fd-4333-a8db-63df2a8b4dd4 which can be used as unique global reference for Lucifer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0532
source MITRE
type ['malware']

Lurid

Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006. [Villeneuve 2014] [Villeneuve 2011]

Internal MISP references

UUID 0cc9e24b-d458-4782-a332-4e4fd68c057b which can be used as unique global reference for Lurid in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0010
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Machete

Machete is a cyber espionage toolset used by Machete. It is a Python-based backdoor targeting Windows machines that was first observed in 2010.[ESET Machete July 2019][Securelist Machete Aug 2014][360 Machete Sep 2020]

Internal MISP references

UUID be8a1630-9562-41ad-a621-65989f961a10 which can be used as unique global reference for Machete in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0409
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

MacMa

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.[ESET DazzleSpy Jan 2022]

Internal MISP references

UUID 7e5a643d-ebfd-4ec6-9fdc-79d6f47fafdb which can be used as unique global reference for MacMa in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S1016
source MITRE
type ['malware']

macOS.OSAMiner

macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.[SentinelLabs reversing run-only applescripts 2021][VMRay OSAMiner dynamic analysis 2021]

Internal MISP references

UUID 74feb557-21bc-40fb-8ab5-45d3af84c380 which can be used as unique global reference for macOS.OSAMiner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S1048
source MITRE
type ['malware']

MacSpy

MacSpy is a malware-as-a-service offered on the darkweb [objsee mac malware 2017].

Internal MISP references

UUID e5e67c67-e658-45b5-850b-044312be4258 which can be used as unique global reference for MacSpy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0282
source MITRE
type ['malware']

Mafalda

Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess the Mafalda name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. [SentinelLabs Metador Sept 2022]

Internal MISP references

UUID 7506616c-b808-54fb-9982-072a0dcf8a04 which can be used as unique global reference for Mafalda in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1060
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

MailSniper

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.[GitHub MailSniper]

Internal MISP references

UUID d762974a-ca7e-45ee-bc1d-f5218bf46c84 which can be used as unique global reference for MailSniper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Office 365', 'Windows', 'Azure AD']
software_attack_id S0413
source MITRE
tags ['15f2277a-a17e-4d85-8acd-480bf84f16b4', 'c9c73000-30a5-4a16-8c8b-79169f9c24aa']
type ['tool']
Related clusters

To see the related clusters, click here.

Makecab

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary to package existing files into a cabinet (.cab) file

Author: Oddvar Moe

Paths: * C:\Windows\System32\makecab.exe * C:\Windows\SysWOW64\makecab.exe

Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection: * Sigma: proc_creation_win_susp_alternate_data_streams.yml * Elastic: defense_evasion_misc_lolbin_connecting_to_the_internet.toml * IOC: Makecab retrieving files from Internet * IOC: Makecab storing data into alternate data streams[Makecab.exe - LOLBAS Project]

Internal MISP references

UUID cf7f05a7-4093-4855-b9d9-b93226056aec which can be used as unique global reference for Makecab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5123
source Tidal Cyber
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Manage-bde

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Script for managing BitLocker

Author: Oddvar Moe

Paths: * C:\Windows\System32\manage-bde.wsf

Resources: * https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712 * https://twitter.com/bohops/status/980659399495741441 * https://twitter.com/JohnLaTwC/status/1223292479270600706

Detection: * Sigma: proc_creation_win_lolbin_manage_bde.yml * IOC: Manage-bde.wsf should not be invoked by a standard user under normal situations[Manage-bde.wsf - LOLBAS Project]

Internal MISP references

UUID 9b6b705e-55ae-4d9e-9c57-baf1358cc324 which can be used as unique global reference for Manage-bde in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5259
source Tidal Cyber
tags ['ff10869f-fed4-4f21-b83a-9939e7381d6e', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

MarkiRAT

MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious Kitten since at least 2015.[Kaspersky Ferocious Kitten Jun 2021]

Internal MISP references

UUID 40806539-1496-4a64-b740-66f6a1467f40 which can be used as unique global reference for MarkiRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0652
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']
Related clusters

To see the related clusters, click here.

MASSCAN

According to its GitHub project page, MASSCAN is an "Internet-scale" TCP port scanner. Its usage is similar to that of the popular nmap scanning tool, but it is designed to be operated at a larger scale.[GitHub masscan]

Internal MISP references

UUID 24862f72-a4e0-4a6b-90d7-2465aa86c402 which can be used as unique global reference for MASSCAN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5282
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Matryoshka

Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. [ClearSky Wilted Tulip July 2017] [CopyKittens Nov 2015]

Internal MISP references

UUID eeb700ea-2819-46f4-936d-f7592f20dedc which can be used as unique global reference for Matryoshka in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0167
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Mavinject

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by App-v in Windows

Author: Oddvar Moe

Paths: * C:\Windows\System32\mavinject.exe * C:\Windows\SysWOW64\mavinject.exe

Resources: * https://twitter.com/gN3mes1s/status/941315826107510784 * https://twitter.com/Hexcorn/status/776122138063409152 * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

Detection: * Sigma: proc_creation_win_lolbin_mavinject_process_injection.yml * IOC: mavinject.exe should not run unless APP-v is in use on the workstation[LOLBAS Mavinject]

Internal MISP references

UUID aa472f81-7673-4545-89f9-1dd43cead4f1 which can be used as unique global reference for Mavinject in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5124
source Tidal Cyber
tags ['724c3509-ad5e-46a3-a72c-6f3807b13793', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Maze

Maze ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, Maze operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.[FireEye Maze May 2020][McAfee Maze March 2020][Sophos Maze VM September 2020]

Internal MISP references

UUID 3c206491-45c0-4ff7-9f40-45f9aae4de64 which can be used as unique global reference for Maze in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0449
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad', '1cc90752-70a3-4a17-b370-e1473a212f79', '286918d5-0b48-4655-9118-907b53de0ee0', 'c5c8f954-1bc0-45d5-9a4f-4385d0a720a1', 'ab64f2d8-8da3-48de-ac66-0fd91d634b22', '5e7433ad-a894-4489-93bc-41e90da90019', 'a2e000da-8181-4327-bacd-32013dbd3654', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

MBR Killer

MBR Killer is a wiper malware observed during a May 2023 data theft and wiper campaign and a 2016 attack on Banco de Chile.[The DFIR Report Truebot June 12 2023]

Internal MISP references

UUID fb879c66-92b1-4a43-8df8-987fc3bc1b1b which can be used as unique global reference for MBR Killer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5297
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2e621fc5-dea4-4cb9-987e-305845986cd3', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

MCMD

MCMD is a remote access tool that provides remote command shell capability used by Dragonfly 2.0.[Secureworks MCMD July 2019]

Internal MISP references

UUID 939cbe39-5b63-4651-b0c0-85ac39cb9f0e which can be used as unique global reference for MCMD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0500
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

MechaFlounder

MechaFlounder is a python-based remote access tool (RAT) that has been used by APT39. The payload uses a combination of actor developed code and code snippets freely available online in development communities.[Unit 42 MechaFlounder March 2019]

Internal MISP references

UUID 31cbe3c8-be88-4a4f-891d-04c3bb7ed482 which can be used as unique global reference for MechaFlounder in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0459
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

MedusaLocker Ransomware

MedusaLocker is a ransomware-as-a-service ("RaaS") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 has typically occurred via exploit of vulnerable Remote Desktop Protocol devices.[HC3 Analyst Note MedusaLocker Ransomware February 2023]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/medusalocker/

Internal MISP references

UUID c9e824b2-554b-4f42-b4c3-48e0a841f589 which can be used as unique global reference for MedusaLocker Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5022
source Tidal Cyber
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

meek

meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.

Internal MISP references

UUID 6c3bbcae-3217-43c7-b709-5c54bc7636b1 which can be used as unique global reference for meek in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0175
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['tool']
Related clusters

To see the related clusters, click here.

MegaCortex

MegaCortex is ransomware that first appeared in May 2019. [IBM MegaCortex] MegaCortex has mainly targeted industrial organizations. [FireEye Ransomware Disrupt Industrial Production][FireEye Financial Actors Moving into OT]

Internal MISP references

UUID d8a4a817-2914-47b0-867c-ad8eeb7efd10 which can be used as unique global reference for MegaCortex in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0576
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

MEGAsync

A legitimate binary that automates syncing between an endpoint and the MEGA Cloud Drive.[GitHub meganz MEGAsync] Adversaries are known to abuse the tool for data exfiltration purposes.[U.S. CISA BianLian Ransomware May 2023]

Internal MISP references

UUID eed908e5-a0b3-473f-bca4-0d3197af2168 which can be used as unique global reference for MEGAsync in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5005
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Melcoz

Melcoz is a banking trojan family built from the open source tool Remote Access PC. Melcoz was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.[Securelist Brazilian Banking Malware July 2020]

Internal MISP references

UUID aa844e6b-feda-4928-8c6d-c59f7be88da0 which can be used as unique global reference for Melcoz in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0530
source MITRE
type ['malware']

MESSAGETAP

MESSAGETAP is a data mining malware family deployed by APT41 into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. [FireEye MESSAGETAP October 2019]

Internal MISP references

UUID 15d7e478-349d-42e6-802d-f16302b98319 which can be used as unique global reference for MESSAGETAP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0443
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

metaMain

metaMain is a backdoor used by Metador to maintain long-term access to compromised machines; it has also been used to decrypt Mafalda into memory.[SentinelLabs Metador Sept 2022][SentinelLabs Metador Technical Appendix Sept 2022]

Internal MISP references

UUID 0a9874bf-4f02-5fab-8ab6-d0f42c6bc71d which can be used as unique global reference for metaMain in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1059
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Metamorfo

Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.[Medium Metamorfo Apr 2020][ESET Casbaneiro Oct 2019]

Internal MISP references

UUID ca607087-25ad-4a91-af83-608646cccbcb which can be used as unique global reference for Metamorfo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0455
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Metasploit

The Metasploit Framework is an open-source software project that aids in penetration testing.[Metasploit_Ref] The software is often abused by malicious actors to perform a range of post-exploitation activities.

Internal MISP references

UUID 8d3b1150-8bb3-49a8-8266-7023e3c5e50a which can be used as unique global reference for Metasploit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5050
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['malware']
Related clusters

To see the related clusters, click here.

MetaStealer

MetaStealer is an information-stealing malware ("infostealer") designed to harvest passwords, cookies, and other sensitive information from victim systems.[SentinelOne 9 11 2023]

Internal MISP references

UUID e95281ef-a1b1-4da0-b7cc-fa0a9236a4fc which can be used as unique global reference for MetaStealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['macOS']
software_attack_id S5315
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

Meteor

Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.[Check Point Meteor Aug 2021]

Internal MISP references

UUID ee07030e-ff50-404b-ad27-ab999fc1a23a which can be used as unique global reference for Meteor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0688
source MITRE
type ['malware']

Mftrace

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Trace log generation tool for Media Foundation Tools.

Author: Oddvar Moe

Paths: * C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x86 * C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64 * C:\Program Files (x86)\Windows Kits\10\bin\x86 * C:\Program Files (x86)\Windows Kits\10\bin\x64

Resources: * https://twitter.com/0rbz_/status/988911181422186496

Detection: * Sigma: proc_creation_win_lolbin_mftrace.yml[Mftrace.exe - LOLBAS Project]

Internal MISP references

UUID 4184f447-6f74-487b-be08-6330a6b78992 which can be used as unique global reference for Mftrace in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5224
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Micropsia

Micropsia is a remote access tool written in Delphi.[Talos Micropsia June 2017][Radware Micropsia July 2018]

Internal MISP references

UUID 5879efc1-f122-43ec-a80d-e25aa449594d which can be used as unique global reference for Micropsia in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0339
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']
Related clusters

To see the related clusters, click here.

Microsoft.NodejsTools.PressAnyKey

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Part of the NodeJS Visual Studio tools.

Author: mr.d0x

Paths: * C:\Program Files\Microsoft Visual Studio*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe * C:\Program Files (x86)\Microsoft Visual Studio*\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools\Microsoft.NodejsTools.PressAnyKey.exe

Resources: * https://twitter.com/mrd0x/status/1463526834918854661

Detection: * Sigma: proc_creation_win_renamed_pressanykey.yml * Sigma: proc_creation_win_pressanykey_lolbin_execution.yml[Microsoft.NodejsTools.PressAnyKey.exe - LOLBAS Project]

Internal MISP references

UUID 370b00ba-1f91-4375-8a4c-5ca67066f4fd which can be used as unique global reference for Microsoft.NodejsTools.PressAnyKey in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5225
source Tidal Cyber
tags ['eb75bfce-e0d6-41b3-a3f0-df34e6e9b476', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Microsoft.Workflow.Compiler

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.

Author: Conor Richard

Paths: * C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe

Resources: * https://twitter.com/mattifestation/status/1030445200475185154 * https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb * https://gist.github.com/mattifestation/3e28d391adbd7fe3e0c722a107a25aba#file-workflowcompilerdetectiontests-ps1 * https://gist.github.com/mattifestation/7ba8fc8f724600a9f525714c9cf767fd#file-createcompilerinputxml-ps1 * https://www.forcepoint.com/blog/security-labs/using-c-post-powershell-attacks * https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike/ * https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15

Detection: * Sigma: proc_creation_win_lolbin_workflow_compiler.yml * Splunk: suspicious_microsoft_workflow_compiler_usage.yml * Splunk: suspicious_microsoft_workflow_compiler_rename.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations. * IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe * IOC: Presence of "<CompilerInput" in a text file.[Microsoft.Workflow.Compiler.exe - LOLBAS Project]

Internal MISP references

UUID 27bd5fc3-17d9-46fa-84ce-c772736512cd which can be used as unique global reference for Microsoft.Workflow.Compiler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5125
source Tidal Cyber
tags ['b48e3fa8-25b4-42be-97e7-086068a150c5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Milan

Milan is a backdoor implant based on DanBot that was written in Visual C++ and .NET. Milan has been used by HEXANE since at least June 2020.[ClearSky Siamesekitten August 2021][Kaspersky Lyceum October 2021]

Internal MISP references

UUID 57545dbc-c72a-409d-a373-bc35e25160cd which can be used as unique global reference for Milan in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1015
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [Deply Mimikatz] [Adsecurity Mimikatz Guide]

Internal MISP references

UUID b8e7c0b4-49e4-4e8d-9467-b17f305ddf16 which can be used as unique global reference for Mimikatz in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0002
source MITRE
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '5fda51b0-dfda-49bd-8615-524b45d4cd44', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

MimiPenguin

MimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. [MimiPenguin GitHub May 2017]

Internal MISP references

UUID 42350632-b59a-4cc5-995e-d95d8c608553 which can be used as unique global reference for MimiPenguin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0179
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']
Related clusters

To see the related clusters, click here.

Miner-C

Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. [Softpedia MinerC]

Internal MISP references

UUID c0dea9db-1551-4f6c-8a19-182efc34093a which can be used as unique global reference for Miner-C in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0133
source MITRE
type ['malware']

MiniDuke

MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke. [F-Secure The Dukes]

Internal MISP references

UUID 2bb16809-6bc3-46c3-b28a-39cb49410340 which can be used as unique global reference for MiniDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0051
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

MirageFox

MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. [APT15 Intezer June 2018]

Internal MISP references

UUID 535f1b97-7a70-4d18-be4e-3a9f74ccf78a which can be used as unique global reference for MirageFox in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0280
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Misdat

Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.[Cylance Dust Storm]

Internal MISP references

UUID 4048afa2-79c8-4d38-8219-2207adddd884 which can be used as unique global reference for Misdat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0083
source MITRE
type ['malware']

Mispadu

Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.[ESET Security Mispadu Facebook Ads 2019][SCILabs Malteiro 2021] This malware is operated, managed, and sold by the Malteiro cybercriminal group.[SCILabs Malteiro 2021] Mispadu has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.[SCILabs Malteiro 2021][SCILabs URSA/Mispadu Evolution 2023][Segurança Informática URSA Sophisticated Loader 2020]

Internal MISP references

UUID 758e5226-6015-5cc7-af4b-20fa35c9bac1 which can be used as unique global reference for Mispadu in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1122
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Mis-Type

Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.[Cylance Dust Storm]

Internal MISP references

UUID fe554d2e-f974-41d6-8e7a-701bd758355d which can be used as unique global reference for Mis-Type in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0084
source MITRE
type ['malware']

Mivast

Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach. [Symantec Black Vine]

Internal MISP references

UUID f603ea32-91c3-4b62-a60f-57670433b080 which can be used as unique global reference for Mivast in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0080
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Mmc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Load snap-ins to locally and remotely manage Windows systems

Author: @bohops

Paths: * C:\Windows\System32\mmc.exe * C:\Windows\SysWOW64\mmc.exe

Resources: * https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ * https://offsec.almond.consulting/UAC-bypass-dotnet.html

Detection: * Sigma: proc_creation_win_mmc_susp_child_process.yml * Sigma: file_event_win_uac_bypass_dotnet_profiler.yml[Mmc.exe - LOLBAS Project]

Internal MISP references

UUID 8c7acae2-f844-4e01-86d8-18c3ea90963f which can be used as unique global reference for Mmc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5126
source Tidal Cyber
tags ['f9e6382f-e41e-438e-bd7e-57a57046d9e6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

MobileOrder

MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic. [Scarlet Mimic Jan 2016]

Internal MISP references

UUID 116f913c-0d5e-43d1-ba0d-3a12127af8f6 which can be used as unique global reference for MobileOrder in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0079
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

MoleNet

MoleNet is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.[Cybereason Molerats Dec 2020]

Internal MISP references

UUID 7ca5debb-f813-4e06-98f8-d1186552e5d2 which can be used as unique global reference for MoleNet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0553
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Mongall

Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.[SentinelOne Aoqin Dragon June 2022]

Internal MISP references

UUID 7f5355b3-e819-4c82-a0fa-b80fda8fd6e6 which can be used as unique global reference for Mongall in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1026
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

MoonWind

MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. [Palo Alto MoonWind March 2017]

Internal MISP references

UUID a699f32f-6596-4060-8fcd-42587a844b80 which can be used as unique global reference for MoonWind in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0149
source MITRE
type ['malware']

More_eggs

More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. [Talos Cobalt Group July 2018][Security Intelligence More Eggs Aug 2019]

Internal MISP references

UUID 69f202e7-4bc9-4f4f-943f-330c053ae977 which can be used as unique global reference for More_eggs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0284
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Mori

Mori is a backdoor that has been used by MuddyWater since at least January 2022.[DHS CISA AA22-055A MuddyWater February 2022][CYBERCOM Iranian Intel Cyber January 2022]

Internal MISP references

UUID 385e1eaf-9ba8-4381-981a-3c7af718a77d which can be used as unique global reference for Mori in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1047
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Mosquito

Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. [ESET Turla Mosquito Jan 2018]

Internal MISP references

UUID c3939dad-d728-4ddb-804e-cf1e3743a55d which can be used as unique global reference for Mosquito in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0256
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

MpCmdRun

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary part of Windows Defender. Used to manage settings in Windows Defender

Author: Oddvar Moe

Paths: * C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0\MpCmdRun.exe * C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.7-0\MpCmdRun.exe * C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe

Resources: * https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus * https://twitter.com/mohammadaskar2/status/1301263551638761477 * https://twitter.com/Oddvarmoe/status/1301444858910052352 * https://twitter.com/NotMedic/status/1301506813242867720

Detection: * Sigma: win_susp_mpcmdrun_download.yml * Elastic: command_and_control_remote_file_copy_mpcmdrun.toml * IOC: MpCmdRun storing data into alternate data streams. * IOC: MpCmdRun retrieving a file from a remote machine or the internet that is not expected. * IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching mpcmdrun.exe. * IOC: Monitor for the creation of %USERPROFILE%\AppData\Local\Temp\MpCmdRun.log * IOC: User Agent is "MpCommunication"[MpCmdRun.exe - LOLBAS Project]

Internal MISP references

UUID ec54a1e4-92d4-4503-a510-a18989f1f8f3 which can be used as unique global reference for MpCmdRun in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5127
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Msbuild

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to compile and execute code

Author: Oddvar Moe

Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe * C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe * C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe * C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe

Resources: * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md * https://github.com/Cn33liz/MSBuildShell * https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191 * https://github.com/LOLBAS-Project/LOLBAS/issues/165 * https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files * https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events

Detection: * Sigma: file_event_win_shell_write_susp_directory.yml * Sigma: proc_creation_win_msbuild_susp_parent_process.yml * Sigma: net_connection_win_silenttrinity_stager_msbuild_activity.yml * Splunk: suspicious_msbuild_spawn.yml * Splunk: suspicious_msbuild_rename.yml * Splunk: msbuild_suspicious_spawned_by_script_process.yml * Elastic: defense_evasion_msbuild_beacon_sequence.toml * Elastic: defense_evasion_msbuild_making_network_connections.toml * Elastic: defense_evasion_execution_msbuild_started_by_script.toml * Elastic: defense_evasion_execution_msbuild_started_by_office_app.toml * Elastic: defense_evasion_execution_msbuild_started_renamed.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Msbuild.exe should not normally be executed on workstations[LOLBAS Msbuild]

Internal MISP references

UUID 1f500e4c-25a1-4570-a3ba-5c9cd463afde which can be used as unique global reference for Msbuild in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5128
source Tidal Cyber
tags ['dfda978e-e0a0-4e1a-85c7-d9ab2cd7ccc5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Msconfig

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows

Author: Oddvar Moe

Paths: * C:\Windows\System32\msconfig.exe

Resources: * https://twitter.com/pabraeken/status/991314564896690177

Detection: * Sigma: proc_creation_win_uac_bypass_msconfig_gui.yml * Sigma: file_event_win_uac_bypass_msconfig_gui.yml * IOC: mscfgtlc.xml changes in system32 folder[Msconfig.exe - LOLBAS Project]

Internal MISP references

UUID 90c6cc43-d9dd-436c-b7ee-ede979765bdf which can be used as unique global reference for Msconfig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5129
source Tidal Cyber
tags ['7e20fe4e-6883-457d-81f9-b4010e739f89', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Msdeploy

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft tool used to deploy Web Applications.

Author: Oddvar Moe

Paths: * C:\Program Files (x86)\IIS\Microsoft Web Deploy V3\msdeploy.exe

Resources: * https://twitter.com/pabraeken/status/995837734379032576 * https://twitter.com/pabraeken/status/999090532839313408

Detection: * Sigma: proc_creation_win_lolbin_msdeploy.yml[Msdeploy.exe - LOLBAS Project]

Internal MISP references

UUID 175b32ed-bea6-491c-8aac-d088f642a6e1 which can be used as unique global reference for Msdeploy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5226
source Tidal Cyber
tags ['11452158-b8d2-4a33-952a-8896f961a2f5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Msdt

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft diagnostics tool

Author: Oddvar Moe

Paths: * C:\Windows\System32\Msdt.exe * C:\Windows\SysWOW64\Msdt.exe

Resources: * https://web.archive.org/web/20160322142537/https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ * https://twitter.com/harr0ey/status/991338229952598016 * https://twitter.com/nas_bench/status/1531944240271568896

Detection: * Sigma: proc_creation_win_lolbin_msdt_answer_file.yml * Sigma: proc_creation_win_msdt_arbitrary_command_execution.yml * Elastic: defense_evasion_network_connection_from_windows_binary.toml[Msdt.exe - LOLBAS Project]

Internal MISP references

UUID bc39280c-da92-4e78-ab37-7c54ff72a1ba which can be used as unique global reference for Msdt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5130
source Tidal Cyber
tags ['8c30b46b-3651-4ccd-9d91-34fe89bc6843', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Msedge

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Edge browser

Author: mr.d0x

Paths: * c:\Program Files\Microsoft\Edge\Application\msedge.exe * c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Resources: * https://twitter.com/mrd0x/status/1478116126005641220 * https://twitter.com/mrd0x/status/1478234484881436672

Detection: * Sigma: proc_creation_win_browsers_msedge_arbitrary_download.yml * Sigma: proc_creation_win_browsers_chromium_headless_file_download.yml[Msedge.exe - LOLBAS Project]

Internal MISP references

UUID d64d75ba-1722-4a39-ab7f-d46c5d5815ec which can be used as unique global reference for Msedge in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5131
source Tidal Cyber
tags ['5bd3af6b-cb96-4d96-9576-26521dd76513', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

msedge_proxy

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Edge Browser

Author: Mert Daş

Paths: * C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Resources: None Provided

Detection: None Provided[msedge_proxy.exe - LOLBAS Project]

Internal MISP references

UUID e098413e-1d54-4d1f-bf63-1443b57bcc2f which can be used as unique global reference for msedge_proxy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5182
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

msedgewebview2

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: msedgewebview2.exe is the executable file for Microsoft Edge WebView2, which is a web browser control used by applications to display web content.

Author: Matan Bahar

Paths: * C:\Program Files (x86)\Microsoft\Edge\Application\114.0.1823.43\msedgewebview2.exe

Resources: * https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf

Detection: * IOC: msedgewebview2.exe spawned with any of the following: --gpu-launcher, --utility-cmd-prefix, --renderer-cmd-prefix, --browser-subprocess-path[msedgewebview2.exe - LOLBAS Project]

Internal MISP references

UUID ac6d4ab8-f34c-4b00-a943-cc2749b28a05 which can be used as unique global reference for msedgewebview2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5183
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Mshta

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to execute html applications. (.hta)

Author: Oddvar Moe

Paths: * C:\Windows\System32\mshta.exe * C:\Windows\SysWOW64\mshta.exe

Resources: * https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4 * https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

Detection: * Sigma: proc_creation_win_mshta_susp_pattern.yml * Sigma: proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml * Sigma: proc_creation_win_mshta_lethalhta_technique.yml * Sigma: proc_creation_win_mshta_javascript.yml * Sigma: file_event_win_net_cli_artefact.yml * Sigma: image_load_susp_script_dotnet_clr_dll_load.yml * Elastic: defense_evasion_mshta_beacon.toml * Elastic: lateral_movement_dcom_hta.toml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Splunk: suspicious_mshta_activity.yml * Splunk: detect_mshta_renamed.yml * Splunk: suspicious_mshta_spawn.yml * Splunk: suspicious_mshta_child_process.yml * Splunk: detect_mshta_url_in_command_line.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: mshta.exe executing raw or obfuscated script within the command-line * IOC: General usage of HTA file * IOC: msthta.exe network connection to Internet/WWW resource * IOC: DotNet CLR libraries loaded into mshta.exe * IOC: DotNet CLR Usage Log - mshta.exe.log[LOLBAS Mshta]

Internal MISP references

UUID f552a5a4-49dd-4ba6-9916-e631df4d4457 which can be used as unique global reference for Mshta in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5132
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fe0e2dd3-962e-41a3-9850-cea146b1301f', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Mshtml

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft HTML Viewer

Author: LOLBAS Team

Paths: * c:\windows\system32\mshtml.dll * c:\windows\syswow64\mshtml.dll

Resources: * https://twitter.com/pabraeken/status/998567549670477824 * https://windows10dll.nirsoft.net/mshtml_dll.html

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Mshtml.dll - LOLBAS Project]

Internal MISP references

UUID f94674b9-f924-4452-8516-49657ed40032 which can be used as unique global reference for Mshtml in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5192
source Tidal Cyber
tags ['46338353-52ee-4f8d-9f18-f1b32644dd76', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Msiexec

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to execute msi files

Author: Oddvar Moe

Paths: * C:\Windows\System32\msiexec.exe * C:\Windows\SysWOW64\msiexec.exe

Resources: * https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/ * https://twitter.com/PhilipTsukerman/status/992021361106268161 * https://badoption.eu/blog/2023/10/03/MSIFortune.html

Detection: * Sigma: proc_creation_win_msiexec_web_install.yml * Sigma: proc_creation_win_msiexec_masquerading.yml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * Splunk: uninstall_app_using_msiexec.yml * IOC: msiexec.exe retrieving files from Internet[LOLBAS Msiexec]

Internal MISP references

UUID 9d00d3c4-9a01-403a-9275-c94960fd871f which can be used as unique global reference for Msiexec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5133
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'fc2bbc6f-da5c-4afd-ae27-2fadf77c3bc4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

MsoHtmEd

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Office component

Author: Nir Chako

Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office16\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSOHTMED.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office\Office15\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office15\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSOHTMED.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office14\MSOHTMED.exe * C:\Program Files (x86)\Microsoft Office\Office12\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe * C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe

Resources: None Provided

Detection: * Sigma: proc_creation_win_lolbin_msohtmed_download.yml * IOC: Suspicious Office application internet/network traffic[MsoHtmEd.exe - LOLBAS Project]

Internal MISP references

UUID d316ab94-0420-4356-a3bb-f92f42a4247c which can be used as unique global reference for MsoHtmEd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5227
source Tidal Cyber
tags ['874c053b-d6b8-42c2-accc-cd256bb4d350', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Mspub

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Publisher

Author: Nir Chako

Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSPUB.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSPUB.exe * C:\Program Files (x86)\Microsoft Office\Office16\MSPUB.exe * C:\Program Files\Microsoft Office\Office16\MSPUB.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSPUB.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSPUB.exe * C:\Program Files (x86)\Microsoft Office\Office15\MSPUB.exe * C:\Program Files\Microsoft Office\Office15\MSPUB.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSPUB.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSPUB.exe * C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.exe * C:\Program Files\Microsoft Office\Office14\MSPUB.exe

Resources: None Provided

Detection: * Sigma: proc_creation_win_lolbin_mspub_download.yml * IOC: Suspicious Office application internet/network traffic[Mspub.exe - LOLBAS Project]

Internal MISP references

UUID c07f48ee-4667-4dd3-aa8e-cb6d588c547c which can be used as unique global reference for Mspub in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5228
source Tidal Cyber
tags ['a523dcb0-9181-4170-a113-126df84594ca', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

msxsl

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Command line utility used to perform XSL transformations.

Author: Oddvar Moe

Paths: * no default

Resources: * https://twitter.com/subTee/status/877616321747271680 * https://github.com/3gstudent/Use-msxsl-to-bypass-AppLocker * https://github.com/RonnieSalomonsen/Use-msxsl-to-download-file

Detection: * Sigma: proc_creation_win_wmic_xsl_script_processing.yml * Elastic: defense_evasion_msxsl_beacon.toml * Elastic: defense_evasion_msxsl_network.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml[msxsl.exe - LOLBAS Project]

Internal MISP references

UUID 8cccbfed-3f78-45fd-b5d1-efe884d28f09 which can be used as unique global reference for msxsl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5229
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

MURKYTOP

MURKYTOP is a reconnaissance tool used by Leviathan. [FireEye Periscope March 2018]

Internal MISP references

UUID 768111f9-0948-474b-82a6-cd5455079513 which can be used as unique global reference for MURKYTOP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0233
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Mythic

Mythic is an open source, cross-platform post-exploitation/command and control platform. Mythic is designed to "plug-n-play" with various agents and communication channels.[Mythic Github][Mythic SpecterOps][Mythc Documentation] Deployed Mythic C2 servers have been observed as part of potentially malicious infrastructure.[RecordedFuture 2021 Ad Infra]

Internal MISP references

UUID f1398367-a0af-4a89-b240-50cae4985ed9 which can be used as unique global reference for Mythic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0699
source MITRE
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']

Naid

Naid is a trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Naid June 2012]

Internal MISP references

UUID 5cfd6135-c53b-4234-a17e-759494b2101f which can be used as unique global reference for Naid in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0205
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

NanHaiShu

NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute. [Proofpoint Leviathan Oct 2017] [fsecure NanHaiShu July 2016]

Internal MISP references

UUID 0e28dfc9-8948-4c08-b7d8-9e80e19cc464 which can be used as unique global reference for NanHaiShu in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0228
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

NanoCore

NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.[DigiTrust NanoCore Jan 2017][Cofense NanoCore Mar 2018][PaloAlto NanoCore Feb 2016][Unit 42 Gorgon Group Aug 2018]

Internal MISP references

UUID db05dbaa-eb3a-4303-b37e-18d67e7e85a1 which can be used as unique global reference for NanoCore in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0336
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

NativeZone

NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021][SentinelOne NobleBaron June 2021]

Internal MISP references

UUID a814fd1d-8c2c-41b3-bb3a-30c4318c74c0 which can be used as unique global reference for NativeZone in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0637
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. [Talos NavRAT May 2018]

Internal MISP references

UUID b410d30c-4db6-4239-950e-9b0e0521f0d2 which can be used as unique global reference for NavRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0247
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']
Related clusters

To see the related clusters, click here.

NBTscan

NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.[Debian nbtscan Nov 2019][SecTools nbtscan June 2003][Symantec Waterbug Jun 2019][FireEye APT39 Jan 2019]

Internal MISP references

UUID 950f13e6-3ae3-411e-a2b2-4ba1afe6cb76 which can be used as unique global reference for NBTscan in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0590
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

nbtstat

nbtstat is a utility used to troubleshoot NetBIOS name resolution. [TechNet Nbtstat]

Internal MISP references

UUID 81c2fc9b-8c2c-40f6-a327-dcdd64b70a7e which can be used as unique global reference for nbtstat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0102
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

NDiskMonitor

NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork. [TrendMicro Patchwork Dec 2017]

Internal MISP references

UUID 6d42e6c5-3056-4ff1-8d5d-a736807ec84c which can be used as unique global reference for NDiskMonitor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0272
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Nebulae

Nebulae Is a backdoor that has been used by Naikon since at least 2020.[Bitdefender Naikon April 2021]

Internal MISP references

UUID 38510bab-aece-4d7b-b621-7594c2c4fe14 which can be used as unique global reference for Nebulae in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0630
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Neoichor

Neoichor is C2 malware used by Ke3chang since at least 2019; similar malware families used by the group include Leeson and Numbldea.[Microsoft NICKEL December 2021]

Internal MISP references

UUID 8662e29e-5766-4311-894e-5ca52515ccbe which can be used as unique global reference for Neoichor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0691
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Nerex

Nerex is a Trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Nerex May 2012]

Internal MISP references

UUID de8b18c9-ebab-4126-96a9-282fa8829877 which can be used as unique global reference for Nerex in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0210
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [Microsoft Net Utility]

Net has a great deal of functionality, [Savill 1999] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Internal MISP references

UUID c9b8522f-126d-40ff-b44e-1f46098bd8cc which can be used as unique global reference for Net in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0039
source MITRE
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '4e7ae33d-e040-4618-bccf-3b5e4aac81ed', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Net Crawler

Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. [Cylance Cleaver]

Internal MISP references

UUID 947c6212-4da8-48dd-9da9-ce4b077dd759 which can be used as unique global reference for Net Crawler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0056
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

NETEAGLE

NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” [FireEye APT30]

Internal MISP references

UUID 852c300d-9313-442d-9b49-9883522c3f4b which can be used as unique global reference for NETEAGLE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0034
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

netsh

netsh is a scripting utility used to interact with networking components on local or remote systems. [TechNet Netsh]

Internal MISP references

UUID 803192b8-747b-4108-ae15-2d7481d39162 which can be used as unique global reference for netsh in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0108
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '064dc489-6b50-4cc1-bb9b-fe722f21aaf1', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

netstat

netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. [TechNet Netstat]

Internal MISP references

UUID 132fb908-9f13-4bcf-aa64-74cbc72f5491 which can be used as unique global reference for netstat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0104
source MITRE
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

NetSupport

NetSupport is a legitimate utility that has been long-used for remote management and monitoring (RMM) purposes. In recent years, it has been heavily abused by threat actors for maintaining persistent remote access to victim systems.[The DFIR Report NetSupport October 30 2023]

Internal MISP references

UUID 96ecdb59-b047-4557-b2a7-c9712e8c903b which can be used as unique global reference for NetSupport in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S5320
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['tool']
Related clusters

To see the related clusters, click here.

NetTraveler

NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. [Kaspersky NetTraveler]

Internal MISP references

UUID 1b8f9cf9-db8f-437d-800e-5ddd090fe30d which can be used as unique global reference for NetTraveler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0033
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Netwalker

Netwalker is fileless ransomware written in PowerShell and executed directly in memory.[TrendMicro Netwalker May 2020]

Internal MISP references

UUID 5b4b395f-f61a-4bd6-94c1-fb45ed3cd13d which can be used as unique global reference for Netwalker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0457
source MITRE
tags ['89c5b94b-ecf4-4d53-9b74-3465086d4565', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '242bc007-5ac5-4d96-8638-699a06d06d24', 'e554bd60-5de3-4162-9ed3-66073ae9d6b3', '0e948c57-6c10-4576-ad27-9832cc2af3a1', '3d90eed2-862d-4f61-8c8f-0b8da3e45af0', '2743d495-7728-4a75-9e5f-b64854039792', '4fb4824e-1995-4c65-8c71-e818c0aa1086', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

NETWIRE

NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.[FireEye APT33 Sept 2017][McAfee Netwire Mar 2015][FireEye APT33 Webinar Sept 2017]

Internal MISP references

UUID c7d0e881-80a1-49ea-9c1f-b6e53cf399a8 which can be used as unique global reference for NETWIRE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0198
source MITRE
tags ['6c6c0125-9631-4c2c-90ab-cfef374d5198']
type ['malware']
Related clusters

To see the related clusters, click here.

Network Scanner

Network Scanner (NS.exe) is a utility that can be used to enumerate file shares within a given environment.[The DFIR Report Dharma Ransomware June 2020]

Internal MISP references

UUID 56018455-7644-4e59-845a-986f55efcad4 which can be used as unique global reference for Network Scanner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5278
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', 'e1af18e3-3224-4e4c-9d0f-533768474508']
type ['tool']
Related clusters

To see the related clusters, click here.

NGLite

NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.[NGLite Trojan]

Internal MISP references

UUID 48b161fe-3ae1-5551-9f26-d6f2d6b5afb9 which can be used as unique global reference for NGLite in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1106
source MITRE
type ['malware']

ngrok

ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.[Zdnet Ngrok September 2018][FireEye Maze May 2020][Cyware Ngrok May 2019][MalwareBytes LazyScripter Feb 2021]

Internal MISP references

UUID 316ecd9d-ac0b-58c7-8083-5d9214c770f6 which can be used as unique global reference for ngrok in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0508
source MITRE
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', 'd75c1a80-0cb8-4a64-8379-10514cd44b1e', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['tool']
Related clusters

To see the related clusters, click here.

Nidiran

Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise. [Symantec Suckfly March 2016]

Internal MISP references

UUID 3ae9acd7-39f8-45c6-b557-c7d9a40eed2c which can be used as unique global reference for Nidiran in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0118
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

NightClub

NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least 2014.[MoustachedBouncer ESET August 2023]

Internal MISP references

UUID b1963876-dbdc-5beb-ace3-acb6d7705543 which can be used as unique global reference for NightClub in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1090
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Ninja

Ninja is a malware developed in C++ that has been used by ToddyCat to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post exploitation toolkit exclusively used by ToddyCat and allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by Samurai.[Kaspersky ToddyCat June 2022]

Internal MISP references

UUID 2dd26ff0-22d6-591b-9054-78e84fa3e05c which can be used as unique global reference for Ninja in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1100
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

NirSoft

NirSoft is a self-described "freeware" utility that can be used to recover passwords.[NirSoft Website] According to U.S. cybersecurity authorities, ransomware actors such as those associated with the Royal ransomware operation have used the NirSoft utility to harvest passwords for malicious purposes.[#StopRansomware: Royal Ransomware | CISA]

Internal MISP references

UUID efa5fff4-f6db-4719-91c7-97dbe93099a8 which can be used as unique global reference for NirSoft in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5271
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

njRAT

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.[Fidelis njRAT June 2013]

Internal MISP references

UUID 82996f6f-0575-45cd-8f7c-ba1b063d5b9f which can be used as unique global reference for njRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0385
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

NKAbuse

NKAbuse is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.[NKAbuse BC][NKAbuse SL]

Internal MISP references

UUID e26988e0-e755-54a4-8234-e8f961266d82 which can be used as unique global reference for NKAbuse in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S1107
source MITRE
type ['malware']

Nltest

Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.[Nltest Manual]

Internal MISP references

UUID fbb1546a-f288-4e43-9e5c-14c94423c4f6 which can be used as unique global reference for Nltest in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0359
source MITRE
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '24f6ba0e-9230-4410-a9fb-b0f3b55de326', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Nmap

According to its project website, "Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing".[Nmap: the Network Mapper]

Internal MISP references

UUID 042e61cf-a8e1-42ec-8974-a3b2e2037c08 which can be used as unique global reference for Nmap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5051
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '6ff40d11-214a-434b-b137-993e4ff5e34e', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

NOKKI

NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.[Unit 42 NOKKI Sept 2018][Unit 42 Nokki Oct 2018]

Internal MISP references

UUID 31aa0433-fb6b-4290-8af5-a0d0c6c18548 which can be used as unique global reference for NOKKI in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0353
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

NotPetya

NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[Talos Nyetya June 2017][US-CERT NotPetya 2017][ESET Telebots June 2017][US District Court Indictment GRU Unit 74455 October 2020]

Internal MISP references

UUID 2538e0fe-1290-4ae1-aef9-e55d83c9eb23 which can be used as unique global reference for NotPetya in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0368
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '09de661e-60c4-43fb-bfef-df017215d1d8', '5a463cb3-451d-47f7-93e4-1886150697ce', 'c2380542-36f2-4922-9ed2-80ced06645c9', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

Npcap

According to its project website, "Npcap is the Nmap Project's packet capture (and sending) library for Microsoft Windows".[Npcap: Windows Packet Capture Library & Driver] Nmap is a utility used for network discovery and security auditing.

Internal MISP references

UUID d1817595-9186-4749-aeab-26c774c1885d which can be used as unique global reference for Npcap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5052
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']

Ntdsutil

Ntdsutil is a Windows command-line tool "that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS)."[Ntdsutil Microsoft]

Internal MISP references

UUID 9af571bb-f3c7-434b-8187-3e4ceb0ec6fc which can be used as unique global reference for Ntdsutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5018
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '1da5eb1e-7ac5-4284-99cb-ce227cad8983', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

ObliqueRAT

ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe since at least 2020.[Talos Oblique RAT March 2021][Talos Transparent Tribe May 2021]

Internal MISP references

UUID 97e8148c-e146-444c-9de5-6e2fdbda2f9f which can be used as unique global reference for ObliqueRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0644
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

OceanSalt

OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.[McAfee Oceansalt Oct 2018]

Internal MISP references

UUID f1723994-058b-4525-8e11-2f0c80d8f3a4 which can be used as unique global reference for OceanSalt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0346
source MITRE
type ['malware']

Octopus

Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.[Securelist Octopus Oct 2018][Security Affairs DustSquad Oct 2018][ESET Nomadic Octopus 2018]

Internal MISP references

UUID 8f04e609-8773-4529-b247-d32f530cc453 which can be used as unique global reference for Octopus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0340
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Odbcconf

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used in Windows for managing ODBC connections

Author: Oddvar Moe

Paths: * C:\Windows\System32\odbcconf.exe * C:\Windows\SysWOW64\odbcconf.exe

Resources: * https://gist.github.com/NickTyrer/6ef02ce3fd623483137b45f65017352b * https://github.com/woanware/application-restriction-bypasses * https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/

Detection: * Sigma: proc_creation_win_odbcconf_response_file.yml * Sigma: proc_creation_win_odbcconf_response_file_susp.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml[LOLBAS Odbcconf]

Internal MISP references

UUID 5e434819-7f4a-440c-a9bd-7675c0218be1 which can be used as unique global reference for Odbcconf in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5134
source Tidal Cyber
tags ['64825d12-3cd6-4446-a93c-ff7d8ec13dc8', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

OfflineScannerShell

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Defender Offline Shell

Author: Elliot Killick

Paths: * C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe

Resources: None Provided

Detection: * Sigma: proc_creation_win_lolbas_offlinescannershell.yml * IOC: OfflineScannerShell.exe should not be run on a normal workstation[OfflineScannerShell.exe - LOLBAS Project]

Internal MISP references

UUID 8bc7c62a-110d-451b-9ca6-bc48a13e72d4 which can be used as unique global reference for OfflineScannerShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5135
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Okrum

Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang.[ESET Okrum July 2019]

Internal MISP references

UUID f9bcf0a1-f287-44ec-8f53-6859d41e041c which can be used as unique global reference for Okrum in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0439
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

OLDBAIT

OLDBAIT is a credential harvester used by APT28. [FireEye APT28] [FireEye APT28 January 2017]

Internal MISP references

UUID 479814e2-2656-4ea2-9e79-fcdb818f703e which can be used as unique global reference for OLDBAIT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0138
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Olympic Destroyer

Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.[Talos Olympic Destroyer 2018][US District Court Indictment GRU Unit 74455 October 2020]

Internal MISP references

UUID 073b5288-11d6-4db0-9f2c-a1816847d15c which can be used as unique global reference for Olympic Destroyer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0365
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

OneDriveStandaloneUpdater

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: OneDrive Standalone Updater

Author: Elliot Killick

Paths: * %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Resources: * https://github.com/LOLBAS-Project/LOLBAS/pull/153

Detection: * IOC: HKCU\Software\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC being set to a suspicious non-Microsoft controlled URL * IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files * Sigma: registry_set_lolbin_onedrivestandaloneupdater.yml[OneDriveStandaloneUpdater.exe - LOLBAS Project]

Internal MISP references

UUID 49ef42bc-0958-4b61-9593-a4af69432410 which can be used as unique global reference for OneDriveStandaloneUpdater in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5136
source Tidal Cyber
tags ['b6116080-8fbf-4e9f-9206-20b025f2cf23', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

OnionDuke

OnionDuke is malware that was used by APT29 from 2013 to 2015. [F-Secure The Dukes]

Internal MISP references

UUID 6056bf36-fb45-498d-a285-5f98ae08b090 which can be used as unique global reference for OnionDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0052
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

OopsIE

OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims. [Unit 42 OopsIE! Feb 2018]

Internal MISP references

UUID 4f1894d4-d085-4348-af50-dfda257a9e18 which can be used as unique global reference for OopsIE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0264
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

OpenConsole

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Console Window host for Windows Terminal

Author: Nasreddine Bencherchali

Paths: * C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe * C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe

Resources: * https://twitter.com/nas_bench/status/1537563834478645252

Detection: * IOC: OpenConsole.exe spawning unexpected processes * Sigma: proc_creation_win_lolbin_openconsole.yml[OpenConsole.exe - LOLBAS Project]

Internal MISP references

UUID 54030309-671d-4e4b-b9c0-619cd07f5e05 which can be used as unique global reference for OpenConsole in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5230
source Tidal Cyber
tags ['1dd2d703-fed1-41d2-9843-7b276ef3d6f2', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

OpenSSH

OpenSSH is a publicly available tool for traffic encryption and remote login using the Secure Shell ("SSH") protocol. According to its project website, it also "provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options".[OpenSSH Project Page]

Internal MISP references

UUID 5edec691-d2f1-4928-a12d-1ff59ba959a6 which can be used as unique global reference for OpenSSH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5273
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '2feda37d-5579-4102-a073-aa02e82cb49f', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

Orz

Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. [Proofpoint Leviathan Oct 2017] [FireEye Periscope March 2018]

Internal MISP references

UUID 45a52a29-00c0-458a-b705-1040e06a43f2 which can be used as unique global reference for Orz in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0229
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

OSInfo

OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. [Symantec Buckeye]

Internal MISP references

UUID fa1e13b8-2fb7-42e8-b630-25f0edfbca65 which can be used as unique global reference for OSInfo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0165
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to make improvements using a plugin architecture to extend capabilities, specifically using .dylib files. OSX_OCEANLOTUS.D can also determine it's permission level and execute according to access type (root or user).[Unit42 OceanLotus 2017][TrendMicro MacOS April 2018][Trend Micro MacOS Backdoor November 2020]

Internal MISP references

UUID a45904b5-0ada-4567-be4c-947146c7f574 which can be used as unique global reference for OSX_OCEANLOTUS.D in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0352
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

OSX/Shlayer

OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.[Carbon Black Shlayer Feb 2019][Intego Shlayer Feb 2018]

Internal MISP references

UUID 4d91d625-21d8-484a-b63f-0a3daa4ed434 which can be used as unique global reference for OSX/Shlayer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0402
source MITRE
type ['malware']

Out1

Out1 is a remote access tool written in python and used by MuddyWater since at least 2021.[Trend Micro Muddy Water March 2021]

Internal MISP references

UUID 273b1e8d-a23d-4c22-8493-80f3d6639352 which can be used as unique global reference for Out1 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0594
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

OutSteel

OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Ember Bear since at least March 2021.[Palo Alto Unit 42 OutSteel SaintBot February 2022 ]

Internal MISP references

UUID 042fe42b-f60e-45e1-b47d-a913e0677976 which can be used as unique global reference for OutSteel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1017
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

OwaAuth

OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. [Dell TG-3390]

Internal MISP references

UUID 6d8a8510-e6f1-49a7-b3a5-bd4664937147 which can be used as unique global reference for OwaAuth in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0072
source MITRE
type ['malware']

P2P ZeuS

P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. [Dell P2P ZeuS]

Internal MISP references

UUID 916f8a7c-e487-4446-b6ee-c8da712a9569 which can be used as unique global reference for P2P ZeuS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0016
source MITRE
type ['malware']

P8RAT

P8RAT is a fileless malware used by menuPass to download and execute payloads since at least 2020.[Securelist APT10 March 2021]

Internal MISP references

UUID 1933ad3d-3085-4b1b-82b9-ac51b440e2bf which can be used as unique global reference for P8RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0626
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

PACEMAKER

PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against US Defense Industrial Base (DIB) companies.[Mandiant Pulse Secure Zero-Day April 2021]

Internal MISP references

UUID 13856c51-d81c-5d75-bb6a-0bbdcc857cdd which can be used as unique global reference for PACEMAKER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network', 'Linux']
software_attack_id S1109
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pacu

Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.[GitHub Pacu]

Internal MISP references

UUID e90eb529-1665-5fd7-a44e-695715e4081b which can be used as unique global reference for Pacu in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['IaaS']
software_attack_id S1091
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'e81ba503-60b0-4b64-8f20-ef93e7783796', 'a2e000da-8181-4327-bacd-32013dbd3654', '2e5f6e4a-4579-46f7-9997-6923180815dd', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

Pandora

Pandora is a multistage kernel rootkit with backdoor functionality that has been in use by Threat Group-3390 since at least 2020.[Trend Micro Iron Tiger April 2021]

Internal MISP references

UUID 320b0784-4f0f-46ea-99e9-c34bfcca1c2e which can be used as unique global reference for Pandora in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0664
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Pasam

Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Pasam May 2012]

Internal MISP references

UUID 3f018e73-d09b-4c8d-815b-8b2c8faf7055 which can be used as unique global reference for Pasam in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0208
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pass-The-Hash Toolkit

Pass-The-Hash Toolkit is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. [Mandiant APT1]

Internal MISP references

UUID 8d007d52-8898-494c-8d72-354abd93da1e which can be used as unique global reference for Pass-The-Hash Toolkit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0122
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

PasswordFox

PasswordFox is a tool used to recover passwords from Firefox web browser.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID e12e1de8-a0d9-4602-8264-5952106bd53c which can be used as unique global reference for PasswordFox in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5037
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

P.A.S. Webshell

P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.[ANSSI Sandworm January 2021]

Internal MISP references

UUID 4d79530c-2fd9-4438-a8da-74f42119695a which can be used as unique global reference for P.A.S. Webshell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0598
source MITRE
tags ['311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

Pay2Key

Pay2Key is a ransomware written in C++ that has been used by Fox Kitten since at least July 2020 including campaigns against Israeli companies. Pay2Key has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.[ClearkSky Fox Kitten February 2020][Check Point Pay2Key November 2020]

Internal MISP references

UUID 9aa21e50-726e-4002-8b7b-75697a03eb2b which can be used as unique global reference for Pay2Key in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0556
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Pcalua

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Program Compatibility Assistant

Author: Oddvar Moe

Paths: * C:\Windows\System32\pcalua.exe

Resources: * https://twitter.com/KyleHanslovan/status/912659279806640128

Detection: * Sigma: proc_creation_win_lolbin_pcalua.yml[Pcalua.exe - LOLBAS Project]

Internal MISP references

UUID 00daafc4-8bf1-4447-b24f-1580263124f5 which can be used as unique global reference for Pcalua in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5137
source Tidal Cyber
tags ['074533ec-e14a-4dc3-98ae-c029904e3d6d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Pcexter

Pcexter is an uploader that has been used by ToddyCat since at least 2023 to exfiltrate stolen files.[Kaspersky ToddyCat Check Logs October 2023]

Internal MISP references

UUID 873ede85-548b-5fc0-a29e-80bd5afc5bf4 which can be used as unique global reference for Pcexter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1102
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

PCHunter

PCHunter is a tool used to enable advanced task management, including for system processes and kernels.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 591acc39-1218-4710-aadc-150ae6475ee3 which can be used as unique global reference for PCHunter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5038
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

PcShare

PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.[Bitdefender FunnyDream Campaign November 2020][GitHub PcShare 2014]

Internal MISP references

UUID 71eb2211-39aa-4b89-bd51-9dcabd363149 which can be used as unique global reference for PcShare in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1050
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['tool']
Related clusters

To see the related clusters, click here.

Pcwrun

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Program Compatibility Wizard

Author: Oddvar Moe

Paths: * C:\Windows\System32\pcwrun.exe

Resources: * https://twitter.com/pabraeken/status/991335019833708544 * https://twitter.com/nas_bench/status/1535663791362519040

Detection: * Sigma: proc_creation_win_lolbin_pcwrun_follina.yml[Pcwrun.exe - LOLBAS Project]

Internal MISP references

UUID 7babb537-ec29-425a-9108-43d1619e02b5 which can be used as unique global reference for Pcwrun in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5138
source Tidal Cyber
tags ['62496b72-7820-4512-b3f9-188464bb8161', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Pcwutl

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft HTML Viewer

Author: LOLBAS Team

Paths: * c:\windows\system32\pcwutl.dll * c:\windows\syswow64\pcwutl.dll

Resources: * https://twitter.com/harr0ey/status/989617817849876488 * https://windows10dll.nirsoft.net/pcwutl_dll.html

Detection: * Analysis: https://redcanary.com/threat-detection-report/techniques/rundll32/ * Sigma: proc_creation_win_rundll32_susp_activity.yml[Pcwutl.dll - LOLBAS Project]

Internal MISP references

UUID 47ba2c2c-b4f3-48dc-878f-b8cab6d97f65 which can be used as unique global reference for Pcwutl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5193
source Tidal Cyber
tags ['ff5c357e-6b9b-4ef3-a7ed-e5d4c0091c0c', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Peirates

Peirates is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.[Peirates GitHub]

Internal MISP references

UUID 52a19c73-2454-4893-8f84-8d05c37a9472 which can be used as unique global reference for Peirates in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers']
software_attack_id S0683
source MITRE
tags ['2e5f6e4a-4579-46f7-9997-6923180815dd', '4fa6f8e1-b0d5-4169-8038-33e355c08bde', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

Penquin

Penquin is a remote access trojan (RAT) with multiple versions used by Turla to target Linux systems since at least 2014.[Kaspersky Turla Penquin December 2014][Leonardo Turla Penquin May 2020]

Internal MISP references

UUID 951fad62-f636-4c01-b924-bb0ce87f5b20 which can be used as unique global reference for Penquin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0587
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Peppy

Peppy is a Python-based remote access Trojan, active since at least 2012, with similarities to Crimson.[Proofpoint Operation Transparent Tribe March 2016]

Internal MISP references

UUID 1f080577-c002-4b49-a342-fa70983c1d58 which can be used as unique global reference for Peppy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0643
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pester

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used as part of the Powershell pester

Author: Oddvar Moe

Paths: * c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat * c:\Program Files\WindowsPowerShell\Modules\Pester*\bin\Pester.bat

Resources: * https://twitter.com/Oddvarmoe/status/993383596244258816 * https://twitter.com/st0pp3r/status/1560072680887525378 * https://twitter.com/st0pp3r/status/1560072680887525378

Detection: * Sigma: proc_creation_win_lolbin_pester_1.yml[Pester.bat - LOLBAS Project]

Internal MISP references

UUID 5028ed72-8e6b-48bd-b4f4-e42df926893d which can be used as unique global reference for Pester in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5264
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Phobos Ransomware

This object represents a collection of MITRE ATT&CK® Techniques associated with Phobos ransomware binaries, as highlighted in sources such as joint Cybersecurity Advisory AA24-060A.[U.S. CISA Phobos February 29 2024]

Internal MISP references

UUID d7015696-0aa1-4c13-a0e6-b9d8e027dabf which can be used as unique global reference for Phobos Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5279
source Tidal Cyber
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

PhonyC2

PhonyC2 is a command and control framework attributed to the MuddyWater group. Researchers believe the tool has existed since at least 2021 and has been regularly updated since that time. PhonyC2 is believed to have been used in a 2023 attack on an institute of technology in Israel, as well as in a MuddyWater campaign beginning in May 2023 that featured exploitation of a vulnerability in PaperCut print management software (CVE-2023-27350).[Deep Instinct PhonyC2 June 2023]

Internal MISP references

UUID c6fc073b-fa8a-4fff-a066-3fd788d3ac85 which can be used as unique global reference for PhonyC2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5307
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '992bdd33-4a47-495d-883a-58010a2f0efb', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

PHOREAL

PHOREAL is a signature backdoor used by APT32. [FireEye APT32 May 2017]

Internal MISP references

UUID fd63cec1-9f72-4ed0-9926-2dbbb3d9cead which can be used as unique global reference for PHOREAL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0158
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Pikabot

Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the Add to Matrix button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a 60-second tutorial here).

Pikabot is a malware first observed in early 2023 that has downloader/dropper and backdoor functionality. Researchers observed Pikabot distribution increase following the disruption of the QakBot botnet by authorities in August 2023. Originally distributed via spam email campaigns, researchers observed the threat actor TA577 (previously known for distributing payloads including QakBot, IcedID, SystemBC, and Cobalt Strike) distributing Pikabot starting in December 2023.[Malwarebytes Pikabot December 15 2023]

Internal MISP references

UUID d2a226a2-ffa1-4bb0-a090-96dc42f9c84c which can be used as unique global reference for Pikabot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5265
source Tidal Cyber
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Pillowmint

Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.[Trustwave Pillowmint June 2020]

Internal MISP references

UUID db5d718b-1344-4aa2-8e6a-54e68d8adfb1 which can be used as unique global reference for Pillowmint in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0517
source MITRE
tags ['6c6c0125-9631-4c2c-90ab-cfef374d5198']
type ['malware']
Related clusters

To see the related clusters, click here.

PinchDuke

PinchDuke is malware that was used by APT29 from 2008 to 2010. [F-Secure The Dukes]

Internal MISP references

UUID ba2208c8-5e1e-46cd-bef1-ffa7a2be3be4 which can be used as unique global reference for PinchDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0048
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Ping

Ping is an operating system utility commonly used to troubleshoot and verify network connections. [TechNet Ping]

Internal MISP references

UUID 4ea12106-c0a1-4546-bb64-a1675d9f5dc7 which can be used as unique global reference for Ping in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0097
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

PingCastle

PingCastle is a tool that can be used to enumerate Active Directory and map trust relationships. BianLian Ransomware Group actors have used the tool for discovery purposes during attacks.[U.S. CISA BianLian Ransomware May 2023]

Internal MISP references

UUID 1debf242-3c91-4bdb-932c-27d61fe17474 which can be used as unique global reference for PingCastle in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5003
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

PingPull

PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.[Unit 42 PingPull Jun 2022]

Internal MISP references

UUID 4360cc62-7263-48b2-bd2a-a7737563545c which can be used as unique global reference for PingPull in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1031
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

PipeMon

PipeMon is a multi-stage modular backdoor used by Winnti Group.[ESET PipeMon May 2020]

Internal MISP references

UUID 92744f7b-9f1a-472c-bae0-2d4a7ce68bb4 which can be used as unique global reference for PipeMon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0501
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pisloader

Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group. [Palo Alto DNS Requests]

Internal MISP references

UUID 14e65c5d-5164-41a3-92de-67fdd1d529d2 which can be used as unique global reference for Pisloader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0124
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

PITSTOP

PITSTOP is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during Cutting Edge to enable command execution and file read/write.[Mandiant Cutting Edge Part 3 February 2024]

Internal MISP references

UUID c0e56f14-9768-5547-abcb-aa3f220d0e40 which can be used as unique global reference for PITSTOP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1123
source MITRE
type ['malware']

Pktmon

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Capture Network Packets on the windows 10 with October 2018 Update or later.

Author: Derek Johnson

Paths: * c:\windows\system32\pktmon.exe * c:\windows\syswow64\pktmon.exe

Resources: * https://binar-x79.com/windows-10-secret-sniffer/

Detection: * Sigma: proc_creation_win_lolbin_pktmon.yml * IOC: .etl files found on system[Pktmon.exe - LOLBAS Project]

Internal MISP references

UUID 0b0ae21a-987c-44c5-93db-3b228544eb99 which can be used as unique global reference for Pktmon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5139
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

PLAINTEE

PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia. [Rancor Unit42 June 2018]

Internal MISP references

UUID 9445f18a-a796-447a-a35f-94a9fb72411c which can be used as unique global reference for PLAINTEE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0254
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Play Ransomware

Play is a ransomware operation first observed in July 2022. Security researchers have observed filename, filepath, and TTP overlaps between Play and Hive and Nokayawa ransomwares, which themselves are believed to be linked.[Trend Micro Play Playbook September 06 2022] According to publicly available ransomware extortion threat data, Play has claimed nearly 200 victims from a wide range of sectors on its data leak site since December 2022.[GitHub ransomwatch]

Internal MISP references

UUID aeafc9f4-e3b4-42ec-a156-4a05f1aa5ea3 which can be used as unique global reference for Play Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5300
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

PLEAD

PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.[TrendMicro BlackTech June 2017][JPCert PLEAD Downloader June 2018] PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. PLEAD was observed in use as early as March 2017.[JPCert TSCookie March 2018][JPCert PLEAD Downloader June 2018]

Internal MISP references

UUID 9a890a85-afbe-4c35-a3e7-1adad481bdf7 which can be used as unique global reference for PLEAD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0435
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Plink is a tool used to automate Secure Shell (SSH) actions on Windows.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 6117e2b5-140b-49d2-89b7-76d91e6c798c which can be used as unique global reference for Plink in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5041
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'a1427c89-2ebd-440f-b7e0-9728e3ef2096', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

PlugX

PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.[Lastline PlugX Analysis][FireEye Clandestine Fox Part 2][New DragonOK][Dell TG-3390]

Internal MISP references

UUID 070b56f4-7810-4dad-b85f-bdfce9c08c10 which can be used as unique global reference for PlugX in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0013
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

pngdowner

pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and- execute" utility. [CrowdStrike Putter Panda]

Internal MISP references

UUID 95c273d2-3081-4cb5-8d41-37eb4e90264d which can be used as unique global reference for pngdowner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0067
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pnputil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used for installing drivers

Author: Hai vaknin (lux)

Paths: * C:\Windows\system32\pnputil.exe

Resources: None Provided

Detection: * Sigma: proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml[Pnputil.exe - LOLBAS Project]

Internal MISP references

UUID dd1e8b57-4900-4823-b194-1526c1e00099 which can be used as unique global reference for Pnputil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5140
source Tidal Cyber
tags ['6d924d43-5de3-45de-8466-a8c47a5b9e68', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

PoetRAT

PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. PoetRAT derived its name from references in the code to poet William Shakespeare. [Talos PoetRAT April 2020][Talos PoetRAT October 2020][Dragos Threat Report 2020]

Internal MISP references

UUID 79b4f277-3b18-4aa7-9f96-44b35b23166b which can be used as unique global reference for PoetRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0428
source MITRE
type ['malware']

PoisonIvy

PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.[FireEye Poison Ivy][Symantec Elderwood Sept 2012][Symantec Darkmoon Aug 2005]

Internal MISP references

UUID 1d87a695-7989-49ae-ac1a-b6601db565c3 which can be used as unique global reference for PoisonIvy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0012
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

PolyglotDuke

PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.[ESET Dukes October 2019]

Internal MISP references

UUID 3b7179fa-7b8b-4068-b224-d8d9c642964d which can be used as unique global reference for PolyglotDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0518
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Pony

Pony is a credential stealing malware, though has also been used among adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 were leaked online, leading to their use by various threat actors.[Malwarebytes Pony April 2016]

Internal MISP references

UUID 555b612e-3f0d-421d-b2a7-63eb2d1ece5f which can be used as unique global reference for Pony in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0453
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

POORAIM

POORAIM is a backdoor used by APT37 in campaigns since at least 2014. [FireEye APT37 Feb 2018]

Internal MISP references

UUID 1353d695-5bae-4593-988f-9bd07a6fd1bb which can be used as unique global reference for POORAIM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0216
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

PoshC2

PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[GitHub PoshC2]

Internal MISP references

UUID a3a03835-79bf-4558-8e80-7983aeb842fb which can be used as unique global reference for PoshC2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0378
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['tool']
Related clusters

To see the related clusters, click here.

POSHSPY

POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. [FireEye POSHSPY April 2017]

Internal MISP references

UUID b92f28c4-cbc8-4721-ac79-2d8bdf5247e5 which can be used as unique global reference for POSHSPY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0150
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

PowerDuke

PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. [Volexity PowerDuke November 2016]

Internal MISP references

UUID d9e4f4a1-dd41-424e-986a-b9a39ebea805 which can be used as unique global reference for PowerDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0139
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

PowerLess

PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 2022.[Cybereason PowerLess February 2022]

Internal MISP references

UUID 8b9159c1-db48-472b-9897-34325da5dca7 which can be used as unique global reference for PowerLess in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1012
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Power Loader

Power Loader is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. [MalwareTech Power Loader Aug 2013] [WeLiveSecurity Gapz and Redyms Mar 2013]

Internal MISP references

UUID 018ee1d9-35af-49dc-a667-11b77cd76f46 which can be used as unique global reference for Power Loader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0177
source MITRE
type ['malware']

Powerpnt

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Office binary.

Author: Reegun J (OCBC Bank)

Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Powerpnt.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Powerpnt.exe * C:\Program Files (x86)\Microsoft Office\Office16\Powerpnt.exe * C:\Program Files\Microsoft Office\Office16\Powerpnt.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Powerpnt.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Powerpnt.exe * C:\Program Files (x86)\Microsoft Office\Office15\Powerpnt.exe * C:\Program Files\Microsoft Office\Office15\Powerpnt.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Powerpnt.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Powerpnt.exe * C:\Program Files (x86)\Microsoft Office\Office14\Powerpnt.exe * C:\Program Files\Microsoft Office\Office14\Powerpnt.exe * C:\Program Files (x86)\Microsoft Office\Office12\Powerpnt.exe * C:\Program Files\Microsoft Office\Office12\Powerpnt.exe * C:\Program Files\Microsoft Office\Office12\Powerpnt.exe

Resources: * https://twitter.com/reegun21/status/1150032506504151040 * https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191

Detection: * Sigma: proc_creation_win_lolbin_office.yml * IOC: Suspicious Office application Internet/network traffic[Powerpnt.exe - LOLBAS Project]

Internal MISP references

UUID 155053be-8a2c-4d5e-8206-36d992c5651d which can be used as unique global reference for Powerpnt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5231
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

PowerPunch

PowerPunch is a lightweight downloader that has been used by Gamaredon Group since at least 2021.[Microsoft Actinium February 2022]

Internal MISP references

UUID e7cdaf70-5e28-442a-b34d-894484788dc5 which can be used as unique global reference for PowerPunch in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0685
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

PowerShower

PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download and execute second stage payloads.[Unit 42 Inception November 2018][Kaspersky Cloud Atlas August 2019]

Internal MISP references

UUID 2ca245de-77a9-4857-ba93-fd0d6988df9d which can be used as unique global reference for PowerShower in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0441
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

POWERSOURCE

POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. [FireEye FIN7 March 2017] [Cisco DNSMessenger March 2017]

Internal MISP references

UUID a4700431-6578-489f-9782-52e394277296 which can be used as unique global reference for POWERSOURCE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0145
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

PowerSploit

PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [GitHub PowerSploit May 2012] [PowerShellMagazine PowerSploit July 2014] [PowerSploit Documentation]

Internal MISP references

UUID 82fad10d-c921-4a87-a533-49def83d002b which can be used as unique global reference for PowerSploit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0194
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

PowerStallion

PowerStallion is a lightweight PowerShell backdoor used by Turla, possibly as a recovery access tool to install other backdoors.[ESET Turla PowerShell May 2019]

Internal MISP references

UUID 837bcf97-37a7-4001-a466-306574fd7890 which can be used as unique global reference for PowerStallion in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0393
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

POWERSTATS

POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. [Unit 42 MuddyWater Nov 2017]

Internal MISP references

UUID 39fc59c6-f1aa-4c93-8e43-1f41563e9d9e which can be used as unique global reference for POWERSTATS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0223
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

POWERTON

POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by APT33. At least two variants of the backdoor have been identified, with the later version containing improved functionality.[FireEye APT33 Guardrail]

Internal MISP references

UUID b3c28750-3825-4e4d-ab92-f39a6b0827dd which can be used as unique global reference for POWERTON in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0371
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

PowerTool

PowerTool is a tool used to remove rootkits, as well as to detect, analyze, and fix kernel structure modifications.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID b8a101e4-e0d2-4002-94c6-18ea30da7aa7 which can be used as unique global reference for PowerTool in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5039
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

POWERTRASH

A PowerShell-based, in-memory loader that executes embedded payloads.[Mandiant FIN7 April 4 2022] According to Mandiant, POWERTRASH is a "uniquely obfuscated" version of PowerSploit's Invoke-Shellcode.ps1 shellcode invoker module known to be used by FIN7.[GitHub - PowerSploit Invoke-Shellcode]

Internal MISP references

UUID 3192d79f-2a24-4461-b4c8-4b40ef7c163f which can be used as unique global reference for POWERTRASH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5294
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

PowGoop

PowGoop is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by MuddyWater as their main loader.[DHS CISA AA22-055A MuddyWater February 2022][CYBERCOM Iranian Intel Cyber January 2022]

Internal MISP references

UUID 7ed984bb-d098-4d0a-90fd-b03e68842479 which can be used as unique global reference for PowGoop in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1046
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

POWRUNER

POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server. [FireEye APT34 Dec 2017]

Internal MISP references

UUID 67cdb7a6-5142-43fa-8b8d-d9bdd2a4dae4 which can be used as unique global reference for POWRUNER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0184
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Presentationhost

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: File is used for executing Browser applications

Author: Oddvar Moe

Paths: * C:\Windows\System32\Presentationhost.exe * C:\Windows\SysWOW64\Presentationhost.exe

Resources: * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/

Detection: * Sigma: proc_creation_win_lolbin_presentationhost_download.yml * Sigma: proc_creation_win_lolbin_presentationhost.yml * IOC: Execution of .xbap files may not be common on production workstations[Presentationhost.exe - LOLBAS Project]

Internal MISP references

UUID 8127f51d-dce0-405a-a785-83883ba19c23 which can be used as unique global reference for Presentationhost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5141
source Tidal Cyber
tags ['0661bf1f-76ec-490c-937a-efa3f02bc59b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Prestige

Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.[Microsoft Prestige ransomware October 2022]

Internal MISP references

UUID 4fb5b109-5a5c-5441-a0f9-f639ead5405e which can be used as unique global reference for Prestige in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1058
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Prikormka

Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. [ESET Operation Groundbait]

Internal MISP references

UUID 1da989a8-41cc-4e89-a435-a88acb72ae0d which can be used as unique global reference for Prikormka in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0113
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Print

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to send files to the printer

Author: Oddvar Moe

Paths: * C:\Windows\System32\print.exe * C:\Windows\SysWOW64\print.exe

Resources: * https://twitter.com/Oddvarmoe/status/985518877076541440 * https://www.youtube.com/watch?v=nPBcSP8M7KE&lc=z22fg1cbdkabdf3x404t1aokgwd2zxasf2j3rbozrswnrk0h00410

Detection: * Sigma: proc_creation_win_print_remote_file_copy.yml * IOC: Print.exe retrieving files from internet * IOC: Print.exe creating executable files on disk[Print.exe - LOLBAS Project]

Internal MISP references

UUID 8ad4945d-6c54-4472-a476-906a9860fb82 which can be used as unique global reference for Print in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5142
source Tidal Cyber
tags ['01aca077-8cfb-4d1d-9b83-3678cd26f050', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

PrintBrm

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Printer Migration Command-Line Tool

Author: Elliot Killick

Paths: * C:\Windows\System32\spool\tools\PrintBrm.exe

Resources: * https://twitter.com/elliotkillick/status/1404117015447670800

Detection: * Sigma: proc_creation_win_lolbin_printbrm.yml * IOC: PrintBrm.exe should not be run on a normal workstation[PrintBrm.exe - LOLBAS Project]

Internal MISP references

UUID 93ec2323-f93b-4d21-9930-f367948187f0 which can be used as unique global reference for PrintBrm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5143
source Tidal Cyber
tags ['37a70ca8-a027-458c-9a48-7e0d307462be', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ProcDump

ProcDump is a tool used to monitor applications for CPU spikes and generate crash dumps.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 0d6e00a3-6237-458a-85e5-1128bd7f4f50 which can be used as unique global reference for ProcDump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5036
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'c3eaf8a7-06e5-4e3a-9615-36316d9e10a8', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Process Hacker

Process Hacker is a tool used to remove rootkits.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID d390ea7d-0995-4069-924d-65d6c7c98e3c which can be used as unique global reference for Process Hacker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5040
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

ProLock

ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with QakBot. ProLock is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.[Group IB Ransomware September 2020]

Internal MISP references

UUID c8af096e-c71e-4751-b203-70c285b7a7bd which can be used as unique global reference for ProLock in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0654
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

ProtocolHandler

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Office binary

Author: Nir Chako

Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\ProtocolHandler.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\ProtocolHandler.exe * C:\Program Files (x86)\Microsoft Office\Office16\ProtocolHandler.exe * C:\Program Files\Microsoft Office\Office16\ProtocolHandler.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\ProtocolHandler.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\ProtocolHandler.exe * C:\Program Files (x86)\Microsoft Office\Office15\ProtocolHandler.exe * C:\Program Files\Microsoft Office\Office15\ProtocolHandler.exe

Resources: None Provided

Detection: * Sigma: proc_creation_win_lolbin_protocolhandler_download.yml * IOC: Suspicious Office application Internet/network traffic[ProtocolHandler.exe - LOLBAS Project]

Internal MISP references

UUID 2ecf8041-8069-41a0-b6e8-5b328ae69e31 which can be used as unique global reference for ProtocolHandler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5232
source Tidal Cyber
tags ['77131d00-b8b2-42ef-afbd-1fbfc12729df', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Proton

Proton is a macOS backdoor focusing on data theft and credential access [objsee mac malware 2017].

Internal MISP references

UUID d3bcdbc4-5998-4e50-bd45-cba6a3278427 which can be used as unique global reference for Proton in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0279
source MITRE
type ['malware']

Provlaunch

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Launcher process

Author: Grzegorz Tworek

Paths: * c:\windows\system32\provlaunch.exe

Resources: * https://twitter.com/0gtweet/status/1674399582162153472

Detection: * Sigma: proc_creation_win_provlaunch_potential_abuse.yml * Sigma: proc_creation_win_provlaunch_susp_child_process.yml * Sigma: proc_creation_win_registry_provlaunch_provisioning_command.yml * Sigma: registry_set_provisioning_command_abuse.yml * IOC: c:\windows\system32\provlaunch.exe executions * IOC: Creation/existence of HKLM\SOFTWARE\Microsoft\Provisioning\Commands subkeys[Provlaunch.exe - LOLBAS Project]

Internal MISP references

UUID 83e1ac24-3928-40ba-b701-d72549a9430c which can be used as unique global reference for Provlaunch in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5144
source Tidal Cyber
tags ['9e5ec91c-0d0f-4e40-846d-d7b7eb941e17', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Proxysvc

Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of Proxysvc is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. [McAfee GhostSecret]

Internal MISP references

UUID 94f43629-243e-49dc-8c2b-cdf4fc15cf83 which can be used as unique global reference for Proxysvc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0238
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

PS1

PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.[BlackBerry CostaRicto November 2020]

Internal MISP references

UUID 8cd401ac-a233-4395-a8ae-d75db9d5b845 which can be used as unique global reference for PS1 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0613
source MITRE
type ['malware']

PsExec

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[Russinovich Sysinternals][SANS PsExec]

Internal MISP references

UUID 73eb32af-4bd3-4e21-8048-355edc55a9c6 which can be used as unique global reference for PsExec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0029
source MITRE
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e1af18e3-3224-4e4c-9d0f-533768474508', '5cd85fec-0e37-4892-9cd2-bb8c70139072', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '950e8d3a-044b-43e3-b5db-bba61f70ff51', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Psr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Problem Steps Recorder, used to record screen and clicks.

Author: Leon Rodenko

Paths: * c:\windows\system32\psr.exe * c:\windows\syswow64\psr.exe

Resources: * https://social.technet.microsoft.com/wiki/contents/articles/51722.windows-problem-steps-recorder-psr-quick-and-easy-documenting-of-your-steps-and-procedures.aspx

Detection: * Sigma: proc_creation_win_psr_capture_screenshots.yml * IOC: psr.exe spawned * IOC: suspicious activity when running with "/gui 0" flag[Psr.exe - LOLBAS Project]

Internal MISP references

UUID 1945584b-bb16-48a2-902d-2a1c9591efcd which can be used as unique global reference for Psr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5145
source Tidal Cyber
tags ['08f4ef8d-94bb-42f7-b76d-71bcc809bcc9', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Psylo

Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM. [Scarlet Mimic Jan 2016]

Internal MISP references

UUID 8c35d349-2f70-4edb-8668-e1cc2b67e4a0 which can be used as unique global reference for Psylo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0078
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pteranodon

Pteranodon is a custom backdoor used by Gamaredon Group. [Palo Alto Gamaredon Feb 2017]

Internal MISP references

UUID 7fed4276-807e-4656-95f5-90878b6e2dbb which can be used as unique global reference for Pteranodon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0147
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Pubprn

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Proxy execution with Pubprn.vbs

Author: Oddvar Moe

Paths: * C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs * C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs

Resources: * https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/ * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology * https://github.com/enigma0x3/windows-operating-system-archaeology

Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * Sigma: proc_creation_win_lolbin_pubprn.yml[Pubprn.vbs - LOLBAS Project]

Internal MISP references

UUID 58883c83-d5be-42fc-b4bd-9287e55cd499 which can be used as unique global reference for Pubprn in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5260
source Tidal Cyber
tags ['8177e8ac-f80d-477d-b0af-c2ea243ddf00', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

PULSECHECK

PULSECHECK is a web shell written in Perl that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.[Mandiant Pulse Secure Zero-Day April 2021]

Internal MISP references

UUID d777204c-f93c-54d9-b80e-41641a3d55ce which can be used as unique global reference for PULSECHECK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network', 'Linux']
software_attack_id S1108
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Pulseway

According to joint Cybersecurity Advisory AA23-320A (November 2023), Pulseway is a publicly available, legitimate tool that "enables remote monitoring and management of systems". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[U.S. CISA Scattered Spider November 16 2023]

Internal MISP references

UUID 74eb97b8-fc2c-41f0-b497-aad08a52777e which can be used as unique global reference for Pulseway in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5068
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

PUNCHBUGGY

PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry. [Morphisec ShellTea June 2019][FireEye Fin8 May 2016] [FireEye Know Your Enemy FIN8 Aug 2016]

Internal MISP references

UUID d8999d60-3818-4d75-8756-8a55531254d8 which can be used as unique global reference for PUNCHBUGGY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0196
source MITRE
tags ['6c6c0125-9631-4c2c-90ab-cfef374d5198']
type ['malware']
Related clusters

To see the related clusters, click here.

PUNCHTRACK

PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card data. [FireEye Fin8 May 2016] [FireEye Know Your Enemy FIN8 Aug 2016]

Internal MISP references

UUID 1638d99b-fbcf-40ec-ac48-802ce5be520a which can be used as unique global reference for PUNCHTRACK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0197
source MITRE
tags ['6c6c0125-9631-4c2c-90ab-cfef374d5198']
type ['malware']
Related clusters

To see the related clusters, click here.

Pupy

Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. [GitHub Pupy] It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). [GitHub Pupy] Pupy is publicly available on GitHub. [GitHub Pupy]

Internal MISP references

UUID 0a8bedc2-b404-4a9a-b4f5-ff90ff8294be which can be used as unique global reference for Pupy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Android', 'Windows']
software_attack_id S0192
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

PureCrypter

PureCrypter is a malware used for downloading/dropping purposes.

Internal MISP references

UUID a381cec1-9e87-415e-9025-a6e31fc8a48d which can be used as unique global reference for PureCrypter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5291
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

PuTTy

PuTTy is an open-source SSH and telnet client.[PuTTY Download Page]

Internal MISP references

UUID 313c78e9-488d-4fbc-a6e5-05c0df3cb8a4 which can be used as unique global reference for PuTTy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5065
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee']
type ['tool']
Related clusters

To see the related clusters, click here.

pwdump

pwdump is a credential dumper. [Wikipedia pwdump]

Internal MISP references

UUID 77f629db-d971-49d8-8b73-c7c779b7de3e which can be used as unique global reference for pwdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0006
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']
Related clusters

To see the related clusters, click here.

PyDCrypt

PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff since at least September 2021, with each sample tailored for its intended victim organization.[Checkpoint MosesStaff Nov 2021]

Internal MISP references

UUID 51b2c56e-7d64-4e15-b1bd-45a980c9c44d which can be used as unique global reference for PyDCrypt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1032
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Pysa

Pysa is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.[CERT-FR PYSA April 2020]

Internal MISP references

UUID e0d5ecce-eca0-4f01-afcc-0c8e92323016 which can be used as unique global reference for Pysa in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0583
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

QakBot

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[Trend Micro Qakbot December 2020][Red Canary Qbot][Kaspersky QakBot September 2021][ATT QakBot April 2021]

Internal MISP references

UUID 9050b418-5ffd-481a-a30d-f9059b0871ea which can be used as unique global reference for QakBot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0650
source MITRE
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', '15787198-6c8b-4f79-bf50-258d55072fee', 'e096f0dd-fa2c-4771-8270-128c97c09f5b', 'e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

Qilin Ransomware

Qilin (also known as Agenda) is a ransomware discovered in 2022. Attacks by threat actors deploying Qilin increased considerably in Q1 2024, impacting organizations in a wide range of sectors and locations across the globe.[Trend Micro March 26 2024]

The ransomware's capabilities have evolved over time, and multiple Qilin/Agenda variants and versions have been observed. The techniques featured in this object mainly derive from a variant observed in February 2024 written in the Rust programming language. A variant focused on encrypting Linux-based virtual machine servers can be found in the separate "Qilin Ransomware (Linux)" Software object.

Internal MISP references

UUID 3b78dda9-d273-4ffc-9a9f-75e80178c7b2 which can be used as unique global reference for Qilin Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'Windows']
software_attack_id S5326
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'a2e000da-8181-4327-bacd-32013dbd3654', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

Qilin Ransomware (Linux)

Qilin is a Linux-based ransomware. The malware is technically capable of running on Linux, FreeBSD, and VMware ESXi servers, but researchers have most often observed Qilin being used to encrypt virtual machines. Qilin users can use various flags to customize its capabilities. Qilin operators maintain a website where they threaten to leak data exfiltrated during their attacks, in an attempt to pressure victims into paying a ransom.[BleepingComputer 12 3 2023]

Internal MISP references

UUID 01a33c16-7eb3-4494-8c05-b163f871b951 which can be used as unique global reference for Qilin Ransomware (Linux) in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux']
software_attack_id S5310
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'a2e000da-8181-4327-bacd-32013dbd3654', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

QUADAGENT

QUADAGENT is a PowerShell backdoor used by OilRig. [Unit 42 QUADAGENT July 2018]

Internal MISP references

UUID 2bf68242-1dbd-405b-ac35-330eda887081 which can be used as unique global reference for QUADAGENT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0269
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

QuasarRAT

QuasarRAT is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. QuasarRAT is developed in the C# language.[GitHub QuasarRAT][Volexity Patchwork June 2018]

Internal MISP references

UUID 4bab7c2b-5ec4-467e-8df4-f2e6996e136b which can be used as unique global reference for QuasarRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0262
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['tool']
Related clusters

To see the related clusters, click here.

Quick Assist

Quick Assist is a built-in Windows utility that can be used to grant external users remote access to a particular system. Financially motivated adversaries abused Quick Assist during an April 2024 campaign that in some cases led to Black Basta ransomware deployment.[Microsoft Security Blog 5 15 2024]

Internal MISP references

UUID 9c4f3f26-c391-4b2c-9dd4-e4bb9bbc5ea3 which can be used as unique global reference for Quick Assist in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5319
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['tool']
Related clusters

To see the related clusters, click here.

QUIETCANARY

QUIETCANARY is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.[Mandiant Suspected Turla Campaign February 2023]

Internal MISP references

UUID 52d3515c-5184-5257-bf24-56adccb4cccd which can be used as unique global reference for QUIETCANARY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1076
source MITRE
type ['malware']

QUIETEXIT

QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by APT29 since at least 2021. APT29 has deployed QUIETEXIT on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.[Mandiant APT29 Eye Spy Email Nov 22]

Internal MISP references

UUID 947ab087-7550-577f-9ae9-5e82e9910610 which can be used as unique global reference for QUIETEXIT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1084
source MITRE
tags ['33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a']
type ['malware']
Related clusters

To see the related clusters, click here.

QuietSieve

QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.[Microsoft Actinium February 2022]

Internal MISP references

UUID dcdb74c5-4445-49bd-9f9c-236a7ecc7904 which can be used as unique global reference for QuietSieve in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0686
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Quser

According to joint Cybersecurity Advisory AA23-250A (September 2023), Quser is "a valid program on Windows machines that displays information about user sessions on a Remote Desktop Session Host server".[U.S. CISA Zoho Exploits September 7 2023]

Internal MISP references

UUID 7b78eb31-f251-493b-8058-14a3452e8ccc which can be used as unique global reference for Quser in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5053
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

Raccoon Stealer 2.0

Raccoon Stealer is one of the most heavily used information & credential stealers (""infostealers"") in recent years. The ""2.0"" version of Raccoon Stealer was observed in mid-2022, featuring new capabilities designed to improve its stealth.[Sekoia.io Raccoon Stealer June 28 2022] Raccoon Stealer is licensed as a service, and like many other modern infostealer families, the relatively low cost of a Raccoon Stealer subscription (around $75 for weeklong access) contributes to the malware's popularity. Victim credentials acquired via Raccoon Stealer are often resold on illicit, automated marketplaces on the dark web.

More details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).

Internal MISP references

UUID 7046193b-96c2-462b-9ba1-ea39a938e8e9 which can be used as unique global reference for Raccoon Stealer 2.0 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5070
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Radmin

Radmin is a free remote desktop software application. It has been abused by cyber threat actors such as Akira ransomware operators to facilitate remote access into victim networks.[Sophos Akira May 9 2023]

Internal MISP references

UUID 33c0f985-3e1e-4901-bfee-d3c81bba0d71 which can be used as unique global reference for Radmin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5281
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

Ragnar Locker

Ragnar Locker is a ransomware that has been in use since at least December 2019.[Sophos Ragnar May 2020][Cynet Ragnar Apr 2020]

Internal MISP references

UUID d25f7acd-a995-4b8b-8ffe-ccc9703cdf5f which can be used as unique global reference for Ragnar Locker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0481
source MITRE
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', 'cb5803f0-8ab4-4ada-8540-7758dfc126e2', '5e7433ad-a894-4489-93bc-41e90da90019', 'a2e000da-8181-4327-bacd-32013dbd3654', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Raindrop

Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was discovered in January 2021 and was likely used since at least May 2020.[Symantec RAINDROP January 2021][Microsoft Deep Dive Solorigate January 2021]

Internal MISP references

UUID 80295aeb-59e3-4c5d-ac39-9879158f8d23 which can be used as unique global reference for Raindrop in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0565
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

RainyDay

RainyDay is a backdoor tool that has been used by Naikon since at least 2020.[Bitdefender Naikon April 2021]

Internal MISP references

UUID 42b775bd-0c1d-4ad3-8f7f-cbb0ba84e19e which can be used as unique global reference for RainyDay in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0629
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Ramsay

Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between Ramsay and the Darkhotel-associated Retro malware.[Eset Ramsay May 2020][Antiy CERT Ramsay April 2020]

Internal MISP references

UUID dc307b3c-9bc5-4624-b0bc-4807fa1fc57b which can be used as unique global reference for Ramsay in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0458
source MITRE
type ['malware']

RansomHub (Payload)

This object represents the techniques associated with the payload binary used in attacks associated with the RansomHub ransomware-as-a-service ("RaaS") operation. The RansomHub gang is suspected of leaking victim data exfiltrated in attacks by other groups, but researchers have also observed an apparent original ransomware payload linked to the group.[BroadcomSW June 5 2024][The Record RansomHub June 3 2024] This payload displays a high degree of code similarity with Knight ransomware, whose source code was offered for sale in cybercriminal forums in February 2024.[BroadcomSW June 5 2024]

Internal MISP references

UUID a3044fb5-3aae-4590-b589-cc88bf0d1f34 which can be used as unique global reference for RansomHub (Payload) in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5325
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '89c5b94b-ecf4-4d53-9b74-3465086d4565', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

RAPIDPULSE

RAPIDPULSE is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by APT5 since at least 2021.[Mandiant Pulse Secure Update May 2021]

Internal MISP references

UUID 129abb68-7992-554e-92fa-fa376279c0b6 which can be used as unique global reference for RAPIDPULSE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network', 'Linux']
software_attack_id S1113
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

RARSTONE

RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. [Aquino RARSTONE]

Internal MISP references

UUID a9c9fda8-c156-44f2-bc7e-1b696f3fbaa2 which can be used as unique global reference for RARSTONE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0055
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Rasautou

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Remote Access Dialer

Author: Tony Lambert

Paths: * C:\Windows\System32\rasautou.exe

Resources: * https://github.com/fireeye/DueDLLigence * https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html

Detection: * Sigma: win_rasautou_dll_execution.yml * IOC: rasautou.exe command line containing -d and -p[Rasautou.exe - LOLBAS Project]

Internal MISP references

UUID 8d34715e-1018-40fc-bf09-4eca69be830e which can be used as unique global reference for Rasautou in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5146
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Raspberry Robin

A highly active worm that spreads through removable media devices and abuses built-in Windows utilities after initial infection of the host. Raspberry Robin has evolved into a major malware delivery threat, with links to infections involving Cobalt Strike, SocGholish, Truebot, and ultimately ransomware.[Microsoft Security Raspberry Robin October 2022]

Delivers: Cobalt Strike[Microsoft Security Raspberry Robin October 2022], SocGholish[Microsoft Security Raspberry Robin October 2022], Truebot[Microsoft Security Raspberry Robin October 2022][U.S. CISA Increased Truebot Activity July 6 2023]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/raspberryrobin/

PulseDive (IOCs): https://pulsedive.com/threat/Raspberry%20Robin

Internal MISP references

UUID dc0dbd15-0916-43c7-a3b9-6dc3ce0771be which can be used as unique global reference for Raspberry Robin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5002
source Tidal Cyber
tags ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

RATANKBA

RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. [Lazarus RATANKBA] [RATANKBA]

Internal MISP references

UUID 40466d7d-a107-46aa-a6fc-180e0eef2c6b which can be used as unique global reference for RATANKBA in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0241
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

RawDisk

RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.[EldoS RawDisk ITpro][Novetta Blockbuster Destructive Malware]

Internal MISP references

UUID d86a562d-d235-4481-9a3f-273fa3ebe89a which can be used as unique global reference for RawDisk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0364
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

RawPOS

RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. [Kroll RawPOS Jan 2017] [TrendMicro RawPOS April 2015] [Visa RawPOS March 2015] FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. [Mandiant FIN5 GrrCON Oct 2016] [DarkReading FireEye FIN5 Oct 2015]

Internal MISP references

UUID 6ea1bf95-fed8-4b94-8071-aa19a3af5e34 which can be used as unique global reference for RawPOS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0169
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Rclone

Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.[Rclone][Rclone Wars][Detecting Rclone][DarkSide Ransomware Gang][DFIR Conti Bazar Nov 2021]

Internal MISP references

UUID 1f3f15fa-1b4b-494d-abc8-c7f8a227b7b4 which can be used as unique global reference for Rclone in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S1040
source MITRE
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'a40b7316-bef6-4186-9764-58ce6f033850', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '8bf128ad-288b-41bc-904f-093f4fdde745', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

RCSession

RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and by Threat Group-3390 (Type II Backdoor).[Secureworks BRONZE PRESIDENT December 2019][Trend Micro Iron Tiger April 2021][Trend Micro DRBControl February 2020]

Internal MISP references

UUID 38c4d208-fe38-4965-871c-709fa1479ba3 which can be used as unique global reference for RCSession in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0662
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

rcsi

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Non-Interactive command line inerface included with Visual Studio.

Author: Oddvar Moe

Paths: * no default

Resources: * https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/

Detection: * Sigma: proc_creation_win_csi_execution.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: proc_creation_win_csi_execution.yml[rcsi.exe - LOLBAS Project]

Internal MISP references

UUID 9a5cff11-6bad-407a-a53c-2562a56ac024 which can be used as unique global reference for rcsi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5233
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

RDAT

RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.[Unit42 RDAT July 2020]

Internal MISP references

UUID 567da30e-fd4d-4ec5-a308-bf08788f3bfb which can be used as unique global reference for RDAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0495
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

RDFSNIFFER

RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.[FireEye FIN7 Oct 2019]

Internal MISP references

UUID ca4e973c-da15-46a9-8f3a-0b1560c9a783 which can be used as unique global reference for RDFSNIFFER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0416
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

RDP Recognizer

RDP Recognizer is a tool that can be used to brute force RDP passwords and check for RDP vulnerabilities. U.S. authorities observed BianLian Ransomware Group actors downloading the tool during intrusions.[U.S. CISA BianLian Ransomware May 2023]

Internal MISP references

UUID 22d9f7be-7447-4cce-90f0-67a13d4b6a82 which can be used as unique global reference for RDP Recognizer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5012
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

rdrleakdiag

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Windows resource leak diagnostic tool

Author: John Dwyer

Paths: * c:\windows\system32\rdrleakdiag.exe * c:\Windows\SysWOW64\rdrleakdiag.exe

Resources: * https://twitter.com/0gtweet/status/1299071304805560321?s=21 * https://www.pureid.io/dumping-abusing-windows-credentials-part-1/ * https://github.com/LOLBAS-Project/LOLBAS/issues/84

Detection: * Sigma: proc_creation_win_rdrleakdiag_process_dumping.yml * Elastic: https://www.elastic.co/guide/en/security/current/potential-credential-access-via-windows-utilities.html * Elastic: credential_access_cmdline_dump_tool.toml[rdrleakdiag.exe - LOLBAS Project]

Internal MISP references

UUID 3b37c81a-9574-4ac3-a996-d4cfe1e3ddb1 which can be used as unique global reference for rdrleakdiag in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5147
source Tidal Cyber
tags ['9fbc403c-bd2e-458a-a202-a65b8201e973', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Reaver

Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel items.[Palo Alto Reaver Nov 2017]

Internal MISP references

UUID ca544771-d43e-4747-80e5-cf0f4a4836f3 which can be used as unique global reference for Reaver in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0172
source MITRE
type ['malware']

RedLeaves

RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus. [PWC Cloud Hopper Technical Annex April 2017] [FireEye APT10 April 2017]

Internal MISP references

UUID 5264c3ab-14e1-4ae1-854e-889ebde029b4 which can be used as unique global reference for RedLeaves in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0153
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Reg

Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. [Microsoft Reg]

Utilities such as Reg are known to be used by persistent threats. [Windows Commands JPCERT]

Internal MISP references

UUID d796615c-fa3d-4afd-817a-1a3db8c73532 which can be used as unique global reference for Reg in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0075
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ec4a7c87-051b-4b7d-8acc-03696fe2113e', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '8bf128ad-288b-41bc-904f-093f4fdde745', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Regasm

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Part of .NET

Author: Oddvar Moe

Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe

Resources: * https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md

Detection: * Sigma: proc_creation_win_lolbin_regasm.yml * Elastic: execution_register_server_program_connecting_to_the_internet.toml * Splunk: suspicious_regsvcs_regasm_activity.md * Splunk: detect_regasm_with_network_connection.yml * IOC: regasm.exe executing dll file[LOLBAS Regasm]

Internal MISP references

UUID 1e892f4b-5398-44ac-aeb4-2e50f70c5716 which can be used as unique global reference for Regasm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5148
source Tidal Cyber
tags ['7d31d8f7-375b-4fb3-a631-51b42e58d95a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

RegDuke

RegDuke is a first stage implant written in .NET and used by APT29 since at least 2017. RegDuke has been used to control a compromised machine when control of other implants on the machine was lost.[ESET Dukes October 2019]

Internal MISP references

UUID 52dc08d8-82cc-46dc-91ae-383193d72963 which can be used as unique global reference for RegDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0511
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Regedit

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to manipulate registry

Author: Oddvar Moe

Paths: * C:\Windows\regedit.exe

Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection: * Sigma: proc_creation_win_regedit_import_keys_ads.yml * IOC: regedit.exe reading and writing to alternate data stream * IOC: regedit.exe should normally not be executed by end-users[Regedit.exe - LOLBAS Project]

Internal MISP references

UUID 16cc6ff2-8804-4863-aede-40c4376e0af3 which can be used as unique global reference for Regedit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5149
source Tidal Cyber
tags ['36affa3d-c949-4e1b-8667-299490580dd5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Regin

Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. [Kaspersky Regin]

Internal MISP references

UUID e88bf527-bb9c-45c3-b86b-04a07dcd91fd which can be used as unique global reference for Regin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0019
source MITRE
type ['malware']

Regini

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to manipulate the registry

Author: Oddvar Moe

Paths: * C:\Windows\System32\regini.exe * C:\Windows\SysWOW64\regini.exe

Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection: * Sigma: proc_creation_win_regini_ads.yml * Sigma: proc_creation_win_regini_execution.yml * IOC: regini.exe reading from ADS[Regini.exe - LOLBAS Project]

Internal MISP references

UUID 92457f9e-c2e6-4d61-b927-0d8ff0f6d617 which can be used as unique global reference for Regini in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5150
source Tidal Cyber
tags ['288c6e19-cf6c-451a-aff3-547f371ff4ad', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Register-cimprovider

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to register new wmi providers

Author: Oddvar Moe

Paths: * C:\Windows\System32\Register-cimprovider.exe * C:\Windows\SysWOW64\Register-cimprovider.exe

Resources: * https://twitter.com/PhilipTsukerman/status/992021361106268161

Detection: * Sigma: proc_creation_win_susp_register_cimprovider.yml * IOC: Register-cimprovider.exe execution and cmdline DLL load may be supsicious[Register-cimprovider.exe - LOLBAS Project]

Internal MISP references

UUID c80bac89-6b63-4860-9f66-260976a184e8 which can be used as unique global reference for Register-cimprovider in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5151
source Tidal Cyber
tags ['d379a1fb-1028-4986-ae6c-eb8cc068aa68', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Regsvcs

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies

Author: Oddvar Moe

Paths: * c:\Windows\Microsoft.NET\Framework\v\regsvcs.exe * c:\Windows\Microsoft.NET\Framework64\v\regsvcs.exe

Resources: * https://pentestlab.blog/2017/05/19/applocker-bypass-regasm-and-regsvcs/ * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md

Detection: * Sigma: proc_creation_win_lolbin_regasm.yml * Elastic: execution_register_server_program_connecting_to_the_internet.toml * Splunk: detect_regsvcs_with_network_connection.yml[LOLBAS Regsvcs]

Internal MISP references

UUID 271dd92b-76ee-4a00-ba41-343c32fc084e which can be used as unique global reference for Regsvcs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5152
source Tidal Cyber
tags ['141e4dce-00be-4bd7-9f81-6202939f0359', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Regsvr32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to register dlls

Author: Oddvar Moe

Paths: * C:\Windows\System32\regsvr32.exe * C:\Windows\SysWOW64\regsvr32.exe

Resources: * https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md

Detection: * Sigma: proc_creation_win_regsvr32_susp_parent.yml * Sigma: proc_creation_win_regsvr32_susp_child_process.yml * Sigma: proc_creation_win_regsvr32_susp_exec_path_1.yml * Sigma: proc_creation_win_regsvr32_network_pattern.yml * Sigma: net_connection_win_regsvr32_network_activity.yml * Sigma: dns_query_win_regsvr32_network_activity.yml * Sigma: proc_creation_win_regsvr32_flags_anomaly.yml * Sigma: file_event_win_net_cli_artefact.yml * Splunk: detect_regsvr32_application_control_bypass.yml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Elastic: execution_register_server_program_connecting_to_the_internet.toml * IOC: regsvr32.exe retrieving files from Internet * IOC: regsvr32.exe executing scriptlet (sct) files * IOC: DotNet CLR libraries loaded into regsvr32.exe * IOC: DotNet CLR Usage Log - regsvr32.exe.log[LOLBAS Regsvr32]

Internal MISP references

UUID 533d2c42-45a7-456e-af75-b61e2aff98a7 which can be used as unique global reference for Regsvr32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5153
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '32be7240-e5ea-4e8a-8e95-7c1bd7869754', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Remcos

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[Riskiq Remcos Jan 2018][Talos Remcos Aug 2018]

Internal MISP references

UUID 2eb92fa8-514e-4018-adc4-c9fe4f082567 which can be used as unique global reference for Remcos in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0332
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['tool']
Related clusters

To see the related clusters, click here.

Remexi

Remexi is a Windows-based Trojan that was developed in the C programming language.[Securelist Remexi Jan 2019]

Internal MISP references

UUID 82d0bb4d-4711-49e3-9fe5-c522bbe5e8bb which can be used as unique global reference for Remexi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0375
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Remote

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Debugging tool included with Windows Debugging Tools

Author: mr.d0x

Paths: * C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\remote.exe * C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\remote.exe

Resources: * https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/

Detection: * IOC: remote.exe process spawns * Sigma: proc_creation_win_lolbin_remote.yml[Remote.exe - LOLBAS Project]

Internal MISP references

UUID 3a1436e9-ce2c-449e-a670-c1b212ebd754 which can be used as unique global reference for Remote in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5234
source Tidal Cyber
tags ['828f1559-b13d-4426-9dcf-5f601fcb6ff0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

RemoteCMD

RemoteCMD is a custom tool used by APT3 to execute commands on a remote system similar to SysInternal's PSEXEC functionality. [Symantec Buckeye]

Internal MISP references

UUID 57fa64ea-975a-470a-a194-3428148ae9ee which can be used as unique global reference for RemoteCMD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0166
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

RemoteUtilities

RemoteUtilities is a legitimate remote administration tool that has been used by MuddyWater since at least 2021 for execution on target machines.[Trend Micro Muddy Water March 2021]

Internal MISP references

UUID 8a7fa0df-c688-46be-94bf-462fae33b788 which can be used as unique global reference for RemoteUtilities in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0592
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Remsec

Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. [Symantec Strider Blog]

Internal MISP references

UUID e3729cff-f25e-4c01-a7a1-e8b83e903b30 which can be used as unique global reference for Remsec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0125
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Replace

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to replace file with another file

Author: Oddvar Moe

Paths: * C:\Windows\System32\replace.exe * C:\Windows\SysWOW64\replace.exe

Resources: * https://twitter.com/elceef/status/986334113941655553 * https://twitter.com/elceef/status/986842299861782529

Detection: * IOC: Replace.exe retrieving files from remote server * Sigma: proc_creation_win_lolbin_replace.yml[Replace.exe - LOLBAS Project]

Internal MISP references

UUID 19a04c82-f816-464c-b050-a57269cba157 which can be used as unique global reference for Replace in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5154
source Tidal Cyber
tags ['accb4d24-4b40-41ce-ae2e-adcca7e80b41', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Responder

Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. [GitHub Responder]

Internal MISP references

UUID 2a5ea3a7-9873-4a2e-b4b5-4e27a80db305 which can be used as unique global reference for Responder in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0174
source MITRE
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['tool']
Related clusters

To see the related clusters, click here.

Revenge RAT

Revenge RAT is a freely available remote access tool written in .NET (C#).[Cylance Shaheen Nov 2018][Cofense RevengeRAT Feb 2019]

Internal MISP references

UUID f99712b4-37a2-437c-92d7-fb4f94a1f892 which can be used as unique global reference for Revenge RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0379
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which as been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[Secureworks REvil September 2019][Intel 471 REvil March 2020][Group IB Ransomware May 2020]

Internal MISP references

UUID 9314531e-bf46-4cba-9c19-198279ccf9cd which can be used as unique global reference for REvil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0496
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '286918d5-0b48-4655-9118-907b53de0ee0', '93c53801-5427-4678-a753-7fc761e9eda1', '1138181b-b2cf-4b6b-82da-10867aa4089d', '00ec2407-cc63-4b62-b967-c3e06bdddd2f', '1cc90752-70a3-4a17-b370-e1473a212f79', '0e948c57-6c10-4576-ad27-9832cc2af3a1', '0ed7d10c-c65b-4174-9edb-446bf301d250', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871', 'ab64f2d8-8da3-48de-ac66-0fd91d634b22', 'c8ce7130-e134-492c-a98a-ed1d25b57e4c', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

RGDoor

RGDoor is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. RGDoor has been seen deployed on webservers belonging to the Middle East government organizations. RGDoor provides backdoor access to compromised IIS servers. [Unit 42 RGDoor Jan 2018]

Internal MISP references

UUID d5649d69-52d4-4198-9683-b250348dea32 which can be used as unique global reference for RGDoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0258
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Rhysida Ransomware

Rhysida is a ransomware-as-a-service (RaaS) operation that has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[HC3 Analyst Note Rhysida Ransomware August 2023]

Internal MISP references

UUID f7c1e1cd-cc64-4417-92c3-76afed55d38c which can be used as unique global reference for Rhysida Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5302
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

Rifdoor

Rifdoor is a remote access trojan (RAT) that shares numerous code similarities with HotCroissant.[Carbon Black HotCroissant April 2020]

Internal MISP references

UUID ca5ae7c8-467a-4434-82fc-db50ce3fc671 which can be used as unique global reference for Rifdoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0433
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

RIPTIDE

RIPTIDE is a proxy-aware backdoor used by APT12. [Moran 2014]

Internal MISP references

UUID 00fa4cc2-6f99-4b18-b927-689964ef57e1 which can be used as unique global reference for RIPTIDE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0003
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Rising Sun

Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group's Trojan Duuzer.[McAfee Sharpshooter December 2018]

Internal MISP references

UUID 19b1f1c8-5ef3-4328-b605-38e0bafc084d which can be used as unique global reference for Rising Sun in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0448
source MITRE
type ['malware']

ROADTools

ROADTools is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.[ROADtools Github]

Internal MISP references

UUID 15bc8e94-64d1-4f1f-bc99-08cfbac417dc which can be used as unique global reference for ROADTools in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0684
source MITRE
tags ['c9c73000-30a5-4a16-8c8b-79169f9c24aa']
type ['tool']
Related clusters

To see the related clusters, click here.

RobbinHood

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[CarbonBlack RobbinHood May 2019][BaltimoreSun RobbinHood May 2019]

Internal MISP references

UUID b65956ef-439a-463d-b85e-6606467f508a which can be used as unique global reference for RobbinHood in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0400
source MITRE
tags ['ce9f1048-09c1-49b0-a109-dd604afbf3cd', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

ROCKBOOT

ROCKBOOT is a Bootkit that has been used by an unidentified, suspected China-based group. [FireEye Bootkits]

Internal MISP references

UUID cb7aa34e-312f-4210-be7b-47a1e3f5b7b5 which can be used as unique global reference for ROCKBOOT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0112
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

RogueRobin

RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. [Unit 42 DarkHydrus July 2018][Unit42 DarkHydrus Jan 2019]

Internal MISP references

UUID 852cf78d-9cdc-4971-a972-405921027436 which can be used as unique global reference for RogueRobin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0270
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

ROKRAT

ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.[Talos ROKRAT][Talos Group123][Volexity InkySquid RokRAT August 2021]

Internal MISP references

UUID a3479628-af0b-4088-8d2a-fafa384731dd which can be used as unique global reference for ROKRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0240
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

RomCom

RomCom is a custom backdoor believed to be developed and distributed by the Void Rabisu threat actor. It has been used in attacks that Trend Micro researchers assess to be geopolitically motivated.[Trend Micro Void Rabisu May 30 2023]

Internal MISP references

UUID 4af6326b-eba7-4446-83aa-8b98771d390f which can be used as unique global reference for RomCom in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5295
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

RotaJakiro

RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture to extend capabilities. RotaJakiro can determine it's permission level and execute according to access type (root or user).[RotaJakiro 2021 netlab360 analysis][netlab360 rotajakiro vs oceanlotus]

Internal MISP references

UUID 169bfcf6-544c-5824-a7cd-2d5070304b57 which can be used as unique global reference for RotaJakiro in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S1078
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

route

route can be used to find or change information within the local system IP routing table. [TechNet Route]

Internal MISP references

UUID 3b755518-9085-474e-8bc4-4f9344d9c8af which can be used as unique global reference for route in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0103
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Rover

Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. [Palo Alto Rover]

Internal MISP references

UUID ef38ff3e-fa36-46f2-a720-3abaca167b04 which can be used as unique global reference for Rover in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0090
source MITRE
type ['malware']

Royal

Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. Royal employs partial encryption and multiple threads to evade detection and speed encryption. Royal has been used in attacks against multiple industries worldwide--including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in Royal and Conti attacks and noted a possible connection between their operators.[Microsoft Royal ransomware November 2022][Cybereason Royal December 2022][Kroll Royal Deep Dive February 2023][Trend Micro Royal Linux ESXi February 2023][CISA Royal AA23-061A March 2023]

Internal MISP references

UUID 221e24cb-910f-5988-9473-578ef350870c which can be used as unique global reference for Royal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1073
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Rpcping

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to verify rpc connection

Author: Oddvar Moe

Paths: * C:\Windows\System32\rpcping.exe * C:\Windows\SysWOW64\rpcping.exe

Resources: * https://github.com/vysec/RedTips * https://twitter.com/vysecurity/status/974806438316072960 * https://twitter.com/vysecurity/status/873181705024266241 * https://twitter.com/splinter_code/status/1421144623678988298

Detection: * Sigma: proc_creation_win_rpcping_credential_capture.yml[Rpcping.exe - LOLBAS Project]

Internal MISP references

UUID 3e42b791-fb59-4a8e-a27e-1cc544f353ee which can be used as unique global reference for Rpcping in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5155
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Rsockstun

Rsockstun is an open-source software project. According to its GitHub repository, Rsockstun is a reverse socks5 tunneler with SSL, ntlm, and proxy support.[GitHub rsockstun]

Internal MISP references

UUID c3b9281b-5f18-4119-903e-c27f1a4004b4 which can be used as unique global reference for Rsockstun in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5076
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

RTM

RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versions of the malware have been reported publicly as Redaman.[ESET RTM Feb 2017][Unit42 Redaman January 2019]

Internal MISP references

UUID 1836485e-a3a6-4fae-a15d-d0990788811a which can be used as unique global reference for RTM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0148
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Rubeus

Rubeus is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.[GitHub Rubeus March 2023][FireEye KEGTAP SINGLEMALT October 2020][DFIR Ryuk's Return October 2020][DFIR Ryuk 2 Hour Speed Run November 2020]

Internal MISP references

UUID 2e54f40c-ab62-535e-bbab-3f3a835ff55a which can be used as unique global reference for Rubeus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1071
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']
Related clusters

To see the related clusters, click here.

Ruler

Ruler is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of Ruler have also released a defensive tool, NotRuler, to detect its usage.[SensePost Ruler GitHub][SensePost NotRuler]

Internal MISP references

UUID 69563cbd-7dc1-4396-b576-d5886df11046 which can be used as unique global reference for Ruler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Office 365', 'Windows']
software_attack_id S0358
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Rundll32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to execute dll files

Author: Oddvar Moe

Paths: * C:\Windows\System32\rundll32.exe * C:\Windows\SysWOW64\rundll32.exe

Resources: * https://pentestlab.blog/2017/05/23/applocker-bypass-rundll32/ * https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_7 * https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/ * https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/ * https://github.com/sailay1996/expl-bin/blob/master/obfus.md * https://github.com/sailay1996/misc-bin/blob/master/rundll32.md * https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90 * https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code

Detection: * Sigma: net_connection_win_rundll32_net_connections.yml * Sigma: proc_creation_win_rundll32_susp_activity.yml * Elastic: defense_evasion_unusual_network_connection_via_rundll32.toml * IOC: Outbount Internet/network connections made from rundll32 * IOC: Suspicious use of cmdline flags such as -sta[Rundll32.exe - LOLBAS Project]

Internal MISP references

UUID cd5a27c8-9611-41d9-b839-b0ba7daf58b5 which can be used as unique global reference for Rundll32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5156
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'd28b269e-588d-49ed-b5c9-8e82077924c0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Runexehelper

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Launcher process

Author: Grzegorz Tworek

Paths: * c:\windows\system32\runexehelper.exe

Resources: * https://twitter.com/0gtweet/status/1206692239839289344

Detection: * Sigma: proc_creation_win_lolbin_runexehelper.yml * IOC: c:\windows\system32\runexehelper.exe is run * IOC: Existence of runexewithargs_output.txt file[Runexehelper.exe - LOLBAS Project]

Internal MISP references

UUID db516b7d-e5bd-4da8-a708-2fe5d2a2fdfd which can be used as unique global reference for Runexehelper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5157
source Tidal Cyber
tags ['270a347d-d2e1-4d46-9b32-37e8d7264301', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

RunningRAT

RunningRAT is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with Gold Dragon and Brave Prince. [McAfee Gold Dragon]

Internal MISP references

UUID e8afda1f-fa83-4fc3-b6fb-7d5daca7173f which can be used as unique global reference for RunningRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0253
source MITRE
type ['malware']

Runonce

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Executes a Run Once Task that has been configured in the registry

Author: Oddvar Moe

Paths: * C:\Windows\System32\runonce.exe * C:\Windows\SysWOW64\runonce.exe

Resources: * https://twitter.com/pabraeken/status/990717080805789697 * https://cmatskas.com/configure-a-runonce-task-on-windows/

Detection: * Sigma: registry_event_runonce_persistence.yml * Sigma: proc_creation_win_runonce_execution.yml * Elastic: persistence_run_key_and_startup_broad.toml * IOC: Registy key add - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY[Runonce.exe - LOLBAS Project]

Internal MISP references

UUID ccad36ac-b526-44ec-840a-6f498c51781c which can be used as unique global reference for Runonce in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5158
source Tidal Cyber
tags ['065db33d-c152-4ba9-8bf9-13616f78ae05', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Runscripthelper

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Execute target PowerShell script

Author: Oddvar Moe

Paths: * C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.15_none_c2df1bba78111118\Runscripthelper.exe * C:\Windows\WinSxS\amd64_microsoft-windows-u..ed-telemetry-client_31bf3856ad364e35_10.0.16299.192_none_ad4699b571e00c4a\Runscripthelper.exe

Resources: * https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc

Detection: * Sigma: proc_creation_win_lolbin_runscripthelper.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Event 4014 - Powershell logging * IOC: Event 400[Runscripthelper.exe - LOLBAS Project]

Internal MISP references

UUID 035bae51-c1cc-46f0-8532-a5d01c4d4a52 which can be used as unique global reference for Runscripthelper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5159
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Ryuk

Ryuk is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware.[CrowdStrike Ryuk January 2019][FireEye Ryuk and Trickbot January 2019][FireEye FIN6 Apr 2019]

Internal MISP references

UUID 8ae86854-4cdc-49eb-895a-d1fa742f7974 which can be used as unique global reference for Ryuk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0446
source MITRE
tags ['89c5b94b-ecf4-4d53-9b74-3465086d4565', '3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '12a2e20a-7c27-46bb-954d-b372833a9925', 'c2380542-36f2-4922-9ed2-80ced06645c9', 'c8ce7130-e134-492c-a98a-ed1d25b57e4c', '2743d495-7728-4a75-9e5f-b64854039792', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Saint Bot

Saint Bot is a .NET downloader that has been used by Ember Bear since at least March 2021.[Malwarebytes Saint Bot April 2021][Palo Alto Unit 42 OutSteel SaintBot February 2022 ]

Internal MISP references

UUID d66e5d18-e9f5-4091-bdf4-acdac129e2e0 which can be used as unique global reference for Saint Bot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1018
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Sakula

Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. [Dell Sakula]

Internal MISP references

UUID a316c704-144a-4d14-8e4e-685bb6ae391c which can be used as unique global reference for Sakula in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0074
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

SamSam

SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.[US-CERT SamSam 2018][Talos SamSam Jan 2018][Sophos SamSam Apr 2018][Symantec SamSam Oct 2018]

Internal MISP references

UUID 88831e9f-453e-466f-9510-9acaa1f20368 which can be used as unique global reference for SamSam in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0370
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Samurai

Samurai is a passive backdoor that has been used by ToddyCat since at least 2020. Samurai allows arbitrary C# code execution and is used with multiple modules for remote administration and lateral movement.[Kaspersky ToddyCat June 2022]

Internal MISP references

UUID bd75c822-7be6-5e6f-bd2e-0512be6d38d9 which can be used as unique global reference for Samurai in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1099
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Sardonic

Sardonic is a backdoor written in C and C++ that is known to be used by FIN8, as early as August 2021 to target a financial institution in the United States. Sardonic has a plugin system that can load specially made DLLs and execute their functions.[Bitdefender Sardonic Aug 2021][Symantec FIN8 Jul 2023]

Internal MISP references

UUID 9ab0d523-3496-5e64-9ca1-bb756f5e64e0 which can be used as unique global reference for Sardonic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1085
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Sc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to manage services

Author: Oddvar Moe

Paths: * C:\Windows\System32\sc.exe * C:\Windows\SysWOW64\sc.exe

Resources: * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

Detection: * Sigma: proc_creation_win_susp_service_creation.yml * Sigma: proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml * Sigma: proc_creation_win_sc_service_path_modification.yml * Splunk: sc_exe_manipulating_windows_services.yml * Elastic: lateral_movement_cmd_service.toml * IOC: Unexpected service creation * IOC: Unexpected service modification[Sc.exe - LOLBAS Project]

Internal MISP references

UUID 41be663f-ecc9-4ab6-afeb-c52737f84858 which can be used as unique global reference for Sc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5160
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

schtasks

schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. [TechNet Schtasks]

Internal MISP references

UUID 2aacbf3a-a359-41d2-9a71-76447f0545b5 which can be used as unique global reference for schtasks in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0111
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'f0c54030-956a-4bac-9f98-deb2349183ac', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Scriptrunner

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Execute binary through proxy binary to evade defensive counter measures

Author: Oddvar Moe

Paths: * C:\Windows\System32\scriptrunner.exe * C:\Windows\SysWOW64\scriptrunner.exe

Resources: * https://twitter.com/KyleHanslovan/status/914800377580503040 * https://twitter.com/NickTyrer/status/914234924655312896 * https://github.com/MoooKitty/Code-Execution

Detection: * Sigma: proc_creation_win_servu_susp_child_process.yml * IOC: Scriptrunner.exe should not be in use unless App-v is deployed[Scriptrunner.exe - LOLBAS Project]

Internal MISP references

UUID ba4d8522-9656-462e-b25e-32a9bba85a60 which can be used as unique global reference for Scriptrunner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5161
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Scrobj

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Script Component Runtime

Author: Eral4m

Paths: * c:\windows\system32\scrobj.dll * c:\windows\syswow64\scrobj.dll

Resources: * https://twitter.com/eral4m/status/1479106975967240209

Detection: * IOC: Execution of rundll32.exe with 'GenerateTypeLib' and a protocol handler ('://') on the command line[Scrobj.dll - LOLBAS Project]

Internal MISP references

UUID 101f7867-9c5c-482e-b26e-9fdb8ff9b2c7 which can be used as unique global reference for Scrobj in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5194
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SDBbot

SDBbot is a backdoor with installer and loader components that has been used by TA505 since at least 2019.[Proofpoint TA505 October 2019][IBM TA505 April 2020]

Internal MISP references

UUID 046bbd0c-bff5-46fc-9028-cbe46a9f8ec5 which can be used as unique global reference for SDBbot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0461
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

SDelete

SDelete is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. [Microsoft SDelete July 2016]

Internal MISP references

UUID 3d4be65d-231b-44bb-8d12-5038a3d48bae which can be used as unique global reference for SDelete in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0195
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['tool']
Related clusters

To see the related clusters, click here.

SeaDuke

SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar. [F-Secure The Dukes]

Internal MISP references

UUID ae30d58e-21c5-41a4-9ebb-081dc1f26863 which can be used as unique global reference for SeaDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0053
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

Seasalt

Seasalt is malware that has been linked to APT1's 2010 operations. It shares some code similarities with OceanSalt.[Mandiant APT1 Appendix][McAfee Oceansalt Oct 2018]

Internal MISP references

UUID 3527b09b-f3f6-4716-9f90-64ea7d3b9d8a which can be used as unique global reference for Seasalt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0345
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SEASHARPEE

SEASHARPEE is a Web shell that has been used by OilRig. [FireEye APT34 Webinar Dec 2017]

Internal MISP references

UUID 42c8504c-8a18-46d2-a145-35b0cd8ba669 which can be used as unique global reference for SEASHARPEE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0185
source MITRE
tags ['311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

Seatbelt

Seatbelt is a tool used to perform numerous security-oriented checks.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 74beac1c-8468-4f1e-8990-11a4eb7b0110 which can be used as unique global reference for Seatbelt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5042
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

secretsdump

According to joint Cybersecurity Advisory AA23-319A (November 2023), secretsdump is a Python script "used to extract credentials and other confidential information from a system".[U.S. CISA Rhysida Ransomware November 15 2023] Secretsdump is publicly available and included as a module of Impacket, a tool for working with network protocols.[GitHub secretsdump]

Internal MISP references

UUID a1fef846-cb22-4885-aa14-cb67ab38fce4 which can be used as unique global reference for secretsdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5072
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '61b7b81d-3f98-4bed-97a9-d6c536b8969b', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['tool']
Related clusters

To see the related clusters, click here.

ServHelper

ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.[Proofpoint TA505 Jan 2019]

Internal MISP references

UUID 704ed49d-103c-4b33-b85c-73670cc1d719 which can be used as unique global reference for ServHelper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0382
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Seth-Locker

Seth-Locker is a ransomware with some remote control capabilities that has been in use since at least 2021. [Trend Micro Ransomware February 2021]

Internal MISP references

UUID fb47c051-d22b-4a05-94a7-cf979419b60a which can be used as unique global reference for Seth-Locker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0639
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Setres

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Configures display settings

Author: Grzegorz Tworek

Paths: * c:\windows\system32\setres.exe

Resources: * https://twitter.com/0gtweet/status/1583356502340870144

Detection: * Sigma: proc_creation_win_lolbin_setres.yml * IOC: Unusual location for choice.exe file * IOC: Process created from choice.com binary * IOC: Existence of choice.cmd file[Setres.exe - LOLBAS Project]

Internal MISP references

UUID ad872ead-f3be-49df-b2f3-2526246acdf5 which can be used as unique global reference for Setres in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5162
source Tidal Cyber
tags ['d75511ab-cbff-46d3-8268-427e3cff134a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SettingSyncHost

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Host Process for Setting Synchronization

Author: Elliot Killick

Paths: * C:\Windows\System32\SettingSyncHost.exe * C:\Windows\SysWOW64\SettingSyncHost.exe

Resources: * https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/

Detection: * Sigma: proc_creation_win_lolbin_settingsynchost.yml * IOC: SettingSyncHost.exe should not be run on a normal workstation[SettingSyncHost.exe - LOLBAS Project]

Internal MISP references

UUID e46a42d6-ca6e-4237-ab66-b0d102a580c7 which can be used as unique global reference for SettingSyncHost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5163
source Tidal Cyber
tags ['8929bc83-9ed6-4579-b837-40236b59b383', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Setupapi

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Setup Application Programming Interface

Author: LOLBAS Team

Paths: * c:\windows\system32\setupapi.dll * c:\windows\syswow64\setupapi.dll

Resources: * https://github.com/huntresslabs/evading-autoruns * https://twitter.com/pabraeken/status/994742106852941825 * https://windows10dll.nirsoft.net/setupapi_dll.html

Detection: * Sigma: proc_creation_win_rundll32_setupapi_installhinfsection.yml * Sigma: proc_creation_win_rundll32_susp_activity.yml * Splunk: detect_rundll32_application_control_bypass___setupapi.yml[Setupapi.dll - LOLBAS Project]

Internal MISP references

UUID e7d450ec-dd29-455f-8d26-f8a563e1e88d which can be used as unique global reference for Setupapi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5195
source Tidal Cyber
tags ['da405033-3571-4f98-9810-53d9df1ac0fb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ShadowPad

ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. [Recorded Future RedEcho Feb 2021][Securelist ShadowPad Aug 2017][Kaspersky ShadowPad Aug 2017]

Internal MISP references

UUID 5190f50d-7e54-410a-9961-79ab751ddbab which can be used as unique global reference for ShadowPad in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0596
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Shamoon

Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. Analysis has linked Shamoon with Kwampirs based on multiple shared artifacts and coding patterns.[Cylera Kwampirs 2022] The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.[Palo Alto Shamoon Nov 2016][Unit 42 Shamoon3 2018][Symantec Shamoon 2012][FireEye Shamoon Nov 2016]

Internal MISP references

UUID 840db1db-e262-4d6f-b6e3-2a64696a41c5 which can be used as unique global reference for Shamoon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0140
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']

Shark

Shark is a backdoor malware written in C# and .NET that is an updated version of Milan; it has been used by HEXANE since at least July 2021.[ClearSky Siamesekitten August 2021][Accenture Lyceum Targets November 2021]

Internal MISP references

UUID 278da5e8-4d4c-4c45-ad72-8f078872fb4a which can be used as unique global reference for Shark in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1019
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

SharpChromium

SharpChromium is an open-source software project. According to its GitHub repository, SharpChromium is a ".NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins."[GitHub SharpChromium]

Internal MISP references

UUID 311e8944-2157-4616-8b95-d75020e21c35 which can be used as unique global reference for SharpChromium in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5075
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

SharpDisco

SharpDisco is a dropper developed in C# that has been used by MoustachedBouncer since at least 2020 to load malicious plugins.[MoustachedBouncer ESET August 2023]

Internal MISP references

UUID 4ed1e83b-a208-5518-bed2-d07c1b289da2 which can be used as unique global reference for SharpDisco in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1089
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SharpHound

SharpHound is an open-source software utility incorporated into the BloodHound Active Directory (AD) reconnaissance tool.[GitHub SharpHound] Adversaries have used SharpHound for AD enumeration.[U.S. CISA Phobos February 29 2024]

Internal MISP references

UUID 0bcf0dae-315f-491f-bc65-b1772ffa31c1 which can be used as unique global reference for SharpHound in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5275
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'cd1b5d44-226e-4405-8985-800492cf2865', 'e1af18e3-3224-4e4c-9d0f-533768474508']
type ['tool']
Related clusters

To see the related clusters, click here.

SharpRoast

SharpRoast is an open-source tool used to carry out Kerberoasting attacks. According to its GitHub project page, the tool is a C# port of specific functionality included in the PowerView module of the PowerSploit offensive security framework.[GitHub SharpRoast]

Internal MISP references

UUID 54a5c881-c1ad-40d0-88c0-6c32b9ef95cb which can be used as unique global reference for SharpRoast in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5060
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['malware']
Related clusters

To see the related clusters, click here.

SharpShares

SharpShares is a tool that can be used to enumerate accessible network shares in a domain. BianLian Ransomware Group actors have used the tool for discovery purposes during attacks.[U.S. CISA BianLian Ransomware May 2023]

Internal MISP references

UUID a202b37f-5c61-410b-bb14-a3e6b2b82833 which can be used as unique global reference for SharpShares in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5004
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

SharpStage

SharpStage is a .NET malware with backdoor capabilities.[Cybereason Molerats Dec 2020][BleepingComputer Molerats Dec 2020]

Internal MISP references

UUID 564643fd-7113-490e-9f6a-f0cc3f0e1a4c which can be used as unique global reference for SharpStage in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0546
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SHARPSTATS

SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019.[TrendMicro POWERSTATS V3 June 2019]

Internal MISP references

UUID f655306f-f7b4-4eec-9bd6-ac75142fcb43 which can be used as unique global reference for SHARPSTATS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0450
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Shdocvw

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Shell Doc Object and Control Library.

Author: LOLBAS Team

Paths: * c:\windows\system32\shdocvw.dll * c:\windows\syswow64\shdocvw.dll

Resources: * http://www.hexacorn.com/blog/2018/03/15/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline-part-5/ * https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ * https://twitter.com/bohops/status/997690405092290561 * https://windows10dll.nirsoft.net/shdocvw_dll.html

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Shdocvw.dll - LOLBAS Project]

Internal MISP references

UUID 67323b8a-e805-4503-8a40-d47f229453a0 which can be used as unique global reference for Shdocvw in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5196
source Tidal Cyber
tags ['2c0f0b44-9b09-49a0-8dc5-d9fdcc515825', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Shell32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Shell Common Dll

Author: LOLBAS Team

Paths: * c:\windows\system32\shell32.dll * c:\windows\syswow64\shell32.dll

Resources: * https://twitter.com/Hexacorn/status/885258886428725250 * https://twitter.com/pabraeken/status/991768766898941953 * https://twitter.com/mattifestation/status/776574940128485376 * https://twitter.com/KyleHanslovan/status/905189665120149506 * https://windows10dll.nirsoft.net/shell32_dll.html

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml * Splunk: rundll32_control_rundll_hunt.yml[Shell32.dll - LOLBAS Project]

Internal MISP references

UUID edf31b62-e9db-43c8-b9ef-55afd6b0404c which can be used as unique global reference for Shell32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5197
source Tidal Cyber
tags ['e0b9882e-b9bb-4c16-b3d9-9268866eded0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Shimgvw

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Photo Gallery Viewer

Author: Eral4m

Paths: * c:\windows\system32\shimgvw.dll * c:\windows\syswow64\shimgvw.dll

Resources: * https://twitter.com/eral4m/status/1479080793003671557

Detection: * IOC: Execution of rundll32.exe with 'ImageView_Fullscreen' and a protocol handler ('://') on the command line[Shimgvw.dll - LOLBAS Project]

Internal MISP references

UUID 691b3a37-af46-47d2-a027-d93d901e0dac which can be used as unique global reference for Shimgvw in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5198
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ShimRat

ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. [FOX-IT May 2016 Mofang]

Internal MISP references

UUID a3287231-351f-472f-96cc-24db2e3829c7 which can be used as unique global reference for ShimRat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0444
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

ShimRatReporter

ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.[FOX-IT May 2016 Mofang]

Internal MISP references

UUID 77d9c948-93e3-4e12-9764-4da7570d9275 which can be used as unique global reference for ShimRatReporter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0445
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

SHIPSHAPE

SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [FireEye APT30]

Internal MISP references

UUID 3db0b464-ec5d-4cdd-86c2-62eac9c8acd6 which can be used as unique global reference for SHIPSHAPE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0028
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SHOTPUT

SHOTPUT is a custom backdoor used by APT3. [FireEye Clandestine Wolf]

Internal MISP references

UUID 49351818-579e-4298-9137-03b3dc699e22 which can be used as unique global reference for SHOTPUT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0063
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SHUTTERSPEED

SHUTTERSPEED is a backdoor used by APT37. [FireEye APT37 Feb 2018]

Internal MISP references

UUID 5b2d82a6-ed96-485d-bca9-2320590de890 which can be used as unique global reference for SHUTTERSPEED in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0217
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Sibot

Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.[MSTIC NOBELIUM Mar 2021]

Internal MISP references

UUID ea0a1282-f2bf-4ae0-a19c-d7e379c2309b which can be used as unique global reference for Sibot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0589
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

SideTwist

SideTwist is a C-based backdoor that has been used by OilRig since at least 2021.[Check Point APT34 April 2021]

Internal MISP references

UUID 61227a76-d315-4339-803a-e024f96e089e which can be used as unique global reference for SideTwist in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0610
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

SILENTTRINITY

SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[GitHub SILENTTRINITY March 2022][Security Affairs SILENTTRINITY July 2019]

Internal MISP references

UUID 4765999f-c35e-4a9f-8284-9f10a17e6c34 which can be used as unique global reference for SILENTTRINITY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0692
source MITRE
type ['tool']

Siloscape

Siloscape is malware that targets Kubernetes clusters through Windows containers. Siloscape was first observed in March 2021.[Unit 42 Siloscape Jun 2021]

Internal MISP references

UUID 8ea75674-cc08-40cf-824c-40eb5cd6097e which can be used as unique global reference for Siloscape in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Windows']
software_attack_id S0623
source MITRE
tags ['4fa6f8e1-b0d5-4169-8038-33e355c08bde']
type ['malware']

Skeleton Key

Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. [Dell Skeleton] Functionality similar to Skeleton Key is included as a module in Mimikatz.

Internal MISP references

UUID 206453a4-a298-4cab-9fdf-f136a4e0c761 which can be used as unique global reference for Skeleton Key in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0007
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Skidmap

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[Trend Micro Skidmap]

Internal MISP references

UUID cc91d3d4-bbf5-4a9c-b43a-2ba034db4858 which can be used as unique global reference for Skidmap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0468
source MITRE
type ['malware']

SLIGHTPULSE

SLIGHTPULSE is a web shell that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.[Mandiant Pulse Secure Zero-Day April 2021]

Internal MISP references

UUID c8fed4fc-5721-5db2-b107-b2a9b677244e which can be used as unique global reference for SLIGHTPULSE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network', 'Linux']
software_attack_id S1110
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Sliver

Sliver is an open source, cross-platform, red team command and control framework written in Golang.[Bishop Fox Sliver Framework August 2019]

Internal MISP references

UUID bbd16b7b-7e35-4a11-86ff-9b19e17bdab3 which can be used as unique global reference for Sliver in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0633
source MITRE
tags ['e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

SLOTHFULMEDIA

SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017.[CISA MAR SLOTHFULMEDIA October 2020][Costin Raiu IAmTheKing October 2020] It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.[USCYBERCOM SLOTHFULMEDIA October 2020][Kaspersky IAmTheKing October 2020]

In October 2020, Kaspersky Labs assessed SLOTHFULMEDIA is part of an activity cluster it refers to as "IAmTheKing".[Kaspersky IAmTheKing October 2020] ESET also noted code similarity between SLOTHFULMEDIA and droppers used by a group it refers to as "PowerPool".[ESET PowerPool Code October 2020]

Internal MISP references

UUID 563c6534-497e-4d65-828c-420d5bb2041a which can be used as unique global reference for SLOTHFULMEDIA in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0533
source MITRE
type ['malware']

SLOWDRIFT

SLOWDRIFT is a backdoor used by APT37 against academic and strategic victims in South Korea. [FireEye APT37 Feb 2018]

Internal MISP references

UUID 7c047a54-93cf-4dfc-ab20-d905791aebb2 which can be used as unique global reference for SLOWDRIFT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0218
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SLOWPULSE

SLOWPULSE is a malware that was used by APT5 as early as 2020 including against U.S. Defense Industrial Base (DIB) companies. SLOWPULSE has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single and two-factor authentication flows.[Mandiant Pulse Secure Zero-Day April 2021]

Internal MISP references

UUID 37e264a6-5ad3-5a79-bf2c-db725622206e which can be used as unique global reference for SLOWPULSE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1104
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Small Sieve

Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.[DHS CISA AA22-055A MuddyWater February 2022][NCSC GCHQ Small Sieve Jan 2022]

Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.[Mandiant UNC3313 Feb 2022]

Internal MISP references

UUID c58028b9-2e79-4bc9-9b04-d24ea4dd4948 which can be used as unique global reference for Small Sieve in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1035
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

SMOKEDHAM

SMOKEDHAM is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.[FireEye Shining A Light on DARKSIDE May 2021][FireEye SMOKEDHAM June 2021]

Internal MISP references

UUID 9ae4154d-ee48-4aeb-b76f-6e40dbe18ff3 which can be used as unique global reference for SMOKEDHAM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0649
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

Smoke Loader

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. [Malwarebytes SmokeLoader 2016] [Microsoft Dofoil 2018]

Internal MISP references

UUID 2244253f-a4ad-4ea9-a4bf-fa2f4d895853 which can be used as unique global reference for Smoke Loader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0226
source MITRE
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Snip3

Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.[Morphisec Snip3 May 2021][Telefonica Snip3 December 2021]

Internal MISP references

UUID f587dc27-92be-5894-a4a8-d6c8bbcf8ede which can be used as unique global reference for Snip3 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1086
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SNUGRIDE

SNUGRIDE is a backdoor that has been used by menuPass as first stage malware. [FireEye APT10 April 2017]

Internal MISP references

UUID d6c24f7c-fe79-4094-8f3c-68c4446ae4c7 which can be used as unique global reference for SNUGRIDE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0159
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SocGholish

SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by Mustard Tempest and its access has been sold to groups including Indrik Spider for downloading secondary RAT and ransomware payloads.[SentinelOne SocGholish Infrastructure November 2022][SocGholish-update][Red Canary SocGholish March 2024][Secureworks Gold Prelude Profile]

Internal MISP references

UUID ab84f259-9b9a-51d8-a68a-2bcd7512d760 which can be used as unique global reference for SocGholish in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1124
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Socksbot

Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies. [TrendMicro Patchwork Dec 2017]

Internal MISP references

UUID c1906bb6-0b5b-4916-8b29-37f7e272f6b3 which can be used as unique global reference for Socksbot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0273
source MITRE
type ['malware']

SodaMaster

SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020.[Securelist APT10 March 2021]

Internal MISP references

UUID 6ecd970c-427b-4421-a831-69f46047d22a which can be used as unique global reference for SodaMaster in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0627
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

SoftEther VPN

SoftEther VPN is an open-source software project that, according to its GitHub page, is "cross-platform multi-protocol VPN software".[GitHub SoftEtherVPN SoftEtherVPN_Stable] In August 2023, Microsoft researchers reported how Flax Typhoon, a nation-state-sponsored espionage group based in China, used SoftEther VPN as a key element of its command and control infrastructure during attacks on targets in Taiwan and elsewhere.[Microsoft Flax Typhoon August 24 2023]

Internal MISP references

UUID 46a9ee9c-6c4a-4db9-9385-46d2617d8050 which can be used as unique global reference for SoftEther VPN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S5305
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['tool']
Related clusters

To see the related clusters, click here.

SoftPerfect Network Scanner

SoftPerfect Network Scanner is a tool used to perform network scans for systems management purposes.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 4272447f-8803-4947-b66f-051eecdd3385 which can be used as unique global reference for SoftPerfect Network Scanner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5008
source Tidal Cyber
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

SombRAT

SombRAT is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including FIVEHANDS ransomware.[BlackBerry CostaRicto November 2020][FireEye FiveHands April 2021][CISA AR21-126A FIVEHANDS May 2021]

Internal MISP references

UUID 0ec24158-d5d7-4d2e-b5a5-bc862328a317 which can be used as unique global reference for SombRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0615
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

SoreFang

SoreFang is first stage downloader used by APT29 for exfiltration and to load other malware.[NCSC APT29 July 2020][CISA SoreFang July 2016]

Internal MISP references

UUID 3e959586-14ff-407b-a0d0-4e9580546f3f which can be used as unique global reference for SoreFang in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0516
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

SOUNDBITE

SOUNDBITE is a signature backdoor used by APT32. [FireEye APT32 May 2017]

Internal MISP references

UUID 069538a5-3cb8-4eb4-9fbb-83867bb4d826 which can be used as unique global reference for SOUNDBITE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0157
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SPACESHIP

SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [FireEye APT30]

Internal MISP references

UUID 0f8d0a73-9cd3-475a-b31b-d457278c921a which can be used as unique global reference for SPACESHIP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0035
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Spark

Spark is a Windows backdoor and has been in use since as early as 2017.[Unit42 Molerat Mar 2020]

Internal MISP references

UUID 93f8c180-6794-4e9c-b716-6b31f42eb72d which can be used as unique global reference for Spark in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0543
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

SpeakUp

SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. [CheckPoint SpeakUp Feb 2019]

Internal MISP references

UUID b9b67878-4eb1-4a0b-9b36-a798881ed566 which can be used as unique global reference for SpeakUp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux']
software_attack_id S0374
source MITRE
type ['malware']

SpectralBlur

SpectralBlur is a malware targeting macOS systems that has backdoor functionality. Researchers have linked the malware to "TA444/Bluenoroff" actors.[Objective_See 1 4 2024]

Internal MISP references

UUID 89e2bdbf-4839-4b35-bd19-316a953d7acf which can be used as unique global reference for SpectralBlur in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['macOS']
software_attack_id S5311
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

Sphynx

Sphynx is a variant of BlackCat ransomware (AKA ALPHV or Noberus) first observed in early 2023, which features multiple defense evasion-focused enhancements over the BlackCat strain. For example, Sphynx uses a more complex set of execution parameters, its configuration details are formatted as raw structures instead of JSON, and observed samples contain large amounts of “junk” code and encrypted strings.[X-Force BlackCat May 30 2023] Sphynx also features built-in versions of other tools to support specific functions, including the open-source Impacket tool for lateral movement and Remcom, a hacking tool that facilitates remote code execution.[Microsoft Threat Intelligence Tweet August 17 2023]

Internal MISP references

UUID cdbebd0a-3036-4a24-b1d5-a3f0ca9c758e which can be used as unique global reference for Sphynx in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5055
source Tidal Cyber
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

SpicyOmelette

SpicyOmelette is a JavaScript based remote access tool that has been used by Cobalt Group since at least 2018.[Secureworks GOLD KINGSWOOD September 2018]

Internal MISP references

UUID 2be9e22d-0af8-46f5-b30e-b3712ccf716d which can be used as unique global reference for SpicyOmelette in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0646
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Splashtop

Splashtop is a tool used to enable remote connections to network devices for support and administration.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID ecf8b878-19e5-425b-bc34-d5ed6e999fea which can be used as unique global reference for Splashtop in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5009
source Tidal Cyber
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '9bc47297-864d-4f39-be37-ad9379102853', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

SplitLoader

SplitLoader is an intermediate-stage malware used by the North Korean threat actor Moonstone Sleet mainly for payload execution purposes. It is also capable of performing system reconnaissance.[Microsoft Security Blog 5 28 2024]

Internal MISP references

UUID 9a20c7f3-4e17-4a79-994a-c577afef5c72 which can be used as unique global reference for SplitLoader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5322
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

spwebmember

spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET. [NCC Group APT15 Alive and Strong]

Internal MISP references

UUID 0fdabff3-d996-493c-af67-f3ac02e4b00b which can be used as unique global reference for spwebmember in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0227
source MITRE
tags ['cd1b5d44-226e-4405-8985-800492cf2865', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']
Related clusters

To see the related clusters, click here.

Sqldumper

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Debugging utility included with Microsoft SQL.

Author: Oddvar Moe

Paths: * C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe * C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis\AS OLEDB\140\SQLDumper.exe

Resources: * https://twitter.com/countuponsec/status/910969424215232518 * https://twitter.com/countuponsec/status/910977826853068800 * https://support.microsoft.com/en-us/help/917825/how-to-use-the-sqldumper-exe-utility-to-generate-a-dump-file-in-sql-se

Detection: * Sigma: proc_creation_win_lolbin_susp_sqldumper_activity.yml * Elastic: credential_access_lsass_memdump_file_created.toml * Elastic: credential_access_cmdline_dump_tool.toml[Sqldumper.exe - LOLBAS Project]

Internal MISP references

UUID 146bd853-166b-4859-b4d7-b70f51bfd8e9 which can be used as unique global reference for Sqldumper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5235
source Tidal Cyber
tags ['e992169d-832d-44e9-8218-0f4ab0ff72b4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

sqlmap

sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. [sqlmap Introduction]

Internal MISP references

UUID 96c224a6-6ca4-4ac1-9990-d863ec5a317a which can be used as unique global reference for sqlmap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0225
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Sqlps

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons.

Author: Oddvar Moe

Paths: * C:\Program files (x86)\Microsoft SQL Server\100\Tools\Binn\sqlps.exe * C:\Program files (x86)\Microsoft SQL Server\110\Tools\Binn\sqlps.exe * C:\Program files (x86)\Microsoft SQL Server\120\Tools\Binn\sqlps.exe * C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe * C:\Program Files (x86)\Microsoft SQL Server\150\Tools\Binn\SQLPS.exe

Resources: * https://twitter.com/ManuelBerrueta/status/1527289261350760455 * https://twitter.com/bryon_/status/975835709587075072 * https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017

Detection: * Sigma: proc_creation_win_mssql_sqlps_susp_execution.yml * Sigma: image_load_dll_system_management_automation_susp_load.yml * Elastic: execution_suspicious_powershell_imgload.toml * Splunk: 2021-10-05-suspicious_copy_on_system32.md[Sqlps.exe - LOLBAS Project]

Internal MISP references

UUID 5b3c03d3-9ea1-4322-a422-ab2401ffc294 which can be used as unique global reference for Sqlps in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5236
source Tidal Cyber
tags ['da7e88fd-2d71-4928-81ce-e3d455b3d418', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SQLRat

SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.[Flashpoint FIN 7 March 2019]

Internal MISP references

UUID 612f780a-239a-4bd0-a29f-63beadf3ed22 which can be used as unique global reference for SQLRat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0390
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

SQLToolsPS

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+.

Author: Oddvar Moe

Paths: * C:\Program files (x86)\Microsoft SQL Server\130\Tools\Binn\sqlps.exe

Resources: * https://twitter.com/pabraeken/status/993298228840992768 * https://docs.microsoft.com/en-us/sql/powershell/sql-server-powershell?view=sql-server-2017

Detection: * Sigma: proc_creation_win_mssql_sqltoolsps_susp_execution.yml * Splunk: 2021-10-05-suspicious_copy_on_system32.md[SQLToolsPS.exe - LOLBAS Project]

Internal MISP references

UUID 9271e5cf-f788-4d7d-9c7a-8d5e37cbb9a6 which can be used as unique global reference for SQLToolsPS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5237
source Tidal Cyber
tags ['f4867256-402a-4bcb-97d3-e071ee0993c1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Squirrel

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.

Author: Reegun J (OCBC Bank) - @reegun21

Paths: * %localappdata%\Microsoft\Teams\current\Squirrel.exe

Resources: * https://www.youtube.com/watch?v=rOP3hnkj7ls * https://twitter.com/reegun21/status/1144182772623269889 * http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ * https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12 * https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56

Detection: * Sigma: proc_creation_win_lolbin_squirrel.yml[Squirrel.exe - LOLBAS Project]

Internal MISP references

UUID 13d5d060-8462-4592-8efb-2243fd2138d1 which can be used as unique global reference for Squirrel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5238
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Squirrelwaffle

Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.[ZScaler Squirrelwaffle Sep 2021][Netskope Squirrelwaffle Oct 2021]

Internal MISP references

UUID 46943a69-0b19-4d3a-b2a3-1302e85239a3 which can be used as unique global reference for Squirrelwaffle in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1030
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

ssh

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.

Author: Akshat Pradhan

Paths: * c:\windows\system32\OpenSSH\ssh.exe

Resources: * https://gtfobins.github.io/gtfobins/ssh/

Detection: * Sigma: proc_creation_win_lolbin_ssh.yml * IOC: Event ID 4624 with process name C:\Windows\System32\OpenSSH\sshd.exe. * IOC: command line arguments specifying execution.[ssh.exe - LOLBAS Project]

Internal MISP references

UUID 7b607493-5035-4e29-9f95-55362f53b805 which can be used as unique global reference for ssh in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5164
source Tidal Cyber
tags ['6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '64a55f86-15db-4599-b165-81be7f024397', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SslMM

SslMM is a full-featured backdoor used by Naikon that has multiple variants. [Baumgartner Naikon 2015]

Internal MISP references

UUID 3334a124-3e74-4a90-8ed1-55eea3274b19 which can be used as unique global reference for SslMM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0058
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Starloader

Starloader is a loader component that has been observed loading Felismus and associated tools. [Symantec Sowbug Nov 2017]

Internal MISP references

UUID fc18e220-2200-4d70-a426-0700ba14c4c0 which can be used as unique global reference for Starloader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0188
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

STARWHALE

STARWHALE is Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at least November 2021; there is also a STARWHALE variant written in Golang with similar capabilities. Security researchers have also noted the use of STARWHALE by UNC3313, which may be associated with MuddyWater.[Mandiant UNC3313 Feb 2022][DHS CISA AA22-055A MuddyWater February 2022]

Internal MISP references

UUID 764c6121-2d15-4a10-ac53-b1c431dc8b47 which can be used as unique global reference for STARWHALE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1037
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

STEADYPULSE

STEADYPULSE is a web shell that infects targeted Pulse Secure VPN servers through modification of a legitimate Perl script that was used as early as 2020 including in activity against US Defense Industrial Base (DIB) entities.[Mandiant Pulse Secure Zero-Day April 2021]

Internal MISP references

UUID ea561f0b-b891-5735-aa99-97cc8818fbef which can be used as unique global reference for STEADYPULSE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1112
source MITRE
type ['malware']

Stealc

Stealc is a credential and information stealer first discovered by researchers in January 2023. Researchers assess the malware contains code similarities to prominent stealer families including Vidar, Raccoon, Mars, and RedLine.[Sekoia.io Stealc February 20 2023] Red Canary researchers indicated in July 2023 that they observed a "surge" of Stealc activity during the second half of the preceding month.[Red Canary Intelligence Insights July 20 2023]

Internal MISP references

UUID 7ae6b9f0-3a50-4ebc-ae2c-9569f00dbd81 which can be used as unique global reference for Stealc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5298
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '4d767e87-4cf6-438a-927a-43d2d0beaab7', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

STEALDEAL

STEALDEAL is a relatively simple information and credential stealer that is known to be downloaded by RomCom malware and used to collect and exfiltrate victim data, including locally stored web browser credentials, cookies, and history.[Trend Micro Void Rabisu May 30 2023]

Internal MISP references

UUID 39aaa970-8c33-4fd3-a7f0-4b769f301460 which can be used as unique global reference for STEALDEAL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5296
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '4d767e87-4cf6-438a-927a-43d2d0beaab7', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

StoneDrill

StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.[FireEye APT33 Sept 2017][Kaspersky StoneDrill 2017]

Internal MISP references

UUID 9eee52a2-5ac1-4561-826c-23ec7fbc7876 which can be used as unique global reference for StoneDrill in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0380
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']
Related clusters

To see the related clusters, click here.

Stordiag

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Storage diagnostic tool

Author: Eral4m

Paths: * c:\windows\system32\stordiag.exe * c:\windows\syswow64\stordiag.exe

Resources: * https://twitter.com/eral4m/status/1451112385041911809

Detection: * Sigma: proc_creation_win_stordiag_susp_child_process.yml * IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\[Stordiag.exe - LOLBAS Project]

Internal MISP references

UUID 7430c53f-41a0-4395-88c7-fc2c34ee52c7 which can be used as unique global reference for Stordiag in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5165
source Tidal Cyber
tags ['f0e3d6ea-d7ea-4d73-b868-1076fac744a8', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

StreamEx

StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. [Cylance Shell Crew Feb 2017]

Internal MISP references

UUID 502b490c-2067-40a4-8f73-7245d7910851 which can be used as unique global reference for StreamEx in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0142
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

StrifeWater

StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their attacks since at least November 2021.[Cybereason StrifeWater Feb 2022]

Internal MISP references

UUID dd8bb0a3-6cb1-412d-adeb-cbaae98462a9 which can be used as unique global reference for StrifeWater in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1034
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

StrongPity

StrongPity is an information stealing malware used by PROMETHIUM.[Bitdefender StrongPity June 2020][Talos Promethium June 2020]

Internal MISP references

UUID ed563524-235e-4e06-8c69-3f9d8ddbfd8a which can be used as unique global reference for StrongPity in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0491
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Stuxnet

Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011][CISA ICS Advisory ICSA-10-272-01][ESET Stuxnet Under the Microscope][Langer Stuxnet] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[Nicolas Falliere, Liam O Murchu, Eric Chien February 2011]

Internal MISP references

UUID 3fdf3833-fca9-4414-8d2e-779dabc4ee31 which can be used as unique global reference for Stuxnet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0603
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', 'a98d7a43-f227-478e-81de-e7299639a355']
type ['malware']

S-Type

S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.[Cylance Dust Storm]

Internal MISP references

UUID b19b6c38-d38b-46f2-a535-d0bfc5790368 which can be used as unique global reference for S-Type in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0085
source MITRE
type ['malware']

SUGARDUMP

SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.[Mandiant UNC3890 Aug 2022]

Internal MISP references

UUID 6ff7bf2e-286c-4b1b-92a0-1e5322870c59 which can be used as unique global reference for SUGARDUMP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1042
source MITRE
type ['malware']

SUGARUSH

SUGARUSH is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. SUGARUSH was first identified during analysis of UNC3890's C0010 campaign targeting Israeli companies, which began in late 2020.[Mandiant UNC3890 Aug 2022]

Internal MISP references

UUID 004c781a-3d7d-446b-9677-a042c8f6566e which can be used as unique global reference for SUGARUSH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1049
source MITRE
type ['malware']

SUNBURST

SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[SolarWinds Sunburst Sunspot Update January 2021][Microsoft Deep Dive Solorigate January 2021]

Internal MISP references

UUID 6b04e98e-c541-4958-a8a5-d433e575ce78 which can be used as unique global reference for SUNBURST in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0559
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

SUNSPOT

SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[CrowdStrike SUNSPOT Implant January 2021]

Internal MISP references

UUID 66966a12-3db3-4e43-a7e8-6c6836ccd8fe which can be used as unique global reference for SUNSPOT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0562
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

SUPERNOVA

SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of APT29's SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests SUPERNOVA may have been used by the China-based threat group SPIRAL.[Guidepoint SUPERNOVA Dec 2020][Unit42 SUPERNOVA Dec 2020][SolarWinds Advisory Dec 2020][CISA Supernova Jan 2021][Microsoft Analyzing Solorigate Dec 2020]

Internal MISP references

UUID f02abaee-237b-4891-bb5d-30ca86dfc2c8 which can be used as unique global reference for SUPERNOVA in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0578
source MITRE
type ['malware']

SVCReady

SVCReady is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between TA551 activity and SVCReady distribution, including similarities in file names, lure images, and identical grammatical errors.[HP SVCReady Jun 2022]

Internal MISP references

UUID a8110f81-5ee9-5819-91ce-3a57aa330dcb which can be used as unique global reference for SVCReady in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1064
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

Sykipot

Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. [Alienvault Sykipot DOD Smart Cards] The group using this malware has also been referred to as Sykipot. [Blasco 2013]

Internal MISP references

UUID ae749f9c-cf46-42ce-b0b8-f0be8660e3f3 which can be used as unique global reference for Sykipot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0018
source MITRE
type ['malware']

SynAck

SynAck is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. [SecureList SynAck Doppelgänging May 2018] [Kaspersky Lab SynAck May 2018]

Internal MISP references

UUID 19ae8345-745e-4872-8a29-d56c8800d626 which can be used as unique global reference for SynAck in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0242
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Syncappvpublishingserver - Duplicate

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Script used related to app-v and publishing server

Author: Oddvar Moe

Paths: * C:\Windows\System32\SyncAppvPublishingServer.vbs

Resources: * https://twitter.com/monoxgas/status/895045566090010624 * https://twitter.com/subTee/status/855738126882316288

Detection: * Sigma: proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml[Syncappvpublishingserver.vbs - LOLBAS Project]

Internal MISP references

UUID 6af0eac2-c35f-4569-ae09-47f1ca846961 which can be used as unique global reference for Syncappvpublishingserver - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5261
source Tidal Cyber
tags ['9e504206-7a84-40a5-b896-8995d82e3586', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SyncAppvPublishingServer

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by App-v to get App-v server lists

Author: Oddvar Moe

Paths: * C:\Windows\System32\SyncAppvPublishingServer.exe * C:\Windows\SysWOW64\SyncAppvPublishingServer.exe

Resources: * https://twitter.com/monoxgas/status/895045566090010624

Detection: * Sigma: posh_ps_syncappvpublishingserver_exe.yml * Sigma: posh_pm_syncappvpublishingserver_exe.yml * Sigma: proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml * IOC: SyncAppvPublishingServer.exe should never be in use unless App-V is deployed[SyncAppvPublishingServer.exe - LOLBAS Project]

Internal MISP references

UUID f2928533-34e1-4599-a3ec-c8b4ef9d81b4 which can be used as unique global reference for SyncAppvPublishingServer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5166
source Tidal Cyber
tags ['acda137a-d1c9-4216-9c08-d07c8d899725', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SYNful Knock

SYNful Knock is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.[Mandiant - Synful Knock][Cisco Synful Knock Evolution]

Internal MISP references

UUID 69ab291d-5066-4e47-9862-1f5c7bac7200 which can be used as unique global reference for SYNful Knock in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S0519
source MITRE
tags ['b20e7912-6a8d-46e3-8e13-9a3fc4813852']
type ['malware']

Sys10

Sys10 is a backdoor that was used throughout 2013 by Naikon. [Baumgartner Naikon 2015]

Internal MISP references

UUID 2df35a92-2295-417a-af5a-ba5c943ef40d which can be used as unique global reference for Sys10 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0060
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

SYSCON

SYSCON is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. SYSCON has been delivered by the CARROTBALL and CARROTBAT droppers.[Unit 42 CARROTBAT November 2018][Unit 42 CARROTBAT January 2020]

Internal MISP references

UUID ea556a8d-4959-423f-a2dd-622d0497d484 which can be used as unique global reference for SYSCON in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0464
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Syssetup

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows NT System Setup

Author: LOLBAS Team

Paths: * c:\windows\system32\syssetup.dll * c:\windows\syswow64\syssetup.dll

Resources: * https://twitter.com/pabraeken/status/994392481927258113 * https://twitter.com/harr0ey/status/975350238184697857 * https://twitter.com/bohops/status/975549525938135040 * https://windows10dll.nirsoft.net/syssetup_dll.html

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml * Splunk: detect_rundll32_application_control_bypass___syssetup.yml[Syssetup.dll - LOLBAS Project]

Internal MISP references

UUID 5d220e4f-db5f-4523-8dc5-63a604f3964b which can be used as unique global reference for Syssetup in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5199
source Tidal Cyber
tags ['9105775d-bdcb-45cc-895d-6c7bbb3d30ce', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

SystemBC

SystemBC is a commodity backdoor malware used as a Tor proxy and remote access Trojan (RAT). It was used during the high-profile 2021 Colonial Pipeline DarkSide ransomware attack and has since been used as a persistence & lateral movement tool during other ransomware compromises, including intrusions involving Ryuk, Egregor, and Play.[BlackBerry SystemBC June 10 2021][Sophos SystemBC December 16 2020][WithSecure SystemBC May 10 2021][Trend Micro Play Ransomware September 06 2022] According to Mandiant's 2023 M-Trends report, SystemBC was the second most frequently seen malware family in 2022 after only Cobalt Strike Beacon.[TechRepublic M-Trends 2023]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/systembc/

PulseDive (IOCs): https://pulsedive.com/threat/SystemBC

Internal MISP references

UUID c30929fb-28a1-407c-a1c3-a83374c63267 which can be used as unique global reference for SystemBC in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5058
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Systeminfo

Systeminfo is a Windows utility that can be used to gather detailed information about a computer. [TechNet Systeminfo]

Internal MISP references

UUID cecea681-a753-47b5-9d77-c10a5b4403ab which can be used as unique global reference for Systeminfo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0096
source MITRE
tags ['7b918200-2c8d-4b86-a81b-b2bdec5b2c2b', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

SysUpdate

SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.[Trend Micro Iron Tiger April 2021]

Internal MISP references

UUID 148d587c-3b1e-4e71-bdfb-8c37005e7e77 which can be used as unique global reference for SysUpdate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0663
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

T9000

T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. [FireEye admin@338 March 2014] [Palo Alto T9000 Feb 2016]

Internal MISP references

UUID c5647cc4-0d46-4a41-8591-9179737747a2 which can be used as unique global reference for T9000 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0098
source MITRE
type ['malware']

Tactical RMM

According to joint Cybersecurity Advisory AA23-320A (November 2023), Tactical RMM is a publicly available, legitimate tool that "enables remote monitoring and management of systems". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[U.S. CISA Scattered Spider November 16 2023]

Internal MISP references

UUID ba4777f9-bb3b-4143-8062-a510c30544ce which can be used as unique global reference for Tactical RMM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5066
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

Taidoor

Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.[CISA MAR-10292089-1.v2 TAIDOOR August 2021] Taidoor has primarily been used against Taiwanese government organizations since at least 2010.[TrendMicro Taidoor]

Internal MISP references

UUID 9334df79-9023-44bb-bc28-16c1f07b836b which can be used as unique global reference for Taidoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0011
source MITRE
type ['malware']

Tailscale

According to joint Cybersecurity Advisory AA23-320A (November 2023), Tailscale is a publicly available, legitimate tool that "provides virtual private networks (VPNs) to secure network communications". According to the Advisory, Scattered Spider threat actors are known to abuse the tool during their intrusions.[U.S. CISA Scattered Spider November 16 2023]

Internal MISP references

UUID 130a5491-1b93-45fd-bd72-9e5f8ddeba2a which can be used as unique global reference for Tailscale in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5069
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

TAINTEDSCRIBE

TAINTEDSCRIBE is a fully-featured beaconing implant integrated with command modules used by Lazarus Group. It was first reported in May 2020.[CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020]

Internal MISP references

UUID 1548c94a-fb4d-43d8-9956-ea26f5cc552f which can be used as unique global reference for TAINTEDSCRIBE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0586
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

TajMahal

TajMahal is a multifunctional spying framework that has been in use since at least 2014. TajMahal is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.[Kaspersky TajMahal April 2019]

Internal MISP references

UUID b1b7a8d9-6df3-4e89-8622-a6eea3da729b which can be used as unique global reference for TajMahal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0467
source MITRE
type ['malware']

Tar

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to extract and create archives.

Author: Brian Lucero

Paths: * C:\Windows\System32\tar.exe

Resources: * https://twitter.com/Cyber_Sorcery/status/1619819249886969856

Detection: * IOC: tar.exe extracting files from a remote host within the environment[Tar.exe - LOLBAS Project]

Internal MISP references

UUID 65e149a8-7c78-40d0-9cc5-9f420011facc which can be used as unique global reference for Tar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5167
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Tarrask

Tarrask is malware that has been used by HAFNIUM since at least August 2021. Tarrask was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.[Tarrask scheduled task]

Internal MISP references

UUID 7bb9d181-4405-4938-bafb-b13cc98b6cd8 which can be used as unique global reference for Tarrask in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1011
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Tasklist

The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. [Microsoft Tasklist]

Internal MISP references

UUID abae8f19-9497-4a71-82b6-ae6edd26ad98 which can be used as unique global reference for Tasklist in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0057
source MITRE
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

tcpdump

tcpdump is an open-source network packet analyzer utility run from the command line.

Internal MISP references

UUID 7a5d457c-949c-4e8f-817a-7e2d33f6c618 which can be used as unique global reference for tcpdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5267
source Tidal Cyber
tags ['02495172-1563-48e7-8ac2-98463bd85e9d', '6070668f-1cbd-4878-8066-c636d1d8659c', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']

TDSSKiller

TDSSKiller is a tool used to remove rootkits.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID c62b061a-b4d0-4b28-932c-3c9423443248 which can be used as unique global reference for TDSSKiller in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5044
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

TDTESS

TDTESS is a 64-bit .NET binary backdoor used by CopyKittens. [ClearSky Wilted Tulip July 2017]

Internal MISP references

UUID e7116740-fe7c-45e2-b98d-0c594a7dff2f which can be used as unique global reference for TDTESS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0164
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

te

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Testing tool included with Microsoft Test Authoring and Execution Framework (TAEF).

Author: Oddvar Moe

Paths: * no default

Resources: * https://twitter.com/gn3mes1s/status/927680266390384640?lang=bg

Detection: * Sigma: proc_creation_win_susp_use_of_te_bin.yml[te.exe - LOLBAS Project]

Internal MISP references

UUID 8eef4e4b-e294-47bb-befa-9cd97ceced57 which can be used as unique global reference for te in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5239
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Teams

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Electron runtime binary which runs the Teams application

Author: Andrew Kisliakov

Paths: * %LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe

Resources: * https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/

Detection: * IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app directory created * IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app.asar file created/modified by non-Teams installer/updater * Sigma: proc_creation_win_susp_electron_exeuction_proxy.yml[Teams.exe - LOLBAS Project]

Internal MISP references

UUID 13221a7b-6c23-48a7-97bd-21e2c689a391 which can be used as unique global reference for Teams in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5240
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

TeamViewer

TeamViewer is a tool used to enable remote connections to network devices for support and administration.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 6b5f6eb4-4cdd-4383-8623-d1f7de486865 which can be used as unique global reference for TeamViewer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5010
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

TEARDROP

TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.[FireEye SUNBURST Backdoor December 2020][Microsoft Deep Dive Solorigate January 2021]

Internal MISP references

UUID bae20f59-469c-451c-b4ca-70a9a04a1574 which can be used as unique global reference for TEARDROP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0560
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Teleport

Teleport is a custom tool for data exfiltration. It has been observed in use during intrusions involving Truebot, a botnet and loader malware, in 2022 and 2023.[U.S. CISA Increased Truebot Activity July 6 2023]

Internal MISP references

UUID b9a98499-c984-4199-ae64-d1381ebbaa1f which can be used as unique global reference for Teleport in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5011
source Tidal Cyber
tags ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']

Terminator

Terminator is an open-source software package that is designed to facilitate disabling of endpoint security/antivirus tools by abusing the zam64.sys driver.[GitHub Terminator]

Internal MISP references

UUID 5cd0db7a-d47d-479b-89ac-9e78dfc0cd9d which can be used as unique global reference for Terminator in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5283
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb']
type ['tool']
Related clusters

To see the related clusters, click here.

TestWindowRemoteAgent

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: TestWindowRemoteAgent.exe is the command-line tool to establish RPC

Author: Onat Uzunyayla

Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\RemoteAgent\TestWindowRemoteAgent.exe

Resources: None Provided

Detection: * IOC: TestWindowRemoteAgent.exe spawning unexpectedly[TestWindowRemoteAgent.exe - LOLBAS Project]

Internal MISP references

UUID 2143f749-d7b8-43c0-8041-8aeb486142c2 which can be used as unique global reference for TestWindowRemoteAgent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5241
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

TEXTMATE

TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017. [FireEye FIN7 March 2017]

Internal MISP references

UUID 49d0ae81-d51b-4534-b1e0-08371a47ef79 which can be used as unique global reference for TEXTMATE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0146
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

ThiefQuest

ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.[Reed thiefquest fake ransom] Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.[wardle evilquest partii][reed thiefquest ransomware analysis]

Internal MISP references

UUID 2ed5f691-68eb-49dd-b730-793dc8a7d134 which can be used as unique global reference for ThiefQuest in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0595
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']

ThreatNeedle

ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.[Kaspersky ThreatNeedle Feb 2021]

Internal MISP references

UUID b31c7b8e-dbdd-4ad5-802e-dcdc72b7462e which can be used as unique global reference for ThreatNeedle in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0665
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

ThunderShell

ThunderShell is a tool used to facilitate remote access via HTTP requests.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 8fe38eda-30be-4c88-ae76-ac6ebc89d66b which can be used as unique global reference for ThunderShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5045
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'be319849-fb2c-4b5f-8055-0bde562c280b', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

TightVNC

According to its project page, TightVNC is a free and open-source remote desktop software tool that is Virtual Network Computing (VNC)-compatible. It is designed to enable remote access to other systems.[TightVNC Software Project Page]

Internal MISP references

UUID 6b0d5be9-5305-4b45-bed9-43dee66b85e8 which can be used as unique global reference for TightVNC in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5015
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

TinyTurla

TinyTurla is a backdoor that has been used by Turla against targets in the US, Germany, and Afghanistan since at least 2020.[Talos TinyTurla September 2021]

Internal MISP references

UUID 39f0371c-b755-4655-a97e-82a572f2fae4 which can be used as unique global reference for TinyTurla in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0668
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

TINYTYPHON

TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. [Forcepoint Monsoon]

Internal MISP references

UUID 0e009cb8-848e-427a-9581-d3a4fd9f6a87 which can be used as unique global reference for TINYTYPHON in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0131
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

TinyZBot

TinyZBot is a bot written in C# that was developed by Cleaver. [Cylance Cleaver]

Internal MISP references

UUID 277290fe-51f3-4822-bb46-8b69fd1c8ae5 which can be used as unique global reference for TinyZBot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0004
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Tomiris

Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.[Kaspersky Tomiris Sep 2021]

Internal MISP references

UUID eff417ad-c775-4a95-9f36-a1b5a675ba82 which can be used as unique global reference for Tomiris in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0671
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

Tor

Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [Dingledine Tor The Second-Generation Onion Router]

Internal MISP references

UUID 8c70d85b-b06d-423c-8bab-ecff18f332d6 which can be used as unique global reference for Tor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0183
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'be319849-fb2c-4b5f-8055-0bde562c280b', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Torisma

Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus Group. Torisma was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.[McAfee Lazarus Nov 2020]

Internal MISP references

UUID 4bce135b-91ba-45ae-88f9-09e01f983a74 which can be used as unique global reference for Torisma in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0678
source MITRE
type ['malware']

Tracker

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Tool included with Microsoft .Net Framework.

Author: Oddvar Moe

Paths: * no default

Resources: * https://twitter.com/subTee/status/793151392185589760 * https://attack.mitre.org/wiki/Execution

Detection: * Sigma: proc_creation_win_lolbin_tracker.yml[LOLBAS Tracker]

Internal MISP references

UUID 62ebde4b-4936-49f6-842b-8c0313ea26f5 which can be used as unique global reference for Tracker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5242
source Tidal Cyber
tags ['3c9b26cf-9bda-4feb-ab42-ef7865cc80fd', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

TrailBlazer

TrailBlazer is a modular malware that has been used by APT29 since at least 2019.[CrowdStrike StellarParticle January 2022]

Internal MISP references

UUID 7a6ae9f8-5f8b-4e94-8716-d8ee82027197 which can be used as unique global reference for TrailBlazer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0682
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

TrickBot

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[S2 Grupo TrickBot June 2017][Fidelis TrickBot Oct 2016][IBM TrickBot Nov 2016][CrowdStrike Wizard Spider October 2020]

Internal MISP references

UUID c2bd4213-fc7b-474f-b5a0-28145b07c51d which can be used as unique global reference for TrickBot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0266
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

Trojan.Karagany

Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly. The source code for Trojan.Karagany originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. [Symantec Dragonfly][Secureworks Karagany July 2019][Dragos DYMALLOY ]

Internal MISP references

UUID b88c4891-40da-4832-ba42-6c6acd455bd1 which can be used as unique global reference for Trojan.Karagany in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0094
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Trojan.Mebromi

Trojan.Mebromi is BIOS-level malware that takes control of the victim before MBR. [Ge 2011]

Internal MISP references

UUID f8a4213d-633b-4e3d-8e59-a769e852b93b which can be used as unique global reference for Trojan.Mebromi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0001
source MITRE
type ['malware']

Truebot

Truebot is a botnet often used as a loader for other malware. In July 2023, U.S. authorities released joint Cybersecurity Advisory AA23-187A, which detailed increased observations of new Truebot variants infecting organizations in the United States and Canada. Authorities assessed that Truebot infections are primarily motivated around collection and exfiltration of sensitive victim data for financial gain. Officials also assessed that actors were using both spearphishing emails containing malicious hyperlinks and exploitation of CVE-2022-31199 (a vulnerability in the IT auditing application Netwrix Auditor) to deliver Truebot during these attacks. Additional tools associated with the attacks included Raspberry Robin for initial infections; FlawedGrace and Cobalt Strike for various post-exploitation activities; and Teleport, a custom tool for data exfiltration.[U.S. CISA Increased Truebot Activity July 6 2023]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.silence

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/truebot/

PulseDive (IOCs): https://pulsedive.com/threat/Truebot

Internal MISP references

UUID 669f8b7a-2404-47ab-843d-e63431faafec which can be used as unique global reference for Truebot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5000
source Tidal Cyber
tags ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'a98d7a43-f227-478e-81de-e7299639a355', '992bdd33-4a47-495d-883a-58010a2f0efb', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Truvasys

Truvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules written in the Delphi programming language. [Microsoft Win Defender Truvasys Sep 2017] [Microsoft NEODYMIUM Dec 2016] [Microsoft SIR Vol 21]

Internal MISP references

UUID 50844dba-8999-42ba-ba29-511e3faf4bc3 which can be used as unique global reference for Truvasys in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0178
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

TSCookie

TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese targets.[JPCert TSCookie March 2018][JPCert BlackTech Malware September 2019]. TSCookie has been referred to as PLEAD though more recent reporting indicates a separation between the two.[JPCert PLEAD Downloader June 2018][JPCert BlackTech Malware September 2019]

Internal MISP references

UUID 9872ab5a-c76e-4404-91f9-5b745722443b which can be used as unique global reference for TSCookie in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0436
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

TShark

TShark is a network protocol analyzer utility.

Internal MISP references

UUID 57f9458f-4dad-411e-9971-8e3e166f173b which can be used as unique global reference for TShark in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5268
source Tidal Cyber
tags ['e1be4b53-7524-4e88-bf6d-358cfdf96772', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']

Ttdinject

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)

Author: Maxime Nadeau

Paths: * C:\Windows\System32\ttdinject.exe * C:\Windows\Syswow64\ttdinject.exe

Resources: * https://twitter.com/Oddvarmoe/status/1196333160470138880

Detection: * Sigma: create_remote_thread_win_ttdinjec.yml * Sigma: proc_creation_win_lolbin_ttdinject.yml * IOC: Parent child relationship. Ttdinject.exe parent for executed command * IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process[Ttdinject.exe - LOLBAS Project]

Internal MISP references

UUID 7bd9859e-4260-4c86-903b-1f8bcf658da1 which can be used as unique global reference for Ttdinject in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5168
source Tidal Cyber
tags ['fc67aea7-f207-4cf5-8413-e33c76538cf6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Tttracer

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows 1809 and newer to Debug Time Travel

Author: Oddvar Moe

Paths: * C:\Windows\System32\tttracer.exe * C:\Windows\SysWOW64\tttracer.exe

Resources: * https://twitter.com/oulusoyum/status/1191329746069655553 * https://twitter.com/mattifestation/status/1196390321783025666 * https://lists.samba.org/archive/cifs-protocol/2016-April/002877.html

Detection: * Sigma: proc_creation_win_lolbin_tttracer_mod_load.yml * Sigma: image_load_tttracer_mod_load.yml * Elastic: credential_access_cmdline_dump_tool.toml * IOC: Parent child relationship. Tttracer parent for executed command[Tttracer.exe - LOLBAS Project]

Internal MISP references

UUID ab06ccb0-21c7-4d84-99ff-3349ce476910 which can be used as unique global reference for Tttracer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5169
source Tidal Cyber
tags ['3c4e3160-4e82-49ce-b6a3-17879dd4b83c', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Turian

Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.[ESET BackdoorDiplomacy Jun 2021]

Internal MISP references

UUID 571a45a7-68c9-452c-99bf-1d5b5fdd08b3 which can be used as unique global reference for Turian in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0647
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

TURNEDUP

TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. [FireEye APT33 Sept 2017] [FireEye APT33 Webinar Sept 2017]

Internal MISP references

UUID c7f10715-cf13-4360-8511-aa3f93dd7688 which can be used as unique global reference for TURNEDUP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0199
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

TYPEFRAME

TYPEFRAME is a remote access tool that has been used by Lazarus Group. [US-CERT TYPEFRAME June 2018]

Internal MISP references

UUID 6c93d3c4-cae5-48a9-948d-bc5264230316 which can be used as unique global reference for TYPEFRAME in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0263
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

UACMe

UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. [Github UACMe]

Internal MISP references

UUID 5788edee-d1b7-4406-9122-bee596362236 which can be used as unique global reference for UACMe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0116
source MITRE
tags ['7de7d799-f836-4555-97a4-0db776eb6932', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']

UBoatRAT

UBoatRAT is a remote access tool that was identified in May 2017.[PaloAlto UBoatRAT Nov 2017]

Internal MISP references

UUID 5214ae01-ccd5-4e97-8f9c-14eb16e75544 which can be used as unique global reference for UBoatRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0333
source MITRE
type ['malware']

Umbreon

A Linux rootkit that provides backdoor access and hides from defenders.

Internal MISP references

UUID 227c12df-8126-4e79-b9bd-0e4633fa12fa which can be used as unique global reference for Umbreon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0221
source MITRE
type ['malware']

Universal Virus Sniffer

Universal Virus Sniffer is a tool that can be used for impairing and evading an environment's defenses.[U.S. CISA Phobos February 29 2024]

Internal MISP references

UUID d876bb61-3122-44e7-ace4-f473a7b30f58 which can be used as unique global reference for Universal Virus Sniffer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5276
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e1af18e3-3224-4e4c-9d0f-533768474508']
type ['tool']
Related clusters

To see the related clusters, click here.

Unknown Logger

Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. [Forcepoint Monsoon]

Internal MISP references

UUID 846b3762-3949-4501-b781-6dca22db088f which can be used as unique global reference for Unknown Logger in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0130
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Unregmp2

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Windows Media Player Setup Utility

Author: Wade Hickey

Paths: * C:\Windows\System32\unregmp2.exe * C:\Windows\SysWOW64\unregmp2.exe

Resources: * https://twitter.com/notwhickey/status/1466588365336293385

Detection: * Sigma: proc_creation_win_lolbin_unregmp2.yml * IOC: Low-prevalence binaries, with filename 'wmpnscfg.exe', spawned as child-processes of unregmp2.exe /HideWMP[Unregmp2.exe - LOLBAS Project]

Internal MISP references

UUID 456fb5b3-76e5-47f4-b964-09d68adb889e which can be used as unique global reference for Unregmp2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5170
source Tidal Cyber
tags ['40f11d0d-09f2-4bd1-bc79-1430464a52a7', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Update

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.

Author: Oddvar Moe

Paths: * %localappdata%\Microsoft\Teams\update.exe

Resources: * https://www.youtube.com/watch?v=rOP3hnkj7ls * https://twitter.com/reegun21/status/1144182772623269889 * https://twitter.com/MrUn1k0d3r/status/1143928885211537408 * https://twitter.com/reegun21/status/1291005287034281990 * http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ * https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12 * https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56 * https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/

Detection: * Sigma: proc_creation_win_lolbin_squirrel.yml * IOC: Update.exe spawned an unknown process[Update.exe - LOLBAS Project]

Internal MISP references

UUID 487d4c42-12ee-4c90-b284-cca04dadb951 which can be used as unique global reference for Update in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5243
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

UPPERCUT

UPPERCUT is a backdoor that has been used by menuPass. [FireEye APT10 Sept 2018]

Internal MISP references

UUID a3c211f8-52aa-4bfd-8382-940f2194af28 which can be used as unique global reference for UPPERCUT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0275
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Url

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Internet Shortcut Shell Extension DLL.

Author: LOLBAS Team

Paths: * c:\windows\system32\url.dll * c:\windows\syswow64\url.dll

Resources: * https://bohops.com/2018/03/17/abusing-exported-functions-and-exposed-dcom-interfaces-for-pass-thru-command-execution-and-lateral-movement/ * https://twitter.com/DissectMalware/status/995348436353470465 * https://twitter.com/bohops/status/974043815655956481 * https://twitter.com/yeyint_mth/status/997355558070927360 * https://twitter.com/Hexacorn/status/974063407321223168 * https://windows10dll.nirsoft.net/url_dll.html

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Url.dll - LOLBAS Project]

Internal MISP references

UUID 96e24cc0-f1ce-4595-90c4-5a4976394db8 which can be used as unique global reference for Url in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5200
source Tidal Cyber
tags ['34505028-b7d8-4da4-8dee-9926f3dbd37a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Uroburos

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.[Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023][Kaspersky Turla]

Internal MISP references

UUID 89ffc27c-b81f-473a-87d6-907cacdce61c which can be used as unique global reference for Uroburos in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0022
source MITRE
tags ['1efd43ee-5752-49f2-99fe-e3441f126b00']
type ['malware']
Related clusters

To see the related clusters, click here.

Ursnif

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[NJCCIC Ursnif Sept 2016][ProofPoint Ursnif Aug 2016] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[TrendMicro Ursnif Mar 2015]

Internal MISP references

UUID 3e501609-87e4-4c47-bd88-5054be0f1037 which can be used as unique global reference for Ursnif in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0386
source MITRE
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '4d767e87-4cf6-438a-927a-43d2d0beaab7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

USBferry

USBferry is an information stealing malware and has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features which makes it a distinct piece of malware.[TrendMicro Tropic Trooper May 2020]

Internal MISP references

UUID 26d93db8-dbc3-44b5-a393-2b219cef4f5b which can be used as unique global reference for USBferry in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0452
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

USBStealer

USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. [ESET Sednit USBStealer 2014] [Kaspersky Sofacy]

Internal MISP references

UUID 50eab018-8d52-46f5-8252-95942c2c0a89 which can be used as unique global reference for USBStealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0136
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

UtilityFunctions

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: PowerShell Diagnostic Script

Author: Jimmy (@bohops)

Paths: * C:\Windows\diagnostics\system\Networking\UtilityFunctions.ps1

Resources: * https://twitter.com/nickvangilder/status/1441003666274668546

Detection: * Sigma: proc_creation_win_lolbas_utilityfunctions.yml[UtilityFunctions.ps1 - LOLBAS Project]

Internal MISP references

UUID 50a57a6f-6597-42d1-b686-7003c631ddb0 which can be used as unique global reference for UtilityFunctions in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5262
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Valak

Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.[Cybereason Valak May 2020][Unit 42 Valak July 2020]

Internal MISP references

UUID b149f12f-3cf4-4547-841d-c63b7677547d which can be used as unique global reference for Valak in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0476
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

VaporRage

VaporRage is a shellcode downloader that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]

Internal MISP references

UUID 63940761-8dea-4362-8795-7bc0653ce1d4 which can be used as unique global reference for VaporRage in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0636
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Vasport

Vasport is a trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Vasport May 2012]

Internal MISP references

UUID fe116518-cd0c-4b10-8190-4f57208df4e4 which can be used as unique global reference for Vasport in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0207
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

vbc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary file used for compile vbs code

Author: Lior Adar

Paths: * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe * C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe

Resources: None Provided

Detection: * Sigma: proc_creation_win_lolbin_visual_basic_compiler.yml * Elastic: defense_evasion_dotnet_compiler_parent_process.toml[vbc.exe - LOLBAS Project]

Internal MISP references

UUID 25ae056b-aa3d-4bfb-9b53-ba76bce0dad1 which can be used as unique global reference for vbc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5171
source Tidal Cyber
tags ['bc6f5172-90af-491e-817d-2eaa522f93af', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

VBShower

VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.[Kaspersky Cloud Atlas August 2019]

Internal MISP references

UUID 150b6079-bb10-48a8-b570-fbe8b0e3287c which can be used as unique global reference for VBShower in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0442
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Venus Ransomware

A prominent ransomware family.[HC3 Analyst Note Venus Ransomware November 2022]

Internal MISP references

UUID 2f33ae13-8ab2-4ec1-8358-c81218c1f3a5 which can be used as unique global reference for Venus Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5293
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

Verclsid

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to verify a COM object before it is instantiated by Windows Explorer

Author: @bohops

Paths: * C:\Windows\System32\verclsid.exe * C:\Windows\SysWOW64\verclsid.exe

Resources: * https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 * https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/

Detection: * Sigma: proc_creation_win_verclsid_runs_com.yml * Splunk: verclsid_clsid_execution.yml[LOLBAS Verclsid]

Internal MISP references

UUID 56dc0bea-bdfb-4731-b6c0-425fb7f9bf4d which can be used as unique global reference for Verclsid in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5172
source Tidal Cyber
tags ['4e91036d-809b-4eae-8a09-86bdc6cd1f0e', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

VERMIN

VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. [Unit 42 VERMIN Jan 2018]

Internal MISP references

UUID afa4023f-aa2e-45d6-bb3c-38e61f876eac which can be used as unique global reference for VERMIN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0257
source MITRE
type ['malware']

Vidar Stealer

Vidar Stealer is one of the most heavily used information & credential stealers ("infostealers") in recent years. While many of today's most popular infostealers were developed relatively recently, Vidar is more established, having been released in 2018. Its developers continue to add new capabilities, however, for example to improve the malware's stealth.[Minerva Labs Vidar Stealer Evasion]

More details on the shifting infostealer landscape, the rising threat posed by infostealers to large and small organizations, and defending against top infostealer TTPs can be found in the Tidal Cyber blog series: Part 1 (https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w), Part 2 (https://www.tidalcyber.com/blog/big-game-stealing-part-2-defenses-for-top-infostealer-techniques).

Internal MISP references

UUID ced8364c-e0e2-429a-a029-300fa2f0d5be which can be used as unique global reference for Vidar Stealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5071
source Tidal Cyber
tags ['fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '15787198-6c8b-4f79-bf50-258d55072fee', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

VisualUiaVerifyNative

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.

Author: Jimmy (@bohops)

Paths: * c:\Program Files (x86)\Windows Kits\10\bin[SDK version]\arm64\UIAVerify\VisualUiaVerifyNative.exe * c:\Program Files (x86)\Windows Kits\10\bin[SDK version]\x64\UIAVerify\VisualUiaVerifyNative.exe * c:\Program Files (x86)\Windows Kits\10\bin[SDK version]\UIAVerify\VisualUiaVerifyNative.exe

Resources: * https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ * https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad

Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * Sigma: proc_creation_win_lolbin_visualuiaverifynative.yml * IOC: As a Windows SDK binary, execution on a system may be suspicious[VisualUiaVerifyNative.exe - LOLBAS Project]

Internal MISP references

UUID acfbcd12-25fd-41cd-83ef-c7af7cb59fff which can be used as unique global reference for VisualUiaVerifyNative in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5246
source Tidal Cyber
tags ['5e096dac-47b7-4657-a57b-752ef7da0263', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Volgmer

Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. [US-CERT Volgmer Nov 2017]

Internal MISP references

UUID 7fcfba45-5752-4f0c-8023-db67729ae34e which can be used as unique global reference for Volgmer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0180
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

VSDiagnostics

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Command-line tool used for performing diagnostics.

Author: Bobby Cooke

Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Team Tools\DiagnosticsHub\Collector\VSDiagnostics.exe

Resources: * https://twitter.com/0xBoku/status/1679200664013135872

Detection: * Sigma: https://github.com/tsale/Sigma_rules/blob/d5b4a09418edfeeb3a2d654f556d5bca82003cd7/LOL_BINs/VSDiagnostics_LoLBin.yml[VSDiagnostics.exe - LOLBAS Project]

Internal MISP references

UUID fca6d378-bbe6-4418-b238-6a9a63aaabba which can be used as unique global reference for VSDiagnostics in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5244
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Vshadow

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: VShadow is a command-line tool that can be used to create and manage volume shadow copies.

Author: Ayberk Halaç

Paths: * C:\Program Files (x86)\Windows Kits\10\bin\10.0.XXXXX.0\x64\vshadow.exe

Resources: * https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample

Detection: * IOC: vshadow.exe usage with -exec parameter[Vshadow.exe - LOLBAS Project]

Internal MISP references

UUID f39988b4-acf7-4d56-a7e5-8e8fa0b8ccc2 which can be used as unique global reference for Vshadow in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5247
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

VSIISExeLauncher

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary will execute specified binary. Part of VS/VScode installation.

Author: timwhite

Paths: * C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe

Resources: * https://github.com/timwhitez

Detection: * Sigma: proc_creation_win_lolbin_vsiisexelauncher.yml * IOC: VSIISExeLauncher.exe spawned an unknown process[VSIISExeLauncher.exe - LOLBAS Project]

Internal MISP references

UUID 2517da5a-11b1-4f77-b488-c096173b1b50 which can be used as unique global reference for VSIISExeLauncher in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5245
source Tidal Cyber
tags ['0bf195a2-c577-4317-973e-a72dde5a06e6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

vsjitdebugger

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Just-In-Time (JIT) debugger included with Visual Studio

Author: Oddvar Moe

Paths: * c:\windows\system32\vsjitdebugger.exe

Resources: * https://twitter.com/pabraeken/status/990758590020452353

Detection: * Sigma: proc_creation_win_susp_use_of_vsjitdebugger_bin.yml[vsjitdebugger.exe - LOLBAS Project]

Internal MISP references

UUID 34ba500e-c37c-45ec-abf4-16e2f76d82c8 which can be used as unique global reference for vsjitdebugger in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5248
source Tidal Cyber
tags ['71bc284c-bfce-4191-80e0-ef70ff4315bf', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

vsls-agent

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Agent for Visual Studio Live Share (Code Collaboration)

Author: Jimmy (@bohops)

Paths: * c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\Extensions\Microsoft\LiveShare\Agent\vsls-agent.exe

Resources: * https://twitter.com/bohops/status/1583916360404729857

Detection: * Sigma: proc_creation_win_vslsagent_agentextensionpath_load.yml[vsls-agent.exe - LOLBAS Project]

Internal MISP references

UUID 99f752db-12c4-45a7-9f7b-f4fcda033462 which can be used as unique global reference for vsls-agent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5253
source Tidal Cyber
tags ['375cb8ad-2b6a-49b7-8eb3-757aaaf72d8b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

VSS Copying Tool (Play Ransomware)

Play ransomware operators are known to use a custom tool that serves as an interface for interacting with Windows Volume Shadow Copy Service ("VSS") over APIs. The tool can enumerate and copy files and folders in a VSS snapshot prior to encryption to serve as backups.[Symantec Play Ransomware April 19 2023]

Internal MISP references

UUID a3ebc075-c87b-4400-9498-09bb95d47231 which can be used as unique global reference for VSS Copying Tool (Play Ransomware) in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5301
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '4d767e87-4cf6-438a-927a-43d2d0beaab7', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

vstest.console

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: VSTest.Console.exe is the command-line tool to run tests

Author: Onat Uzunyayla

Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe * C:\Program Files (x86)\Microsoft Visual Studio\2022\TestAgent\Common7\IDE\CommonExtensions\Microsoft\TestWindow\vstest.console.exe

Resources: * https://learn.microsoft.com/en-us/visualstudio/test/vstest-console-options?view=vs-2022

Detection: * IOC: vstest.console.exe spawning unexpected processes[vstest.console.exe - LOLBAS Project]

Internal MISP references

UUID dfbe173f-5c36-4596-aefb-7ccf504e03c8 which can be used as unique global reference for vstest.console in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5254
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Wab

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows address book manager

Author: Oddvar Moe

Paths: * C:\Program Files\Windows Mail\wab.exe * C:\Program Files (x86)\Windows Mail\wab.exe

Resources: * https://twitter.com/Hexacorn/status/991447379864932352 * http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/

Detection: * Sigma: registry_set_wab_dllpath_reg_change.yml * IOC: WAB.exe should normally never be used[Wab.exe - LOLBAS Project]

Internal MISP references

UUID 6cbd62e8-9024-42d7-93d5-6b8b3409425b which can be used as unique global reference for Wab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5173
source Tidal Cyber
tags ['a53c9f4b-6f0d-4afa-b1ac-8e2d91279210', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

WannaCry

WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.[LogRhythm WannaCry][US-CERT WannaCry 2017][Washington Post WannaCry 2017][FireEye WannaCry 2017]

Internal MISP references

UUID 6e7d1bcf-a308-4861-8aa5-0f4c6f126b0a which can be used as unique global reference for WannaCry in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0366
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '45795633-a32b-4d9e-8620-4044ac056647', '09de661e-60c4-43fb-bfef-df017215d1d8', '5a463cb3-451d-47f7-93e4-1886150697ce', 'c2380542-36f2-4922-9ed2-80ced06645c9', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

WARPWIRE

WARPWIRE is a Javascript credential stealer that targets plaintext passwords and usernames for exfiltration that was used during Cutting Edge to target Ivanti Connect Secure VPNs.[Mandiant Cutting Edge January 2024][Mandiant Cutting Edge Part 2 January 2024]

Internal MISP references

UUID 9a592b49-1701-5e4c-95cf-9b8c98b80527 which can be used as unique global reference for WARPWIRE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1116
source MITRE
type ['malware']

WarzoneRAT

WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[Check Point Warzone Feb 2020][Uptycs Warzone UAC Bypass November 2020]

Internal MISP references

UUID cfebe868-15cb-4be5-b7ed-38b52f2a0722 which can be used as unique global reference for WarzoneRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0670
source MITRE
tags ['15787198-6c8b-4f79-bf50-258d55072fee']
type ['malware']
Related clusters

To see the related clusters, click here.

WastedLocker

WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media.[Symantec WastedLocker June 2020][NCC Group WastedLocker June 2020][Sentinel Labs WastedLocker July 2020]

Internal MISP references

UUID 0ba6ee8d-2b29-4980-8e55-348ea05f00ad which can be used as unique global reference for WastedLocker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0612
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Waterbear

Waterbear is modular malware attributed to BlackTech that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.[Trend Micro Waterbear December 2019]

Internal MISP references

UUID 56872a5b-dc01-455c-85d5-06c577abb030 which can be used as unique global reference for Waterbear in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0579
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

WEBC2

WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. [Mandiant APT1 Appendix][Mandiant APT1]

Internal MISP references

UUID f228af8f-8938-4836-9461-c6ca220ed7c5 which can be used as unique global reference for WEBC2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0109
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

WellMail

WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to WellMess.[CISA WellMail July 2020][NCSC APT29 July 2020]

Internal MISP references

UUID b936a1b3-5493-4d6c-9b69-29addeace418 which can be used as unique global reference for WellMail in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0515
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

WellMess

WellMess is lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by APT29.[CISA WellMess July 2020][PWC WellMess July 2020][NCSC APT29 July 2020]

Internal MISP references

UUID 20725ec7-ee35-44cf-bed6-91158aa03ce4 which can be used as unique global reference for WellMess in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0514
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Wevtutil

Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.[Wevtutil Microsoft Documentation]

Internal MISP references

UUID 2bcbcea6-192a-4501-aab1-1edde53875fa which can be used as unique global reference for Wevtutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0645
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '5db11c6f-cba4-4865-b993-7a3aafd0f037', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Wfc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).

Author: Jimmy (@bohops)

Paths: * C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wfc.exe

Resources: * https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * Sigma: proc_creation_win_lolbin_wfc.yml * IOC: As a Windows SDK binary, execution on a system may be suspicious[Wfc.exe - LOLBAS Project]

Internal MISP references

UUID dadd1243-6a4a-4ce2-9eea-1c530e7510d9 which can be used as unique global reference for Wfc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5249
source Tidal Cyber
tags ['be621f15-1788-490f-b8bb-85511a5a8074', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

WhisperGate

WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.[Cybereason WhisperGate February 2022][Unit 42 WhisperGate January 2022][Microsoft WhisperGate January 2022]

Internal MISP references

UUID 791f0afd-c2c4-4e23-8aee-1d14462667f5 which can be used as unique global reference for WhisperGate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0689
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']
Related clusters

To see the related clusters, click here.

Wiarp

Wiarp is a trojan used by Elderwood to open a backdoor on compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Wiarp May 2012]

Internal MISP references

UUID 7b393608-c141-48af-ae3d-3eff13c3e01c which can be used as unique global reference for Wiarp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0206
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Windows Credential Editor

Windows Credential Editor is a password dumping tool. [Amplia WCE]

Internal MISP references

UUID 7c2c44d7-b307-4e13-b181-52352975a6f5 which can be used as unique global reference for Windows Credential Editor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0005
source MITRE
tags ['1d306cbd-9894-4322-a233-b1576b8e25ba']
type ['tool']
Related clusters

To see the related clusters, click here.

WINDSHIELD

WINDSHIELD is a signature backdoor used by APT32. [FireEye APT32 May 2017]

Internal MISP references

UUID ed50dcf7-e283-451e-95b1-a8485f8dd214 which can be used as unique global reference for WINDSHIELD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0155
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

WindTail

WindTail is a macOS surveillance implant used by Windshift. WindTail shares code similarities with Hack Back aka KitM OSX.[SANS Windshift August 2018][objective-see windtail1 dec 2018][objective-see windtail2 jan 2019]

Internal MISP references

UUID 3afe711d-ed58-4c94-a9b6-9c847e1e8a2f which can be used as unique global reference for WindTail in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0466
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

WINERACK

WINERACK is a backdoor used by APT37. [FireEye APT37 Feb 2018]

Internal MISP references

UUID 5f994df7-55b0-4383-8ebc-506d4987292a which can be used as unique global reference for WINERACK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0219
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Winexe

Winexe is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers. [Winexe Github Sept 2013] Winexe is unique in that it is a GNU/Linux based client. [Überwachung APT28 Forfiles June 2015]

Internal MISP references

UUID 65d5b524-0e84-417d-9884-e2c501abfacd which can be used as unique global reference for Winexe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0191
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Wingbird

Wingbird is a backdoor that appears to be a version of commercial software FinFisher. It is reportedly used to attack individual computers instead of networks. It was used by NEODYMIUM in a May 2016 campaign. [Microsoft SIR Vol 21] [Microsoft NEODYMIUM Dec 2016]

Internal MISP references

UUID 3e70078f-407e-4b03-b604-bdc05b372f37 which can be used as unique global reference for Wingbird in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0176
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

winget

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Package Manager tool

Author: Paul Sanders

Paths: * C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe

Resources: * https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html * https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended

Detection: * IOC: winget.exe spawned with local manifest file * IOC: Sysmon Event ID 1 - Process Creation * Analysis: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html * Sigma: proc_creation_win_winget_local_install_via_manifest.yml[winget.exe - LOLBAS Project]

Internal MISP references

UUID 6c4e7a00-0151-490c-8a41-98981d355725 which can be used as unique global reference for winget in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5174
source Tidal Cyber
tags ['61f778ca-b2f1-4877-b0f5-fd5e87b6ddab', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

WinMM

WinMM is a full-featured, simple backdoor used by Naikon. [Baumgartner Naikon 2015]

Internal MISP references

UUID e10423c2-71a7-4878-96ba-343191136c19 which can be used as unique global reference for WinMM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0059
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Winnti for Linux

Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.[Chronicle Winnti for Linux May 2019]

Internal MISP references

UUID e384e711-0796-4cbc-8854-8c3f939faf57 which can be used as unique global reference for Winnti for Linux in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0430
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Winnti for Windows

Winnti for Windows is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, Winnti Group.[Kaspersky Winnti April 2013][Microsoft Winnti Jan 2017][Novetta Winnti April 2015][401 TRG Winnti Umbrella May 2018]. The Linux variant is tracked separately under Winnti for Linux.[Chronicle Winnti for Linux May 2019]

Internal MISP references

UUID 245c216e-41c3-4dec-8b23-bfc7c6a46d6e which can be used as unique global reference for Winnti for Windows in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0141
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

WinRAR

According to its website, WinRAR is a "data compression, encryption and archiving tool for Windows", which is designed to process RAR and ZIP files.[WinRAR Website] It is known to be abused by threat actors in order to archive (compress) files prior to their exfiltration from victim environments.[U.S. CISA Play Ransomware December 2023]

Internal MISP references

UUID d9792748-b81a-4d82-a45e-de05c2a23dbf which can be used as unique global reference for WinRAR in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5081
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'c45ce044-b5b9-426a-866c-130e9f2a4427', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '23d0545e-45fa-4f0a-957e-deb923039c80']
type ['tool']
Related clusters

To see the related clusters, click here.

winrm

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Script used for manage Windows RM settings

Author: Oddvar Moe

Paths: * C:\Windows\System32\winrm.vbs * C:\Windows\SysWOW64\winrm.vbs

Resources: * https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology * https://www.youtube.com/watch?v=3gz1QmiMhss * https://github.com/enigma0x3/windows-operating-system-archaeology * https://redcanary.com/blog/lateral-movement-winrm-wmi/ * https://twitter.com/bohops/status/994405551751815170 * https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 * https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

Detection: * Sigma: proc_creation_win_winrm_awl_bypass.yml * Sigma: proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml * Sigma: file_event_win_winrm_awl_bypass.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[winrm.vbs - LOLBAS Project]

Internal MISP references

UUID 8807e10c-dc1b-4dab-8f60-c03a85c18873 which can be used as unique global reference for winrm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5263
source Tidal Cyber
tags ['2eecd309-e75d-4f7b-8f6f-e11213f48b12', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

WinSCP

WinSCP is a tool used to facilitate file transfer using Secure Shell (SSH) File Transfer Protocol (FTP) for Microsoft Windows.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 3ded75ea-b253-48cd-94e7-aef53e0d1e31 which can be used as unique global reference for WinSCP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5046
source Tidal Cyber
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Winword

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Office binary

Author: Reegun J (OCBC Bank)

Paths: * C:\Program Files\Microsoft Office\root\Office16\winword.exe * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\winword.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\winword.exe * C:\Program Files (x86)\Microsoft Office\Office16\winword.exe * C:\Program Files\Microsoft Office\Office16\winword.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\winword.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\winword.exe * C:\Program Files (x86)\Microsoft Office\Office15\winword.exe * C:\Program Files\Microsoft Office\Office15\winword.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\winword.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\winword.exe * C:\Program Files (x86)\Microsoft Office\Office14\winword.exe * C:\Program Files\Microsoft Office\Office14\winword.exe * C:\Program Files (x86)\Microsoft Office\Office12\winword.exe * C:\Program Files\Microsoft Office\Office12\winword.exe * C:\Program Files\Microsoft Office\Office12\winword.exe

Resources: * https://twitter.com/reegun21/status/1150032506504151040 * https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191

Detection: * Sigma: proc_creation_win_office_arbitrary_cli_download.yml * IOC: Suspicious Office application Internet/network traffic[Winword.exe - LOLBAS Project]

Internal MISP references

UUID 7adaeb79-087f-4d65-8f8f-d4689755b107 which can be used as unique global reference for Winword in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5250
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '228354f0-c709-4a16-a489-c5098ae06c17', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Wiper

Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. [Dell Wiper]

Internal MISP references

UUID 627e05c2-c02e-433e-9288-c2d78bce156f which can be used as unique global reference for Wiper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0041
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']

WIREFIRE

WIREFIRE is a web shell written in Python that exists as trojanized logic to the visits.py component of Ivanti Connect Secure VPN appliances. WIREFIRE was used during Cutting Edge for downloading files and command execution.[Mandiant Cutting Edge January 2024]

Internal MISP references

UUID 93b02819-8acc-5d7d-ad11-abb33f9309cc which can be used as unique global reference for WIREFIRE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1115
source MITRE
type ['malware']

Wireshark

Wireshark is a popular open-source packet analyzer utility.

Internal MISP references

UUID 804da3b9-9c3a-4937-aa4a-efddfa5c176e which can be used as unique global reference for Wireshark in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5269
source Tidal Cyber
tags ['dbe18a6a-c8f9-451e-837e-5a7f25dcf913', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']

Wlrmdr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Logon Reminder executable

Author: Moshe Kaplan

Paths: * c:\windows\system32\wlrmdr.exe

Resources: * https://twitter.com/0gtweet/status/1493963591745220608 * https://twitter.com/Oddvarmoe/status/927437787242090496 * https://twitter.com/falsneg/status/1461625526640992260 * https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-notifyicondataw

Detection: * Sigma: proc_creation_win_lolbin_wlrmdr.yml * IOC: wlrmdr.exe spawning any new processes[Wlrmdr.exe - LOLBAS Project]

Internal MISP references

UUID f3eb99a8-b7b5-4e90-8e99-3f38309402c0 which can be used as unique global reference for Wlrmdr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5175
source Tidal Cyber
tags ['ebf92004-6e43-434c-8380-3671cf3640a2', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Wmic

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: The WMI command-line (WMIC) utility provides a command-line interface for WMI

Author: Oddvar Moe

Paths: * C:\Windows\System32\wbem\wmic.exe * C:\Windows\SysWOW64\wbem\wmic.exe

Resources: * https://stackoverflow.com/questions/24658745/wmic-how-to-use-process-call-create-with-a-specific-working-directory * https://subt0x11.blogspot.no/2018/04/wmicexe-whitelisting-bypass-hacking.html * https://twitter.com/subTee/status/986234811944648707

Detection: * Sigma: image_load_wmic_remote_xsl_scripting_dlls.yml * Sigma: proc_creation_win_wmic_xsl_script_processing.yml * Sigma: proc_creation_win_wmic_squiblytwo_bypass.yml * Sigma: proc_creation_win_wmic_eventconsumer_creation.yml * Elastic: defense_evasion_suspicious_wmi_script.toml * Elastic: persistence_via_windows_management_instrumentation_event_subscription.toml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Splunk: xsl_script_execution_with_wmic.yml * Splunk: remote_wmi_command_attempt.yml * Splunk: remote_process_instantiation_via_wmi.yml * Splunk: process_execution_via_wmi.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Wmic retrieving scripts from remote system/Internet location * IOC: DotNet CLR libraries loaded into wmic.exe * IOC: DotNet CLR Usage Log - wmic.exe.log[LOLBAS Wmic]

Internal MISP references

UUID 24f3b066-a533-4b6c-a590-313a67154ba0 which can be used as unique global reference for Wmic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5176
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '9988b5fd-6235-4a8e-bb8e-d9124ead11d4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Woody RAT

Woody RAT is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.[MalwareBytes WoodyRAT Aug 2022]

Internal MISP references

UUID 1f374a54-c839-5139-b755-555c66a21c12 which can be used as unique global reference for Woody RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1065
source MITRE
type ['malware']

WorkFolders

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Work Folders

Author: Elliot Killick

Paths: * C:\Windows\System32\WorkFolders.exe

Resources: * https://www.ctus.io/2021/04/12/exploading/ * https://twitter.com/ElliotKillick/status/1449812843772227588

Detection: * Sigma: proc_creation_win_susp_workfolders.yml * IOC: WorkFolders.exe should not be run on a normal workstation[WorkFolders.exe - LOLBAS Project]

Internal MISP references

UUID 7720f60a-5c03-4241-b635-6313eceb3307 which can be used as unique global reference for WorkFolders in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5177
source Tidal Cyber
tags ['b5581207-a45f-4f7f-b637-14444d716ad1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Wscript

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by Windows to execute scripts

Author: Oddvar Moe

Paths: * C:\Windows\System32\wscript.exe * C:\Windows\SysWOW64\wscript.exe

Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection: * Sigma: proc_creation_win_wscript_cscript_script_exec.yml * Sigma: file_event_win_net_cli_artefact.yml * Sigma: image_load_susp_script_dotnet_clr_dll_load.yml * Elastic: defense_evasion_unusual_dir_ads.toml * Elastic: command_and_control_remote_file_copy_scripts.toml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Splunk: wscript_or_cscript_suspicious_child_process.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Wscript.exe executing code from alternate data streams * IOC: DotNet CLR libraries loaded into wscript.exe * IOC: DotNet CLR Usage Log - wscript.exe.log[Wscript.exe - LOLBAS Project]

Internal MISP references

UUID be8d1032-3452-4d44-83cb-c7ece7d5a052 which can be used as unique global reference for Wscript in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5178
source Tidal Cyber
tags ['b4520b56-73e3-43fd-9f0d-70191132b451', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Wsl

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows subsystem for Linux executable

Author: Matthew Brown

Paths: * C:\Windows\System32\wsl.exe

Resources: * https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * https://twitter.com/nas_bench/status/1535431474429808642

Detection: * Sigma: proc_creation_win_wsl_lolbin_execution.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Child process from wsl.exe[Wsl.exe - LOLBAS Project]

Internal MISP references

UUID 9663965e-0fd1-45c3-a138-c7539ed91832 which can be used as unique global reference for Wsl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5251
source Tidal Cyber
tags ['96ebb518-7c1f-4011-a3ec-42aa78a95e4f', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Wsreset

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used to reset Windows Store settings according to its manifest file

Author: Oddvar Moe

Paths: * C:\Windows\System32\wsreset.exe

Resources: * https://www.activecyber.us/activelabs/windows-uac-bypass * https://twitter.com/ihack4falafel/status/1106644790114947073 * https://github.com/hfiref0x/UACME/blob/master/README.md

Detection: * Sigma: proc_creation_win_uac_bypass_wsreset_integrity_level.yml * Sigma: proc_creation_win_uac_bypass_wsreset.yml * Sigma: registry_event_bypass_via_wsreset.yml# * Splunk: wsreset_uac_bypass.yml * IOC: wsreset.exe launching child process other than mmc.exe * IOC: Creation or modification of the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command * IOC: Microsoft Defender Antivirus as Behavior:Win32/UACBypassExp.T!gen[Wsreset.exe - LOLBAS Project]

Internal MISP references

UUID b75e4dcf-62ed-44cc-b9d2-d6d1b90955a8 which can be used as unique global reference for Wsreset in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5179
source Tidal Cyber
tags ['291fab5d-e732-4b19-83e4-ee642b2ae0f0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

wt

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Terminal

Author: Nasreddine Bencherchali

Paths: * C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_\wt.exe

Resources: * https://twitter.com/nas_bench/status/1552100271668469761

Detection: * Sigma: proc_creation_win_windows_terminal_susp_children.yml[wt.exe - LOLBAS Project]

Internal MISP references

UUID a34b303e-e8bb-48b2-85e0-f6e2620d68ab which can be used as unique global reference for wt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5184
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

wuauclt

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows Update Client

Author: David Middlehurst

Paths: * C:\Windows\System32\wuauclt.exe

Resources: * https://dtm.uk/wuauclt/

Detection: * Sigma: net_connection_win_wuauclt_network_connection.yml * Sigma: proc_creation_win_lolbin_wuauclt.yml * Sigma: proc_creation_win_wuauclt_execution.yml * IOC: wuauclt run with a parameter of a DLL path * IOC: Suspicious wuauclt Internet/network connections[wuauclt.exe - LOLBAS Project]

Internal MISP references

UUID 06fe608d-a517-492f-8557-cfb820984146 which can be used as unique global reference for wuauclt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5180
source Tidal Cyber
tags ['03f0e493-63ae-47b5-8353-238390a895a8', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

XAgentOSX

XAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standard CHOPSTICK or XAgent trojan. [XAgentOSX 2017]

Internal MISP references

UUID 6f411b69-6643-4cc7-9cbd-e15d9219e99c which can be used as unique global reference for XAgentOSX in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0161
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Xbash

Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.[Unit42 Xbash Sept 2018]

Internal MISP references

UUID ab442140-0761-4227-bd9e-151da5d0a04f which can be used as unique global reference for Xbash in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0341
source MITRE
type ['malware']

xCaon

xCaon is an HTTP variant of the BoxCaon malware family that has used by IndigoZebra since at least 2014. xCaon has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.[Checkpoint IndigoZebra July 2021][Securelist APT Trends Q2 2017]

Internal MISP references

UUID 11a0dff4-1dc8-4553-8a38-90a07b01bfcd which can be used as unique global reference for xCaon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0653
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

xCmd

xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems. [xCmd]

Internal MISP references

UUID d943d3d9-3a99-464f-94f0-95aa7963d858 which can be used as unique global reference for xCmd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0123
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

xcopy

xcopy is a Windows tool used to copy files and directories, including subdirectories, with a variety of options. According to Microsoft, the xcopy command "creates files with the archive attribute set, whether or not this attribute was set in the source file".[xcopy Microsoft]

Internal MISP references

UUID 84954209-1e2a-48dd-ba17-0f015f6de3ef which can be used as unique global reference for xcopy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5019
source Tidal Cyber
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

XCSSET

XCSSET is a macOS modular backdoor that targets Xcode application developers. XCSSET was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.[trendmicro xcsset xcode project 2020]

Internal MISP references

UUID 3672ecfa-20bf-4d69-948d-876be343563f which can be used as unique global reference for XCSSET in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0658
source MITRE
tags ['4a457eb3-e404-47e5-b349-8b1f743dc657', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Xloader (macOS Variant)

Researchers discovered an updated macOS variant of the XLoader stealer/botnet malware, which is programmed in C and Objective C and signed with an Apple developer signature.[SentinelOne 8 21 2023]

Internal MISP references

UUID 5ced31ef-8e03-4125-be9b-922dac49bfa2 which can be used as unique global reference for Xloader (macOS Variant) in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['macOS']
software_attack_id S5317
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

XMRig

XMRig is an open-source tool that uses the resources of the running system to mine Monero cryptocurrency. According to U.S. cybersecurity authorities, "XMRig can cause a victim computer to overheat and perform poorly by using additional system resources that would otherwise not be active".[U.S. CISA Trends June 30 2020]

Internal MISP references

UUID 1491c020-6449-48e7-8ebf-abf7b71fbc97 which can be used as unique global reference for XMRig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5064
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '291c006e-f77a-4c9c-ae7e-084974c0e1eb', '4fa6f8e1-b0d5-4169-8038-33e355c08bde', 'efa33611-88a5-40ba-9bc4-3d85c6c8819b', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e']
type ['tool']
Related clusters

To see the related clusters, click here.

Xpack

According to joint Cybersecurity Advisory AA23-250A (September 2023), Xpack is a malicious, "custom .NET loader that decrypts (AES), loads, and executes accompanying files".[U.S. CISA Zoho Exploits September 7 2023]

Internal MISP references

UUID 19e7e967-7d0a-4930-8ef9-11a43dcb081d which can be used as unique global reference for Xpack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5048
source Tidal Cyber
tags ['15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

XTunnel

XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee. [Crowdstrike DNC June 2016] [Invincea XTunnel] [ESET Sednit Part 2]

Internal MISP references

UUID 133136f0-7254-4cec-8710-0ab99d5da4e5 which can be used as unique global reference for XTunnel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0117
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Xwizard

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Execute custom class that has been added to the registry or download a file with Xwizard.exe

Author: Oddvar Moe

Paths: * C:\Windows\System32\xwizard.exe * C:\Windows\SysWOW64\xwizard.exe

Resources: * http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ * https://www.youtube.com/watch?v=LwDHX7DVHWU * https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 * https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ * https://twitter.com/notwhickey/status/1306023056847110144

Detection: * Sigma: proc_creation_win_lolbin_class_exec_xwizard.yml * Sigma: proc_creation_win_lolbin_dll_sideload_xwizard.yml * Elastic: execution_com_object_xwizard.toml * Elastic: defense_evasion_unusual_process_network_connection.toml[Xwizard.exe - LOLBAS Project]

Internal MISP references

UUID d5663ff2-904b-42d6-b4d8-672017d91de2 which can be used as unique global reference for Xwizard in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5181
source Tidal Cyber
tags ['c37d2f5f-91da-43c6-869e-192bf0e0ae90', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Xworm

XWorm is a Remote Access Trojan (RAT)/Backdoor malware.

Internal MISP references

UUID 15a19d45-8f31-4ee4-ba01-0c8c1f24a67b which can be used as unique global reference for Xworm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5290
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

YAHOYAH

YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.[TrendMicro TropicTrooper 2015]

Internal MISP references

UUID 0844bc42-5c29-47c3-b1b3-6bfffbf1732a which can be used as unique global reference for YAHOYAH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0388
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

YouieLoad

YouieLoad is an intermediate-stage malware used by the North Korean threat actor Moonstone Sleet mainly for payload execution purposes. It is also capable of performing system reconnaissance.[Microsoft Security Blog 5 28 2024]

Internal MISP references

UUID 2992159c-d71c-48cf-8302-020f90332390 which can be used as unique global reference for YouieLoad in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5323
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

yty

yty is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. [ASERT Donot March 2018]

Internal MISP references

UUID e0962ff7-5524-4683-9b95-0e4ba07dccb2 which can be used as unique global reference for yty in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0248
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

Zebrocy

Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. [Palo Alto Sofacy 06-2018][Unit42 Cannon Nov 2018][Unit42 Sofacy Dec 2018][CISA Zebrocy Oct 2020]

Internal MISP references

UUID e317b8a6-1722-4017-be33-717a5a93ef1c which can be used as unique global reference for Zebrocy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0251
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

Zeroaccess

Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain. [Sophos ZeroAccess]

Internal MISP references

UUID 2f52b513-5293-4833-9c4d-b120e7a84341 which can be used as unique global reference for Zeroaccess in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0027
source MITRE
type ['malware']

ZeroT

ZeroT is a Trojan used by TA459, often in conjunction with PlugX. [Proofpoint TA459 April 2017] [Proofpoint ZeroT Feb 2017]

Internal MISP references

UUID f51df90e-ea1b-4eeb-9aff-ec5abf4a5dfd which can be used as unique global reference for ZeroT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0230
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Zeus Panda

Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. Zeus Panda’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.[Talos Zeus Panda Nov 2017][GDATA Zeus Panda June 2017]

Internal MISP references

UUID be8add13-40d7-495e-91eb-258d3a4711bc which can be used as unique global reference for Zeus Panda in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0330
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

Zipfldr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Compressed Folder library

Author: LOLBAS Team

Paths: * c:\windows\system32\zipfldr.dll * c:\windows\syswow64\zipfldr.dll

Resources: * https://twitter.com/moriarty_meng/status/977848311603380224 * https://twitter.com/bohops/status/997896811904929792 * https://windows10dll.nirsoft.net/zipfldr_dll.html

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Zipfldr.dll - LOLBAS Project]

Internal MISP references

UUID 34d0c5b5-f6e1-41e9-9061-cf9d36fe61c8 which can be used as unique global reference for Zipfldr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5201
source Tidal Cyber
tags ['0d0098b4-e159-4502-973d-714011ba605f', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ZIPLINE

ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Secure Connect VPNs for reverse shell and proxy functionality.[Mandiant Cutting Edge January 2024]

Internal MISP references

UUID 976a7797-3008-5316-9e28-19c9a05959d0 which can be used as unique global reference for ZIPLINE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1114
source MITRE
type ['malware']

ZLib

ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.[Cylance Dust Storm]

Internal MISP references

UUID 1ac8d363-2903-43da-9c1d-2b28179638c8 which can be used as unique global reference for ZLib in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0086
source MITRE
type ['malware']

Zloader

Zloader originated in 2016 as a modular banking trojan based on the popular Zeus malware. It has evolved in the years since to be used as an important distribution mechanism for various other malware, including ransomware.[WeLiveSecurity April 19 2022]

This object represents a collection of MITRE ATT&CK® Techniques associated with Zloader binaries. Techniques used by various actors to distribute Zloader can be found in the separate "Zloader Threat Actors" Group object.

Internal MISP references

UUID a106fb66-bd68-40cc-9374-8b59234a0cec which can be used as unique global reference for Zloader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5312
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '39357cc1-dbb1-49e4-9fe0-ff24032b94d5', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

Zox

Zox is a remote access tool that has been used by Axiom since at least 2008.[Novetta-Axiom]

Internal MISP references

UUID 75dd9acb-fcff-4b0b-b45b-f943fb589d78 which can be used as unique global reference for Zox in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0672
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

zwShell

zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.[McAfee Night Dragon]

Internal MISP references

UUID 49314d4e-dc04-456f-918e-a3bedfc3192a which can be used as unique global reference for zwShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0350
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

ZxShell

ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.[FireEye APT41 Aug 2019][Talos ZxShell Oct 2014]

Internal MISP references

UUID eea89ff2-036d-4fa6-bbed-f89502c62318 which can be used as unique global reference for ZxShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0412
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

ZxxZ

ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, including against Bangladeshi government personnel.[Cisco Talos Bitter Bangladesh May 2022]

Internal MISP references

UUID 91e1ee26-d6ae-4203-a466-93c9e5019b47 which can be used as unique global reference for ZxxZ in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1013
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.