Tidal Software

Tidal Software Cluster

Authors and/or Contributors: Tidal Cyber

3PARA RAT

3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [CrowdStrike Putter Panda]

Internal MISP references

UUID 71d76208-c465-4447-8d6e-c54f142b65a4 can be used as a unique global reference for 3PARA RAT in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0066
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

4H RAT

4H RAT is malware that has been used by Putter Panda since at least 2007. [CrowdStrike Putter Panda]

Internal MISP references

UUID a15142a3-4797-4fef-8ec6-065e3322a69b can be used as a unique global reference for 4H RAT in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0065
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

7-zip - Associated Software

Internal MISP references

UUID b7942342-d390-408d-8d11-edff76322ff3 can be used as a unique global reference for 7-zip - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id cdfe3925-aa4a-4d22-940e-2aa6697a9911
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

7-Zip

7-Zip is a tool used to compress files into an archive.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 4665e52b-3c5c-4a7f-9432-c89ef26f2c93 can be used as a unique global reference for 7-Zip in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5023
source Tidal Cyber
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[AADInternals Github][AADInternals Documentation]

Internal MISP references

UUID 3d33fbf5-c21e-4587-ba31-9aeec3cc10c0 can be used as a unique global reference for AADInternals in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Office 365', 'Windows']
software_attack_id S0677
source MITRE
tags ['c9c73000-30a5-4a16-8c8b-79169f9c24aa', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

ABK

ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID 394cadd0-bc4d-4181-ac53-858e84b8e3de can be used as a unique global reference for ABK in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0469
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

AccCheckConsole.exe - Associated Software

[AccCheckConsole.exe - LOLBAS Project]

Internal MISP references

UUID 9a77d9ce-dd34-4ff9-8b26-c74ef5055a2f can be used as a unique global reference for AccCheckConsole.exe - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id d9cee454-5016-40f4-9c75-2b8eb684724d
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

AccCheckConsole

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Verifies UI accessibility requirements

Author: bohops

Paths:
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe

Resources:
* https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
* https://twitter.com/bohops/status/1477717351017680899

Detection:
* Sigma: proc_creation_win_lolbin_susp_acccheckconsole.yml
* IOC: Sysmon Event ID 1 - Process Creation
* Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 [AccCheckConsole.exe - LOLBAS Project]

Internal MISP references

UUID cce705c7-49f8-4b54-b854-fd4b3a32e6ff can be used as a unique global reference for AccCheckConsole in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5203
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

AccountRestore

AccountRestore is a .NET executable that is used to brute force Active Directory accounts. The tool searches for a list of specific users and attempts to brute force the accounts based on a password file provided by the user.[Security Joes Sockbot March 09 2022]

Internal MISP references

UUID 6bc29df2-195e-410c-ad08-f3661575492f can be used as a unique global reference for AccountRestore in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5059
source Tidal Cyber
tags ['dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['malware']
Related clusters

To see the related clusters, click here.

Action RAT

Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.[MalwareBytes SideCopy Dec 2021]

Internal MISP references

UUID 202781a3-d481-4984-9e5a-31caafc20135 can be used as a unique global reference for Action RAT in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1028
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

adbupd

adbupd is a backdoor used by PLATINUM that is similar to Dipsind. [Microsoft PLATINUM April 2016]

Internal MISP references

UUID f52e759a-a725-4b50-84f2-12bef89d369e can be used as a unique global reference for adbupd in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0202
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

AddinUtil.exe - Associated Software

[AddinUtil.exe - LOLBAS Project]

Internal MISP references

UUID 200ecd1e-c1a6-41a3-bb9a-ee687334c2c1 can be used as a unique global reference for AddinUtil.exe - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id d09bd642-055d-4626-8324-ff5d97488672
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

AddinUtil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: .NET Tool used for updating cache files for Microsoft Office Add-Ins.

Author: Michael McKinley @MckinleyMike

Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe

Resources:
* https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html

Detection:
* Sigma: proc_creation_win_addinutil_suspicious_cmdline.yml
* Sigma: proc_creation_win_addinutil_uncommon_child_process.yml
* Sigma: proc_creation_win_addinutil_uncommon_cmdline.yml
* Sigma: proc_creation_win_addinutil_uncommon_dir_exec.yml [AddinUtil.exe - LOLBAS Project]

Internal MISP references

UUID 253f97c3-ba35-4064-8ec0-892872432214 can be used as a unique global reference for AddinUtil in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5082
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

AdFind

AdFind is a free command-line query tool that can be used for gathering information from Active Directory.[Red Canary Hospital Thwarted Ryuk October 2020][FireEye FIN6 Apr 2019][FireEye Ryuk and Trickbot January 2019]

Internal MISP references

UUID 70559096-2a6b-4388-97e6-c2b16f3be78e can be used as a unique global reference for AdFind in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0552
source MITRE
tags ['3a633b73-9c2c-4293-8577-fb97be0cda37', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

adplus.exe - Associated Software

[adplus.exe - LOLBAS Project]

Internal MISP references

UUID 1db1d4d7-d442-457d-afb9-5c3dcb21645a can be used as a unique global reference for adplus.exe - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id 86e4b24f-f2fd-428e-a1bc-5ce17899e6e9
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

adplus

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Debugging tool included with Windows Debugging Tools

Author: mr.d0x

Paths:
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe

Resources:
* https://mrd0x.com/adplus-debugging-tool-lsass-dump/
* https://twitter.com/nas_bench/status/1534916659676422152
* https://twitter.com/nas_bench/status/1534915321856917506

Detection:
* Sigma: proc_creation_win_lolbin_adplus.yml
* IOC: As a Windows SDK binary, execution on a system may be suspicious [adplus.exe - LOLBAS Project]

Internal MISP references

UUID 3f229fe8-4d03-48ba-97b5-d7132510e090 can be used as a unique global reference for adplus in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5204
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Advanced IP Scanner

Advanced IP Scanner is a tool used to perform network scans and show network devices.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID ff0af6fd-e4a1-47c9-b4a1-7ce5074e089e can be used as a unique global reference for Advanced IP Scanner in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5024
source Tidal Cyber
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Advanced Port Scanner

Advanced Port Scanner is a tool used to perform network scans.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID f93b54cf-a17c-4739-a7af-4106055f868d can be used as a unique global reference for Advanced Port Scanner in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5006
source Tidal Cyber
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

AdvancedRun

AdvancedRun is a tool used to enable software execution under user-defined settings.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 7ef15943-8061-4941-b14e-9634c0b95d28 can be used as a unique global reference for AdvancedRun in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5025
source Tidal Cyber
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Advpack.dll - Associated Software

[Advpack.dll - LOLBAS Project]

Internal MISP references

UUID 0c7f7926-3935-46ea-b430-3841acab3120 can be used as a unique global reference for Advpack.dll - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id 44a4a888-434d-46fa-998d-621999a2f99a
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Advpack

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Utility for installing software and drivers with rundll32.exe

Author: LOLBAS Team

Paths:
* c:\windows\system32\advpack.dll
* c:\windows\syswow64\advpack.dll

Resources:
* https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
* https://twitter.com/ItsReallyNick/status/967859147977850880
* https://twitter.com/bohops/status/974497123101179904
* https://twitter.com/moriarty_meng/status/977848311603380224

Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml
* Splunk: detect_rundll32_application_control_bypass___advpack.yml [Advpack.dll - LOLBAS Project]

Internal MISP references

UUID 6c82fc65-864a-4a8c-80ed-80a69920c44f can be used as a unique global reference for Advpack in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5187
source Tidal Cyber
tags ['7a457caf-c3b6-4a48-84cf-c1f50a2eda27', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

AZZY - Associated Software

Internal MISP references

UUID 60d36859-4803-4a84-8ce6-b7aead8b0dd8 can be used as a unique global reference for AZZY - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id 3301e250-f632-4680-897c-137c01399ffb
Related clusters

To see the related clusters, click here.

EVILTOSS - Associated Software

Internal MISP references

UUID 87b3c2d9-49fa-4f4d-bcc0-91c610aafd3e can be used as a unique global reference for EVILTOSS - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id 2d1033ed-dcb0-4ff8-b994-c27c7472e4e5
Related clusters

To see the related clusters, click here.

NETUI - Associated Software

Internal MISP references

UUID aee4bdbe-dcdb-456e-b198-a9ec4dd0dea9 can be used as a unique global reference for NETUI - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id ae90ab5b-29e8-41c2-b814-686e7e6f40f6
Related clusters

To see the related clusters, click here.

Sedreco - Associated Software

Internal MISP references

UUID 66cd7902-e578-4054-8dc4-a5e027e914b4 can be used as a unique global reference for Sedreco - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id 404e76ad-994c-4cc3-b20a-3d3d2143d8bf
Related clusters

To see the related clusters, click here.

ADVSTORESHELL

ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. [Kaspersky Sofacy] [ESET Sednit Part 2]

Internal MISP references

UUID ef7f4f5f-6f30-4059-87d1-cd8375bf1bee can be used as a unique global reference for ADVSTORESHELL in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0045
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635', '16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Agent.btz

Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. [Securelist Agent.btz]

Internal MISP references

UUID f27c9a91-c618-40c6-837d-089ba4d80f45 can be used as a unique global reference for Agent.btz in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0092
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

AgentExecutor.exe - Associated Software

[AgentExecutor.exe - LOLBAS Project]

Internal MISP references

UUID 15123fcb-0ba8-492a-bada-552d828af096 can be used as a unique global reference for AgentExecutor.exe - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id c58bc73c-1b0a-4a56-9ba4-e79db95da968
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

AgentExecutor

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Intune Management Extension included on Intune Managed Devices

Author: Eleftherios Panos

Paths:
* C:\Program Files (x86)\Microsoft Intune Management Extension

Resources:

Detection:
* Sigma: proc_creation_win_lolbin_agentexecutor.yml
* Sigma: proc_creation_win_lolbin_agentexecutor_susp_usage.yml [AgentExecutor.exe - LOLBAS Project]

Internal MISP references

UUID 27fa7573-c1d3-4857-8a45-ef501c8ea32c can be used as a unique global reference for AgentExecutor in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5205
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Agent Tesla

Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[Fortinet Agent Tesla April 2018][Bitdefender Agent Tesla April 2020][Malwarebytes Agent Tesla April 2020]

Internal MISP references

UUID 304650b1-a0b5-460c-9210-23a5b53815a4 can be used as a unique global reference for Agent Tesla in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0331
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Amadey

Amadey is a Trojan bot that has been used since at least October 2018.[Korean FSI TA505 2020][BlackBerry Amadey 2020]

Internal MISP references

UUID f173ec20-ef40-436b-a859-fef017e1e767 can be used as a unique global reference for Amadey in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1025
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Anchor_DNS - Associated Software

[Cyberreason Anchor December 2019][Medium Anchor DNS July 2020]

Internal MISP references

UUID 4c66b92a-bfac-4f12-a319-3a16b59f9408 can be used as a unique global reference for Anchor_DNS - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id 11d8729e-7635-465f-8629-e4a15e317e02
Related clusters

To see the related clusters, click here.

Anchor

Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.[Cyberreason Anchor December 2019][Medium Anchor DNS July 2020]

Internal MISP references

UUID 9521c535-1043-4b82-ba5d-e5eaeca500ee can be used as a unique global reference for Anchor in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0504
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

ANDROMEDA

ANDROMEDA is commodity malware that was widespread in the early 2010s and continues to be observed in infections across a wide variety of industries. During the 2022 C0026 campaign, threat actors re-registered expired ANDROMEDA C2 domains to spread malware to select targets in Ukraine.[Mandiant Suspected Turla Campaign February 2023]

Internal MISP references

UUID 69aac793-9e6a-5167-bc62-823189ee2f7b can be used as a unique global reference for ANDROMEDA in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1074
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

AnyDesk

AnyDesk is a tool used to enable remote connections to network devices.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 922447fd-f41e-4bcf-b479-88137c81099c can be used as a unique global reference for AnyDesk in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5007
source Tidal Cyber
tags ['fb06d216-f535-45c1-993a-8c1b7aa2111c', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

AppInstaller.exe - Associated Software

[AppInstaller.exe - LOLBAS Project]

Internal MISP references

UUID 705af422-c1e8-48e4-97e1-8693ac97e3da can be used as a unique global reference for AppInstaller.exe - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id a0005bf8-6217-4556-9f3e-a4578669d4b8
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

AppInstaller

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Tool used for installation of AppX/MSIX applications on Windows 10

Author: Wade Hickey

Paths:
* C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe

Resources:
* https://twitter.com/notwhickey/status/1333900137232523264

Detection:
* Sigma: dns_query_win_lolbin_appinstaller.yml [AppInstaller.exe - LOLBAS Project]

Internal MISP references

UUID 9fa7c759-172f-4ae3-ac3d-0070c3c4c439 can be used as a unique global reference for AppInstaller in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5083
source Tidal Cyber
tags ['837cf289-ad09-48ca-adf9-b46b07015666', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

AppleJeus

AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[CISA AppleJeus Feb 2021]

Internal MISP references

UUID cdeb3110-07e5-4c3d-9eef-e6f2b760ef33 can be used as a unique global reference for AppleJeus in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['macOS', 'Windows']
software_attack_id S0584
source MITRE
tags ['8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

AppleSeed

AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.[Malwarebytes Kimsuky June 2021]

Internal MISP references

UUID 9df2e42e-b454-46ea-b50d-2f7d999f3d42 can be used as a unique global reference for AppleSeed in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Android', 'Windows']
software_attack_id S0622
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Appvlp.exe - Associated Software

[Appvlp.exe - LOLBAS Project]

Internal MISP references

UUID b2e6135b-4a85-48a4-b654-8348a9e6a9b7 can be used as a unique global reference for Appvlp.exe - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id 82eb4e28-3b8c-4f30-8524-c57d6bbf3500
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Appvlp

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Application Virtualization Utility Included with Microsoft Office 2016

Author: Oddvar Moe

Paths:
* C:\Program Files\Microsoft Office\root\client\appvlp.exe
* C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe

Resources:
* https://github.com/MoooKitty/Code-Execution
* https://twitter.com/moo_hax/status/892388990686347264
* https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
* https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/

Detection:
* Sigma: proc_creation_win_lolbin_appvlp.yml [Appvlp.exe - LOLBAS Project]

Internal MISP references

UUID 1328ae5d-7220-46bb-a7ee-0c5a31eeda7f can be used as a unique global reference for Appvlp in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5206
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Aria-body

Aria-body is a custom backdoor that has been used by Naikon since approximately 2017.[CheckPoint Naikon May 2020]

Internal MISP references

UUID 7ba79887-d496-47aa-8b71-df7f46329322 can be used as a unique global reference for Aria-body in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0456
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

arp.exe - Associated Software

Internal MISP references

UUID 993a4563-9d3f-41b3-b677-430dbaf9bf30 can be used as a unique global reference for arp.exe - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id 1a897efb-d18b-4e39-a7e0-73d995ee0e5a
Related clusters

To see the related clusters, click here.

Arp

Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache. [TechNet Arp]

Internal MISP references

UUID 45b51950-6190-4572-b1a2-7c69d865251e can be used as a unique global reference for Arp in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S0099
source MITRE
tags ['509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Aspnet_Compiler.exe - Associated Software

[Aspnet_Compiler.exe - LOLBAS Project]

Internal MISP references

UUID dd35fa20-68de-455d-8994-914b23cf51a6 can be used as a unique global reference for Aspnet_Compiler.exe - Associated Software in MISP communities and other software using the MISP galaxy.

Associated metadata
Metadata key Value
id 6274b140-4eaf-42ed-9b08-ed971779ac2e
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Aspnet_Compiler

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: ASP.NET Compilation Tool

Author: Jimmy (@bohops)

Paths:
* c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
* c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Resources:
* https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
* https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8

Detection:
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* Sigma: proc_creation_win_lolbin_aspnet_compiler.yml [Aspnet_Compiler.exe - LOLBAS Project]

Internal MISP references

UUID 42763dde-8226-4f31-a3ba-face2da84dd2 which can be used as unique global reference for Aspnet_Compiler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5084
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

ASPXTool - Associated Software

Internal MISP references

UUID 70694414-648a-487b-8eaf-beb2cc5ea348 which can be used as unique global reference for ASPXTool - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 22f3ef46-ae31-45c9-8c4a-7be682c2a7ea
Related clusters

To see the related clusters, click here.

ASPXSpy

ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [Dell TG-3390]

Internal MISP references

UUID a0cce010-9158-45e5-978a-f002e5c31a03 which can be used as unique global reference for ASPXSpy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0073
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Guildma - Associated Software

[Securelist Brazilian Banking Malware July 2020]

Internal MISP references

UUID 02f01a87-3a6f-4344-9241-653118990361 which can be used as unique global reference for Guildma - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id f49f4dfa-0011-4a27-9f13-ebd4b7b6eb0a
Related clusters

To see the related clusters, click here.

Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [Cybereason Astaroth Feb 2019][Cofense Astaroth Sept 2018][Securelist Brazilian Banking Malware July 2020]

Internal MISP references

UUID ea719a35-cbe9-4503-873d-164f68ab4544 which can be used as unique global reference for Astaroth in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0373
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

AsyncRAT

AsyncRAT is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.[Morphisec Snip3 May 2021][Cisco Operation Layover September 2021][Telefonica Snip3 December 2021]

Internal MISP references

UUID d587efff-4699-51c7-a4cc-bdbd1b302ed4 which can be used as unique global reference for AsyncRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1087
source MITRE
tags ['fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444']
type ['tool']
Related clusters

To see the related clusters, click here.

at.exe - Associated Software

Internal MISP references

UUID 96ce505e-9144-473a-b197-0846ae712de8 which can be used as unique global reference for at.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id d731100e-185c-488b-8861-cd5a71f11475
Related clusters

To see the related clusters, click here.

at

at is used to schedule tasks on a system to run at a specified date or time.[TechNet At][Linux at]

Internal MISP references

UUID af01dc7b-a2bc-4fda-bbfe-d2be889c2860 which can be used as unique global reference for at in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S0110
source MITRE
tags ['5bc4c6c6-36df-4a53-920c-53e17d7027db', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Atbroker.exe - Associated Software

[Atbroker.exe - LOLBAS Project]

Internal MISP references

UUID 15e08d84-1977-4cc5-a73a-bd1cadff4bf0 which can be used as unique global reference for Atbroker.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 501b5a8f-93c2-4627-8944-52d0b80d91ad
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Atbroker

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Helper binary for Assistive Technology (AT)

Author: Oddvar Moe

Paths:
* C:\Windows\System32\Atbroker.exe
* C:\Windows\SysWOW64\Atbroker.exe

Resources:
* http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/

Detection:
* Sigma: proc_creation_win_lolbin_susp_atbroker.yml
* Sigma: registry_event_susp_atbroker_change.yml
* IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
* IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
* IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
[Atbroker.exe - LOLBAS Project]
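The two registry locations in the detection notes above can be audited offline from a registry export. The following is an added example, not code from the LOLBAS project or from Tidal Cyber: it parses a constructed .reg export of HKLM\...\Accessibility\ATs and HKCU\...\Accessibility\Configuration and flags Assistive Technology registrations whose name is not in a baseline of built-in ATs, whose launch executable lives outside System32, or which the per-user Configuration value would start at logon. The value names StartExe and ATExe, the rule that a bare file name resolves from System32, and the baseline list are assumptions about a default Windows install; a real export stores REG_EXPAND_SZ values as hex(2) data, which this minimal REG_SZ parser does not decode.

```python
"""Audit the registry keys that Atbroker.exe consults before starting an AT.

Added example, not code from the LOLBAS project or Tidal Cyber. The .reg
text below is constructed; the value names StartExe/ATExe, the baseline of
built-in AT names and the "bare name lives in System32" rule are assumptions
about a default Windows install. Real exports store REG_EXPAND_SZ values as
hex(2) data, which this minimal REG_SZ parser does not decode.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

ATS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs"
CONFIG_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility"

# Assumption: AT names registered on a default install; anything else deserves a look.
KNOWN_ATS = {"animations", "audiodescription", "caretbrowsing", "colorfiltering",
             "cursorindicator", "filterkeys", "highcontrast", "keyboardcues",
             "magnifierpane", "mousekeys", "Narrator", "osk", "stickykeys",
             "togglekeys", "windowtracking"}
SYSTEM32 = ("%windir%\\system32\\", "c:\\windows\\system32\\")

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


@dataclass
class RegKey:
    path: str
    values: dict = field(default_factory=dict)


def parse_reg_export(text: str) -> list:
    """Collect REG_SZ values per key from 'Windows Registry Editor' export text."""
    keys, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = RegKey(key_match.group("path"))
            keys.append(current)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            # .reg files escape quotes and backslashes inside string data
            data = value_match.group("data").replace('\\"', '"').replace("\\\\", "\\")
            current.values[value_match.group("name")] = data
    return keys


def at_name(path: str) -> Optional[str]:
    """Name of the AT if path is a direct child of the ATs key, else None."""
    prefix = ATS_KEY.lower() + "\\"
    tail = path[len(prefix):]
    if path.lower().startswith(prefix) and tail and "\\" not in tail:
        return tail
    return None


def audit(keys: list) -> list:
    """Return (key path, reason) pairs for registrations worth investigating."""
    findings = []
    for key in keys:
        name = at_name(key.path)
        if name is not None:
            exe = key.values.get("StartExe") or key.values.get("ATExe") or ""
            if exe and "\\" not in exe:
                exe = "%windir%\\System32\\" + exe   # assumption: bare names resolve here
            if name not in KNOWN_ATS:
                findings.append((key.path, "AT name not in baseline"))
            if exe and not exe.lower().startswith(SYSTEM32):
                findings.append((key.path, "launch path outside System32: " + exe))
        elif key.path.lower() == CONFIG_KEY.lower():
            # Comma-separated list of ATs that ATBroker starts for this user
            for at in key.values.get("Configuration", "").split(","):
                at = at.strip()
                if at and at not in KNOWN_ATS:
                    findings.append((key.path, "Configuration starts unknown AT: " + at))
    return findings


# Constructed sample; a real one comes from: reg export "HKLM\...\Accessibility\ATs" ats.reg
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\Narrator]
"Description"="Narrator"
"StartExe"="%windir%\\System32\\Narrator.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\osk]
"StartExe"="osk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware]
"Description"="Update helper"
"StartExe"="C:\\Users\\Public\\update.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility]
"Configuration"="malware"
"""

if __name__ == "__main__":
    for where, why in audit(parse_reg_export(SAMPLE_REG)):
        print(where, "->", why)
```

Run against the constructed export, the audit reports nothing for Narrator and osk and three findings for the "malware" registration: an unknown AT name, a launch path under C:\Users\Public, and a per-user Configuration value that would start it. Feed it the output of `reg export` for both keys on a suspect host to get the same view from real data.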

Internal MISP references

UUID 2efae55c-86f3-4234-af26-1c75e922d81a which can be used as unique global reference for Atbroker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5085
source Tidal Cyber
tags ['85a29262-64bd-443c-9e08-3ee26aac859b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Atera Agent

Atera Agent is a legitimate remote administration tool (specifically a remote management and maintenance ("RMM") solution) that adversaries have used as a command and control tool for remote code execution, tool ingress, and persisting in victim environments.[U.S. CISA PaperCut May 2023]

Internal MISP references

UUID f8113a9f-a706-46df-8370-a9cef1c75f30 which can be used as unique global reference for Atera Agent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5014
source Tidal Cyber
tags ['fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '9a5ed991-6fe7-49fe-8536-91defc449b18', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

Attor

Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.[ESET Attor Oct 2019]

Internal MISP references

UUID 89c35e9f-b435-4f58-9073-f24c1ee8754f which can be used as unique global reference for Attor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0438
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Roptimizer - Associated Software

[TrendMicro Lazarus Nov 2018]

Internal MISP references

UUID cf4b3cc1-c60a-43ac-8599-fce5dbade473 which can be used as unique global reference for Roptimizer - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 259e2844-8b29-4310-abbb-44e3985586a0
Related clusters

To see the related clusters, click here.

AuditCred

AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[TrendMicro Lazarus Nov 2018]

Internal MISP references

UUID d0c25f14-5eb3-40c1-a890-2ab1349dff53 which can be used as unique global reference for AuditCred in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0347
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

AutoIt backdoor

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [Forcepoint Monsoon] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

Internal MISP references

UUID 3f927596-5219-49eb-bd0d-57068b0e04ed which can be used as unique global reference for AutoIt backdoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0129
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

AuTo Stealer

AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[MalwareBytes SideCopy Dec 2021]

Internal MISP references

UUID 649a4cfc-c0d0-412d-a28c-1bd4ed604ea8 which can be used as unique global reference for AuTo Stealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1029
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Avaddon

Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.[Awake Security Avaddon][Arxiv Avaddon Feb 2021]

Internal MISP references

UUID bad92974-35f6-4183-8024-b629140c6ee6 which can be used as unique global reference for Avaddon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0640
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Avenger

Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID e5ca0192-e905-46a1-abef-ce1119c1f967 which can be used as unique global reference for Avenger in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0473
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

AvosLocker

AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[Malwarebytes AvosLocker Jul 2021][Trend Micro AvosLocker Apr 2022][Joint CSA AvosLocker Mar 2022]

Internal MISP references

UUID e792dc8d-b0f4-5916-8850-a61ff53125d0 which can be used as unique global reference for AvosLocker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S1053
source MITRE
tags ['c3779a84-8132-4c62-be2f-9312ad41c273', 'ce9f1048-09c1-49b0-a109-dd604afbf3cd', 'fe3eb26d-6daa-4f82-b0dd-fc1e2fffbc2b', '9e4936f0-e3b7-4721-a638-58b2d093b2f2', '24448a05-2337-4bc9-a889-a83f2fd1f3ad', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Azorult

Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [Unit42 Azorult Nov 2018][Proofpoint Azorult July 2018]

Internal MISP references

UUID cc68a7f0-c955-465f-bee0-2dacbb179078 which can be used as unique global reference for Azorult in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0344
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Babyk - Associated Software

[Sogeti CERT ESEC Babuk March 2021][McAfee Babuk February 2021][Trend Micro Ransomware February 2021]

Internal MISP references

UUID b9d20905-d9b0-41e8-8012-52cab3e626f1 which can be used as unique global reference for Babyk - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b3ed8082-31ae-4614-8562-07f5ae639e0d
Related clusters

To see the related clusters, click here.

Vasa Locker - Associated Software

[Sogeti CERT ESEC Babuk March 2021][McAfee Babuk February 2021]

Internal MISP references

UUID 30583664-1270-4dab-bff3-83f394740ca8 which can be used as unique global reference for Vasa Locker - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4112f232-14ce-4bc8-b340-4f1614ceef03
Related clusters

To see the related clusters, click here.

Babuk

Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[Sogeti CERT ESEC Babuk March 2021][McAfee Babuk February 2021][CyberScoop Babuk February 2021]

Internal MISP references

UUID 0dc07eb9-66df-4116-b1bc-7020ca6395a1 which can be used as unique global reference for Babuk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0638
source MITRE
tags ['b5962a84-f1c7-4d0d-985c-86301db95129', '12124060-8392-49a3-b7b7-1dde3ebc8e67', '915e7ac2-b266-45d7-945c-cb04327d6246', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'a2e000da-8181-4327-bacd-32013dbd3654']
type ['malware']
Related clusters

To see the related clusters, click here.

BabyShark

BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. [Unit42 BabyShark Feb 2019]

Internal MISP references

UUID ebb824a2-abff-4bfd-87f0-d63cb02b62e6 which can be used as unique global reference for BabyShark in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0414
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

BackConfig

BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.[Unit 42 BackConfig May 2020]

Internal MISP references

UUID 2763ad8c-cf4e-42eb-88db-a40ff8f96cf9 which can be used as unique global reference for BackConfig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0475
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Havex - Associated Software

Internal MISP references

UUID 044ca42d-c9cf-4f75-b119-1df3c80a3afd which can be used as unique global reference for Havex - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id cefb8684-f2de-48a7-a76f-15823a6f5410
Related clusters

To see the related clusters, click here.

Backdoor.Oldrea

Backdoor.Oldrea is a modular backdoor used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[Symantec Dragonfly][Gigamon Berserk Bear October 2021][Symantec Dragonfly Sept 2017]

Internal MISP references

UUID f7cc5974-767c-4cb4-acc7-36295a386ce5 which can be used as unique global reference for Backdoor.Oldrea in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0093
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Lecna - Associated Software

Internal MISP references

UUID 4f538bd5-3e2a-44f7-b58e-97219284df55 which can be used as unique global reference for Lecna - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id a258d65f-c9ee-4074-9cfd-710dbb0d2c05
Related clusters

To see the related clusters, click here.

BACKSPACE

BACKSPACE is a backdoor used by APT30 that dates back to at least 2005. [FireEye APT30]

Internal MISP references

UUID d0daaa00-68e1-4568-bb08-3f28bcd82c63 which can be used as unique global reference for BACKSPACE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0031
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Backstab

Backstab is a tool used to terminate antimalware-protected processes.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 5a9a7a54-21cb-4a5c-bef0-d37f8678bf46 which can be used as unique global reference for Backstab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5026
source Tidal Cyber
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

BADCALL

BADCALL is a Trojan malware variant used by the group Lazarus Group. [US-CERT BADCALL]

Internal MISP references

UUID d7aa53a5-0912-4952-8f7f-55698e933c3b which can be used as unique global reference for BADCALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0245
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BADFLICK

BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.[FireEye Periscope March 2018][Accenture MUDCARP March 2019]

Internal MISP references

UUID 8c454294-81cb-45d0-b299-818994ad3e6f which can be used as unique global reference for BADFLICK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0642
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

BADHATCH

BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.[Gigamon BADHATCH Jul 2019][BitDefender BADHATCH Mar 2021]

Internal MISP references

UUID 16481e0f-49d5-54c1-a1fe-16d9e7f8d08c which can be used as unique global reference for BADHATCH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1081
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BADNEWS

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. [Forcepoint Monsoon] [TrendMicro Patchwork Dec 2017]

Internal MISP references

UUID 34c24d27-c779-42a4-9f61-3f0d3fea6fd4 which can be used as unique global reference for BADNEWS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0128
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BadPatch

BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.[Unit 42 BadPatch Oct 2017]

Internal MISP references

UUID 10e76722-4b52-47f6-9276-70e95fecb26b which can be used as unique global reference for BadPatch in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0337
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Win32/Diskcoder.D - Associated Software

Internal MISP references

UUID 1679c995-7141-40ac-a327-b5afc8f275c8 which can be used as unique global reference for Win32/Diskcoder.D - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 98c81574-1f3f-49fa-8f03-b5462bb3fc5d
Related clusters

To see the related clusters, click here.

Bad Rabbit

Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [Secure List Bad Rabbit][ESET Bad Rabbit][Dragos IT ICS Ransomware]

Internal MISP references

UUID a1d86d8f-fa48-43aa-9833-7355750e455c which can be used as unique global reference for Bad Rabbit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0606
source MITRE
tags ['5a463cb3-451d-47f7-93e4-1886150697ce', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Bandook

Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[EFF Manul Aug 2016][Lookout Dark Caracal Jan 2018][CheckPoint Bandook Nov 2020]

Internal MISP references

UUID 5c0f8c35-88ff-40a1-977a-af5ce534e932 which can be used as unique global reference for Bandook in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0234
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Trojan Manuscript - Associated Software

[McAfee Bankshot]

Internal MISP references

UUID 0bcd5b61-4408-4a35-9b8f-310cd23a4ca2 which can be used as unique global reference for Trojan Manuscript - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id d00a70a9-1cc3-4a56-8977-43071092e5bc
Related clusters

To see the related clusters, click here.

Bankshot

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. [McAfee Bankshot]

Internal MISP references

UUID 24b8471d-698f-48cc-b47a-8fbbaf28b293 which can be used as unique global reference for Bankshot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0239
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

Bash.exe - Associated Software

[Bash.exe - LOLBAS Project]

Internal MISP references

UUID fe0ff225-66b8-4629-86e3-9b4ce9bf6eb8 which can be used as unique global reference for Bash.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 233f9470-8e08-4b6a-830e-0a7c2e155a12
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Bash

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: File used by Windows subsystem for Linux

Author: Oddvar Moe

Paths:
* C:\Windows\System32\bash.exe
* C:\Windows\SysWOW64\bash.exe

Resources:
* https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Detection:
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* Sigma: proc_creation_win_lolbin_bash.yml
* IOC: Child process from bash.exe
[Bash.exe - LOLBAS Project]

Internal MISP references

UUID cef3a09e-22ca-43dc-ad4a-95741a3b85ff which can be used as unique global reference for Bash in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5086
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Bat Armor

Bat Armor is a tool used to generate .bat files using PowerShell scripts.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 628037d4-962d-4f58-b32d-241d739bc62d which can be used as unique global reference for Bat Armor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5027
source Tidal Cyber
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Team9 - Associated Software

[Cybereason Bazar July 2020][NCC Group Team9 June 2020]

Internal MISP references

UUID 480398ef-e3b0-4434-b409-bc6bae0a56ea which can be used as unique global reference for Team9 - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 471782a4-33da-4135-bf78-36c8edc02d02
Related clusters

To see the related clusters, click here.

KEGTAP - Associated Software

[FireEye KEGTAP SINGLEMALT October 2020][CrowdStrike Wizard Spider October 2020]

Internal MISP references

UUID 7de93c0d-efb9-481c-b1dc-ea5d786c47f9 which can be used as unique global reference for KEGTAP - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id cbebbbcc-31a5-4434-9f0a-4c88ae9a6044
Related clusters

To see the related clusters, click here.

Bazar

Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[Cybereason Bazar July 2020]

Internal MISP references

UUID b35d9817-6ead-4dbd-a2fa-4b8e217f8eac which can be used as unique global reference for Bazar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0534
source MITRE
tags ['818c3d93-c010-44f4-82bc-b63b4bc6c3c2', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

BBK

BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID 3daa5ae1-464e-4c0a-aa46-15264a2a0126 which can be used as unique global reference for BBK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0470
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

BBSRAT

BBSRAT is malware with remote access tool functionality that has been used in targeted compromises. [Palo Alto Networks BBSRAT]

Internal MISP references

UUID be4dab36-d499-4ac3-b204-5e309e3a5331 which can be used as unique global reference for BBSRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0127
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BendyBear

BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, BendyBear shares a variety of features with Waterbear, malware previously attributed to the Chinese cyber espionage group BlackTech.[Unit42 BendyBear Feb 2021]

Internal MISP references

UUID a114a498-fcfd-4e0a-9d1e-e26750d71af8 which can be used as unique global reference for BendyBear in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0574
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Bginfo.exe - Associated Software

[Bginfo.exe - LOLBAS Project]

Internal MISP references

UUID 0a62aa36-aeba-4d97-bddb-d24cdb7d6093 which can be used as unique global reference for Bginfo.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e85eca74-ca92-4480-8a4b-4a82efdbcd9c
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Bginfo

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Background Information Utility included with SysInternals Suite

Author: Oddvar Moe

Paths:
* No fixed path

Resources:
* https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/

Detection:
* Sigma: proc_creation_win_lolbin_bginfo.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

[Bginfo.exe - LOLBAS Project]

Internal MISP references

UUID fe926654-0cff-4e8e-b192-2fa1eb8a9a67 which can be used as unique global reference for Bginfo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5207
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

BianLian Ransomware (Backdoor)

This Software object represents the custom backdoor tool used during intrusions conducted by the BianLian Ransomware Group.[U.S. CISA BianLian Ransomware May 2023][BianLian Ransomware Gang Gives It a Go! | [redacted]]

Delivers: TeamViewer[U.S. CISA BianLian Ransomware May 2023], Atera Agent[U.S. CISA BianLian Ransomware May 2023], Splashtop[U.S. CISA BianLian Ransomware May 2023], AnyDesk[U.S. CISA BianLian Ransomware May 2023]

Internal MISP references

UUID a4fb341d-8010-433f-b8f1-a8781f961435 which can be used as unique global reference for BianLian Ransomware (Backdoor) in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5001
source Tidal Cyber
tags ['35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

BISCUIT

BISCUIT is a backdoor that has been used by APT1 since as early as 2007. [Mandiant APT1]

Internal MISP references

UUID 3ad98097-2d10-4aa1-9594-7e74828a3643 which can be used as unique global reference for BISCUIT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0017
source MITRE
type ['malware']

Bisonal

Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.[Unit 42 Bisonal July 2018][Talos Bisonal Mar 2020]

Internal MISP references

UUID b898816e-610f-4c2f-9045-d9f28a54ee58 which can be used as unique global reference for Bisonal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0268
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

FriedEx - Associated Software

[Crowdstrike Indrik November 2018]

Internal MISP references

UUID cf8ab2a9-cef3-450b-ba43-5611d3202347 which can be used as unique global reference for FriedEx - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3e6794a0-c8bb-4163-990b-4bfad4a7d30b

wp_encrypt - Associated Software

[Crowdstrike Indrik November 2018]

Internal MISP references

UUID 3591563f-70f1-4bbc-aef8-7aa686e0fd48 which can be used as unique global reference for wp_encrypt - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 30685f08-6fdb-42f6-88df-abf40c6afdd5

BitPaymer

BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.[Crowdstrike Indrik November 2018]

Internal MISP references

UUID e7dec940-8701-4c06-9865-5b11c61c046d which can be used as unique global reference for BitPaymer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0570
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Bitsadmin.exe - Associated Software

Internal MISP references

UUID 0f4e83eb-bc61-485f-8e30-f28a051996fa which can be used as unique global reference for Bitsadmin.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 782fe1fa-34e1-46b2-9c5c-e25c2f1ffb63
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

BITSAdmin

BITSAdmin is a command line tool used to create and manage BITS Jobs. [Microsoft BITSAdmin]

Internal MISP references

UUID 52a20d3d-1edd-4f17-87f0-b77c67d260b4 which can be used as unique global reference for BITSAdmin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0190
source MITRE
tags ['fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '10d09438-9ea5-405d-9b3a-36d351b5a5d9', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Black Basta

Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. Black Basta operations have included the double extortion technique where, in addition to demanding ransom for decrypting the files of targeted organizations, the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group.[Palo Alto Networks Black Basta August 2022][Deep Instinct Black Basta August 2022][Minerva Labs Black Basta May 2022][Avertium Black Basta June 2022][NCC Group Black Basta June 2022][Cyble Black Basta May 2022]

Internal MISP references

UUID 0d5b24ba-68dc-50fa-8268-3012180fe374 which can be used as unique global reference for Black Basta in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1070
source MITRE
tags ['fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', 'dea4388a-b1f2-4f2a-9df9-108631d0d078', '2743d495-7728-4a75-9e5f-b64854039792', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

ALPHV - Associated Software

[Microsoft BlackCat Jun 2022][ACSC BlackCat Apr 2022]

Internal MISP references

UUID e7af71b4-73c3-405a-9521-d239aa60eb20 which can be used as unique global reference for ALPHV - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 542586e8-8af1-5926-a8af-3873ab660aa7

Noberus - Associated Software

[ACSC BlackCat Apr 2022]

Internal MISP references

UUID 1db491da-16a4-4a9c-9b7c-c7e46f1a1dd0 which can be used as unique global reference for Noberus - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id a06013db-96b2-55d3-b677-bcb3a0c2b178

BlackCat

BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[Microsoft BlackCat Jun 2022][Sophos BlackCat Jul 2022][ACSC BlackCat Apr 2022]

Internal MISP references

UUID 691369e5-ef74-5ff9-bc20-34efeb4b6c5b which can be used as unique global reference for BlackCat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S1068
source MITRE
tags ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

BLACKCOFFEE

BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. [FireEye APT17] [FireEye Periscope March 2018]

Internal MISP references

UUID e85e2fca-9347-4448-bfc1-342f29d5d6a1 which can be used as unique global reference for BLACKCOFFEE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0069
source MITRE
type ['malware']

Black Energy - Associated Software

Internal MISP references

UUID 2efd4571-2913-4ea3-95f8-b2e1aef4f953 which can be used as unique global reference for Black Energy - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 8e7fda99-b472-456c-a777-fe2163aa9a94

BlackEnergy

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. [F-Secure BlackEnergy 2014]

Internal MISP references

UUID 908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f which can be used as unique global reference for BlackEnergy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0089
source MITRE
type ['malware']

BlackMould

BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.[Microsoft GALLIUM December 2019]

Internal MISP references

UUID da348a51-d047-4144-9ba4-34d2ce964a11 which can be used as unique global reference for BlackMould in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0564
source MITRE
type ['malware']

BLINDINGCAN

BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.[US-CERT BLINDINGCAN Aug 2020][NHS UK BLINDINGCAN Aug 2020]

Internal MISP references

UUID 1af8ea81-40df-4fba-8d63-1858b8b31217 which can be used as unique global reference for BLINDINGCAN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0520
source MITRE
type ['malware']

BloodHound

BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[GitHub Bloodhound][CrowdStrike BloodHound April 2018][FoxIT Wocao December 2019]

Internal MISP references

UUID 72658763-8077-451e-8572-38858f8cacf3 which can be used as unique global reference for BloodHound in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0521
source MITRE
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']

BLUELIGHT

BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.[Volexity InkySquid BLUELIGHT August 2021]

Internal MISP references

UUID 3aaaaf86-638b-4a65-be18-c6e6dcdcdb97 which can be used as unique global reference for BLUELIGHT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0657
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Bonadan

Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.[ESET ForSSHe December 2018]

Internal MISP references

UUID 3793db4b-f843-4cfd-89d2-ec28b62feda5 which can be used as unique global reference for Bonadan in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0486
source MITRE
type ['malware']

BONDUPDATER

BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[FireEye APT34 Dec 2017][Palo Alto OilRig Sep 2018]

Internal MISP references

UUID d8690218-5272-47d8-8189-35d3b518e66f which can be used as unique global reference for BONDUPDATER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0360
source MITRE
type ['malware']

BoomBox

BoomBox is a downloader responsible for executing next stage components that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]

Internal MISP references

UUID 9d393f6f-855e-4348-8a26-008174e3605a which can be used as unique global reference for BoomBox in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0635
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

BOOSTWRITE

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[FireEye FIN7 Oct 2019]

Internal MISP references

UUID 74a73624-d53b-4c84-a14b-8ae964fd577c which can be used as unique global reference for BOOSTWRITE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0415
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

BOOTRASH

BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.[Mandiant M Trends 2016][FireEye Bootkits][FireEye BOOTRASH SANS]

Internal MISP references

UUID d47a4753-80f5-494e-aad7-d033aaff0d6d which can be used as unique global reference for BOOTRASH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0114
source MITRE
type ['malware']

BoxCaon

BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.[Checkpoint IndigoZebra July 2021]

Internal MISP references

UUID d3e46011-3433-426c-83b3-61c2576d5f71 which can be used as unique global reference for BoxCaon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0651
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

Brave Prince

Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. [McAfee Gold Dragon]

Internal MISP references

UUID 51b27e2c-c737-4006-a657-195ea1a1f4f0 which can be used as unique global reference for Brave Prince in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0252
source MITRE
type ['malware']

Briba

Briba is a trojan used by Elderwood to open a backdoor and download files onto compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Briba May 2012]

Internal MISP references

UUID 7942783c-73a7-413c-94d1-8981029a1c51 which can be used as unique global reference for Briba in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0204
source MITRE
type ['malware']

BRc4 - Associated Software

[Palo Alto Brute Ratel July 2022]

Internal MISP references

UUID afc6d47c-4375-47c6-bc69-ae0faf2df0bd which can be used as unique global reference for BRc4 - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id dba68385-7251-5f62-a90d-391e1e47ee70

Brute Ratel C4

Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.[Dark Vortex Brute Ratel C4][Palo Alto Brute Ratel July 2022][MDSec Brute Ratel August 2022][SANS Brute Ratel October 2022][Trend Micro Black Basta October 2022]

Internal MISP references

UUID 23043b44-69a6-5cdf-8f60-5a68068680c7 which can be used as unique global reference for Brute Ratel C4 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1063
source MITRE
type ['tool']

BS2005

BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011. [Mandiant Operation Ke3chang November 2014]

Internal MISP references

UUID c9e773de-0213-4b64-83fb-637060c8b5ed which can be used as unique global reference for BS2005 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0014
source MITRE
type ['malware']

Backdoor.APT.FakeWinHTTPHelper - Associated Software

Internal MISP references

UUID ad8fc8bb-3562-4a56-b132-be625b1dc208 which can be used as unique global reference for Backdoor.APT.FakeWinHTTPHelper - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id bc902752-8e2e-4037-9147-b3c6ff297539

BUBBLEWRAP

BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. [FireEye admin@338]

Internal MISP references

UUID 2be4e3d2-e8c5-4406-8041-2c17bdb3a547 which can be used as unique global reference for BUBBLEWRAP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0043
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

build_downer

build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9 which can be used as unique global reference for build_downer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0471
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

Bumblebee

Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.[Google EXOTIC LILY March 2022][Proofpoint Bumblebee April 2022][Symantec Bumblebee June 2022]

Internal MISP references

UUID cc155181-fb34-4aaf-b083-b7b57b140b7a which can be used as unique global reference for Bumblebee in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1039
source MITRE
tags ['aa983c81-e54b-49b3-b0dd-53cf950825b8', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

OSX.Bundlore - Associated Software

[MacKeeper Bundlore Apr 2019]

Internal MISP references

UUID 2fc667d6-96ca-4414-95d7-3ce49383508a which can be used as unique global reference for OSX.Bundlore - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 2c496adc-9061-4675-83a6-e53a8a5e6088

Bundlore

Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.[MacKeeper Bundlore Apr 2019]

Internal MISP references

UUID e9873bf1-9619-4c62-b4cf-1009e83de186 which can be used as unique global reference for Bundlore in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0482
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

Cachedump

Cachedump is a publicly available tool that extracts cached password hashes from a system's registry. [Mandiant APT1]

Internal MISP references

UUID 7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc which can be used as unique global reference for Cachedump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0119
source MITRE
type ['tool']

CaddyWiper

CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[ESET CaddyWiper March 2022][Cisco CaddyWiper March 2022]

Internal MISP references

UUID 62d0ddcd-790d-4d2d-9d94-276f54b40cf0 which can be used as unique global reference for CaddyWiper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0693
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']

Cadelspy

Cadelspy is a backdoor that has been used by APT39.[Symantec Chafer Dec 2015]

Internal MISP references

UUID c8a51b39-6906-4381-9bb4-4e9e612aa085 which can be used as unique global reference for Cadelspy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0454
source MITRE
type ['malware']

CALENDAR

CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic. [Mandiant APT1]

Internal MISP references

UUID ad859a79-c183-44f6-a89a-f734710672a9 which can be used as unique global reference for CALENDAR in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0025
source MITRE
type ['malware']

Calisto

Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to have first been developed in 2016. [Securelist Calisto July 2018] [Symantec Calisto July 2018]

Internal MISP references

UUID 6b5b408c-4f9d-4137-bfb1-830d12e9736c which can be used as unique global reference for Calisto in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0274
source MITRE
type ['malware']

CallMe

CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. [Scarlet Mimic Jan 2016]

Internal MISP references

UUID 352ee271-89e6-4d3f-9c26-98dbab0e2986 which can be used as unique global reference for CallMe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0077
source MITRE
type ['malware']

Cannon

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [Unit42 Cannon Nov 2018][Unit42 Sofacy Dec 2018]

Internal MISP references

UUID 790e931d-2571-496d-9f48-322774a7d482 which can be used as unique global reference for Cannon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0351
source MITRE
type ['malware']

Anunak - Associated Software

[Fox-It Anunak Feb 2015] [FireEye CARBANAK June 2017]

Internal MISP references

UUID b0ac8d42-1536-4b96-b0d5-8052308d2177 which can be used as unique global reference for Anunak - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id be99b5bb-731e-4040-9912-985c893fab6b

Carbanak

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [Kaspersky Carbanak] [FireEye CARBANAK June 2017]

Internal MISP references

UUID 4cb9294b-9e4c-41b9-b640-46213a01952d which can be used as unique global reference for Carbanak in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0030
source MITRE
type ['malware']

Carberp

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.[Trend Micro Carberp February 2014][Kaspersky Carbanak][RSA Carbanak November 2017]

Internal MISP references

UUID df9491fd-5e24-4548-8e21-1268dce59d1f which can be used as unique global reference for Carberp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0484
source MITRE
type ['malware']

Carbon

Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[ESET Carbon Mar 2017][Securelist Turla Oct 2018]

Internal MISP references

UUID 61f5d19c-1da2-43d1-ab20-51eacbca71f2 which can be used as unique global reference for Carbon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0335
source MITRE
type ['malware']

Cardinal RAT

Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[PaloAlto CardinalRat Apr 2017]

Internal MISP references

UUID fa23acef-3034-43ee-9610-4fc322f0d80b which can be used as unique global reference for Cardinal RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0348
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']

CARROTBALL

CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.[Unit 42 CARROTBAT January 2020]

Internal MISP references

UUID 84bb4068-b441-435e-8535-02a458ffd50b which can be used as unique global reference for CARROTBALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0465
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['tool']

CARROTBAT

CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.[Unit 42 CARROTBAT November 2018][Unit 42 CARROTBAT January 2020]

Internal MISP references

UUID aefa893d-fc6e-41a9-8794-2700049db9e5 which can be used as unique global reference for CARROTBAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0462
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Catchamas

Catchamas is a Windows Trojan that steals information from compromised systems. [Symantec Catchamas April 2018]

Internal MISP references

UUID 04deccb5-9850-45c3-a900-5d7039a94190 which can be used as unique global reference for Catchamas in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0261
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Caterpillar WebShell

Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.[ClearSky Lebanese Cedar Jan 2021]

Internal MISP references

UUID ee88afaa-88bc-4c20-906f-332866388549 which can be used as unique global reference for Caterpillar WebShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0572
source MITRE
tags ['311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

CC-Attack

CC-Attack is a publicly available script that automates the use of open, external proxy servers as part of denial of service flood attacks. Its use has been promoted among the members of the Killnet hacktivist collective.[Flashpoint Glossary Killnet]

Internal MISP references

UUID 7664bfa5-8477-4903-9103-1144113fca36 which can be used as unique global reference for CC-Attack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'Windows']
software_attack_id S5062
source Tidal Cyber
tags ['62bde669-3020-4682-be68-36c83b2588a4']
type ['malware']
Related clusters

To see the related clusters, click here.

CCBkdr

CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. [Talos CCleanup 2017] [Intezer Aurora Sept 2017]

Internal MISP references

UUID 4eb0720c-7046-4ff1-adfd-ae603506e499 which can be used as unique global reference for CCBkdr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0222
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55']
type ['malware']
Related clusters

To see the related clusters, click here.

ccf32

ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[Bitdefender FunnyDream Campaign November 2020]

Internal MISP references

UUID e00c2a0c-bbe5-4eff-b0ad-b2543456a317 which can be used as unique global reference for ccf32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1043
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cdb.exe - Associated Software

[Cdb.exe - LOLBAS Project]

Internal MISP references

UUID 4e9c6329-2df3-4815-bf21-8f18de3046b0 which can be used as unique global reference for Cdb.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 0b731b6d-60a7-4944-bf04-834591161b22
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Cdb

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Debugging tool included with Windows Debugging Tools.

Author: Oddvar Moe

Paths:
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe

Resources:
* http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
* https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
* https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
* https://mrd0x.com/the-power-of-cdb-debugging-tool/
* https://twitter.com/nas_bench/status/1534957360032120833

Detection:
* Sigma: proc_creation_win_lolbin_cdb.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

[Cdb.exe - LOLBAS Project]

Internal MISP references

UUID d9ea2696-7c47-44cd-8784-9aeef5e149ea which can be used as unique global reference for Cdb in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5208
source Tidal Cyber
tags ['4479b9e9-d912-451a-9ad5-08b3d922422d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

CertOC.exe - Associated Software

[CertOC.exe - LOLBAS Project]

Internal MISP references

UUID 53a36e49-d37d-4572-9f4c-f738db27d9a5 which can be used as unique global reference for CertOC.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id fbc3a6a8-5031-4aa5-8514-efbad5f87d4b
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

CertOC

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used for installing certificates

Author: Ensar Samil

Paths:
* c:\windows\system32\certoc.exe
* c:\windows\syswow64\certoc.exe

Resources:
* https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
* https://twitter.com/sblmsrsn/status/1452941226198671363?s=20

Detection:
* Sigma: proc_creation_win_certoc_load_dll.yml
* IOC: Process creation with given parameter
* IOC: Unsigned DLL load via certoc.exe
* IOC: Network connection via certoc.exe

[CertOC.exe - LOLBAS Project]

Internal MISP references

UUID 34e1c197-ac43-4634-9a0d-9148c748f774 which can be used as unique global reference for CertOC in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5087
source Tidal Cyber
tags ['fb909648-ee44-4871-abe6-82c909c4d677', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

CertReq.exe - Associated Software

[CertReq.exe - LOLBAS Project]

Internal MISP references

UUID e15e8ff8-4ca9-4c89-9a3a-b89e41623204 which can be used as unique global reference for CertReq.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 179f9b33-8cc6-489f-9239-e16cb337b1a1
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

CertReq

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used for requesting and managing certificates

Author: David Middlehurst

Paths:
* C:\Windows\System32\certreq.exe
* C:\Windows\SysWOW64\certreq.exe

Resources:
* https://dtm.uk/certreq

Detection:
* Sigma: proc_creation_win_lolbin_susp_certreq_download.yml
* IOC: certreq creates new files
* IOC: certreq makes POST requests

[CertReq.exe - LOLBAS Project]

Internal MISP references

UUID 43050f80-ce28-49e3-aac6-cb3f4a07f4b4 which can be used as unique global reference for CertReq in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5088
source Tidal Cyber
tags ['35a798a2-eaab-48a3-9ee7-5538f36a4172', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

certutil.exe - Associated Software

Internal MISP references

UUID 9d959b69-ce56-418b-b074-90d83062ca28 which can be used as unique global reference for certutil.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id dc2187c3-8ad1-4d87-9c76-2618db516ec0
Related clusters

To see the related clusters, click here.

certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [TechNet Certutil]

Internal MISP references

UUID 2fe21578-ee31-4ee8-b6ab-b5f76f97d043 which can be used as unique global reference for certutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0160
source MITRE
tags ['fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '412da5b4-fb41-40fc-a29a-78dc9119aa75', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Chaes

Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.[Cybereason Chaes Nov 2020]

Internal MISP references

UUID 0c8efcd0-bfdf-4771-8754-18aac836c359 which can be used as unique global reference for Chaes in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0631
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Chaos

Chaos is Linux malware that compromises systems through brute-force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. [Chaos Stolen Backdoor]

Internal MISP references

UUID 92c88765-6b12-42cd-b1d7-f6a65b2236e2 which can be used as unique global reference for Chaos in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0220
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

CharmPower

CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.[Check Point APT35 CharmPower January 2022]

Internal MISP references

UUID b1e3b56f-2e83-4cab-a1c1-16999009d056 which can be used as unique global reference for CharmPower in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0674
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

HAYMAKER - Associated Software

Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named HAYMAKER by FireEye is likely the same as the malware ChChes. [FireEye APT10 April 2017] [Twitter Nick Carr APT10]

Internal MISP references

UUID c65b2f44-b691-46e9-90da-2014a929ab35 which can be used as unique global reference for HAYMAKER - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9ee89ef4-89b7-48c8-ba66-881269735924
Related clusters

To see the related clusters, click here.

Scorpion - Associated Software

[PWC Cloud Hopper Technical Annex April 2017]

Internal MISP references

UUID 0b494f14-2546-4b8f-b688-9472f7e8dc7d which can be used as unique global reference for Scorpion - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 846bba3c-1b5c-4ee7-a31c-d58080beec72
Related clusters

To see the related clusters, click here.

ChChes

ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [Palo Alto menuPass Feb 2017] [JPCERT ChChes Feb 2017] [PWC Cloud Hopper Technical Annex April 2017]

Internal MISP references

UUID 3f2283ef-67c2-49a3-98ac-1aa9f0499361 which can be used as unique global reference for ChChes in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0144
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cherry Picker

Cherry Picker is a point of sale (PoS) memory scraper. [Trustwave Cherry Picker]

Internal MISP references

UUID 2fd6f564-918e-4ee7-920a-2b4be858d11a which can be used as unique global reference for Cherry Picker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0107
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

China Chopper

China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.[Lee 2013] It has been used by several threat groups.[Dell TG-3390][FireEye Periscope March 2018][CISA AA21-200A APT40 July 2021][Rapid7 HAFNIUM Mar 2021]

Internal MISP references

UUID 723c5ab7-23ca-46f2-83bb-f1d1e550122c which can be used as unique global reference for China Chopper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0020
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

Chinoxy

Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.[Bitdefender FunnyDream Campaign November 2020]

Internal MISP references

UUID 7c36563a-9143-4766-8aef-4e1787e18d8c which can be used as unique global reference for Chinoxy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1041
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Chisel

Chisel is an open source tool that can be used for network tunneling.[U.S. CISA AvosLocker October 11 2023] According to its GitHub project page, "Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH".[GitHub Chisel] Threat actors including ransomware operators and nation-state-aligned espionage actors have used Chisel as part of their operations.[U.S. CISA AvosLocker October 11 2023][CISA AA20-259A Iran-Based Actor September 2020]

Internal MISP references

UUID bd2b2375-4f16-42b2-a862-959b5b41c2af which can be used as unique global reference for Chisel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5063
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Chocolatey

Chocolatey is a command-line package manager for Microsoft Windows.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 7a2b00ef-8a37-4901-bf0c-17da0ebf3d69 which can be used as unique global reference for Chocolatey in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5028
source Tidal Cyber
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Backdoor.SofacyX - Associated Software

[Symantec APT28 Oct 2018]

Internal MISP references

UUID cbdaa2bf-7ffb-4e48-9e8e-c06b42199d44 which can be used as unique global reference for Backdoor.SofacyX - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 0e7b706f-c6c5-4ea2-8d35-581e9448f229
Related clusters

To see the related clusters, click here.

SPLM - Associated Software

[ESET Sednit Part 2] [FireEye APT28 January 2017]

Internal MISP references

UUID 14492dd1-4146-47ad-9ea0-5e6e934b625c which can be used as unique global reference for SPLM - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 5df20e72-bf08-4a95-b81b-a5ea73905b3e
Related clusters

To see the related clusters, click here.

Xagent - Associated Software

[ESET Sednit Part 2] [FireEye APT28 January 2017]

Internal MISP references

UUID ceb44e2f-ffbb-4316-90a2-f011a3dcad57 which can be used as unique global reference for Xagent - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3f5b77e7-28ef-4e06-a2ba-d7188a5c4ab3
Related clusters

To see the related clusters, click here.

X-Agent - Associated Software

[ESET Sednit Part 2] [FireEye APT28 January 2017]

Internal MISP references

UUID fabf19bb-0fc7-451c-8c69-4b6c706b4e3f which can be used as unique global reference for X-Agent - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id f4762139-a9d6-4813-a6f8-168010eeec40
Related clusters

To see the related clusters, click here.

webhp - Associated Software

[FireEye APT28 January 2017]

Internal MISP references

UUID 472502d3-e94a-4045-a232-33733d6e30aa which can be used as unique global reference for webhp - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4f9ad7bb-c277-4e1d-bf70-9711dbfa1334
Related clusters

To see the related clusters, click here.

CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [FireEye APT28] [ESET Sednit Part 2] [FireEye APT28 January 2017] [DOJ GRU Indictment Jul 2018] It is tracked separately from the X-Agent for Android.

Internal MISP references

UUID 01c6c49a-f7c8-44cd-a377-4dfd358ffeba which can be used as unique global reference for CHOPSTICK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0023
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Chrommme

Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.[ESET Gelsemium June 2021]

Internal MISP references

UUID df77ed2a-f135-4f00-9a5e-79b7a6a2ed14 which can be used as unique global reference for Chrommme in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0667
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Clambling

Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[Trend Micro DRBControl February 2020]

Internal MISP references

UUID 4bac93bd-7e58-4ddb-a205-d99597b9e65e which can be used as unique global reference for Clambling in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0660
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

CL_Invocation.ps1 - Associated Software

[CL_Invocation.ps1 - LOLBAS Project]

Internal MISP references

UUID 351a3856-6bc0-4712-923b-8e921785b95b which can be used as unique global reference for CL_Invocation.ps1 - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 22caac14-075b-404d-a35c-d987cc9a62a1
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

CL_Invocation

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Aero diagnostics script

Author: Oddvar Moe

Paths:
* C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
* C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1

Resources:

Detection:
* Sigma: proc_creation_win_lolbin_cl_invocation.yml
* Sigma: posh_ps_cl_invocation_lolscript.yml

[CL_Invocation.ps1 - LOLBAS Project]

Internal MISP references

UUID 4bc36e22-6529-4a4a-a5d2-461f3925c5f3 which can be used as unique global reference for CL_Invocation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5257
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

CL_LoadAssembly.ps1 - Associated Software

[CL_LoadAssembly.ps1 - LOLBAS Project]

Internal MISP references

UUID 9c4d1519-33eb-4280-aa2e-aca22b8e822c which can be used as unique global reference for CL_LoadAssembly.ps1 - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id a30c2c43-f823-466f-bfd4-45b2a58b2bec
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

CL_LoadAssembly

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: PowerShell Diagnostic Script

Author: Jimmy (@bohops)

Paths:
* C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1

Resources:
* https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/

Detection:
* Sigma: proc_creation_win_lolbas_cl_loadassembly.yml

[CL_LoadAssembly.ps1 - LOLBAS Project]

Internal MISP references

UUID cb950179-334d-4bd9-9cfb-87b09d279a3b which can be used as unique global reference for CL_LoadAssembly in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5255
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

CL_Mutexverifiers.ps1 - Associated Software

[CL_Mutexverifiers.ps1 - LOLBAS Project]

Internal MISP references

UUID 06c669e0-0111-45c3-868d-0b5fad1d1b42 which can be used as unique global reference for CL_Mutexverifiers.ps1 - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 5c75fd56-0471-4dc0-9fb2-3dda8269e59d
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

CL_Mutexverifiers

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Proxy execution with CL_Mutexverifiers.ps1

Author: Oddvar Moe

Paths:
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
* C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
* C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1
* C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1

Resources:
* https://twitter.com/pabraeken/status/995111125447577600

Detection:
* Sigma: proc_creation_win_lolbin_cl_mutexverifiers.yml

[CL_Mutexverifiers.ps1 - LOLBAS Project]

Internal MISP references

UUID 3c63792a-1184-416e-aa9b-18da72e88327 which can be used as unique global reference for CL_Mutexverifiers in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5256
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Clop

Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[Mcafee Clop Aug 2019][Cybereason Clop Dec 2020][Unit42 Clop April 2021]

Internal MISP references

UUID 5321aa75-924c-47ae-b97a-b36f023abf2a which can be used as unique global reference for Clop in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0611
source MITRE
tags ['b15c16f7-b8c7-4962-9acc-a98a39f87b69', 'b18b5401-d88d-4f28-8f50-a884a5e58349', 'ac862a66-a4ec-4285-9a21-b63576a5867d', '5ab5f811-5c7e-4f77-ae90-59d3beb93346', '1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0', 'e401022a-36ac-486d-8503-dd531410a927', '8a77c410-bed9-4376-87bf-5ac84fbc2c9d', 'ab64f2d8-8da3-48de-ac66-0fd91d634b22', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

MiniDionis - Associated Software

Internal MISP references

UUID 4f8334fd-987a-4d3a-b7cf-e5e1800eee90 which can be used as unique global reference for MiniDionis - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 59d0f44a-2aad-42c3-97cc-4c92e8527f00
Related clusters

To see the related clusters, click here.

CloudLook - Associated Software

Internal MISP references

UUID f714e1f8-1a16-46cc-981c-26729d500770 which can be used as unique global reference for CloudLook - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 941f9757-9100-4791-9a6e-77843e6d1e5d
Related clusters

To see the related clusters, click here.

CloudDuke

CloudDuke is malware that was used by APT29 in 2015. [F-Secure The Dukes] [Securelist Minidionis July 2015]

Internal MISP references

UUID b3dd424b-ee96-449c-aa52-abbc7d4dfb86 which can be used as unique global reference for CloudDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0054
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

cmd.exe - Associated Software

Internal MISP references

UUID 2757101d-84c7-4acc-be12-2f2a7b79bc2e which can be used as unique global reference for cmd.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 94b63e82-16a8-4bc0-a239-2c28cabfa131
Related clusters

To see the related clusters, click here.

cmd

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [TechNet Cmd]

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [TechNet Dir]), deleting files (e.g., del [TechNet Del]), and copying files (e.g., copy [TechNet Copy]).

Internal MISP references

UUID 98d89476-63ec-4baf-b2b3-86c52170f5d8 which can be used as unique global reference for cmd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0106
source MITRE
tags ['a968c9f3-c190-488f-bacc-92e8f1ce295c', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Cmdkey.exe - Associated Software

[Cmdkey.exe - LOLBAS Project]

Internal MISP references

UUID adcf033c-3514-40b4-81fc-d0534cd0d050 which can be used as unique global reference for Cmdkey.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id f20ab947-efa4-42ce-84ee-5b7fc4bc3984
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Cmdkey

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Creates, lists, and deletes stored user names and passwords or credentials.

Author: Oddvar Moe

Paths:
* C:\Windows\System32\cmdkey.exe
* C:\Windows\SysWOW64\cmdkey.exe

Resources:
* https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey

Detection:
* Sigma: proc_creation_win_cmdkey_recon.yml

[Cmdkey.exe - LOLBAS Project]

Internal MISP references

UUID da252f67-2d4e-419f-b493-d4a1d024a01c which can be used as unique global reference for Cmdkey in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5089
source Tidal Cyber
tags ['96bff827-e51f-47de-bde6-d2eec0f99767', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

cmdl32.exe - Associated Software

[cmdl32.exe - LOLBAS Project]

Internal MISP references

UUID ceb926c4-0b32-4073-bfd8-b7fc05cd1d62 which can be used as unique global reference for cmdl32.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 979b6530-dd16-4d7f-aaca-166b5996304b
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

cmdl32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Connection Manager Auto-Download

Author: Elliot Killick

Paths:
* C:\Windows\System32\cmdl32.exe
* C:\Windows\SysWOW64\cmdl32.exe

Resources:
* https://github.com/LOLBAS-Project/LOLBAS/pull/151
* https://twitter.com/ElliotKillick/status/1455897435063074824
* https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/

Detection:
* Sigma: proc_creation_win_lolbin_cmdl32.yml
* IOC: Reports of downloading from suspicious URLs in %TMP%\config.log
* IOC: User agent "Microsoft(R) Connection Manager Vpn File Update"

[cmdl32.exe - LOLBAS Project]

Internal MISP references

UUID 44a523a8-9ed6-4f01-9a53-0e8ea1e15b51 which can be used as unique global reference for cmdl32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5090
source Tidal Cyber
tags ['4c8f8830-0b2c-4c79-b1db-8659ede492f0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Cmstp.exe - Associated Software

[Cmstp.exe - LOLBAS Project]

Internal MISP references

UUID 7daa8928-e3ff-4e2c-9a33-df39bec265e1 which can be used as unique global reference for Cmstp.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 7cc16603-ebbc-4cad-910b-5b94b16438a9
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Cmstp

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Installs or removes a Connection Manager service profile.

Author: Oddvar Moe

Paths:
* C:\Windows\System32\cmstp.exe
* C:\Windows\SysWOW64\cmstp.exe

Resources:
* https://twitter.com/NickTyrer/status/958450014111633408
* https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
* https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
* https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
* https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp

Detection:
* Sigma: proc_creation_win_cmstp_execution_by_creation.yml
* Sigma: proc_creation_win_uac_bypass_cmstp.yml
* Splunk: cmlua_or_cmstplua_uac_bypass.yml
* Elastic: defense_evasion_suspicious_managedcode_host_process.toml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* IOC: Execution of cmstp.exe without a VPN use case is suspicious
* IOC: DotNet CLR libraries loaded into cmstp.exe
* IOC: DotNet CLR Usage Log - cmstp.exe.log

[Cmstp.exe - LOLBAS Project]

Internal MISP references

UUID 6f848e15-5234-4445-9a05-2949e4c57f0b which can be used as unique global reference for Cmstp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5091
source Tidal Cyber
tags ['65938118-2f00-48a1-856e-d1a75a08e3c6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[cobaltstrike manual]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[cobaltstrike manual]

Internal MISP references

UUID 9b6bcbba-3ab4-4a4c-a233-cd12254823f6 which can be used as unique global reference for Cobalt Strike in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S0154
source MITRE
tags ['fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '56d89c06-23a0-4642-adfc-1fffd3524191', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['malware']

Cobalt Strike Random C2 Profile Generator

This is an open-source tool for creating Cobalt Strike Malleable C2 profiles with randomly generated variables.[GitHub random_c2_profile] According to a September 2023 CERT-FR advisory, during an intrusion in March 2023, actors attributed to FIN12 used the tool to generate a Cobalt Strike malleable C2 profile.[CERTFR-2023-CTI-007]

Internal MISP references

UUID cf47b3ce-1392-4904-a4e6-f65aebebddc6 which can be used as unique global reference for Cobalt Strike Random C2 Profile Generator in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5057
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['malware']

Cobian RAT

Cobian RAT is a backdoor, remote access tool that has been observed since 2016.[Zscaler Cobian Aug 2017]

Internal MISP references

UUID d4e6f9f7-7f4d-47c2-be24-b267d9317303 which can be used as unique global reference for Cobian RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0338
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

code.exe - Associated Software

[code.exe - LOLBAS Project]

Internal MISP references

UUID 74673d53-5fe4-4e98-ade5-b4a545d2373c which can be used as unique global reference for code.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id ae8da2a7-2ce7-4aa5-8256-1962ec754428
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

code

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: VSCode binary, also portable (CLI) version

Author: PfiatDe

Paths:
* %LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe
* C:\Program Files\Microsoft VS Code\Code.exe
* C:\Program Files (x86)\Microsoft VS Code\Code.exe

Resources:
* https://badoption.eu/blog/2023/01/31/code_c2.html
* https://code.visualstudio.com/docs/remote/tunnels
* https://code.visualstudio.com/blogs/2022/12/07/remote-even-better

Detection:
* IOC: WebSocket traffic to global.rel.tunnels.api.visualstudio.com
* IOC: Process tree: code.exe -> cmd.exe -> node.exe -> winpty-agent.exe
* IOC: File write of code_tunnel.json; the location is parameterizable but defaults to %UserProfile%\.vscode-cli\code_tunnel.json

[code.exe - LOLBAS Project]

Internal MISP references

UUID 49d440e4-b2ea-4e7d-8ded-8589ddf679d9 which can be used as unique global reference for code in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5185
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CoinTicker

CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[CoinTicker 2019]

Internal MISP references

UUID b0d9b31a-072b-4744-8d2f-3a63256a932f which can be used as unique global reference for CoinTicker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0369
source MITRE
type ['malware']

Colorcpl.exe - Associated Software

[Colorcpl.exe - LOLBAS Project]

Internal MISP references

UUID 6044424d-3732-4cac-85a8-b4059f4e0af4 which can be used as unique global reference for Colorcpl.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4719e863-dac0-409d-b6d3-52d7ce388044
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Colorcpl

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary that handles color management

Author: Arjan Onwezen

Paths:
* C:\Windows\System32\colorcpl.exe
* C:\Windows\SysWOW64\colorcpl.exe

Resources:
* https://twitter.com/eral4m/status/1480468728324231172

Detection:
* Sigma: file_event_win_susp_colorcpl.yml
* IOC: colorcpl.exe writing files

[Colorcpl.exe - LOLBAS Project]

Internal MISP references

UUID 9f006b88-2f13-4c99-ade0-839da70d1e11 which can be used as unique global reference for Colorcpl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5092
source Tidal Cyber
tags ['884eb1b1-aede-4db0-8443-ba50624682e1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Comnie

Comnie is a remote backdoor which has been used in attacks in East Asia. [Palo Alto Comnie]

Internal MISP references

UUID 341fc709-4908-4e41-8df3-554dae6d72b0 which can be used as unique global reference for Comnie in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0244
source MITRE
type ['malware']

ComRAT

ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.[Symantec Waterbug][NorthSec 2015 GData Uroburos Tools][ESET ComRAT May 2020]

Internal MISP references

UUID 300c5997-a486-4a61-8213-93a180c22849 which can be used as unique global reference for ComRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0126
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Comsvcs.dll - Associated Software

[Comsvcs.dll - LOLBAS Project]

Internal MISP references

UUID 07f103cf-9a8a-4f68-a96b-877113e6c538 which can be used as unique global reference for Comsvcs.dll - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 1fa287c7-a4a3-4072-9dd0-ba7b634c0880
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Comsvcs

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: COM+ Services

Author: LOLBAS Team

Paths:
* c:\windows\system32\comsvcs.dll

Resources:
* https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/

Detection:
* Sigma: proc_creation_win_rundll32_process_dump_via_comsvcs.yml
* Sigma: proc_access_win_lsass_dump_comsvcs_dll.yml
* Elastic: credential_access_cmdline_dump_tool.toml
* Splunk: dump_lsass_via_comsvcs_dll.yml

[Comsvcs.dll - LOLBAS Project]

Internal MISP references

UUID 0448178d-fff1-4174-8339-e6bfca78fb84 which can be used as unique global reference for Comsvcs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5202
source Tidal Cyber
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '334b0ee4-5a0d-4634-91c8-236593b818a0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Kido - Associated Software

[SANS Conficker]

Internal MISP references

UUID a8d8ea16-3ec8-41bb-a27a-7f67511a78ee which can be used as unique global reference for Kido - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 2d9c5a54-c465-46b8-b0f1-9c1e6eb3a4fb

Downadup - Associated Software

[SANS Conficker]

Internal MISP references

UUID 2871c307-fede-464e-b25e-ad6051d25c63 which can be used as unique global reference for Downadup - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b663e730-924d-4332-ae78-165cd782bb72

Conficker

Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[SANS Conficker] In 2016, a variant of Conficker made its way onto computers and removable disk drives belonging to a nuclear power plant.[Conficker Nuclear Power Plant]

Internal MISP references

UUID ef33f1fa-18a3-4b30-b359-17b7930f43a7 which can be used as unique global reference for Conficker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0608
source MITRE
type ['malware']

ConfigSecurityPolicy.exe - Associated Software

[ConfigSecurityPolicy.exe - LOLBAS Project]

Internal MISP references

UUID 45ba655d-a1fc-4305-abed-38f72ef3a832 which can be used as unique global reference for ConfigSecurityPolicy.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id eb5bb379-c403-4f10-8d49-c3d7020d634e
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

ConfigSecurityPolicy

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary that is part of Windows Defender and is used to manage its settings. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.

Author: Ialle Teixeira

Paths:
* C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
* C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe

Resources:
* https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads
* https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads
* https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor
* https://twitter.com/NtSetDefault/status/1302589153570365440?s=20

Detection:
* Sigma: proc_creation_win_lolbin_configsecuritypolicy.yml
* IOC: ConfigSecurityPolicy storing data into alternate data streams.
* IOC: Preventing/Detecting ConfigSecurityPolicy connections to non-RFC1918 addresses with a network IPS/IDS.
* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
* IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"

[ConfigSecurityPolicy.exe - LOLBAS Project]

Internal MISP references

UUID 0e178275-4eb7-4fae-a703-d9730adf6a26 which can be used as unique global reference for ConfigSecurityPolicy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5093
source Tidal Cyber
tags ['d99039e1-e677-4226-8b63-e698d6642535', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Conhost.exe - Associated Software

[Conhost.exe - LOLBAS Project]

Internal MISP references

UUID 8a24ebd6-9351-4197-8728-6aa45e3dfce3 which can be used as unique global reference for Conhost.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 7829c614-b785-49cf-adf0-21017cd710e4
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Conhost

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Console Window host

Author: Wietze Beukema

Paths:
* c:\windows\system32\conhost.exe

Resources:
* https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
* https://twitter.com/Wietze/status/1511397781159751680
* https://twitter.com/embee_research/status/1559410767564181504
* https://twitter.com/ankit_anubhav/status/1561683123816972288

Detection:
* IOC: conhost.exe spawning unexpected processes
* Sigma: proc_creation_win_conhost_susp_child_process.yml

[Conhost.exe - LOLBAS Project]

Internal MISP references

UUID d3f8a214-3e65-4b7d-aed6-97a3e38ef8e0 which can be used as unique global reference for Conhost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5094
source Tidal Cyber
tags ['ea54037d-e07b-42b0-afe6-33576ec36f44', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ScreenConnect - Associated Software

[Anomali Static Kitten February 2021]

Internal MISP references

UUID 0280eeae-b087-48c3-937c-2edf419f6835 which can be used as unique global reference for ScreenConnect - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 88e96478-a49a-4cf5-b88d-04221550794d

ConnectWise

ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[Anomali Static Kitten February 2021][Trend Micro Muddy Water March 2021]

Internal MISP references

UUID 6f9bb24d-cce2-49de-bedd-1849d9bde7a0 which can be used as unique global reference for ConnectWise in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0591
source MITRE
tags ['fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']

Conti

Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.[Cybereason Conti Jan 2021][CarbonBlack Conti July 2020][Cybleinc Conti January 2020]

Internal MISP references

UUID 8e995c29-2759-4aeb-9a0f-bb7cd97b06e5 which can be used as unique global reference for Conti in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0575
source MITRE
tags ['0ed7d10c-c65b-4174-9edb-446bf301d250', '3d90eed2-862d-4f61-8c8f-0b8da3e45af0', '12a2e20a-7c27-46bb-954d-b372833a9925', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871', 'c2380542-36f2-4922-9ed2-80ced06645c9', 'dea4388a-b1f2-4f2a-9df9-108631d0d078', '24448a05-2337-4bc9-a889-a83f2fd1f3ad', '2743d495-7728-4a75-9e5f-b64854039792', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Control.exe - Associated Software

[Control.exe - LOLBAS Project]

Internal MISP references

UUID 94e2981f-681e-4bb8-bcef-98f8ed60f4ed which can be used as unique global reference for Control.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 4b684811-8f00-4b38-8496-95146a80c07b
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

Control

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used to launch Control Panel items in Windows

Author: Oddvar Moe

Paths:
* C:\Windows\System32\control.exe
* C:\Windows\SysWOW64\control.exe

Resources:
* https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
* https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
* https://twitter.com/bohops/status/955659561008017409
* https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items
* https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/

Detection:
* Sigma: proc_creation_win_exploit_cve_2021_40444.yml
* Sigma: proc_creation_win_rundll32_susp_control_dll_load.yml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* Elastic: defense_evasion_execution_control_panel_suspicious_args.toml
* Elastic: defense_evasion_unusual_dir_ads.toml
* IOC: Control.exe executing files from alternate data streams
* IOC: Control.exe executing library file without cpl extension
* IOC: Suspicious network connections from control.exe

[Control.exe - LOLBAS Project]

Internal MISP references

UUID efc46430-b27f-4b05-bc36-1d5eba685ec7 which can be used as unique global reference for Control in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5095
source Tidal Cyber
tags ['53ac2b35-d302-4bdd-9931-5b6c6cb31b96', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CookieMiner

CookieMiner is macOS-based malware that targets information associated with cryptocurrency exchanges and also enables cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.[Unit42 CookieMiner Jan 2019]

Internal MISP references

UUID 6e2c4aef-2f69-4507-9ee3-55432d76341e which can be used as unique global reference for CookieMiner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0492
source MITRE
type ['malware']

CORALDECK

CORALDECK is an exfiltration tool used by APT37. [FireEye APT37 Feb 2018]

Internal MISP references

UUID f13c8455-d615-4f8d-9d9c-5b31e593cd8a which can be used as unique global reference for CORALDECK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0212
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']

coregen.exe - Associated Software

[coregen.exe - LOLBAS Project]

Internal MISP references

UUID 462f4c43-12e3-4901-b741-72e8c6e6e98a which can be used as unique global reference for coregen.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9cb45e94-99bf-46a7-94c5-29d6e5658074
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561

coregen

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.

Author: Martin Sohn Christensen

Paths:
* C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
* C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe

Resources:
* https://www.youtube.com/watch?v=75XImxOOInU
* https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html

Detection:
* Sigma: image_load_side_load_coregen.yml
* IOC: coregen.exe loading a .dll file not located in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
* IOC: coregen.exe loading a .dll file not named coreclr.dll
* IOC: coregen.exe command line containing -L or -l
* IOC: coregen.exe command line containing an unexpected or invalid assembly name
* IOC: coregen.exe application crash caused by an invalid assembly name

[coregen.exe - LOLBAS Project]

Internal MISP references

UUID b7dacd5c-eaba-48db-bdd7-e779a82b2ba7 which can be used as unique global reference for coregen in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5209
source Tidal Cyber
tags ['a19a158e-aec4-410a-8c3e-e9080b111183', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Sofacy - Associated Software

This designation has been used in reporting both to refer to the threat group (APT28) and its associated malware.[FireEye APT28] [FireEye APT28 January 2017][Securelist Sofacy Feb 2018]

Internal MISP references

UUID 8af3037f-732c-433e-8689-701593604bae which can be used as unique global reference for Sofacy - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e66db2f3-651c-44d4-91ad-fb4b6065ecbf

SOURFACE - Associated Software

[FireEye APT28] [FireEye APT28 January 2017][Securelist Sofacy Feb 2018]

Internal MISP references

UUID 36d5d0ca-1bfc-45b1-ac54-2da2e1b2a5c7 which can be used as unique global reference for SOURFACE - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id c75a41d8-df0f-4607-8b07-76747810a7d9

CORESHELL

CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.[FireEye APT28] [FireEye APT28 January 2017]

Internal MISP references

UUID 3b193f62-2b49-4eff-bdf4-501fb8a28274 which can be used as unique global reference for CORESHELL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0137
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

TinyBaron - Associated Software

Internal MISP references

UUID b46da8df-d944-4bf0-b715-dad7dbc6d658 which can be used as unique global reference for TinyBaron - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 3f0427ff-2b73-4275-b612-ba4f2d2d77c7

BotgenStudios - Associated Software

Internal MISP references

UUID f5f9ef72-8f34-47d6-a767-86b3b07ce00e which can be used as unique global reference for BotgenStudios - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 8df5fe1b-184a-4a87-9244-244eb3c5f92a

NemesisGemina - Associated Software

Internal MISP references

UUID d7724aad-70a0-40a8-ad43-a92bedb8f8fd which can be used as unique global reference for NemesisGemina - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 9fafca05-8cff-41ae-beba-dd50db7d9c15

CosmicDuke

CosmicDuke is malware that was used by APT29 from 2010 to 2015. [F-Secure The Dukes]

Internal MISP references

UUID 43b317c6-5b4f-47b8-b7b4-15cd6f455091 which can be used as unique global reference for CosmicDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0050
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

CostaBricks

CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.[BlackBerry CostaRicto November 2020]

Internal MISP references

UUID ea9e2d19-89fe-4039-a1e0-467b14554c6f which can be used as unique global reference for CostaBricks in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0614
source MITRE
type ['malware']

CozyDuke - Associated Software

Internal MISP references

UUID 58e77779-2cc6-4570-95a7-fb59b089ab28 which can be used as unique global reference for CozyDuke - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id e1880d53-16e2-4055-9da9-61fc13118bef
Related clusters

To see the related clusters, click here.

CozyBear - Associated Software

Internal MISP references

UUID 49b8f0f4-77aa-4c7e-925d-054102c7178b which can be used as unique global reference for CozyBear - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id d3c41287-ead9-42bd-9657-0280e926633f
Related clusters

To see the related clusters, click here.

Cozer - Associated Software

Internal MISP references

UUID 60187172-ade3-4d87-8d51-3b064838867d which can be used as unique global reference for Cozer - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 5694df56-a690-4ff9-9b19-467a190d26a9
Related clusters

To see the related clusters, click here.

EuroAPT - Associated Software

Internal MISP references

UUID 8b01f729-fa16-4bd7-b5d3-2d84a1ecb32b which can be used as unique global reference for EuroAPT - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id d541afa1-c54a-4dc9-939b-aacc5251fc44
Related clusters

To see the related clusters, click here.

CozyCar

CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. [F-Secure The Dukes]

Internal MISP references

UUID c2353daa-fd4c-44e1-8013-55400439965a which can be used as unique global reference for CozyCar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0046
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

CrackMapExec

CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[CME Github September 2018]

Internal MISP references

UUID 47e710b4-1397-47cf-a979-20891192f313 which can be used as unique global reference for CrackMapExec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0488
source MITRE
tags ['e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

Createdump.exe - Associated Software

[Createdump.exe - LOLBAS Project]

Internal MISP references

UUID 8a49e7dc-04ce-44d3-919d-91700e11e1c9 which can be used as unique global reference for Createdump.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 47df2f27-f2a2-4857-8f0c-e75179b93b8c
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Createdump

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)

Author: mr.d0x, Daniel Santos

Paths:
* C:\Program Files\dotnet\shared\Microsoft.NETCore.App*\createdump.exe
* C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App*\createdump.exe
* C:\Program Files\Microsoft Visual Studio*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
* C:\Program Files (x86)\Microsoft Visual Studio*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe

Resources:
* https://twitter.com/bopin2020/status/1366400799199272960
* https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnetcore/practice-troubleshoot-linux/lab-1-3-capture-core-crash-dumps

Detection:
* Sigma: proc_creation_win_proc_dump_createdump.yml
* Sigma: proc_creation_win_renamed_createdump.yml
* IOC: createdump.exe process with a command line containing the lsass.exe process id[Createdump.exe - LOLBAS Project]

Internal MISP references

UUID a574b315-523c-45c3-8743-feb3d541e81a which can be used as unique global reference for Createdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5210
source Tidal Cyber
tags ['7beee233-2b65-4593-88e6-a5c0c02c6a08', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

CredoMap

CredoMap is a credential-stealing malware developed by the Russian espionage actor APT28. The malware harvests cookies and credentials from select web browsers and exfiltrates the information via the IMAP email protocol. CredoMap was observed being used in attack campaigns in Ukraine in 2022.[CERTFR-2023-CTI-009][SecurityScorecard CredoMap September 2022]

Internal MISP references

UUID 516ffd19-72b9-43a1-b866-bb075fdcb137 which can be used as unique global reference for CredoMap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5074
source Tidal Cyber
tags ['904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

CreepyDrive

CreepyDrive is a custom implant that has been used by POLONIUM since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.[Microsoft POLONIUM June 2022]

POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.[Microsoft POLONIUM June 2022]

Internal MISP references

UUID 7f7f05c3-fbb1-475e-b672-2113709065c8 which can be used as unique global reference for CreepyDrive in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Office 365', 'Windows']
software_attack_id S1023
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

CreepySnail

CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[Microsoft POLONIUM June 2022]

Internal MISP references

UUID 11ce380c-481b-4c9b-b44e-06f1a91c01c1 which can be used as unique global reference for CreepySnail in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1024
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

MSIL/Crimson - Associated Software

[Proofpoint Operation Transparent Tribe March 2016]

Internal MISP references

UUID 349d3f77-068f-4300-98b9-05245f5f3a7a which can be used as unique global reference for MSIL/Crimson - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b5691880-3483-4eb2-8075-a6232299f4bd
Related clusters

To see the related clusters, click here.

Crimson

Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.[Proofpoint Operation Transparent Tribe March 2016][Kaspersky Transparent Tribe August 2020]

Internal MISP references

UUID 3b3f296f-20a6-459a-98c5-62ebdee3701f which can be used as unique global reference for Crimson in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0115
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

CrossRAT

CrossRAT is a cross-platform RAT.

Internal MISP references

UUID 38811c3b-f548-43fa-ab26-c7243b84a055 which can be used as unique global reference for CrossRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S0235
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Crutch

Crutch is a backdoor designed for document theft that has been used by Turla since at least 2015.[ESET Crutch December 2020]

Internal MISP references

UUID e1ad229b-d750-4148-a1f3-36e767b03cd1 which can be used as unique global reference for Crutch in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0538
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cryptoistic

Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.[SentinelOne Lazarus macOS July 2020]

Internal MISP references

UUID 12ce6d04-ebe5-440e-b342-0283b7c8a0c8 which can be used as unique global reference for Cryptoistic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0498
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Csc.exe - Associated Software

[Csc.exe - LOLBAS Project]

Internal MISP references

UUID 909a545e-eec1-4c0d-a57e-a183bf036bb6 which can be used as unique global reference for Csc.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 2f3dd328-c1cb-4711-92a8-c1762925f427
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Csc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary file used by .NET to compile C# code

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe

Resources: * https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe

Detection:
* Sigma: proc_creation_win_csc_susp_parent.yml
* Sigma: proc_creation_win_csc_susp_folder.yml
* Elastic: defense_evasion_dotnet_compiler_parent_process.toml
* Elastic: defense_evasion_execution_msbuild_started_unusal_process.toml
* IOC: Csc.exe should normally not run as System account unless it is used for development.[Csc.exe - LOLBAS Project]

Internal MISP references

UUID 939eeb6b-3f74-43b6-8ead-644457ee7d78 which can be used as unique global reference for Csc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5096
source Tidal Cyber
tags ['2ee25dd6-256c-4659-b1b6-f5afc943ccc1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Cscript.exe - Associated Software

[Cscript.exe - LOLBAS Project]

Internal MISP references

UUID 589c7b11-190b-4cd3-b8c4-cf623697d207 which can be used as unique global reference for Cscript.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 85524fce-888e-4754-ad46-8635c24c0d12
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Cscript

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used to execute scripts in Windows

Author: Oddvar Moe

Paths:
* C:\Windows\System32\cscript.exe
* C:\Windows\SysWOW64\cscript.exe

Resources:
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

Detection:
* Sigma: proc_creation_win_wscript_cscript_script_exec.yml
* Sigma: file_event_win_net_cli_artefact.yml
* Elastic: defense_evasion_unusual_dir_ads.toml
* Elastic: command_and_control_remote_file_copy_scripts.toml
* Elastic: defense_evasion_suspicious_managedcode_host_process.toml
* Splunk: wscript_or_cscript_suspicious_child_process.yml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: Cscript.exe executing files from alternate data streams
* IOC: DotNet CLR libraries loaded into cscript.exe
* IOC: DotNet CLR Usage Log - cscript.exe.log[Cscript.exe - LOLBAS Project]

Internal MISP references

UUID 83036c61-d8cf-42f8-a9e5-dc3d26d75cdc which can be used as unique global reference for Cscript in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5097
source Tidal Cyber
tags ['7cae5f59-dbbf-406f-928d-118430d2bdd0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

csi.exe - Associated Software

[csi.exe - LOLBAS Project]

Internal MISP references

UUID bebeee27-af58-4daa-ae34-c432ba0aaf0d which can be used as unique global reference for csi.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id adf2b27f-3e99-42a9-8d00-45d15feb8b05
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

csi

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Command line interface included with Visual Studio.

Author: Oddvar Moe

Paths:
* c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
* c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe

Resources:
* https://twitter.com/subTee/status/781208810723549188
* https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

Detection:
* Sigma: proc_creation_win_csi_execution.yml
* Sigma: proc_creation_win_csi_use_of_csharp_console.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[csi.exe - LOLBAS Project]

Internal MISP references

UUID a11e4ebf-59e4-4b79-8a20-be1618dfbaed which can be used as unique global reference for csi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5211
source Tidal Cyber
tags ['86bb7f3c-652c-4f77-af2a-34677ff42315', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

CSPY Downloader

CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky.[Cybereason Kimsuky November 2020]

Internal MISP references

UUID eb481db6-d7ba-4873-a171-76a228c9eb97 which can be used as unique global reference for CSPY Downloader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0527
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Cuba

Cuba is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.[McAfee Cuba April 2021]

Internal MISP references

UUID 095064c6-144e-4935-b878-f82151bc08e4 which can be used as unique global reference for Cuba in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0625
source MITRE
tags ['4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930', '17864218-bc4f-4564-8abf-97c988eea9f7', 'b6458e46-650e-4e96-8e68-8a9d70bcf045', 'bac51672-8240-4182-9087-23626023e509', 'c5c8f954-1bc0-45d5-9a4f-4385d0a720a1', '2743d495-7728-4a75-9e5f-b64854039792', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

CustomShellHost.exe - Associated Software

[CustomShellHost.exe - LOLBAS Project]

Internal MISP references

UUID 642284c2-5216-47f6-994b-98ff2fa839b9 which can be used as unique global reference for CustomShellHost.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id a45110a8-8c68-4aeb-87b9-668376785df5
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

CustomShellHost

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: A host process that is used by custom shells when using Windows in Kiosk mode.

Author: Wietze Beukema

Paths: * C:\Windows\System32\CustomShellHost.exe

Resources:
* https://twitter.com/YoSignals/status/1381353520088113154
* https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher

Detection:
* IOC: CustomShellHost.exe is unlikely to run on normal workstations
* Sigma: proc_creation_win_lolbin_customshellhost.yml[CustomShellHost.exe - LOLBAS Project]

Internal MISP references

UUID 3ff0d4fc-6678-42f0-869b-f48906d98f82 which can be used as unique global reference for CustomShellHost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5098
source Tidal Cyber
tags ['536c3d51-9fc4-445e-9723-e11b69f0d6d5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Cyclops Blink

Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.[NCSC Cyclops Blink February 2022][NCSC CISA Cyclops Blink Advisory February 2022][Trend Micro Cyclops Blink March 2022]

Internal MISP references

UUID 68792756-7dbf-41fd-8d48-ac3cc2b52712 which can be used as unique global reference for Cyclops Blink in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S0687
source MITRE
tags ['b20e7912-6a8d-46e3-8e13-9a3fc4813852', 'e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

Dacls

Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.[TrendMicro macOS Dacls May 2020][SentinelOne Lazarus macOS July 2020]

Internal MISP references

UUID 9d521c18-09f0-47be-bfe5-e1bf26f7b928 which can be used as unique global reference for Dacls in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S0497
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DanBot

DanBot is a first-stage remote access Trojan written in C# that has been used by HEXANE since at least 2018.[SecureWorks August 2019]

Internal MISP references

UUID 131c0eb2-9191-4ccd-a2d6-5f36046a8f2f which can be used as unique global reference for DanBot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1014
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Krademok - Associated Software

[TrendMicro DarkComet Sept 2014]

Internal MISP references

UUID cc96486b-d19d-4819-8265-9203a28ba6c9 which can be used as unique global reference for Krademok - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id bdc84346-035e-4ca7-8180-777849982524
Related clusters

To see the related clusters, click here.

DarkKomet - Associated Software

[TrendMicro DarkComet Sept 2014]

Internal MISP references

UUID afb90bbd-2299-4f3a-a9a8-792f4401e08f which can be used as unique global reference for DarkKomet - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id fdd52ea2-a313-490e-9492-a4acd2017344
Related clusters

To see the related clusters, click here.

Fynloski - Associated Software

[TrendMicro DarkComet Sept 2014]

Internal MISP references

UUID f319bc98-ef43-47ef-8572-601f0be6fb68 which can be used as unique global reference for Fynloski - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id bb346f9a-7140-46c4-b6d7-cd3ba3c96c16
Related clusters

To see the related clusters, click here.

FYNLOS - Associated Software

[TrendMicro DarkComet Sept 2014]

Internal MISP references

UUID abbedb20-272b-4278-ab46-8e46e7cd70ed which can be used as unique global reference for FYNLOS - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b4d8fb4a-4130-4eec-aabc-6949f48ca918
Related clusters

To see the related clusters, click here.

DarkComet

DarkComet is a Windows remote administration tool and backdoor.[TrendMicro DarkComet Sept 2014][Malwarebytes DarkComet March 2018]

Internal MISP references

UUID 74f88899-56d0-4de8-97de-539b3590ab90 which can be used as unique global reference for DarkComet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0334
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkGate

DarkGate is a commodity downloader. Researchers have often observed DarkGate samples using legitimate copies of AutoIt, a freeware BASIC-like scripting language, to run AutoIt scripts as part of the execution chain. Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[Bleeping Computer DarkGate October 14 2023] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[DarkGate Loader delivered via Teams - Truesec][Trend Micro DarkGate October 12 2023]

Internal MISP references

UUID 7144b703-f471-4bde-bedc-e8b274854de5 which can be used as unique global reference for DarkGate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5266
source Tidal Cyber
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkTortilla

DarkTortilla is a highly configurable .NET-based crypter that has possibly been active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[Secureworks DarkTortilla Aug 2022]

Internal MISP references

UUID 35abcb6b-3259-57c1-94fc-50cfd5bde786 which can be used as unique global reference for DarkTortilla in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1066
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DarkWatchman

DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.[Prevailion DarkWatchman 2021]

Internal MISP references

UUID 740a0327-4caf-4d90-8b51-f3f9a4d59b37 which can be used as unique global reference for DarkWatchman in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0673
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Nioupale - Associated Software

[Trend Micro Daserf Nov 2017]

Internal MISP references

UUID dae98258-e7d1-4e13-9c88-13d5fe07bf89 which can be used as unique global reference for Nioupale - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id c3e307a0-015c-425b-86e8-1e10e473dde3
Related clusters

To see the related clusters, click here.

Muirim - Associated Software

[Trend Micro Daserf Nov 2017]

Internal MISP references

UUID 82694e7e-140d-4ee6-93a0-03af069029cf which can be used as unique global reference for Muirim - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b4266b69-f6d1-4b1a-b8d1-13fa716d7820
Related clusters

To see the related clusters, click here.

Daserf

Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [Trend Micro Daserf Nov 2017] [Secureworks BRONZE BUTLER Oct 2017]

Internal MISP references

UUID fad65026-57c4-4d4f-8803-87178dd4b887 which can be used as unique global reference for Daserf in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0187
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DataSvcUtil.exe - Associated Software

[DataSvcUtil.exe - LOLBAS Project]

Internal MISP references

UUID c64f5d2e-d645-4dd8-bc8f-9e515f8f80c3 which can be used as unique global reference for DataSvcUtil.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 19ffd64e-a0bb-4dc2-be9d-f592cc81b9b8
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

DataSvcUtil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.

Author: Ialle Teixeira

Paths: * C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe

Resources:
* https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
* https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
* https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services

Detection:
* Sigma: proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
* IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory.
* IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS.
* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.[DataSvcUtil.exe - LOLBAS Project]

Internal MISP references

UUID dd555a4c-3b04-48c1-988f-d530d699a5bf which can be used as unique global reference for DataSvcUtil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5099
source Tidal Cyber
tags ['0576be43-65c6-4d1a-8a06-ed8232ca0120', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

DCSrv

DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[Checkpoint MosesStaff Nov 2021]

Internal MISP references

UUID 26ae3cd1-6710-4807-b674-957bd67d3e76 which can be used as unique global reference for DCSrv in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1033
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

DDKONG

DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in February 2017. [Rancor Unit42 June 2018]

Internal MISP references

UUID 0657b804-a889-400a-97d7-a4989809a623 which can be used as unique global reference for DDKONG in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0255
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DEADEYE.EMBED - Associated Software

[Mandiant APT41]

Internal MISP references

UUID a5895370-3911-4fd5-a61d-5e7cdf4eaa7b which can be used as unique global reference for DEADEYE.EMBED - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 27732d5a-fe42-5727-8345-e2e0051ae1d3
Related clusters

To see the related clusters, click here.

DEADEYE.APPEND - Associated Software

[Mandiant APT41]

Internal MISP references

UUID f55765f5-c5b6-4b6d-a50d-f96793569149 which can be used as unique global reference for DEADEYE.APPEND - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 549c4c79-c0e1-5768-ac75-0e60d807afe2
Related clusters

To see the related clusters, click here.

DEADEYE

DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).[Mandiant APT41]

Internal MISP references

UUID e9533664-90c5-5b40-a40e-a69a2eda8bc9 which can be used as unique global reference for DEADEYE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1052
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

DealersChoice

DealersChoice is a Flash exploitation framework used by APT28. [Sofacy DealersChoice]

Internal MISP references

UUID 64dc5d44-2304-4875-b517-316ab98512c2 which can be used as unique global reference for DealersChoice in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0243
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

DEATHRANSOM

DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.[FireEye FiveHands April 2021]

Internal MISP references

UUID 832f5ab1-1267-40c9-84ef-f32d6373be4e which can be used as unique global reference for DEATHRANSOM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0616
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

DefaultPack.EXE - Associated Software

[DefaultPack.EXE - LOLBAS Project]

Internal MISP references

UUID 95c59305-52c1-4d55-a9cd-8ce48e7a3a30 which can be used as unique global reference for DefaultPack.EXE - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b15fb2b8-f182-4e11-95ad-41686c2c0c64
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

DefaultPack

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: This binary can be downloaded alongside multiple software downloads on the Microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.

Author: @checkymander

Paths:
* C:\Program Files (x86)\Microsoft\DefaultPack\

Resources:
* https://twitter.com/checkymander/status/1311509470275604480.

Detection:
* Sigma: proc_creation_win_lolbin_defaultpack.yml
* IOC: DefaultPack.EXE spawned an unknown process [DefaultPack.EXE - LOLBAS Project]

Internal MISP references

UUID ff25ec03-1e8d-427e-b207-1e1ecca542ec which can be used as unique global reference for DefaultPack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5212
source Tidal Cyber
tags ['4f7be515-680e-4375-81f6-c71c83dd440d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Defender Control

Defender Control is a tool purpose-built to disable Microsoft Defender.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID e8830cf3-53f3-4d15-858c-584589405fad which can be used as unique global reference for Defender Control in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5029
source Tidal Cyber
tags ['af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Denis

Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities with the SOUNDBITE backdoor and has been used in conjunction with the Goopy backdoor.[Cybereason Oceanlotus May 2017]

Internal MISP references

UUID df4002d2-f557-4f95-af7a-9a4582fb7068 which can be used as unique global reference for Denis in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0354
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

PHOTO - Associated Software

[FireEye Periscope March 2018]

Internal MISP references

UUID 92b622fe-1002-49f7-87ca-e97046f6ed40 which can be used as unique global reference for PHOTO - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id b737bb44-6f18-412c-a84d-a08d66f7a0b2
Related clusters

To see the related clusters, click here.

Derusbi

Derusbi is malware used by multiple Chinese APT groups.[Novetta-Axiom][ThreatConnect Anthem] Both Windows and Linux variants have been observed.[Fidelis Turbo]

Internal MISP references

UUID 9222aa77-922e-43c7-89ad-71067c428fb2 which can be used as unique global reference for Derusbi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0021
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Desk.cpl - Associated Software

[Desk.cpl - LOLBAS Project]

Internal MISP references

UUID 670ed300-364b-45ad-ad7f-732d13365571 which can be used as unique global reference for Desk.cpl - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 83c48bfd-5c8f-406f-ab7f-63a9bd17dcbd
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Desk

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Desktop Settings Control Panel

Author: Hai Vaknin

Paths:
* C:\Windows\System32\desk.cpl
* C:\Windows\SysWOW64\desk.cpl

Resources:
* https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt
* https://twitter.com/pabraeken/status/998627081360695297
* https://twitter.com/VakninHai/status/1517027824984547329
* https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files

Detection:
* Sigma: file_event_win_new_src_file.yml
* Sigma: proc_creation_win_lolbin_rundll32_installscreensaver.yml
* Sigma: registry_set_scr_file_executed_by_rundll32.yml [Desk.cpl - LOLBAS Project]

Internal MISP references

UUID 1863a7e2-6212-48a0-b109-15d0198b93e2 which can be used as unique global reference for Desk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5188
source Tidal Cyber
tags ['7ad2b1d5-c228-4bf5-bf8e-c80a8fef0079', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Desktopimgdownldr.exe - Associated Software

[Desktopimgdownldr.exe - LOLBAS Project]

Internal MISP references

UUID 75e0d2df-7f93-4b5a-b085-4d2dfdac1348 which can be used as unique global reference for Desktopimgdownldr.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 7c4bf9f5-dfaa-46df-8803-83ae323f9f58
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Desktopimgdownldr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows binary used to configure lockscreen/desktop image

Author: Gal Kristal

Paths:
* c:\windows\system32\desktopimgdownldr.exe

Resources:
* https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/

Detection:
* Sigma: proc_creation_win_desktopimgdownldr_susp_execution.yml
* Sigma: file_event_win_susp_desktopimgdownldr_file.yml
* Elastic: command_and_control_remote_file_copy_desktopimgdownldr.toml
* IOC: desktopimgdownldr.exe that creates non-image file
* IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl [Desktopimgdownldr.exe - LOLBAS Project]

Internal MISP references

UUID 1b31652d-30bb-4c6e-bfe1-f2921a0aa64e which can be used as unique global reference for Desktopimgdownldr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5100
source Tidal Cyber
tags ['acc0e091-a071-4e83-b0b1-4f3adebeafa3', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

DeviceCredentialDeployment.exe - Associated Software

[DeviceCredentialDeployment.exe - LOLBAS Project]

Internal MISP references

UUID 5a91980c-cdb3-4dde-b38d-175c5af960f3 which can be used as unique global reference for DeviceCredentialDeployment.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 28423085-6247-4ae2-94bd-b4a66e148456
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

DeviceCredentialDeployment

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Device Credential Deployment

Author: Elliot Killick

Paths:
* C:\Windows\System32\DeviceCredentialDeployment.exe

Resources: None Provided

Detection:
* IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation
* Sigma: proc_creation_win_lolbin_device_credential_deployment.yml [DeviceCredentialDeployment.exe - LOLBAS Project]

Internal MISP references

UUID b99bdf39-8dcf-4bae-95af-b029d48cb579 which can be used as unique global reference for DeviceCredentialDeployment in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5101
source Tidal Cyber
tags ['2a08c2eb-e90e-4bdb-a2dd-9da06de7ed25', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Devinit.exe - Associated Software

[Devinit.exe - LOLBAS Project]

Internal MISP references

UUID 34e99ddb-8992-4b3a-acaf-e95bf601777e which can be used as unique global reference for Devinit.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id bb16053d-2311-404e-84e3-64574e4ad3ad
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Devinit

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Visual Studio 2019 tool

Author: mr.d0x

Paths:
* C:\Program Files\Microsoft Visual Studio*\Community\Common7\Tools\devinit\devinit.exe
* C:\Program Files (x86)\Microsoft Visual Studio*\Community\Common7\Tools\devinit\devinit.exe

Resources:
* https://twitter.com/mrd0x/status/1460815932402679809

Detection:
* Sigma: proc_creation_win_devinit_lolbin_usage.yml [Devinit.exe - LOLBAS Project]

Internal MISP references

UUID 102714a0-6b18-4d05-83c2-dd2929ce685a which can be used as unique global reference for Devinit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5213
source Tidal Cyber
tags ['bb814941-0155-49b1-8f93-39626d4f0ddd', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Devtoolslauncher.exe - Associated Software

[Devtoolslauncher.exe - LOLBAS Project]

Internal MISP references

UUID 9fcdac31-4219-4b10-83e6-b1c85f96de60 which can be used as unique global reference for Devtoolslauncher.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id ece06fad-6fc1-4e81-a01d-16983b867a82
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Devtoolslauncher

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary will execute specified binary. Part of VS/VScode installation.

Author: felamos

Paths:
* c:\windows\system32\devtoolslauncher.exe

Resources:
* https://twitter.com/_felamos/status/1179811992841797632

Detection:
* Sigma: proc_creation_win_lolbin_devtoolslauncher.yml
* IOC: DeveloperToolsSvc.exe spawned an unknown process [Devtoolslauncher.exe - LOLBAS Project]

Internal MISP references

UUID 6e213e33-c2e5-494f-bc1a-bf672f95dcf8 which can be used as unique global reference for Devtoolslauncher in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5214
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

devtunnel.exe - Associated Software

[devtunnel.exe - LOLBAS Project]

Internal MISP references

UUID 02bce9ff-2975-4b0a-a8ab-8aaba3660803 which can be used as unique global reference for devtunnel.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id dbe1da7a-4233-4a8e-84a1-daa8e7422edb
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

devtunnel

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary to enable forwarded ports on Windows operating systems.

Author: Kamran Saifullah

Paths:
* C:\Users\\AppData\Local\Temp.net\devtunnel\
* C:\Users\\AppData\Local\Temp\DevTunnels

Resources:
* https://code.visualstudio.com/docs/editor/port-forwarding

Detection:
* IOC: devtunnel.exe binary spawned
* IOC: .devtunnels.ms
* IOC: .*.devtunnels.ms
* Analysis: https://cydefops.com/vscode-data-exfiltration [devtunnel.exe - LOLBAS Project]

Internal MISP references

UUID 672d80fe-656e-4b1b-8234-ebf2c5339166 which can be used as unique global reference for devtunnel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5252
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

DEWMODE

According to joint Cybersecurity Advisory AA23-158A (June 2023), DEWMODE is a web shell written in PHP that is designed to interact with a MySQL database. During a campaign from 2020 to 2021, threat actors exploited multiple zero-day vulnerabilities in internet-facing Accellion File Transfer Appliance (FTA) devices, installing DEWMODE web shells to exfiltrate data from compromised networks.[Mandiant MOVEit Transfer June 2 2023]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/dewmode/

Internal MISP references

UUID ff0b0792-5dd0-4e10-8b84-8da93a0198aa which can be used as unique global reference for DEWMODE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux']
software_attack_id S5021
source Tidal Cyber
tags ['a98d7a43-f227-478e-81de-e7299639a355', '311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']

Dfshim.dll - Associated Software

[Dfshim.dll - LOLBAS Project]

Internal MISP references

UUID 92344064-ad27-4fa5-8d50-fa56ff279213 which can be used as unique global reference for Dfshim.dll - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 26a2d51b-6d8b-45fa-a796-9d0453f3d5a7
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Dfshim

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: ClickOnce engine in Windows used by .NET

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe

Resources:
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
* https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe

Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml [Dfshim.dll - LOLBAS Project]

Internal MISP references

UUID b396eb52-3b6a-44e9-9534-d8b981a52192 which can be used as unique global reference for Dfshim in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5189
source Tidal Cyber
tags ['91fd24c3-f371-4c3b-b997-cd85e25c0967', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Dfsvc.exe - Associated Software

[Dfsvc.exe - LOLBAS Project]

Internal MISP references

UUID a9e71535-14ff-4715-a9f4-fac62b04753e which can be used as unique global reference for Dfsvc.exe - Associated Software in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
id 6ff08a83-bfb2-44e6-b1da-596c71171e47
owner TidalCyberIan
owner_id bebdd211-52f4-4abc-94ff-b3a7df904561
Related clusters

To see the related clusters, click here.

Dfsvc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: ClickOnce engine in Windows used by .NET

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe

Resources:
* https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf
* https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe

Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml [Dfsvc.exe - LOLBAS Project]

Internal MISP references

UUID f85966ec-0c4d-4f7e-949f-bb73828bf601 which can be used as unique global reference for Dfsvc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5102
source Tidal Cyber
tags ['18d6d91d-7df0-44c8-88fe-986d9ba00b8d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Diantz.exe - Associated Software

[diantz.exe_lolbas]

Internal MISP references

UUID 6e