Tidal Software
Tidal Software Cluster
Authors
Authors and/or Contributors |
---|
Tidal Cyber |
3PARA RAT
3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [CrowdStrike Putter Panda]
Internal MISP references
UUID 71d76208-c465-4447-8d6e-c54f142b65a4
which can be used as unique global reference for 3PARA RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0066 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
4H RAT
4H RAT is malware that has been used by Putter Panda since at least 2007. [CrowdStrike Putter Panda]
Internal MISP references
UUID a15142a3-4797-4fef-8ec6-065e3322a69b
which can be used as unique global reference for 4H RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0065 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
7-Zip
7-Zip is a tool used to compress files into an archive.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 4665e52b-3c5c-4a7f-9432-c89ef26f2c93
which can be used as unique global reference for 7-Zip
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3023 |
source | Tidal Cyber |
tags | ['e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'c45ce044-b5b9-426a-866c-130e9f2a4427', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
8Base Ransomware
The 8Base ransomware operation began claiming significant numbers of victims on its data leak site in June 2023, including organizations in a range of sectors. Researchers have observed considerable similarities between aspects of 8Base's operations and those of other ransomware groups, leading them to suspect that 8Base may be an evolution or offshoot of existing operations. The language in 8Base's ransom notes is similar to the language seen in RansomHouse's notes, and there is strong overlap between the code of Phobos ransomware and 8Base.[VMWare 8Base June 28 2023][Acronis 8Base July 17 2023]
Internal MISP references
UUID 88a5435f-5586-4cb4-a9c0-1961ee060a67
which can be used as unique global reference for 8Base Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3061 |
source | Tidal Cyber |
tags | ['51946995-71d4-4bd3-9f7f-491b450f018b', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AADInternals
AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[AADInternals Github][AADInternals Documentation]
Internal MISP references
UUID 3d33fbf5-c21e-4587-ba31-9aeec3cc10c0
which can be used as unique global reference for AADInternals
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Identity Provider', 'Office Suite', 'Office 365', 'Google Workspace', 'Windows', 'Azure AD'] |
software_attack_id | S0677 |
source | MITRE |
tags | ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'c9c73000-30a5-4a16-8c8b-79169f9c24aa', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
ABK
ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]
Internal MISP references
UUID 394cadd0-bc4d-4181-ac53-858e84b8e3de
which can be used as unique global reference for ABK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0469 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AccCheckConsole
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Verifies UI accessibility requirements
Author: bohops
Paths: * C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe * C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe * C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe * C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe
Resources: * https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 * https://twitter.com/bohops/status/1477717351017680899
Detection: * Sigma: proc_creation_win_lolbin_susp_acccheckconsole.yml * IOC: Sysmon Event ID 1 - Process Creation * Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340[AccCheckConsole.exe - LOLBAS Project]
Internal MISP references
UUID cce705c7-49f8-4b54-b854-fd4b3a32e6ff
which can be used as unique global reference for AccCheckConsole
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3324 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
AccountRestore
AccountRestore is a .NET executable that is used to brute force Active Directory accounts. The tool searches for a list of specific users and attempts to brute force the accounts based on a password file provided by the user.[Security Joes Sockbot March 09 2022]
Internal MISP references
UUID 6bc29df2-195e-410c-ad08-f3661575492f
which can be used as unique global reference for AccountRestore
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3082 |
source | Tidal Cyber |
tags | ['dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AcidRain
AcidRain is an ELF binary targeting modems and routers using MIPS architecture.[AcidRain JAGS 2022] AcidRain is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with Sandworm Team.[AcidRain JAGS 2022] US and European government sources linked AcidRain to Russian government entities, while Ukrainian government sources linked AcidRain specifically to Sandworm Team.[AcidRain State Department 2022][Vincens AcidPour 2024]
Internal MISP references
UUID cf465790-3d6d-5767-bb8c-63a429f95d83
which can be used as unique global reference for AcidRain
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network', 'Linux'] |
software_attack_id | S1125 |
source | MITRE |
tags | ['b20e7912-6a8d-46e3-8e13-9a3fc4813852'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Action RAT
Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.[MalwareBytes SideCopy Dec 2021]
Internal MISP references
UUID 202781a3-d481-4984-9e5a-31caafc20135
which can be used as unique global reference for Action RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1028 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
adbupd
adbupd is a backdoor used by PLATINUM that is similar to Dipsind. [Microsoft PLATINUM April 2016]
Internal MISP references
UUID f52e759a-a725-4b50-84f2-12bef89d369e
which can be used as unique global reference for adbupd
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0202 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AddinUtil
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: .NET Tool used for updating cache files for Microsoft Office Add-Ins.
Author: Michael McKinley @MckinleyMike
Paths: * C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe
Resources: * https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
Detection: * Sigma: proc_creation_win_addinutil_suspicious_cmdline.yml * Sigma: proc_creation_win_addinutil_uncommon_child_process.yml * Sigma: proc_creation_win_addinutil_uncommon_cmdline.yml * Sigma: proc_creation_win_addinutil_uncommon_dir_exec.yml[AddinUtil.exe - LOLBAS Project]
Internal MISP references
UUID 253f97c3-ba35-4064-8ec0-892872432214
which can be used as unique global reference for AddinUtil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3190 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
AdFind
AdFind is a free command-line query tool that can be used for gathering information from Active Directory.[Red Canary Hospital Thwarted Ryuk October 2020][FireEye FIN6 Apr 2019][FireEye Ryuk and Trickbot January 2019]
Internal MISP references
UUID 70559096-2a6b-4388-97e6-c2b16f3be78e
which can be used as unique global reference for AdFind
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0552 |
source | MITRE |
tags | ['27a117ce-bb19-4f79-9bc2-a851b69c5c50', '6070668f-1cbd-4878-8066-c636d1d8659c', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '3a633b73-9c2c-4293-8577-fb97be0cda37', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
adplus
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Debugging tool included with Windows Debugging Tools
Author: mr.d0x
Paths: * C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe * C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe
Resources: * https://mrd0x.com/adplus-debugging-tool-lsass-dump/ * https://twitter.com/nas_bench/status/1534916659676422152 * https://twitter.com/nas_bench/status/1534915321856917506
Detection: * Sigma: proc_creation_win_lolbin_adplus.yml * IOC: As a Windows SDK binary, execution on a system may be suspicious[adplus.exe - LOLBAS Project]
Internal MISP references
UUID 3f229fe8-4d03-48ba-97b5-d7132510e090
which can be used as unique global reference for adplus
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3325 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ADRecon
ADRecon is an open-source tool that can be used to gather a "holistic" view of a target Active Directory environment.[GitHub ADRecon]
Internal MISP references
UUID c227bea1-9996-49d6-97ca-10a2fc156747
which can be used as unique global reference for ADRecon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3111 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Advanced IP Scanner
Advanced IP Scanner is a tool used to perform network scans and show network devices.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID ff0af6fd-e4a1-47c9-b4a1-7ce5074e089e
which can be used as unique global reference for Advanced IP Scanner
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3024 |
source | Tidal Cyber |
tags | ['da180b04-2897-4416-a904-9d7e336d9ee4', 'c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Advanced Port Scanner
Advanced Port Scanner is a tool used to perform network scans.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID f93b54cf-a17c-4739-a7af-4106055f868d
which can be used as unique global reference for Advanced Port Scanner
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3025 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
AdvancedRun
AdvancedRun is a tool used to enable software execution under user-defined settings.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 7ef15943-8061-4941-b14e-9634c0b95d28
which can be used as unique global reference for AdvancedRun
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3026 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '7de7d799-f836-4555-97a4-0db776eb6932', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Advpack
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Utility for installing software and drivers with rundll32.exe
Author: LOLBAS Team
Paths: * c:\windows\system32\advpack.dll * c:\windows\syswow64\advpack.dll
Resources: * https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/ * https://twitter.com/ItsReallyNick/status/967859147977850880 * https://twitter.com/bohops/status/974497123101179904 * https://twitter.com/moriarty_meng/status/977848311603380224
Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml * Splunk: detect_rundll32_application_control_bypass___advpack.yml[Advpack.dll - LOLBAS Project]
Internal MISP references
UUID 6c82fc65-864a-4a8c-80ed-80a69920c44f
which can be used as unique global reference for Advpack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3308 |
source | Tidal Cyber |
tags | ['7a457caf-c3b6-4a48-84cf-c1f50a2eda27', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ADVSTORESHELL
ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. [Kaspersky Sofacy] [ESET Sednit Part 2]
Internal MISP references
UUID ef7f4f5f-6f30-4059-87d1-cd8375bf1bee
which can be used as unique global reference for ADVSTORESHELL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0045 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635', '16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Agent.btz
Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. [Securelist Agent.btz]
Internal MISP references
UUID f27c9a91-c618-40c6-837d-089ba4d80f45
which can be used as unique global reference for Agent.btz
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0092 |
source | MITRE |
tags | ['e809d252-12cc-494d-94f5-954c49eb87ce', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
AgentExecutor
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Intune Management Extension included on Intune Managed Devices
Author: Eleftherios Panos
Paths: * C:\Program Files (x86)\Microsoft Intune Management Extension
Resources:
Detection: * Sigma: proc_creation_win_lolbin_agentexecutor.yml * Sigma: proc_creation_win_lolbin_agentexecutor_susp_usage.yml[AgentExecutor.exe - LOLBAS Project]
Internal MISP references
UUID 27fa7573-c1d3-4857-8a45-ef501c8ea32c
which can be used as unique global reference for AgentExecutor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3326 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Agent Tesla
Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[Fortinet Agent Tesla April 2018][Bitdefender Agent Tesla April 2020][Malwarebytes Agent Tesla April 2020]
Internal MISP references
UUID 304650b1-a0b5-460c-9210-23a5b53815a4
which can be used as unique global reference for Agent Tesla
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0331 |
source | MITRE |
tags | ['d11d22a2-518d-4727-975b-d04d8826e4c0', '16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Akira
Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the a ransomware-as-a-service entity Akira.[Kersten Akira 2023]
Internal MISP references
UUID 96ae0e1e-975a-5e11-adbe-c79ee17cee11
which can be used as unique global reference for Akira
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1129 |
source | MITRE |
tags | ['fde14c10-e749-4c04-b97f-1d9fbd6e72e7', 'c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '562e535e-19f5-4d6c-81ed-ce2aec544f09'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Akira Ransomware (Deprecated)
We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: "Akira" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.
A ransomware binary designed to encrypt victim files. More details about the TTPs typically observed during Akira ransomware attacks can be found in the associated Group object, "Akira Ransomware Actors".
Internal MISP references
UUID 59d598a9-e115-4d90-8fef-096015afa8d4
which can be used as unique global reference for Akira Ransomware (Deprecated)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5280 |
source | Tidal Cyber |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '562e535e-19f5-4d6c-81ed-ce2aec544f09'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Amadey
Amadey is a Trojan bot that has been used since at least October 2018.[Korean FSI TA505 2020][BlackBerry Amadey 2020]
Internal MISP references
UUID f173ec20-ef40-436b-a859-fef017e1e767
which can be used as unique global reference for Amadey
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1025 |
source | MITRE |
tags | ['fa84181d-fd9a-4c7b-8e18-e47011993b5e', '263adb48-051c-4384-90cf-1d4c937c3f05', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Anchor
Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.[Cyberreason Anchor December 2019][Medium Anchor DNS July 2020]
Internal MISP references
UUID 9521c535-1043-4b82-ba5d-e5eaeca500ee
which can be used as unique global reference for Anchor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0504 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
ANDROMEDA
ANDROMEDA is commodity malware that was widespread in the early 2010's and continues to be observed in infections across a wide variety of industries. During the 2022 C0026 campaign, threat actors re-registered expired ANDROMEDA C2 domains to spread malware to select targets in Ukraine.[Mandiant Suspected Turla Campaign February 2023]
Internal MISP references
UUID 69aac793-9e6a-5167-bc62-823189ee2f7b
which can be used as unique global reference for ANDROMEDA
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1074 |
source | MITRE |
type | ['malware'] |
Angry IP Scanner
Angry IP Scanner is a tool that adversaries are known to use to search for vulnerable RDP ports.[U.S. CISA Phobos February 29 2024]
Internal MISP references
UUID 8efa90ac-a894-467d-8633-16a44d270358
which can be used as unique global reference for Angry IP Scanner
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S3114 |
source | Tidal Cyber |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'cd1b5d44-226e-4405-8985-800492cf2865', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
AnyDesk
AnyDesk is a tool used to enable remote connections to network devices.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 922447fd-f41e-4bcf-b479-88137c81099c
which can be used as unique global reference for AnyDesk
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3027 |
source | Tidal Cyber |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'fb06d216-f535-45c1-993a-8c1b7aa2111c', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Apostle
Apostle is malware that has functioned as both a wiper and, in more recent versions, as ransomware. Apostle is written in .NET and shares various programming and functional overlaps with IPsec Helper.[SentinelOne Agrius 2021]
Internal MISP references
UUID f525a28f-2500-585c-a1c7-063ecec8376e
which can be used as unique global reference for Apostle
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1133 |
source | MITRE |
tags | ['7e7b0c67-bb85-4996-a289-da0e792d7172', '2e621fc5-dea4-4cb9-987e-305845986cd3'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AppInstaller
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Tool used for installation of AppX/MSIX applications on Windows 10
Author: Wade Hickey
Paths: * C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe
Resources: * https://twitter.com/notwhickey/status/1333900137232523264
Detection: * Sigma: dns_query_win_lolbin_appinstaller.yml[AppInstaller.exe - LOLBAS Project]
Internal MISP references
UUID 9fa7c759-172f-4ae3-ac3d-0070c3c4c439
which can be used as unique global reference for AppInstaller
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3191 |
source | Tidal Cyber |
tags | ['837cf289-ad09-48ca-adf9-b46b07015666', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
AppleJeus
AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[CISA AppleJeus Feb 2021]
Internal MISP references
UUID cdeb3110-07e5-4c3d-9eef-e6f2b760ef33
which can be used as unique global reference for AppleJeus
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Windows'] |
software_attack_id | S0584 |
source | MITRE |
tags | ['8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AppleSeed
AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.[Malwarebytes Kimsuky June 2021]
Internal MISP references
UUID 9df2e42e-b454-46ea-b50d-2f7d999f3d42
which can be used as unique global reference for AppleSeed
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0622 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Appvlp
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Application Virtualization Utility Included with Microsoft Office 2016
Author: Oddvar Moe
Paths: * C:\Program Files\Microsoft Office\root\client\appvlp.exe * C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe
Resources: * https://github.com/MoooKitty/Code-Execution * https://twitter.com/moo_hax/status/892388990686347264 * https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/ * https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/
Detection: * Sigma: proc_creation_win_lolbin_appvlp.yml[Appvlp.exe - LOLBAS Project]
Internal MISP references
UUID 1328ae5d-7220-46bb-a7ee-0c5a31eeda7f
which can be used as unique global reference for Appvlp
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3327 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
AresLoader
AresLoader is a loader malware distributed as malware-as-a-service. It has been observed being both dropped by and delivering SystemBC, a known ransomware precursor.[New loader on the bloc - AresLoader | Intel471]
Internal MISP references
UUID 5bf1ed41-8fe5-4c4b-8d80-a55980289e1f
which can be used as unique global reference for AresLoader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3001 |
source | Tidal Cyber |
tags | ['c545270e-a6d4-4d89-af6e-d8be7219405d', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Aria-body
Aria-body is a custom backdoor that has been used by Naikon since approximately 2017.[CheckPoint Naikon May 2020]
Internal MISP references
UUID 7ba79887-d496-47aa-8b71-df7f46329322
which can be used as unique global reference for Aria-body
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0456 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Arp
Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache. [TechNet Arp]
Internal MISP references
UUID 45b51950-6190-4572-b1a2-7c69d865251e
which can be used as unique global reference for Arp
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0099 |
source | MITRE |
tags | ['509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Aspnet_Compiler
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: ASP.NET Compilation Tool
Author: Jimmy (@bohops)
Paths: * c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe * c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Resources: * https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ * https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8
Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * Sigma: proc_creation_win_lolbin_aspnet_compiler.yml[Aspnet_Compiler.exe - LOLBAS Project]
Internal MISP references
UUID 42763dde-8226-4f31-a3ba-face2da84dd2
which can be used as unique global reference for Aspnet_Compiler
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3192 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [Dell TG-3390]
Internal MISP references
UUID a0cce010-9158-45e5-978a-f002e5c31a03
which can be used as unique global reference for ASPXSpy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0073 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Astaroth
Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [Cybereason Astaroth Feb 2019][Cofense Astaroth Sept 2018][Securelist Brazilian Banking Malware July 2020]
Internal MISP references
UUID ea719a35-cbe9-4503-873d-164f68ab4544
which can be used as unique global reference for Astaroth
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0373 |
source | MITRE |
tags | ['84d9893e-e338-442a-bfc0-3148ad5f716d', '4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
AsyncRAT
AsyncRAT is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.[Morphisec Snip3 May 2021][Cisco Operation Layover September 2021][Telefonica Snip3 December 2021]
Internal MISP references
UUID d587efff-4699-51c7-a4cc-bdbd1b302ed4
which can be used as unique global reference for AsyncRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1087 |
source | MITRE |
tags | ['9eaf6107-4d57-4bc7-b6d2-4541d5936672', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '27a117ce-bb19-4f79-9bc2-a851b69c5c50', '6070668f-1cbd-4878-8066-c636d1d8659c', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
at
at is used to schedule tasks on a system to run at a specified date or time.[TechNet At][Linux at]
Internal MISP references
UUID af01dc7b-a2bc-4fda-bbfe-d2be889c2860
which can be used as unique global reference for at
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0110 |
source | MITRE |
tags | ['5bc4c6c6-36df-4a53-920c-53e17d7027db', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Atbroker
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Helper binary for Assistive Technology (AT)
Author: Oddvar Moe
Paths: * C:\Windows\System32\Atbroker.exe * C:\Windows\SysWOW64\Atbroker.exe
Resources: * http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
Detection: * Sigma: proc_creation_win_lolbin_susp_atbroker.yml * Sigma: registry_event_susp_atbroker_change.yml * IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration * IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs * IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware[Atbroker.exe - LOLBAS Project]
Internal MISP references
UUID 2efae55c-86f3-4234-af26-1c75e922d81a
which can be used as unique global reference for Atbroker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3194 |
source | Tidal Cyber |
tags | ['85a29262-64bd-443c-9e08-3ee26aac859b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Atera Agent
Atera Agent is a legitimate remote administration tool (specifically a remote management and maintenance ("RMM") solution) that adversaries have used as a command and control tool for remote code execution, tool ingress, and persisting in victim environments.[U.S. CISA PaperCut May 2023]
Internal MISP references
UUID f8113a9f-a706-46df-8370-a9cef1c75f30
which can be used as unique global reference for Atera Agent
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3008 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '9a5ed991-6fe7-49fe-8536-91defc449b18', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Atomic Stealer
Atomic Stealer is an information-stealing malware ("infostealer") designed to harvest passwords, cookies, and other sensitive information from macOS systems. It is often delivered via malicious download sites promoted via malvertising.[Malwarebytes 9 6 2023]
Internal MISP references
UUID ce914eea-8db9-425b-8ae2-a56a264b4951
which can be used as unique global reference for Atomic Stealer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['macOS'] |
software_attack_id | S3127 |
source | Tidal Cyber |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Attor
Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.[ESET Attor Oct 2019]
Internal MISP references
UUID 89c35e9f-b435-4f58-9073-f24c1ee8754f
which can be used as unique global reference for Attor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0438 |
source | MITRE |
type | ['malware'] |
AuditCred
AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[TrendMicro Lazarus Nov 2018]
Internal MISP references
UUID d0c25f14-5eb3-40c1-a890-2ab1349dff53
which can be used as unique global reference for AuditCred
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0347 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AutoIt backdoor
AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [Forcepoint Monsoon] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.
Internal MISP references
UUID 3f927596-5219-49eb-bd0d-57068b0e04ed
which can be used as unique global reference for AutoIt backdoor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0129 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Automim
Researchers describe Automim as a "collection of .cmd, .vbs and .bat files that automate the execution" of the Mimikatz and LaZagne credential harvesting tools.[CrowdStrike Endpoint Security Testing Oct 2021]
Internal MISP references
UUID 984249bd-6421-4133-bd2a-25f330b4b441
which can be used as unique global reference for Automim
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3117 |
source | Tidal Cyber |
tags | ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
AuTo Stealer
AuTo Stealer is malware written in C++ has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[MalwareBytes SideCopy Dec 2021]
Internal MISP references
UUID 649a4cfc-c0d0-412d-a28c-1bd4ed604ea8
which can be used as unique global reference for AuTo Stealer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1029 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Avaddon
Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.[Awake Security Avaddon][Arxiv Avaddon Feb 2021]
Internal MISP references
UUID bad92974-35f6-4183-8024-b629140c6ee6
which can be used as unique global reference for Avaddon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0640 |
source | MITRE |
tags | ['8c65cb23-442d-4855-9d80-e0ac27bcfc48', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Avenger
Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]
Internal MISP references
UUID e5ca0192-e905-46a1-abef-ce1119c1f967
which can be used as unique global reference for Avenger
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0473 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
AvosLocker
AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[Malwarebytes AvosLocker Jul 2021][Trend Micro AvosLocker Apr 2022][Joint CSA AvosLocker Mar 2022]
Internal MISP references
UUID e792dc8d-b0f4-5916-8850-a61ff53125d0
which can be used as unique global reference for AvosLocker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S1053 |
source | MITRE |
tags | ['b802443a-37b2-4c38-addd-75e4efb1defd', '562e535e-19f5-4d6c-81ed-ce2aec544f09', 'c3779a84-8132-4c62-be2f-9312ad41c273', 'ce9f1048-09c1-49b0-a109-dd604afbf3cd', 'fe3eb26d-6daa-4f82-b0dd-fc1e2fffbc2b', '9e4936f0-e3b7-4721-a638-58b2d093b2f2', '24448a05-2337-4bc9-a889-a83f2fd1f3ad', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
AzCopy
AzCopy is a command line tool that enables Azure storage data transfers. It facilitates file transfer activity for Azure Storage Explorer, another legitimate utility that has been abused by ransomware operations like the BianLian and Rhysida gangs.[modePUSH Azure Storage Explorer September 14 2024]
Internal MISP references
UUID aab3287b-932a-4208-af5e-d10abffb188b
which can be used as unique global reference for AzCopy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Azure AD', 'Linux', 'macOS', 'Windows'] |
software_attack_id | S3187 |
source | Tidal Cyber |
tags | ['c9c73000-30a5-4a16-8c8b-79169f9c24aa', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '8bf128ad-288b-41bc-904f-093f4fdde745', 'e1af18e3-3224-4e4c-9d0f-533768474508'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Azorult
Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [Unit42 Azorult Nov 2018][Proofpoint Azorult July 2018]
Internal MISP references
UUID cc68a7f0-c955-465f-bee0-2dacbb179078
which can be used as unique global reference for Azorult
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0344 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Azure Storage Explorer
Azure Storage Explorer is a Microsoft application that provides a graphical interface for managing Azure storage elements, as well as file and folder download and upload capabilities. The associated AzCopy tool facilitates actual Azure Storage Explorer file transfer capabilities.[modePUSH Azure Storage Explorer September 14 2024]
Internal MISP references
UUID 1674b306-aa70-44f5-b373-24bb5fc51cfa
which can be used as unique global reference for Azure Storage Explorer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Azure AD', 'Linux', 'macOS', 'Windows'] |
software_attack_id | S3186 |
source | Tidal Cyber |
tags | ['c9c73000-30a5-4a16-8c8b-79169f9c24aa', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '8bf128ad-288b-41bc-904f-093f4fdde745', 'e1af18e3-3224-4e4c-9d0f-533768474508'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Babuk
Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[Sogeti CERT ESEC Babuk March 2021][McAfee Babuk February 2021][CyberScoop Babuk February 2021]
Internal MISP references
UUID 0dc07eb9-66df-4116-b1bc-7020ca6395a1
which can be used as unique global reference for Babuk
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0638 |
source | MITRE |
tags | ['c545270e-a6d4-4d89-af6e-d8be7219405d', 'b802443a-37b2-4c38-addd-75e4efb1defd', '64d3f7d8-30b7-4b03-bee2-a6029672216c', '375983b3-6e87-4281-99e2-1561519dd17b', '3ed2343c-a29c-42e2-8259-410381164c6a', '562e535e-19f5-4d6c-81ed-ce2aec544f09', 'b5962a84-f1c7-4d0d-985c-86301db95129', '12124060-8392-49a3-b7b7-1dde3ebc8e67', '915e7ac2-b266-45d7-945c-cb04327d6246', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
BabyShark
BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. [Unit42 BabyShark Feb 2019]
Internal MISP references
UUID ebb824a2-abff-4bfd-87f0-d63cb02b62e6
which can be used as unique global reference for BabyShark
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0414 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BackConfig
BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.[Unit 42 BackConfig May 2020]
Internal MISP references
UUID 2763ad8c-cf4e-42eb-88db-a40ff8f96cf9
which can be used as unique global reference for BackConfig
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0475 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Backdoor.Oldrea
Backdoor.Oldrea is a modular backdoor that used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[Symantec Dragonfly][Gigamon Berserk Bear October 2021][Symantec Dragonfly Sept 2017]
Internal MISP references
UUID f7cc5974-767c-4cb4-acc7-36295a386ce5
which can be used as unique global reference for Backdoor.Oldrea
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0093 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BACKSPACE
BACKSPACE is a backdoor used by APT30 that dates back to at least 2005. [FireEye APT30]
Internal MISP references
UUID d0daaa00-68e1-4568-bb08-3f28bcd82c63
which can be used as unique global reference for BACKSPACE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0031 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Backstab
Backstab is a tool used to terminate antimalware-protected processes.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 5a9a7a54-21cb-4a5c-bef0-d37f8678bf46
which can be used as unique global reference for Backstab
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3028 |
source | Tidal Cyber |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'd469efcf-4feb-4149-9c0f-c4b7821960bd', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
BADCALL
BADCALL is a Trojan malware variant used by the group Lazarus Group. [US-CERT BADCALL]
Internal MISP references
UUID d7aa53a5-0912-4952-8f7f-55698e933c3b
which can be used as unique global reference for BADCALL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0245 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BADFLICK
BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.[FireEye Periscope March 2018][Accenture MUDCARP March 2019]
Internal MISP references
UUID 8c454294-81cb-45d0-b299-818994ad3e6f
which can be used as unique global reference for BADFLICK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0642 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BADHATCH
BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.[Gigamon BADHATCH Jul 2019][BitDefender BADHATCH Mar 2021]
Internal MISP references
UUID 16481e0f-49d5-54c1-a1fe-16d9e7f8d08c
which can be used as unique global reference for BADHATCH
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1081 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BADNEWS
BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. [Forcepoint Monsoon] [TrendMicro Patchwork Dec 2017]
Internal MISP references
UUID 34c24d27-c779-42a4-9f61-3f0d3fea6fd4
which can be used as unique global reference for BADNEWS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0128 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BadPatch
BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.[Unit 42 BadPatch Oct 2017]
Internal MISP references
UUID 10e76722-4b52-47f6-9276-70e95fecb26b
which can be used as unique global reference for BadPatch
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0337 |
source | MITRE |
type | ['malware'] |
BadPotato
BadPotato is an open-source software project that, according to its GitHub page, can be used for privilege escalation purposes.[GitHub BeichenDream BadPotato]
Internal MISP references
UUID 4b59bf81-d351-436e-aebc-f0111a892395
which can be used as unique global reference for BadPotato
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3070 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bad Rabbit
Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [Secure List Bad Rabbit][ESET Bad Rabbit][Dragos IT ICS Ransomware]
Internal MISP references
UUID a1d86d8f-fa48-43aa-9833-7355750e455c
which can be used as unique global reference for Bad Rabbit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0606 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '5a463cb3-451d-47f7-93e4-1886150697ce', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bandook
Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[EFF Manul Aug 2016][Lookout Dark Caracal Jan 2018][CheckPoint Bandook Nov 2020]
Internal MISP references
UUID 5c0f8c35-88ff-40a1-977a-af5ce534e932
which can be used as unique global reference for Bandook
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0234 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bankshot
Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. [McAfee Bankshot]
Internal MISP references
UUID 24b8471d-698f-48cc-b47a-8fbbaf28b293
which can be used as unique global reference for Bankshot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0239 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bash
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: File used by Windows subsystem for Linux
Author: Oddvar Moe
Paths: * C:\Windows\System32\bash.exe * C:\Windows\SysWOW64\bash.exe
Detection: * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * Sigma: proc_creation_win_lolbin_bash.yml * IOC: Child process from bash.exe[Bash.exe - LOLBAS Project]
Internal MISP references
UUID cef3a09e-22ca-43dc-ad4a-95741a3b85ff
which can be used as unique global reference for Bash
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3195 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Bat Armor
Bat Armor is a tool used to generate .bat files using PowerShell scripts.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 628037d4-962d-4f58-b32d-241d739bc62d
which can be used as unique global reference for Bat Armor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3029 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Bazar
Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[Cybereason Bazar July 2020]
Internal MISP references
UUID b35d9817-6ead-4dbd-a2fa-4b8e217f8eac
which can be used as unique global reference for Bazar
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0534 |
source | MITRE |
tags | ['818c3d93-c010-44f4-82bc-b63b4bc6c3c2', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BBK
BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]
Internal MISP references
UUID 3daa5ae1-464e-4c0a-aa46-15264a2a0126
which can be used as unique global reference for BBK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0470 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BBSRAT
BBSRAT is malware with remote access tool functionality that has been used in targeted compromises. [Palo Alto Networks BBSRAT]
Internal MISP references
UUID be4dab36-d499-4ac3-b204-5e309e3a5331
which can be used as unique global reference for BBSRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0127 |
source | MITRE |
type | ['malware'] |
BendyBear
BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, BendyBear shares a variety of features with Waterbear, malware previously attributed to the Chinese cyber espionage group BlackTech.[Unit42 BendyBear Feb 2021]
Internal MISP references
UUID a114a498-fcfd-4e0a-9d1e-e26750d71af8
which can be used as unique global reference for BendyBear
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0574 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BFG Agonizer
BFG Agonizer is a wiper related to the open-source project CRYLINE-v.5.0. The malware is associated with wiping operations conducted by the Agrius threat actor.[Unit42 Agrius 2023]
Internal MISP references
UUID 99005f44-fb72-5c19-80c6-3b660daf9b11
which can be used as unique global reference for BFG Agonizer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1136 |
source | MITRE |
tags | ['2e621fc5-dea4-4cb9-987e-305845986cd3'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bginfo
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Background Information Utility included with SysInternals Suite
Author: Oddvar Moe
Paths: * No fixed path
Resources: * https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
Detection: * Sigma: proc_creation_win_lolbin_bginfo.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[Bginfo.exe - LOLBAS Project]
Internal MISP references
UUID fe926654-0cff-4e8e-b192-2fa1eb8a9a67
which can be used as unique global reference for Bginfo
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3328 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
BianLian Ransomware (Backdoor)
This Software object represents the custom backdoor tool used during intrusions conducted by the BianLian Ransomware Group.[U.S. CISA BianLian Ransomware May 2023][BianLian Ransomware Gang Gives It a Go! | [redacted]]
Delivers: TeamViewer[U.S. CISA BianLian Ransomware May 2023], Atera Agent[U.S. CISA BianLian Ransomware May 2023], Splashtop[U.S. CISA BianLian Ransomware May 2023], AnyDesk[U.S. CISA BianLian Ransomware May 2023]
Internal MISP references
UUID a4fb341d-8010-433f-b8f1-a8781f961435
which can be used as unique global reference for BianLian Ransomware (Backdoor)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3010 |
source | Tidal Cyber |
tags | ['35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BianLian Ransomware (Encryptor)
This Software object represents the custom Go encryptor tool (encryptor.exe
) used during intrusions conducted by the BianLian Ransomware Group.[U.S. CISA BianLian Ransomware May 2023]. The tool will skip encryption of files based on a hardcoded file extension exclusion list.[BianLian Ransomware Gang Gives It a Go! | [redacted]]
Internal MISP references
UUID 252f56c2-4c85-4a19-8451-371cb04c6ceb
which can be used as unique global reference for BianLian Ransomware (Encryptor)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3009 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BISCUIT
BISCUIT is a backdoor that has been used by APT1 since as early as 2007. [Mandiant APT1]
Internal MISP references
UUID 3ad98097-2d10-4aa1-9594-7e74828a3643
which can be used as unique global reference for BISCUIT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0017 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bisonal
Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.[Unit 42 Bisonal July 2018][Talos Bisonal Mar 2020]
Internal MISP references
UUID b898816e-610f-4c2f-9045-d9f28a54ee58
which can be used as unique global reference for Bisonal
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0268 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BitPaymer
BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.[Crowdstrike Indrik November 2018]
Internal MISP references
UUID e7dec940-8701-4c06-9865-5b11c61c046d
which can be used as unique global reference for BitPaymer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0570 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BITSAdmin
BITSAdmin is a command line tool used to create and manage BITS Jobs. [Microsoft BITSAdmin]
Internal MISP references
UUID 52a20d3d-1edd-4f17-87f0-b77c67d260b4
which can be used as unique global reference for BITSAdmin
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0190 |
source | MITRE |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '10d09438-9ea5-405d-9b3a-36d351b5a5d9', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Black Basta
Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. Black Basta operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group.[Palo Alto Networks Black Basta August 2022][Deep Instinct Black Basta August 2022][Minerva Labs Black Basta May 2022][Avertium Black Basta June 2022][NCC Group Black Basta June 2022][Cyble Black Basta May 2022]
Internal MISP references
UUID 0d5b24ba-68dc-50fa-8268-3012180fe374
which can be used as unique global reference for Black Basta
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1070 |
source | MITRE |
tags | ['b802443a-37b2-4c38-addd-75e4efb1defd', 'da5af5bf-d4f3-4bbb-9638-57ea2dc2c776', '89c5b94b-ecf4-4d53-9b74-3465086d4565', 'd903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', '15787198-6c8b-4f79-bf50-258d55072fee', '562e535e-19f5-4d6c-81ed-ce2aec544f09', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', 'dea4388a-b1f2-4f2a-9df9-108631d0d078', '2743d495-7728-4a75-9e5f-b64854039792', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BlackCat
BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[Microsoft BlackCat Jun 2022][Sophos BlackCat Jul 2022][ACSC BlackCat Apr 2022]
Internal MISP references
UUID 691369e5-ef74-5ff9-bc20-34efeb4b6c5b
which can be used as unique global reference for BlackCat
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S1068 |
source | MITRE |
tags | ['b802443a-37b2-4c38-addd-75e4efb1defd', 'd5248609-d9ed-4aad-849a-aa0476f85dea', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BLACKCOFFEE
BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. [FireEye APT17] [FireEye Periscope March 2018]
Internal MISP references
UUID e85e2fca-9347-4448-bfc1-342f29d5d6a1
which can be used as unique global reference for BLACKCOFFEE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0069 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BlackEnergy
BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. [F-Secure BlackEnergy 2014]
Internal MISP references
UUID 908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f
which can be used as unique global reference for BlackEnergy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0089 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BlackLotus
BlackLotus is a Unified Extensible Firmware Interface (UEFI) bootkit that enables bypass of Secure Boot, a UEFI feature that provides verification about the state of the boot chain, even on fully updated UEFI systems. It is considered the first “in-the-wild” UEFI bootkit, as it was observed for sale on underground forums in October 2022 and researchers were able to then confirm its existence. BlackLotus bypasses UEFI Secure Boot and establishes persistence by exploiting CVE-2022-21894, and after installation, it is designed to deploy a kernel driver for further persistence and an HTTP downloader, which allows communication with a command-and-control server and loading of additional user-mode or kernel-mode payloads. BlackLotus is also capable of disabling operating system security features, and some instances of the malware include a location-based check where it will terminate if the system uses a location associated with one of several Eastern European countries.[ESET BlackLotus March 01 2023]
Internal MISP references
UUID 4cd25fac-0b5d-44e2-8df1-2c7de06b4b39
which can be used as unique global reference for BlackLotus
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3084 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '1a5a32ac-1db6-46b1-b72e-18bc3d776aed', 'df78b317-ce5d-423c-ac42-1e328ab27ffd', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
BlackMould
BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.[Microsoft GALLIUM December 2019]
Internal MISP references
UUID da348a51-d047-4144-9ba4-34d2ce964a11
which can be used as unique global reference for BlackMould
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0564 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BlackSuit Ransomware
BlackSuit is a ransomware capable of running on Windows and Linux systems. BlackSuit is believed to be a successor to Royal, a ransomware operation which itself derives from the notorious Russia-based Conti gang. BlackSuit operations were first observed in May 2023, and although they were relatively low in number, U.S. authorities issued a warning for healthcare sector organizations due to the ransomware's suspected pedigree.[HC3 Analyst Note BlackSuit Ransomware November 2023] The number of attacks claimed by BlackSuit operators increased notably in Q2 2024.[GitHub ransomwatch]
Internal MISP references
UUID 6e200813-4379-457b-9cce-2203bed4b072
which can be used as unique global reference for BlackSuit Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'Windows'] |
software_attack_id | S3139 |
source | Tidal Cyber |
tags | ['c545270e-a6d4-4d89-af6e-d8be7219405d', 'b802443a-37b2-4c38-addd-75e4efb1defd', '2917207f-aa63-4c4a-b2d2-be7e16d1f25c', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BLINDINGCAN
BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.[US-CERT BLINDINGCAN Aug 2020][NHS UK BLINDINGCAN Aug 2020]
Internal MISP references
UUID 1af8ea81-40df-4fba-8d63-1858b8b31217
which can be used as unique global reference for BLINDINGCAN
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0520 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BloodHound
BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[GitHub Bloodhound][CrowdStrike BloodHound April 2018][FoxIT Wocao December 2019]
Internal MISP references
UUID 72658763-8077-451e-8572-38858f8cacf3
which can be used as unique global reference for BloodHound
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0521 |
source | MITRE |
tags | ['d8f7e071-fbfd-46f8-b431-e241bb1513ac', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
BLUELIGHT
BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.[Volexity InkySquid BLUELIGHT August 2021]
Internal MISP references
UUID 3aaaaf86-638b-4a65-be18-c6e6dcdcdb97
which can be used as unique global reference for BLUELIGHT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0657 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bonadan
Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.[ESET ForSSHe December 2018]
Internal MISP references
UUID 3793db4b-f843-4cfd-89d2-ec28b62feda5
which can be used as unique global reference for Bonadan
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0486 |
source | MITRE |
type | ['malware'] |
BONDUPDATER
BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[FireEye APT34 Dec 2017][Palo Alto OilRig Sep 2018]
Internal MISP references
UUID d8690218-5272-47d8-8189-35d3b518e66f
which can be used as unique global reference for BONDUPDATER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0360 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BoomBox
BoomBox is a downloader responsible for executing next stage components that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]
Internal MISP references
UUID 9d393f6f-855e-4348-8a26-008174e3605a
which can be used as unique global reference for BoomBox
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0635 |
source | MITRE |
tags | ['15126457-d8bb-4799-9cee-b18e17ef9703', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BOOSTWRITE
BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[FireEye FIN7 Oct 2019]
Internal MISP references
UUID 74a73624-d53b-4c84-a14b-8ae964fd577c
which can be used as unique global reference for BOOSTWRITE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0415 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BOOTRASH
BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.[Mandiant M Trends 2016][FireEye Bootkits][FireEye BOOTRASH SANS]
Internal MISP references
UUID d47a4753-80f5-494e-aad7-d033aaff0d6d
which can be used as unique global reference for BOOTRASH
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0114 |
source | MITRE |
type | ['malware'] |
BoxCaon
BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.[Checkpoint IndigoZebra July 2021]
Internal MISP references
UUID d3e46011-3433-426c-83b3-61c2576d5f71
which can be used as unique global reference for BoxCaon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0651 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
BPFDoor
BPFDoor is a Linux based passive long-term backdoor used by China-based threat actors. First seen in 2021, BPFDoor is named after its usage of Berkley Packet Filter (BPF) to execute single task instructions. BPFDoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP and can start local or reverse shells that bypass firewalls using iptables.[Sandfly BPFDoor 2022][Deep Instinct BPFDoor 2023]
Internal MISP references
UUID 1c75c6dc-7b74-5b15-ae9a-59f9cc98e662
which can be used as unique global reference for BPFDoor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S1161 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Brave Prince
Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. [McAfee Gold Dragon]
Internal MISP references
UUID 51b27e2c-c737-4006-a657-195ea1a1f4f0
which can be used as unique global reference for Brave Prince
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0252 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Briba
Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Briba May 2012]
Internal MISP references
UUID 7942783c-73a7-413c-94d1-8981029a1c51
which can be used as unique global reference for Briba
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0204 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Brute Ratel C4
Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.[Dark Vortex Brute Ratel C4][Palo Alto Brute Ratel July 2022][MDSec Brute Ratel August 2022][SANS Brute Ratel October 2022][Trend Micro Black Basta October 2022]
Internal MISP references
UUID 23043b44-69a6-5cdf-8f60-5a68068680c7
which can be used as unique global reference for Brute Ratel C4
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1063 |
source | MITRE |
tags | ['599dd679-c6a6-42b6-8b7a-29d840db2028', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
BS2005
BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011. [Mandiant Operation Ke3chang November 2014]
Internal MISP references
UUID c9e773de-0213-4b64-83fb-637060c8b5ed
which can be used as unique global reference for BS2005
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0014 |
source | MITRE |
type | ['malware'] |
BUBBLEWRAP
BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. [FireEye admin@338]
Internal MISP references
UUID 2be4e3d2-e8c5-4406-8041-2c17bdb3a547
which can be used as unique global reference for BUBBLEWRAP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0043 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
build_downer
build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]
Internal MISP references
UUID c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9
which can be used as unique global reference for build_downer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0471 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bumblebee
Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.[Google EXOTIC LILY March 2022][Proofpoint Bumblebee April 2022][Symantec Bumblebee June 2022]
Internal MISP references
UUID cc155181-fb34-4aaf-b083-b7b57b140b7a
which can be used as unique global reference for Bumblebee
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1039 |
source | MITRE |
tags | ['aa983c81-e54b-49b3-b0dd-53cf950825b8', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Bundlore
Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.[MacKeeper Bundlore Apr 2019]
Internal MISP references
UUID e9873bf1-9619-4c62-b4cf-1009e83de186
which can be used as unique global reference for Bundlore
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0482 |
source | MITRE |
tags | ['707e8a2b-e223-4d99-91c2-43de4b4459f6', '4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
BUSHWALK
BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during Cutting Edge.[Mandiant Cutting Edge Part 2 January 2024][Mandiant Cutting Edge Part 3 February 2024]
Internal MISP references
UUID 44ed9567-2cb6-590e-b332-154557fb93f9
which can be used as unique global reference for BUSHWALK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1118 |
source | MITRE |
type | ['malware'] |
Cachedump
Cachedump is a publicly-available tool that program extracts cached password hashes from a system’s registry. [Mandiant APT1]
Internal MISP references
UUID 7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc
which can be used as unique global reference for Cachedump
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0119 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
CACTUS Ransomware
This Software object reflects the TTPs associated with the CACTUS ransomware binary, a malware that researchers believe has been used since at least March 2023.[Kroll CACTUS Ransomware May 10 2023] Other pre- and post-exploit TTPs associated with threat actors known to deploy CACTUS can be found in the separate dedicated Group object.
Internal MISP references
UUID ad51e7c6-7d3c-4c5d-a7e2-e50afb11a0ca
which can be used as unique global reference for CACTUS Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3107 |
source | Tidal Cyber |
tags | ['c545270e-a6d4-4d89-af6e-d8be7219405d', 'b802443a-37b2-4c38-addd-75e4efb1defd', '83a25621-55a6-4b0d-be67-4905b6d3a1c6', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CaddyWiper
CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[ESET CaddyWiper March 2022][Cisco CaddyWiper March 2022]
Internal MISP references
UUID 62d0ddcd-790d-4d2d-9d94-276f54b40cf0
which can be used as unique global reference for CaddyWiper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0693 |
source | MITRE |
tags | ['2e621fc5-dea4-4cb9-987e-305845986cd3'] |
type | ['malware'] |
Cadelspy
Cadelspy is a backdoor that has been used by APT39.[Symantec Chafer Dec 2015]
Internal MISP references
UUID c8a51b39-6906-4381-9bb4-4e9e612aa085
which can be used as unique global reference for Cadelspy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0454 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CALENDAR
CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic. [Mandiant APT1]
Internal MISP references
UUID ad859a79-c183-44f6-a89a-f734710672a9
which can be used as unique global reference for CALENDAR
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0025 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Calisto
Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to have first been developed in 2016. [Securelist Calisto July 2018] [Symantec Calisto July 2018]
Internal MISP references
UUID 6b5b408c-4f9d-4137-bfb1-830d12e9736c
which can be used as unique global reference for Calisto
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0274 |
source | MITRE |
type | ['malware'] |
CallMe
CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. [Scarlet Mimic Jan 2016]
Internal MISP references
UUID 352ee271-89e6-4d3f-9c26-98dbab0e2986
which can be used as unique global reference for CallMe
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0077 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cannon
Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [Unit42 Cannon Nov 2018][Unit42 Sofacy Dec 2018]
Internal MISP references
UUID 790e931d-2571-496d-9f48-322774a7d482
which can be used as unique global reference for Cannon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0351 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Carbanak
Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [Kaspersky Carbanak] [FireEye CARBANAK June 2017]
Internal MISP references
UUID 4cb9294b-9e4c-41b9-b640-46213a01952d
which can be used as unique global reference for Carbanak
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0030 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Carberp
Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.[Trend Micro Carberp February 2014][KasperskyCarbanak][RSA Carbanak November 2017]
Internal MISP references
UUID df9491fd-5e24-4548-8e21-1268dce59d1f
which can be used as unique global reference for Carberp
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0484 |
source | MITRE |
type | ['malware'] |
Carbon
Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[ESET Carbon Mar 2017][Securelist Turla Oct 2018]
Internal MISP references
UUID 61f5d19c-1da2-43d1-ab20-51eacbca71f2
which can be used as unique global reference for Carbon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0335 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cardinal RAT
Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[PaloAlto CardinalRat Apr 2017]
Internal MISP references
UUID fa23acef-3034-43ee-9610-4fc322f0d80b
which can be used as unique global reference for Cardinal RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0348 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['malware'] |
CARROTBALL
CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.[Unit 42 CARROTBAT January 2020]
Internal MISP references
UUID 84bb4068-b441-435e-8535-02a458ffd50b
which can be used as unique global reference for CARROTBALL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0465 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['tool'] |
CARROTBAT
CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.[Unit 42 CARROTBAT November 2018][Unit 42 CARROTBAT January 2020]
Internal MISP references
UUID aefa893d-fc6e-41a9-8794-2700049db9e5
which can be used as unique global reference for CARROTBAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0462 |
source | MITRE |
type | ['malware'] |
Catchamas
Catchamas is a Windows Trojan that steals information from compromised systems. [Symantec Catchamas April 2018]
Internal MISP references
UUID 04deccb5-9850-45c3-a900-5d7039a94190
which can be used as unique global reference for Catchamas
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0261 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Caterpillar WebShell
Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.[ClearSky Lebanese Cedar Jan 2021]
Internal MISP references
UUID ee88afaa-88bc-4c20-906f-332866388549
which can be used as unique global reference for Caterpillar WebShell
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0572 |
source | MITRE |
tags | ['311abf64-a9cc-4c6a-b778-32c5df5658be'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CBROVER
CBROVER is a first-stage backdoor, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[Trend Micro September 9 2024]
Internal MISP references
UUID 73ff6a0c-12fd-43d6-b2ea-2949a7f748b1
which can be used as unique global reference for CBROVER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3172 |
source | Tidal Cyber |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CC-Attack
CC-Attack is a publicly available script that automates the use of open, external proxy servers as part of denial of service flood attacks. Its use has been promoted among the members of the Killnet hacktivist collective.[Flashpoint Glossary Killnet]
Internal MISP references
UUID 7664bfa5-8477-4903-9103-1144113fca36
which can be used as unique global reference for CC-Attack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'Windows'] |
software_attack_id | S3085 |
source | Tidal Cyber |
tags | ['62bde669-3020-4682-be68-36c83b2588a4'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CCBkdr
CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. [Talos CCleanup 2017] [Intezer Aurora Sept 2017]
Internal MISP references
UUID 4eb0720c-7046-4ff1-adfd-ae603506e499
which can be used as unique global reference for CCBkdr
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0222 |
source | MITRE |
tags | ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55'] |
type | ['malware'] |
ccf32
ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[Bitdefender FunnyDream Campaign November 2020]
Internal MISP references
UUID e00c2a0c-bbe5-4eff-b0ad-b2543456a317
which can be used as unique global reference for ccf32
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1043 |
source | MITRE |
type | ['malware'] |
Cdb
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Debugging tool included with Windows Debugging Tools.
Author: Oddvar Moe
Paths: * C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe * C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe
Resources: * http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html * https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options * https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda * https://mrd0x.com/the-power-of-cdb-debugging-tool/ * https://twitter.com/nas_bench/status/1534957360032120833
Detection: * Sigma: proc_creation_win_lolbin_cdb.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[Cdb.exe - LOLBAS Project]
Internal MISP references
UUID d9ea2696-7c47-44cd-8784-9aeef5e149ea
which can be used as unique global reference for Cdb
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3329 |
source | Tidal Cyber |
tags | ['4479b9e9-d912-451a-9ad5-08b3d922422d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CDumper
A credential dumping tool associated with Iran-linked espionage group OilRig.[ESET OilRig September 21 2023]
Internal MISP references
UUID 0dc7a5a5-c304-40bb-87d7-c0f77dd84b29
which can be used as unique global reference for CDumper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3158 |
source | Tidal Cyber |
tags | ['dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CertOC
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used for installing certificates
Author: Ensar Samil
Paths: * c:\windows\system32\certoc.exe * c:\windows\syswow64\certoc.exe
Resources: * https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 * https://twitter.com/sblmsrsn/status/1452941226198671363?s=20
Detection: * Sigma: proc_creation_win_certoc_load_dll.yml * IOC: Process creation with given parameter * IOC: Unsigned DLL load via certoc.exe * IOC: Network connection via certoc.exe[CertOC.exe - LOLBAS Project]
Internal MISP references
UUID 34e1c197-ac43-4634-9a0d-9148c748f774
which can be used as unique global reference for CertOC
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3197 |
source | Tidal Cyber |
tags | ['fb909648-ee44-4871-abe6-82c909c4d677', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CertReq
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used for requesting and managing certificates
Author: David Middlehurst
Paths: * C:\Windows\System32\certreq.exe * C:\Windows\SysWOW64\certreq.exe
Resources: * https://dtm.uk/certreq
Detection: * Sigma: proc_creation_win_lolbin_susp_certreq_download.yml * IOC: certreq creates new files * IOC: certreq makes POST requests[CertReq.exe - LOLBAS Project]
Internal MISP references
UUID 43050f80-ce28-49e3-aac6-cb3f4a07f4b4
which can be used as unique global reference for CertReq
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3198 |
source | Tidal Cyber |
tags | ['35a798a2-eaab-48a3-9ee7-5538f36a4172', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
certutil
certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [TechNet Certutil]
Internal MISP references
UUID 2fe21578-ee31-4ee8-b6ab-b5f76f97d043
which can be used as unique global reference for certutil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0160 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '412da5b4-fb41-40fc-a29a-78dc9119aa75', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Chaes
Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.[Cybereason Chaes Nov 2020]
Internal MISP references
UUID 0c8efcd0-bfdf-4771-8754-18aac836c359
which can be used as unique global reference for Chaes
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0631 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Chaos
Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. [Chaos Stolen Backdoor]
Internal MISP references
UUID 92c88765-6b12-42cd-b1d7-f6a65b2236e2
which can be used as unique global reference for Chaos
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0220 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
CharmPower
CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.[Check Point APT35 CharmPower January 2022]
Internal MISP references
UUID b1e3b56f-2e83-4cab-a1c1-16999009d056
which can be used as unique global reference for CharmPower
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0674 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
ChChes
ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [Palo Alto menuPass Feb 2017] [JPCERT ChChes Feb 2017] [PWC Cloud Hopper Technical Annex April 2017]
Internal MISP references
UUID 3f2283ef-67c2-49a3-98ac-1aa9f0499361
which can be used as unique global reference for ChChes
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0144 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cheerscrypt
Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks against ESXi and Windows environments since at least 2022. Cheerscrypt was derived from the leaked Babuk source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from Babuk.[Sygnia Emperor Dragonfly October 2022][Trend Micro Cheerscrypt May 2022]
Internal MISP references
UUID 6475bc8c-b95d-5cb3-92f0-aa7e2f18859a
which can be used as unique global reference for Cheerscrypt
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1096 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cherry Picker
Cherry Picker is a point of sale (PoS) memory scraper. [Trustwave Cherry Picker]
Internal MISP references
UUID 2fd6f564-918e-4ee7-920a-2b4be858d11a
which can be used as unique global reference for Cherry Picker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0107 |
source | MITRE |
type | ['malware'] |
CHIMNEYSWEEP
CHIMNEYSWEEP is a backdoor malware that was deployed during HomeLand Justice along with ROADSWEEP ransomware, and has been used to target Farsi and Arabic speakers since at least 2012.[Mandiant ROADSWEEP August 2022]
Internal MISP references
UUID 966f4b5c-e5f3-598e-9ac0-a5174c56827b
which can be used as unique global reference for CHIMNEYSWEEP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1149 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
China Chopper
China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.[Lee 2013] It has been used by several threat groups.[Dell TG-3390][FireEye Periscope March 2018][CISA AA21-200A APT40 July 2021][Rapid7 HAFNIUM Mar 2021]
Internal MISP references
UUID 723c5ab7-23ca-46f2-83bb-f1d1e550122c
which can be used as unique global reference for China Chopper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0020 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '311abf64-a9cc-4c6a-b778-32c5df5658be'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Chinoxy
Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.[Bitdefender FunnyDream Campaign November 2020]
Internal MISP references
UUID 7c36563a-9143-4766-8aef-4e1787e18d8c
which can be used as unique global reference for Chinoxy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1041 |
source | MITRE |
type | ['malware'] |
Chisel
Chisel is an open source tool that can be used for networking tunneling.[U.S. CISA AvosLocker October 11 2023] According to its GitHub project page, "Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH".[GitHub Chisel] Threat actors including ransomware operators and nation-state-aligned espionage actors have used Chisel as part of their operations.[U.S. CISA AvosLocker October 11 2023][CISA AA20-259A Iran-Based Actor September 2020]
Internal MISP references
UUID bd2b2375-4f16-42b2-a862-959b5b41c2af
which can be used as unique global reference for Chisel
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3087 |
source | Tidal Cyber |
tags | ['e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Chocolatey
Chocolatey is a command-line package manager for Microsoft Windows.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 7a2b00ef-8a37-4901-bf0c-17da0ebf3d69
which can be used as unique global reference for Chocolatey
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3030 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
CHOPSTICK
CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [FireEye APT28] [ESET Sednit Part 2] [FireEye APT28 January 2017] [DOJ GRU Indictment Jul 2018] It is tracked separately from the X-Agent for Android.
Internal MISP references
UUID 01c6c49a-f7c8-44cd-a377-4dfd358ffeba
which can be used as unique global reference for CHOPSTICK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0023 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
ChromeLoader
ChromeLoader is a "browser hijacking" malware that is capable of adjusting victim web browser settings and in order to redirect user traffic to advertisement websites. ChromeLoader is notable for using a relatively uncommon technique whereby PowerShell is leveraged to inject the malware into the browser and add a malicious extension to it.[Red Canary May 25 2022]
Internal MISP references
UUID 1523b0d7-9c95-4f39-a23b-7ca347748dc6
which can be used as unique global reference for ChromeLoader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['macOS', 'Windows'] |
software_attack_id | S3386 |
source | Tidal Cyber |
tags | ['9775efc2-e8ac-47de-bd2a-bb08202b48fd', '707e8a2b-e223-4d99-91c2-43de4b4459f6', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Chrommme
Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.[ESET Gelsemium June 2021]
Internal MISP references
UUID df77ed2a-f135-4f00-9a5e-79b7a6a2ed14
which can be used as unique global reference for Chrommme
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0667 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Cicada3301
A ransomware binary used by the ransomware-as-a-service ("RaaS") group of the same name, which was first observed in June 2024. This ransomware is written in Rust and can run on Windows and Linux/ESXi hosts. Researchers have highlighted several notable overlaps between Cicada3301 and ALPHV/BlackCat ransomware.[Truesec AB August 30 2024][Morphisec September 3 2024]
Internal MISP references
UUID a45b2ee6-43dd-47e8-9846-385a06c0c9ac
which can be used as unique global reference for Cicada3301
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'Windows'] |
software_attack_id | S3164 |
source | Tidal Cyber |
tags | ['c545270e-a6d4-4d89-af6e-d8be7219405d', 'b802443a-37b2-4c38-addd-75e4efb1defd', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Clambling
Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[Trend Micro DRBControl February 2020]
Internal MISP references
UUID 4bac93bd-7e58-4ddb-a205-d99597b9e65e
which can be used as unique global reference for Clambling
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0660 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CL_Invocation
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Aero diagnostics script
Author: Oddvar Moe
Paths: * C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1 * C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 * C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1
Resources:
Detection: * Sigma: proc_creation_win_lolbin_cl_invocation.yml * Sigma: posh_ps_cl_invocation_lolscript.yml[CL_Invocation.ps1 - LOLBAS Project]
Internal MISP references
UUID 4bc36e22-6529-4a4a-a5d2-461f3925c5f3
which can be used as unique global reference for CL_Invocation
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3378 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CL_LoadAssembly
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: PowerShell Diagnostic Script
Author: Jimmy (@bohops)
Paths: * C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1
Resources: * https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
Detection: * Sigma: proc_creation_win_lolbas_cl_loadassembly.yml[CL_LoadAssembly.ps1 - LOLBAS Project]
Internal MISP references
UUID cb950179-334d-4bd9-9cfb-87b09d279a3b
which can be used as unique global reference for CL_LoadAssembly
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3376 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CL_Mutexverifiers
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Proxy execution with CL_Mutexverifiers.ps1
Author: Oddvar Moe
Paths: * C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1 * C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1
Resources: * https://twitter.com/pabraeken/status/995111125447577600
Detection: * Sigma: proc_creation_win_lolbin_cl_mutexverifiers.yml[CL_Mutexverifiers.ps1 - LOLBAS Project]
Internal MISP references
UUID 3c63792a-1184-416e-aa9b-18da72e88327
which can be used as unique global reference for CL_Mutexverifiers
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3377 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Clop
Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[Mcafee Clop Aug 2019][Cybereason Clop Dec 2020][Unit42 Clop April 2021]
Internal MISP references
UUID 5321aa75-924c-47ae-b97a-b36f023abf2a
which can be used as unique global reference for Clop
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0611 |
source | MITRE |
tags | ['0629ccb3-83b1-4aeb-a9cb-1585b6b21542', '562e535e-19f5-4d6c-81ed-ce2aec544f09', 'b15c16f7-b8c7-4962-9acc-a98a39f87b69', 'b18b5401-d88d-4f28-8f50-a884a5e58349', 'ac862a66-a4ec-4285-9a21-b63576a5867d', '5ab5f811-5c7e-4f77-ae90-59d3beb93346', '1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0', 'e401022a-36ac-486d-8503-dd531410a927', '8a77c410-bed9-4376-87bf-5ac84fbc2c9d', 'ab64f2d8-8da3-48de-ac66-0fd91d634b22', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CloudChat Infostealer
CloudChat Infostealer is an information-stealing malware designed to harvest passwords, cookies, and other sensitive information from macOS systems.[Kandji 4 8 2024]
Internal MISP references
UUID 7a57e81b-2453-4aaf-94ad-c007bd7105a2
which can be used as unique global reference for CloudChat Infostealer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['macOS'] |
software_attack_id | S3129 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
CloudDuke
CloudDuke is malware that was used by APT29 in 2015. [F-Secure The Dukes] [Securelist Minidionis July 2015]
Internal MISP references
UUID b3dd424b-ee96-449c-aa52-abbc7d4dfb86
which can be used as unique global reference for CloudDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0054 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
cmd
cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [TechNet Cmd]
Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir
[TechNet Dir]), deleting files (e.g., del
[TechNet Del]), and copying files (e.g., copy
[TechNet Copy]).
Internal MISP references
UUID 98d89476-63ec-4baf-b2b3-86c52170f5d8
which can be used as unique global reference for cmd
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0106 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'a968c9f3-c190-488f-bacc-92e8f1ce295c', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Cmdkey
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: creates, lists, and deletes stored user names and passwords or credentials.
Author: Oddvar Moe
Paths: * C:\Windows\System32\cmdkey.exe * C:\Windows\SysWOW64\cmdkey.exe
Resources: * https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
Detection: * Sigma: proc_creation_win_cmdkey_recon.yml[Cmdkey.exe - LOLBAS Project]
Internal MISP references
UUID da252f67-2d4e-419f-b493-d4a1d024a01c
which can be used as unique global reference for Cmdkey
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3201 |
source | Tidal Cyber |
tags | ['51006447-540b-4b9d-bdba-1cbff8038ae9', '35e694ec-5133-46e3-b7e1-5831867c3b55', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', '15787198-6c8b-4f79-bf50-258d55072fee', '96bff827-e51f-47de-bde6-d2eec0f99767', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
cmdl32
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Connection Manager Auto-Download
Author: Elliot Killick
Paths: * C:\Windows\System32\cmdl32.exe * C:\Windows\SysWOW64\cmdl32.exe
Resources: * https://github.com/LOLBAS-Project/LOLBAS/pull/151 * https://twitter.com/ElliotKillick/status/1455897435063074824 * https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/
Detection: * Sigma: proc_creation_win_lolbin_cmdl32.yml * IOC: Reports of downloading from suspicious URLs in %TMP%\config.log * IOC: Useragent Microsoft(R) Connection Manager Vpn File Update[cmdl32.exe - LOLBAS Project]
Internal MISP references
UUID 44a523a8-9ed6-4f01-9a53-0e8ea1e15b51
which can be used as unique global reference for cmdl32
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3202 |
source | Tidal Cyber |
tags | ['4c8f8830-0b2c-4c79-b1db-8659ede492f0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Cmstp
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Installs or removes a Connection Manager service profile.
Author: Oddvar Moe
Paths: * C:\Windows\System32\cmstp.exe * C:\Windows\SysWOW64\cmstp.exe
Resources: * https://twitter.com/NickTyrer/status/958450014111633408 * https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80 * https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e * https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ * https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1 * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp
Detection: * Sigma: proc_creation_win_cmstp_execution_by_creation.yml * Sigma: proc_creation_win_uac_bypass_cmstp.yml * Splunk: cmlua_or_cmstplua_uac_bypass.yml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Elastic: defense_evasion_unusual_process_network_connection.toml * IOC: Execution of cmstp.exe without a VPN use case is suspicious * IOC: DotNet CLR libraries loaded into cmstp.exe * IOC: DotNet CLR Usage Log - cmstp.exe.log[Cmstp.exe - LOLBAS Project]
Internal MISP references
UUID 6f848e15-5234-4445-9a05-2949e4c57f0b
which can be used as unique global reference for Cmstp
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3203 |
source | Tidal Cyber |
tags | ['65938118-2f00-48a1-856e-d1a75a08e3c6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
COATHANGER
COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”
.[NCSC-NL COATHANGER Feb 2024]
Internal MISP references
UUID fbd3f71a-e123-5527-908c-9e7ea0d646e8
which can be used as unique global reference for COATHANGER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network', 'Linux'] |
software_attack_id | S1105 |
source | MITRE |
type | ['malware'] |
Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[cobaltstrike manual]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[cobaltstrike manual]
Internal MISP references
UUID 9b6bcbba-3ab4-4a4c-a233-cd12254823f6
which can be used as unique global reference for Cobalt Strike
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0154 |
source | MITRE |
tags | ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '56d89c06-23a0-4642-adfc-1fffd3524191', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cobalt Strike Random C2 Profile Generator
This is an open-source tool for creating Cobalt Strike Malleable C2 profiles with randomly generated variables.[GitHub random_c2_profile] According to a September 2023 CERT-FR advisory, during an intrusion in March 2023, actors attributed to FIN12 used the tool to generate a Cobalt Strike malleable C2 profile.[CERTFR-2023-CTI-007]
Internal MISP references
UUID cf47b3ce-1392-4904-a4e6-f65aebebddc6
which can be used as unique global reference for Cobalt Strike Random C2 Profile Generator
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'macOS', 'Windows'] |
software_attack_id | S3080 |
source | Tidal Cyber |
tags | ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cobian RAT
Cobian RAT is a backdoor, remote access tool that has been observed since 2016.[Zscaler Cobian Aug 2017]
Internal MISP references
UUID d4e6f9f7-7f4d-47c2-be24-b267d9317303
which can be used as unique global reference for Cobian RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0338 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
code
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: VSCode binary, also portable (CLI) version
Author: PfiatDe
Paths: * %LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe * C:\Program Files\Microsoft VS Code\Code.exe * C:\Program Files (x86)\Microsoft VS Code\Code.exe
Resources: * https://badoption.eu/blog/2023/01/31/code_c2.html * https://code.visualstudio.com/docs/remote/tunnels * https://code.visualstudio.com/blogs/2022/12/07/remote-even-better
Detection: * IOC: Websocket traffic to global.rel.tunnels.api.visualstudio.com * IOC: Process tree: code.exe -> cmd.exe -> node.exe -> winpty-agent.exe * IOC: File write of code_tunnel.json which is parametizable, but defaults to: %UserProfile%.vscode-cli\code_tunnel.json[code.exe - LOLBAS Project]
Internal MISP references
UUID 49d440e4-b2ea-4e7d-8ded-8589ddf679d9
which can be used as unique global reference for code
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3306 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CoinTicker
CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[CoinTicker 2019]
Internal MISP references
UUID b0d9b31a-072b-4744-8d2f-3a63256a932f
which can be used as unique global reference for CoinTicker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0369 |
source | MITRE |
type | ['malware'] |
Colorcpl
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary that handles color management
Author: Arjan Onwezen
Paths: * C:\Windows\System32\colorcpl.exe * C:\Windows\SysWOW64\colorcpl.exe
Resources: * https://twitter.com/eral4m/status/1480468728324231172
Detection: * Sigma: file_event_win_susp_colorcpl.yml * IOC: colorcpl.exe writing files[Colorcpl.exe - LOLBAS Project]
Internal MISP references
UUID 9f006b88-2f13-4c99-ade0-839da70d1e11
which can be used as unique global reference for Colorcpl
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3204 |
source | Tidal Cyber |
tags | ['884eb1b1-aede-4db0-8443-ba50624682e1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Comnie
Comnie is a remote backdoor which has been used in attacks in East Asia. [Palo Alto Comnie]
Internal MISP references
UUID 341fc709-4908-4e41-8df3-554dae6d72b0
which can be used as unique global reference for Comnie
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0244 |
source | MITRE |
type | ['malware'] |
ComRAT
ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.[Symantec Waterbug][NorthSec 2015 GData Uroburos Tools][ESET ComRAT May 2020]
Internal MISP references
UUID 300c5997-a486-4a61-8213-93a180c22849
which can be used as unique global reference for ComRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0126 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Comsvcs
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: COM+ Services
Author: LOLBAS Team
Paths: * c:\windows\system32\comsvcs.dll
Resources: * https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
Detection: * Sigma: proc_creation_win_rundll32_process_dump_via_comsvcs.yml * Sigma: proc_access_win_lsass_dump_comsvcs_dll.yml * Elastic: credential_access_cmdline_dump_tool.toml * Splunk: dump_lsass_via_comsvcs_dll.yml[Comsvcs.dll - LOLBAS Project]
Internal MISP references
UUID 0448178d-fff1-4174-8339-e6bfca78fb84
which can be used as unique global reference for Comsvcs
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3323 |
source | Tidal Cyber |
tags | ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '334b0ee4-5a0d-4634-91c8-236593b818a0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Conficker
Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.[SANS Conficker] In 2016, a variant of Conficker made its way on computers and removable disk drives belonging to a nuclear power plant.[Conficker Nuclear Power Plant]
Internal MISP references
UUID ef33f1fa-18a3-4b30-b359-17b7930f43a7
which can be used as unique global reference for Conficker
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0608 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
type | ['malware'] |
ConfigSecurityPolicy
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary part of Windows Defender. Used to manage settings in Windows Defender. you can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.
Author: Ialle Teixeira
Paths: * C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe * C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe
Resources: * https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads * https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads * https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor * https://twitter.com/NtSetDefault/status/1302589153570365440?s=20
Detection: * Sigma: proc_creation_win_lolbin_configsecuritypolicy.yml * IOC: ConfigSecurityPolicy storing data into alternate data streams. * IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS. * IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe. * IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"[ConfigSecurityPolicy.exe - LOLBAS Project]
Internal MISP references
UUID 0e178275-4eb7-4fae-a703-d9730adf6a26
which can be used as unique global reference for ConfigSecurityPolicy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3205 |
source | Tidal Cyber |
tags | ['d99039e1-e677-4226-8b63-e698d6642535', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Conhost
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Console Window host
Author: Wietze Beukema
Paths: * c:\windows\system32\conhost.exe
Resources: * https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ * https://twitter.com/Wietze/status/1511397781159751680 * https://twitter.com/embee_research/status/1559410767564181504 * https://twitter.com/ankit_anubhav/status/1561683123816972288
Detection: * IOC: conhost.exe spawning unexpected processes * Sigma: proc_creation_win_conhost_susp_child_process.yml[Conhost.exe - LOLBAS Project]
Internal MISP references
UUID d3f8a214-3e65-4b7d-aed6-97a3e38ef8e0
which can be used as unique global reference for Conhost
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3206 |
source | Tidal Cyber |
tags | ['ea54037d-e07b-42b0-afe6-33576ec36f44', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ConnectWise
ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[Anomali Static Kitten February 2021][Trend Micro Muddy Water March 2021]
Internal MISP references
UUID 6f9bb24d-cce2-49de-bedd-1849d9bde7a0
which can be used as unique global reference for ConnectWise
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0591 |
source | MITRE |
tags | ['6b4ccbb1-d9a9-4ca3-9178-7d332c2c8a14', 'd903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Conti
Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.[Cybereason Conti Jan 2021][CarbonBlack Conti July 2020][Cybleinc Conti January 2020]
Internal MISP references
UUID 8e995c29-2759-4aeb-9a0f-bb7cd97b06e5
which can be used as unique global reference for Conti
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0575 |
source | MITRE |
tags | ['a3d78265-f5b3-4254-8af5-c629dbb795d4', '64d3f7d8-30b7-4b03-bee2-a6029672216c', '375983b3-6e87-4281-99e2-1561519dd17b', '3ed2343c-a29c-42e2-8259-410381164c6a', '89c5b94b-ecf4-4d53-9b74-3465086d4565', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '0ed7d10c-c65b-4174-9edb-446bf301d250', '3d90eed2-862d-4f61-8c8f-0b8da3e45af0', '12a2e20a-7c27-46bb-954d-b372833a9925', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871', 'c2380542-36f2-4922-9ed2-80ced06645c9', 'dea4388a-b1f2-4f2a-9df9-108631d0d078', '24448a05-2337-4bc9-a889-a83f2fd1f3ad', '2743d495-7728-4a75-9e5f-b64854039792', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Control
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary used to launch controlpanel items in Windows
Author: Oddvar Moe
Paths: * C:\Windows\System32\control.exe * C:\Windows\SysWOW64\control.exe
Resources: * https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/ * https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/ * https://twitter.com/bohops/status/955659561008017409 * https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items * https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/
Detection: * Sigma: proc_creation_win_exploit_cve_2021_40444.yml * Sigma: proc_creation_win_rundll32_susp_control_dll_load.yml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * Elastic: defense_evasion_execution_control_panel_suspicious_args.toml * Elastic: defense_evasion_unusual_dir_ads.toml * IOC: Control.exe executing files from alternate data streams * IOC: Control.exe executing library file without cpl extension * IOC: Suspicious network connections from control.exe[Control.exe - LOLBAS Project]
Internal MISP references
UUID efc46430-b27f-4b05-bc36-1d5eba685ec7
which can be used as unique global reference for Control
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3207 |
source | Tidal Cyber |
tags | ['53ac2b35-d302-4bdd-9931-5b6c6cb31b96', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CookieMiner
CookieMiner is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.[Unit42 CookieMiner Jan 2019]
Internal MISP references
UUID 6e2c4aef-2f69-4507-9ee3-55432d76341e
which can be used as unique global reference for CookieMiner
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0492 |
source | MITRE |
type | ['malware'] |
CORALDECK
CORALDECK is an exfiltration tool used by APT37. [FireEye APT37 Feb 2018]
Internal MISP references
UUID f13c8455-d615-4f8d-9d9c-5b31e593cd8a
which can be used as unique global reference for CORALDECK
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0212 |
source | MITRE |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
coregen
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.
Author: Martin Sohn Christensen
Paths: * C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe * C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
Resources: * https://www.youtube.com/watch?v=75XImxOOInU * https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Detection: * Sigma: image_load_side_load_coregen.yml * IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" * IOC: coregen.exe loading .dll file not named coreclr.dll * IOC: coregen.exe command line containing -L or -l * IOC: coregen.exe command line containing unexpected/invald assembly name * IOC: coregen.exe application crash by invalid assembly name[coregen.exe - LOLBAS Project]
Internal MISP references
UUID b7dacd5c-eaba-48db-bdd7-e779a82b2ba7
which can be used as unique global reference for coregen
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3330 |
source | Tidal Cyber |
tags | ['a19a158e-aec4-410a-8c3e-e9080b111183', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CORESHELL
CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.[FireEye APT28] [FireEye APT28 January 2017]
Internal MISP references
UUID 3b193f62-2b49-4eff-bdf4-501fb8a28274
which can be used as unique global reference for CORESHELL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0137 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Corona (Mirai Botnet Variant)
Corona is a suspected variant of the popular Mirai botnet, which has been observed since at least 2020 (its name likely relates to the COVID-19 pandemic).[Akamai Corona Zero-Day August 28 2024]
Internal MISP references
UUID e4e37a06-ee31-44bf-a818-efa236ada136
which can be used as unique global reference for Corona (Mirai Botnet Variant)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux'] |
software_attack_id | S3167 |
source | Tidal Cyber |
tags | ['55cb344a-cbd5-4fd1-a1e9-30bbc956527e', 'f925e659-1120-4b76-92b6-071a7fb757d6', '06236145-e9d6-461c-b7e4-284b3de5f561', 'a98d7a43-f227-478e-81de-e7299639a355', '33d35d5e-f0cf-4c66-9be3-a3ffe6610b1a', 'e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
CosmicDuke
CosmicDuke is malware that was used by APT29 from 2010 to 2015. [F-Secure The Dukes]
Internal MISP references
UUID 43b317c6-5b4f-47b8-b7b4-15cd6f455091
which can be used as unique global reference for CosmicDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0050 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CostaBricks
CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.[BlackBerry CostaRicto November 2020]
Internal MISP references
UUID ea9e2d19-89fe-4039-a1e0-467b14554c6f
which can be used as unique global reference for CostaBricks
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0614 |
source | MITRE |
type | ['malware'] |
Covenant
Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.[Github Covenant][Microsoft HAFNIUM March 2020]
Internal MISP references
UUID c9cea5ac-b426-5484-a228-6eeffa173611
which can be used as unique global reference for Covenant
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S1155 |
source | MITRE |
tags | ['e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
CozyCar
CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. [F-Secure The Dukes]
Internal MISP references
UUID c2353daa-fd4c-44e1-8013-55400439965a
which can be used as unique global reference for CozyCar
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0046 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CrackMapExec
CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[CME Github September 2018]
Internal MISP references
UUID 47e710b4-1397-47cf-a979-20891192f313
which can be used as unique global reference for CrackMapExec
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0488 |
source | MITRE |
tags | ['f683d62f-15d4-43c0-a8a3-7d6310e552f3', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', 'd8f7e071-fbfd-46f8-b431-e241bb1513ac', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Createdump
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)
Author: mr.d0x, Daniel Santos
Paths: * C:\Program Files\dotnet\shared\Microsoft.NETCore.App*\createdump.exe * C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App*\createdump.exe * C:\Program Files\Microsoft Visual Studio*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe * C:\Program Files (x86)\Microsoft Visual Studio*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
Resources: * https://twitter.com/bopin2020/status/1366400799199272960 * https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnetcore/practice-troubleshoot-linux/lab-1-3-capture-core-crash-dumps
Detection: * Sigma: proc_creation_win_proc_dump_createdump.yml * Sigma: proc_creation_win_renamed_createdump.yml * IOC: createdump.exe process with a command line containing the lsass.exe process id[Createdump.exe - LOLBAS Project]
Internal MISP references
UUID a574b315-523c-45c3-8743-feb3d541e81a
which can be used as unique global reference for Createdump
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3331 |
source | Tidal Cyber |
tags | ['7beee233-2b65-4593-88e6-a5c0c02c6a08', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CredoMap
CredoMap is a credential-stealing malware developed by the Russian espionage actor APT28. The malware harvests cookies and credentials from select web browsers and exfiltrates the information via the IMAP email protocol. CredoMap was observed being used in attack campaigns in Ukraine in 2022.[CERTFR-2023-CTI-009][SecurityScorecard CredoMap September 2022]
Internal MISP references
UUID 516ffd19-72b9-43a1-b866-bb075fdcb137
which can be used as unique global reference for CredoMap
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3099 |
source | Tidal Cyber |
tags | ['904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CreepyDrive
CreepyDrive is a custom implant has been used by POLONIUM since at least early 2022 for C2 with and exfiltration to actor-controlled OneDrive accounts.[Microsoft POLONIUM June 2022]
POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.[Microsoft POLONIUM June 2022]
Internal MISP references
UUID 7f7f05c3-fbb1-475e-b672-2113709065c8
which can be used as unique global reference for CreepyDrive
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Office 365', 'Google Workspace', 'Office Suite', 'Windows'] |
software_attack_id | S1023 |
source | MITRE |
tags | ['15f2277a-a17e-4d85-8acd-480bf84f16b4', 'be319849-fb2c-4b5f-8055-0bde562c280b', '8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CreepySnail
CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[Microsoft POLONIUM June 2022]
Internal MISP references
UUID 11ce380c-481b-4c9b-b44e-06f1a91c01c1
which can be used as unique global reference for CreepySnail
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1024 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Crimson
Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.[Proofpoint Operation Transparent Tribe March 2016][Kaspersky Transparent Tribe August 2020]
Internal MISP references
UUID 3b3f296f-20a6-459a-98c5-62ebdee3701f
which can be used as unique global reference for Crimson
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0115 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
CrossRAT
CrossRAT is a cross platform RAT.
Internal MISP references
UUID 38811c3b-f548-43fa-ab26-c7243b84a055
which can be used as unique global reference for CrossRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0235 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Crutch
Crutch is a backdoor designed for document theft that has been used by Turla since at least 2015.[ESET Crutch December 2020]
Internal MISP references
UUID e1ad229b-d750-4148-a1f3-36e767b03cd1
which can be used as unique global reference for Crutch
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0538 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cryptoistic
Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.[SentinelOne Lazarus macOS July 2020]
Internal MISP references
UUID 12ce6d04-ebe5-440e-b342-0283b7c8a0c8
which can be used as unique global reference for Cryptoistic
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0498 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Csc
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary file used by .NET to compile C# code
Author: Oddvar Moe
Paths: * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe
Resources: * https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
Detection: * Sigma: proc_creation_win_csc_susp_parent.yml * Sigma: proc_creation_win_csc_susp_folder.yml * Elastic: defense_evasion_dotnet_compiler_parent_process.toml * Elastic: defense_evasion_execution_msbuild_started_unusal_process.toml * IOC: Csc.exe should normally not run as System account unless it is used for development.[Csc.exe - LOLBAS Project]
Internal MISP references
UUID 939eeb6b-3f74-43b6-8ead-644457ee7d78
which can be used as unique global reference for Csc
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3208 |
source | Tidal Cyber |
tags | ['2ee25dd6-256c-4659-b1b6-f5afc943ccc1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Cscript
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary used to execute scripts in Windows
Author: Oddvar Moe
Paths: * C:\Windows\System32\cscript.exe * C:\Windows\SysWOW64\cscript.exe
Resources: * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f * https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Detection: * Sigma: proc_creation_win_wscript_cscript_script_exec.yml * Sigma: file_event_win_net_cli_artefact.yml * Elastic: defense_evasion_unusual_dir_ads.toml * Elastic: command_and_control_remote_file_copy_scripts.toml * Elastic: defense_evasion_suspicious_managedcode_host_process.toml * Splunk: wscript_or_cscript_suspicious_child_process.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Cscript.exe executing files from alternate data streams * IOC: DotNet CLR libraries loaded into cscript.exe * IOC: DotNet CLR Usage Log - cscript.exe.log[Cscript.exe - LOLBAS Project]
Internal MISP references
UUID 83036c61-d8cf-42f8-a9e5-dc3d26d75cdc
which can be used as unique global reference for Cscript
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3209 |
source | Tidal Cyber |
tags | ['7cae5f59-dbbf-406f-928d-118430d2bdd0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
csi
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Command line interface included with Visual Studio.
Author: Oddvar Moe
Paths: * c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe * c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe
Resources: * https://twitter.com/subTee/status/781208810723549188 * https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
Detection: * Sigma: proc_creation_win_csi_execution.yml * Sigma: proc_creation_win_csi_use_of_csharp_console.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[csi.exe - LOLBAS Project]
Internal MISP references
UUID a11e4ebf-59e4-4b79-8a20-be1618dfbaed
which can be used as unique global reference for csi
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3332 |
source | Tidal Cyber |
tags | ['86bb7f3c-652c-4f77-af2a-34677ff42315', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
CSPY Downloader
CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky.[Cybereason Kimsuky November 2020]
Internal MISP references
UUID eb481db6-d7ba-4873-a171-76a228c9eb97
which can be used as unique global reference for CSPY Downloader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0527 |
source | MITRE |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Cuba
Cuba is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.[McAfee Cuba April 2021]
Internal MISP references
UUID 095064c6-144e-4935-b878-f82151bc08e4
which can be used as unique global reference for Cuba
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0625 |
source | MITRE |
tags | ['64d3f7d8-30b7-4b03-bee2-a6029672216c', '375983b3-6e87-4281-99e2-1561519dd17b', '3ed2343c-a29c-42e2-8259-410381164c6a', '89c5b94b-ecf4-4d53-9b74-3465086d4565', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930', '17864218-bc4f-4564-8abf-97c988eea9f7', 'b6458e46-650e-4e96-8e68-8a9d70bcf045', 'bac51672-8240-4182-9087-23626023e509', 'c5c8f954-1bc0-45d5-9a4f-4385d0a720a1', '2743d495-7728-4a75-9e5f-b64854039792', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Cuckoo Stealer
Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. Cuckoo Stealer is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs or PUP's such as converters, cleaners, and uninstallers.[Kandji Cuckoo April 2024][SentinelOne Cuckoo Stealer May 2024]
Internal MISP references
UUID 6e8c24c1-1cbd-5698-9a91-c3e0d937adf4
which can be used as unique global reference for Cuckoo Stealer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S1153 |
source | MITRE |
tags | ['4d767e87-4cf6-438a-927a-43d2d0beaab7'] |
type | ['malware'] |
CustomShellHost
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: A host process that is used by custom shells when using Windows in Kiosk mode.
Author: Wietze Beukema
Paths: * C:\Windows\System32\CustomShellHost.exe
Resources: * https://twitter.com/YoSignals/status/1381353520088113154 * https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher
Detection: * IOC: CustomShellHost.exe is unlikely to run on normal workstations * Sigma: proc_creation_win_lolbin_customshellhost.yml[CustomShellHost.exe - LOLBAS Project]
Internal MISP references
UUID 3ff0d4fc-6678-42f0-869b-f48906d98f82
which can be used as unique global reference for CustomShellHost
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3210 |
source | Tidal Cyber |
tags | ['536c3d51-9fc4-445e-9723-e11b69f0d6d5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Cyclops Blink
Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus. Cyclops Blink is assessed to be a replacement for VPNFilter, a similar platform targeting network devices.[NCSC Cyclops Blink February 2022][NCSC CISA Cyclops Blink Advisory February 2022][Trend Micro Cyclops Blink March 2022]
Internal MISP references
UUID 68792756-7dbf-41fd-8d48-ac3cc2b52712
which can be used as unique global reference for Cyclops Blink
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S0687 |
source | MITRE |
tags | ['b20e7912-6a8d-46e3-8e13-9a3fc4813852', 'e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Dacls
Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.[TrendMicro macOS Dacls May 2020][SentinelOne Lazarus macOS July 2020]
Internal MISP references
UUID 9d521c18-09f0-47be-bfe5-e1bf26f7b928
which can be used as unique global reference for Dacls
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'macOS', 'Windows'] |
software_attack_id | S0497 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DanBot
DanBot is a first-stage remote access Trojan written in C# that has been used by HEXANE since at least 2018.[SecureWorks August 2019]
Internal MISP references
UUID 131c0eb2-9191-4ccd-a2d6-5f36046a8f2f
which can be used as unique global reference for DanBot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1014 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DarkComet
DarkComet is a Windows remote administration tool and backdoor.[TrendMicro DarkComet Sept 2014][Malwarebytes DarkComet March 2018]
Internal MISP references
UUID 74f88899-56d0-4de8-97de-539b3590ab90
which can be used as unique global reference for DarkComet
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0334 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DarkGate - Duplicate
DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[Ensilo Darkgate 2018] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[Trellix Darkgate 2023]
Internal MISP references
UUID 39d81c48-8f7c-54cb-8fac-485598e31a55
which can be used as unique global reference for DarkGate - Duplicate
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1111 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '7b774e30-5065-41bd-85e2-e02d09e419ed', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DarkGate (Deprecated)
We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: "DarkGate" (Software). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.
Operationalize this intelligence by pivoting to relevant defensive resources via the Techniques below. Alternatively, use the Add to Matrix button above, then overlay entire sets of capabilities from your own defensive stack to identify threat overlaps & potential gaps (watch a 60-second tutorial here).
DarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[Bleeping Computer DarkGate October 14 2023] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[DarkGate Loader delivered via Teams - Truesec][Trend Micro DarkGate October 12 2023]
Internal MISP references
UUID 7144b703-f471-4bde-bedc-e8b274854de5
which can be used as unique global reference for DarkGate (Deprecated)
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S5266 |
source | Tidal Cyber |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DarkTortilla
DarkTortilla is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[Secureworks DarkTortilla Aug 2022]
Internal MISP references
UUID 35abcb6b-3259-57c1-94fc-50cfd5bde786
which can be used as unique global reference for DarkTortilla
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1066 |
source | MITRE |
type | ['malware'] |
DarkWatchman
DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.[Prevailion DarkWatchman 2021]
Internal MISP references
UUID 740a0327-4caf-4d90-8b51-f3f9a4d59b37
which can be used as unique global reference for DarkWatchman
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0673 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Daserf
Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [Trend Micro Daserf Nov 2017] [Secureworks BRONZE BUTLER Oct 2017]
Internal MISP references
UUID fad65026-57c4-4d4f-8803-87178dd4b887
which can be used as unique global reference for Daserf
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0187 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DataSvcUtil
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.
Author: Ialle Teixeira
Paths: * C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe
Resources: * https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe * https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services * https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
Detection: * Sigma: proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml * IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory. * IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS. * IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.[DataSvcUtil.exe - LOLBAS Project]
Internal MISP references
UUID dd555a4c-3b04-48c1-988f-d530d699a5bf
which can be used as unique global reference for DataSvcUtil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3211 |
source | Tidal Cyber |
tags | ['0576be43-65c6-4d1a-8a06-ed8232ca0120', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
DBatLoader
DBatLoader is a malware used for downloading/dropping purposes.
Internal MISP references
UUID 789791b7-1ea1-4b18-8253-4663bb7ec143
which can be used as unique global reference for DBatLoader
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3002 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
DCSrv
DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[Checkpoint MosesStaff Nov 2021]
Internal MISP references
UUID 26ae3cd1-6710-4807-b674-957bd67d3e76
which can be used as unique global reference for DCSrv
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1033 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DDKONG
DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in February 2017. [Rancor Unit42 June 2018]
Internal MISP references
UUID 0657b804-a889-400a-97d7-a4989809a623
which can be used as unique global reference for DDKONG
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0255 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DEADEYE
DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).[Mandiant APT41]
Internal MISP references
UUID e9533664-90c5-5b40-a40e-a69a2eda8bc9
which can be used as unique global reference for DEADEYE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1052 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
DEADWOOD
DEADWOOD is wiper malware written in C++ using Boost libraries. DEADWOOD was first observed in an unattributed wiping event in Saudi Arabia in 2019, and has since been incorporated into Agrius operations.[SentinelOne Agrius 2021]
Internal MISP references
UUID 787609d5-43b0-5c79-9b88-9788de1a5f6f
which can be used as unique global reference for DEADWOOD
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1134 |
source | MITRE |
tags | ['2e621fc5-dea4-4cb9-987e-305845986cd3'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DealersChoice
DealersChoice is a Flash exploitation framework used by APT28. [Sofacy DealersChoice]
Internal MISP references
UUID 64dc5d44-2304-4875-b517-316ab98512c2
which can be used as unique global reference for DealersChoice
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0243 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DEATHRANSOM
DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.[FireEye FiveHands April 2021]
Internal MISP references
UUID 832f5ab1-1267-40c9-84ef-f32d6373be4e
which can be used as unique global reference for DEATHRANSOM
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0616 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
DefaultPack
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: This binary can be downloaded along side multiple software downloads on the microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.
Author: @checkymander
Paths: * C:\Program Files (x86)\Microsoft\DefaultPack\
Resources: * https://twitter.com/checkymander/status/1311509470275604480.
Detection: * Sigma: proc_creation_win_lolbin_defaultpack.yml * IOC: DefaultPack.EXE spawned an unknown process[DefaultPack.EXE - LOLBAS Project]
Internal MISP references
UUID ff25ec03-1e8d-427e-b207-1e1ecca542ec
which can be used as unique global reference for DefaultPack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3333 |
source | Tidal Cyber |
tags | ['4f7be515-680e-4375-81f6-c71c83dd440d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Defender Control
Defender Control is a tool purpose-built to disable Microsoft Defender.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID e8830cf3-53f3-4d15-858c-584589405fad
which can be used as unique global reference for Defender Control
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3031 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Demodex
Demodex is a rootkit observed during attacks linked to the GhostEmperor (AKA FamousSparrow and Salt Typhoon) China-backed cyberespionage group.[Kaspersky September 30 2021]
Internal MISP references
UUID f484fae4-53ca-456b-89f1-3a583beacb9e
which can be used as unique global reference for Demodex
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3407 |
source | Tidal Cyber |
tags | ['1efd43ee-5752-49f2-99fe-e3441f126b00', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Denis
Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities to the SOUNDBITE backdoor and has been used in conjunction with the Goopy backdoor.[Cybereason Oceanlotus May 2017]
Internal MISP references
UUID df4002d2-f557-4f95-af7a-9a4582fb7068
which can be used as unique global reference for Denis
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0354 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Denonia
Denonia is described as "the first malware specifically targeting Lambda", the AWS serverless computing platform. Early samples appeared to possess cryptomining capabilities, but researchers believe Denonia could be used to carry out other types of activities as well.[Cado Denonia April 3 2022]
Internal MISP references
UUID 3c14ea0a-c85f-41b3-acd0-15d2565e3e07
which can be used as unique global reference for Denonia
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['IaaS'] |
software_attack_id | S3126 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2e5f6e4a-4579-46f7-9997-6923180815dd', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Derusbi
Derusbi is malware used by multiple Chinese APT groups.[Novetta-Axiom][ThreatConnect Anthem] Both Windows and Linux variants have been observed.[Fidelis Turbo]
Internal MISP references
UUID 9222aa77-922e-43c7-89ad-71067c428fb2
which can be used as unique global reference for Derusbi
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux', 'Windows'] |
software_attack_id | S0021 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Desk
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Desktop Settings Control Panel
Author: Hai Vaknin
Paths: * C:\Windows\System32\desk.cpl * C:\Windows\SysWOW64\desk.cpl
Resources: * https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt * https://twitter.com/pabraeken/status/998627081360695297 * https://twitter.com/VakninHai/status/1517027824984547329 * https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
Detection: * Sigma: file_event_win_new_src_file.yml * Sigma: proc_creation_win_lolbin_rundll32_installscreensaver.yml * Sigma: registry_set_scr_file_executed_by_rundll32.yml[Desk.cpl - LOLBAS Project]
Internal MISP references
UUID 1863a7e2-6212-48a0-b109-15d0198b93e2
which can be used as unique global reference for Desk
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3309 |
source | Tidal Cyber |
tags | ['7ad2b1d5-c228-4bf5-bf8e-c80a8fef0079', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Desktopimgdownldr
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Windows binary used to configure lockscreen/desktop image
Author: Gal Kristal
Paths: * c:\windows\system32\desktopimgdownldr.exe
Resources: * https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
Detection: * Sigma: proc_creation_win_desktopimgdownldr_susp_execution.yml * Sigma: file_event_win_susp_desktopimgdownldr_file.yml * Elastic: command_and_control_remote_file_copy_desktopimgdownldr.toml * IOC: desktopimgdownldr.exe that creates non-image file * IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl[Desktopimgdownldr.exe - LOLBAS Project]
Internal MISP references
UUID 1b31652d-30bb-4c6e-bfe1-f2921a0aa64e
which can be used as unique global reference for Desktopimgdownldr
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3212 |
source | Tidal Cyber |
tags | ['acc0e091-a071-4e83-b0b1-4f3adebeafa3', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
DeviceCredentialDeployment
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Device Credential Deployment
Author: Elliot Killick
Paths: * C:\Windows\System32\DeviceCredentialDeployment.exe
Resources: None Provided
Detection: * IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation * Sigma: proc_creation_win_lolbin_device_credential_deployment.yml[DeviceCredentialDeployment.exe - LOLBAS Project]
Internal MISP references
UUID b99bdf39-8dcf-4bae-95af-b029d48cb579
which can be used as unique global reference for DeviceCredentialDeployment
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3213 |
source | Tidal Cyber |
tags | ['2a08c2eb-e90e-4bdb-a2dd-9da06de7ed25', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Devinit
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Visual Studio 2019 tool
Author: mr.d0x
Paths: * C:\Program Files\Microsoft Visual Studio*\Community\Common7\Tools\devinit\devinit.exe * C:\Program Files (x86)\Microsoft Visual Studio*\Community\Common7\Tools\devinit\devinit.exe
Resources: * https://twitter.com/mrd0x/status/1460815932402679809
Detection: * Sigma: proc_creation_win_devinit_lolbin_usage.yml[Devinit.exe - LOLBAS Project]
Internal MISP references
UUID 102714a0-6b18-4d05-83c2-dd2929ce685a
which can be used as unique global reference for Devinit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3334 |
source | Tidal Cyber |
tags | ['bb814941-0155-49b1-8f93-39626d4f0ddd', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Devtoolslauncher
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary will execute specified binary. Part of VS/VScode installation.
Author: felamos
Paths: * c:\windows\system32\devtoolslauncher.exe
Resources: * https://twitter.com/_felamos/status/1179811992841797632
Detection: * Sigma: proc_creation_win_lolbin_devtoolslauncher.yml * IOC: DeveloperToolsSvc.exe spawned an unknown process[Devtoolslauncher.exe - LOLBAS Project]
Internal MISP references
UUID 6e213e33-c2e5-494f-bc1a-bf672f95dcf8
which can be used as unique global reference for Devtoolslauncher
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3335 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
devtunnel
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary to enable forwarded ports on windows operating systems.
Author: Kamran Saifullah
Paths:
* C:\Users\
Resources: * https://code.visualstudio.com/docs/editor/port-forwarding
Detection: * IOC: devtunnel.exe binary spawned * IOC: .devtunnels.ms * IOC: .*.devtunnels.ms * Analysis: https://cydefops.com/vscode-data-exfiltration[devtunnel.exe - LOLBAS Project]
Internal MISP references
UUID 672d80fe-656e-4b1b-8234-ebf2c5339166
which can be used as unique global reference for devtunnel
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3373 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
DEWMODE
According to joint Cybersecurity Advisory AA23-158A (June 2023), DEWMODE is a web shell written in PHP that is designed to interact with a MySQL database. During a campaign from 2020 to 2021, threat actors exploited multiple zero-day vulnerabilities in internet-facing Accellion File Transfer Appliance (FTA) devices, installing DEWMODE web shells to exfiltrate data from compromised networks.[Mandiant MOVEit Transfer June 2 2023]
Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode
Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/dewmode/
Internal MISP references
UUID ff0b0792-5dd0-4e10-8b84-8da93a0198aa
which can be used as unique global reference for DEWMODE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux'] |
software_attack_id | S3059 |
source | Tidal Cyber |
tags | ['a98d7a43-f227-478e-81de-e7299639a355', '311abf64-a9cc-4c6a-b778-32c5df5658be'] |
type | ['malware'] |
Dfshim
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: ClickOnce engine in Windows used by .NET
Author: Oddvar Moe
Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Resources: * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf * https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Dfshim.dll - LOLBAS Project]
Internal MISP references
UUID b396eb52-3b6a-44e9-9534-d8b981a52192
which can be used as unique global reference for Dfshim
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3310 |
source | Tidal Cyber |
tags | ['91fd24c3-f371-4c3b-b997-cd85e25c0967', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Dfsvc
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: ClickOnce engine in Windows used by .NET
Author: Oddvar Moe
Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Resources: * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf * https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe
Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Dfsvc.exe - LOLBAS Project]
Internal MISP references
UUID f85966ec-0c4d-4f7e-949f-bb73828bf601
which can be used as unique global reference for Dfsvc
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3214 |
source | Tidal Cyber |
tags | ['18d6d91d-7df0-44c8-88fe-986d9ba00b8d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Diantz
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary that package existing files into a cabinet (.cab) file
Author: Tamir Yehuda
Paths: * c:\windows\system32\diantz.exe * c:\windows\syswow64\diantz.exe
Resources: * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz
Detection: * Sigma: proc_creation_win_lolbin_diantz_ads.yml * Sigma: proc_creation_win_lolbin_diantz_remote_cab.yml * IOC: diantz storing data into alternate data streams. * IOC: diantz getting a file from a remote machine or the internet.[diantz.exe_lolbas]
Internal MISP references
UUID 054ddf05-e9f0-4d14-8493-2a1b2ddbefad
which can be used as unique global reference for Diantz
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3215 |
source | Tidal Cyber |
tags | ['96f9b39f-0c59-48a0-9702-01920c1293a7', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Diavol
Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The Diavol Ransomware-as-a Service (RaaS) program is managed by Wizard Spider and it has been observed being deployed by Bazar.[Fortinet Diavol July 2021][FBI Flash Diavol January 2022][DFIR Diavol Ransomware December 2021][Microsoft Ransomware as a Service]
Internal MISP references
UUID d057b6e7-1de4-4f2f-b374-7e879caecd67
which can be used as unique global reference for Diavol
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0659 |
source | MITRE |
tags | ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Dipsind
Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. [Microsoft PLATINUM April 2016]
Internal MISP references
UUID 226ee563-4d49-48c2-aa91-82999f43ce30
which can be used as unique global reference for Dipsind
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0200 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Disco
Disco is a custom implant that has been used by MoustachedBouncer since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.[MoustachedBouncer ESET August 2023]
Internal MISP references
UUID 194314e3-4edc-5346-96b6-d2d7bf5d830a
which can be used as unique global reference for Disco
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1088 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Diskshadow
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).
Author: Oddvar Moe
Paths: * C:\Windows\System32\diskshadow.exe * C:\Windows\SysWOW64\diskshadow.exe
Detection: * Sigma: proc_creation_win_lolbin_diskshadow.yml * Sigma: proc_creation_win_susp_shadow_copies_deletion.yml * Elastic: credential_access_cmdline_dump_tool.toml * IOC: Child process from diskshadow.exe[Diskshadow.exe - LOLBAS Project]
Internal MISP references
UUID 07c49566-5bea-44dc-b81f-e6c90bda9c39
which can be used as unique global reference for Diskshadow
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3216 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Dnscmd
Dnscmd is a Windows command-line utility used to manage DNS servers.[Dnscmd Microsoft]
Internal MISP references
UUID 3fd09997-86e0-4dce-935e-421863e9bad0
which can be used as unique global reference for Dnscmd
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3217 |
source | Tidal Cyber |
tags | ['a45f9597-09c4-4e70-a7d3-d8235d2451a3', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
DnsSystem
DnsSystem is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net, that has been used by HEXANE since at least June 2022.[Zscaler Lyceum DnsSystem June 2022]
Internal MISP references
UUID e69a913d-4ddc-4d69-9961-25a31cae5899
which can be used as unique global reference for DnsSystem
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1021 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
dnx
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: .Net Execution environment file included with .Net.
Author: Oddvar Moe
Paths: * N/A
Resources: * https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
Detection: * Sigma: proc_creation_win_lolbin_dnx.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[dnx.exe - LOLBAS Project]
Internal MISP references
UUID e2bdda2e-54b4-4d35-b7e5-4e20626a4481
which can be used as unique global reference for dnx
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3336 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
DOGCALL
DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. [FireEye APT37 Feb 2018]
Internal MISP references
UUID 81ce23c0-f505-4d75-9928-4fbd627d3bc2
which can be used as unique global reference for DOGCALL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0213 |
source | MITRE |
tags | ['16b47583-1c54-431f-9f09-759df7b5ddb7'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Dok
Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).[objsee mac malware 2017][hexed osx.dok analysis 2019][CheckPoint Dok]
Internal MISP references
UUID dfa14314-3c64-4a10-9889-0423b884f7aa
which can be used as unique global reference for Dok
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0281 |
source | MITRE |
type | ['malware'] |
Doki
Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. [Intezer Doki July 20]
Internal MISP references
UUID e6160c55-1868-47bd-bec6-7becbf236bbb
which can be used as unique global reference for Doki
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Containers', 'Linux'] |
software_attack_id | S0600 |
source | MITRE |
tags | ['efa33611-88a5-40ba-9bc4-3d85c6c8819b'] |
type | ['malware'] |
DomainPasswordSpray
DomainPasswordSpray is an openly available GitHub project containing a PowerShell-based tool that can be used to conduct password spraying attacks.[U.S. CISA Iranian Actors Critical Infrastructure October 16 2024]
Internal MISP references
UUID 49a5c24f-98f5-47ea-8e29-7ff723883341
which can be used as unique global reference for DomainPasswordSpray
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3404 |
source | Tidal Cyber |
tags | ['51006447-540b-4b9d-bdba-1cbff8038ae9', '35e694ec-5133-46e3-b7e1-5831867c3b55', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', '15787198-6c8b-4f79-bf50-258d55072fee', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c'] |
type | ['tool'] |
Donut
Donut is an open source framework used to generate position-independent shellcode.[Donut Github][Introducing Donut] Donut generated code has been used by multiple threat actors to inject and load malicious payloads into memory.[NCC Group WastedLocker June 2020]
Internal MISP references
UUID 40d25a38-91f4-4e07-bb97-8866bed8e44f
which can be used as unique global reference for Donut
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0695 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Dotnet
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: dotnet.exe comes with .NET Framework
Author: felamos
Paths: * C:\Program Files\dotnet\dotnet.exe
Resources: * https://twitter.com/_felamos/status/1204705548668555264 * https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc * https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/ * https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/
Detection: * Sigma: proc_creation_win_lolbin_dotnet.yml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: dotnet.exe spawned an unknown process[Dotnet.exe - LOLBAS Project]
Internal MISP references
UUID 1bcd9c93-0944-4671-ab01-cabc5ffe30bf
which can be used as unique global reference for Dotnet
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3337 |
source | Tidal Cyber |
tags | ['09c24b93-bf06-4cbb-acb0-d7b9657a41dc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
DOWNBAIT
DOWNBAIT is a downloader, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[Trend Micro September 9 2024]
Internal MISP references
UUID bd55fa7c-7747-4d3d-8176-e6c56870b2a3
which can be used as unique global reference for DOWNBAIT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3177 |
source | Tidal Cyber |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Downdelph
Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. [ESET Sednit Part 3]
Internal MISP references
UUID f7b64b81-f9e7-46bf-8f63-6d7520da832c
which can be used as unique global reference for Downdelph
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0134 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
down_new
down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]
Internal MISP references
UUID 20b796cf-6c90-4928-999e-88107078e15e
which can be used as unique global reference for down_new
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0472 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DownPaper
DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. [ClearSky Charming Kitten Dec 2017]
Internal MISP references
UUID fc433c9d-a7fe-4915-8aa0-06b58f288249
which can be used as unique global reference for DownPaper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0186 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DRATzarus
DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.[ClearSky Lazarus Aug 2020]
Internal MISP references
UUID c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf
which can be used as unique global reference for DRATzarus
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0694 |
source | MITRE |
type | ['malware'] |
Dridex
Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).[Dell Dridex Oct 2015][Kaspersky Dridex May 2017][Treasury EvilCorp Dec 2019]
Internal MISP references
UUID e3cd4405-b698-41d9-88e4-fff29e7a19e2
which can be used as unique global reference for Dridex
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0384 |
source | MITRE |
tags | ['e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DropBook
DropBook is a Python-based backdoor compiled with PyInstaller.[Cybereason Molerats Dec 2020]
Internal MISP references
UUID 9c44d3f9-7a7b-4716-9cfa-640b36548ab0
which can be used as unique global reference for DropBook
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0547 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Drovorub
Drovorub is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by APT28.[NSA/FBI Drovorub August 2020]
Internal MISP references
UUID bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b
which can be used as unique global reference for Drovorub
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0502 |
source | MITRE |
tags | ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59', '1efd43ee-5752-49f2-99fe-e3441f126b00', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
dsdbutil
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.
Author: Ekitji
Paths: * C:\Windows\System32\dsdbutil.exe * C:\Windows\SysWOW64\dsdbutil.exe
Resources: * https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358 * https://www.netwrix.com/ntds_dit_security_active_directory.html
Detection: * IOC: Event ID 4688 * IOC: dsdbutil.exe process creation * IOC: Event ID 4663 * IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit * IOC: Event ID 4656 * IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit * Analysis: None Provided * Sigma: None Provided * Elastic: None Provided * Splunk: None Provided * BlockRule: None Provided[dsdbutil.exe - LOLBAS Project]
Internal MISP references
UUID 9139c12f-a6d9-4300-8735-9298bc46a0bf
which can be used as unique global reference for dsdbutil
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3338 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
dsquery
dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [TechNet Dsquery] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.
Internal MISP references
UUID 06402bdc-a4a1-4e4a-bfc4-09f2c159af75
which can be used as unique global reference for dsquery
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0105 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cb3d30b3-8cfc-4202-8615-58a9b8f7f118', 'cd1b5d44-226e-4405-8985-800492cf2865'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Dtrack
Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group. [Kaspersky Dtrack][Securelist Dtrack][Dragos WASSONITE][CyberBit Dtrack][ZDNet Dtrack]
Internal MISP references
UUID aa21462d-9653-48eb-a82e-5c93c9db5f7a
which can be used as unique global reference for Dtrack
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0567 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Dump64
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Memory dump tool that comes with Microsoft Visual Studio
Author: mr.d0x
Paths: * C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe
Resources: * https://twitter.com/mrd0x/status/1460597833917251595
Detection: * Sigma: proc_creation_win_lolbin_dump64.yml * IOC: As a Windows SDK binary, execution on a system may be suspicious[Dump64.exe - LOLBAS Project]
Internal MISP references
UUID 13482336-e22b-48e9-bd49-c6e6fc6612ec
which can be used as unique global reference for Dump64
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3339 |
source | Tidal Cyber |
tags | ['0f09c7f5-ba57-4ef0-a196-e85558804496', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Dumpert
Dumpert is an open-source tool that provides credential dumping capabilities. It has been leveraged by adversaries including North Korean state-sponsored espionage groups.[GitHub outflanknl Dumpert][U.S. CISA Andariel July 25 2024]
Internal MISP references
UUID 0ffc1b99-5ca1-4af4-95c7-7a311a32f911
which can be used as unique global reference for Dumpert
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3166 |
source | Tidal Cyber |
tags | ['bdeef9bf-b9d5-41ec-9d4c-0315709639a2', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '27a117ce-bb19-4f79-9bc2-a851b69c5c50', '6070668f-1cbd-4878-8066-c636d1d8659c', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
DumpMinitool
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Dump tool part Visual Studio 2022
Author: mr.d0x
Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
Resources: * https://twitter.com/mrd0x/status/1511415432888131586
Detection: * Sigma: proc_creation_win_dumpminitool_execution.yml * Sigma: proc_creation_win_dumpminitool_susp_execution.yml * Sigma: proc_creation_win_devinit_lolbin_usage.yml[DumpMinitool.exe - LOLBAS Project]
Internal MISP references
UUID 7f3bf76a-4e6a-45f1-a4bf-400d5a914e52
which can be used as unique global reference for DumpMinitool
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3340 |
source | Tidal Cyber |
tags | ['3b6ad94f-83ce-47bf-b82d-b98358d23434', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Duqu
Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. [Symantec W32.Duqu]
Internal MISP references
UUID d4a664e5-9819-4f33-8b2b-e6f8e6a64999
which can be used as unique global reference for Duqu
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0038 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
type | ['malware'] |
DUSTPAN
DUSTPAN is an in-memory dropper written in C/C++ used by APT41 since 2021 that decrypts and executes an embedded payload.[Google Cloud APT41 2024][Google Cloud APT41 2022]
Internal MISP references
UUID 78454d3f-fa12-5b6f-9390-6412064d7c8d
which can be used as unique global reference for DUSTPAN
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1158 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DUSTTRAP
DUSTTRAP is a multi-stage plugin framework associated with APT41 operations with multiple components.[Google Cloud APT41 2024]
Internal MISP references
UUID ed72d5bb-2cf7-51a4-9d76-97fbd11c54d0
which can be used as unique global reference for DUSTTRAP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S1159 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
DustySky
DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. [DustySky] [DustySky2][Kaspersky MoleRATs April 2019]
Internal MISP references
UUID 77506f02-104f-4aac-a4e0-9649bd7efe2e
which can be used as unique global reference for DustySky
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0062 |
source | MITRE |
tags | ['e809d252-12cc-494d-94f5-954c49eb87ce'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Dxcap
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: DirectX diagnostics/debugger included with Visual Studio.
Author: Oddvar Moe
Paths: * C:\Windows\System32\dxcap.exe * C:\Windows\SysWOW64\dxcap.exe
Resources: * https://twitter.com/harr0ey/status/992008180904419328
Detection: * Sigma: proc_creation_win_lolbin_susp_dxcap.yml[Dxcap.exe - LOLBAS Project]
Internal MISP references
UUID 9b5039b9-c5f1-4516-88ef-f63966ec2b36
which can be used as unique global reference for Dxcap
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3341 |
source | Tidal Cyber |
tags | ['6d065f28-e32d-4e87-b315-c43ebc45532a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Dyre
Dyre is a banking Trojan that has been used for financial gain. [Symantec Dyre June 2015][Malwarebytes Dyreza November 2015]
Internal MISP references
UUID 38e012f7-fb3a-4250-a129-92da3a488724
which can be used as unique global reference for Dyre
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0024 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Earthworm
Earthworm is an open-source tool. According to its project website, Earthworm is a "simple network tunnel with SOCKS v5 server and port transfer".[Elastic Docs Potential Protocol Tunneling via EarthWorm] According to joint Cybersecurity Advisory AA23-144a (May 2023), Volt Typhoon actors have used Earthworm in their attacks.[U.S. CISA Volt Typhoon May 24 2023]
Internal MISP references
UUID ee14e483-b5ef-4931-9c2a-72046b6555cc
which can be used as unique global reference for Earthworm
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3053 |
source | Tidal Cyber |
tags | ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Ebury
Ebury is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed by Windigo. Ebury is primarily installed through modifying shared libraries (.so
files) executed by the legitimate OpenSSH program. First seen in 2009, Ebury has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.[ESET Ebury Feb 2014][BleepingComputer Ebury March 2017][ESET Ebury Oct 2017][ESET Ebury May 2024]
Internal MISP references
UUID 2375465a-e6a9-40ab-b631-a5b04cf5c689
which can be used as unique global reference for Ebury
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0377 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
ECCENTRICBANDWAGON
ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.[CISA EB Aug 2020]
Internal MISP references
UUID 70f703b3-0e24-4ffe-9772-f0e386ec607f
which can be used as unique global reference for ECCENTRICBANDWAGON
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0593 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Ecipekac
Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as a loader for P8RAT, SodaMaster, and FYAnti.[Securelist APT10 March 2021]
Internal MISP references
UUID 6508d3dc-eb22-468c-9122-dcf541caa69c
which can be used as unique global reference for Ecipekac
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0624 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
EDRKillShifter
EDRKillShifter is a suspected threat actor-developed tool that is designed to disable victim endpoint detection & response (EDR) software. In August 2024, security researchers reported that the RansomHub ransomware group had deployed EDRKillShifter during attacks in May. The researchers also noted that EDRKillShifter primarily functions as a loader for payloads that could vary. This object mainly reflects ATT&CK Techniques associated with observed EDRKillShifter loader and payload deployments reported in August 2024.[Sophos News August 14 2024]
Internal MISP references
UUID 1233436f-2a00-4557-89a4-8cbc45e6f9f7
which can be used as unique global reference for EDRKillShifter
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3147 |
source | Tidal Cyber |
tags | ['39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
EDRSandBlast
An open-source, multi-purpose tool with defense evasion, credential dumping, and privilege escalation capabilities, observed in use during ransomware intrusions.[GitHub wavestone-cdt EDRSandBlast][Morphisec September 3 2024]
Internal MISP references
UUID fbd2d7b0-0aa8-459f-8bfa-16daae769282
which can be used as unique global reference for EDRSandBlast
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3165 |
source | Tidal Cyber |
tags | ['835c9c79-3824-41ec-8d5a-1e2526e89e0b', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '7de7d799-f836-4555-97a4-0db776eb6932', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
EDRSilencer
EDRSilencer is an open-source tool designed to disrupt the functionality of endpoint detection and response (EDR) solutions by leveraging the Windows Filtering Platform (WFP), a Microsoft Windows framework specifically created to facilitate security solution operations.[Trend Micro October 15 2024]
Internal MISP references
UUID 9c62329b-d02e-457a-9add-4df749eb7f54
which can be used as unique global reference for EDRSilencer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3405 |
source | Tidal Cyber |
tags | ['3eb94192-3889-4cde-8c5f-460afa2fccce', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb'] |
type | ['tool'] |
Edumper
A credential dumping tool associated with Iran-linked espionage group OilRig.[ESET OilRig September 21 2023]
Internal MISP references
UUID d1279b84-11f4-4804-9e5e-05c650960aac
which can be used as unique global reference for Edumper
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3157 |
source | Tidal Cyber |
tags | ['dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Egregor
Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware.[NHS Digital Egregor Nov 2020][Cyble Egregor Oct 2020][Security Boulevard Egregor Oct 2020]
Internal MISP references
UUID 0e36b62f-a6e2-4406-b3d9-e05204e14a66
which can be used as unique global reference for Egregor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0554 |
source | MITRE |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad', '0ed7d10c-c65b-4174-9edb-446bf301d250', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
EKANS
EKANS is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in MegaCortex.[Dragos EKANS][Palo Alto Unit 42 EKANS]
Internal MISP references
UUID cd7821cb-32f3-4d81-a5d1-0cdee94a15c4
which can be used as unique global reference for EKANS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0605 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Eldorado Ransomware
This object reflects the ATT&CK Techniques associated with binaries of Eldorado, a ransomware-as-a-service ("RaaS") first observed in March 2024.[Group-IB July 3 2024] A small number of Techniques associated with threat actors who deploy Eldorado can be found in the "Eldorado Ransomware Operators" Group object.
Eldorado is written in the cross-platform Golang language. A custom "builder" allows threat actors to create both Windows- and Linux-focused versions of the ransomware. Researchers indicate that the Linux version has a relatively simple set of capabilities, lacking any native discovery, defense evasion, or other common post-exploit abilities common in many modern (Windows) ransomware. The operator must have access to the target system(s) and must provide a target directory path, after which the ransomware will recursively loop through the files within that path and encrypt them (T1486).[Group-IB July 3 2024]
Internal MISP references
UUID a2ad5253-e31b-432c-804d-971be8652344
which can be used as unique global reference for Eldorado Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Linux', 'Windows'] |
software_attack_id | S3145 |
source | Tidal Cyber |
tags | ['c545270e-a6d4-4d89-af6e-d8be7219405d', 'b802443a-37b2-4c38-addd-75e4efb1defd', '5e7433ad-a894-4489-93bc-41e90da90019', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Elise
Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. [Lotus Blossom Jun 2015][Accenture Dragonfish Jan 2018]
Internal MISP references
UUID fd5efee9-8710-4536-861f-c88d882f4d24
which can be used as unique global reference for Elise
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0081 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
ELMER
ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16. [FireEye EPS Awakens Part 2]
Internal MISP references
UUID 6a3ca97e-6dd6-44e5-a5f0-7225099ab474
which can be used as unique global reference for ELMER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0064 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Embargo Ransomware
Embargo is a ransomware strain written in Rust, which Microsoft researchers described as leveraging "advanced encryption methods". The Storm-0501 group was observed deploying Embargo during a compromise of a U.S. victim's hybrid on-premise/cloud environment in Q3 2024.[Microsoft Security Blog September 26 2024]
Internal MISP references
UUID 2470a398-4507-4e82-bcc4-1a70ee6efb4c
which can be used as unique global reference for Embargo Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3389 |
source | Tidal Cyber |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Emissary
Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. [Lotus Blossom Dec 2015]
Internal MISP references
UUID fd95d38d-83f9-4b31-8292-ba2b04275b36
which can be used as unique global reference for Emissary
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0082 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Emotet
Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.[Trend Micro Banking Malware Jan 2019]
Internal MISP references
UUID c987d255-a351-4736-913f-91e2f28d0654
which can be used as unique global reference for Emotet
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0367 |
source | MITRE |
tags | ['71dfe8d1-666f-4e71-8761-d2876078fb3e', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Empire
Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[NCSC Joint Report Public Tools][Github PowerShell Empire][GitHub ATTACK Empire]
Internal MISP references
UUID fea655ac-558f-4dd0-867f-9a5553626207
which can be used as unique global reference for Empire
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S0363 |
source | MITRE |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '4f05a12d-f497-4081-acb9-9a257ab87886', '15787198-6c8b-4f79-bf50-258d55072fee', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', 'e81ba503-60b0-4b64-8f20-ef93e7783796'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
EnvyScout
EnvyScout is a dropper that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]
Internal MISP references
UUID 8da6fbf0-a18d-49a0-9235-101300d49d5e
which can be used as unique global reference for EnvyScout
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0634 |
source | MITRE |
tags | ['542316f4-baf4-4cf7-929b-b1deed09d23b', '84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Epic
Epic is a backdoor that has been used by Turla. [Kaspersky Turla]
Internal MISP references
UUID a7e71387-b276-413c-a0de-4cf07e39b158
which can be used as unique global reference for Epic
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0091 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
esentutl
esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[Microsoft Esentutl]
Internal MISP references
UUID a7589733-6b04-4215-a4e7-4b62cd4610fa
which can be used as unique global reference for esentutl
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0404 |
source | MITRE |
tags | ['ee88899a-2bf0-4b96-bf69-5b686fa463c3', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Eventvwr
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Displays Windows Event Logs in a GUI window.
Author: Jacob Gajek
Paths: * C:\Windows\System32\eventvwr.exe * C:\Windows\SysWOW64\eventvwr.exe
Resources: * https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ * https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 * https://twitter.com/orange_8361/status/1518970259868626944
Detection: * Sigma: proc_creation_win_uac_bypass_eventvwr.yml * Sigma: registry_set_uac_bypass_eventvwr.yml * Sigma: file_event_win_uac_bypass_eventvwr.yml * Elastic: privilege_escalation_uac_bypass_event_viewer.toml * Splunk: eventvwr_uac_bypass.yml * IOC: eventvwr.exe launching child process other than mmc.exe * IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command[Eventvwr.exe - LOLBAS Project]
Internal MISP references
UUID 4c371bd9-c97c-42ab-b913-1e19cd409382
which can be used as unique global reference for Eventvwr
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3219 |
source | Tidal Cyber |
tags | ['59d03fb8-0620-468a-951c-069473cb86bc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
EvilBunny
EvilBunny is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.[Cyphort EvilBunny Dec 2014]
Internal MISP references
UUID 300e8176-e7ee-44ef-8d10-dff96502f6c6
which can be used as unique global reference for EvilBunny
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0396 |
source | MITRE |
type | ['malware'] |
EvilGinx
EvilGinx is an open-source software project. According to its GitHub repository, EvilGinx is a "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication".[GitHub evilginx2]
Internal MISP references
UUID 4892c22d-6fd4-4876-8e8a-af968cf61ecc
which can be used as unique global reference for EvilGinx
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3103 |
source | Tidal Cyber |
tags | ['758c3085-2f79-40a8-ab95-f8a684737927', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '61cdbb28-cbfd-498b-9ab1-1f14337f9524', 'af5e9be5-b86e-47af-91dd-966a5e34a186', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'fe28cf32-a15c-44cf-892c-faa0360d6109', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
EvilGrab
EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. [PWC Cloud Hopper Technical Annex April 2017]
Internal MISP references
UUID e862419c-d6b6-4433-a02a-c1cc98ea6f9e
which can be used as unique global reference for EvilGrab
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0152 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
EVILNUM
EVILNUM is fully capable backdoor that was first identified in 2018. EVILNUM is used by the APT group Evilnum which has the same name.[ESET EvilNum July 2020][Prevailion EvilNum May 2020]
Internal MISP references
UUID e0eaae6d-5137-4053-bf37-ff90bf5767a9
which can be used as unique global reference for EVILNUM
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0568 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Exaramel for Linux
Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.[ESET TeleBots Oct 2018]
Internal MISP references
UUID c773f709-b5fe-4514-9d88-24ceb0dd8063
which can be used as unique global reference for Exaramel for Linux
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Linux'] |
software_attack_id | S0401 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Exaramel for Windows
Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[ESET TeleBots Oct 2018]
Internal MISP references
UUID 21569dfb-c9f1-468e-903e-348f19dbae1f
which can be used as unique global reference for Exaramel for Windows
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0343 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Excel
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Microsoft Office binary
Author: Reegun J (OCBC Bank)
Paths: * C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe * C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe * C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe * C:\Program Files\Microsoft Office\Office16\Excel.exe * C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe * C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe * C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe * C:\Program Files\Microsoft Office\Office15\Excel.exe * C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe * C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe * C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe * C:\Program Files\Microsoft Office\Office14\Excel.exe * C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe * C:\Program Files\Microsoft Office\Office12\Excel.exe * C:\Program Files\Microsoft Office\Office12\Excel.exe
Resources: * https://twitter.com/reegun21/status/1150032506504151040 * https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
Detection: * Sigma: proc_creation_win_lolbin_office.yml * IOC: Suspicious Office application Internet/network traffic[Excel.exe - LOLBAS Project]
Internal MISP references
UUID 46efd94e-afd2-4536-8525-0619fc56966f
which can be used as unique global reference for Excel
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3342 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ExMatter
ExMatter is a custom data exfiltration tool. It was first observed in November 2021 during intrusions involving BlackMatter ransomware, and more recently has been used during BlackCat ransomware attacks. In August 2022, researchers observed a “heavily updated” version of ExMatter, which featured expanded protocols for exfiltrating data, a data corruption capability, enhanced defense evasion abilities, and a narrower range of targeted file types.[Symantec Noberus September 22 2022]
Internal MISP references
UUID 068b26ae-39b5-4b4e-8faa-eb304a17687d
which can be used as unique global reference for ExMatter
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3077 |
source | Tidal Cyber |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Expand
Expand is a Windows utility used to expand one or more compressed CAB files.[Microsoft Expand Utility] It has been used by BBSRAT to decompress a CAB file into executable content.[Palo Alto Networks BBSRAT]
Internal MISP references
UUID 5d7a39e3-c667-45b3-987e-3b0ca49cff61
which can be used as unique global reference for Expand
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0361 |
source | MITRE |
tags | ['182dd4be-bbda-404f-aad1-156a22bbe7a4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Explorer
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Binary used for managing files and system components within Windows
Author: Jai Minton
Paths: * C:\Windows\explorer.exe * C:\Windows\SysWOW64\explorer.exe
Resources: * https://twitter.com/CyberRaiju/status/1273597319322058752?s=20 * https://twitter.com/bohops/status/1276356245541335048 * https://twitter.com/bohops/status/986984122563391488
Detection: * Sigma: proc_creation_win_explorer_break_process_tree.yml * Sigma: proc_creation_win_explorer_lolbin_execution.yml * Elastic: initial_access_via_explorer_suspicious_child_parent_args.toml * IOC: Multiple instances of explorer.exe or explorer.exe using the /root command line is suspicious.[Explorer.exe - LOLBAS Project]
Internal MISP references
UUID b792d713-fbb4-46e6-94ae-8b9a1f4e794d
which can be used as unique global reference for Explorer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3221 |
source | Tidal Cyber |
tags | ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Explosive
Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified in the wild in 2015.[CheckPoint Volatile Cedar March 2015][ClearSky Lebanese Cedar Jan 2021]
Internal MISP references
UUID 572eec55-2855-49ac-a82e-2c21e9aca27e
which can be used as unique global reference for Explosive
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0569 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Extexport
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Load a DLL located in the c:\test folder with a specific name.
Author: Oddvar Moe
Paths: * C:\Program Files\Internet Explorer\Extexport.exe * C:\Program Files (x86)\Internet Explorer\Extexport.exe
Resources: * http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
Detection: * Sigma: proc_creation_win_lolbin_extexport.yml * IOC: Extexport.exe loads dll and is execute from other folder the original path[Extexport.exe - LOLBAS Project]
Internal MISP references
UUID 2e6f1aed-a983-44fb-aed1-b4a3d9cb9488
which can be used as unique global reference for Extexport
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3222 |
source | Tidal Cyber |
tags | ['5b81675a-742a-4ffd-b410-44ce3f1b0831', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
ExtPassword
ExtPassword is a tool used to recover passwords from Windows systems.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 363c38fc-8676-4a63-b3f4-f0237565a951
which can be used as unique global reference for ExtPassword
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3032 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Extrac32
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Extract to ADS, copy or overwrite a file with Extrac32.exe
Author: Oddvar Moe
Paths: * C:\Windows\System32\extrac32.exe * C:\Windows\SysWOW64\extrac32.exe
Resources: * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f * https://twitter.com/egre55/status/985994639202283520
Detection: * Elastic: defense_evasion_misc_lolbin_connecting_to_the_internet.toml * Sigma: proc_creation_win_lolbin_extrac32.yml * Sigma: proc_creation_win_lolbin_extrac32_ads.yml[Extrac32.exe - LOLBAS Project]
Internal MISP references
UUID 53dc0180-0309-4489-af75-9c76b2887359
which can be used as unique global reference for Extrac32
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3223 |
source | Tidal Cyber |
tags | ['92092803-19a9-4288-b7fb-08e92e8ea693', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
FakeM
FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. [Scarlet Mimic Jan 2016]
Internal MISP references
UUID 8c64a330-1457-4c32-ab2f-12b6eb37d607
which can be used as unique global reference for FakeM
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0076 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FakePenny
FakePenny is a ransomware, which includes both a loader and an encryptor, that is believed to have been developed by the North Korean threat actor Moonstone Sleet.[Microsoft Security Blog 5 28 2024]
Internal MISP references
UUID acbff463-ba1c-4d26-ab99-b9aa47b81c68
which can be used as unique global reference for FakePenny
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3136 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FALLCHILL
FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [US-CERT FALLCHILL Nov 2017]
Internal MISP references
UUID ea47f1fd-0171-4254-8c92-92b7a5eec5e1
which can be used as unique global reference for FALLCHILL
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0181 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FatDuke
FatDuke is a backdoor used by APT29 since at least 2016.[ESET Dukes October 2019]
Internal MISP references
UUID 997ff740-1b00-40b6-887a-ef4101e93295
which can be used as unique global reference for FatDuke
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0512 |
source | MITRE |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FDMTP
FDMTP is a downloader, one of a series of software associated with China-based espionage actor Earth Preta (aka Mustang Panda) reported by researchers in September 2024.[Trend Micro September 9 2024]
Internal MISP references
UUID 8e623e62-524f-43de-934c-3792bfd69d3f
which can be used as unique global reference for FDMTP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3173 |
source | Tidal Cyber |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Felismus
Felismus is a modular backdoor that has been used by Sowbug. [Symantec Sowbug Nov 2017] [Forcepoint Felismus Mar 2017]
Internal MISP references
UUID c66ed8ab-4692-4948-820e-5ce87cc78db5
which can be used as unique global reference for Felismus
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0171 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FELIXROOT
FELIXROOT is a backdoor that has been used to target Ukrainian victims. [FireEye FELIXROOT July 2018]
Internal MISP references
UUID 4b1a07cd-4c1f-4d93-a454-07fd59b3039a
which can be used as unique global reference for FELIXROOT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0267 |
source | MITRE |
type | ['malware'] |
Ferocious
Ferocious is a first stage implant composed of VBS and PowerShell scripts that has been used by WIRTE since at least 2021.[Kaspersky WIRTE November 2021]
Internal MISP references
UUID 3e54ba7a-fd4c-477f-9c2d-34b4f69fc091
which can be used as unique global reference for Ferocious
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0679 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Fgdump
Fgdump is a Windows password hash dumper. [Mandiant APT1]
Internal MISP references
UUID 1bbf04bb-d869-48c5-a538-70a25503de1d
which can be used as unique global reference for Fgdump
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0120 |
source | MITRE |
type | ['tool'] |
FileZilla
FileZilla is a tool used to perform cross-platform File Transfer Protocol (FTP) to a site, server, or host.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID f2a6f899-15a8-4d77-bebd-14bc03958764
which can be used as unique global reference for FileZilla
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3033 |
source | Tidal Cyber |
tags | ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Final1stspy
Final1stspy is a dropper family that has been used to deliver DOGCALL.[Unit 42 Nokki Oct 2018]
Internal MISP references
UUID eb4dc358-e353-47fc-8207-b7cb10d580f7
which can be used as unique global reference for Final1stspy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0355 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Findstr
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Write to ADS, discover, or download files with Findstr.exe
Author: Oddvar Moe
Paths: * C:\Windows\System32\findstr.exe * C:\Windows\SysWOW64\findstr.exe
Resources: * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Detection: * Sigma: proc_creation_win_lolbin_findstr.yml[Findstr.exe - LOLBAS Project]
Internal MISP references
UUID a62634f8-8f42-4874-9669-bea2e053dfea
which can be used as unique global reference for Findstr
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3224 |
source | Tidal Cyber |
tags | ['6ca537bb-94b6-4b12-8978-6250baa6a5cb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
FinFisher
FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [FinFisher Citation] [Microsoft SIR Vol 21] [FireEye FinSpy Sept 2017] [Securelist BlackOasis Oct 2017] [Microsoft FinFisher March 2018]
Internal MISP references
UUID 41f54ce1-842c-428a-977f-518a5b63b4d7
which can be used as unique global reference for FinFisher
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0182 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Finger
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon
Author: Ruben Revuelta
Paths: * c:\windows\system32\finger.exe * c:\windows\syswow64\finger.exe
Resources: * https://twitter.com/DissectMalware/status/997340270273409024 * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)
Detection: * Sigma: proc_creation_win_finger_usage.yml * IOC: finger.exe should not be run on a normal workstation. * IOC: finger.exe connecting to external resources.[Finger.exe - LOLBAS Project]
Internal MISP references
UUID a9ce311d-dd8c-497d-b38f-b535d7318ed4
which can be used as unique global reference for Finger
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3225 |
source | Tidal Cyber |
tags | ['1da4f610-4c54-46a3-b9b3-c38a002b623e', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
FIVEHANDS
FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.[FireEye FiveHands April 2021][NCC Group Fivehands June 2021]
Internal MISP references
UUID 84187393-2fe9-4136-8720-a6893734ee8c
which can be used as unique global reference for FIVEHANDS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0618 |
source | MITRE |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'f1ad9eba-f4fd-4aec-92c0-833ac14d741b', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Flagpro
Flagpro is a Windows-based, first-stage downloader that has been used by BlackTech since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.[NTT Security Flagpro new December 2021]
Internal MISP references
UUID 977aaf8a-2216-40f0-8682-61dd91638147
which can be used as unique global reference for Flagpro
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0696 |
source | MITRE |
tags | ['84615fe0-c2a5-4e07-8957-78ebc29b4635'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Flame
Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [Kaspersky Flame]
Internal MISP references
UUID 87604333-638f-4f4a-94e0-16aa825dd5b8
which can be used as unique global reference for Flame
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0143 |
source | MITRE |
tags | ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647'] |
type | ['malware'] |
FLASHFLOOD
FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [FireEye APT30]
Internal MISP references
UUID 44a5e62a-6de4-49d2-8f1b-e68ecdf9f332
which can be used as unique global reference for FLASHFLOOD
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0036 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FlawedAmmyy
FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[Proofpoint TA505 Mar 2018]
Internal MISP references
UUID 308dbe77-3d58-40bb-b0a5-cd00f152dc60
which can be used as unique global reference for FlawedAmmyy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0381 |
source | MITRE |
tags | ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FlawedGrace
FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.[Proofpoint TA505 Jan 2019]
Internal MISP references
UUID c558e948-c817-4494-a95d-ad3207f10e26
which can be used as unique global reference for FlawedGrace
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0383 |
source | MITRE |
tags | ['ede6e717-5e5f-4321-9ddd-d0d7ab315a89', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FleetDeck
FleetDeck is a commercial remote monitoring and management (RMM) tool that enables remote desktop access and “virtual terminal” capabilities. Government and commercial reports indicate that financially motivated adversaries, including BlackCat (AKA ALPHV or Noberus) actors and Scattered Spider (AKA 0ktapus or UNC3944), have used FleetDeck for command and control and persistence purposes during intrusions.[Cyber Centre ALPHV/BlackCat July 25 2023][CrowdStrike Scattered Spider SIM Swapping December 22 2022]
Internal MISP references
UUID 68758d3a-ec4b-4c19-933d-b4c3000281b2
which can be used as unique global reference for FleetDeck
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3079 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
FLIPSIDE
FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims. [Mandiant FIN5 GrrCON Oct 2016]
Internal MISP references
UUID 18002747-ddcc-42c1-b0ca-1e598a9f1919
which can be used as unique global reference for FLIPSIDE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0173 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
fltMC
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Filter Manager Control Program used by Windows
Author: John Lambert
Paths: * C:\Windows\System32\fltMC.exe
Resources: * https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
Detection: * Sigma: proc_creation_win_fltmc_unload_driver_sysmon.yml * Elastic: defense_evasion_via_filter_manager.toml * Splunk: unload_sysmon_filter_driver.yml * IOC: 4688 events with fltMC.exe[fltMC.exe - LOLBAS Project]
Internal MISP references
UUID 43d57826-cd15-4154-8f04-38351c96986e
which can be used as unique global reference for fltMC
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3226 |
source | Tidal Cyber |
tags | ['49bbb074-2406-4f27-ad77-d2e433ba1ccb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
FoggyWeb
FoggyWeb is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by APT29 since at least early April 2021.[MSTIC FoggyWeb September 2021]
Internal MISP references
UUID bc11844e-0348-4eed-a48a-0554d68db38c
which can be used as unique global reference for FoggyWeb
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Windows'] |
software_attack_id | S0661 |
source | MITRE |
tags | ['8bf128ad-288b-41bc-904f-093f4fdde745'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Fog Ransomware
Fog is a ransomware family first observed in May 2024. Its distribution has been linked to Storm-0844, a threat actor that also leverages suspected valid credentials and freely available tools for initial access and post-exploit activity prior to ransomware deployment.[Arctic Wolf Fog Ransomware June 4 2024]
Internal MISP references
UUID 3480069a-13eb-4f1e-9967-57ecac415c52
which can be used as unique global reference for Fog Ransomware
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3146 |
source | Tidal Cyber |
tags | ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
Forfiles
Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [Microsoft Forfiles Aug 2016]
Internal MISP references
UUID c6dc67a6-587d-4700-a7de-bee043a0031a
which can be used as unique global reference for Forfiles
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0193 |
source | MITRE |
tags | ['91804406-e20a-4455-8dbc-5528c35f8e20', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
Formbook
Formbook is an information-stealing malware, discovered in 2016, that is capable of stealing data entered into HTML website forms and logging keystrokes and also acting as a downloader for other malware.[What Is FormBook Malware?][What is FormBook Malware? - Check Point Software] xLoader is a JavaScript-based, cross-platform Formbook variant discovered in 2020 that is crafted to infect macOS as well as Windows systems. Check Point Research's 2022 Mid-Year Report released in August 2022 placed Formbook as the "most prevalent" infostealer malware globally (and second-most prevalent of all malware types globally, behind only Emotet).[Check Point Mid-Year Report 2022]
Internal MISP references
UUID 376d1383-17a7-48b0-8a8b-d6142b2f3003
which can be used as unique global reference for Formbook
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3003 |
source | Tidal Cyber |
tags | ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f'] |
type | ['malware'] |
FRAMESTING
FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution.[Mandiant Cutting Edge Part 2 January 2024]
Internal MISP references
UUID 83721b89-df58-50bf-be2a-0b696fb0da78
which can be used as unique global reference for FRAMESTING
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['Network'] |
software_attack_id | S1120 |
source | MITRE |
type | ['malware'] |
FrameworkPOS
FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from sytems that run physical POS devices.[SentinelOne FrameworkPOS September 2019]
Internal MISP references
UUID aef7cbbc-5163-419c-8e4b-3f73bed50474
which can be used as unique global reference for FrameworkPOS
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
software_attack_id | S0503 |
source | MITRE |
type | ['malware'] |
Related clusters
To see the related clusters, click here.
FreeFileSync
FreeFileSync is a tool used to facilitate cloud-based file synchronization.[U.S. CISA Understanding LockBit June 2023]
Internal MISP references
UUID 1d5c5822-3cb4-455a-9976-f6bc17e2820d
which can be used as unique global reference for FreeFileSync
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
owner | TidalCyberIan |
platforms | ['Windows'] |
software_attack_id | S3034 |
source | Tidal Cyber |
tags | ['e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
FRP
FRP, which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. FRP can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.[FRP GitHub][Joint Cybersecurity Advisory Volt Typhoon June 2023][RedCanary Mockingbird May 2020][DFIR Phosphorus November 2021]
Internal MISP references
UUID 5d83dd11-3928-5d7e-a50c-5c06594a5229
which can be used as unique global reference for FRP
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS', 'Linux', 'Windows'] |
software_attack_id | S1144 |
source | MITRE |
tags | ['be319849-fb2c-4b5f-8055-0bde562c280b', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96'] |
type | ['tool'] |
Related clusters
To see the related clusters, click here.
FruitFly
FruitFly is designed to spy on mac users [objsee mac malware 2017].
Internal MISP references
UUID 3a05085e-5a1f-4a74-b489-d679b80e2c18
which can be used as unique global reference for FruitFly
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
platforms | ['macOS'] |
software_attack_id | S0277 |
source | MITRE |
type | ['malware'] |
Fsi
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.
Author: Jimmy (@bohops)
Paths: * C:\Program Files\dotnet\sdk[sdk version]\FSharp\fsi.exe * C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
Resources: * https://twitter.com/NickTyrer/status/904273264385589248 * https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
Detection: * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules * IOC: Fsi.exe execution may be suspicious on non-developer machines * Sigma: proc_creation_win_lolbin_fsharp_interpreters.yml[Fsi.exe - LOLBAS Project]
Internal MISP references
UUID f2a5e6cb-75fd-4108-9466-80471c7d0422
which can be used as unique global reference for Fsi
in MISP communities and other software using the MISP galaxy