Skip to content

Hide Navigation Hide TOC

StreamEx (9991ace8-1a62-498c-a9ef-19d474deb505)

Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples ‘stream’, combined with the dropper functionality to append ‘ex’ to the DLL file name. The StreamEx family has the ability to access and modify the user’s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild.

Cluster A Galaxy A Cluster B Galaxy B Level
StreamEx - S0142 (91000a8a-58cc-4aba-9ad0-993ad6302b86) Malware StreamEx (9991ace8-1a62-498c-a9ef-19d474deb505) Tool 1
StreamEx - S0142 (91000a8a-58cc-4aba-9ad0-993ad6302b86) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern StreamEx - S0142 (91000a8a-58cc-4aba-9ad0-993ad6302b86) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern StreamEx - S0142 (91000a8a-58cc-4aba-9ad0-993ad6302b86) Malware 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern StreamEx - S0142 (91000a8a-58cc-4aba-9ad0-993ad6302b86) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern StreamEx - S0142 (91000a8a-58cc-4aba-9ad0-993ad6302b86) Malware 2
StreamEx - S0142 (91000a8a-58cc-4aba-9ad0-993ad6302b86) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern StreamEx - S0142 (91000a8a-58cc-4aba-9ad0-993ad6302b86) Malware 2
StreamEx - S0142 (91000a8a-58cc-4aba-9ad0-993ad6302b86) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 2
StreamEx - S0142 (91000a8a-58cc-4aba-9ad0-993ad6302b86) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3