Skip to content

Hide Navigation Hide TOC

Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a)

Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.(Citation: Cybereason Chaes Nov 2020)

Cluster A Galaxy A Cluster B Galaxy B Level
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern 1
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 1
Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware 1
Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern 1
Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 1
Chaes - S0631 (77e0ecf7-ca91-4c06-8012-8e728986a87a) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 2
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern 2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2