Tidal Software

Tidal Software Cluster

Authors
Authors and/or Contributors
Tidal Cyber

3PARA RAT

3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. [CrowdStrike Putter Panda]

Internal MISP references

UUID 71d76208-c465-4447-8d6e-c54f142b65a4 which can be used as a unique global reference for 3PARA RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0066
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

4H RAT

4H RAT is malware that has been used by Putter Panda since at least 2007. [CrowdStrike Putter Panda]

Internal MISP references

UUID a15142a3-4797-4fef-8ec6-065e3322a69b which can be used as a unique global reference for 4H RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0065
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

7-Zip

7-Zip is a tool used to compress files into an archive.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 4665e52b-3c5c-4a7f-9432-c89ef26f2c93 which can be used as a unique global reference for 7-Zip in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5023
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'c45ce044-b5b9-426a-866c-130e9f2a4427', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

8Base Ransomware

The 8Base ransomware operation began claiming significant numbers of victims on its data leak site in June 2023, including organizations in a range of sectors. Researchers have observed considerable similarities between aspects of 8Base's operations and those of other ransomware groups, leading them to suspect that 8Base may be an evolution or offshoot of existing operations. The language in 8Base's ransom notes is similar to the language seen in RansomHouse's notes, and there is strong overlap between the code of Phobos ransomware and 8Base.[VMWare 8Base June 28 2023][Acronis 8Base July 17 2023]

Internal MISP references

UUID 88a5435f-5586-4cb4-a9c0-1961ee060a67 which can be used as a unique global reference for 8Base Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5299
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[AADInternals Github][AADInternals Documentation]

Internal MISP references

UUID 3d33fbf5-c21e-4587-ba31-9aeec3cc10c0 which can be used as a unique global reference for AADInternals in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Azure AD', 'Office 365', 'Windows']
software_attack_id S0677
source MITRE
tags ['c9c73000-30a5-4a16-8c8b-79169f9c24aa', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

ABK

ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID 394cadd0-bc4d-4181-ac53-858e84b8e3de which can be used as a unique global reference for ABK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0469
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

AccCheckConsole

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Verifies UI accessibility requirements

Author: bohops

Paths:
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm\AccChecker\AccCheckConsole.exe
* C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\arm64\AccChecker\AccCheckConsole.exe

Resources:
* https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
* https://twitter.com/bohops/status/1477717351017680899

Detection:
* Sigma: proc_creation_win_lolbin_susp_acccheckconsole.yml
* IOC: Sysmon Event ID 1 - Process Creation
* Analysis: https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 [AccCheckConsole.exe - LOLBAS Project]

Internal MISP references

UUID cce705c7-49f8-4b54-b854-fd4b3a32e6ff which can be used as a unique global reference for AccCheckConsole in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5203
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

AccountRestore

AccountRestore is a .NET executable that is used to brute force Active Directory accounts. The tool searches for a list of specific users and attempts to brute force the accounts based on a password file provided by the user.[Security Joes Sockbot March 09 2022]

Internal MISP references

UUID 6bc29df2-195e-410c-ad08-f3661575492f which can be used as a unique global reference for AccountRestore in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5059
source Tidal Cyber
tags ['dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['malware']
Related clusters

To see the related clusters, click here.

AcidRain

AcidRain is an ELF binary targeting modems and routers using MIPS architecture.[AcidRain JAGS 2022] AcidRain is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with Sandworm Team.[AcidRain JAGS 2022] US and European government sources linked AcidRain to Russian government entities, while Ukrainian government sources linked AcidRain specifically to Sandworm Team.[AcidRain State Department 2022][Vincens AcidPour 2024]

Internal MISP references

UUID cf465790-3d6d-5767-bb8c-63a429f95d83 which can be used as a unique global reference for AcidRain in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network', 'Linux']
software_attack_id S1125
source MITRE
tags ['b20e7912-6a8d-46e3-8e13-9a3fc4813852']
type ['malware']
Related clusters

To see the related clusters, click here.

Action RAT

Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.[MalwareBytes SideCopy Dec 2021]

Internal MISP references

UUID 202781a3-d481-4984-9e5a-31caafc20135 which can be used as a unique global reference for Action RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1028
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

adbupd

adbupd is a backdoor used by PLATINUM that is similar to Dipsind. [Microsoft PLATINUM April 2016]

Internal MISP references

UUID f52e759a-a725-4b50-84f2-12bef89d369e which can be used as a unique global reference for adbupd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0202
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

AddinUtil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: .NET Tool used for updating cache files for Microsoft Office Add-Ins.

Author: Michael McKinley @MckinleyMike

Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe

Resources:
* https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html

Detection:
* Sigma: proc_creation_win_addinutil_suspicious_cmdline.yml
* Sigma: proc_creation_win_addinutil_uncommon_child_process.yml
* Sigma: proc_creation_win_addinutil_uncommon_cmdline.yml
* Sigma: proc_creation_win_addinutil_uncommon_dir_exec.yml [AddinUtil.exe - LOLBAS Project]

Internal MISP references

UUID 253f97c3-ba35-4064-8ec0-892872432214 which can be used as a unique global reference for AddinUtil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5082
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

AdFind

AdFind is a free command-line query tool that can be used for gathering information from Active Directory.[Red Canary Hospital Thwarted Ryuk October 2020][FireEye FIN6 Apr 2019][FireEye Ryuk and Trickbot January 2019]

Internal MISP references

UUID 70559096-2a6b-4388-97e6-c2b16f3be78e which can be used as a unique global reference for AdFind in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0552
source MITRE
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '3a633b73-9c2c-4293-8577-fb97be0cda37', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

adplus

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Debugging tool included with Windows Debugging Tools

Author: mr.d0x

Paths:
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\adplus.exe
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\adplus.exe

Resources:
* https://mrd0x.com/adplus-debugging-tool-lsass-dump/
* https://twitter.com/nas_bench/status/1534916659676422152
* https://twitter.com/nas_bench/status/1534915321856917506

Detection:
* Sigma: proc_creation_win_lolbin_adplus.yml
* IOC: As a Windows SDK binary, execution on a system may be suspicious [adplus.exe - LOLBAS Project]

Internal MISP references

UUID 3f229fe8-4d03-48ba-97b5-d7132510e090 which can be used as a unique global reference for adplus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5204
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ADRecon

ADRecon is an open-source tool that can be used to gather a "holistic" view of a target Active Directory environment.[GitHub ADRecon]

Internal MISP references

UUID c227bea1-9996-49d6-97ca-10a2fc156747 which can be used as a unique global reference for ADRecon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5270
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']
Related clusters

To see the related clusters, click here.

Advanced IP Scanner

Advanced IP Scanner is a tool used to perform network scans and show network devices.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID ff0af6fd-e4a1-47c9-b4a1-7ce5074e089e which can be used as a unique global reference for Advanced IP Scanner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5024
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Advanced Port Scanner

Advanced Port Scanner is a tool used to perform network scans.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID f93b54cf-a17c-4739-a7af-4106055f868d which can be used as a unique global reference for Advanced Port Scanner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5006
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'cd1b5d44-226e-4405-8985-800492cf2865', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

AdvancedRun

AdvancedRun is a tool used to enable software execution under user-defined settings.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 7ef15943-8061-4941-b14e-9634c0b95d28 which can be used as a unique global reference for AdvancedRun in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5025
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '7de7d799-f836-4555-97a4-0db776eb6932', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Advpack

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Utility for installing software and drivers with rundll32.exe

Author: LOLBAS Team

Paths:
* c:\windows\system32\advpack.dll
* c:\windows\syswow64\advpack.dll

Resources:
* https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
* https://twitter.com/ItsReallyNick/status/967859147977850880
* https://twitter.com/bohops/status/974497123101179904
* https://twitter.com/moriarty_meng/status/977848311603380224

Detection:
* Sigma: proc_creation_win_rundll32_susp_activity.yml
* Splunk: detect_rundll32_application_control_bypass___advpack.yml [Advpack.dll - LOLBAS Project]

Internal MISP references

UUID 6c82fc65-864a-4a8c-80ed-80a69920c44f which can be used as a unique global reference for Advpack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5187
source Tidal Cyber
tags ['7a457caf-c3b6-4a48-84cf-c1f50a2eda27', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ADVSTORESHELL

ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. [Kaspersky Sofacy] [ESET Sednit Part 2]

Internal MISP references

UUID ef7f4f5f-6f30-4059-87d1-cd8375bf1bee which can be used as a unique global reference for ADVSTORESHELL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0045
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635', '16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Agent.btz

Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. [Securelist Agent.btz]

Internal MISP references

UUID f27c9a91-c618-40c6-837d-089ba4d80f45 which can be used as a unique global reference for Agent.btz in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0092
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

AgentExecutor

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Intune Management Extension included on Intune Managed Devices

Author: Eleftherios Panos

Paths:
* C:\Program Files (x86)\Microsoft Intune Management Extension

Resources:

Detection:
* Sigma: proc_creation_win_lolbin_agentexecutor.yml
* Sigma: proc_creation_win_lolbin_agentexecutor_susp_usage.yml [AgentExecutor.exe - LOLBAS Project]

Internal MISP references

UUID 27fa7573-c1d3-4857-8a45-ef501c8ea32c which can be used as a unique global reference for AgentExecutor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5205
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Agent Tesla

Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.[Fortinet Agent Tesla April 2018][Bitdefender Agent Tesla April 2020][Malwarebytes Agent Tesla April 2020]

Internal MISP references

UUID 304650b1-a0b5-460c-9210-23a5b53815a4 which can be used as a unique global reference for Agent Tesla in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0331
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Akira

Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity Akira.[Kersten Akira 2023]

Internal MISP references

UUID 96ae0e1e-975a-5e11-adbe-c79ee17cee11 which can be used as a unique global reference for Akira in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1129
source MITRE
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '562e535e-19f5-4d6c-81ed-ce2aec544f09']
type ['malware']
Related clusters

To see the related clusters, click here.

Akira Ransomware

A ransomware binary designed to encrypt victim files. More details about the TTPs typically observed during Akira ransomware attacks can be found in the associated Group object, "Akira Ransomware Actors".

Internal MISP references

UUID 59d598a9-e115-4d90-8fef-096015afa8d4 which can be used as a unique global reference for Akira Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5280
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '562e535e-19f5-4d6c-81ed-ce2aec544f09']
type ['malware']
Related clusters

To see the related clusters, click here.

Amadey

Amadey is a Trojan bot that has been used since at least October 2018.[Korean FSI TA505 2020][BlackBerry Amadey 2020]

Internal MISP references

UUID f173ec20-ef40-436b-a859-fef017e1e767 which can be used as a unique global reference for Amadey in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1025
source MITRE
tags ['fa84181d-fd9a-4c7b-8e18-e47011993b5e', '263adb48-051c-4384-90cf-1d4c937c3f05', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Anchor

Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high-profile targets since at least 2018.[Cyberreason Anchor December 2019][Medium Anchor DNS July 2020]

Internal MISP references

UUID 9521c535-1043-4b82-ba5d-e5eaeca500ee which can be used as a unique global reference for Anchor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0504
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

ANDROMEDA

ANDROMEDA is commodity malware that was widespread in the early 2010s and continues to be observed in infections across a wide variety of industries. During the 2022 C0026 campaign, threat actors re-registered expired ANDROMEDA C2 domains to spread malware to select targets in Ukraine.[Mandiant Suspected Turla Campaign February 2023]

Internal MISP references

UUID 69aac793-9e6a-5167-bc62-823189ee2f7b which can be used as a unique global reference for ANDROMEDA in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1074
source MITRE
type ['malware']

Angry IP Scanner

Angry IP Scanner is a tool that adversaries are known to use to search for vulnerable RDP ports.[U.S. CISA Phobos February 29 2024]

Internal MISP references

UUID 8efa90ac-a894-467d-8633-16a44d270358 which can be used as a unique global reference for Angry IP Scanner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S5274
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'cd1b5d44-226e-4405-8985-800492cf2865', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

AnyDesk

AnyDesk is a tool used to enable remote connections to network devices.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 922447fd-f41e-4bcf-b479-88137c81099c which can be used as a unique global reference for AnyDesk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5007
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'fb06d216-f535-45c1-993a-8c1b7aa2111c', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

AppInstaller

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Tool used for installation of AppX/MSIX applications on Windows 10

Author: Wade Hickey

Paths:
* C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.11.2521.0_x64__8wekyb3d8bbwe\AppInstaller.exe

Resources:
* https://twitter.com/notwhickey/status/1333900137232523264

Detection:
* Sigma: dns_query_win_lolbin_appinstaller.yml [AppInstaller.exe - LOLBAS Project]

Internal MISP references

UUID 9fa7c759-172f-4ae3-ac3d-0070c3c4c439 which can be used as a unique global reference for AppInstaller in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5083
source Tidal Cyber
tags ['837cf289-ad09-48ca-adf9-b46b07015666', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

AppleJeus

AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.[CISA AppleJeus Feb 2021]

Internal MISP references

UUID cdeb3110-07e5-4c3d-9eef-e6f2b760ef33 which can be used as a unique global reference for AppleJeus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Windows']
software_attack_id S0584
source MITRE
tags ['8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

AppleSeed

AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.[Malwarebytes Kimsuky June 2021]

Internal MISP references

UUID 9df2e42e-b454-46ea-b50d-2f7d999f3d42 which can be used as a unique global reference for AppleSeed in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Android', 'Windows']
software_attack_id S0622
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Appvlp

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Application Virtualization Utility Included with Microsoft Office 2016

Author: Oddvar Moe

Paths:
* C:\Program Files\Microsoft Office\root\client\appvlp.exe
* C:\Program Files (x86)\Microsoft Office\root\client\appvlp.exe

Resources:
* https://github.com/MoooKitty/Code-Execution
* https://twitter.com/moo_hax/status/892388990686347264
* https://enigma0x3.net/2018/06/11/the-tale-of-settingcontent-ms-files/
* https://securityboulevard.com/2018/07/attackers-test-new-document-attack-vector-that-slips-past-office-defenses/

Detection:
* Sigma: proc_creation_win_lolbin_appvlp.yml [Appvlp.exe - LOLBAS Project]

Internal MISP references

UUID 1328ae5d-7220-46bb-a7ee-0c5a31eeda7f which can be used as a unique global reference for Appvlp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5206
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

AresLoader

AresLoader is a loader malware distributed as malware-as-a-service. It has been observed being both dropped by and delivering SystemBC, a known ransomware precursor.[New loader on the bloc - AresLoader | Intel471]

Internal MISP references

UUID 5bf1ed41-8fe5-4c4b-8d80-a55980289e1f which can be used as a unique global reference for AresLoader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5286
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'a2e000da-8181-4327-bacd-32013dbd3654', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

Aria-body

Aria-body is a custom backdoor that has been used by Naikon since approximately 2017.[CheckPoint Naikon May 2020]

Internal MISP references

UUID 7ba79887-d496-47aa-8b71-df7f46329322 which can be used as a unique global reference for Aria-body in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0456
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Arp

Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache. [TechNet Arp]

Internal MISP references

UUID 45b51950-6190-4572-b1a2-7c69d865251e which can be used as a unique global reference for Arp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0099
source MITRE
tags ['509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Aspnet_Compiler

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: ASP.NET Compilation Tool

Author: Jimmy (@bohops)

Paths:
* c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
* c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

Resources:
* https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
* https://docs.microsoft.com/en-us/dotnet/api/system.web.compilation.buildprovider.generatecode?view=netframework-4.8

Detection:
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* Sigma: proc_creation_win_lolbin_aspnet_compiler.yml [Aspnet_Compiler.exe - LOLBAS Project]

Internal MISP references

UUID 42763dde-8226-4f31-a3ba-face2da84dd2 which can be used as unique global reference for Aspnet_Compiler in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5084
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ASPXSpy

ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [Dell TG-3390]

Internal MISP references

UUID a0cce010-9158-45e5-978a-f002e5c31a03 which can be used as unique global reference for ASPXSpy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0073
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [Cybereason Astaroth Feb 2019][Cofense Astaroth Sept 2018][Securelist Brazilian Banking Malware July 2020]

Internal MISP references

UUID ea719a35-cbe9-4503-873d-164f68ab4544 which can be used as unique global reference for Astaroth in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0373
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

AsyncRAT

AsyncRAT is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.[Morphisec Snip3 May 2021][Cisco Operation Layover September 2021][Telefonica Snip3 December 2021]

Internal MISP references

UUID d587efff-4699-51c7-a4cc-bdbd1b302ed4 which can be used as unique global reference for AsyncRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1087
source MITRE
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '2feda37d-5579-4102-a073-aa02e82cb49f', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444']
type ['tool']

at

at is used to schedule tasks on a system to run at a specified date or time.[TechNet At][Linux at]

Internal MISP references

UUID af01dc7b-a2bc-4fda-bbfe-d2be889c2860 which can be used as unique global reference for at in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0110
source MITRE
tags ['5bc4c6c6-36df-4a53-920c-53e17d7027db', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Atbroker

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Helper binary for Assistive Technology (AT)

Author: Oddvar Moe

Paths:
* C:\Windows\System32\Atbroker.exe
* C:\Windows\SysWOW64\Atbroker.exe

Resources:
* http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/

Detection:
* Sigma: proc_creation_win_lolbin_susp_atbroker.yml
* Sigma: registry_event_susp_atbroker_change.yml
* IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
* IOC: Changes to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
* IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware[Atbroker.exe - LOLBAS Project]

Internal MISP references

UUID 2efae55c-86f3-4234-af26-1c75e922d81a which can be used as unique global reference for Atbroker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5085
source Tidal Cyber
tags ['85a29262-64bd-443c-9e08-3ee26aac859b', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Atera Agent

Atera Agent is a legitimate remote administration tool (specifically a remote management and maintenance ("RMM") solution) that adversaries have used as a command and control tool for remote code execution, tool ingress, and persisting in victim environments.[U.S. CISA PaperCut May 2023]

Internal MISP references

UUID f8113a9f-a706-46df-8370-a9cef1c75f30 which can be used as unique global reference for Atera Agent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5014
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '9a5ed991-6fe7-49fe-8536-91defc449b18', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']

Atomic Stealer

Atomic Stealer is an information-stealing malware ("infostealer") designed to harvest passwords, cookies, and other sensitive information from macOS systems. It is often delivered via malicious download sites promoted via malvertising.[Malwarebytes 9 6 2023]

Internal MISP references

UUID ce914eea-8db9-425b-8ae2-a56a264b4951 which can be used as unique global reference for Atomic Stealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['macOS']
software_attack_id S5314
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

Attor

Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.[ESET Attor Oct 2019]

Internal MISP references

UUID 89c35e9f-b435-4f58-9073-f24c1ee8754f which can be used as unique global reference for Attor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0438
source MITRE
type ['malware']

AuditCred

AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.[TrendMicro Lazarus Nov 2018]

Internal MISP references

UUID d0c25f14-5eb3-40c1-a890-2ab1349dff53 which can be used as unique global reference for AuditCred in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0347
source MITRE
type ['malware']

AutoIt backdoor

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [Forcepoint Monsoon] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

Internal MISP references

UUID 3f927596-5219-49eb-bd0d-57068b0e04ed which can be used as unique global reference for AutoIt backdoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0129
source MITRE
type ['malware']

Automim

Researchers describe Automim as a "collection of .cmd, .vbs and .bat files that automate the execution" of the Mimikatz and LaZagne credential harvesting tools.[CrowdStrike Endpoint Security Testing Oct 2021]

Internal MISP references

UUID 984249bd-6421-4133-bd2a-25f330b4b441 which can be used as unique global reference for Automim in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5277
source Tidal Cyber
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c']
type ['tool']

AuTo Stealer

AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[MalwareBytes SideCopy Dec 2021]

Internal MISP references

UUID 649a4cfc-c0d0-412d-a28c-1bd4ed604ea8 which can be used as unique global reference for AuTo Stealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1029
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

Avaddon

Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.[Awake Security Avaddon][Arxiv Avaddon Feb 2021]

Internal MISP references

UUID bad92974-35f6-4183-8024-b629140c6ee6 which can be used as unique global reference for Avaddon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0640
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Avenger

Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID e5ca0192-e905-46a1-abef-ce1119c1f967 which can be used as unique global reference for Avenger in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0473
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

AvosLocker

AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[Malwarebytes AvosLocker Jul 2021][Trend Micro AvosLocker Apr 2022][Joint CSA AvosLocker Mar 2022]

Internal MISP references

UUID e792dc8d-b0f4-5916-8850-a61ff53125d0 which can be used as unique global reference for AvosLocker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S1053
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'c3779a84-8132-4c62-be2f-9312ad41c273', 'ce9f1048-09c1-49b0-a109-dd604afbf3cd', 'fe3eb26d-6daa-4f82-b0dd-fc1e2fffbc2b', '9e4936f0-e3b7-4721-a638-58b2d093b2f2', '24448a05-2337-4bc9-a889-a83f2fd1f3ad', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Azorult

Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. [Unit42 Azorult Nov 2018][Proofpoint Azorult July 2018]

Internal MISP references

UUID cc68a7f0-c955-465f-bee0-2dacbb179078 which can be used as unique global reference for Azorult in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0344
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Babuk

Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[Sogeti CERT ESEC Babuk March 2021][McAfee Babuk February 2021][CyberScoop Babuk February 2021]

Internal MISP references

UUID 0dc07eb9-66df-4116-b1bc-7020ca6395a1 which can be used as unique global reference for Babuk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0638
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'b5962a84-f1c7-4d0d-985c-86301db95129', '12124060-8392-49a3-b7b7-1dde3ebc8e67', '915e7ac2-b266-45d7-945c-cb04327d6246', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', 'a2e000da-8181-4327-bacd-32013dbd3654']
type ['malware']

BabyShark

BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. [Unit42 BabyShark Feb 2019]

Internal MISP references

UUID ebb824a2-abff-4bfd-87f0-d63cb02b62e6 which can be used as unique global reference for BabyShark in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0414
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

BackConfig

BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.[Unit 42 BackConfig May 2020]

Internal MISP references

UUID 2763ad8c-cf4e-42eb-88db-a40ff8f96cf9 which can be used as unique global reference for BackConfig in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0475
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Backdoor.Oldrea

Backdoor.Oldrea is a modular backdoor that has been used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[Symantec Dragonfly][Gigamon Berserk Bear October 2021][Symantec Dragonfly Sept 2017]

Internal MISP references

UUID f7cc5974-767c-4cb4-acc7-36295a386ce5 which can be used as unique global reference for Backdoor.Oldrea in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0093
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647']
type ['malware']

BACKSPACE

BACKSPACE is a backdoor used by APT30 that dates back to at least 2005. [FireEye APT30]

Internal MISP references

UUID d0daaa00-68e1-4568-bb08-3f28bcd82c63 which can be used as unique global reference for BACKSPACE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0031
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Backstab

Backstab is a tool used to terminate antimalware-protected processes.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 5a9a7a54-21cb-4a5c-bef0-d37f8678bf46 which can be used as unique global reference for Backstab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5026
source Tidal Cyber
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'd469efcf-4feb-4149-9c0f-c4b7821960bd', 'e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

BADCALL

BADCALL is a Trojan malware variant used by Lazarus Group. [US-CERT BADCALL]

Internal MISP references

UUID d7aa53a5-0912-4952-8f7f-55698e933c3b which can be used as unique global reference for BADCALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0245
source MITRE
type ['malware']

BADFLICK

BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.[FireEye Periscope March 2018][Accenture MUDCARP March 2019]

Internal MISP references

UUID 8c454294-81cb-45d0-b299-818994ad3e6f which can be used as unique global reference for BADFLICK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0642
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

BADHATCH

BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.[Gigamon BADHATCH Jul 2019][BitDefender BADHATCH Mar 2021]

Internal MISP references

UUID 16481e0f-49d5-54c1-a1fe-16d9e7f8d08c which can be used as unique global reference for BADHATCH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1081
source MITRE
type ['malware']

BADNEWS

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. [Forcepoint Monsoon] [TrendMicro Patchwork Dec 2017]

Internal MISP references

UUID 34c24d27-c779-42a4-9f61-3f0d3fea6fd4 which can be used as unique global reference for BADNEWS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0128
source MITRE
type ['malware']

BadPatch

BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.[Unit 42 BadPatch Oct 2017]

Internal MISP references

UUID 10e76722-4b52-47f6-9276-70e95fecb26b which can be used as unique global reference for BadPatch in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0337
source MITRE
type ['malware']

BadPotato

BadPotato is an open-source software project that, according to its GitHub page, can be used for privilege escalation purposes.[GitHub BeichenDream BadPotato]

Internal MISP references

UUID 4b59bf81-d351-436e-aebc-f0111a892395 which can be used as unique global reference for BadPotato in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5304
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

Bad Rabbit

Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [Secure List Bad Rabbit][ESET Bad Rabbit][Dragos IT ICS Ransomware]

Internal MISP references

UUID a1d86d8f-fa48-43aa-9833-7355750e455c which can be used as unique global reference for Bad Rabbit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0606
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '5a463cb3-451d-47f7-93e4-1886150697ce', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Bandook

Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[EFF Manul Aug 2016][Lookout Dark Caracal Jan 2018][CheckPoint Bandook Nov 2020]

Internal MISP references

UUID 5c0f8c35-88ff-40a1-977a-af5ce534e932 which can be used as unique global reference for Bandook in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0234
source MITRE
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Bankshot

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. [McAfee Bankshot]

Internal MISP references

UUID 24b8471d-698f-48cc-b47a-8fbbaf28b293 which can be used as unique global reference for Bankshot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0239
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']

Bash

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: File used by Windows subsystem for Linux

Author: Oddvar Moe

Paths:
* C:\Windows\System32\bash.exe
* C:\Windows\SysWOW64\bash.exe

Resources:
* https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Detection:
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* Sigma: proc_creation_win_lolbin_bash.yml
* IOC: Child process from bash.exe[Bash.exe - LOLBAS Project]

Internal MISP references

UUID cef3a09e-22ca-43dc-ad4a-95741a3b85ff which can be used as unique global reference for Bash in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5086
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Bat Armor

Bat Armor is a tool used to generate .bat files using PowerShell scripts.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 628037d4-962d-4f58-b32d-241d739bc62d which can be used as unique global reference for Bat Armor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5027
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Bazar

Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[Cybereason Bazar July 2020]

Internal MISP references

UUID b35d9817-6ead-4dbd-a2fa-4b8e217f8eac which can be used as unique global reference for Bazar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0534
source MITRE
tags ['818c3d93-c010-44f4-82bc-b63b4bc6c3c2', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

BBK

BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID 3daa5ae1-464e-4c0a-aa46-15264a2a0126 which can be used as unique global reference for BBK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0470
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

BBSRAT

BBSRAT is malware with remote access tool functionality that has been used in targeted compromises. [Palo Alto Networks BBSRAT]

Internal MISP references

UUID be4dab36-d499-4ac3-b204-5e309e3a5331 which can be used as unique global reference for BBSRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0127
source MITRE
type ['malware']

BendyBear

BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, BendyBear shares a variety of features with Waterbear, malware previously attributed to the Chinese cyber espionage group BlackTech.[Unit42 BendyBear Feb 2021]

Internal MISP references

UUID a114a498-fcfd-4e0a-9d1e-e26750d71af8 which can be used as unique global reference for BendyBear in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0574
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

Bginfo

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Background Information Utility included with SysInternals Suite

Author: Oddvar Moe

Paths:
* No fixed path

Resources:
* https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/

Detection:
* Sigma: proc_creation_win_lolbin_bginfo.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[Bginfo.exe - LOLBAS Project]

Internal MISP references

UUID fe926654-0cff-4e8e-b192-2fa1eb8a9a67 which can be used as unique global reference for Bginfo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5207
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

BianLian Ransomware (Backdoor)

This Software object represents the custom backdoor tool used during intrusions conducted by the BianLian Ransomware Group.[U.S. CISA BianLian Ransomware May 2023][BianLian Ransomware Gang Gives It a Go! | [redacted]]

Delivers: TeamViewer[U.S. CISA BianLian Ransomware May 2023], Atera Agent[U.S. CISA BianLian Ransomware May 2023], Splashtop[U.S. CISA BianLian Ransomware May 2023], AnyDesk[U.S. CISA BianLian Ransomware May 2023]

Internal MISP references

UUID a4fb341d-8010-433f-b8f1-a8781f961435 which can be used as unique global reference for BianLian Ransomware (Backdoor) in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5001
source Tidal Cyber
tags ['35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

BianLian Ransomware (Encryptor)

This Software object represents the custom Go encryptor tool (encryptor.exe) used during intrusions conducted by the BianLian Ransomware Group.[U.S. CISA BianLian Ransomware May 2023] The tool skips encryption of files based on a hardcoded file extension exclusion list.[BianLian Ransomware Gang Gives It a Go! | [redacted]]

Internal MISP references

UUID 252f56c2-4c85-4a19-8451-371cb04c6ceb which can be used as unique global reference for BianLian Ransomware (Encryptor) in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5292
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

BISCUIT

BISCUIT is a backdoor that has been used by APT1 since as early as 2007. [Mandiant APT1]

Internal MISP references

UUID 3ad98097-2d10-4aa1-9594-7e74828a3643 which can be used as unique global reference for BISCUIT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0017
source MITRE
type ['malware']

Bisonal

Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.[Unit 42 Bisonal July 2018][Talos Bisonal Mar 2020]

Internal MISP references

UUID b898816e-610f-4c2f-9045-d9f28a54ee58 which can be used as unique global reference for Bisonal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0268
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

BitPaymer

BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.[Crowdstrike Indrik November 2018]

Internal MISP references

UUID e7dec940-8701-4c06-9865-5b11c61c046d which can be used as unique global reference for BitPaymer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0570
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

BITSAdmin

BITSAdmin is a command line tool used to create and manage BITS Jobs. [Microsoft BITSAdmin]

Internal MISP references

UUID 52a20d3d-1edd-4f17-87f0-b77c67d260b4 which can be used as unique global reference for BITSAdmin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0190
source MITRE
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', '15787198-6c8b-4f79-bf50-258d55072fee', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '10d09438-9ea5-405d-9b3a-36d351b5a5d9', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Black Basta

Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. Black Basta operations have included the double extortion technique, where, in addition to demanding ransom for decrypting the files of targeted organizations, the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group.[Palo Alto Networks Black Basta August 2022][Deep Instinct Black Basta August 2022][Minerva Labs Black Basta May 2022][Avertium Black Basta June 2022][NCC Group Black Basta June 2022][Cyble Black Basta May 2022]

Internal MISP references

UUID 0d5b24ba-68dc-50fa-8268-3012180fe374 which can be used as unique global reference for Black Basta in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1070
source MITRE
tags ['89c5b94b-ecf4-4d53-9b74-3465086d4565', 'd903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', '15787198-6c8b-4f79-bf50-258d55072fee', '562e535e-19f5-4d6c-81ed-ce2aec544f09', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', 'dea4388a-b1f2-4f2a-9df9-108631d0d078', '2743d495-7728-4a75-9e5f-b64854039792', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

BlackCat

BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.[Microsoft BlackCat Jun 2022][Sophos BlackCat Jul 2022][ACSC BlackCat Apr 2022]

Internal MISP references

UUID 691369e5-ef74-5ff9-bc20-34efeb4b6c5b which can be used as unique global reference for BlackCat in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S1068
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

BLACKCOFFEE

BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. [FireEye APT17] [FireEye Periscope March 2018]

Internal MISP references

UUID e85e2fca-9347-4448-bfc1-342f29d5d6a1 which can be used as unique global reference for BLACKCOFFEE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0069
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BlackEnergy

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. [F-Secure BlackEnergy 2014]

Internal MISP references

UUID 908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f which can be used as unique global reference for BlackEnergy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0089
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647']
type ['malware']
Related clusters

To see the related clusters, click here.

BlackLotus

BlackLotus is a Unified Extensible Firmware Interface (UEFI) bootkit that enables bypass of Secure Boot, a UEFI feature that provides verification about the state of the boot chain, even on fully updated UEFI systems. It is considered the first “in-the-wild” UEFI bootkit, as it was observed for sale on underground forums in October 2022 and researchers were able to then confirm its existence. BlackLotus bypasses UEFI Secure Boot and establishes persistence by exploiting CVE-2022-21894, and after installation, it is designed to deploy a kernel driver for further persistence and an HTTP downloader, which allows communication with a command-and-control server and loading of additional user-mode or kernel-mode payloads. BlackLotus is also capable of disabling operating system security features, and some instances of the malware include a location-based check where it will terminate if the system uses a location associated with one of several Eastern European countries.[ESET BlackLotus March 01 2023]

Internal MISP references

UUID 4cd25fac-0b5d-44e2-8df1-2c7de06b4b39 which can be used as unique global reference for BlackLotus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5306
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '1a5a32ac-1db6-46b1-b72e-18bc3d776aed', 'df78b317-ce5d-423c-ac42-1e328ab27ffd', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

BlackMould

BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.[Microsoft GALLIUM December 2019]

Internal MISP references

UUID da348a51-d047-4144-9ba4-34d2ce964a11 which can be used as unique global reference for BlackMould in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0564
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BlackSuit Ransomware

BlackSuit is a ransomware capable of running on Windows and Linux systems. BlackSuit is believed to be a successor to Royal, a ransomware operation which itself derives from the notorious Russia-based Conti gang. BlackSuit operations were first observed in May 2023, and although they were relatively low in number, U.S. authorities issued a warning for healthcare sector organizations due to the ransomware's suspected pedigree.[HC3 Analyst Note BlackSuit Ransomware November 2023] The number of attacks claimed by BlackSuit operators increased notably in Q2 2024.[GitHub ransomwatch]

Internal MISP references

UUID 6e200813-4379-457b-9cce-2203bed4b072 which can be used as unique global reference for BlackSuit Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'Windows']
software_attack_id S5324
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

BLINDINGCAN

BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.[US-CERT BLINDINGCAN Aug 2020][NHS UK BLINDINGCAN Aug 2020]

Internal MISP references

UUID 1af8ea81-40df-4fba-8d63-1858b8b31217 which can be used as unique global reference for BLINDINGCAN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0520
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BloodHound

BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[GitHub Bloodhound][CrowdStrike BloodHound April 2018][FoxIT Wocao December 2019]

Internal MISP references

UUID 72658763-8077-451e-8572-38858f8cacf3 which can be used as unique global reference for BloodHound in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0521
source MITRE
tags ['d819ae1a-e385-49fd-88d5-f66660729ecb', 'e551ae97-d1b4-484e-9267-89f33829ec2c', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']
Related clusters

To see the related clusters, click here.

BLUELIGHT

BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.[Volexity InkySquid BLUELIGHT August 2021]

Internal MISP references

UUID 3aaaaf86-638b-4a65-be18-c6e6dcdcdb97 which can be used as unique global reference for BLUELIGHT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0657
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Bonadan

Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.[ESET ForSSHe December 2018]

Internal MISP references

UUID 3793db4b-f843-4cfd-89d2-ec28b62feda5 which can be used as unique global reference for Bonadan in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0486
source MITRE
type ['malware']

BONDUPDATER

BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[FireEye APT34 Dec 2017][Palo Alto OilRig Sep 2018]

Internal MISP references

UUID d8690218-5272-47d8-8189-35d3b518e66f which can be used as unique global reference for BONDUPDATER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0360
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

BoomBox

BoomBox is a downloader responsible for executing next stage components that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]

Internal MISP references

UUID 9d393f6f-855e-4348-8a26-008174e3605a which can be used as unique global reference for BoomBox in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0635
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

BOOSTWRITE

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.[FireEye FIN7 Oct 2019]

Internal MISP references

UUID 74a73624-d53b-4c84-a14b-8ae964fd577c which can be used as unique global reference for BOOSTWRITE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0415
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

BOOTRASH

BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.[Mandiant M Trends 2016][FireEye Bootkits][FireEye BOOTRASH SANS]

Internal MISP references

UUID d47a4753-80f5-494e-aad7-d033aaff0d6d which can be used as unique global reference for BOOTRASH in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0114
source MITRE
type ['malware']

BoxCaon

BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.[Checkpoint IndigoZebra July 2021]

Internal MISP references

UUID d3e46011-3433-426c-83b3-61c2576d5f71 which can be used as unique global reference for BoxCaon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0651
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

Brave Prince

Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. [McAfee Gold Dragon]

Internal MISP references

UUID 51b27e2c-c737-4006-a657-195ea1a1f4f0 which can be used as unique global reference for Brave Prince in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0252
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Briba

Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts. [Symantec Elderwood Sept 2012] [Symantec Briba May 2012]

Internal MISP references

UUID 7942783c-73a7-413c-94d1-8981029a1c51 which can be used as unique global reference for Briba in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0204
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Brute Ratel C4

Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.[Dark Vortex Brute Ratel C4][Palo Alto Brute Ratel July 2022][MDSec Brute Ratel August 2022][SANS Brute Ratel October 2022][Trend Micro Black Basta October 2022]

Internal MISP references

UUID 23043b44-69a6-5cdf-8f60-5a68068680c7 which can be used as unique global reference for Brute Ratel C4 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1063
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

BS2005

BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011. [Mandiant Operation Ke3chang November 2014]

Internal MISP references

UUID c9e773de-0213-4b64-83fb-637060c8b5ed which can be used as unique global reference for BS2005 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0014
source MITRE
type ['malware']

BUBBLEWRAP

BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. [FireEye admin@338]

Internal MISP references

UUID 2be4e3d2-e8c5-4406-8041-2c17bdb3a547 which can be used as unique global reference for BUBBLEWRAP in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0043
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

build_downer

build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID c21d3e6c-0f6d-44a8-bdd5-5b3180a641c9 which can be used as unique global reference for build_downer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0471
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Bumblebee

Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.[Google EXOTIC LILY March 2022][Proofpoint Bumblebee April 2022][Symantec Bumblebee June 2022]

Internal MISP references

UUID cc155181-fb34-4aaf-b083-b7b57b140b7a which can be used as unique global reference for Bumblebee in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1039
source MITRE
tags ['aa983c81-e54b-49b3-b0dd-53cf950825b8', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

Bundlore

Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.[MacKeeper Bundlore Apr 2019]

Internal MISP references

UUID e9873bf1-9619-4c62-b4cf-1009e83de186 which can be used as unique global reference for Bundlore in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0482
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

BUSHWALK

BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during Cutting Edge.[Mandiant Cutting Edge Part 2 January 2024][Mandiant Cutting Edge Part 3 February 2024]

Internal MISP references

UUID 44ed9567-2cb6-590e-b332-154557fb93f9 which can be used as unique global reference for BUSHWALK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1118
source MITRE
type ['malware']

Cachedump

Cachedump is a publicly available tool that extracts cached password hashes from a system's registry. [Mandiant APT1]

Internal MISP references

UUID 7c03fb92-3cd8-4ce4-a1e0-75e47465e4bc which can be used as unique global reference for Cachedump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0119
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

CACTUS Ransomware

This Software object reflects the TTPs associated with the CACTUS ransomware binary, a malware that researchers believe has been used since at least March 2023.[Kroll CACTUS Ransomware May 10 2023] Other pre- and post-exploit TTPs associated with threat actors known to deploy CACTUS can be found in the separate dedicated Group object.

Internal MISP references

UUID ad51e7c6-7d3c-4c5d-a7e2-e50afb11a0ca which can be used as unique global reference for CACTUS Ransomware in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5309
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'a2e000da-8181-4327-bacd-32013dbd3654', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

CaddyWiper

CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[ESET CaddyWiper March 2022][Cisco CaddyWiper March 2022]

Internal MISP references

UUID 62d0ddcd-790d-4d2d-9d94-276f54b40cf0 which can be used as unique global reference for CaddyWiper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0693
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']

Cadelspy

Cadelspy is a backdoor that has been used by APT39.[Symantec Chafer Dec 2015]

Internal MISP references

UUID c8a51b39-6906-4381-9bb4-4e9e612aa085 which can be used as unique global reference for Cadelspy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0454
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

CALENDAR

CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic. [Mandiant APT1]

Internal MISP references

UUID ad859a79-c183-44f6-a89a-f734710672a9 which can be used as unique global reference for CALENDAR in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0025
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Calisto

Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to have first been developed in 2016. [Securelist Calisto July 2018] [Symantec Calisto July 2018]

Internal MISP references

UUID 6b5b408c-4f9d-4137-bfb1-830d12e9736c which can be used as unique global reference for Calisto in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0274
source MITRE
type ['malware']

CallMe

CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. [Scarlet Mimic Jan 2016]

Internal MISP references

UUID 352ee271-89e6-4d3f-9c26-98dbab0e2986 which can be used as unique global reference for CallMe in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0077
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cannon

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [Unit42 Cannon Nov 2018][Unit42 Sofacy Dec 2018]

Internal MISP references

UUID 790e931d-2571-496d-9f48-322774a7d482 which can be used as unique global reference for Cannon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0351
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Carbanak

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [Kaspersky Carbanak] [FireEye CARBANAK June 2017]

Internal MISP references

UUID 4cb9294b-9e4c-41b9-b640-46213a01952d which can be used as unique global reference for Carbanak in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0030
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Carberp

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.[Trend Micro Carberp February 2014][Kaspersky Carbanak][RSA Carbanak November 2017]

Internal MISP references

UUID df9491fd-5e24-4548-8e21-1268dce59d1f which can be used as unique global reference for Carberp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0484
source MITRE
type ['malware']

Carbon

Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.[ESET Carbon Mar 2017][Securelist Turla Oct 2018]

Internal MISP references

UUID 61f5d19c-1da2-43d1-ab20-51eacbca71f2 which can be used as unique global reference for Carbon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0335
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cardinal RAT

Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.[PaloAlto CardinalRat Apr 2017]

Internal MISP references

UUID fa23acef-3034-43ee-9610-4fc322f0d80b which can be used as unique global reference for Cardinal RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0348
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']

CARROTBALL

CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.[Unit 42 CARROTBAT January 2020]

Internal MISP references

UUID 84bb4068-b441-435e-8535-02a458ffd50b which can be used as unique global reference for CARROTBALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0465
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['tool']

CARROTBAT

CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.[Unit 42 CARROTBAT November 2018][Unit 42 CARROTBAT January 2020]

Internal MISP references

UUID aefa893d-fc6e-41a9-8794-2700049db9e5 which can be used as unique global reference for CARROTBAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0462
source MITRE
type ['malware']

Catchamas

Catchamas is a Windows Trojan that steals information from compromised systems. [Symantec Catchamas April 2018]

Internal MISP references

UUID 04deccb5-9850-45c3-a900-5d7039a94190 which can be used as unique global reference for Catchamas in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0261
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Caterpillar WebShell

Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.[ClearSky Lebanese Cedar Jan 2021]

Internal MISP references

UUID ee88afaa-88bc-4c20-906f-332866388549 which can be used as unique global reference for Caterpillar WebShell in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0572
source MITRE
tags ['311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

CC-Attack

CC-Attack is a publicly available script that automates the use of open, external proxy servers as part of denial of service flood attacks. Its use has been promoted among the members of the Killnet hacktivist collective.[Flashpoint Glossary Killnet]

Internal MISP references

UUID 7664bfa5-8477-4903-9103-1144113fca36 which can be used as unique global reference for CC-Attack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'Windows']
software_attack_id S5062
source Tidal Cyber
tags ['62bde669-3020-4682-be68-36c83b2588a4']
type ['malware']
Related clusters

To see the related clusters, click here.

CCBkdr

CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. [Talos CCleanup 2017] [Intezer Aurora Sept 2017]

Internal MISP references

UUID 4eb0720c-7046-4ff1-adfd-ae603506e499 which can be used as unique global reference for CCBkdr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0222
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55']
type ['malware']

ccf32

ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[Bitdefender FunnyDream Campaign November 2020]

Internal MISP references

UUID e00c2a0c-bbe5-4eff-b0ad-b2543456a317 which can be used as unique global reference for ccf32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1043
source MITRE
type ['malware']

Cdb

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Debugging tool included with Windows Debugging Tools.

Author: Oddvar Moe

Paths:
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe
* C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe

Resources:
* http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
* https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/cdb-command-line-options
* https://gist.github.com/mattifestation/94e2b0a9e3fe1ac0a433b5c3e6bd0bda
* https://mrd0x.com/the-power-of-cdb-debugging-tool/
* https://twitter.com/nas_bench/status/1534957360032120833

Detection:
* Sigma: proc_creation_win_lolbin_cdb.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules [Cdb.exe - LOLBAS Project]

Internal MISP references

UUID d9ea2696-7c47-44cd-8784-9aeef5e149ea which can be used as unique global reference for Cdb in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5208
source Tidal Cyber
tags ['4479b9e9-d912-451a-9ad5-08b3d922422d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CertOC

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used for installing certificates

Author: Ensar Samil

Paths:
* c:\windows\system32\certoc.exe
* c:\windows\syswow64\certoc.exe

Resources:
* https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
* https://twitter.com/sblmsrsn/status/1452941226198671363?s=20

Detection:
* Sigma: proc_creation_win_certoc_load_dll.yml
* IOC: Process creation with given parameter
* IOC: Unsigned DLL load via certoc.exe
* IOC: Network connection via certoc.exe [CertOC.exe - LOLBAS Project]

Internal MISP references

UUID 34e1c197-ac43-4634-9a0d-9148c748f774 which can be used as unique global reference for CertOC in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5087
source Tidal Cyber
tags ['fb909648-ee44-4871-abe6-82c909c4d677', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CertReq

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used for requesting and managing certificates

Author: David Middlehurst

Paths:
* C:\Windows\System32\certreq.exe
* C:\Windows\SysWOW64\certreq.exe

Resources:
* https://dtm.uk/certreq

Detection:
* Sigma: proc_creation_win_lolbin_susp_certreq_download.yml
* IOC: certreq creates new files
* IOC: certreq makes POST requests [CertReq.exe - LOLBAS Project]

Internal MISP references

UUID 43050f80-ce28-49e3-aac6-cb3f4a07f4b4 which can be used as unique global reference for CertReq in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5088
source Tidal Cyber
tags ['35a798a2-eaab-48a3-9ee7-5538f36a4172', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [TechNet Certutil]

Internal MISP references

UUID 2fe21578-ee31-4ee8-b6ab-b5f76f97d043 which can be used as unique global reference for certutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0160
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '412da5b4-fb41-40fc-a29a-78dc9119aa75', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Chaes

Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.[Cybereason Chaes Nov 2020]

Internal MISP references

UUID 0c8efcd0-bfdf-4771-8754-18aac836c359 which can be used as unique global reference for Chaes in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0631
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

Chaos

Chaos is Linux malware that compromises systems through brute-force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. [Chaos Stolen Backdoor]

Internal MISP references

UUID 92c88765-6b12-42cd-b1d7-f6a65b2236e2 which can be used as unique global reference for Chaos in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0220
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

CharmPower

CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.[Check Point APT35 CharmPower January 2022]

Internal MISP references

UUID b1e3b56f-2e83-4cab-a1c1-16999009d056 which can be used as unique global reference for CharmPower in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0674
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

ChChes

ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. [Palo Alto menuPass Feb 2017] [JPCERT ChChes Feb 2017] [PWC Cloud Hopper Technical Annex April 2017]

Internal MISP references

UUID 3f2283ef-67c2-49a3-98ac-1aa9f0499361 which can be used as unique global reference for ChChes in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0144
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cheerscrypt

Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks against ESXi and Windows environments since at least 2022. Cheerscrypt was derived from the leaked Babuk source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from Babuk.[Sygnia Emperor Dragonfly October 2022][Trend Micro Cheerscrypt May 2022]

Internal MISP references

UUID 6475bc8c-b95d-5cb3-92f0-aa7e2f18859a which can be used as unique global reference for Cheerscrypt in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1096
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cherry Picker

Cherry Picker is a point of sale (PoS) memory scraper. [Trustwave Cherry Picker]

Internal MISP references

UUID 2fd6f564-918e-4ee7-920a-2b4be858d11a which can be used as unique global reference for Cherry Picker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0107
source MITRE
type ['malware']

China Chopper

China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.[Lee 2013] It has been used by several threat groups.[Dell TG-3390][FireEye Periscope March 2018][CISA AA21-200A APT40 July 2021][Rapid7 HAFNIUM Mar 2021]

Internal MISP references

UUID 723c5ab7-23ca-46f2-83bb-f1d1e550122c which can be used as unique global reference for China Chopper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0020
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f', '311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']
Related clusters

To see the related clusters, click here.

Chinoxy

Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.[Bitdefender FunnyDream Campaign November 2020]

Internal MISP references

UUID 7c36563a-9143-4766-8aef-4e1787e18d8c which can be used as unique global reference for Chinoxy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1041
source MITRE
type ['malware']

Chisel

Chisel is an open source tool that can be used for network tunneling.[U.S. CISA AvosLocker October 11 2023] According to its GitHub project page, "Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH".[GitHub Chisel] Threat actors including ransomware operators and nation-state-aligned espionage actors have used Chisel as part of their operations.[U.S. CISA AvosLocker October 11 2023][CISA AA20-259A Iran-Based Actor September 2020]

Internal MISP references

UUID bd2b2375-4f16-42b2-a862-959b5b41c2af which can be used as unique global reference for Chisel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5063
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Chocolatey

Chocolatey is a command-line package manager for Microsoft Windows.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 7a2b00ef-8a37-4901-bf0c-17da0ebf3d69 which can be used as unique global reference for Chocolatey in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5028
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '0d3ca5b9-2ea9-4daf-b3b5-11f1c6f9ebd3', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [FireEye APT28] [ESET Sednit Part 2] [FireEye APT28 January 2017] [DOJ GRU Indictment Jul 2018] It is tracked separately from the X-Agent for Android.

Internal MISP references

UUID 01c6c49a-f7c8-44cd-a377-4dfd358ffeba which can be used as unique global reference for CHOPSTICK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0023
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Chrommme

Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.[ESET Gelsemium June 2021]

Internal MISP references

UUID df77ed2a-f135-4f00-9a5e-79b7a6a2ed14 which can be used as unique global reference for Chrommme in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0667
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

Clambling

Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[Trend Micro DRBControl February 2020]

Internal MISP references

UUID 4bac93bd-7e58-4ddb-a205-d99597b9e65e which can be used as unique global reference for Clambling in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0660
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

CL_Invocation

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Aero diagnostics script

Author: Oddvar Moe

Paths:
* C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1
* C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Invocation.ps1

Resources:

Detection:
* Sigma: proc_creation_win_lolbin_cl_invocation.yml
* Sigma: posh_ps_cl_invocation_lolscript.yml [CL_Invocation.ps1 - LOLBAS Project]

Internal MISP references

UUID 4bc36e22-6529-4a4a-a5d2-461f3925c5f3 which can be used as unique global reference for CL_Invocation in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5257
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CL_LoadAssembly

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: PowerShell Diagnostic Script

Author: Jimmy (@bohops)

Paths: * C:\Windows\diagnostics\system\Audio\CL_LoadAssembly.ps1

Resources: * https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/

Detection: * Sigma: proc_creation_win_lolbas_cl_loadassembly.yml[CL_LoadAssembly.ps1 - LOLBAS Project]

Internal MISP references

UUID cb950179-334d-4bd9-9cfb-87b09d279a3b which can be used as unique global reference for CL_LoadAssembly in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5255
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CL_Mutexverifiers

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Proxy execution with CL_Mutexverifiers.ps1

Author: Oddvar Moe

Paths:
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
* C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
* C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
* C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1
* C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1

Resources: * https://twitter.com/pabraeken/status/995111125447577600

Detection: * Sigma: proc_creation_win_lolbin_cl_mutexverifiers.yml[CL_Mutexverifiers.ps1 - LOLBAS Project]

Internal MISP references

UUID 3c63792a-1184-416e-aa9b-18da72e88327 which can be used as unique global reference for CL_Mutexverifiers in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5256
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Clop

Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[Mcafee Clop Aug 2019][Cybereason Clop Dec 2020][Unit42 Clop April 2021]

Internal MISP references

UUID 5321aa75-924c-47ae-b97a-b36f023abf2a which can be used as unique global reference for Clop in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0611
source MITRE
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', '562e535e-19f5-4d6c-81ed-ce2aec544f09', 'b15c16f7-b8c7-4962-9acc-a98a39f87b69', 'b18b5401-d88d-4f28-8f50-a884a5e58349', 'ac862a66-a4ec-4285-9a21-b63576a5867d', '5ab5f811-5c7e-4f77-ae90-59d3beb93346', '1b5da77a-bf84-4fba-a6d7-8b3b8f7699e0', 'e401022a-36ac-486d-8503-dd531410a927', '8a77c410-bed9-4376-87bf-5ac84fbc2c9d', 'ab64f2d8-8da3-48de-ac66-0fd91d634b22', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

CloudChat Infostealer

CloudChat Infostealer is an information-stealing malware designed to harvest passwords, cookies, and other sensitive information from macOS systems.[Kandji 4 8 2024]

Internal MISP references

UUID 7a57e81b-2453-4aaf-94ad-c007bd7105a2 which can be used as unique global reference for CloudChat Infostealer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['macOS']
software_attack_id S5316
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

CloudDuke

CloudDuke is malware that was used by APT29 in 2015. [F-Secure The Dukes] [Securelist Minidionis July 2015]

Internal MISP references

UUID b3dd424b-ee96-449c-aa52-abbc7d4dfb86 which can be used as unique global reference for CloudDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0054
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

cmd

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [TechNet Cmd]

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [TechNet Dir]), deleting files (e.g., del [TechNet Del]), and copying files (e.g., copy [TechNet Copy]).

Internal MISP references

UUID 98d89476-63ec-4baf-b2b3-86c52170f5d8 which can be used as unique global reference for cmd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0106
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'a968c9f3-c190-488f-bacc-92e8f1ce295c', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Cmdkey

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Creates, lists, and deletes stored user names and passwords or credentials.

Author: Oddvar Moe

Paths:
* C:\Windows\System32\cmdkey.exe
* C:\Windows\SysWOW64\cmdkey.exe

Resources:
* https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey

Detection: * Sigma: proc_creation_win_cmdkey_recon.yml[Cmdkey.exe - LOLBAS Project]

Internal MISP references

UUID da252f67-2d4e-419f-b493-d4a1d024a01c which can be used as unique global reference for Cmdkey in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5089
source Tidal Cyber
tags ['96bff827-e51f-47de-bde6-d2eec0f99767', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

cmdl32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Connection Manager Auto-Download

Author: Elliot Killick

Paths:
* C:\Windows\System32\cmdl32.exe
* C:\Windows\SysWOW64\cmdl32.exe

Resources:
* https://github.com/LOLBAS-Project/LOLBAS/pull/151
* https://twitter.com/ElliotKillick/status/1455897435063074824
* https://elliotonsecurity.com/living-off-the-land-reverse-engineering-methodology-plus-tips-and-tricks-cmdl32-case-study/

Detection:
* Sigma: proc_creation_win_lolbin_cmdl32.yml
* IOC: Reports of downloading from suspicious URLs in %TMP%\config.log
* IOC: Useragent Microsoft(R) Connection Manager Vpn File Update [cmdl32.exe - LOLBAS Project]

Internal MISP references

UUID 44a523a8-9ed6-4f01-9a53-0e8ea1e15b51 which can be used as unique global reference for cmdl32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5090
source Tidal Cyber
tags ['4c8f8830-0b2c-4c79-b1db-8659ede492f0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Cmstp

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Installs or removes a Connection Manager service profile.

Author: Oddvar Moe

Paths:
* C:\Windows\System32\cmstp.exe
* C:\Windows\SysWOW64\cmstp.exe

Resources:
* https://twitter.com/NickTyrer/status/958450014111633408
* https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
* https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
* https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
* https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp

Detection:
* Sigma: proc_creation_win_cmstp_execution_by_creation.yml
* Sigma: proc_creation_win_uac_bypass_cmstp.yml
* Splunk: cmlua_or_cmstplua_uac_bypass.yml
* Elastic: defense_evasion_suspicious_managedcode_host_process.toml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* IOC: Execution of cmstp.exe without a VPN use case is suspicious
* IOC: DotNet CLR libraries loaded into cmstp.exe
* IOC: DotNet CLR Usage Log - cmstp.exe.log [Cmstp.exe - LOLBAS Project]

Internal MISP references

UUID 6f848e15-5234-4445-9a05-2949e4c57f0b which can be used as unique global reference for Cmstp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5091
source Tidal Cyber
tags ['65938118-2f00-48a1-856e-d1a75a08e3c6', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

COATHANGER

COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.[NCSC-NL COATHANGER Feb 2024]

Internal MISP references

UUID fbd3f71a-e123-5527-908c-9e7ea0d646e8 which can be used as unique global reference for COATHANGER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network', 'Linux']
software_attack_id S1105
source MITRE
type ['malware']

Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[cobaltstrike manual]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[cobaltstrike manual]

Internal MISP references

UUID 9b6bcbba-3ab4-4a4c-a233-cd12254823f6 which can be used as unique global reference for Cobalt Strike in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0154
source MITRE
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '56d89c06-23a0-4642-adfc-1fffd3524191', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '992bdd33-4a47-495d-883a-58010a2f0efb', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['malware']
Related clusters

To see the related clusters, click here.

Cobalt Strike Random C2 Profile Generator

This is an open-source tool for creating Cobalt Strike Malleable C2 profiles with randomly generated variables.[GitHub random_c2_profile] According to a September 2023 CERT-FR advisory, during an intrusion in March 2023, actors attributed to FIN12 used the tool to generate a Cobalt Strike malleable C2 profile.[CERTFR-2023-CTI-007]

Internal MISP references

UUID cf47b3ce-1392-4904-a4e6-f65aebebddc6 which can be used as unique global reference for Cobalt Strike Random C2 Profile Generator in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S5057
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['malware']
Related clusters

To see the related clusters, click here.

Cobian RAT

Cobian RAT is a backdoor, remote access tool that has been observed since 2016.[Zscaler Cobian Aug 2017]

Internal MISP references

UUID d4e6f9f7-7f4d-47c2-be24-b267d9317303 which can be used as unique global reference for Cobian RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0338
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

code

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: VSCode binary, also portable (CLI) version

Author: PfiatDe

Paths:
* %LOCALAPPDATA%\Programs\Microsoft VS Code\Code.exe
* C:\Program Files\Microsoft VS Code\Code.exe
* C:\Program Files (x86)\Microsoft VS Code\Code.exe

Resources:
* https://badoption.eu/blog/2023/01/31/code_c2.html
* https://code.visualstudio.com/docs/remote/tunnels
* https://code.visualstudio.com/blogs/2022/12/07/remote-even-better

Detection:
* IOC: Websocket traffic to global.rel.tunnels.api.visualstudio.com
* IOC: Process tree: code.exe -> cmd.exe -> node.exe -> winpty-agent.exe
* IOC: File write of code_tunnel.json, whose location is parameterizable but defaults to %UserProfile%\.vscode-cli\code_tunnel.json [code.exe - LOLBAS Project]

Internal MISP references

UUID 49d440e4-b2ea-4e7d-8ded-8589ddf679d9 which can be used as unique global reference for code in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5185
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CoinTicker

CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.[CoinTicker 2019]

Internal MISP references

UUID b0d9b31a-072b-4744-8d2f-3a63256a932f which can be used as unique global reference for CoinTicker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0369
source MITRE
type ['malware']

Colorcpl

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary that handles color management

Author: Arjan Onwezen

Paths:
* C:\Windows\System32\colorcpl.exe
* C:\Windows\SysWOW64\colorcpl.exe

Resources:
* https://twitter.com/eral4m/status/1480468728324231172

Detection:
* Sigma: file_event_win_susp_colorcpl.yml
* IOC: colorcpl.exe writing files [Colorcpl.exe - LOLBAS Project]

Internal MISP references

UUID 9f006b88-2f13-4c99-ade0-839da70d1e11 which can be used as unique global reference for Colorcpl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5092
source Tidal Cyber
tags ['884eb1b1-aede-4db0-8443-ba50624682e1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Comnie

Comnie is a remote backdoor which has been used in attacks in East Asia. [Palo Alto Comnie]

Internal MISP references

UUID 341fc709-4908-4e41-8df3-554dae6d72b0 which can be used as unique global reference for Comnie in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0244
source MITRE
type ['malware']

ComRAT

ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.[Symantec Waterbug][NorthSec 2015 GData Uroburos Tools][ESET ComRAT May 2020]

Internal MISP references

UUID 300c5997-a486-4a61-8213-93a180c22849 which can be used as unique global reference for ComRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0126
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Comsvcs

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: COM+ Services

Author: LOLBAS Team

Paths:
* c:\windows\system32\comsvcs.dll

Resources:
* https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/

Detection:
* Sigma: proc_creation_win_rundll32_process_dump_via_comsvcs.yml
* Sigma: proc_access_win_lsass_dump_comsvcs_dll.yml
* Elastic: credential_access_cmdline_dump_tool.toml
* Splunk: dump_lsass_via_comsvcs_dll.yml [Comsvcs.dll - LOLBAS Project]

Internal MISP references

UUID 0448178d-fff1-4174-8339-e6bfca78fb84 which can be used as unique global reference for Comsvcs in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5202
source Tidal Cyber
tags ['758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '334b0ee4-5a0d-4634-91c8-236593b818a0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Conficker

Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows, using the MS08-067 Windows vulnerability to spread.[SANS Conficker] In 2016, a variant of Conficker made its way onto computers and removable disk drives belonging to a nuclear power plant.[Conficker Nuclear Power Plant]

Internal MISP references

UUID ef33f1fa-18a3-4b30-b359-17b7930f43a7 which can be used as unique global reference for Conficker in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0608
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647']
type ['malware']

ConfigSecurityPolicy

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary that is part of Windows Defender. Used to manage settings in Windows Defender. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.

Author: Ialle Teixeira

Paths:
* C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe
* C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe

Resources:
* https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-switch-workloads
* https://docs.microsoft.com/en-US/mem/configmgr/comanage/workloads
* https://docs.microsoft.com/en-US/mem/configmgr/comanage/how-to-monitor
* https://twitter.com/NtSetDefault/status/1302589153570365440?s=20

Detection:
* Sigma: proc_creation_win_lolbin_configsecuritypolicy.yml
* IOC: ConfigSecurityPolicy storing data into alternate data streams.
* IOC: Preventing/Detecting ConfigSecurityPolicy with non-RFC1918 addresses by Network IPS/IDS.
* IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching ConfigSecurityPolicy.exe.
* IOC: User Agent is "MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)" [ConfigSecurityPolicy.exe - LOLBAS Project]

Internal MISP references

UUID 0e178275-4eb7-4fae-a703-d9730adf6a26 which can be used as unique global reference for ConfigSecurityPolicy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5093
source Tidal Cyber
tags ['d99039e1-e677-4226-8b63-e698d6642535', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Conhost

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Console Window host

Author: Wietze Beukema

Paths:
* c:\windows\system32\conhost.exe

Resources:
* https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
* https://twitter.com/Wietze/status/1511397781159751680
* https://twitter.com/embee_research/status/1559410767564181504
* https://twitter.com/ankit_anubhav/status/1561683123816972288

Detection:
* IOC: conhost.exe spawning unexpected processes
* Sigma: proc_creation_win_conhost_susp_child_process.yml [Conhost.exe - LOLBAS Project]

Internal MISP references

UUID d3f8a214-3e65-4b7d-aed6-97a3e38ef8e0 which can be used as unique global reference for Conhost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5094
source Tidal Cyber
tags ['ea54037d-e07b-42b0-afe6-33576ec36f44', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ConnectWise

ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[Anomali Static Kitten February 2021][Trend Micro Muddy Water March 2021]

Internal MISP references

UUID 6f9bb24d-cce2-49de-bedd-1849d9bde7a0 which can be used as unique global reference for ConnectWise in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0591
source MITRE
tags ['d903e38b-600d-4736-9e3b-cf1a6e436481', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'd819ae1a-e385-49fd-88d5-f66660729ecb', 'e1af18e3-3224-4e4c-9d0f-533768474508', 'fdd53e62-5bf1-41f1-8bd6-b970a866c39d', 'd431939f-2dc0-410b-83f7-86c458125444', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '15b77e5c-2285-434d-9719-73c14beba8bd', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

To see the related clusters, click here.

Conti

Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.[Cybereason Conti Jan 2021][CarbonBlack Conti July 2020][Cybleinc Conti January 2020]

Internal MISP references

UUID 8e995c29-2759-4aeb-9a0f-bb7cd97b06e5 which can be used as unique global reference for Conti in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0575
source MITRE
tags ['89c5b94b-ecf4-4d53-9b74-3465086d4565', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '0ed7d10c-c65b-4174-9edb-446bf301d250', '3d90eed2-862d-4f61-8c8f-0b8da3e45af0', '12a2e20a-7c27-46bb-954d-b372833a9925', '1b98f09a-7d93-4abb-8f3e-1eacdb9f9871', 'c2380542-36f2-4922-9ed2-80ced06645c9', 'dea4388a-b1f2-4f2a-9df9-108631d0d078', '24448a05-2337-4bc9-a889-a83f2fd1f3ad', '2743d495-7728-4a75-9e5f-b64854039792', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Control

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used to launch Control Panel items in Windows

Author: Oddvar Moe

Paths:
* C:\Windows\System32\control.exe
* C:\Windows\SysWOW64\control.exe

Resources:
* https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/
* https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/
* https://twitter.com/bohops/status/955659561008017409
* https://docs.microsoft.com/en-us/windows/desktop/shell/executing-control-panel-items
* https://bohops.com/2018/01/23/loading-alternate-data-stream-ads-dll-cpl-binaries-to-bypass-applocker/

Detection:
* Sigma: proc_creation_win_exploit_cve_2021_40444.yml
* Sigma: proc_creation_win_rundll32_susp_control_dll_load.yml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* Elastic: defense_evasion_execution_control_panel_suspicious_args.toml
* Elastic: defense_evasion_unusual_dir_ads.toml
* IOC: Control.exe executing files from alternate data streams
* IOC: Control.exe executing library file without cpl extension
* IOC: Suspicious network connections from control.exe [Control.exe - LOLBAS Project]

Internal MISP references

UUID efc46430-b27f-4b05-bc36-1d5eba685ec7 which can be used as unique global reference for Control in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5095
source Tidal Cyber
tags ['53ac2b35-d302-4bdd-9931-5b6c6cb31b96', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CookieMiner

CookieMiner is Mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.[Unit42 CookieMiner Jan 2019]

Internal MISP references

UUID 6e2c4aef-2f69-4507-9ee3-55432d76341e which can be used as unique global reference for CookieMiner in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0492
source MITRE
type ['malware']

CORALDECK

CORALDECK is an exfiltration tool used by APT37. [FireEye APT37 Feb 2018]

Internal MISP references

UUID f13c8455-d615-4f8d-9d9c-5b31e593cd8a which can be used as unique global reference for CORALDECK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0212
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

To see the related clusters, click here.

coregen

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads the exported function GetCLRRuntimeHost from coreclr.dll or from a .DLL in an arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.

Author: Martin Sohn Christensen

Paths:
* C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
* C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe

Resources:
* https://www.youtube.com/watch?v=75XImxOOInU
* https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html

Detection:
* Sigma: image_load_side_load_coregen.yml
* IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
* IOC: coregen.exe loading .dll file not named coreclr.dll
* IOC: coregen.exe command line containing -L or -l
* IOC: coregen.exe command line containing unexpected/invalid assembly name
* IOC: coregen.exe application crash by invalid assembly name [coregen.exe - LOLBAS Project]

Internal MISP references

UUID b7dacd5c-eaba-48db-bdd7-e779a82b2ba7 which can be used as unique global reference for coregen in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5209
source Tidal Cyber
tags ['a19a158e-aec4-410a-8c3e-e9080b111183', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CORESHELL

CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.[FireEye APT28] [FireEye APT28 January 2017]

Internal MISP references

UUID 3b193f62-2b49-4eff-bdf4-501fb8a28274 which can be used as unique global reference for CORESHELL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0137
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

CosmicDuke

CosmicDuke is malware that was used by APT29 from 2010 to 2015. [F-Secure The Dukes]

Internal MISP references

UUID 43b317c6-5b4f-47b8-b7b4-15cd6f455091 which can be used as unique global reference for CosmicDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0050
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']
Related clusters

To see the related clusters, click here.

CostaBricks

CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.[BlackBerry CostaRicto November 2020]

Internal MISP references

UUID ea9e2d19-89fe-4039-a1e0-467b14554c6f which can be used as unique global reference for CostaBricks in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0614
source MITRE
type ['malware']

CozyCar

CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. [F-Secure The Dukes]

Internal MISP references

UUID c2353daa-fd4c-44e1-8013-55400439965a which can be used as unique global reference for CozyCar in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0046
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

CrackMapExec

CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[CME Github September 2018]

Internal MISP references

UUID 47e710b4-1397-47cf-a979-20891192f313 which can be used as unique global reference for CrackMapExec in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0488
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']
Related clusters

To see the related clusters, click here.

Createdump

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)

Author: mr.d0x, Daniel Santos

Paths:
* C:\Program Files\dotnet\shared\Microsoft.NETCore.App*\createdump.exe
* C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App*\createdump.exe
* C:\Program Files\Microsoft Visual Studio*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe
* C:\Program Files (x86)\Microsoft Visual Studio*\Community\dotnet\runtime\shared\Microsoft.NETCore.App\6.0.0\createdump.exe

Resources:
* https://twitter.com/bopin2020/status/1366400799199272960
* https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnetcore/practice-troubleshoot-linux/lab-1-3-capture-core-crash-dumps

Detection:
* Sigma: proc_creation_win_proc_dump_createdump.yml
* Sigma: proc_creation_win_renamed_createdump.yml
* IOC: createdump.exe process with a command line containing the lsass.exe process id [Createdump.exe - LOLBAS Project]

Internal MISP references

UUID a574b315-523c-45c3-8743-feb3d541e81a which can be used as unique global reference for Createdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5210
source Tidal Cyber
tags ['7beee233-2b65-4593-88e6-a5c0c02c6a08', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CredoMap

CredoMap is a credential-stealing malware developed by the Russian espionage actor APT28. The malware harvests cookies and credentials from select web browsers and exfiltrates the information via the IMAP email protocol. CredoMap was observed being used in attack campaigns in Ukraine in 2022.[CERTFR-2023-CTI-009][SecurityScorecard CredoMap September 2022]

Internal MISP references

UUID 516ffd19-72b9-43a1-b866-bb075fdcb137 which can be used as unique global reference for CredoMap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5074
source Tidal Cyber
tags ['904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']
Related clusters

To see the related clusters, click here.

CreepyDrive

CreepyDrive is a custom implant that has been used by POLONIUM since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.[Microsoft POLONIUM June 2022]

POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.[Microsoft POLONIUM June 2022]

Internal MISP references

UUID 7f7f05c3-fbb1-475e-b672-2113709065c8 which can be used as unique global reference for CreepyDrive in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Office 365', 'Windows']
software_attack_id S1023
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

CreepySnail

CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[Microsoft POLONIUM June 2022]

Internal MISP references

UUID 11ce380c-481b-4c9b-b44e-06f1a91c01c1 which can be used as unique global reference for CreepySnail in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1024
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Crimson

Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.[Proofpoint Operation Transparent Tribe March 2016][Kaspersky Transparent Tribe August 2020]

Internal MISP references

UUID 3b3f296f-20a6-459a-98c5-62ebdee3701f which can be used as unique global reference for Crimson in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0115
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

CrossRAT

CrossRAT is a cross-platform RAT.

Internal MISP references

UUID 38811c3b-f548-43fa-ab26-c7243b84a055 which can be used as unique global reference for CrossRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0235
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Crutch

Crutch is a backdoor designed for document theft that has been used by Turla since at least 2015.[ESET Crutch December 2020]

Internal MISP references

UUID e1ad229b-d750-4148-a1f3-36e767b03cd1 which can be used as unique global reference for Crutch in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0538
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Cryptoistic

Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.[SentinelOne Lazarus macOS July 2020]

Internal MISP references

UUID 12ce6d04-ebe5-440e-b342-0283b7c8a0c8 which can be used as unique global reference for Cryptoistic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0498
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Csc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary file used by .NET to compile C# code

Author: Oddvar Moe

Paths:
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe

Resources:
* https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe

Detection:
* Sigma: proc_creation_win_csc_susp_parent.yml
* Sigma: proc_creation_win_csc_susp_folder.yml
* Elastic: defense_evasion_dotnet_compiler_parent_process.toml
* Elastic: defense_evasion_execution_msbuild_started_unusal_process.toml
* IOC: Csc.exe should normally not run as the System account unless it is used for development. [Csc.exe - LOLBAS Project]

Internal MISP references

UUID 939eeb6b-3f74-43b6-8ead-644457ee7d78 which can be used as unique global reference for Csc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5096
source Tidal Cyber
tags ['2ee25dd6-256c-4659-b1b6-f5afc943ccc1', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Cscript

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used to execute scripts in Windows

Author: Oddvar Moe

Paths:
* C:\Windows\System32\cscript.exe
* C:\Windows\SysWOW64\cscript.exe

Resources:
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/

Detection:
* Sigma: proc_creation_win_wscript_cscript_script_exec.yml
* Sigma: file_event_win_net_cli_artefact.yml
* Elastic: defense_evasion_unusual_dir_ads.toml
* Elastic: command_and_control_remote_file_copy_scripts.toml
* Elastic: defense_evasion_suspicious_managedcode_host_process.toml
* Splunk: wscript_or_cscript_suspicious_child_process.yml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: Cscript.exe executing files from alternate data streams
* IOC: DotNet CLR libraries loaded into cscript.exe
* IOC: DotNet CLR Usage Log - cscript.exe.log [Cscript.exe - LOLBAS Project]

Internal MISP references

UUID 83036c61-d8cf-42f8-a9e5-dc3d26d75cdc which can be used as unique global reference for Cscript in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5097
source Tidal Cyber
tags ['7cae5f59-dbbf-406f-928d-118430d2bdd0', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

csi

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Command line interface included with Visual Studio.

Author: Oddvar Moe

Paths:
* c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
* c:\Program Files (x86)\Microsoft Web Tools\Packages\Microsoft.Net.Compilers.X.Y.Z\tools\csi.exe

Resources:
* https://twitter.com/subTee/status/781208810723549188
* https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

Detection:
* Sigma: proc_creation_win_csi_execution.yml
* Sigma: proc_creation_win_csi_use_of_csharp_console.yml
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules [csi.exe - LOLBAS Project]

Internal MISP references

UUID a11e4ebf-59e4-4b79-8a20-be1618dfbaed which can be used as unique global reference for csi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5211
source Tidal Cyber
tags ['86bb7f3c-652c-4f77-af2a-34677ff42315', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

CSPY Downloader

CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky.[Cybereason Kimsuky November 2020]

Internal MISP references

UUID eb481db6-d7ba-4873-a171-76a228c9eb97 which can be used as unique global reference for CSPY Downloader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0527
source MITRE
type ['tool']
Related clusters

To see the related clusters, click here.

Cuba

Cuba is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.[McAfee Cuba April 2021]

Internal MISP references

UUID 095064c6-144e-4935-b878-f82151bc08e4 which can be used as unique global reference for Cuba in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0625
source MITRE
tags ['89c5b94b-ecf4-4d53-9b74-3465086d4565', '562e535e-19f5-4d6c-81ed-ce2aec544f09', '4bc9ab8f-7f57-4b1a-8857-ffaa7e5cc930', '17864218-bc4f-4564-8abf-97c988eea9f7', 'b6458e46-650e-4e96-8e68-8a9d70bcf045', 'bac51672-8240-4182-9087-23626023e509', 'c5c8f954-1bc0-45d5-9a4f-4385d0a720a1', '2743d495-7728-4a75-9e5f-b64854039792', 'd713747c-2d53-487e-9dac-259230f04460', 'fde4c246-7d2d-4d53-938b-44651cf273f1', '964c2590-4b52-48c6-afff-9a6d72e68908', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

CustomShellHost

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: A host process that is used by custom shells when using Windows in Kiosk mode.

Author: Wietze Beukema

Paths:
* C:\Windows\System32\CustomShellHost.exe

Resources:
* https://twitter.com/YoSignals/status/1381353520088113154
* https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher

Detection:
* IOC: CustomShellHost.exe is unlikely to run on normal workstations
* Sigma: proc_creation_win_lolbin_customshellhost.yml [CustomShellHost.exe - LOLBAS Project]

Internal MISP references

UUID 3ff0d4fc-6678-42f0-869b-f48906d98f82 which can be used as unique global reference for CustomShellHost in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5098
source Tidal Cyber
tags ['536c3d51-9fc4-445e-9723-e11b69f0d6d5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Cyclops Blink

Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.[NCSC Cyclops Blink February 2022][NCSC CISA Cyclops Blink Advisory February 2022][Trend Micro Cyclops Blink March 2022]

Internal MISP references

UUID 68792756-7dbf-41fd-8d48-ac3cc2b52712 which can be used as unique global reference for Cyclops Blink in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S0687
source MITRE
tags ['b20e7912-6a8d-46e3-8e13-9a3fc4813852', 'e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']
Related clusters

To see the related clusters, click here.

Dacls

Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.[TrendMicro macOS Dacls May 2020][SentinelOne Lazarus macOS July 2020]

Internal MISP references

UUID 9d521c18-09f0-47be-bfe5-e1bf26f7b928 which can be used as unique global reference for Dacls in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows']
software_attack_id S0497
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DanBot

DanBot is a first-stage remote access Trojan written in C# that has been used by HEXANE since at least 2018.[SecureWorks August 2019]

Internal MISP references

UUID 131c0eb2-9191-4ccd-a2d6-5f36046a8f2f which can be used as unique global reference for DanBot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1014
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkComet

DarkComet is a Windows remote administration tool and backdoor.[TrendMicro DarkComet Sept 2014][Malwarebytes DarkComet March 2018]

Internal MISP references

UUID 74f88899-56d0-4de8-97de-539b3590ab90 which can be used as unique global reference for DarkComet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0334
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkGate - Duplicate

DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[Ensilo Darkgate 2018] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[Trellix Darkgate 2023]

Internal MISP references

UUID 39d81c48-8f7c-54cb-8fac-485598e31a55 which can be used as unique global reference for DarkGate - Duplicate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1111
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkGate

DarkGate is a commodity downloader. Researchers have often observed DarkGate samples making use of legitimate copies of AutoIt, a freeware BASIC-like scripting language, using it to run AutoIt scripts as part of its execution chain. Reports of DarkGate infections surged following the announcement of the disruption of the QakBot botnet by international authorities in late August 2023.[Bleeping Computer DarkGate October 14 2023] The delivery of DarkGate payloads via instant messaging platforms including Microsoft Teams and Skype was reported in September and October 2023.[DarkGate Loader delivered via Teams - Truesec][Trend Micro DarkGate October 12 2023]

Internal MISP references

UUID 7144b703-f471-4bde-bedc-e8b274854de5 which can be used as unique global reference for DarkGate in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5266
source Tidal Cyber
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

DarkTortilla

DarkTortilla is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[Secureworks DarkTortilla Aug 2022]

Internal MISP references

UUID 35abcb6b-3259-57c1-94fc-50cfd5bde786 which can be used as unique global reference for DarkTortilla in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1066
source MITRE
type ['malware']

DarkWatchman

DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.[Prevailion DarkWatchman 2021]

Internal MISP references

UUID 740a0327-4caf-4d90-8b51-f3f9a4d59b37 which can be used as unique global reference for DarkWatchman in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0673
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Daserf

Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. [Trend Micro Daserf Nov 2017] [Secureworks BRONZE BUTLER Oct 2017]

Internal MISP references

UUID fad65026-57c4-4d4f-8803-87178dd4b887 which can be used as unique global reference for Daserf in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0187
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DataSvcUtil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.

Author: Ialle Teixeira

Paths: * C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe

Resources: * https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe * https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services * https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services

Detection: * Sigma: proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml * IOC: The DataSvcUtil.exe tool is installed in the .NET Framework directory. * IOC: Preventing/Detecting DataSvcUtil with non-RFC1918 addresses by Network IPS/IDS. * IOC: Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.[DataSvcUtil.exe - LOLBAS Project]

Internal MISP references

UUID dd555a4c-3b04-48c1-988f-d530d699a5bf which can be used as unique global reference for DataSvcUtil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5099
source Tidal Cyber
tags ['0576be43-65c6-4d1a-8a06-ed8232ca0120', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DBatLoader

DBatLoader is a malware used for downloading/dropping purposes.

Internal MISP references

UUID 789791b7-1ea1-4b18-8253-4663bb7ec143 which can be used as unique global reference for DBatLoader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5287
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

DCSrv

DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[Checkpoint MosesStaff Nov 2021]

Internal MISP references

UUID 26ae3cd1-6710-4807-b674-957bd67d3e76 which can be used as unique global reference for DCSrv in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1033
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

DDKONG

DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in February 2017. [Rancor Unit42 June 2018]

Internal MISP references

UUID 0657b804-a889-400a-97d7-a4989809a623 which can be used as unique global reference for DDKONG in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0255
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

DEADEYE

DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).[Mandiant APT41]

Internal MISP references

UUID e9533664-90c5-5b40-a40e-a69a2eda8bc9 which can be used as unique global reference for DEADEYE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1052
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

DealersChoice

DealersChoice is a Flash exploitation framework used by APT28. [Sofacy DealersChoice]

Internal MISP references

UUID 64dc5d44-2304-4875-b517-316ab98512c2 which can be used as unique global reference for DealersChoice in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0243
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

DEATHRANSOM

DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.[FireEye FiveHands April 2021]

Internal MISP references

UUID 832f5ab1-1267-40c9-84ef-f32d6373be4e which can be used as unique global reference for DEATHRANSOM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0616
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

DefaultPack

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: This binary can be downloaded alongside multiple software downloads on the Microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.

Author: @checkymander

Paths: * C:\Program Files (x86)\Microsoft\DefaultPack\

Resources: * https://twitter.com/checkymander/status/1311509470275604480

Detection: * Sigma: proc_creation_win_lolbin_defaultpack.yml * IOC: DefaultPack.EXE spawned an unknown process[DefaultPack.EXE - LOLBAS Project]

Internal MISP references

UUID ff25ec03-1e8d-427e-b207-1e1ecca542ec which can be used as unique global reference for DefaultPack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5212
source Tidal Cyber
tags ['4f7be515-680e-4375-81f6-c71c83dd440d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Defender Control

Defender Control is a tool purpose-built to disable Microsoft Defender.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID e8830cf3-53f3-4d15-858c-584589405fad which can be used as unique global reference for Defender Control in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5029
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Denis

Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities to the SOUNDBITE backdoor and has been used in conjunction with the Goopy backdoor.[Cybereason Oceanlotus May 2017]

Internal MISP references

UUID df4002d2-f557-4f95-af7a-9a4582fb7068 which can be used as unique global reference for Denis in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0354
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

Denonia

Denonia is described as "the first malware specifically targeting Lambda", the AWS serverless computing platform. Early samples appeared to possess cryptomining capabilities, but researchers believe Denonia could be used to carry out other types of activities as well.[Cado Denonia April 3 2022]

Internal MISP references

UUID 3c14ea0a-c85f-41b3-acd0-15d2565e3e07 which can be used as unique global reference for Denonia in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['IaaS']
software_attack_id S5313
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2e5f6e4a-4579-46f7-9997-6923180815dd', '8d95e4d6-9a1e-4920-9f5c-83d9fe07a66e', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

Derusbi

Derusbi is malware used by multiple Chinese APT groups.[Novetta-Axiom][ThreatConnect Anthem] Both Windows and Linux variants have been observed.[Fidelis Turbo]

Internal MISP references

UUID 9222aa77-922e-43c7-89ad-71067c428fb2 which can be used as unique global reference for Derusbi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0021
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Desk

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Desktop Settings Control Panel

Author: Hai Vaknin

Paths: * C:\Windows\System32\desk.cpl * C:\Windows\SysWOW64\desk.cpl

Resources: * https://vxug.fakedoma.in/zines/29a/29a7/Articles/29A-7.030.txt * https://twitter.com/pabraeken/status/998627081360695297 * https://twitter.com/VakninHai/status/1517027824984547329 * https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files

Detection: * Sigma: file_event_win_new_src_file.yml * Sigma: proc_creation_win_lolbin_rundll32_installscreensaver.yml * Sigma: registry_set_scr_file_executed_by_rundll32.yml[Desk.cpl - LOLBAS Project]

Internal MISP references

UUID 1863a7e2-6212-48a0-b109-15d0198b93e2 which can be used as unique global reference for Desk in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5188
source Tidal Cyber
tags ['7ad2b1d5-c228-4bf5-bf8e-c80a8fef0079', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Desktopimgdownldr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Windows binary used to configure lockscreen/desktop image

Author: Gal Kristal

Paths: * c:\windows\system32\desktopimgdownldr.exe

Resources: * https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/

Detection: * Sigma: proc_creation_win_desktopimgdownldr_susp_execution.yml * Sigma: file_event_win_susp_desktopimgdownldr_file.yml * Elastic: command_and_control_remote_file_copy_desktopimgdownldr.toml * IOC: desktopimgdownldr.exe that creates non-image file * IOC: Change of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP\LockScreenImageUrl[Desktopimgdownldr.exe - LOLBAS Project]

Internal MISP references

UUID 1b31652d-30bb-4c6e-bfe1-f2921a0aa64e which can be used as unique global reference for Desktopimgdownldr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5100
source Tidal Cyber
tags ['acc0e091-a071-4e83-b0b1-4f3adebeafa3', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DeviceCredentialDeployment

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Device Credential Deployment

Author: Elliot Killick

Paths: * C:\Windows\System32\DeviceCredentialDeployment.exe

Resources: None Provided

Detection: * IOC: DeviceCredentialDeployment.exe should not be run on a normal workstation * Sigma: proc_creation_win_lolbin_device_credential_deployment.yml[DeviceCredentialDeployment.exe - LOLBAS Project]

Internal MISP references

UUID b99bdf39-8dcf-4bae-95af-b029d48cb579 which can be used as unique global reference for DeviceCredentialDeployment in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5101
source Tidal Cyber
tags ['2a08c2eb-e90e-4bdb-a2dd-9da06de7ed25', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Devinit

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Visual Studio 2019 tool

Author: mr.d0x

Paths: * C:\Program Files\Microsoft Visual Studio*\Community\Common7\Tools\devinit\devinit.exe * C:\Program Files (x86)\Microsoft Visual Studio*\Community\Common7\Tools\devinit\devinit.exe

Resources: * https://twitter.com/mrd0x/status/1460815932402679809

Detection: * Sigma: proc_creation_win_devinit_lolbin_usage.yml[Devinit.exe - LOLBAS Project]

Internal MISP references

UUID 102714a0-6b18-4d05-83c2-dd2929ce685a which can be used as unique global reference for Devinit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5213
source Tidal Cyber
tags ['bb814941-0155-49b1-8f93-39626d4f0ddd', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Devtoolslauncher

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: This binary will execute a specified binary. Part of the VS/VSCode installation.

Author: felamos

Paths: * c:\windows\system32\devtoolslauncher.exe

Resources: * https://twitter.com/_felamos/status/1179811992841797632

Detection: * Sigma: proc_creation_win_lolbin_devtoolslauncher.yml * IOC: DeveloperToolsSvc.exe spawned an unknown process[Devtoolslauncher.exe - LOLBAS Project]

Internal MISP references

UUID 6e213e33-c2e5-494f-bc1a-bf672f95dcf8 which can be used as unique global reference for Devtoolslauncher in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5214
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

devtunnel

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary to enable forwarded ports on Windows operating systems.

Author: Kamran Saifullah

Paths: * C:\Users\\AppData\Local\Temp.net\devtunnel\ * C:\Users\\AppData\Local\Temp\DevTunnels

Resources: * https://code.visualstudio.com/docs/editor/port-forwarding

Detection: * IOC: devtunnel.exe binary spawned * IOC: .devtunnels.ms * IOC: .*.devtunnels.ms * Analysis: https://cydefops.com/vscode-data-exfiltration[devtunnel.exe - LOLBAS Project]

Internal MISP references

UUID 672d80fe-656e-4b1b-8234-ebf2c5339166 which can be used as unique global reference for devtunnel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5252
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DEWMODE

According to joint Cybersecurity Advisory AA23-158A (June 2023), DEWMODE is a web shell written in PHP that is designed to interact with a MySQL database. During a campaign from 2020 to 2021, threat actors exploited multiple zero-day vulnerabilities in internet-facing Accellion File Transfer Appliance (FTA) devices, installing DEWMODE web shells to exfiltrate data from compromised networks.[Mandiant MOVEit Transfer June 2 2023]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/dewmode/

Internal MISP references

UUID ff0b0792-5dd0-4e10-8b84-8da93a0198aa which can be used as unique global reference for DEWMODE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Linux']
software_attack_id S5021
source Tidal Cyber
tags ['a98d7a43-f227-478e-81de-e7299639a355', '311abf64-a9cc-4c6a-b778-32c5df5658be']
type ['malware']

Dfshim

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: ClickOnce engine in Windows used by .NET

Author: Oddvar Moe

Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe

Resources: * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf * https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Dfshim.dll - LOLBAS Project]

Internal MISP references

UUID b396eb52-3b6a-44e9-9534-d8b981a52192 which can be used as unique global reference for Dfshim in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5189
source Tidal Cyber
tags ['91fd24c3-f371-4c3b-b997-cd85e25c0967', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Dfsvc

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: ClickOnce engine in Windows used by .NET

Author: Oddvar Moe

Paths: * C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe * C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe

Resources: * https://github.com/api0cradle/ShmooCon-2015/blob/master/ShmooCon-2015-Simple-WLEvasion.pdf * https://stackoverflow.com/questions/13312273/clickonce-runtime-dfsvc-exe

Detection: * Sigma: proc_creation_win_rundll32_susp_activity.yml[Dfsvc.exe - LOLBAS Project]

Internal MISP references

UUID f85966ec-0c4d-4f7e-949f-bb73828bf601 which can be used as unique global reference for Dfsvc in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5102
source Tidal Cyber
tags ['18d6d91d-7df0-44c8-88fe-986d9ba00b8d', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Diantz

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary that packages existing files into a cabinet (.cab) file

Author: Tamir Yehuda

Paths: * c:\windows\system32\diantz.exe * c:\windows\syswow64\diantz.exe

Resources: * https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diantz

Detection: * Sigma: proc_creation_win_lolbin_diantz_ads.yml * Sigma: proc_creation_win_lolbin_diantz_remote_cab.yml * IOC: diantz storing data into alternate data streams. * IOC: diantz getting a file from a remote machine or the internet.[diantz.exe_lolbas]

Internal MISP references

UUID 054ddf05-e9f0-4d14-8493-2a1b2ddbefad which can be used as unique global reference for Diantz in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5103
source Tidal Cyber
tags ['96f9b39f-0c59-48a0-9702-01920c1293a7', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Diavol

Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The Diavol Ransomware-as-a-Service (RaaS) program is managed by Wizard Spider and it has been observed being deployed by Bazar.[Fortinet Diavol July 2021][FBI Flash Diavol January 2022][DFIR Diavol Ransomware December 2021][Microsoft Ransomware as a Service]

Internal MISP references

UUID d057b6e7-1de4-4f2f-b374-7e879caecd67 which can be used as unique global reference for Diavol in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0659
source MITRE
tags ['5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

To see the related clusters, click here.

Dipsind

Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. [Microsoft PLATINUM April 2016]

Internal MISP references

UUID 226ee563-4d49-48c2-aa91-82999f43ce30 which can be used as unique global reference for Dipsind in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0200
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Disco

Disco is a custom implant that has been used by MoustachedBouncer since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.[MoustachedBouncer ESET August 2023]

Internal MISP references

UUID 194314e3-4edc-5346-96b6-d2d7bf5d830a which can be used as unique global reference for Disco in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1088
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Diskshadow

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Diskshadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS).

Author: Oddvar Moe

Paths: * C:\Windows\System32\diskshadow.exe * C:\Windows\SysWOW64\diskshadow.exe

Resources: * https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/

Detection: * Sigma: proc_creation_win_lolbin_diskshadow.yml * Sigma: proc_creation_win_susp_shadow_copies_deletion.yml * Elastic: credential_access_cmdline_dump_tool.toml * IOC: Child process from diskshadow.exe[Diskshadow.exe - LOLBAS Project]

Internal MISP references

UUID 07c49566-5bea-44dc-b81f-e6c90bda9c39 which can be used as unique global reference for Diskshadow in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5104
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Dnscmd

Dnscmd is a Windows command-line utility used to manage DNS servers.[Dnscmd Microsoft]

Internal MISP references

UUID 3fd09997-86e0-4dce-935e-421863e9bad0 which can be used as unique global reference for Dnscmd in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5016
source Tidal Cyber
tags ['a45f9597-09c4-4e70-a7d3-d8235d2451a3', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

DnsSystem

DnsSystem is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net, that has been used by HEXANE since at least June 2022.[Zscaler Lyceum DnsSystem June 2022]

Internal MISP references

UUID e69a913d-4ddc-4d69-9961-25a31cae5899 which can be used as unique global reference for DnsSystem in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1021
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

dnx

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: .NET execution environment file included with .NET.

Author: Oddvar Moe

Paths: * N/A

Resources: * https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/

Detection: * Sigma: proc_creation_win_lolbin_dnx.yml * Elastic: defense_evasion_unusual_process_network_connection.toml * Elastic: defense_evasion_network_connection_from_windows_binary.toml * BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules[dnx.exe - LOLBAS Project]

Internal MISP references

UUID e2bdda2e-54b4-4d35-b7e5-4e20626a4481 which can be used as unique global reference for dnx in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5215
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DOGCALL

DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. [FireEye APT37 Feb 2018]

Internal MISP references

UUID 81ce23c0-f505-4d75-9928-4fbd627d3bc2 which can be used as unique global reference for DOGCALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0213
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']
Related clusters

To see the related clusters, click here.

Dok

Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).[objsee mac malware 2017][hexed osx.dok analysis 2019][CheckPoint Dok]

Internal MISP references

UUID dfa14314-3c64-4a10-9889-0423b884f7aa which can be used as unique global reference for Dok in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0281
source MITRE
type ['malware']

Doki

Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. [Intezer Doki July 20]

Internal MISP references

UUID e6160c55-1868-47bd-bec6-7becbf236bbb which can be used as unique global reference for Doki in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Containers', 'Linux']
software_attack_id S0600
source MITRE
tags ['efa33611-88a5-40ba-9bc4-3d85c6c8819b']
type ['malware']

Donut

Donut is an open source framework used to generate position-independent shellcode.[Donut Github][Introducing Donut] Donut generated code has been used by multiple threat actors to inject and load malicious payloads into memory.[NCC Group WastedLocker June 2020]

Internal MISP references

UUID 40d25a38-91f4-4e07-bb97-8866bed8e44f which can be used as unique global reference for Donut in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0695
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['tool']

Dotnet

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: dotnet.exe comes with .NET Framework

Author: felamos

Paths: * C:\Program Files\dotnet\dotnet.exe

Resources:
* https://twitter.com/_felamos/status/1204705548668555264
* https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
* https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
* https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/

Detection:
* Sigma: proc_creation_win_lolbin_dotnet.yml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: dotnet.exe spawned an unknown process
[Dotnet.exe - LOLBAS Project]

Internal MISP references

UUID 1bcd9c93-0944-4671-ab01-cabc5ffe30bf which can be used as unique global reference for Dotnet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5216
source Tidal Cyber
tags ['09c24b93-bf06-4cbb-acb0-d7b9657a41dc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Downdelph

Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. [ESET Sednit Part 3]

Internal MISP references

UUID f7b64b81-f9e7-46bf-8f63-6d7520da832c which can be used as unique global reference for Downdelph in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0134
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

down_new

down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.[Trend Micro Tick November 2019]

Internal MISP references

UUID 20b796cf-6c90-4928-999e-88107078e15e which can be used as unique global reference for down_new in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0472
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

DownPaper

DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. [ClearSky Charming Kitten Dec 2017]

Internal MISP references

UUID fc433c9d-a7fe-4915-8aa0-06b58f288249 which can be used as unique global reference for DownPaper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0186
source MITRE
type ['malware']

DRATzarus

DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.[ClearSky Lazarus Aug 2020]

Internal MISP references

UUID c6c79fc5-e4b1-4f6c-a71d-d22d699d5caf which can be used as unique global reference for DRATzarus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0694
source MITRE
type ['malware']

Dridex

Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).[Dell Dridex Oct 2015][Kaspersky Dridex May 2017][Treasury EvilCorp Dec 2019]

Internal MISP references

UUID e3cd4405-b698-41d9-88e4-fff29e7a19e2 which can be used as unique global reference for Dridex in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0384
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']

DropBook

DropBook is a Python-based backdoor compiled with PyInstaller.[Cybereason Molerats Dec 2020]

Internal MISP references

UUID 9c44d3f9-7a7b-4716-9cfa-640b36548ab0 which can be used as unique global reference for DropBook in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0547
source MITRE
type ['malware']

Drovorub

Drovorub is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by APT28.[NSA/FBI Drovorub August 2020]

Internal MISP references

UUID bb7f7c19-ffb5-4bfe-99b1-ead3525c5e7b which can be used as unique global reference for Drovorub in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0502
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59', '1efd43ee-5752-49f2-99fe-e3441f126b00', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

dsdbutil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Dsdbutil is a command-line tool that is built into Windows Server. It is available if the AD LDS server role is installed. It can be used as a command-line utility to export Active Directory.

Author: Ekitji

Paths:
* C:\Windows\System32\dsdbutil.exe
* C:\Windows\SysWOW64\dsdbutil.exe

Resources:
* https://gist.github.com/bohops/88561ca40998e83deb3d1da90289e358
* https://www.netwrix.com/ntds_dit_security_active_directory.html

Detection:
* IOC: Event ID 4688
* IOC: dsdbutil.exe process creation
* IOC: Event ID 4663
* IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
* IOC: Event ID 4656
* IOC: Regular and Volume Shadow Copy attempts to read or modify ntds.dit
* Analysis: None Provided
* Sigma: None Provided
* Elastic: None Provided
* Splunk: None Provided
* BlockRule: None Provided
[dsdbutil.exe - LOLBAS Project]

Internal MISP references

UUID 9139c12f-a6d9-4300-8735-9298bc46a0bf which can be used as unique global reference for dsdbutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5217
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

dsquery

dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [TechNet Dsquery] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

Internal MISP references

UUID 06402bdc-a4a1-4e4a-bfc4-09f2c159af75 which can be used as unique global reference for dsquery in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0105
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'cb3d30b3-8cfc-4202-8615-58a9b8f7f118', 'cd1b5d44-226e-4405-8985-800492cf2865']
type ['tool']

Dtrack

Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group. [Kaspersky Dtrack][Securelist Dtrack][Dragos WASSONITE][CyberBit Dtrack][ZDNet Dtrack]

Internal MISP references

UUID aa21462d-9653-48eb-a82e-5c93c9db5f7a which can be used as unique global reference for Dtrack in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0567
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Dump64

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Memory dump tool that comes with Microsoft Visual Studio

Author: mr.d0x

Paths: * C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe

Resources: * https://twitter.com/mrd0x/status/1460597833917251595

Detection:
* Sigma: proc_creation_win_lolbin_dump64.yml
* IOC: As a Windows SDK binary, execution on a system may be suspicious
[Dump64.exe - LOLBAS Project]

Internal MISP references

UUID 13482336-e22b-48e9-bd49-c6e6fc6612ec which can be used as unique global reference for Dump64 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5218
source Tidal Cyber
tags ['0f09c7f5-ba57-4ef0-a196-e85558804496', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

DumpMinitool

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Dump tool that is part of Visual Studio 2022

Author: mr.d0x

Paths: * C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions

Resources: * https://twitter.com/mrd0x/status/1511415432888131586

Detection:
* Sigma: proc_creation_win_dumpminitool_execution.yml
* Sigma: proc_creation_win_dumpminitool_susp_execution.yml
* Sigma: proc_creation_win_devinit_lolbin_usage.yml
[DumpMinitool.exe - LOLBAS Project]

Internal MISP references

UUID 7f3bf76a-4e6a-45f1-a4bf-400d5a914e52 which can be used as unique global reference for DumpMinitool in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5219
source Tidal Cyber
tags ['3b6ad94f-83ce-47bf-b82d-b98358d23434', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Duqu

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. [Symantec W32.Duqu]

Internal MISP references

UUID d4a664e5-9819-4f33-8b2b-e6f8e6a64999 which can be used as unique global reference for Duqu in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0038
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647']
type ['malware']

DustySky

DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. [DustySky] [DustySky2][Kaspersky MoleRATs April 2019]

Internal MISP references

UUID 77506f02-104f-4aac-a4e0-9649bd7efe2e which can be used as unique global reference for DustySky in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0062
source MITRE
tags ['e809d252-12cc-494d-94f5-954c49eb87ce']
type ['malware']

Dxcap

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: DirectX diagnostics/debugger included with Visual Studio.

Author: Oddvar Moe

Paths:
* C:\Windows\System32\dxcap.exe
* C:\Windows\SysWOW64\dxcap.exe

Resources: * https://twitter.com/harr0ey/status/992008180904419328

Detection: * Sigma: proc_creation_win_lolbin_susp_dxcap.yml[Dxcap.exe - LOLBAS Project]

Internal MISP references

UUID 9b5039b9-c5f1-4516-88ef-f63966ec2b36 which can be used as unique global reference for Dxcap in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5220
source Tidal Cyber
tags ['6d065f28-e32d-4e87-b315-c43ebc45532a', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Dyre

Dyre is a banking Trojan that has been used for financial gain. [Symantec Dyre June 2015][Malwarebytes Dyreza November 2015]

Internal MISP references

UUID 38e012f7-fb3a-4250-a129-92da3a488724 which can be used as unique global reference for Dyre in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0024
source MITRE
type ['malware']

Earthworm

Earthworm is an open-source tool. According to its project website, Earthworm is a "simple network tunnel with SOCKS v5 server and port transfer".[Elastic Docs Potential Protocol Tunneling via EarthWorm] According to joint Cybersecurity Advisory AA23-144a (May 2023), Volt Typhoon actors have used Earthworm in their attacks.[U.S. CISA Volt Typhoon May 24 2023]

Internal MISP references

UUID ee14e483-b5ef-4931-9c2a-72046b6555cc which can be used as unique global reference for Earthworm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5013
source Tidal Cyber
tags ['ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '758c3085-2f79-40a8-ab95-f8a684737927', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '35e694ec-5133-46e3-b7e1-5831867c3b55', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Ebury

Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc.) or modify a shared library used by OpenSSH (libkeyutils).[ESET Ebury Feb 2014][BleepingComputer Ebury March 2017][ESET Ebury Oct 2017]

Internal MISP references

UUID 2375465a-e6a9-40ab-b631-a5b04cf5c689 which can be used as unique global reference for Ebury in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0377
source MITRE
type ['malware']

ECCENTRICBANDWAGON

ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool, with keylogging and screen capture functionality, used for information gathering on compromised systems.[CISA EB Aug 2020]

Internal MISP references

UUID 70f703b3-0e24-4ffe-9772-f0e386ec607f which can be used as unique global reference for ECCENTRICBANDWAGON in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0593
source MITRE
type ['malware']

Ecipekac

Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as a loader for P8RAT, SodaMaster, and FYAnti.[Securelist APT10 March 2021]

Internal MISP references

UUID 6508d3dc-eb22-468c-9122-dcf541caa69c which can be used as unique global reference for Ecipekac in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0624
source MITRE
type ['malware']

Egregor

Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware.[NHS Digital Egregor Nov 2020][Cyble Egregor Oct 2020][Security Boulevard Egregor Oct 2020]

Internal MISP references

UUID 0e36b62f-a6e2-4406-b3d9-e05204e14a66 which can be used as unique global reference for Egregor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0554
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', '3c3f9078-5d1e-4c29-a5eb-28f237bbd1ad', '0ed7d10c-c65b-4174-9edb-446bf301d250', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

EKANS

EKANS is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc.), similar to those defined in MegaCortex.[Dragos EKANS][Palo Alto Unit 42 EKANS]

Internal MISP references

UUID cd7821cb-32f3-4d81-a5d1-0cdee94a15c4 which can be used as unique global reference for EKANS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0605
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Elise

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. [Lotus Blossom Jun 2015][Accenture Dragonfish Jan 2018]

Internal MISP references

UUID fd5efee9-8710-4536-861f-c88d882f4d24 which can be used as unique global reference for Elise in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0081
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

ELMER

ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16. [FireEye EPS Awakens Part 2]

Internal MISP references

UUID 6a3ca97e-6dd6-44e5-a5f0-7225099ab474 which can be used as unique global reference for ELMER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0064
source MITRE
type ['malware']

Emissary

Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. [Lotus Blossom Dec 2015]

Internal MISP references

UUID fd95d38d-83f9-4b31-8292-ba2b04275b36 which can be used as unique global reference for Emissary in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0082
source MITRE
type ['malware']

Emotet

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. [Trend Micro Banking Malware Jan 2019]

Internal MISP references

UUID c987d255-a351-4736-913f-91e2f28d0654 which can be used as unique global reference for Emotet in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0367
source MITRE
tags ['71dfe8d1-666f-4e71-8761-d2876078fb3e', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Empire

Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[NCSC Joint Report Public Tools][Github PowerShell Empire][GitHub ATTACK Empire]

Internal MISP references

UUID fea655ac-558f-4dd0-867f-9a5553626207 which can be used as unique global reference for Empire in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0363
source MITRE
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', '4f05a12d-f497-4081-acb9-9a257ab87886', '15787198-6c8b-4f79-bf50-258d55072fee', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f', 'e81ba503-60b0-4b64-8f20-ef93e7783796']
type ['tool']

EnvyScout

EnvyScout is a dropper that has been used by APT29 since at least 2021.[MSTIC Nobelium Toolset May 2021]

Internal MISP references

UUID 8da6fbf0-a18d-49a0-9235-101300d49d5e which can be used as unique global reference for EnvyScout in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0634
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

Epic

Epic is a backdoor that has been used by Turla. [Kaspersky Turla]

Internal MISP references

UUID a7e71387-b276-413c-a0de-4cf07e39b158 which can be used as unique global reference for Epic in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0091
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

esentutl

esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[Microsoft Esentutl]

Internal MISP references

UUID a7589733-6b04-4215-a4e7-4b62cd4610fa which can be used as unique global reference for esentutl in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0404
source MITRE
tags ['ee88899a-2bf0-4b96-bf69-5b686fa463c3', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Eventvwr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Displays Windows Event Logs in a GUI window.

Author: Jacob Gajek

Paths:
* C:\Windows\System32\eventvwr.exe
* C:\Windows\SysWOW64\eventvwr.exe

Resources:
* https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
* https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1
* https://twitter.com/orange_8361/status/1518970259868626944

Detection:
* Sigma: proc_creation_win_uac_bypass_eventvwr.yml
* Sigma: registry_set_uac_bypass_eventvwr.yml
* Sigma: file_event_win_uac_bypass_eventvwr.yml
* Elastic: privilege_escalation_uac_bypass_event_viewer.toml
* Splunk: eventvwr_uac_bypass.yml
* IOC: eventvwr.exe launching child process other than mmc.exe
* IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command
[Eventvwr.exe - LOLBAS Project]

Internal MISP references

UUID 4c371bd9-c97c-42ab-b913-1e19cd409382 which can be used as unique global reference for Eventvwr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5105
source Tidal Cyber
tags ['59d03fb8-0620-468a-951c-069473cb86bc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

EvilBunny

EvilBunny is a C++ malware sample observed since 2011 that was designed to be an execution platform for Lua scripts.[Cyphort EvilBunny Dec 2014]

Internal MISP references

UUID 300e8176-e7ee-44ef-8d10-dff96502f6c6 which can be used as unique global reference for EvilBunny in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0396
source MITRE
type ['malware']

EvilGinx

EvilGinx is an open-source software project. According to its GitHub repository, EvilGinx is a "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication".[GitHub evilginx2]

Internal MISP references

UUID 4892c22d-6fd4-4876-8e8a-af968cf61ecc which can be used as unique global reference for EvilGinx in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5078
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96']
type ['malware']

EvilGrab

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. [PWC Cloud Hopper Technical Annex April 2017]

Internal MISP references

UUID e862419c-d6b6-4433-a02a-c1cc98ea6f9e which can be used as unique global reference for EvilGrab in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0152
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

EVILNUM

EVILNUM is a fully capable backdoor that was first identified in 2018. EVILNUM is used by the APT group Evilnum, which has the same name.[ESET EvilNum July 2020][Prevailion EvilNum May 2020]

Internal MISP references

UUID e0eaae6d-5137-4053-bf37-ff90bf5767a9 which can be used as unique global reference for EVILNUM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0568
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Exaramel for Linux

Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.[ESET TeleBots Oct 2018]

Internal MISP references

UUID c773f709-b5fe-4514-9d88-24ceb0dd8063 which can be used as unique global reference for Exaramel for Linux in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0401
source MITRE
type ['malware']

Exaramel for Windows

Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[ESET TeleBots Oct 2018]

Internal MISP references

UUID 21569dfb-c9f1-468e-903e-348f19dbae1f which can be used as unique global reference for Exaramel for Windows in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0343
source MITRE
type ['malware']

Excel

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Microsoft Office binary

Author: Reegun J (OCBC Bank)

Paths:
* C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Excel.exe
* C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Excel.exe
* C:\Program Files (x86)\Microsoft Office\Office16\Excel.exe
* C:\Program Files\Microsoft Office\Office16\Excel.exe
* C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Excel.exe
* C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Excel.exe
* C:\Program Files (x86)\Microsoft Office\Office15\Excel.exe
* C:\Program Files\Microsoft Office\Office15\Excel.exe
* C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Excel.exe
* C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Excel.exe
* C:\Program Files (x86)\Microsoft Office\Office14\Excel.exe
* C:\Program Files\Microsoft Office\Office14\Excel.exe
* C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe
* C:\Program Files\Microsoft Office\Office12\Excel.exe

Resources:
* https://twitter.com/reegun21/status/1150032506504151040
* https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191

Detection:
* Sigma: proc_creation_win_lolbin_office.yml
* IOC: Suspicious Office application Internet/network traffic
[Excel.exe - LOLBAS Project]

Internal MISP references

UUID 46efd94e-afd2-4536-8525-0619fc56966f which can be used as unique global reference for Excel in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5221
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ExMatter

ExMatter is a custom data exfiltration tool. It was first observed in November 2021 during intrusions involving BlackMatter ransomware, and more recently has been used during BlackCat ransomware attacks. In August 2022, researchers observed a “heavily updated” version of ExMatter, which featured expanded protocols for exfiltrating data, a data corruption capability, enhanced defense evasion abilities, and a narrower range of targeted file types.[Symantec Noberus September 22 2022]

Internal MISP references

UUID 068b26ae-39b5-4b4e-8faa-eb304a17687d which can be used as unique global reference for ExMatter in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5054
source Tidal Cyber
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

Expand

Expand is a Windows utility used to expand one or more compressed CAB files.[Microsoft Expand Utility] It has been used by BBSRAT to decompress a CAB file into executable content.[Palo Alto Networks BBSRAT]

Internal MISP references

UUID 5d7a39e3-c667-45b3-987e-3b0ca49cff61 which can be used as unique global reference for Expand in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0361
source MITRE
tags ['182dd4be-bbda-404f-aad1-156a22bbe7a4', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Explorer

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Binary used for managing files and system components within Windows

Author: Jai Minton

Paths:
* C:\Windows\explorer.exe
* C:\Windows\SysWOW64\explorer.exe

Resources:
* https://twitter.com/CyberRaiju/status/1273597319322058752?s=20
* https://twitter.com/bohops/status/1276356245541335048
* https://twitter.com/bohops/status/986984122563391488

Detection:
* Sigma: proc_creation_win_explorer_break_process_tree.yml
* Sigma: proc_creation_win_explorer_lolbin_execution.yml
* Elastic: initial_access_via_explorer_suspicious_child_parent_args.toml
* IOC: Multiple instances of explorer.exe, or explorer.exe launched with the /root command line option, are suspicious. [Explorer.exe - LOLBAS Project]

Internal MISP references

UUID b792d713-fbb4-46e6-94ae-8b9a1f4e794d which can be used as unique global reference for Explorer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5106
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

Explosive

Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified in the wild in 2015.[CheckPoint Volatile Cedar March 2015][ClearSky Lebanese Cedar Jan 2021]

Internal MISP references

UUID 572eec55-2855-49ac-a82e-2c21e9aca27e which can be used as unique global reference for Explosive in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0569
source MITRE
type ['malware']
Related clusters

Extexport

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Load a DLL located in the c:\test folder with a specific name.

Author: Oddvar Moe

Paths:
* C:\Program Files\Internet Explorer\Extexport.exe
* C:\Program Files (x86)\Internet Explorer\Extexport.exe

Resources:
* http://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/

Detection:
* Sigma: proc_creation_win_lolbin_extexport.yml
* IOC: Extexport.exe loading a DLL, or being executed from a folder other than its original path [Extexport.exe - LOLBAS Project]

Internal MISP references

UUID 2e6f1aed-a983-44fb-aed1-b4a3d9cb9488 which can be used as unique global reference for Extexport in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5107
source Tidal Cyber
tags ['5b81675a-742a-4ffd-b410-44ce3f1b0831', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ExtPassword

ExtPassword is a tool used to recover passwords from Windows systems.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 363c38fc-8676-4a63-b3f4-f0237565a951 which can be used as unique global reference for ExtPassword in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5030
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

Extrac32

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Extract to ADS, copy or overwrite a file with Extrac32.exe

Author: Oddvar Moe

Paths:
* C:\Windows\System32\extrac32.exe
* C:\Windows\SysWOW64\extrac32.exe

Resources:
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://twitter.com/egre55/status/985994639202283520

Detection:
* Elastic: defense_evasion_misc_lolbin_connecting_to_the_internet.toml
* Sigma: proc_creation_win_lolbin_extrac32.yml
* Sigma: proc_creation_win_lolbin_extrac32_ads.yml [Extrac32.exe - LOLBAS Project]

Internal MISP references

UUID 53dc0180-0309-4489-af75-9c76b2887359 which can be used as unique global reference for Extrac32 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5108
source Tidal Cyber
tags ['92092803-19a9-4288-b7fb-08e92e8ea693', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

FakeM

FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. [Scarlet Mimic Jan 2016]

Internal MISP references

UUID 8c64a330-1457-4c32-ab2f-12b6eb37d607 which can be used as unique global reference for FakeM in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0076
source MITRE
type ['malware']
Related clusters

FakePenny

FakePenny is a ransomware, which includes both a loader and an encryptor, that is believed to have been developed by the North Korean threat actor Moonstone Sleet.[Microsoft Security Blog 5 28 2024]

Internal MISP references

UUID acbff463-ba1c-4d26-ab99-b9aa47b81c68 which can be used as unique global reference for FakePenny in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5321
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '5e7433ad-a894-4489-93bc-41e90da90019', '7e7b0c67-bb85-4996-a289-da0e792d7172', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

FALLCHILL

FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [US-CERT FALLCHILL Nov 2017]

Internal MISP references

UUID ea47f1fd-0171-4254-8c92-92b7a5eec5e1 which can be used as unique global reference for FALLCHILL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0181
source MITRE
type ['malware']
Related clusters

FatDuke

FatDuke is a backdoor used by APT29 since at least 2016.[ESET Dukes October 2019]

Internal MISP references

UUID 997ff740-1b00-40b6-887a-ef4101e93295 which can be used as unique global reference for FatDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0512
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

Felismus

Felismus is a modular backdoor that has been used by Sowbug. [Symantec Sowbug Nov 2017] [Forcepoint Felismus Mar 2017]

Internal MISP references

UUID c66ed8ab-4692-4948-820e-5ce87cc78db5 which can be used as unique global reference for Felismus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0171
source MITRE
type ['malware']
Related clusters

FELIXROOT

FELIXROOT is a backdoor that has been used to target Ukrainian victims. [FireEye FELIXROOT July 2018]

Internal MISP references

UUID 4b1a07cd-4c1f-4d93-a454-07fd59b3039a which can be used as unique global reference for FELIXROOT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0267
source MITRE
type ['malware']

Ferocious

Ferocious is a first stage implant composed of VBS and PowerShell scripts that has been used by WIRTE since at least 2021.[Kaspersky WIRTE November 2021]

Internal MISP references

UUID 3e54ba7a-fd4c-477f-9c2d-34b4f69fc091 which can be used as unique global reference for Ferocious in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0679
source MITRE
type ['malware']
Related clusters

Fgdump

Fgdump is a Windows password hash dumper. [Mandiant APT1]

Internal MISP references

UUID 1bbf04bb-d869-48c5-a538-70a25503de1d which can be used as unique global reference for Fgdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0120
source MITRE
type ['tool']

FileZilla

FileZilla is a tool used to perform cross-platform File Transfer Protocol (FTP) to a site, server, or host.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID f2a6f899-15a8-4d77-bebd-14bc03958764 which can be used as unique global reference for FileZilla in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5031
source Tidal Cyber
tags ['c5a258ce-9045-48d9-b254-ec2bf6437bb5', 'cc4ea215-87ce-4351-9579-cf527caf5992', 'e551ae97-d1b4-484e-9267-89f33829ec2c', 'e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

Final1stspy

Final1stspy is a dropper family that has been used to deliver DOGCALL.[Unit 42 Nokki Oct 2018]

Internal MISP references

UUID eb4dc358-e353-47fc-8207-b7cb10d580f7 which can be used as unique global reference for Final1stspy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0355
source MITRE
type ['malware']
Related clusters

Findstr

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Write to ADS, discover, or download files with Findstr.exe

Author: Oddvar Moe

Paths:
* C:\Windows\System32\findstr.exe
* C:\Windows\SysWOW64\findstr.exe

Resources:
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

Detection:
* Sigma: proc_creation_win_lolbin_findstr.yml [Findstr.exe - LOLBAS Project]

Internal MISP references

UUID a62634f8-8f42-4874-9669-bea2e053dfea which can be used as unique global reference for Findstr in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5109
source Tidal Cyber
tags ['6ca537bb-94b6-4b12-8978-6250baa6a5cb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

FinFisher

FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [FinFisher Citation] [Microsoft SIR Vol 21] [FireEye FinSpy Sept 2017] [Securelist BlackOasis Oct 2017] [Microsoft FinFisher March 2018]

Internal MISP references

UUID 41f54ce1-842c-428a-977f-518a5b63b4d7 which can be used as unique global reference for FinFisher in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Android', 'Windows']
software_attack_id S0182
source MITRE
type ['malware']
Related clusters

Finger

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Displays information about a user or users on a specified remote computer that is running the Finger service or daemon

Author: Ruben Revuelta

Paths:
* c:\windows\system32\finger.exe
* c:\windows\syswow64\finger.exe

Resources:
* https://twitter.com/DissectMalware/status/997340270273409024
* https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff961508(v=ws.11)

Detection:
* Sigma: proc_creation_win_finger_usage.yml
* IOC: finger.exe should not be run on a normal workstation.
* IOC: finger.exe connecting to external resources. [Finger.exe - LOLBAS Project]

Internal MISP references

UUID a9ce311d-dd8c-497d-b38f-b535d7318ed4 which can be used as unique global reference for Finger in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5110
source Tidal Cyber
tags ['1da4f610-4c54-46a3-b9b3-c38a002b623e', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

FIVEHANDS

FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.[FireEye FiveHands April 2021][NCC Group Fivehands June 2021]

Internal MISP references

UUID 84187393-2fe9-4136-8720-a6893734ee8c which can be used as unique global reference for FIVEHANDS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0618
source MITRE
tags ['562e535e-19f5-4d6c-81ed-ce2aec544f09', 'f1ad9eba-f4fd-4aec-92c0-833ac14d741b', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']
Related clusters

Flagpro

Flagpro is a Windows-based, first-stage downloader that has been used by BlackTech since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.[NTT Security Flagpro new December 2021]

Internal MISP references

UUID 977aaf8a-2216-40f0-8682-61dd91638147 which can be used as unique global reference for Flagpro in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0696
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

Flame

Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [Kaspersky Flame]

Internal MISP references

UUID 87604333-638f-4f4a-94e0-16aa825dd5b8 which can be used as unique global reference for Flame in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0143
source MITRE
tags ['3ed3f7a6-b446-4fbc-a433-ff1d63c0e647']
type ['malware']

FLASHFLOOD

FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. [FireEye APT30]

Internal MISP references

UUID 44a5e62a-6de4-49d2-8f1b-e68ecdf9f332 which can be used as unique global reference for FLASHFLOOD in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0036
source MITRE
type ['malware']
Related clusters

FlawedAmmyy

FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.[Proofpoint TA505 Mar 2018]

Internal MISP references

UUID 308dbe77-3d58-40bb-b0a5-cd00f152dc60 which can be used as unique global reference for FlawedAmmyy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0381
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

FlawedGrace

FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.[Proofpoint TA505 Jan 2019]

Internal MISP references

UUID c558e948-c817-4494-a95d-ad3207f10e26 which can be used as unique global reference for FlawedGrace in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0383
source MITRE
tags ['1dc8fd1e-0737-405a-98a1-111dd557f1b5', '15787198-6c8b-4f79-bf50-258d55072fee', '84615fe0-c2a5-4e07-8957-78ebc29b4635', 'f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

FleetDeck

FleetDeck is a commercial remote monitoring and management (RMM) tool that enables remote desktop access and “virtual terminal” capabilities. Government and commercial reports indicate that financially motivated adversaries, including BlackCat (AKA ALPHV or Noberus) actors and Scattered Spider (AKA 0ktapus or UNC3944), have used FleetDeck for command and control and persistence purposes during intrusions.[Cyber Centre ALPHV/BlackCat July 25 2023][CrowdStrike Scattered Spider SIM Swapping December 22 2022]

Internal MISP references

UUID 68758d3a-ec4b-4c19-933d-b4c3000281b2 which can be used as unique global reference for FleetDeck in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5056
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', 'e727eaa6-ef41-4965-b93a-8ad0c51d0236']
type ['tool']
Related clusters

FLIPSIDE

FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims. [Mandiant FIN5 GrrCON Oct 2016]

Internal MISP references

UUID 18002747-ddcc-42c1-b0ca-1e598a9f1919 which can be used as unique global reference for FLIPSIDE in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0173
source MITRE
type ['malware']
Related clusters

fltMC

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Filter Manager Control Program used by Windows

Author: John Lambert

Paths:
* C:\Windows\System32\fltMC.exe

Resources:
* https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon

Detection:
* Sigma: proc_creation_win_fltmc_unload_driver_sysmon.yml
* Elastic: defense_evasion_via_filter_manager.toml
* Splunk: unload_sysmon_filter_driver.yml
* IOC: 4688 events with fltMC.exe [fltMC.exe - LOLBAS Project]

Internal MISP references

UUID 43d57826-cd15-4154-8f04-38351c96986e which can be used as unique global reference for fltMC in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5111
source Tidal Cyber
tags ['49bbb074-2406-4f27-ad77-d2e433ba1ccb', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

FoggyWeb

FoggyWeb is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by APT29 since at least early April 2021.[MSTIC FoggyWeb September 2021]

Internal MISP references

UUID bc11844e-0348-4eed-a48a-0554d68db38c which can be used as unique global reference for FoggyWeb in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0661
source MITRE
tags ['8bf128ad-288b-41bc-904f-093f4fdde745']
type ['malware']
Related clusters

Forfiles

Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [Microsoft Forfiles Aug 2016]

Internal MISP references

UUID c6dc67a6-587d-4700-a7de-bee043a0031a which can be used as unique global reference for Forfiles in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0193
source MITRE
tags ['91804406-e20a-4455-8dbc-5528c35f8e20', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

Formbook

Formbook is an information-stealing malware, discovered in 2016, that is capable of stealing data entered into HTML website forms, logging keystrokes, and acting as a downloader for other malware.[What Is FormBook Malware?][What is FormBook Malware? - Check Point Software] xLoader is a JavaScript-based, cross-platform Formbook variant discovered in 2020 that is crafted to infect macOS as well as Windows systems. Check Point Research's 2022 Mid-Year Report, released in August 2022, placed Formbook as the "most prevalent" infostealer malware globally (and the second-most prevalent of all malware types globally, behind only Emotet).[Check Point Mid-Year Report 2022]

Internal MISP references

UUID 376d1383-17a7-48b0-8a8b-d6142b2f3003 which can be used as unique global reference for Formbook in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5288
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

FRAMESTING

FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution.[Mandiant Cutting Edge Part 2 January 2024]

Internal MISP references

UUID 83721b89-df58-50bf-be2a-0b696fb0da78 which can be used as unique global reference for FRAMESTING in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1120
source MITRE
type ['malware']

FrameworkPOS

FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices.[SentinelOne FrameworkPOS September 2019]

Internal MISP references

UUID aef7cbbc-5163-419c-8e4b-3f73bed50474 which can be used as unique global reference for FrameworkPOS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0503
source MITRE
type ['malware']
Related clusters

FreeFileSync

FreeFileSync is a tool used to facilitate cloud-based file synchronization.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 1d5c5822-3cb4-455a-9976-f6bc17e2820d which can be used as unique global reference for FreeFileSync in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5032
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '8bf128ad-288b-41bc-904f-093f4fdde745', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

FruitFly

FruitFly is designed to spy on Mac users.[objsee mac malware 2017]

Internal MISP references

UUID 3a05085e-5a1f-4a74-b489-d679b80e2c18 which can be used as unique global reference for FruitFly in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS']
software_attack_id S0277
source MITRE
type ['malware']

Fsi

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: 64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.

Author: Jimmy (@bohops)

Paths:
* C:\Program Files\dotnet\sdk\[sdk version]\FSharp\fsi.exe
* C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe

Resources:
* https://twitter.com/NickTyrer/status/904273264385589248
* https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

Detection:
* Elastic: defense_evasion_unusual_process_network_connection.toml
* Elastic: defense_evasion_network_connection_from_windows_binary.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: Fsi.exe execution may be suspicious on non-developer machines
* Sigma: proc_creation_win_lolbin_fsharp_interpreters.yml [Fsi.exe - LOLBAS Project]

Internal MISP references

UUID f2a5e6cb-75fd-4108-9466-80471c7d0422 which can be used as unique global reference for Fsi in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5222
source Tidal Cyber
tags ['7a4b56fa-5419-411b-86fe-68c9b0ddd3c5', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

FsiAnyCpu

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: 32/64-bit FSharp (F#) Interpreter included with Visual Studio.

Author: Jimmy (@bohops)

Paths:
* c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe

Resources:
* https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/

Detection:
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines
* Sigma: proc_creation_win_lolbin_fsharp_interpreters.yml [FsiAnyCpu.exe - LOLBAS Project]

Internal MISP references

UUID 9e5c41bb-f4cc-4132-8c7a-4a10a006190b which can be used as unique global reference for FsiAnyCpu in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5223
source Tidal Cyber
tags ['c5d1a687-8a36-4995-b8cb-415f33661821', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Fsutil

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: File System Utility

Author: Elliot Killick

Paths:
* C:\Windows\System32\fsutil.exe
* C:\Windows\SysWOW64\fsutil.exe

Resources:
* https://twitter.com/0gtweet/status/1720724516324704404

Detection:
* IOC: fsutil.exe should not be run on a normal workstation
* IOC: file setZeroData (not case-sensitive) in the process arguments
* IOC: Sysmon Event ID 1
* IOC: Execution of process fsutil.exe with trace decode could be suspicious
* IOC: Non-Windows netsh.exe execution
* Sigma: proc_creation_win_susp_fsutil_usage.yml [Fsutil.exe - LOLBAS Project]

Internal MISP references

UUID 7a829dae-00cf-4321-95b4-276f7dfb5368 which can be used as unique global reference for Fsutil in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5112
source Tidal Cyber
tags ['76bb7541-94da-4d66-9a57-77f788330287', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

ftp

ftp is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[Microsoft FTP][Linux FTP]

Internal MISP references

UUID 062deac9-8f05-44e2-b347-96b59ba166ca which can be used as unique global reference for ftp in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Linux', 'Windows']
software_attack_id S0095
source MITRE
tags ['95d37388-4e95-4d7f-96ba-99d94c842299', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207', '8bf128ad-288b-41bc-904f-093f4fdde745']
type ['tool']
Related clusters

FunnyDream

FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since at least 2019, primarily for execution and exfiltration.[Bitdefender FunnyDream Campaign November 2020]

Internal MISP references

UUID d0490e1d-8287-44d3-8342-944d1203b237 which can be used as unique global reference for FunnyDream in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S1044
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

FYAnti

FYAnti is a loader that has been used by menuPass since at least 2020, including to deploy QuasarRAT.[Securelist APT10 March 2021]

Internal MISP references

UUID be9a2ae5-373a-4dee-9c1e-b54235dafed0 which can be used as unique global reference for FYAnti in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0628
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Fysbis

Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.[Fysbis Palo Alto Analysis]

Internal MISP references

UUID 317a7647-aee7-4ce1-a8f8-33a61190f55d which can be used as unique global reference for Fysbis in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux']
software_attack_id S0410
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Gazer

Gazer is a backdoor used by Turla since at least 2016. [ESET Gazer Aug 2017]

Internal MISP references

UUID 7a60b984-b0c8-4acc-be24-841f4b652872 which can be used as unique global reference for Gazer in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0168
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Gelsemium

Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.[ESET Gelsemium June 2021]

Internal MISP references

UUID 9a117508-1d22-4fea-aa65-db670c13a5c9 which can be used as unique global reference for Gelsemium in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0666
source MITRE
type ['malware']

GeminiDuke

GeminiDuke is malware that was used by APT29 from 2009 to 2012. [F-Secure The Dukes]

Internal MISP references

UUID 97f32f68-dcd2-4f80-9967-cc87305dc342 which can be used as unique global reference for GeminiDuke in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0049
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

Get2

Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy, Snatch and SDBbot.[Proofpoint TA505 October 2019]

Internal MISP references

UUID a997aaaf-edfc-4489-80a9-3f8d64545de1 which can be used as unique global reference for Get2 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0460
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

GfxDownloadWrapper

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Remote file download utility used by the Intel Graphics Control Panel; it takes a URL as its first parameter and a destination file path as the next.

Author: Jesus Galvez

Paths:
* c:\windows\system32\driverstore\filerepository\64kb6472.inf_amd64_3daef03bbe98572b\
* c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_0e9c57ae3396e055\
* c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_209bd95d56b1ac2d\
* c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_3fa2a843f8b7f16d\
* c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_85c860f05274baa0\
* c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_f7412e3e3404de80\
* c:\windows\system32\driverstore\filerepository\cui_comp.inf_amd64_feb9f1cf05b0de58\
* c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_0219cc1c7085a93f\
* c:\windows\system32\driverstore\filerepository\cui_component.inf_amd64_df4f60b1cae9b14a\
* c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_16eb18b0e2526e57\
* c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_1c77f1231c19bc72\
* c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_31c60cc38cfcca28\
* c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_82f69cea8b2d928f\
* c:\windows\system32\driverstore\filerepository\cui_dc_comp.inf_amd64_b4d94f3e41ceb839\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0606619cc97463de\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_0e95edab338ad669\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_22aac1442d387216\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2461d914696db722\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_29d727269a34edf5\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_2caf76dbce56546d\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_353320edb98da643\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_4ea0ed0af1507894\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_56a48f4f1c2da7a7\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_64f23fdadb76a511\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_668dd0c6d3f9fa0e\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6be8e5b7f731a6e5\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6dad7e4e9a8fa889\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_6df442103a1937a4\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_767e7683f9ad126c\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_8644298f665a12c4\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_868acf86149aef5d\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_92cf9d9d84f1d3db\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_93239c65f222d453\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_9de8154b682af864\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_a7428663aca90897\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_ad7cb5e55a410add\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_afbf41cf8ab202d7\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_d193c96475eaa96e\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_db953c52208ada71\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e7523682cc7528cc\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_e9f341319ca84274\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f3a64c75ee4defb7\
* c:\windows\system32\driverstore\filerepository\cui_dch.inf_amd64_f51939e52b944f4b\
* c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_4938423c9b9639d7\
* c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_c8e108d4a62c59d5\
* c:\windows\system32\driverstore\filerepository\cui_dch_comp.inf_amd64_deecec7d232ced2b\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_01ee1299f4982efe\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_02edfc87000937e4\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0541b698fc6e40b0\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0707757077710fff\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0b3e3ed3ace9602a\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_0cff362f9dff4228\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_16ed7d82b93e4f68\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1a33d2f73651d989\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1aca2a92a37fce23\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1af2dd3e4df5fd61\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_1d571527c7083952\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_23f7302c2b9ee813\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_24de78387e6208e4\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_250db833a1cd577e\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_25e7c5a58c052bc5\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_28d80681d3523b1c\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_2dda3b1147a3a572\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_31ba00ea6900d67d\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_329877a66f240808\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_42af9f4718aa1395\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4645af5c659ae51a\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48c2e68e54c92258\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_48e7e903a369eae2\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_491d20003583dabe\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_4b34c18659561116\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_51ce968bf19942c2\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_555cfc07a674ecdd\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_561bd21d54545ed3\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_579a75f602cc2dce\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_57f66a4f0a97f1a3\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_587befb80671fb38\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_62f096fe77e085c0\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6ae0ddbb4a38e23c\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6bb02522ea3fdb0d\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_6d34ac0763025a06\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_712b6a0adbaabc0a\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_78b09d9681a2400f\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_842874489af34daa\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_88084eb1fe7cebc3\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_89033455cb08186f\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8a9535cd18c90bc3\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_8c1fc948b5a01c52\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_9088b61921a6ff9f\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_90f68cd0dc48b625\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_95cb371d046d4b4c\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_a58de0cf5f3e9dca\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_abe9d37302f8b1ae\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_acb3edda7b82982f\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_aebc5a8535dd3184\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b5d4c82c67b39358\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_b846bbf1e81ea3cf\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_babb2e8b8072ff3b\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_bc75cebf5edbbc50\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_be91293cf20d4372\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c11f4d5f0bc4c592\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4e5173126d31cf0\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c4f600ffe34acc7b\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c8634ed19e331cda\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_c9081e50bcffa972\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_ceddadac8a2b489e\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d4406f0ad6ec2581\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d5877a2e0e6374b6\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_d8ca5f86add535ef\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_e8abe176c7b553b5\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_eabb3ac2c517211f\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_f8d8be8fea71e1a0\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe5e116bb07c0629\
* c:\windows\system32\driverstore\filerepository\igdlh64.inf_amd64_fe73d2ebaa05fb95\
* c:\windows\system32\driverstore\filerepository\igdlh64_kbl_kit127397.inf_amd64_e1da8ee9e92ccadb\
* c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_364f43f2a27f7bd7\
* c:\windows\system32\driverstore\filerepository\k127153.inf_amd64_3f3936d8dec668b8\
* c:\windows\system32\driverstore\filerepository\k127793.inf_amd64_3ab7883eddccbf0f\
* c:\windows\system32\driverstore\filerepository\ki129523.inf_amd64_32947eecf8f3e231\
* c:\windows\system32\driverstore\filerepository\ki126950.inf_amd64_fa7f56314967630d\
* c:\windows\system32\driverstore\filerepository\ki126951.inf_amd64_94804e3918169543\
* c:\windows\system32\driverstore\filerepository\ki126973.inf_amd64_06dde156632145e3\
* c:\windows\system32\driverstore\filerepository\ki126974.inf_amd64_9168fc04b8275db9\
* c:\windows\system32\driverstore\filerepository\ki127005.inf_amd64_753576c4406c1193\
* c:\windows\system32\driverstore\filerepository\ki127018.inf_amd64_0f67ff47e9e30716\
* c:\windows\system32\driverstore\filerepository\ki127021.inf_amd64_0d68af55c12c7c17\
* c:\windows\system32\driverstore\filerepository\ki127171.inf_amd64_368f8c7337214025\
* c:\windows\system32\driverstore\filerepository\ki127176.inf_amd64_86c658cabfb17c9c\
* c:\windows\system32\driverstore\filerepository\ki127390.inf_amd64_e1ccb879ece8f084\
* c:\windows\system32\driverstore\filerepository\ki127678.inf_amd64_8427d3a09f47dfc1\
* c:\windows\system32\driverstore\filerepository\ki127727.inf_amd64_cf8e31692f82192e\
* c:\windows\system32\driverstore\filerepository\ki127807.inf_amd64_fc915899816dbc5d\
* c:\windows\system32\driverstore\filerepository\ki127850.inf_amd64_6ad8d99023b59fd5\
* c:\windows\system32\driverstore\filerepository\ki128602.inf_amd64_6ff790822fd674ab\
* c:\windows\system32\driverstore\filerepository\ki128916.inf_amd64_3509e1eb83b83cfb\
* c:\windows\system32\driverstore\filerepository\ki129407.inf_amd64_f26f36ac54ce3076\
* c:\windows\system32\driverstore\filerepository\ki129633.inf_amd64_d9b8af875f664a8c\
* c:\windows\system32\driverstore\filerepository\ki129866.inf_amd64_e7cdca9882c16f55\
* c:\windows\system32\driverstore\filerepository\ki130274.inf_amd64_bafd2440fa1ffdd6\
* c:\windows\system32\driverstore\filerepository\ki130350.inf_amd64_696b7c6764071b63\
* c:\windows\system32\driverstore\filerepository\ki130409.inf_amd64_0d8d61270dfb4560\
* c:\windows\system32\driverstore\filerepository\ki130471.inf_amd64_26ad6921447aa568\
* c:\windows\system32\driverstore\filerepository\ki130624.inf_amd64_d85487143eec5e1a\
* c:\windows\system32\driverstore\filerepository\ki130825.inf_amd64_ee3ba427c553f15f\
* c:\windows\system32\driverstore\filerepository\ki130871.inf_amd64_382f7c369d4bf777\
* c:\windows\system32\driverstore\filerepository\ki131064.inf_amd64_5d13f27a9a9843fa\
* c:\windows\system32\driverstore\filerepository\ki131176.inf_amd64_fb4fe914575fdd15\
* c:\windows\system32\driverstore\filerepository\ki131191.inf_amd64_d668106cb6f2eae0\
* c:\windows\system32\driverstore\filerepository\ki131622.inf_amd64_0058d71ace34db73\
* c:\windows\system32\driverstore\filerepository\ki132032.inf_amd64_f29660d80998e019\
* c:\windows\system32\driverstore\filerepository\ki132337.inf_amd64_223d6831ffa64ab1\
* c:\windows\system32\driverstore\filerepository\ki132535.inf_amd64_7875dff189ab2fa2\
* c:\windows\system32\driverstore\filerepository\ki132544.inf_amd64_b8c1f31373153db4\
* c:\windows\system32\driverstore\filerepository\ki132574.inf_amd64_54c9b905b975ee55\
* c:\windows\system32\driverstore\filerepository\ki132869.inf_amd64_052eb72d070df60f\
* c:\windows\system32\driverstore\filerepository\kit126731.inf_amd64_1905c9d5f38631d9\

Resources:
* https://www.sothis.tech/author/jgalvez/

Detection:
* Sigma: proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml
* IOC: Usually GfxDownloadWrapper downloads a JSON file from https://gameplayapi.intel.com.[GfxDownloadWrapper.exe - LOLBAS Project]

Internal MISP references

UUID a83cfdbf-023a-4874-a3d8-9674149ceb53 which can be used as unique global reference for GfxDownloadWrapper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5186
source Tidal Cyber
tags ['303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

gh0st RAT

gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.[FireEye Hacking Team][Arbor Musical Chairs Feb 2018][Nccgroup Gh0st April 2018]

Internal MISP references

UUID 269ef8f5-35c8-44ba-afe4-63f4c6431427 which can be used as unique global reference for gh0st RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['macOS', 'Windows']
software_attack_id S0032
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

GLASSTOKEN

GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on compromised Ivanti Secure Connect VPNs.[Volexity Ivanti Zero-Day Exploitation January 2024]

Internal MISP references

UUID 5c1a1ce5-927c-5c79-8a14-2789756d41ee which can be used as unique global reference for GLASSTOKEN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Network']
software_attack_id S1117
source MITRE
type ['malware']

GLOOXMAIL

GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic. [Mandiant APT1]

Internal MISP references

UUID 09fdec78-5253-433d-8680-294ba6847be9 which can be used as unique global reference for GLOOXMAIL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0026
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

GMER

GMER is a tool used to remove rootkits.[U.S. CISA Understanding LockBit June 2023]

Internal MISP references

UUID 83713f85-8b2f-4733-9fea-e6a1494d0bbb which can be used as unique global reference for GMER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5033
source Tidal Cyber
tags ['e1af18e3-3224-4e4c-9d0f-533768474508', '39d6e8b7-6c8a-4ec5-a584-54ca32aa29fb', 'ed2b3f47-3e07-4019-a9bf-ec9d87f28c96', 'af5e9be5-b86e-47af-91dd-966a5e34a186', '758c3085-2f79-40a8-ab95-f8a684737927', '2185ed93-7e1c-4553-9452-c8411b5dca93', '904ad11a-20ca-479c-ad72-74bd5d9dc7e4', '1dc8fd1e-0737-405a-98a1-111dd557f1b5', '35e694ec-5133-46e3-b7e1-5831867c3b55', '15787198-6c8b-4f79-bf50-258d55072fee', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']
Related clusters

To see the related clusters, click here.

Gold Dragon

Gold Dragon is a Korean-language data-gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. [McAfee Gold Dragon]

Internal MISP references

UUID 348fdeb5-6a74-4803-ac6e-e0133ecd7263 which can be used as unique global reference for Gold Dragon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0249
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

GoldenSpy

GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.[Trustwave GoldenSpy June 2020]

Internal MISP references

UUID 1b135393-c799-4698-a880-c6a86782adee which can be used as unique global reference for GoldenSpy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0493
source MITRE
tags ['f2ae2283-f94d-4f8f-bbde-43f2bed66c55']
type ['malware']

GoldFinder

GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldFinder was discovered in early 2021 during an investigation into the SolarWinds Compromise by APT29.[MSTIC NOBELIUM Mar 2021]

Internal MISP references

UUID 4e8c58c5-443e-4f73-91e9-89146f04e307 which can be used as unique global reference for GoldFinder in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0597
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

GoldMax

GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.[MSTIC NOBELIUM Mar 2021][FireEye SUNSHUTTLE Mar 2021][CrowdStrike StellarParticle January 2022]

Internal MISP references

UUID b05a9763-4288-4656-bf4e-ba02bb8b35d6 which can be used as unique global reference for GoldMax in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'Windows']
software_attack_id S0588
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']
Related clusters

To see the related clusters, click here.

Goopy

Goopy is a Windows backdoor and Trojan used by APT32 that shares several similarities with another backdoor used by the group (Denis). Goopy is named for its impersonation of the legitimate Google Updater executable.[Cybereason Cobalt Kitty 2017]

Internal MISP references

UUID a75855fd-2b6b-43d8-99a5-2be03b544f34 which can be used as unique global reference for Goopy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0477
source MITRE
tags ['febea5b6-2ea2-402b-8bec-f3f5b3f73c59']
type ['malware']
Related clusters

To see the related clusters, click here.

GooseEgg

GooseEgg is a custom tool developed by Russian espionage group Forest Blizzard that is designed for privilege escalation and credential access purposes. GooseEgg exploits CVE-2022-38028, a vulnerability in the Windows Print Spooler service. Researchers describe the tool as a "simple" launcher application, but a range of subsequent post-exploitation actions are possible, including remote code execution, backdoor deployment, and lateral movement within the compromised network.[Microsoft Security Blog 4 22 2024]

Internal MISP references

UUID f9c32a11-964c-4480-968b-e520b8c7b26e which can be used as unique global reference for GooseEgg in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5318
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', 'dcd6d78a-50e9-4fbd-a36a-06fbe6b7b40c', '7de7d799-f836-4555-97a4-0db776eb6932', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']
Related clusters

To see the related clusters, click here.

Gootloader

Gootloader is a highly active banking Trojan-turned-loader malware that has attacked organizations in a wide range of verticals and countries. Gootloader, also referred to by its related payload, Gootkit, first emerged in 2014 but has been especially active since 2020. In the past two years alone, verticals including finance, healthcare, defense, pharmaceutical, energy, & automotive have faced Gootloader campaigns, with victims across North America, Western Europe, & South Korea, and the malware is regularly used to deliver high-impact payloads, including Cobalt Strike, IcedID (a common ransomware precursor), & more. Cybereason indicates the financial & healthcare sectors are especially impacted.[Cybereason Gootloader February 2023] Red Canary & The DFIR Report provide tool-agnostic suggested detection logic for key behaviors observed during recent Gootloader campaigns.[Red Canary Gootloader April 2023][DFIR Report Gootloader]

Internal MISP references

UUID 3eec857e-dce3-4865-a65f-3ad5a559a3e6 which can be used as unique global reference for Gootloader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5289
source Tidal Cyber
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '84615fe0-c2a5-4e07-8957-78ebc29b4635', '2feda37d-5579-4102-a073-aa02e82cb49f']
type ['malware']

Gpscript

This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.

Description: Used by group policy to process scripts

Author: Oddvar Moe

Paths:
* C:\Windows\System32\gpscript.exe
* C:\Windows\SysWOW64\gpscript.exe

Resources:
* https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

Detection:
* Sigma: proc_creation_win_lolbin_gpscript.yml
* IOC: Scripts added in local group policy
* IOC: Execution of Gpscript.exe after logon[Gpscript.exe - LOLBAS Project]

Internal MISP references

UUID acf4a502-2730-4b36-aea3-652420390977 which can be used as unique global reference for Gpscript in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5113
source Tidal Cyber
tags ['2ca5c5e4-ee7f-4698-84ec-ce04d2c1e9cc', '303a3675-4855-4323-b042-95bb1d907cca', '509a90c7-9ca9-4b23-bca2-cd38ef6a6207']
type ['tool']

Grandoreiro

Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.[Securelist Brazilian Banking Malware July 2020][ESET Grandoreiro April 2020]

Internal MISP references

UUID 61d277f2-abdc-4f2b-b50a-10d0fe91e588 which can be used as unique global reference for Grandoreiro in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0531
source MITRE
tags ['16b47583-1c54-431f-9f09-759df7b5ddb7']
type ['malware']

GraphicalProton

According to joint Cybersecurity Advisory AA23-347A (December 2023), GraphicalProton "is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs" to exchange data with its operators. During a 2023 campaign, authorities also observed an HTTPS variant of GraphicalProton that relies on HTTP requests instead of cloud-based services.[U.S. CISA SVR TeamCity Exploits December 2023]

Internal MISP references

UUID f77398ad-e043-4694-ade0-d6ea16a994e7 which can be used as unique global reference for GraphicalProton in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5077
source Tidal Cyber
type ['malware']
Related clusters

To see the related clusters, click here.

GravityRAT

GravityRAT is a remote access tool (RAT) that has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author: "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. [Talos GravityRAT]

Internal MISP references

UUID 08cb425d-7b7a-41dc-a897-9057ce57fea9 which can be used as unique global reference for GravityRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0237
source MITRE
type ['malware']

Green Lambert

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[Kaspersky Lamberts Toolkit April 2017][Objective See Green Lambert for OSX Oct 2021]

Internal MISP references

UUID f5691425-6690-4e5e-8304-3ede9d2f5a90 which can be used as unique global reference for Green Lambert in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Linux', 'macOS', 'Windows', 'iOS']
software_attack_id S0690
source MITRE
type ['malware']

GreyEnergy

GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be its successor.[ESET GreyEnergy Oct 2018]

Internal MISP references

UUID f646e7f9-4d09-46f6-9831-54668fa20483 which can be used as unique global reference for GreyEnergy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0342
source MITRE
type ['malware']
Related clusters

To see the related clusters, click here.

GRIFFON

GRIFFON is a JavaScript backdoor used by FIN7. [SecureList Griffon May 2019]

Internal MISP references

UUID ad358082-d83a-4c22-81a1-6c34dd67af26 which can be used as unique global reference for GRIFFON in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0417
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']
Related clusters

To see the related clusters, click here.

GrimAgent

GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.[Group IB GrimAgent July 2021]

Internal MISP references

UUID c40a71d4-8592-4f82-8af5-18f763e52caf which can be used as unique global reference for GrimAgent in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0632
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Grixba

Grixba is a tool used by Play Ransomware operators to scan victim networks for information discovery purposes. Grixba compiles and saves collected information into CSV files, which are then compressed with WinRAR and exfiltrated to threat actors.[Symantec Play Ransomware April 19 2023]

Internal MISP references

UUID 3ff9e020-8a7a-4c6f-a607-117ce9e436c5 which can be used as unique global reference for Grixba in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
owner TidalCyberIan
platforms ['Windows']
software_attack_id S5079
source Tidal Cyber
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['malware']

gsecdump

gsecdump is a publicly available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. [TrueSec Gsecdump]

Internal MISP references

UUID 5ffe662f-9da1-4b6f-ad3a-f296383e828c which can be used as unique global reference for gsecdump in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0008
source MITRE
tags ['4d767e87-4cf6-438a-927a-43d2d0beaab7']
type ['tool']

GuLoader

GuLoader is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including NETWIRE, Agent Tesla, NanoCore, FormBook, and Parallax RAT.[Unit 42 NETWIRE April 2020][Medium Eli Salem GuLoader April 2021]

Internal MISP references

UUID 03e985d6-870b-4533-af13-08b1e0511444 which can be used as unique global reference for GuLoader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0561
source MITRE
tags ['c6e1f516-1a18-4ff9-b563-e6ac8103b104', '2feda37d-5579-4102-a073-aa02e82cb49f', '84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

H1N1

H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. [Cisco H1N1 Part 1]

Internal MISP references

UUID 5f1602fe-a4ce-4932-9cf9-ec842f2c58f1 which can be used as unique global reference for H1N1 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0132
source MITRE
type ['malware']

Hacking Team UEFI Rootkit

Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. [TrendMicro Hacking Team UEFI]

Internal MISP references

UUID 75db2ac3-901e-4b1f-9a0d-bac6562d57a3 which can be used as unique global reference for Hacking Team UEFI Rootkit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0047
source MITRE
type ['malware']

HALFBAKED

HALFBAKED is a malware family consisting of multiple components intended to establish persistence in victim networks. [FireEye FIN7 April 2017]

Internal MISP references

UUID 5edf0ef7-a960-4500-8a89-8c8b4fdf8824 which can be used as unique global reference for HALFBAKED in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0151
source MITRE
type ['malware']

HAMMERTOSS

HAMMERTOSS is a backdoor that was used by APT29 in 2015. [FireEye APT29] [F-Secure The Dukes]

Internal MISP references

UUID cc07f03f-9919-4856-9b30-f4d88940b0ec which can be used as unique global reference for HAMMERTOSS in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0037
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

Hancitor

Hancitor is a downloader that has been used by Pony and other information stealing malware.[Threatpost Hancitor][FireEye Hancitor]

Internal MISP references

UUID 4eee3272-07fa-48ee-a7b9-9dfee3e4550a which can be used as unique global reference for Hancitor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0499
source MITRE
tags ['84615fe0-c2a5-4e07-8957-78ebc29b4635']
type ['malware']

HAPPYWORK

HAPPYWORK is a downloader used by APT37 to target South Korean government and financial victims in November 2016. [FireEye APT37 Feb 2018]

Internal MISP references

UUID c2c31b2e-5da6-4feb-80e3-14ea6d0ea7e8 which can be used as unique global reference for HAPPYWORK in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0214
source MITRE
type ['malware']

HARDRAIN

HARDRAIN is a Trojan malware variant reportedly used by the North Korean government. [US-CERT HARDRAIN March 2018]

Internal MISP references

UUID ad0ae3b7-88aa-48b3-86ca-6a5d8b5309a7 which can be used as unique global reference for HARDRAIN in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0246
source MITRE
type ['malware']

Havij

Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. [Check Point Havij Analysis]

Internal MISP references

UUID 8bd36306-bd4b-4a76-8842-44acb0cedbcc which can be used as unique global reference for Havij in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
software_attack_id S0224
source MITRE
type ['tool']

HAWKBALL

HAWKBALL is a backdoor that has been observed in attacks targeting the government sector in Central Asia.[FireEye HAWKBALL Jun 2019]

Internal MISP references

UUID 392c5a32-53b5-4ce8-a946-226cb533cc4e which can be used as unique global reference for HAWKBALL in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0391
source MITRE
type ['malware']

hcdLoader

hcdLoader is a remote access tool (RAT) that has been used by APT18. [Dell Lateral Movement]

Internal MISP references

UUID a7ffe1bd-45ca-4ca4-94da-3b6c583a868d which can be used as unique global reference for hcdLoader in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0071
source MITRE
type ['malware']

HDoor

HDoor is malware that has been customized and used by the Naikon group. [Baumgartner Naikon 2015]

Internal MISP references

UUID f155b6f9-258d-4446-8867-fe5ee26d8c72 which can be used as unique global reference for HDoor in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0061
source MITRE
type ['malware']

HELLOKITTY

HELLOKITTY is ransomware written in C++ that shares similar code structure and functionality with DEATHRANSOM and FIVEHANDS. HELLOKITTY has been used since at least 2020; targets have included a Polish video game developer and a Brazilian electric power company.[FireEye FiveHands April 2021]

Internal MISP references

UUID 813a4ca1-84fe-42dc-89de-5873d028f98d which can be used as unique global reference for HELLOKITTY in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0617
source MITRE
tags ['4ac8dcde-2665-4066-9ad9-b5572d5f0d28', '3535caad-a155-4996-b986-70bc3cd5ce1e', 'f1ad9eba-f4fd-4aec-92c0-833ac14d741b', '5e7433ad-a894-4489-93bc-41e90da90019', '15787198-6c8b-4f79-bf50-258d55072fee', '7e7b0c67-bb85-4996-a289-da0e792d7172']
type ['malware']

Helminth

Helminth is a backdoor that has at least two variants: one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. [Palo Alto OilRig May 2016]

Internal MISP references

UUID d6560c81-1e7e-4d01-9814-4be4fb43e655 which can be used as unique global reference for Helminth in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0170
source MITRE
tags ['f8669b82-2194-49a9-8e20-92e7f9ab0a6f']
type ['malware']

HermeticWiper

HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.[SentinelOne Hermetic Wiper February 2022][Symantec Ukraine Wipers February 2022][Crowdstrike DriveSlayer February 2022][ESET Hermetic Wiper February 2022][Qualys Hermetic Wiper March 2022]

Internal MISP references

UUID f0456f14-4913-4861-b4ad-5e7f3960040e which can be used as unique global reference for HermeticWiper in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
platforms ['Windows']
software_attack_id S0697
source MITRE
tags ['2e621fc5-dea4-4cb9-987e-305845986cd3']
type ['malware']

HermeticWizard

HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations in Ukraine since at least 2022.[ESET Hermetic Wizard March 2022]

Internal MISP references

UUID 36ddc8cd-8f80-489e-a702-c682936b5393 which can be used as unique global reference for Hermetic