Deadglyph: a new advanced backdoor from Stealth Falcon
Tags
cmtmf-attack-pattern: Acquire Infrastructure; Application Layer Protocol; Command And Scripting Interpreter; Develop Capabilities; Event Triggered Execution; Obfuscated Files Or Information; Obtain Capabilities
country: United Arab Emirates
maec-delivery-vectors: Watering Hole
attack-pattern: Acquire Infrastructure; Acquire Infrastructure - T1583; Software Discovery - T1418; Application Layer Protocol - T1437; Code Signing Certificates - T1587.002; Code Signing Certificates - T1588.003; Command And Scripting Interpreter - T1623; Data From Local System - T1533; Develop Capabilities - T1587; Disable Or Modify Tools - T1562.001; Disable Or Modify Tools - T1629.003; Domains - T1583.001; Domains - T1584.001; Encrypted Channel - T1521; Encrypted Channel - T1573; Environmental Keying - T1480.001; Event Triggered Execution - T1624; Event Triggered Execution - T1546; Execution Guardrails - T1480; Execution Guardrails - T1627; Exfiltration Over C2 Channel - T1646; File Deletion - T1070.004; File Deletion - T1630.002; Impair Defenses - T1562; Impair Defenses - T1629; System Network Configuration Discovery - T1422; Malicious File - T1204.002; Malware - T1587.001; Malware - T1588.001; Obfuscated Files Or Information - T1406; Process Discovery - T1424; System Information Discovery - T1426; Native Api - T1575; Obtain Capabilities - T1588; Reflective Code Loading - T1620; Rundll32 - T1218.011; Security Software Discovery - T1418.001; Security Software Discovery - T1518.001; Server - T1583.004; Server - T1584.004; Software - T1592.002; Software Discovery - T1518; Symmetric Cryptography - T1521.001; Symmetric Cryptography - T1573.001; Windows Command Shell - T1059.003; Web Protocols - T1071.001; Web Protocols - T1437.001; Windows Management Instrumentation Event Subscription - T1546.003; Virtual Private Server - T1583.003; Virtual Private Server - T1584.003; Access Token Manipulation - T1134; Standard Application Layer Protocol - T1071; Command-Line Interface - T1059; Connection Proxy - T1090; Data From Local System - T1005; Deobfuscate/Decode Files Or Information - T1140; Execution Through Api - T1106; Exfiltration Over Command And Control Channel - T1041; File Deletion - T1107; Indicator Removal On Host - T1070; Modify Registry - T1112; Obfuscated Files Or Information - T1027; Process Discovery - T1057; Query Registry - T1012; Rundll32 - T1085; Security Software Discovery - T1063; Signed Binary Proxy Execution - T1218; System Information Discovery - T1082; System Network Configuration Discovery - T1016; System Owner/User Discovery - T1033; System Service Discovery - T1007; Windows Management Instrumentation - T1047; Windows Management Instrumentation Event Subscription - T1084; User Execution - T1204; User Execution
Common Information
Type Value
UUID 73e1c59c-d141-4681-8e8f-e2eccd1f301f
Fingerprint faf409326cfcd652
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 24, 2023, midnight
Added to db Nov. 6, 2023, 5:27 p.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline Deadglyph: a new advanced backdoor from Stealth Falcon
Title Deadglyph: a new advanced backdoor from Stealth Falcon
Detected Hints/Tags/Attributes 116/4/49
RSS Feed
Id 13; Feed title: Andrea Fortuna; Url: https://andreafortuna.org/feed.xml; Added to db: 2024-08-30 22:08
Attributes
Type (#Events): Value
File (2126): cmd.exe
File (1018): rundll32.exe
File (13): clr.dll
MITRE ATT&CK Technique (82): T1583.001
MITRE ATT&CK Technique (62): T1583.003
MITRE ATT&CK Technique (96): T1587.001
MITRE ATT&CK Technique (33): T1588.003
MITRE ATT&CK Technique (310): T1047
MITRE ATT&CK Technique (333): T1059.003
MITRE ATT&CK Technique (239): T1106
MITRE ATT&CK Technique (365): T1204.002
MITRE ATT&CK Technique (22): T1546.003
MITRE ATT&CK Technique (627): T1027
MITRE ATT&CK Technique (297): T1070.004
MITRE ATT&CK Technique (550): T1112
MITRE ATT&CK Technique (116): T1134
MITRE ATT&CK Technique (504): T1140
MITRE ATT&CK Technique (119): T1218.011
MITRE ATT&CK Technique (18): T1480.001
MITRE ATT&CK Technique (298): T1562.001
MITRE ATT&CK Technique (91): T1620
MITRE ATT&CK Technique (100): T1007
MITRE ATT&CK Technique (501): T1012
MITRE ATT&CK Technique (245): T1016
MITRE ATT&CK Technique (230): T1033
MITRE ATT&CK Technique (433): T1057
MITRE ATT&CK Technique (1006): T1082
MITRE ATT&CK Technique (185): T1518
MITRE ATT&CK Technique (141): T1518.001
MITRE ATT&CK Technique (534): T1005
MITRE ATT&CK Technique (442): T1071.001
MITRE ATT&CK Technique (152): T1090
MITRE ATT&CK Technique (130): T1573.001
MITRE ATT&CK Technique (422): T1041