SombRAT

Malware Profile Updated 2 months ago
SombRAT is a sophisticated malware that poses a significant financial threat, as reported by Mandiant in April 2021. It operates in conjunction with FIVEHANDS ransomware under the umbrella of UNC2447, a malicious cyber activity group. The malware infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal information, disrupt operations, or hold data hostage for ransom.

This particular variant is notable for its use of a 64-bit SombRAT loader, identifiable through the WwanSvc.b artifact once decoded. The threat actors behind SombRAT demonstrated advanced techniques to bypass organizational anti-malware programs: they used batch and text files to execute and invoke PowerShell scripts that decoded a SombRAT loader, allowing the PowerShell stage to evade detection. These evasion tactics align with known techniques such as the Windows Command Shell and PowerShell scripting interpreters, as well as general defense evasion strategies, as outlined in the MITRE ATT&CK framework.

SombRAT exhibits unique characteristics that distinguish it from other malware types. It uses RSA for C2 encryption, HTTP for C2 communication, and a custom storage file. It also employs specific decryption and string decoding scripts for its payload. The malware is designed to be downloaded via the SombRAT loader, which is detected by code similarity. These features underscore the sophistication of SombRAT, making it a formidable threat to financial institutions and other potential targets.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
DEATHRANSOM | 1 | DeathRansom is a form of malware, specifically ransomware, known for its damaging effects on computer systems. It operates by infiltrating systems through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for ranso
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Trojan
Loader
T1059.003
Windows
T1059.001
Vulnerability
Malware
Cobalt Strike
Proxy
Apt
Payload
Encryption
Beacon
Vpn
Espionage
T1105
Backdoor
Phishing
Dropper
Associated Malware
ID | Type | Votes | Profile Description
FIVEHANDS | is related to | 3 | FiveHands, also known as HelloKitty, is a sophisticated form of malware that primarily targets financial institutions. It was first reported by Mandiant in April 2021 as part of a cyber threat posed by the UNC2447 group. The ransomware is typically delivered through Encryptor.exe, a loader that init
HELLOKITTY | Unspecified | 1 | HelloKitty is a malicious software (malware) that has been designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold dat
CostaBricks | Unspecified | 1 | None
Cobalt Strike Beacon | Unspecified | 1 | Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
malware.binary.exe | Unspecified | 1 | None
Associated Threat Actors
ID | Type | Votes | Profile Description
CostaRicto | Unspecified | 1 | CostaRicto, a threat actor group first reported by Blackberry Cylance in November 2020, has been identified as a potential cyber-espionage-for-hire criminal entity. The group is known for its custom proxy tool and the use of a Rich header, both associated with the CostaRicto campaign. Their bespoke
APT10 | Unspecified | 1 | APT10, also known as the Menupass Team, is a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS). The group has been active since 2009 and is suspected to be based in Tianjin, China, according to research by IntrusionTruth in 2018. APT10 has primarily targeted
APT28 | Unspecified | 1 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
The Costaricto Campaign | Unspecified | 1 | None
Havex | Unspecified | 1 | Havex, also known as Dragonfly or the Energetic Bear RAT, is a prominent threat actor in the cybersecurity landscape. Spotted initially in 2013, Havex was part of a broad industrial espionage campaign. The threat actors behind Havex utilized various techniques to infect their targets, including phis
Associated Vulnerabilities
No associations to display
Source Document References
Information about the SombRAT malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | Infographic: A History of Network Device Threats and What Lies Ahead
CERT-EU | 6 months ago | Infographic: A History of Network Device Threats and What Lies Ahead | #ransomware | #cybercrime | National Cyber Security Consulting
MITRE | a year ago | The CostaRicto Campaign: Cyber-Espionage Outsourced
MITRE | a year ago | UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat | Mandiant
MITRE | a year ago | FiveHands Ransomware | CISA