Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Saint Bot

Saint Bot is a .NET downloader that has been used by Saint Bear since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
ID: S1018
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 09 Jun 2022
Last Modified: 08 Oct 2024

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Saint Bot has attempted to bypass UAC using `fodhelper.exe` to escalate privileges.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Saint Bot has used HTTP for C2 communications.(Citation: Malwarebytes Saint Bot April 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Saint Bot has established persistence by being copied to the Startup directory or through the `\Software\Microsoft\Windows\CurrentVersion\Run` registry key.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Saint Bot has used PowerShell for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

.003 Command and Scripting Interpreter: Windows Command Shell

Saint Bot has used `cmd.exe` and `.bat` scripts for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

.005 Command and Scripting Interpreter: Visual Basic

Saint Bot has used `.vbs` scripts for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1132 .001 Data Encoding: Standard Encoding

Saint Bot has used Base64 to encode its C2 communications.(Citation: Malwarebytes Saint Bot April 2021)

Enterprise T1070 .004 Indicator Removal: File Deletion

Saint Bot can run a batch script named `del.bat` to remove any Saint Bot payload-linked files from a compromise system if anti-analysis or locale checks fail.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Saint Bot has been disguised as a legitimate executable, including as Windows SDK.(Citation: Malwarebytes Saint Bot April 2021)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Saint Bot has been packed using a dark market crypter.(Citation: Malwarebytes Saint Bot April 2021)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Saint Bot has been distributed as malicious attachments within spearphishing emails.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

.002 Phishing: Spearphishing Link

Saint Bot has been distributed through malicious links contained within spearphishing emails.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Saint Bot has injected its DLL component into `EhStorAurhn.exe`.(Citation: Malwarebytes Saint Bot April 2021)

.004 Process Injection: Asynchronous Procedure Call

Saint Bot has written its payload into a newly-created `EhStorAuthn.exe` process using `ZwWriteVirtualMemory` and executed it using `NtQueueApcThread` and `ZwAlertResumeThread`.(Citation: Malwarebytes Saint Bot April 2021)

.012 Process Injection: Process Hollowing

The Saint Bot loader has used API calls to spawn `MSBuild.exe` in a suspended state before injecting the decrypted Saint Bot binary into it.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Saint Bot has created a scheduled task named "Maintenance" to establish persistence.(Citation: Malwarebytes Saint Bot April 2021)

Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

Saint Bot had used `InstallUtil.exe` to download and deploy executables.(Citation: Malwarebytes Saint Bot April 2021)

.010 System Binary Proxy Execution: Regsvr32

Saint Bot has used `regsvr32` to execute scripts.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1204 .001 User Execution: Malicious Link

Saint Bot has relied on users to click on a malicious link delivered via a spearphishing.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

.002 User Execution: Malicious File

Saint Bot has relied on users to execute a malicious attachment delivered via spearphishing.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Saint Bot has run several virtual machine and sandbox checks, including checking if `Sbiedll.dll` is present in a list of loaded modules, comparing the machine name to `HAL9TH` and the user name to `JohnDoe`, and checking the BIOS version for known virtual machine identifiers.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

.003 Virtualization/Sandbox Evasion: Time Based Evasion

Saint Bot has used the command `timeout 20` to pause the execution of its initial loader.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Groups That Use This Software

ID Name References
G1003 Ember Bear

(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

G1003 Ember Bear

(Citation: CISA GRU29155 2024)

G1031 Saint Bear

(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.