Skip to main content
Mallory
Back to malware
MalwareUsed by 1 actorExploits 1 CVE

Downloader.Climax.B

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2017-11882Microsoft Office Equation Editor Remote Code Execution

Другой вид загрузчика для своего исполнения может использовать уязвимости в Microsoft Equation Editor.

via ptsecurityptsecurity.com
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Space Pirates

Другой вид загрузчика для своего исполнения может использовать уязвимости в Microsoft Equation Editor.

via ptsecurityptsecurity.com
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001Spearphishing AttachmentEvidence1
TacticInitial Access

В конце 2019 года специалисты ... обнаружили фишинговое письмо ... Оно содержало ссылку на ранее неизвестное вредоносное ПО... Приложения MITRE: T1566.001 Phishing: Spearphishing Attachment

Persistence

2 techniques
T1112Modify RegistryEvidence1
TacticsPersistenceDefense Impairment

Deed RAT хранит в реестре все свои данные, включая конфигурацию и плагины

T1547.001Registry Run Keys / Startup FolderEvidence1
TacticsPersistencePrivilege Escalation

Downloader.Climax.B закрепляется в системе через ключ реестра HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GetUserConfig... группа Space Pirates может ... использовать ключи реестра Run и RunOnce

Privilege Escalation

1 technique
T1547.001Registry Run Keys / Startup FolderEvidence1
TacticsPersistencePrivilege Escalation

Downloader.Climax.B закрепляется в системе через ключ реестра HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GetUserConfig... группа Space Pirates может ... использовать ключи реестра Run и RunOnce

Defense Impairment

1 technique
T1112Modify RegistryEvidence1
TacticsPersistenceDefense Impairment

Deed RAT хранит в реестре все свои данные, включая конфигурацию и плагины

Command and Control

1 technique
T1132.001Standard EncodingEvidence1
TacticCommand and Control

ВПО группы Space Pirates может сжимать сетевые сообщения с помощью алгоритмов LZNT1 и LZW

INDICATORS OF COMPROMISE

IOCs tracked for this family

22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
21 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
hash.md5●●●●●●●●●●●●View more in app4 years ago
hash.md5●●●●●●●●●●●●View more in app4 years ago
hash.sha1●●●●●●●●●●●●View more in app4 years ago
hash.sha1●●●●●●●●●●●●View more in app4 years ago
hash.sha1●●●●●●●●●●●●View more in app4 years ago
hash.sha1●●●●●●●●●●●●View more in app4 years ago
ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching22

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.