Skip to content

S0080 Mivast

Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach. 1

Item Value
ID S0080
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 25 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Mivast creates the following Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micromedia.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Mivast has the capability to open a remote shell and run basic commands.2
enterprise T1105 Ingress Tool Transfer Mivast has the capability to download and execute .exe files.2
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager Mivast has the capability to gather NTLM password information.2

Groups That Use This Software

ID Name References
G0009 Deep Panda 1


Back to top