
S0152 EvilGrab

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. [1]

ID: S0152
Associated Names:
Type: MALWARE
Version: 1.1
Created: 14 December 2017
Last Modified: 23 March 2023

Techniques Used

Domain: enterprise (all entries below)

T1123 Audio Capture: EvilGrab has the capability to capture audio from a victim machine. [1]
T1547 Boot or Logon Autostart Execution: -
T1547.001 Registry Run Keys / Startup Folder: EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence. [1]
T1056 Input Capture: -
T1056.001 Keylogging: EvilGrab has the capability to capture keystrokes. [1]
T1113 Screen Capture: EvilGrab has the capability to capture screenshots. [1]
T1125 Video Capture: EvilGrab has the capability to capture video from a victim machine. [1]

Groups That Use This Software

G0045 menuPass [1]

References