
S0546 SharpStage

SharpStage is a .NET malware with backdoor capabilities. [1][2]

ID: S0546
Associated Names: -
Version: 1.1
Created: 22 December 2020
Last Modified: 18 August 2021

Techniques Used

Domain | ID | Name | Use
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | SharpStage has the ability to create persistence for the malware using the Registry autorun key and startup folder. [1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | SharpStage can execute arbitrary commands with PowerShell. [1][2]
enterprise | T1059.003 | Windows Command Shell | SharpStage can execute arbitrary commands with the command line. [1][2]
enterprise | T1140 | Deobfuscate/Decode Files or Information | SharpStage has decompressed data received from the C2 server. [2]
enterprise | T1105 | Ingress Tool Transfer | SharpStage has the ability to download and execute additional payloads via the Dropbox API. [1][2]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | SharpStage has a persistence component that writes a scheduled task for the payload. [1]
enterprise | T1113 | Screen Capture | SharpStage has the ability to capture the victim's screen. [1][2]
enterprise | T1082 | System Information Discovery | SharpStage has checked the system settings to see if Arabic is the configured language. [2]
enterprise | T1614 | System Location Discovery | -
enterprise | T1614.001 | System Language Discovery | SharpStage has been used to target Arabic-speaking users and contains code that checks whether the compromised machine has the Arabic language installed. [2]
enterprise | T1102 | Web Service | SharpStage has used a legitimate web service for evading detection. [1]
enterprise | T1047 | Windows Management Instrumentation | SharpStage can use WMI for execution. [1][2]

Groups That Use This Software

ID | Name | References
G0021 | Molerats | [1]