Skip to content

S0615 SombRAT

SombRAT is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including FIVEHANDS ransomware.321

Item Value
ID S0615
Associated Names
Version 1.2
Created 26 May 2021
Last Modified 05 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS SombRAT can communicate over DNS with the C2 server.32
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method SombRAT has encrypted collected data with AES-256 using a hardcoded key.3
enterprise T1005 Data from Local System SombRAT has collected data and files from a compromised host.31
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging SombRAT can store harvested data in a custom database under the %TEMP% directory.3
enterprise T1140 Deobfuscate/Decode Files or Information SombRAT can run upload to decrypt and upload files from storage.31
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms SombRAT can use a custom DGA to generate a subdomain for C2.3
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography SombRAT has encrypted its C2 communications with AES.3
enterprise T1573.002 Asymmetric Cryptography SombRAT can SSL encrypt C2 traffic.321
enterprise T1041 Exfiltration Over C2 Channel SombRAT has uploaded collected data and files from a compromised host to its C2 server.3
enterprise T1083 File and Directory Discovery SombRAT can execute enum to enumerate files in storage on a compromised system.3
enterprise T1564 Hide Artifacts -
enterprise T1564.010 Process Argument Spoofing SombRAT has the ability to modify its process memory to hide process command-line arguments.2
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion SombRAT has the ability to run cancel or closeanddeletestorage to remove all files from storage and delete the storage temp file on a compromised host.3
enterprise T1105 Ingress Tool Transfer SombRAT has the ability to download and execute additional payloads.321
enterprise T1036 Masquerading SombRAT can use a legitimate process name to hide itself.1
enterprise T1106 Native API SombRAT has the ability to respawn itself using ShellExecuteW and CreateProcessW.3
enterprise T1095 Non-Application Layer Protocol SombRAT has the ability to use TCP sockets to send data and ICMP to ping the C2 server.32
enterprise T1027 Obfuscated Files or Information SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.321
enterprise T1057 Process Discovery SombRAT can use the getprocesslist command to enumerate processes on a compromised host.321
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection SombRAT can execute loadfromfile, loadfromstorage, and loadfrommem to inject a DLL from disk, storage, or memory respectively.3
enterprise T1090 Proxy SombRAT has the ability to use an embedded SOCKS proxy in C2 communications.1
enterprise T1082 System Information Discovery SombRAT can execute getinfo to enumerate the computer name and OS version of a compromised system.3
enterprise T1033 System Owner/User Discovery SombRAT can execute getinfo to identify the username on a compromised host.31
enterprise T1007 System Service Discovery SombRAT can enumerate services on a victim machine.3
enterprise T1124 System Time Discovery SombRAT can execute getinfo to discover the current time on a compromised host.31