S0696 Flagpro

Flagpro is a Windows-based, first-stage downloader that has been used by BlackTech since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.[1]

| Item | Value |
| --- | --- |
| ID | S0696 |
| Associated Names | |
| Version | 1.0 |
| Created | 25 March 2022 |
| Last Modified | 01 April 2022 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Flagpro can communicate with its C2 using HTTP.[1] |
| enterprise | T1010 | Application Window Discovery | Flagpro can check the name of the window displayed on the system.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Flagpro has dropped an executable file to the startup directory.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Flagpro can use cmd.exe to execute commands received from C2.[1] |
| enterprise | T1059.005 | Visual Basic | Flagpro can execute malicious VBA macros embedded in .xlsm files.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Flagpro has encoded bidirectional data communications between a target system and C2 server using Base64.[1] |
| enterprise | T1005 | Data from Local System | Flagpro can collect data from a compromised host, including Windows authentication information.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Flagpro has exfiltrated data to the C2 server.[1] |
| enterprise | T1070 | Indicator Removal | Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Flagpro can download additional malware from the C2 server.[1] |
| enterprise | T1036 | Masquerading | Flagpro can download malicious files with a .tmp extension and append them with .exe prior to execution.[1] |
| enterprise | T1106 | Native API | Flagpro can use Native API to enable obfuscation including GetLastError and GetTickCount.[1] |
| enterprise | T1135 | Network Share Discovery | Flagpro has been used to execute net view to discover mapped network shares.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Flagpro has been delivered within ZIP or RAR password-protected archived files.[1] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.001 | Local Groups | Flagpro has been used to execute the net localgroup administrators command on a targeted system.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Flagpro has been distributed via spearphishing as an email attachment.[1] |
| enterprise | T1057 | Process Discovery | Flagpro has been used to run the tasklist command on a compromised system.[1] |
| enterprise | T1018 | Remote System Discovery | Flagpro has been used to execute net view on a targeted system.[1] |
| enterprise | T1029 | Scheduled Transfer | Flagpro has the ability to wait for a specified time interval between communicating with and executing commands from C2.[1] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | Flagpro can check whether the target system is using Japanese, Taiwanese, or English through detection of specific Windows Security and Internet Explorer dialog.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Flagpro has been used to execute the ipconfig /all command on a victim system.[1] |
| enterprise | T1049 | System Network Connections Discovery | Flagpro has been used to execute netstat -ano on a compromised host.[1] |
| enterprise | T1033 | System Owner/User Discovery | Flagpro has been used to run the whoami command on the system.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Flagpro has relied on users clicking a malicious attachment delivered through spearphishing.[1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0098 | BlackTech | [1] |