S1018 Saint Bot

Saint Bot is a .NET downloader that has been used by Ember Bear since at least March 2021.[1][2]

| Item | Value |
| --- | --- |
| ID | S1018 |
| Version | 1.0 |
| Created | 09 June 2022 |
| Last Modified | 09 June 2022 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Saint Bot has attempted to bypass UAC using fodhelper.exe to escalate privileges.[2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Saint Bot has used HTTP for C2 communications.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Saint Bot has established persistence by being copied to the Startup directory or through the \Software\Microsoft\Windows\CurrentVersion\Run registry key.[1][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Saint Bot has used PowerShell for execution.[2] |
| enterprise | T1059.003 | Windows Command Shell | Saint Bot has used cmd.exe and .bat scripts for execution.[2] |
| enterprise | T1059.005 | Visual Basic | Saint Bot has used .vbs scripts for execution.[2] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Saint Bot has used Base64 to encode its C2 communications.[1] |
| enterprise | T1005 | Data from Local System | Saint Bot can collect files and information from a compromised host.[1] |
| enterprise | T1622 | Debugger Evasion | Saint Bot has used is_debugger_present as part of its environmental checks.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Saint Bot can deobfuscate strings and files for execution.[1] |
| enterprise | T1083 | File and Directory Discovery | Saint Bot can search a compromised host for specific files.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Saint Bot can run a batch script named del.bat to remove any Saint Bot payload-linked files from a compromised system if anti-analysis or locale checks fail.[2] |
| enterprise | T1105 | Ingress Tool Transfer | Saint Bot can download additional files onto a compromised host.[2] |
| enterprise | T1036 | Masquerading | Saint Bot has renamed malicious binaries as wallpaper.mp4 and slideshow.mp4 to avoid detection.[1][2] |
| enterprise | T1036.005 | Match Legitimate Name or Location | Saint Bot has been disguised as a legitimate executable, including as Windows SDK.[1] |
| enterprise | T1106 | Native API | Saint Bot has used different API calls, including GetProcAddress, VirtualAllocEx, WriteProcessMemory, CreateProcessA, and SetThreadContext.[1][2] |
| enterprise | T1027 | Obfuscated Files or Information | Saint Bot has been obfuscated to help avoid detection.[2] |
| enterprise | T1027.002 | Software Packing | Saint Bot has been packed using a dark market crypter.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Saint Bot has been distributed as malicious attachments within spearphishing emails.[1][2] |
| enterprise | T1566.002 | Spearphishing Link | Saint Bot has been distributed through malicious links contained within spearphishing emails.[2] |
| enterprise | T1057 | Process Discovery | Saint Bot has enumerated running processes on a compromised host to determine if it is running under the process name dfrgui.exe.[2] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Saint Bot has injected its DLL component into EhStorAuthn.exe.[1] |
| enterprise | T1055.004 | Asynchronous Procedure Call | Saint Bot has written its payload into a newly-created EhStorAuthn.exe process using ZwWriteVirtualMemory and executed it using NtQueueApcThread and ZwAlertResumeThread.[1] |
| enterprise | T1055.012 | Process Hollowing | The Saint Bot loader has used API calls to spawn MSBuild.exe in a suspended state before injecting the decrypted Saint Bot binary into it.[2] |
| enterprise | T1012 | Query Registry | Saint Bot has used check_registry_keys as part of its environmental checks.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Saint Bot has created a scheduled task named "Maintenance" to establish persistence.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.004 | InstallUtil | Saint Bot has used InstallUtil.exe to download and deploy executables.[1] |
| enterprise | T1218.010 | Regsvr32 | Saint Bot has used regsvr32 to execute scripts.[1][2] |
| enterprise | T1082 | System Information Discovery | Saint Bot can identify the OS version, CPU, and other details from a victim's machine.[1] |
| enterprise | T1614 | System Location Discovery | Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.[1][2] |
| enterprise | T1016 | System Network Configuration Discovery | Saint Bot can collect the IP address of a victim machine.[1] |
| enterprise | T1033 | System Owner/User Discovery | Saint Bot can collect the username from a compromised host.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Saint Bot has relied on users to click on a malicious link delivered via spearphishing.[2] |
| enterprise | T1204.002 | Malicious File | Saint Bot has relied upon users to execute a malicious attachment delivered via spearphishing.[1][2] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Saint Bot has run several virtual machine and sandbox checks, including checking if Sbiedll.dll is present in a list of loaded modules, comparing the machine name to HAL9TH and the user name to JohnDoe, and checking the BIOS version for known virtual machine identifiers.[2] |
| enterprise | T1497.003 | Time Based Evasion | Saint Bot has used the command timeout 20 to pause the execution of its initial loader.[2] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G1003 | Ember Bear | [2] |