S1137 Moneybird
Moneybird is a ransomware variant written in C++ associated with Agrius operations. The name “Moneybird” appears in the malware’s ransom note and as strings in the executable.[1]
| Item | Value |
|---|---|
| ID | S1137 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 22 May 2024 |
| Last Modified | 29 August 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1486 | Data Encrypted for Impact | Moneybird targets a common set of file types such as documents, certificates, and database files for encryption while avoiding executables, dynamic-link libraries, and similar items.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.009 | Embedded Payloads | Moneybird contains a configuration blob embedded in the malware itself.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1030 | Agrius | Moneybird is associated with ransomware operations launched by Agrius.[1] |