SUGARUSH
The MITRE Corporation
· Published 04/10/2022 23:48 · Modified 27/03/2026 01:03
Family
Essential information
- Confidence: 100/100
- Is family: Yes
- Published: 04/10/2022 23:48
- Modified: 27/03/2026 01:03
- Revoked: No
- Author / Source: The MITRE Corporation
- Related entities: 28 attack patterns (MITRE), 5 sectors, 1 country, 20 indicators, 1 campaign, 1 campaigns
Description
[SUGARUSH](https://attack.mitre.org/software/S1049) is a small custom backdoor that can establish a reverse shell over TCP to a hard-coded C2 address. [SUGARUSH](https://attack.mitre.org/software/S1049) was first identified during analysis of UNC3890's [C0010](https://attack.mitre.org/campaigns/C0010) campaign targeting Israeli companies, which began in late 2020.(Citation: Mandiant UNC3890 Aug 2022)
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.
Attack patterns (MITRE) (28)
- T1571 Non-Standard Port (uses, MITRE)
- T1071 Application Layer Protocol (uses, MITRE)
- T1543 Create or Modify System Process (uses, MITRE)
- T1587 Develop Capabilities (uses, MITRE)
- T1059 Command and Scripting Interpreter (uses, MITRE)
- T1555 Credentials from Password Stores (uses, MITRE)
- T1588 Obtain Capabilities (uses, MITRE)
- T1199 Trusted Relationship (uses, MITRE)
- T1566 Phishing (uses, MITRE)
- T1059.003 Windows Command Shell (uses, MITRE)
- T1036 Masquerading (uses, MITRE)
Sectors (5)
- Energy (targets)
- Transportation (targets)
- Healthcare (targets)
- Government (targets)
- Air transport (targets)
Countries (1)
- Israel (targets)
Indicators (20)
- Delphi: SHA256 of ae0a16b6feddd53d1d52ff50d85a42d5 (STIX, 100/100, revoked; valid until 21/11/2023; source: AlienVault)
- SHA256 of 9c8788e7ae87ae4f46bfe5ba7b7aa938 (STIX, 100/100, revoked; valid until 21/11/2023; source: AlienVault)
- TEL:NoPowShell!msil: SHA256 of 69b2ab3369823032991d4b306a170425 (STIX, 100/100, revoked; valid until 21/11/2023; source: AlienVault)
- http://128.199.6.246/3-Video-VLC.exe (indicates; STIX, 100/100, revoked; valid until 04/10/2022; source: AlienVault)
- Trojan:Win32/Meterpreter.O: SHA256 of d47bbec805c00a549ab364d20a884519 (STIX, 100/100, revoked; valid until 21/11/2023; source: AlienVault)
- Metasploit: SHA256 of 6dbd612bbc7986cf8beb9984b473330a (STIX, 100/100, revoked; valid until 21/11/2023; source: AlienVault)
- Win32:TrojanX-gen [Trj]: SHA256 of e125ed072fc4529687d98cf4c62e283e (STIX, 100/100, revoked; valid until 21/11/2023; source: AlienVault)
Campaign (1)
- C0010 (uses)
Campaigns (1)
- C0010