The sub-techniques beta is now live! Read the release blog post for more info.


TA505 is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.[1][2][3]

ID: G0092
Version: 1.0
Created: 28 May 2019
Last Modified: 24 June 2019

Techniques Used

Domain ID Name Use
Enterprise T1116 Code Signing

TA505 has signed payloads with code signing certificates from Thawte and Sectigo.[4][7]

Enterprise T1503 Credentials from Web Browsers

TA505 has used malware to gather credentials from Internet Explorer.[1]

Enterprise T1081 Credentials in Files

TA505 has used malware to gather credentials from FTP clients and Outlook.[1]

Enterprise T1486 Data Encrypted for Impact

TA505 has used a wide variety of ransomware, such as Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[1]

Enterprise T1173 Dynamic Data Exchange

TA505 has leveraged malicious Word documents that abused DDE.[2]

Enterprise T1027 Obfuscated Files or Information

TA505 has password-protected malicious Word documents and used base64 encoded PowerShell commands.[1][4][7]

Enterprise T1086 PowerShell

TA505 has used PowerShell to download and execute malware and reconnaissance scripts.[1][5][4][7]

Enterprise T1105 Remote File Copy

TA505 has downloaded additional malware to execute on victim systems.[4][7][5]

Enterprise T1085 Rundll32

TA505 has leveraged rundll32.exe to execute malicious DLLs.[4][7]

Enterprise T1064 Scripting

TA505 has used PowerShell, VBS, and JavaScript for code execution.[1][2]

Enterprise T1218 Signed Binary Proxy Execution

TA505 has used msiexec to download and execute malicious Windows Installer files.[4][7]

Enterprise T1193 Spearphishing Attachment

TA505 has used spearphishing emails with malicious attachments to initially compromise victims.[1][2][3][4][5][6]

Enterprise T1192 Spearphishing Link

TA505 has sent spearphishing emails containing malicious links.[1][3]

Enterprise T1204 User Execution

TA505 has used lures to get users to click links in emails and attachments, enable content in malicious attachments, and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [1][2][3][4][5][6]


ID Name References Techniques
S0384 Dridex [1] [2] Connection Proxy, Man in the Browser, Remote Access Tools, Standard Application Layer Protocol, Standard Cryptographic Protocol
S0381 FlawedAmmyy [6] Commonly Used Port, Data Obfuscation, Peripheral Device Discovery, Permission Groups Discovery, Security Software Discovery, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0383 FlawedGrace [3] Commonly Used Port, Custom Command and Control Protocol, Obfuscated Files or Information
S0382 ServHelper [3] [4] [7] Command-Line Interface, Commonly Used Port, Create Account, File Deletion, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Rundll32, Scheduled Task, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Owner/User Discovery
S0266 TrickBot [1] Account Discovery, Commonly Used Port, Credentials from Web Browsers, Credentials in Files, Credentials in Registry, Custom Cryptographic Protocol, Data from Local System, Deobfuscate/Decode Files or Information, Disabling Security Tools, Domain Trust Discovery, Email Collection, Execution through API, File and Directory Discovery, Hooking, Man in the Browser, Modify Registry, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Scheduled Task, Scripting, Software Packing, Spearphishing Attachment, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Service Discovery, Uncommonly Used Port, User Execution