StreamEx

StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016 it was distributed through compromised, otherwise legitimate Korean websites.[1]

ID: S0142
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

StreamEx has the ability to remotely execute commands.[1]

Enterprise T1543.003 Create or Modify System Process: Windows Service

StreamEx establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start.[1]

Enterprise T1083 File and Directory Discovery

StreamEx has the ability to enumerate drive types.[1]

Enterprise T1112 Modify Registry

StreamEx has the ability to modify the Registry.[1]

Enterprise T1027 Obfuscated Files or Information

StreamEx obfuscates some commands by assembling them at runtime from statically programmed string fragments when starting a DLL, so the complete command never appears as one contiguous string in the binary. It also encodes its configuration data with a single-byte XOR using the key 0x91.[1]
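A decoder for the configuration scheme described above, added here as an example; it is not code from the page, from MITRE, or from the malware itself. The key 0x91 is the value the page reports. Everything else is an assumption made for the demo: the configuration is modelled as a fixed-size, NUL-padded `key=value;key=value` block (a common layout, but not one the page attributes to StreamEx), and the sample blob is constructed, not a real sample. The NUL-padding assumption is what makes the key recoverable from ciphertext alone, since every padding byte encodes to `0x00 ^ key == key`.

```python
"""Decode a StreamEx-style configuration blob XOR-encoded with a single byte.

Added example, not the malware's code. Key 0x91 is from the page; the
fixed-size NUL-padded key=value layout and the sample blob are constructed
assumptions for the demo.
"""
from collections import Counter

STREAMEX_KEY = 0x91   # reported on the page
CONFIG_SIZE = 128     # assumption: fixed-size, NUL-padded config structure


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same step."""
    return bytes(b ^ key for b in data)


def build_sample_config(fields: dict) -> bytes:
    """Constructed plaintext: 'k=v;k=v' padded with NUL bytes to CONFIG_SIZE."""
    body = ";".join(f"{k}={v}" for k, v in fields.items()).encode("ascii")
    if len(body) >= CONFIG_SIZE:
        raise ValueError("config too long for the fixed-size layout")
    return body.ljust(CONFIG_SIZE, b"\x00")


def recover_single_byte_key(encoded: bytes) -> int:
    """Guess the key from ciphertext only.

    When NUL padding dominates the plaintext, the most frequent ciphertext
    byte is the key itself, because 0x00 ^ key == key.
    """
    return Counter(encoded).most_common(1)[0][0]


def parse_config(decoded: bytes) -> dict:
    """Strip the NUL padding and split 'k=v;k=v' into a dict."""
    text = decoded.rstrip(b"\x00").decode("ascii")
    return dict(item.split("=", 1) for item in text.split(";") if item)


def decode_config(encoded: bytes, key: int = STREAMEX_KEY) -> dict:
    """Decode with a known key and parse the result."""
    return parse_config(xor_single_byte(encoded, key))


# Constructed sample: encode a fake config so the decoder has input to work on.
# The C2 host uses the reserved .invalid TLD and is not a real indicator.
SAMPLE_FIELDS = {"c2": "update.example.invalid:443", "sleep": "300", "id": "demo"}
SAMPLE_ENCODED = xor_single_byte(build_sample_config(SAMPLE_FIELDS), STREAMEX_KEY)

if __name__ == "__main__":
    guessed = recover_single_byte_key(SAMPLE_ENCODED)
    print(f"recovered key: 0x{guessed:02x}")
    print(decode_config(SAMPLE_ENCODED, guessed))
```

The frequency trick only works when one plaintext byte value dominates; on a densely packed config with no padding, fall back to trying all 256 keys and scoring each decode for printable ASCII, or XOR against a known plaintext fragment (a crib) at a known offset.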

Enterprise T1057 Process Discovery

StreamEx has the ability to enumerate processes.[1]

Enterprise T1518.001 Software Discovery: Security Software Discovery

StreamEx has the ability to scan for security software such as firewalls and antivirus products.[1]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

StreamEx uses rundll32.exe to call an exported function of its DLL.[1]
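A hunting check that ties together the two behaviours above (the auto-start service pointing at the DLL under T1543.003, and the rundll32 call to an exported function under T1218.011), added here as an example; it is not code from the page, from MITRE, or from the malware. It parses the text of Windows System log event 7045 (Service Control Manager, "A service was installed in the system") and flags services whose binary path is rundll32.exe invoking a DLL export, escalating when the service is set to auto-start or the DLL sits in a user-writable directory. The event records are constructed to mimic that event's fields; the service names, paths and export names are made up, and the list of suspicious directories is an assumption for the demo.

```python
"""Hunt for a StreamEx-style persistence chain in Windows 7045 service-install events.

Added example, not StreamEx code or MITRE tooling. The sample events below
are CONSTRUCTED to resemble event 7045 messages; none is real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "Start Type" values as event 7045 renders them for services that start without a user.
AUTO_START_TYPES = {"auto start", "boot start", "system start"}

# Assumption for the demo: DLLs loaded from these locations deserve a closer look.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")

# rundll32[.exe] <dll>,<export>  (export may be a name or an ordinal such as #2)
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>[#\w]+)',
    re.IGNORECASE,
)


@dataclass
class ServiceInstall:
    service_name: str
    image_path: str
    start_type: str


@dataclass
class Finding:
    service_name: str
    dll: str
    export: str
    reasons: tuple


def parse_7045(record: str) -> ServiceInstall:
    """Pull the three fields we need out of a 'Key: value' style 7045 message."""
    fields = dict(re.findall(r"(Service Name|Service File Name|Start Type):\s*(.+)", record))
    return ServiceInstall(
        fields["Service Name"].strip(),
        fields["Service File Name"].strip(),
        fields["Start Type"].strip().lower(),
    )


def assess(svc: ServiceInstall) -> Optional[Finding]:
    """Return a Finding when the service binary is rundll32 calling a DLL export."""
    m = RUNDLL32_RE.search(svc.image_path)
    if not m:
        return None  # only the rundll32-hosted DLL pattern is in scope here
    reasons = ["service binary is rundll32 calling a DLL export (T1218.011)"]
    if svc.start_type in AUTO_START_TYPES:
        reasons.append("service starts automatically (T1543.003 persistence)")
    dll = m.group("dll")
    if any(d in dll.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("DLL lives in a user-writable directory")
    return Finding(svc.service_name, dll, m.group("export"), tuple(reasons))


def hunt(events) -> list:
    """Run every event through the parser and keep the hits."""
    return [f for f in (assess(parse_7045(e)) for e in events) if f]


def sample_7045(name: str, path: str, start: str) -> str:
    """Build a constructed 7045-style message carrying only the fields we parse."""
    return (f"Service Name: {name}\nService File Name: {path}\n"
            f"Service Type: user mode service\nStart Type: {start}\n"
            f"Service Account: LocalSystem")


# Constructed sample events: one benign EXE service, one StreamEx-style chain,
# one rundll32-hosted DLL that is demand-start and under System32.
SAMPLE_EVENTS = [
    sample_7045("ExampleUpdater", r"C:\Program Files\Example\updater.exe", "auto start"),
    sample_7045("WinHelpSvc",
                r'C:\Windows\System32\rundll32.exe "C:\ProgramData\winhelp.dll",ServiceMain',
                "auto start"),
    sample_7045("LegacyPrintSvc", r"rundll32.exe C:\Windows\System32\legacyprint.dll,#2",
                "demand start"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f.service_name, f.dll, f.export, *f.reasons, sep=" | ")
```

On a live host the same messages come from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}`; feed each event's `Message` to `parse_7045`. A service that hits all three reasons (rundll32 host, auto-start, DLL in a user-writable path) matches the chain the page describes and is worth pulling the DLL for analysis.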

Enterprise T1082 System Information Discovery

StreamEx has the ability to enumerate system information.[1]

Groups That Use This Software

ID Name References
G0009 Deep Panda [1]

References