SOFTWARE

Overview

3PARA RAT

4H RAT

adbupd

Adups

ADVSTORESHELL

Agent Tesla

Agent.btz

Allwinner

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AndroRAT

Arp

ASPXSpy

Astaroth

at

AuditCred

AutoIt backdoor

Azorult

BabyShark

Backdoor.Oldrea

BACKSPACE

BADCALL

BADNEWS

BadPatch

Bandook

Bankshot

BBSRAT

BISCUIT

Bisonal

BITSAdmin

BLACKCOFFEE

BlackEnergy

BONDUPDATER

BOOSTWRITE

BOOTRASH

BrainTest

Brave Prince

Briba

BS2005

BUBBLEWRAP

Cachedump

CALENDAR

Calisto

CallMe

Cannon

Carbanak

Carbon

Cardinal RAT

Catchamas

CCBkdr

certutil

Chaos

Charger

ChChes

Cherry Picker

China Chopper

CHOPSTICK

CloudDuke

cmd

Cobalt Strike

Cobian RAT

CoinTicker

Comnie

ComRAT

CORALDECK

CORESHELL

CosmicDuke

CozyCar

Crimson

CrossRAT

DarkComet

Daserf

DDKONG

DealersChoice

Dendroid

Denis

Derusbi

Dipsind

DOGCALL

Dok

Downdelph

DownPaper

DressCode

Dridex

DroidJack

dsquery

DualToy

Duqu

DustySky

Dyre

Ebury

Elise

ELMER

Emissary

Emotet

Empire

Epic

esentutl

EvilBunny

EvilGrab

Exaramel for Linux

Exaramel for Windows

Exodus

Expand

FakeM

FALLCHILL

Felismus

FELIXROOT

Fgdump

Final1stspy

FinFisher

Flame

FLASHFLOOD

FlawedAmmyy

FlawedGrace

FlexiSpy

FLIPSIDE

Forfiles

FruitFly

FTP

Fysbis

Gazer

GeminiDuke

gh0st RAT

GLOOXMAIL

Gold Dragon

Gooligan

GravityRAT

GreyEnergy

GRIFFON

gsecdump

Gustuff

H1N1

Hacking Team UEFI Rootkit

HALFBAKED

HAMMERTOSS

HAPPYWORK

HARDRAIN

Havij

HAWKBALL

hcdLoader

HDoor

Helminth

Hi-Zor

HiddenWasp

HIDEDRV

Hikit

HOMEFRY

HOPLIGHT

HTRAN

HTTPBrowser

httpclient

HummingBad

HummingWhale

Hydraq

HyperBro

ifconfig

iKitten

Impacket

InnaputRAT

InvisiMole

Invoke-PSImage

ipconfig

ISMInjector

Ixeshe

Janicab

JCry

JHUHUGIT

JPIN

jRAT

Judy

KARAE

Kasidet

Kazuar

KeyBoy

Keydnap

KEYMARBLE

KeyRaider

Koadic

Komplex

KOMPROGO

KONNI

Kwampirs

LaZagne

LightNeuron

Linfo

Linux Rabbit

LockerGoga

LoJax

LOWBALL

Lslsass

Lurid

Machete

MacSpy

MailSniper

Marcher

Matroyshka

MazarBOT

meek

Micropsia

Mimikatz

MimiPenguin

Miner-C

MiniDuke

MirageFox

Mis-Type

Misdat

Mivast

MobileOrder

Monokle

MoonWind

More_eggs

Mosquito

MURKYTOP

Naid

NanHaiShu

NanoCore

NavRAT

nbtstat

NDiskMonitor

Nerex

Net

Net Crawler

NETEAGLE

netsh

netstat

NetTraveler

NETWIRE

Nidiran

njRAT

Nltest

NOKKI

NotCompatible

NotPetya

OBAD

OceanSalt

Octopus

OLDBAIT

OldBoot

Olympic Destroyer

OnionDuke

OopsIE

Orz

OSInfo

OSX/Shlayer

OSX_OCEANLOTUS.D

OwaAuth

P2P ZeuS

Pallas

Pasam

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

PHOREAL

PinchDuke

Ping

Pisloader

PJApps

PLAINTEE

PlugX

pngdowner

PoisonIvy

POORAIM

PoshC2

POSHSPY

Power Loader

PowerDuke

POWERSOURCE

PowerSploit

PowerStallion

POWERSTATS

POWERTON

POWRUNER

Prikormka

Proton

Proxysvc

PsExec

Psylo

Pteranodon

PUNCHBUGGY

PUNCHTRACK

Pupy

pwdump

QUADAGENT

QuasarRAT

RARSTONE

RATANKBA

RawDisk

RawPOS

RCSAndroid

RDFSNIFFER

Reaver

RedDrop

RedLeaves

Reg

Regin

Remcos

Remexi

RemoteCMD

Remsec

Responder

Revenge RAT

RGDoor

Riltok

RIPTIDE

RobbinHood

ROCKBOOT

RogueRobin

ROKRAT

Rotexy

route

Rover

RTM

Ruler

RuMMS

RunningRAT

S-Type

Sakula

SamSam

schtasks

SDelete

SeaDuke

Seasalt

SEASHARPEE

ServHelper

Shamoon

ShiftyBug

SHIPSHAPE

SHOTPUT

SHUTTERSPEED

Skeleton Key

Skygofree

SLOWDRIFT

Smoke Loader

SNUGRIDE

Socksbot

SOUNDBITE

SPACESHIP

SpeakUp

spwebmember

SpyDealer

SpyNote RAT

sqlmap

SQLRat

SslMM

Starloader

Stealth Mango

StoneDrill

StreamEx

Sykipot

SynAck

Sys10

Systeminfo

T9000

Taidoor

Tangelo

Tasklist

TDTESS

TEXTMATE

TINYTYPHON

TinyZBot

Tor

TrickBot

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Trojan.Mebromi

Truvasys

TURNEDUP

Twitoor

TYPEFRAME

UACMe

UBoatRAT

Umbreon

Unknown Logger

UPPERCUT

Uroburos

Ursnif

USBStealer

Vasport

VERMIN

Volgmer

WannaCry

WEBC2

Wiarp

Windows Credential Editor

WINDSHIELD

WINERACK

Winexe

Wingbird

WinMM

Winnti

Wiper

WireLurker

X-Agent for Android

XAgentOSX

Xbash

Xbot

xCmd

XcodeGhost

XLoader

XTunnel

Yahoyah

YiSpecter

yty

Zebrocy

ZergHelper

Zeroaccess

ZeroT

Zeus Panda

ZLib

zwShell

ZxShell

SOFTWARE

Overview

1-9

3PARA RAT

4H RAT

A-B

adbupd

Adups

ADVSTORESHELL

Agent Tesla

Agent.btz

Allwinner

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AndroRAT

Arp

ASPXSpy

Astaroth

at

AuditCred

AutoIt backdoor

Azorult

BabyShark

Backdoor.Oldrea

BACKSPACE

BADCALL

BADNEWS

BadPatch

Bandook

Bankshot

BBSRAT

BISCUIT

Bisonal

BITSAdmin

BLACKCOFFEE

BlackEnergy

BONDUPDATER

BOOSTWRITE

BOOTRASH

BrainTest

Brave Prince

Briba

BS2005

BUBBLEWRAP

C-D

Cachedump

CALENDAR

Calisto

CallMe

Cannon

Carbanak

Carbon

Cardinal RAT

Catchamas

CCBkdr

certutil

Chaos

Charger

ChChes

Cherry Picker

China Chopper

CHOPSTICK

CloudDuke

cmd

Cobalt Strike

Cobian RAT

CoinTicker

Comnie

ComRAT

CORALDECK

CORESHELL

CosmicDuke

CozyCar

Crimson

CrossRAT

DarkComet

Daserf

DDKONG

DealersChoice

Dendroid

Denis

Derusbi

Dipsind

DOGCALL

Dok

Downdelph

DownPaper

DressCode

Dridex

DroidJack

dsquery

DualToy

Duqu

DustySky

Dyre

E-F

Ebury

Elise

ELMER

Emissary

Emotet

Empire

Epic

esentutl

EvilBunny

EvilGrab

Exaramel for Linux

Exaramel for Windows

Exodus

Expand

FakeM

FALLCHILL

Felismus

FELIXROOT

Fgdump

Final1stspy

FinFisher

Flame

FLASHFLOOD

FlawedAmmyy

FlawedGrace

FlexiSpy

FLIPSIDE

Forfiles

FruitFly

FTP

Fysbis

G-H

Gazer

GeminiDuke

gh0st RAT

GLOOXMAIL

Gold Dragon

Gooligan

GravityRAT

GreyEnergy

GRIFFON

gsecdump

Gustuff

H1N1

Hacking Team UEFI Rootkit

HALFBAKED

HAMMERTOSS

HAPPYWORK

HARDRAIN

Havij

HAWKBALL

hcdLoader

HDoor

Helminth

Hi-Zor

HiddenWasp

HIDEDRV

Hikit

HOMEFRY

HOPLIGHT

HTRAN

HTTPBrowser

httpclient

HummingBad

HummingWhale

Hydraq

HyperBro

I-J

ifconfig

iKitten

Impacket

InnaputRAT

InvisiMole

Invoke-PSImage

ipconfig

ISMInjector

Ixeshe

Janicab

JCry

JHUHUGIT

JPIN

jRAT

Judy

K-L

KARAE

Kasidet

Kazuar

KeyBoy

Keydnap

KEYMARBLE

KeyRaider

Koadic

Komplex

KOMPROGO

KONNI

Kwampirs

LaZagne

LightNeuron

Linfo

Linux Rabbit

LockerGoga

LoJax

LOWBALL

Lslsass

Lurid

M-N

Machete

MacSpy

MailSniper

Marcher

Matroyshka

MazarBOT

meek

Micropsia

Mimikatz

MimiPenguin

Miner-C

MiniDuke

MirageFox

Mis-Type

Misdat

Mivast

MobileOrder

Monokle

MoonWind

More_eggs

Mosquito

MURKYTOP

Naid

NanHaiShu

NanoCore

NavRAT

nbtstat

NDiskMonitor

Nerex

Net

Net Crawler

NETEAGLE

netsh

netstat

NetTraveler

NETWIRE

Nidiran

njRAT

Nltest

NOKKI

NotCompatible

NotPetya

O-P

OBAD

OceanSalt

Octopus

OLDBAIT

OldBoot

Olympic Destroyer

OnionDuke

OopsIE

Orz

OSInfo

OSX/Shlayer

OSX_OCEANLOTUS.D

OwaAuth

P2P ZeuS

Pallas

Pasam

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

PHOREAL

PinchDuke

Ping

Pisloader

PJApps

PLAINTEE

PlugX

pngdowner

PoisonIvy

POORAIM

PoshC2

POSHSPY

Power Loader

PowerDuke

POWERSOURCE

PowerSploit

PowerStallion

POWERSTATS

POWERTON

POWRUNER

Prikormka

Proton

Proxysvc

PsExec

Psylo

Pteranodon

PUNCHBUGGY

PUNCHTRACK

Pupy

pwdump

Q-R

QUADAGENT

QuasarRAT

RARSTONE

RATANKBA

RawDisk

RawPOS

RCSAndroid

RDFSNIFFER

Reaver

RedDrop

RedLeaves

Reg

Regin

Remcos

Remexi

RemoteCMD

Remsec

Responder

Revenge RAT

RGDoor

Riltok

RIPTIDE

RobbinHood

ROCKBOOT

RogueRobin

ROKRAT

Rotexy

route

Rover

RTM

Ruler

RuMMS

RunningRAT

S-T

S-Type

Sakula

SamSam

schtasks

SDelete

SeaDuke

Seasalt

SEASHARPEE

ServHelper

Shamoon

ShiftyBug

SHIPSHAPE

SHOTPUT

SHUTTERSPEED

Skeleton Key

Skygofree

SLOWDRIFT

Smoke Loader

SNUGRIDE

Socksbot

SOUNDBITE

SPACESHIP

SpeakUp

spwebmember

SpyDealer

SpyNote RAT

sqlmap

SQLRat

SslMM

Starloader

Stealth Mango

StoneDrill

StreamEx

Sykipot

SynAck

Sys10

Systeminfo

T9000

Taidoor

Tangelo

Tasklist

TDTESS

TEXTMATE

TINYTYPHON

TinyZBot

Tor

TrickBot

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Trojan.Mebromi

Truvasys

TURNEDUP

Twitoor

TYPEFRAME

U-V

UACMe

UBoatRAT

Umbreon

Unknown Logger

UPPERCUT

Uroburos

Ursnif

USBStealer

Vasport

VERMIN

Volgmer

W-X

WannaCry

WEBC2

Wiarp

Windows Credential Editor

WINDSHIELD

WINERACK

Winexe

Wingbird

WinMM

Winnti

Wiper

WireLurker

X-Agent for Android

XAgentOSX

Xbash

Xbot

xCmd

XcodeGhost

XLoader

XTunnel

Y-Z

Yahoyah

YiSpecter

yty

Zebrocy

ZergHelper

Zeroaccess

ZeroT

Zeus Panda

ZLib

zwShell

ZxShell

TEXTMATE

TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017. ^[1]

ID: S0146

Associated Software: DNSMessenger

Type: MALWARE

Platforms: Windows

Version: 1.0

Associated Software Descriptions

Name	Description
DNSMessenger	Based on similar descriptions of functionality, it appears S0146, as named by FireEye, is the same as Stage 4 of a backdoor named DNSMessenger by Cisco's Talos Intelligence Group. However, FireEye appears to break DNSMessenger into two parts: S0145 and S0146. ^[2] ^[1]

Techniques Used

Domain	ID	Name	Use
Enterprise	T1059	Command-Line Interface	TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.^[1]^[2]
Enterprise	T1071	Standard Application Layer Protocol	TEXTMATE uses DNS TXT records for C2.^[1]

Groups That Use This Software

ID	Name	References
G0046	FIN7	^[1]

References

Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.

Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.