Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, and VB.NET. [1][2][3]

ID: S0251
Associated Software: Zekapab
Platforms: Windows
Contributors: Emily Ratliff, IBM
Version: 2.0
Created: 17 October 2018
Last Modified: 17 July 2019

Associated Software Descriptions

Name Description
Zekapab [8][6]

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, .xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz.[4][5]

Enterprise T1059 Command-Line Interface

Zebrocy uses cmd.exe to execute commands on the system.[5]

Enterprise T1503 Credentials from Web Browsers

Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.[5]

Enterprise T1094 Custom Command and Control Protocol

Zebrocy uses raw sockets to communicate with its C2 server.[1]

Enterprise T1132 Data Encoding

Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests.[6]

Enterprise T1022 Data Encrypted

Zebrocy uses an encryption method similar to RC4 as well as AES to encrypt data before exfiltration.[7][4]

Enterprise T1074 Data Staged

Zebrocy stores all collected information in a single file before exfiltration.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

Zebrocy decodes its secondary payload and writes it to the victim’s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads.[2][4]

Enterprise T1041 Exfiltration Over Command and Control Channel

Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests.[6]

Enterprise T1083 File and Directory Discovery

Zebrocy searches for files that are 60 MB or less and have the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the echo %APPDATA% command to list the contents of the directory. Zebrocy can obtain the current execution path as well as perform drive enumeration.[7][4][5][6]

Enterprise T1107 File Deletion

Zebrocy has a command to delete files and directories.[4][5]

Enterprise T1179 Hooking

Zebrocy installs an application-defined Windows hook to be notified when a network drive has been attached, so that it can then use the hook to call its RecordToFile file-stealing method.[7]

Enterprise T1037 Logon Scripts

Zebrocy performs persistence via adding a Registry key with a logon script.[4]

Enterprise T1135 Network Share Discovery

Zebrocy identifies network drives when they are added to victim systems.[7]

Enterprise T1120 Peripheral Device Discovery

Zebrocy enumerates information about connected storage devices.[2]

Enterprise T1057 Process Discovery

Zebrocy uses the tasklist and wmic process get Capture, ExecutablePath commands to gather the processes running on the system.[2][4][3][5][6]

Enterprise T1012 Query Registry

Zebrocy executes the reg query command to obtain information in the Registry.[5]

Enterprise T1060 Registry Run Keys / Startup Folder

Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.[4][5][6]

Enterprise T1105 Remote File Copy

Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.[1][2][5][6]

Enterprise T1113 Screen Capture

A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format.[2][4][3][5][6]

Enterprise T1045 Software Packing

Zebrocy's Delphi variant was packed with UPX.[3][6]

Enterprise T1071 Standard Application Layer Protocol

Zebrocy uses HTTP, SMTP, and POP3 for C2.[1][2][4][3][5][6]

Enterprise T1032 Standard Cryptographic Protocol

Zebrocy uses SSL and AES ECB for encrypting C2 communications.[4][5]

Enterprise T1082 System Information Discovery

Zebrocy collects the OS version, the computer name, and the serial number of the storage volume C:. Zebrocy also runs the systeminfo command to gather system information.[1][2][4][3][5][6]

Enterprise T1016 System Network Configuration Discovery

Zebrocy runs the ipconfig /all command.[5]

Enterprise T1049 System Network Connections Discovery

Zebrocy uses netstat -aon to gather network connection information.[5]

Enterprise T1033 System Owner/User Discovery

Zebrocy gets the username from the system.[4]

Enterprise T1124 System Time Discovery

Zebrocy gathers the current time zone and date information from the system.[4]

Enterprise T1065 Uncommonly Used Port

Zebrocy uses port 465 for C2.[4]

Enterprise T1047 Windows Management Instrumentation

One variant of Zebrocy uses WMI queries to gather information.[3]
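As an added, defender-side example (not part of this ATT&CK entry), the discovery commands listed under T1057, T1082, T1016, T1049, T1012 and T1083 above can be correlated per host from process-creation telemetry: a burst of several distinct discovery commands within minutes is the pattern worth alerting on, while the same commands spread over hours are ordinary administration. The record format, host names and sample events are constructed for the example.

```python
# Added example (not from the ATT&CK page): flag hosts where several of the
# discovery commands attributed to Zebrocy run inside a short time window.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines named in the T1057, T1082, T1016, T1049, T1012 and T1083 entries.
DISCOVERY_PATTERNS = {
    "tasklist":     re.compile(r"\btasklist\b", re.I),
    "wmic_process": re.compile(r"\bwmic\b.*\bprocess\s+get\b", re.I),
    "systeminfo":   re.compile(r"\bsysteminfo\b", re.I),
    "ipconfig_all": re.compile(r"\bipconfig\b.*/all\b", re.I),
    "netstat_aon":  re.compile(r"\bnetstat\b.*-aon\b", re.I),
    "reg_query":    re.compile(r"\breg\s+query\b", re.I),
    "echo_appdata": re.compile(r"\becho\b.*%APPDATA%", re.I),
}

def parse_event(line):
    """Parse a constructed 'ISO-timestamp|host|image|command line' record."""
    ts, host, image, cmdline = line.split("|", 3)
    return datetime.fromisoformat(ts), host, image, cmdline

def find_discovery_clusters(events, min_distinct=4, window=timedelta(minutes=5)):
    """Hosts where >= min_distinct distinct discovery commands fall in one window."""
    by_host = defaultdict(list)
    for line in events:
        ts, host, _image, cmdline = parse_event(line)
        for name, rx in DISCOVERY_PATTERNS.items():
            if rx.search(cmdline):
                by_host[host].append((ts, name))
    hits = {}
    for host, seen in by_host.items():
        seen.sort()  # chronological; each matching event starts a candidate window
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= window}
            if len(names) >= min_distinct:
                hits[host] = sorted(names)
                break
    return hits

# Constructed records, not real telemetry: WS01 bursts, WS02 is sporadic admin use.
SAMPLE_EVENTS = [
    "2019-07-17T10:00:01|WS01|cmd.exe|tasklist",
    "2019-07-17T10:00:02|WS01|cmd.exe|wmic process get Capture, ExecutablePath",
    "2019-07-17T10:00:04|WS01|cmd.exe|systeminfo",
    "2019-07-17T10:00:05|WS01|cmd.exe|ipconfig /all",
    "2019-07-17T10:00:07|WS01|cmd.exe|echo %APPDATA%",
    "2019-07-17T09:00:00|WS02|cmd.exe|ipconfig /all",
    "2019-07-17T11:30:00|WS02|cmd.exe|netstat -aon",
    "2019-07-17T12:45:00|WS02|cmd.exe|systeminfo",
]
```

Calling find_discovery_clusters(SAMPLE_EVENTS) reports only WS01; widening the window or lowering min_distinct trades recall for false positives on hosts like WS02.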

Groups That Use This Software

ID Name References
G0007 APT28 [1] [2] [7] [3] [5]