Moneybird

Moneybird is a ransomware variant written in C++ and associated with Agrius operations. The name "Moneybird" appears in the malware's ransom note and as strings in the executable.[1]

ID: S1137
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 22 May 2024
Last Modified: 29 August 2024

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1486 | Data Encrypted for Impact | Moneybird targets a common set of file types such as documents, certificates, and database files for encryption while avoiding executables, dynamic-link libraries, and similar items.[1] |
| Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | Moneybird contains a configuration blob embedded in the malware itself.[1] |

Groups That Use This Software

ID Name References
G1030 Agrius

Moneybird is associated with ransomware operations launched by Agrius.[1]

References