Domain | ID | Name | Use
---|---|---|---
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Exbyte decodes and decrypts data stored in the configuration file with a key provided on the command line during execution.[2]
Enterprise | T1480 | Execution Guardrails | Exbyte checks for the presence of a configuration file before completing execution.[2]
Enterprise | T1567 | Exfiltration Over Web Service | Exbyte exfiltrates collected data to online file hosting sites such as
Enterprise | T1083 | File and Directory Discovery | Exbyte enumerates all document files on an infected machine, then creates a summary of these items including filename and directory location prior to exfiltration to cloud hosting services.[1]
Enterprise | T1070.004 | Indicator Removal: File Deletion | Exbyte will self-delete if a hard-coded configuration file is not found.[2]
Enterprise | T1106 | Native API | Exbyte calls
Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | Exbyte checks whether the process is running with privileged local access during execution.[2]
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Exbyte checks for the presence of various security software products during execution.[1]
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Exbyte performs various checks to determine if it is running in a sandboxed environment to prevent analysis.[1]
ID | Name | References
---|---|---
G1043 | BlackByte | BlackByte used Exbyte for automated file collection and exfiltration.[1][2]