SharpStage (Malware Family)

SharpStage

aka: LastConn

The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called “Stage_One”. SharpStage can take screenshots, run arbitrary commands and downloads additional payloads. It exfiltrates data from the infected machine to a dropbox account by implementing a dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the middle east.

References

2021-07-06 ⋅ 0ffset Blog ⋅ 0verfl0w_, Daniel Bunce
New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings
SharpStage

2020-12-09 ⋅ Cybereason ⋅ Cybereason Nocturnus
New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign
DropBook MoleNet Quasar RAT SharpStage Spark

2020-12-09 ⋅ Cybereason ⋅ Cybereason Nocturnus Team
MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign
DropBook JhoneRAT Molerat Loader Pierogi Quasar RAT SharpStage Spark

There is no Yara-Signature yet.

SharpStage Propose Change

References

SharpStage