SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sharpstage (Back to overview)

SharpStage

aka: LastConn

Actor(s): Molerats


The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called “Stage_One”. SharpStage can take screenshots, run arbitrary commands and downloads additional payloads. It exfiltrates data from the infected machine to a dropbox account by implementing a dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the middle east.

References
2021-07-060ffset BlogDaniel Bunce, 0verfl0w_
@online{bunce:20210706:new:36ccc46, author = {Daniel Bunce and 0verfl0w_}, title = {{New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings}}, date = {2021-07-06}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/}, language = {English}, urldate = {2021-07-11} } New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings
SharpStage
2020-12-09CybereasonCybereason Nocturnus
@online{nocturnus:20201209:new:ef00418, author = {Cybereason Nocturnus}, title = {{New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign}}, date = {2020-12-09}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign}, language = {English}, urldate = {2020-12-10} } New Malware Arsenal Abusing Cloud Platforms in Middle East Espionage Campaign
DropBook MoleNet Quasar RAT SharpStage Spark

There is no Yara-Signature yet.