| ID | Objective(s) | Related ATT&CK Techniques | Version | Created | Last Modified |
|---|---|---|---|---|---|
| C0051 | File System | None | 2.3 | 4 December 2020 | 30 April 2024 |
Malware reads a file.
| Name | Date | Method | Description |
|---|---|---|---|
| Dark Comet | 2008 | -- | Dark Comet reads files on Windows. [1] |
| DNSChanger | 2011 | -- | DNSChanger reads files on Windows. [1] |
| Gamut | 2014 | -- | Gamut reads files on Windows. [1] |
| GravityRAT | 2018 | -- | GravityRAT reads files on Windows. [1] |
| Hupigon | 2013 | -- | Hupigon reads files on Windows. [1] |
| Kovter | 2016 | -- | Kovter reads files on Windows. [1] |
| Locky Bart | 2017 | -- | Locky Bart reads files on Windows. [1] |
| Mebromi | 2011 | -- | Mebromi reads files on Windows. [1] |
| Poison Ivy | 2005 | -- | Poison Ivy reads files on Windows. [1] |
| Redhip | 2011 | -- | Redhip reads files on Windows. [1] |
| Rombertik | 2015 | -- | Rombertik reads files on Windows. [1] |
| SamSam | 2015 | -- | SamSam reads files on Windows. [1] |
| Shamoon | 2012 | -- | Shamoon reads files on Windows. [1] |
| UP007 | 2016 | -- | UP007 reads files on Windows. [1] |
Tool: capa

| capa rule | Mapping | APIs |
|---|---|---|
| read file on Windows | Read File (C0051) | kernel32.ReadFile, ReadFileEx, NtReadFile, ZwReadFile, LZRead, _read, fread, System.IO.File::ReadAllBytes, System.IO.File::ReadAllBytesAsync, System.IO.File::ReadAllLines, System.IO.File::ReadAllLinesAsync, System.IO.File::ReadAllText, System.IO.File::ReadAllTextAsync, System.IO.File::ReadLines |
| read file via mapping | Read File (C0051) | kernel32.MapViewOfFile, kernel32.UnmapViewOfFile, kernel32.CreateFileMapping |
| read file on Linux | Read File (C0051) | fgetc, fgets, getc, getchar, read, getline, getdelim, fgetwc, getwc, fscanf, vfscanf, fread |
| read .ini file | Read File (C0051) | GetPrivateProfileInt, GetPrivateProfileString, GetPrivateProfileStruct, GetPrivateProfileSection, GetPrivateProfileSectionNames, GetFullPathName |
File System::Read File

SHA256: e5897829835f3e9fbab71674ca06f48ff127ec014d1629817f0566203c93b732
Location: 0x401762

```asm
mov r9, rdi                          ; variable that will hold number of bytes actually read from file
mov r8d, ebx                         ; number of bytes to read
mov param_2, rsi                     ; pointer to buffer that will hold content read from file
mov param_1, r12                     ; handle to the device/file to read from
mov qword ptr [rsp + local_58], 0x0  ; optional pointer to OVERLAPPED structure (in this case, it is NULL)
call qword ptr [->KERNEL32.DLL::ReadFile] ; API call to read file specified in param_1
```
[1] capa v4.0, analyzed at MITRE on 10/12/2022