
S1137: Moneybird

Moneybird is a ransomware variant written in C++ associated with Agrius operations. The name "Moneybird" is contained in the malware's ransom note and as strings in the executable.[1]

Domain: Enterprise | ID: S1137 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Moneybird matters because it is a Windows ransomware variant associated in ATT&CK with Agrius operations and linked to data encryption for impact. For leaders, the practical issue is not just malware identification; it is whether the organization can prevent, detect, contain, and recover from file-encryption activity before business operations, evidence retention, and incident decision-making are disrupted.

Executive priority

Prioritize Moneybird as a ransomware-readiness validation item: confirm that critical Windows environments have resilient backups, practiced restoration paths, endpoint visibility, and incident response playbooks for encryption events. Because ATT&CK provides no official detection guidance for this software, executives should ask for evidence of coverage against the related behaviors (embedded payload concealment and data encryption for impact) rather than accepting a claim of detection by tool name.

Technical view

SOC and IR teams should validate controls against the supplied relationships: T1027.009 Embedded Payloads and T1486 Data Encrypted for Impact. On Windows, focus on whether endpoint and file-system telemetry can surface suspicious executable content with embedded payloads, abnormal file rewrite/encryption patterns, ransom-note creation, and process behavior consistent with ransomware impact. Detection engineering should treat the Moneybird name, ransom-note strings, and executable strings as supporting context, not sufficient coverage by themselves.

Likely telemetry

  • Windows endpoint process execution telemetry
  • File creation, modification, rename, and mass-write activity on local and accessible drives
  • Endpoint security alerts for suspicious or packed/embedded payload content
  • Ransom note file creation or strings referencing Moneybird where available
  • Hash, filename, path, command-line, parent process, and user context for suspicious executables

Detection direction

  • Validate behavior-based detection for rapid or high-volume file encryption/modification rather than relying only on malware family names.
  • Review alerting for executables or scripts carrying embedded payloads, with tuning to reduce false positives from legitimate installers and self-extracting archives.
  • Correlate endpoint process activity with file-system changes and ransom-note creation to distinguish ransomware impact from normal bulk file operations.
  • Ensure SOC triage captures user, host, share, and process lineage so responders can quickly decide isolation and recovery steps.
  • Document that ATT&CK provides no official detection text for Moneybird; any local analytics should be tested against the related techniques, not assumed from the ATT&CK entry alone.
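The detection direction above (burst detection on file writes, installer false-positive tuning, and correlation with ransom-note creation) can be expressed as a small analytic. The Python below is an added example, not code from MITRE, Glexia or the Check Point report: it runs over constructed file-system events in an assumed pipe-separated format, and the extension lists, the ransom-note name pattern, the 10-second window and the 8-write threshold are assumptions to be tuned against local telemetry. The data-file versus executable split follows the T1486 relationship note on this page (documents, certificates and databases are encrypted; executables and DLLs are avoided), which is also what lets a legitimate installer be scored down rather than alerted on.

```python
"""Behaviour-based ransomware impact analytic over constructed file-system events.

Added example; not code from the ATT&CK entry, Glexia or the cited Check Point
report. The event format, extension lists, ransom-note name pattern, window and
threshold are assumptions. Each process is scored on three signals: a burst of
modify/rename events on data files inside a sliding window, whether it also
rewrites executables/DLLs (installers do, ransomware avoids them), and whether
it created a file whose name looks like a ransom note.
"""
from collections import defaultdict, deque
import re

# Constructed telemetry, assumed format: epoch_seconds|host|pid|image|op|path
SAMPLE_EVENTS = r"""
1700000000.0|WS01|4412|C:\Windows\System32\svchost.exe|MODIFY|C:\ProgramData\cache\a.tmp
1700000001.0|WS01|5128|C:\Users\alice\AppData\Local\Temp\upd.exe|MODIFY|C:\Users\alice\Documents\q3.xlsx
1700000001.5|WS01|5128|C:\Users\alice\AppData\Local\Temp\upd.exe|MODIFY|C:\Users\alice\Documents\plan.docx
1700000002.0|WS01|5128|C:\Users\alice\AppData\Local\Temp\upd.exe|MODIFY|C:\Users\alice\Documents\contract.pdf
1700000002.5|WS01|5128|C:\Users\alice\AppData\Local\Temp\upd.exe|MODIFY|C:\Users\alice\Documents\client.pfx
1700000003.0|WS01|5128|C:\Users\alice\AppData\Local\Temp\upd.exe|MODIFY|C:\Users\alice\Documents\crm.mdb
1700000003.5|WS01|5128|C:\Users\alice\AppData\Local\Temp\upd.exe|MODIFY|C:\Users\alice\Documents\deck.pptx
1700000004.0|WS01|5128|C:\Users\alice\AppData\Local\Temp\upd.exe|MODIFY|C:\Users\alice\Documents\notes.txt
1700000004.5|WS01|5128|C:\Users\alice\AppData\Local\Temp\upd.exe|MODIFY|C:\Users\alice\Documents\root.cer
1700000005.0|WS01|5128|C:\Users\alice\AppData\Local\Temp\upd.exe|MODIFY|C:\Users\alice\Documents\app.sqlite
1700000005.5|WS01|5128|C:\Users\alice\AppData\Local\Temp\upd.exe|RENAME|C:\Users\alice\Documents\old.docx
1700000006.0|WS01|5128|C:\Users\alice\AppData\Local\Temp\upd.exe|CREATE|C:\Users\alice\Documents\RECOVER_YOUR_FILES.txt
1700000010.0|WS01|2200|C:\Program Files\Microsoft Office\WINWORD.EXE|MODIFY|C:\Users\alice\Documents\plan.docx
1700000070.0|WS01|2200|C:\Program Files\Microsoft Office\WINWORD.EXE|MODIFY|C:\Users\alice\Documents\plan.docx
1700000100.0|WS01|3100|C:\Users\alice\Downloads\tool-setup.exe|CREATE|C:\Program Files\Tool\README.txt
1700000100.5|WS01|3100|C:\Users\alice\Downloads\tool-setup.exe|MODIFY|C:\Program Files\Tool\tool.dll
"""

DATA_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".csv",
             ".pfx", ".p12", ".cer", ".crt", ".pem", ".mdb", ".accdb", ".sqlite", ".db", ".sql"}
EXEC_EXTS = {".exe", ".dll", ".sys", ".msi"}
NOTE_EXTS = {".txt", ".html", ".hta"}
RANSOM_NOTE_RE = re.compile(r"readme|how[_ -]?to|decrypt|restore|recover", re.I)


def parse_events(text):
    """Parse the assumed pipe-separated format into dicts, ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, image, op, path = line.split("|", 5)
        events.append({"ts": float(ts), "host": host, "pid": int(pid),
                       "image": image, "op": op.upper(), "path": path})
    return sorted(events, key=lambda e: e["ts"])


def split_name(path):
    """Windows path -> (file name, lower-cased extension with its dot, or '')."""
    name = path.rsplit("\\", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    return name, ext


def detect(events_text, window=10.0, threshold=8):
    """Return {pid: alert} for processes whose file activity looks like ransomware impact."""
    recent = defaultdict(deque)     # pid -> timestamps of data-file writes inside the window
    peak = defaultdict(int)         # pid -> most data-file writes seen inside one window
    exts = defaultdict(set)         # pid -> data-file extensions touched
    exe_writes = defaultdict(int)   # pid -> writes to executables/DLLs (installer signal)
    notes = defaultdict(list)       # pid -> ransom-note-looking files created
    images = {}
    for e in parse_events(events_text):
        pid = e["pid"]
        images[pid] = e["image"]
        name, ext = split_name(e["path"])
        if e["op"] == "CREATE":
            if ext in NOTE_EXTS and RANSOM_NOTE_RE.search(name):
                notes[pid].append(name)
            continue
        if e["op"] not in ("MODIFY", "RENAME"):
            continue
        if ext in EXEC_EXTS:
            exe_writes[pid] += 1
        elif ext in DATA_EXTS:
            q = recent[pid]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:     # drop writes that fell out of the window
                q.popleft()
            peak[pid] = max(peak[pid], len(q))
            exts[pid].add(ext)
    alerts = {}
    for pid in set(peak) | set(notes):
        bursting = peak[pid] >= threshold
        has_note = bool(notes[pid])
        no_exe = exe_writes[pid] == 0
        if bursting and has_note and no_exe:
            severity = "high"
        elif bursting and no_exe:
            severity = "medium"
        elif bursting or has_note:
            severity = "low"        # installer-like (rewrites executables) or note name alone
        else:
            continue
        alerts[pid] = {"image": images[pid], "severity": severity,
                       "peak_writes_in_window": peak[pid], "exe_writes": exe_writes[pid],
                       "extensions": sorted(exts[pid]), "ransom_notes": list(notes[pid])}
    return alerts


if __name__ == "__main__":
    for pid, alert in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, alert["severity"], alert["image"], alert["peak_writes_in_window"], alert["ransom_notes"])
```

On the constructed sample, `upd.exe` (10 data-file writes in 4.5 seconds, no executable writes, a note-looking file created) scores high, Word editing one document twice a minute apart scores nothing, and an installer that creates `README.txt` and rewrites a DLL scores only low. Raising the threshold demotes the ransomware candidate to note-only, which is the tuning trade-off the bullet list warns about; in production the window, threshold and extension sets should be derived from baseline file-write rates on the hosts in scope.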

Mitigation priorities

  • Maintain and regularly test offline or otherwise resilient backups for systems and data whose loss would affect business operations.
  • Harden Windows endpoints with least privilege, application control where feasible, and endpoint protection capable of inspecting suspicious executable content.
  • Limit write access to shared data stores and monitor privileged or service accounts that can modify large data volumes.
  • Prepare ransomware response procedures covering host isolation, credential risk review, evidence preservation, restoration sequencing, and executive communications.
  • Use the Moneybird mapping to validate ransomware control coverage in tabletop exercises, audit evidence, and incident response readiness reviews.

Analyst notes and limits

The ATT&CK object identifies Moneybird as a C++ ransomware variant, associated with Agrius operations, with Windows listed as the platform. The only supplied behavioral relationships are Embedded Payloads and Data Encrypted for Impact, so defensive interpretation should center on ransomware impact readiness and payload-concealment visibility.

ATT&CK supplies no official detection guidance, aliases, labels, or malware-specific tactics for Moneybird in this object. The take does not infer active exploitation, victim exposure, or guaranteed detection. Local telemetry, tested analytics, backup architecture, and incident response evidence are required to determine actual organizational coverage.

Official MITRE ATT&CK definition

Moneybird

Moneybird is a ransomware variant written in C++ associated with Agrius operations. The name "Moneybird" is contained in the malware's ransom note and as strings in the executable.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1027.009 | Embedded Payloads (sub-technique of T1027) | Moneybird contains a configuration blob embedded in the malware itself. [1]

Enterprise | T1486 | Data Encrypted for Impact | Moneybird targets a common set of file types, such as documents, certificates, and database files, for encryption, while avoiding executables, dynamic-link libraries, and similar items. [1]

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G1030: Agrius

Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.[1][2] Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).[3] (Citation numbers in this description belong to the G1030 entry's own reference list, not to the references on this page.)


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 42e9e1734ae5fe2b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 42e9e1734ae5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CheckPoint Agrius 2023
     Marc Salinas Fernandez & Jiri Vinopal. (2023, May 23). AGRIUS DEPLOYS MONEYBIRD IN TARGETED ATTACKS AGAINST ISRAELI ORGANIZATIONS. Retrieved May 21, 2024.
  2. [2] mitre-attack S1137
     MITRE ATT&CK. S1137: Moneybird. attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.