From 5442a262ab8cf298c8d3c4f6011604529a40342c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Fri, 10 Feb 2017 10:09:37 +0100
Subject: [PATCH] StreamEX added

---
 clusters/tool.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index cd3e1e2..beb3906 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1289,9 +1289,16 @@
        "meta": {
         "refs": ["https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"]
        }
+    },
+    {
+       "value": "StreamEx",
+       "description": "Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples ‘stream’, combined with the dropper functionality to append ‘ex’ to the DLL file name.  The StreamEx family has the ability to access and modify the user’s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild. ",
+       "meta": {
+        "refs": ["https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"]
+       }
     }
   ],
-  "version": 18,
+  "version": 19,
   "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
   "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
   "author": [