
Banker

A list of banker malware.

Authors and/or Contributors
Unknown

Zeus

Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zeus.

Known Synonyms
Zbot
Internal MISP references

UUID f0ec2df5-2e38-4df3-970d-525352006f2e which can be used as unique global reference for Zeus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Initially discovered between 2006 and 2007. New bankers with Zeus roots are still active today.
Related clusters

To see the related clusters, click here.

Vawtrak

Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vawtrak.

Known Synonyms
Neverquest
Internal MISP references

UUID f3813bbd-682c-400d-8165-778be6d3f91f which can be used as unique global reference for Vawtrak in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered early 2013
Related clusters

To see the related clusters, click here.

Dridex

Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dridex.

Known Synonyms
Cridex
Feodo Version D
Internal MISP references

UUID 44754726-e1d5-4e5f-a113-234c4a8ca65e which can be used as unique global reference for Dridex in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovery in 2014, still active
Related clusters

To see the related clusters, click here.

Gozi

Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source was leaked in 2010.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gozi.

Known Synonyms
CRM
Papras
Snifula
Ursnif
Internal MISP references

UUID b9448d2a-a23c-4bf2-92a1-d860716ba2f3 which can be used as unique global reference for Gozi in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date First seen ~ 2007
Related clusters

To see the related clusters, click here.

Goziv2

Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Goziv2.

Known Synonyms
Prinimalka
Internal MISP references

UUID 71ad2c86-b9da-4351-acf9-7005f64062c7 which can be used as unique global reference for Goziv2 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Fall Oct. 2012 - Spring 2013

Gozi ISFB

Banking trojan based on the Gozi source. Features include web injects for the victims' browsers, screenshotting, video recording, transparent redirections, etc. Source leaked around the end of 2015.

Internal MISP references

UUID ffbbbc14-1cdb-4be9-a631-ed53c5407369 which can be used as unique global reference for Gozi ISFB in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Beginning 2010
Related clusters

To see the related clusters, click here.

Dreambot

Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.

Internal MISP references

UUID 549d1f8c-f76d-4d66-a1a2-2cd048d739ea which can be used as unique global reference for Dreambot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Since 2014

IAP

Gozi ISFB variant

Internal MISP references

UUID 0f96a666-bf26-44e0-8ad6-f2136208c924 which can be used as unique global reference for IAP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Seen Autumn 2014
Related clusters

To see the related clusters, click here.

GozNym

The GozNym hybrid takes the best of both Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper's stealth and persistence; the Gozi ISFB parts add the banking Trojan's capabilities to facilitate fraud via infected Internet browsers.

Internal MISP references

UUID bcefac9a-a928-490f-9cb6-a8863f40c949 which can be used as unique global reference for GozNym in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Spring 2016

Zloader Zeus

Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zloader Zeus.

Known Synonyms
Zeus Terdot
Internal MISP references

UUID 2eb658ed-aff4-4253-a21f-9059b133ce17 which can be used as unique global reference for Zloader Zeus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date First seen in Fall 2016 and still active today.
Related clusters

To see the related clusters, click here.

Zeus VM

Zeus variant that utilizes steganography in image files to retrieve its configuration file.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zeus VM.

Known Synonyms
VM Zeus
Internal MISP references

UUID 09d1cad8-6b06-48d7-a968-5b17bbe9ca65 which can be used as unique global reference for Zeus VM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date First seen ~Feb 2014
Related clusters

To see the related clusters, click here.

Zeus Sphinx

Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.

Internal MISP references

UUID 8914802c-3aca-4a0d-874a-85ac7a1bc505 which can be used as unique global reference for Zeus Sphinx in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date First seen ~Aug 2015
Related clusters

To see the related clusters, click here.

Panda Banker

Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Panda Banker.

Known Synonyms
Zeus Panda
Internal MISP references

UUID f1971442-6477-4aa2-aafa-7529b8252455 which can be used as unique global reference for Panda Banker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date First seen ~ Spring 2016

Zeus KINS

Zeus KINS is a modified version of ZeuS 2.0.8.9. It stores an encrypted version of its config in the registry.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zeus KINS.

Known Synonyms
Kasper Internet Non-Security
Maple
Internal MISP references

UUID bc0be3a4-89d8-4c4c-b2aa-2dddbed1f71d which can be used as unique global reference for Zeus KINS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date First seen 2014
Related clusters

To see the related clusters, click here.

Chthonic

Chthonic, according to Kaspersky, is an evolution of Zeus VM. It uses the same encryptor as the Andromeda bot, the same encryption scheme as the Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in the ZeusVM and KINS malware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chthonic.

Known Synonyms
Chtonic
Internal MISP references

UUID 6deb9f26-969b-45aa-9222-c23663fd6ef8 which can be used as unique global reference for Chthonic in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date First seen fall of 2014
Related clusters

To see the related clusters, click here.

Trickbot

Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Trickbot.

Known Synonyms
Trickloader
Trickster
Internal MISP references

UUID 07e3260b-d80c-4c86-bd28-8adc111bbec6 which can be used as unique global reference for Trickbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered Fall 2016
Related clusters

To see the related clusters, click here.

Dyre

Dyre is a banking trojan distributed primarily via exploit kits and malspam emails. It has a modular architecture and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dyre.

Known Synonyms
Dyreza
Internal MISP references

UUID 15e969e6-f031-4441-a49b-f401332e4b00 which can be used as unique global reference for Dyre in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~June 2014
Related clusters

To see the related clusters, click here.

Tinba

Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tinba.

Known Synonyms
TinyBanker
Zusy
illi
Internal MISP references

UUID 5594b171-32ec-4145-b712-e7701effffdd which can be used as unique global reference for Tinba in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~Spring 2012
Related clusters

To see the related clusters, click here.

Geodo

Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Geodo.

Known Synonyms
Emotet
Feodo Version C
Internal MISP references

UUID 8e002f78-7fb8-4e70-afd7-0b4ac655be26 which can be used as unique global reference for Geodo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~Summer 2014
Related clusters

To see the related clusters, click here.

Feodo

Feodo is a banking trojan that utilizes web injects and is also capable of monitoring and manipulating cookies. Version A uses port 8080, Version B uses port 80. It is delivered primarily via exploit kits and malspam emails.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Feodo.

Known Synonyms
Bugat
Cridex
Internal MISP references

UUID 7ca93488-c357-44c3-b246-3f88391aca5a which can be used as unique global reference for Feodo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~September 2011
Related clusters

To see the related clusters, click here.

Ramnit

Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of performing Man-in-the-Browser attacks. Distributed primarily via exploit kits.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ramnit.

Known Synonyms
Nimnul
Internal MISP references

UUID 7e2288ec-e7d4-4833-9245-a2bc5ae40ee2 which can be used as unique global reference for Ramnit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~2010.
Related clusters

To see the related clusters, click here.

Qakbot

Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Qakbot.

Known Synonyms
Akbot
Pinkslipbot
Qbot
Internal MISP references

UUID b2ec1f16-2a76-4910-adc5-ecb3570e7c1a which can be used as unique global reference for Qakbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~2007
Related clusters

To see the related clusters, click here.

Corebot

Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.

Internal MISP references

UUID 8a3d46db-d3b4-4f89-99e2-d1f0de3f484c which can be used as unique global reference for Corebot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~Fall 2015
Related clusters

To see the related clusters, click here.

TinyNuke

TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and a reverse SOCKS 4 server. Its main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TinyNuke.

Known Synonyms
MicroBankingTrojan
Nuclear Bot
NukeBot
Xbot
Internal MISP references

UUID e683cd91-40b4-4e1c-be25-34a27610a22e which can be used as unique global reference for TinyNuke in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~December 2016
Related clusters

To see the related clusters, click here.

Retefe

Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation-based targeting. It also installs a fake root certificate and changes the DNS server used for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Retefe.

Known Synonyms
Tsukuba
Werdlod
Internal MISP references

UUID 87b69cb4-8b65-47ee-91b0-9b1decdd5c5c which can be used as unique global reference for Retefe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered in 2014
Related clusters

To see the related clusters, click here.

ReactorBot

ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full-fledged modular bot that includes a banking module with roots in the Carberp banking trojan. Distributed primarily via malspam emails.

Internal MISP references

UUID d939e802-acb2-4881-bdaf-ece1eccf5699 which can be used as unique global reference for ReactorBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~early 2015
Related clusters

To see the related clusters, click here.

Matrix Banker

Matrix Banker is named after the Matrix reference in its C2 panel. Distributed primarily via malspam emails.

Internal MISP references

UUID aa3fc68c-413c-4bfb-b4cd-bca7094da985 which can be used as unique global reference for Matrix Banker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~Spring 2017
Related clusters

To see the related clusters, click here.

Zeus Gameover

Zeus Gameover captures banking credentials from infected computers, then uses those credentials to initiate or redirect wire transfers to overseas accounts controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.

Internal MISP references

UUID 8653a94e-3eb3-4d88-8683-a1ae4a524774 which can be used as unique global reference for Zeus Gameover in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~Sept. 2011

SpyEye

SpyEye is a banking trojan similar to the Zeus botnet. It utilizes a web control panel for C2 and can perform form grabbing, and it ships autofill credit card modules, an FTP grabber, a POP3 grabber and an HTTP basic access authorization grabber. It also contained a "Kill Zeus" feature which would remove any Zeus infection if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.

Internal MISP references

UUID ebce18e9-b387-4b7d-bab9-4acd4fca7a7c which can be used as unique global reference for SpyEye in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered early 2011

Citadel

Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.

Internal MISP references

UUID 9eb89081-3245-423a-995f-c1d78ce39619 which can be used as unique global reference for Citadel in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~January 2012
Related clusters

To see the related clusters, click here.

Atmos

Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.

Internal MISP references

UUID ee021933-929d-4d6c-abca-5827cfb77289 which can be used as unique global reference for Atmos in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~spring 2016

Ice IX

Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.

Internal MISP references

UUID 1d4a5704-c6fb-4bbb-92b2-88dc67f86339 which can be used as unique global reference for Ice IX in MISP communities and other software using the MISP galaxy

External references
  • https://securelist.com/ice-ix-not-cool-at-all/29111/
Associated metadata
Metadata key Value
date Discovered ~Fall 2011
Related clusters

To see the related clusters, click here.

Zitmo

Zeus in the mobile: a banking trojan developed for mobile devices such as Windows Mobile, BlackBerry and Android.

Internal MISP references

UUID 3b1aff8f-647d-4709-aab0-6db1859c5f11 which can be used as unique global reference for Zitmo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered ~end of 2010

Licat

Banking trojan based on Zeus V2. Murofet is a newer version of Licat found around the end of 2011.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Licat.

Known Synonyms
Murofet
Internal MISP references

UUID 0b097926-2e1a-4134-8ab9-4c16d0cca0fc which can be used as unique global reference for Licat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered in 2010
Related clusters

To see the related clusters, click here.

Skynet

Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and banking capabilities. Spread via USENET, according to Rapid7.

Internal MISP references

UUID f20791e4-26a7-45e0-90e6-709553b223b2 which can be used as unique global reference for Skynet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered end of 2012

IcedID

According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IcedID.

Known Synonyms
BokBot
Internal MISP references

UUID 9d67069c-b778-486f-8158-53f5dcd05d08 which can be used as unique global reference for IcedID in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date Discovered in September 2017
Related clusters

To see the related clusters, click here.

GratefulPOS

GratefulPOS has the following functions:
1. Access arbitrary processes on the target POS system.
2. Scrape track 1 and 2 payment card data from the process(es).
3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014, and more recently by Luis Mendieta of Anomali in analysis of a precursor to this sample.

Internal MISP references

UUID 7d9362e5-e3cf-4640-88a2-3faf31952963 which can be used as unique global reference for GratefulPOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Dok

A macOS banking trojan that redirects an infected user's web traffic in order to extract banking credentials.

Internal MISP references

UUID e159c4f8-3c22-49f9-a60a-16588a9c22b0 which can be used as unique global reference for Dok in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

downAndExec

Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage: users get greater speed when viewing content because the serving node is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent "fileless" banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.

Internal MISP references

UUID bfff538a-89dd-4bed-9ac1-b4faee373724 which can be used as unique global reference for downAndExec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Smominru

Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware. The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Smominru.

Known Synonyms
Ismo
lsmo
Internal MISP references

UUID f93acc85-8d2c-41e0-b0c5-47795b8c6194 which can be used as unique global reference for Smominru in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

DanaBot

It is a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll).

Internal MISP references

UUID 844417c6-a404-4c4e-8e93-84db596d725b which can be used as unique global reference for DanaBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Backswap

The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect the values of window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload.

Internal MISP references

UUID ea0b5f45-6b56-4c92-b22b-0d84c45160a0 which can be used as unique global reference for Backswap in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Bebloh

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bebloh.

Known Synonyms
Shiotob
URLZone
Internal MISP references

UUID 67a1a317-9f79-42bd-a4b2-fa1867d37d27 which can be used as unique global reference for Bebloh in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Banjori

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Banjori.

Known Synonyms
BackPatcher
BankPatch
MultiBanker 2
Internal MISP references

UUID f68555ff-6fbd-4f5a-bc23-34996f629c52 which can be used as unique global reference for Banjori in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Qadars

Internal MISP references

UUID a717c873-6670-447a-ba98-90db6464c07d which can be used as unique global reference for Qadars in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Sisron

Internal MISP references

UUID 610a136c-820d-4f5f-b66c-ae298923dc55 which can be used as unique global reference for Sisron in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Ranbyus

Internal MISP references

UUID 6720f960-0382-479b-a0f8-f9e008995af4 which can be used as unique global reference for Ranbyus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Fobber

Internal MISP references

UUID da124511-463c-4514-ad05-7ec8db1b38aa which can be used as unique global reference for Fobber in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Karius

Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a rather traditional fashion compared to other banking malware and consists of three components (injector32\64.exe, proxy32\64.dll and mod32\64.dll); these components work together to deploy webinjects in several browsers.

Internal MISP references

UUID a088c428-d0bb-49c8-9ed7-dcced0c74754 which can be used as unique global reference for Karius in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Kronos

Kronos was a type of banking malware first reported in 2014. It was sold for $7000. As of September 2015, a renewed version was reconnecting with infected bots and sending them a brand new configuration file targeting U.K. banks and one bank in India. Similar to Zeus, it focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018; the main difference is that the 2018 edition uses Tor-hosted C&C control panels.

Internal MISP references

UUID 5b42af8e-8fdc-11e8-bf48-f32ff64d5502 which can be used as unique global reference for Kronos in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

CamuBot

A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components. CamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.

Internal MISP references

UUID 2fafe8b2-b0db-11e8-a81e-4b62ee50bd87 which can be used as unique global reference for CamuBot in MISP communities and other software using the MISP galaxy

External references
  • https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Dark Tequila

Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.

Internal MISP references

UUID fa574138-a3bd-4ebc-a5f7-3b465df7106f which can be used as unique global reference for Dark Tequila in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Malteiro

Distributed by Malteiro

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Malteiro.

Known Synonyms
URSA
Internal MISP references

UUID d27eea57-e55f-40b1-9690-55c2c8500876 which can be used as unique global reference for Malteiro in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.