
Malpedia

Malware galaxy cluster based on Malpedia.

Authors and/or Contributors
Davide Arcuri
Alexandre Dulaunoy
Steffen Enders
Andrea Garavaglia
Andras Iklody
Daniel Plohmann
Christophe Vandeplas

FastCash

Internal MISP references

UUID e8a04177-6a91-46a6-9f63-6a9fac4dfa02 which can be used as unique global reference for FastCash in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

888 RAT

Internal MISP references

UUID e98ae895-0831-4e10-aad1-593d1c678db1 which can be used as unique global reference for 888 RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Aberebot

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aberebot.

Known Synonyms
Escobar
Internal MISP references

UUID 4b9c0228-2bfd-4bc7-bd64-8357a2da12ee which can be used as unique global reference for Aberebot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AbstractEmu

According to PCrisk, AbstractEmu is the name of rooting malware that can gain privileged access to the Android operating system. Threat actors behind AbstractEmu are using legitimate-looking apps (like password managers, app launchers, data savers) to trick users into downloading and opening/executing this malware.

Internal MISP references

UUID 57a4c8c0-140a-45e3-9166-64e3e35c5986 which can be used as unique global reference for AbstractEmu in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ActionSpy

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ActionSpy.

Known Synonyms
AxeSpy
Internal MISP references

UUID 5c7a35bf-e5f1-4b07-b93a-c3608cc9142e which can be used as unique global reference for ActionSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AdoBot

Internal MISP references

UUID d95708e9-220a-428c-b126-a63986099892 which can be used as unique global reference for AdoBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AdultSwine

Internal MISP references

UUID 824f284b-b38b-4a57-9e4a-aee4061a5b2d which can be used as unique global reference for AdultSwine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Agent Smith

Internal MISP references

UUID 34770e6e-e2c3-4e45-aa86-9d74b5309773 which can be used as unique global reference for Agent Smith in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AhMyth

According to PCrisk, Ahmyth is a Remote Access Trojan (RAT) targeting Android users. It is distributed via trojanized (fake) applications. Ahmyth RAT steals cryptocurrency and banking credentials, 2FA codes, lock screen passcodes, and captures screenshots.

Internal MISP references

UUID 86a5bb47-ac59-449a-8ff2-ae46e19cc6d2 which can be used as unique global reference for AhMyth in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Alien

According to ThreatFabric, this is a fork of Cerberus v1 (active January 2020+). Alien is a rented banking trojan that can remotely control a phone and achieves RAT functionality by abusing TeamViewer.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Alien.

Known Synonyms
AlienBot
Internal MISP references

UUID de483b10-4247-46b3-8ab5-77d089f0145c which can be used as unique global reference for Alien in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AmexTroll

Internal MISP references

UUID 6b153952-9415-4710-8175-354b59252dbc which can be used as unique global reference for AmexTroll in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AmpleBot

This malware was initially named BlackRock and later renamed to AmpleBot.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AmpleBot.

Known Synonyms
BlackRock
Internal MISP references

UUID 2f3f82f6-ec21-489e-8257-0967c567798a which can be used as unique global reference for AmpleBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Anatsa

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anatsa.

Known Synonyms
ReBot
TeaBot
Toddler
Internal MISP references

UUID 147081b9-7e59-4613-ad55-bbc08141fee1 which can be used as unique global reference for Anatsa in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AndroRAT

Androrat is a remote administration tool developed in Java for Android on the client side and in Java/Swing for the server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It was developed by a team of 4 for a university project. The goal of the application is to give remote control of the Android system and retrieve information from it.

Internal MISP references

UUID 80447111-8085-40a4-a052-420926091ac6 which can be used as unique global reference for AndroRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ANDROSNATCH

According to Google, a Chrome cookie stealer.

Internal MISP references

UUID 8cd795ed-3a4d-41a3-abb1-0c3dd3aa4eab which can be used as unique global reference for ANDROSNATCH in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Anubis (Android)

BleepingComputer found that Anubis will display fake phishing login forms when users open up apps for targeted platforms to steal credentials. This overlay screen will be shown over the real app's login screen to make victims think it's a legitimate login form when in reality, inputted credentials are sent to the attackers.

In the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:

Recording screen activity and sound from the microphone
Implementing a SOCKS5 proxy for covert communication and package delivery
Capturing screenshots
Sending mass SMS messages from the device to specified recipients
Retrieving contacts stored on the device
Sending, reading, deleting, and blocking notifications for SMS messages received by the device
Scanning the device for files of interest to exfiltrate
Locking the device screen and displaying a persistent ransom note
Submitting USSD code requests to query bank balances
Capturing GPS data and pedometer statistics
Implementing a keylogger to steal credentials
Monitoring active apps to mimic and perform overlay attacks
Stopping malicious functionality and removing the malware from the device

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anubis (Android).

Known Synonyms
BankBot
android.bankbot
android.bankspy
Internal MISP references

UUID 85975621-5126-40cb-8083-55cbfa75121b which can be used as unique global reference for Anubis (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AnubisSpy

Internal MISP references

UUID 06ffb614-33ca-4b04-bf3b-623e68754184 which can be used as unique global reference for AnubisSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Asacub

Internal MISP references

UUID dffa06ec-e94f-4fd7-8578-2a98aace5473 which can be used as unique global reference for Asacub in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Ashas

Internal MISP references

UUID aabcfbb6-6385-486d-a30b-e3a2edcf493d which can be used as unique global reference for Ashas in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ATANK

According to Lukas Stefanko, this is an open-source crypto-ransomware found on GitHub in 2018. It can encrypt and decrypt files (AES; key: 32 random characters, sent to the C&C), uses email as the contact point, but will remove all files after 24 hours or after a reboot.

Internal MISP references

UUID 231f9f49-6752-49af-9ee0-7774578fcbe4 which can be used as unique global reference for ATANK in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AxBanker

According to EnigmaSoft, AxBanker is a banking Trojan targeting Android devices specifically. The threatening tool has been deployed as part of large attack campaigns against users in India. The threat actors use smishing (SMS phishing) techniques to smuggle the malware threat onto the victims' devices. The fake applications carrying AxBanker are designed to visually impersonate the official applications of popular Indian banking organizations. The weaponized applications use fake promises or rewards and discounts as additional lures.

Internal MISP references

UUID 4a854e8c-d6ad-4997-8931-b27e39b7f7fa which can be used as unique global reference for AxBanker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

badbazaar

BadBazaar is a type of malware primarily functioning as a banking Trojan. Designed to compromise Android devices, it is often distributed through malicious apps downloaded from unofficial app stores or third-party websites. Once installed, BadBazaar seeks to steal financial information and login credentials by intercepting SMS messages, performing screen recordings, and logging keystrokes on the device. Additionally, it can execute remote commands and download and install other malicious applications, further compromising the security of the affected device.

Internal MISP references

UUID 80b30290-40d3-4ce3-a878-2e0af4b107d8 which can be used as unique global reference for badbazaar in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BADCALL (Android)

Remote access tool (RAT) payload on Android devices.

Internal MISP references

UUID 5eec00de-5d81-4907-817d-f99cb33d9b66 which can be used as unique global reference for BADCALL (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BadPatch

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BadPatch.

Known Synonyms
WelcomeChat
Internal MISP references

UUID 9b96e274-1602-48a4-8e0d-9f756d4e835b which can be used as unique global reference for BadPatch in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Bahamut (Android)

According to PCrisk, Bahamut is the name of Android malware with spyware functionality. Threat actors use Bahamut to steal sensitive information. The newest malware version targets various messaging apps and personally identifiable information.

Internal MISP references

UUID 4038c3bc-b559-45bb-bac1-9665a54dedf9 which can be used as unique global reference for Bahamut (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Basbanke

Internal MISP references

UUID c59b65d6-d363-4b19-b082-d72508e782c0 which can be used as unique global reference for Basbanke in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BianLian (Android)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BianLian (Android).

Known Synonyms
Hydra
Internal MISP references

UUID 1faaa5c5-ab4e-4101-b2d9-0e12207d70fc which can be used as unique global reference for BianLian (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BingoMod

Internal MISP references

UUID 2778f61a-48e4-4585-8eff-983d5a4fd6ac which can be used as unique global reference for BingoMod in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BlankBot

Internal MISP references

UUID c4a42580-bc5e-4185-adfd-cc6ade9b8424 which can be used as unique global reference for BlankBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BrasDex

According to PCrisk, BrasDex is a banking malware targeting Android operating systems. This malicious program aims to gain access to victims' bank accounts and make fraudulent transactions.

At the time of writing, BrasDex targets Brazilian banking applications exclusively. In previous BrasDex campaigns, it infiltrated devices under the guise of Android system related apps. Lately, this malware has been installed by a fake Brazilian Banco Santander banking application.

Internal MISP references

UUID dc5408e9-e9e8-44fd-ac5c-231483d0ebe3 which can be used as unique global reference for BrasDex in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BRATA

According to Cleafy, the victim's Android device is factory reset after the attackers siphon money from the victim's bank account. This distracts users from the crime, while removing traces or footprints that might be of interest to forensic analysts.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRATA.

Known Synonyms
AmexTroll
Copybara
Internal MISP references

UUID d9ff080d-cde0-48da-89db-53435c99446b which can be used as unique global reference for BRATA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Brunhilda

PRODAFT describes Brunhilda as a "Dropper as a Service" for Google Play, delivering e.g. Alien.

Internal MISP references

UUID 5d3d5f52-0a55-4c81-af87-7809ce43906b which can be used as unique global reference for Brunhilda in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BusyGasper

Internal MISP references

UUID 4bf68bf8-08e5-46f3-ade5-0bd4f124b168 which can be used as unique global reference for BusyGasper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CapraRAT

According to PCrisk, CapraRAT is the name of an Android remote access trojan (RAT), possibly a modified version of another (open-source) RAT called AndroRAT. It is known that CapraRAT is used by an advanced persistent threat group (APT) called APT36 (also known as Earth Karkaddan). CapraRAT allows attackers to perform certain actions on the infected Android device.

Internal MISP references

UUID 7cd1c5f3-7635-46d2-87f1-e638fb8d714c which can be used as unique global reference for CapraRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CarbonSteal

Internal MISP references

UUID 56090c0b-2b9b-4624-8eff-ef6d3632fd2b which can be used as unique global reference for CarbonSteal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Catelites

Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim. The distribution vector seems to be fake apps from third-party app stores (not Google Play) or malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification telling the victim that they need to re-authenticate with Google Services and asks for their credit card details to be entered. Currently the malware has overlays for over 2,200 apps of banks and financial institutions.

Internal MISP references

UUID 2c672b27-bc65-48ba-ba3d-6318473e78b6 which can be used as unique global reference for Catelites in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Cerberus

According to PCrisk, Cerberus is an Android banking Trojan which can be rented on hacker forums. It was created in 2019 and is used to steal sensitive, confidential information. Cerberus can also be used to send commands to users' devices and perform dangerous actions.

Internal MISP references

UUID c3a2448f-bb41-4201-b524-3ddcb02ddbf4 which can be used as unique global reference for Cerberus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Chameleon

Chameleon is an Android trojan that pretends to be legitimate entities to steal data from users in Australia and Poland. It exploits the Accessibility Service to monitor and modify the device screen.

Internal MISP references

UUID 90b3a256-311d-416b-b333-e02b910ba75d which can be used as unique global reference for Chameleon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Chamois

Internal MISP references

UUID 2e230ff8-3971-4168-a966-176316cbdbf2 which can be used as unique global reference for Chamois in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Charger

Internal MISP references

UUID 6e0545df-8df6-4990-971c-e96c4c60d561 which can be used as unique global reference for Charger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Chinotto (Android)

Internal MISP references

UUID 6cc7b402-21cf-4510-be7d-d7f811a57bc1 which can be used as unique global reference for Chinotto (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Chrysaor

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chrysaor.

Known Synonyms
JigglyPuff
Pegasus
Internal MISP references

UUID 52acea22-7d88-433c-99e6-8fef1657e3ad which can be used as unique global reference for Chrysaor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Clientor

Internal MISP references

UUID c0a48ca3-682d-45bc-805c-e62aecd4c724 which can be used as unique global reference for Clientor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Clipper

Internal MISP references

UUID ff9b47c6-a5b5-4531-abfc-2e4db3dcdc7e which can be used as unique global reference for Clipper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CloudAtlas

Internal MISP references

UUID ed780667-b67c-4e17-ab43-db1b7e018e66 which can be used as unique global reference for CloudAtlas in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CometBot

Internal MISP references

UUID 151bf399-aa8f-4160-b9b5-8fe222f2a6b1 which can be used as unique global reference for CometBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Connic

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Connic.

Known Synonyms
SpyBanker
Internal MISP references

UUID 93b1c63a-4a34-44fd-805b-0a3470ff7e6a which can be used as unique global reference for Connic in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Coper

Coper is a descendant of ExoBotCompat, which was a rewritten version of Exobot. Malicious Coper apps have a modular architecture and a multi-stage infection mechanism. Coper was originally spotted in Colombia but has since emerged in Europe as well.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Coper.

Known Synonyms
ExobotCompact
Octo
Internal MISP references

UUID 70973ef7-e031-468f-9420-d8aa4eb7543a which can be used as unique global reference for Coper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Copybara

Internal MISP references

UUID e3d07fda-d29d-42e4-a0d6-5827b2d14d17 which can be used as unique global reference for Copybara in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Coronavirus Android Worm

Poses as an app that can offer a "corona safety mask", but instead accesses the phone's address book and sends SMS messages to contacts, spreading its own download link.

Internal MISP references

UUID f041032e-01af-4e66-9fb2-f8da88a6ea35 which can be used as unique global reference for Coronavirus Android Worm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Cpuminer (Android)

Internal MISP references

UUID 8a42a699-1746-498b-a558-e7113bb916c0 which can be used as unique global reference for Cpuminer (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CraxsRAT

Internal MISP references

UUID 1f7a8a57-f3e2-4e4b-a4d7-8eb0ba9243c5 which can be used as unique global reference for CraxsRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CryCryptor

According to NHS Digital, CryCryptor is distributed via websites that spoof health organisations. At the time of publication these websites have affected the Canadian health service. CryCryptor cannot be obtained from the Google Play store, so devices restricted to only running apps from the store are not affected.

When CryCryptor is run it encrypts common file types and saves a ransom note to every directory where files have been encrypted. Encrypted files have the extension '.enc' appended to the filenames. Additional files are saved containing the salt values used in each encryption and an initialisation vector. These files have the extensions '.enc.salt' and '.enc.iv' respectively.

When files have been encrypted, a notification is displayed directing users to open the ransom note.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CryCryptor.

Known Synonyms
CryCrypter
CryDroid
Internal MISP references

UUID 21e9d7e6-6e8c-49e4-8869-6bac249cda8a which can be used as unique global reference for CryCryptor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CyberAzov

Internal MISP references

UUID bb1821f9-eace-4e63-b55d-fc7821a6e5f1 which can be used as unique global reference for CyberAzov in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DAAM

According to PCrisk, DAAM is an Android malware utilized to gain unauthorized access to targeted devices since 2021. With the DAAM Android botnet, threat actors can bind harmful code with a genuine application using its APK binding service.

Lookout refers to this malware as BouldSpy and assesses with medium confidence that this Android surveillance tool is used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DAAM.

Known Synonyms
BouldSpy
Internal MISP references

UUID 37a3b62e-99da-47d7-81fb-78f745427b16 which can be used as unique global reference for DAAM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Dark Shades

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dark Shades.

Known Synonyms
Rogue
Internal MISP references

UUID 97fe35c9-f50c-495f-8736-0ecd95c70192 which can be used as unique global reference for Dark Shades in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DawDropper

Internal MISP references

UUID bd9756da-220d-48d6-a4f5-6646558c4b30 which can be used as unique global reference for DawDropper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DEFENSOR ID

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEFENSOR ID.

Known Synonyms
Defensor Digital
Internal MISP references

UUID 76346e4d-d14e-467b-9409-82b28a4d6cd6 which can be used as unique global reference for DEFENSOR ID in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Dendroid

Internal MISP references

UUID 89989df2-e8bc-4074-a8a2-130a15d6625f which can be used as unique global reference for Dendroid in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

dmsSpy

Internal MISP references

UUID 72a25832-4bf4-4505-a77d-8c0fc52dc85d which can be used as unique global reference for dmsSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DoubleAgent

Internal MISP references

UUID 73fd1bda-e4aa-4777-a628-07580bc070f4 which can be used as unique global reference for DoubleAgent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DoubleLocker

Internal MISP references

UUID 10d0115a-00b4-414e-972b-8320a2bb873c which can be used as unique global reference for DoubleLocker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Dracarys

Android malware that impersonates genuine applications such as Signal, Telegram, WhatsApp, YouTube, and other chat applications and is distributed through phishing sites.

Internal MISP references

UUID bf94eee6-2274-40f4-b181-2b49ce6ef9fb which can be used as unique global reference for Dracarys in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DragonEgg

Android variant of ios.LightSpy.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DragonEgg.

Known Synonyms
LightSpy
Internal MISP references

UUID 4ef28f14-17f4-4f87-a292-e63b42027c8c which can be used as unique global reference for DragonEgg in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DroidJack

Internal MISP references

UUID 8990cec7-ddd8-435e-97d6-5b36778e86fe which can be used as unique global reference for DroidJack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DroidWatcher

Internal MISP references

UUID 15f3e50b-9fa5-4eab-ac2b-928e9ce03b72 which can be used as unique global reference for DroidWatcher in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DualToy (Android)

Internal MISP references

UUID 8269e779-db23-4c94-aafb-36ee94879417 which can be used as unique global reference for DualToy (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Dvmap

Internal MISP references

UUID e5de818e-d25d-47a8-ab31-55fc992bf91b which can be used as unique global reference for Dvmap in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Elibomi

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Elibomi.

Known Synonyms
Drinik
Internal MISP references

UUID 63cc0b01-c92e-40e7-8669-48d10a490ffb which can be used as unique global reference for Elibomi in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ERMAC

According to Intel471, ERMAC, an Android banking trojan, enables bad actors to determine when certain apps are launched and then overwrites the screen display to steal the user's credentials.

Internal MISP references

UUID 602944f4-a86c-4a05-b98f-cfb525fb8896 which can be used as unique global reference for ERMAC in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ErrorFather

ErrorFather is an Android banking trojan with a multi-stage dropper. The final payload is derived from the Cerberus source code leak.

Internal MISP references

UUID 2c7f6a97-4469-4f97-9a69-5549282a94a6 which can be used as unique global reference for ErrorFather in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Eventbot

According to ThreatFabric, the app overlays 15 financial targets from the UK, Italy, and Spain, and sniffs 234 apps from banks located in Europe as well as crypto wallets.

Internal MISP references

UUID 5a6fb8cd-d582-4c8c-b7e0-a5b4cf4f248f which can be used as unique global reference for Eventbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ExoBot

Internal MISP references

UUID c9f2b058-6c22-462a-a20a-fca933a597dd which can be used as unique global reference for ExoBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Exodus

Internal MISP references

UUID 462bc006-b7bd-4e10-afdb-52baf86121e8 which can be used as unique global reference for Exodus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FaceStealer

Facebook Credential Stealer.

Internal MISP references

UUID c35ebd96-d2f8-4add-b86f-f552ed5dfa9b which can be used as unique global reference for FaceStealer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FakeAdBlocker

Internal MISP references

UUID d0ae2b6b-5137-4b64-be3e-4bbc9aa007a6 which can be used as unique global reference for FakeAdBlocker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Fakecalls

According to Kaspersky, Fakecalls is a Trojan that masquerades as a banking app and imitates phone conversations with bank employees.

Internal MISP references

UUID 014aeab6-2292-4ee5-83d6-fffb0fc21423 which can be used as unique global reference for Fakecalls in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FakeDefend

Internal MISP references

UUID 8ea1fc8c-ec66-4d39-b32a-da69d3277da4 which can be used as unique global reference for FakeDefend in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FakeSpy

Internal MISP references

UUID dd821edd-901b-4a5e-b35f-35bb811964ab which can be used as unique global reference for FakeSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FakeGram

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FakeGram.

Known Synonyms
FakeTGram
Internal MISP references

UUID 6c0fc7e4-4629-494f-b471-f7a8cc47c0e0 which can be used as unique global reference for FakeGram in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FastFire

Internal MISP references

UUID 5613da3a-06f5-4363-b468-0b8a03ffc292 which can be used as unique global reference for FastFire in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FastSpy

Internal MISP references

UUID a5e3e217-3790-4d7c-b67a-906b9ee69034 which can be used as unique global reference for FastSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FileCoder

According to Heimdal, FileCoder (Android/Filecoder.c) is a ransomware strain that emerged on Android devices and targets those running Android 5.1 and higher. It spreads via text messages containing a malicious link.

Internal MISP references

UUID 09ff3520-b643-44bd-a0de-90c0e75ba12f which can be used as unique global reference for FileCoder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FinFisher (Android)

Internal MISP references

UUID 0bf7acd4-6493-4126-9598-d2ed069e32eb which can be used as unique global reference for FinFisher (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FlexiSpy (Android)

Internal MISP references

UUID 4305d59a-0d07-4021-a902-e7996378898b which can be used as unique global reference for FlexiSpy (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FlexNet

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlexNet.

Known Synonyms
gugi
Internal MISP references

UUID 80d7d229-b3a7-4205-8304-f7b18bda129f which can be used as unique global reference for FlexNet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FluBot

PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite the arrest of multiple people suspected of involvement with this malware in March 2021, the campaign has only intensified since.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FluBot.

Known Synonyms
Cabassous
FakeChat
Internal MISP references

UUID ef91833f-3334-4955-9218-f106494e9fc0 which can be used as unique global reference for FluBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FluHorse

According to Check Point, FluHorse comprises several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims' credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via email; in some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months, making it a persistent, dangerous and hard-to-spot threat.

Internal MISP references

UUID aeaeb8b2-650e-471d-a901-3c4fbae42854 which can be used as unique global reference for FluHorse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FlyTrap

Zimperium notes that this malware has hit more than 10,000 victims in 140+ countries using social media hijacking, 3rd party app stores and sideloading.

Internal MISP references

UUID 24af5bcc-d4bd-42dd-aed4-f994b30b4921 which can be used as unique global reference for FlyTrap in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FunkyBot

Internal MISP references

UUID bc0d37fa-113a-45ba-8a1c-b9d818e31f27 which can be used as unique global reference for FunkyBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FurBall

Check Point uncovered an operation dubbed "Domestic Kitten", which uses malicious Android applications to steal sensitive personal information from its victims: screenshots, messages, call logs, surrounding voice recordings and more. The operation remained under the radar for a long time, as the associated files were not attributed to a known malware family and were detected by only a handful of security vendors.

Internal MISP references

UUID 53282cc8-fefc-47d7-b6a5-a82a05a88f2a which can be used as unique global reference for FurBall in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Geost

Internal MISP references

UUID b9639878-733c-4f30-9a13-4680a7e17415 which can be used as unique global reference for Geost in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Ghimob

Internal MISP references

UUID 3d1f2591-05fe-42f4-aaf8-ed1428f17605 which can be used as unique global reference for Ghimob in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GhostCtrl

Internal MISP references

UUID 3b6c1771-6d20-4177-8be0-12116e254bf5 which can be used as unique global reference for GhostCtrl in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Gigabud

Gigabud is an Android Remote Access Trojan (RAT) that can record the victim's screen and steal banking credentials by abusing the Accessibility Service. It masquerades as banking, shopping and other applications, and threat actors have been observed distributing it through deceptive websites.

Internal MISP references

UUID 8f188382-7a31-46a5-83c6-5991dfe739ee which can be used as unique global reference for Gigabud in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Ginp

Ginp is an Android banking trojan discovered by Kaspersky. It steals both user credentials and credit card numbers through overlay attacks; overlay targets include, for example, the default SMS application. What makes Ginp a remarkable family is that its operators kept it undetected over time while shipping version upgrades over many years. According to ThreatFabric, Ginp has the following features:

Overlaying: dynamic (local overlays obtained from the C2)
SMS harvesting: SMS listing
SMS harvesting: SMS forwarding
Contact list collection
Application listing
Overlaying: targets list update
SMS: sending
Calls: call forwarding
C2 resilience: auxiliary C2 list
Self-protection: hiding the app icon
Self-protection: preventing removal
Self-protection: emulation detection

Internal MISP references

UUID 77e9ace0-f6e5-4d6e-965a-a653ff626be1 which can be used as unique global reference for Ginp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GlanceLove

Internal MISP references

UUID 24a709ef-c2e4-45ca-90b6-dfa184472f49 which can be used as unique global reference for GlanceLove in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GnatSpy

Internal MISP references

UUID a3b6a355-3afe-49ae-9f87-679c6c382943 which can be used as unique global reference for GnatSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GoatRAT

Internal MISP references

UUID f699d295-1072-418b-8aa2-cb36fbd4c6c7 which can be used as unique global reference for GoatRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Godfather

According to PCrisk, Godfather is the name of an Android malware targeting online banking pages and cryptocurrency exchanges in 16 countries. It opens fake login windows over legitimate applications. Threat actors use Godfather to steal account credentials. Additionally, Godfather can steal SMSs, device information, and other data.

Internal MISP references

UUID 8e95a9d5-08fb-4f11-b70a-622148bd1e62 which can be used as unique global reference for Godfather in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GoldenEagle

Internal MISP references

UUID b7c0c11d-8471-4b10-bbf2-f9c0f30bc27e which can be used as unique global reference for GoldenEagle in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GoldenRAT

Internal MISP references

UUID e111fff8-c73c-4069-b804-2d3732653481 which can be used as unique global reference for GoldenRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GoldDigger

Internal MISP references

UUID 8ff9cde1-627e-4967-8b12-195544f31d83 which can be used as unique global reference for GoldDigger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

goontact

Internal MISP references

UUID 008ef3f3-579e-4065-ad0a-cf96be00becf which can be used as unique global reference for goontact in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GPlayed

Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed.

Internal MISP references

UUID 13dc1ec7-aba7-4553-b990-8323405a1d32 which can be used as unique global reference for GPlayed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Gravity RAT (Android)

Internal MISP references

UUID fed09d31-6378-4e85-b644-5500491dff88 which can be used as unique global reference for Gravity RAT (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GriftHorse

Internal MISP references

UUID fe40a0b2-be48-41c5-8814-7fa3a6a993b9 which can be used as unique global reference for GriftHorse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Guerrilla

Internal MISP references

UUID 57de6ac2-8cf0-4022-aee2-5f76e3dbd503 which can be used as unique global reference for Guerrilla in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Gustuff

Group-IB describes Gustuff as an Android banking trojan whose potential targets include customers of leading international banks, users of cryptocurrency services, and popular e-commerce websites and marketplaces. Gustuff had not previously been reported. It is a new generation of malware with fully automated features designed to steal both fiat and cryptocurrency from user accounts en masse. The trojan abuses the Accessibility Service, which is intended to assist people with disabilities. Analysis of a Gustuff sample revealed that the trojan is equipped with web fakes designed to target users of the Android apps of top international banks, including Bank of America, Bank of Scotland, J.P. Morgan, Wells Fargo, Capital One, TD Bank and PNC Bank, and of crypto services such as Bitcoin Wallet, BitPay, Cryptopay and Coinbase. Group-IB specialists found that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany and 8 in India, and users of 32 cryptocurrency apps.

Internal MISP references

UUID a5e2b65f-2087-465d-bf14-4acf891d5d0f which can be used as unique global reference for Gustuff in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HARDRAIN (Android)

Internal MISP references

UUID 0caf0292-b01a-4439-b56f-c75b71900bc0 which can be used as unique global reference for HARDRAIN (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HawkShaw

Internal MISP references

UUID 5ae490bd-84ca-434f-ab34-b87bd38e4523 which can be used as unique global reference for HawkShaw in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HenBox

Internal MISP references

UUID 0185f9f6-018e-4eb5-a214-d810cb759a38 which can be used as unique global reference for HenBox in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Hermit

Lookout states that Hermit is an advanced spyware designed to target iOS and Android mobile devices. It is designed to collect extensive amounts of sensitive data on its victims such as their location, contacts, private messages, photos, call logs, phone conversations, ambient audio recordings, and more.

Internal MISP references

UUID b95f25a0-ba22-4320-95e3-323fbf852846 which can be used as unique global reference for Hermit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HeroRAT

Internal MISP references

UUID 537f17ac-74e5-440b-8659-d4fdb4af41a6 which can be used as unique global reference for HeroRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HiddenAd

HiddenAd is a malware that shows ads as overlays on the phone.

Internal MISP references

UUID 171c97ca-6b61-426d-8f72-c099528625e9 which can be used as unique global reference for HiddenAd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HilalRAT

Android RAT used to extract sensitive information such as contact lists, text messages and location data.

Internal MISP references

UUID 96bea6aa-3202-4352-8e36-fa05c677c0e8 which can be used as unique global reference for HilalRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Hook

According to ThreatFabric, Hook is a malware family based on ERMAC (apk.ermac). The name Hook is the one advertised by its seller, DukeEugene. It communicates over WebSocket and has RAT capabilities.

Internal MISP references

UUID c101bc42-1011-43f6-9d30-629013c318cd which can be used as unique global reference for Hook in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Hydra

Avira describes Hydra as an Android BankBot variant designed to steal banking credentials. It asks the user to grant dangerous permissions such as the Accessibility Service, and every time a targeted banking app is opened it overlays the legitimate login page with a malicious one, so that the credentials the user enters go straight to the malware operators.

Internal MISP references

UUID ae25953d-cf7c-4304-9ea2-2ea1498ea035 which can be used as unique global reference for Hydra in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

IPStorm (Android)

Android variant of IPStorm (InterPlanetary Storm).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IPStorm (Android).

Known Synonyms
InterPlanetary Storm
Internal MISP references

UUID dc0c8824-64ac-4ab2-a0e4-955a14ecc59c which can be used as unique global reference for IPStorm (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

IRATA

According to redpiranha, IRATA (Iranian Remote Access Trojan) is an Android malware detected in the wild that is delivered through SMS phishing: the message is themed as a government notification asking the recipient to download the malicious application. IRATA can collect sensitive information from the phone, including bank details, and since it also harvests SMS messages it can be used to obtain 2FA tokens.

Internal MISP references

UUID 24fb43b4-d6a6-49c0-a862-4211a245b635 which can be used as unique global reference for IRATA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

IRRat

Internal MISP references

UUID 3e7c6e8c-46fc-4498-a28d-5b3d144c51cf which can be used as unique global reference for IRRat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

JadeRAT

Internal MISP references

UUID 8804e02c-a139-4c3d-8901-03302ca1faa0 which can be used as unique global reference for JadeRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Joker

Joker is one of the most well-known Android malware families. It has repeatedly made it into Google's official app store by varying its code, execution process and payload-retrieval techniques. The malware can steal users' personal information, including contact details, device data and SMS messages, and abuse WAP services.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Joker.

Known Synonyms
Bread
Internal MISP references

UUID aa2ad8f4-3c46-4f16-994b-2a79c7481cac which can be used as unique global reference for Joker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

KevDroid

Internal MISP references

UUID 1e1924b5-89cb-408b-bcee-d6aaef7b24e0 which can be used as unique global reference for KevDroid in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

KnSpy

Internal MISP references

UUID 084ebca7-91da-4d9c-8211-a18f358ac28b which can be used as unique global reference for KnSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Koler

Internal MISP references

UUID 4ff34778-de4b-4f48-9184-4975c8ccc3f3 which can be used as unique global reference for Koler in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Konni (Android)

Internal MISP references

UUID d4f90ffc-72cb-49a5-b796-527785f49161 which can be used as unique global reference for Konni (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

KSREMOTE

Internal MISP references

UUID 196d51bf-cf97-455d-b997-fc3e377f2188 which can be used as unique global reference for KSREMOTE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

LittleLooter

Internal MISP references

UUID 41cb4397-7ae0-4a9f-894f-47828e768aa9 which can be used as unique global reference for LittleLooter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Loki

Internal MISP references

UUID a6f481fe-b6db-4507-bb3c-28f10d800e2f which can be used as unique global reference for Loki in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

LokiBot

Android banking trojan with standard banking capabilities such as overlays and SMS stealing; it also features ransomware functionality. Its network traffic is obfuscated in the same way as Android BankBot's.

Internal MISP references

UUID 4793a29b-1191-4750-810e-9301a6576fc4 which can be used as unique global reference for LokiBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

LuckyCat

Internal MISP references

UUID 1785a4dd-4044-4405-91c2-efb722801867 which can be used as unique global reference for LuckyCat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Mandrake

Internal MISP references

UUID 0f587654-7f70-43be-9f1f-95e3a2cc2014 which can be used as unique global reference for Mandrake in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Marcher

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Marcher.

Known Synonyms
ExoBot
Internal MISP references

UUID f691663a-b360-4c0d-a4ee-e9203139c38e which can be used as unique global reference for Marcher in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []
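
The Marcher entry above lists ExoBot as a synonym, while ExoBot also appears on this page as a cluster of its own (UUID c9f2b058-6c22-462a-a20a-fca933a597dd). Anyone consuming this galaxy programmatically has to handle that case rather than take the first name match. The following Python is an added example, not code from Malpedia or the MISP project: it builds a constructed fragment in the shape of a MISP galaxy cluster file (a "values" list of objects with "uuid", "value" and "meta") from entries on this page, validates and de-duplicates the UUIDs, and resolves names and synonyms to UUIDs while refusing to guess when a name is ambiguous. The function names and the JSON fragment are assumptions of this example.

```python
"""Resolve Malpedia galaxy names and synonyms to MISP cluster UUIDs.

Added example; not code from Malpedia or the MISP project. GALAXY_JSON is a
constructed fragment in the shape of a MISP galaxy cluster file, populated
only with entries that appear on this page.
"""
import json
import uuid
from collections import defaultdict

# Constructed fragment: four clusters from this page. ExoBot is deliberately
# present twice, once as its own cluster and once as a synonym of Marcher.
GALAXY_JSON = json.dumps({
    "values": [
        {"uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd", "value": "ExoBot",
         "meta": {"type": []}},
        {"uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e", "value": "Marcher",
         "meta": {"synonyms": ["ExoBot"], "type": []}},
        {"uuid": "ef91833f-3334-4955-9218-f106494e9fc0", "value": "FluBot",
         "meta": {"synonyms": ["Cabassous", "FakeChat"], "type": []}},
        {"uuid": "aa2ad8f4-3c46-4f16-994b-2a79c7481cac", "value": "Joker",
         "meta": {"synonyms": ["Bread"], "type": []}},
    ]
})


def load_clusters(text):
    """Parse a galaxy cluster file and index its entries by UUID.

    Each "uuid" must parse as an RFC 4122 UUID and must be unique: MISP uses
    it as the global identifier, so a malformed or duplicated value would
    make the cluster unreferencable or collide with another one. UUIDs are
    normalised to lower case so that case differences cannot hide a duplicate.
    """
    clusters = {}
    for entry in json.loads(text)["values"]:
        key = str(uuid.UUID(entry["uuid"]))  # raises ValueError on a malformed id
        if key in clusters:
            raise ValueError(f"duplicate cluster uuid {key}")
        clusters[key] = entry
    return clusters


def build_name_index(clusters):
    """Map lower-cased cluster names and synonyms to the UUIDs claiming them.

    Each hit is tagged "value" (the cluster's own name) or "synonym" so the
    caller can tell a primary name from an alias.
    """
    index = defaultdict(list)
    for key, entry in clusters.items():
        index[entry["value"].lower()].append((key, "value"))
        for synonym in entry.get("meta", {}).get("synonyms", []):
            index[synonym.lower()].append((key, "synonym"))
    return dict(index)


def resolve(name, index):
    """Return all (uuid, kind) candidates for a family name; [] if unknown."""
    return list(index.get(name.strip().lower(), []))


def resolve_unique(name, index):
    """Return the single UUID for a name, or None if it is unknown or ambiguous.

    Ambiguity is the case to catch: a name that is one cluster's own value
    and another cluster's synonym (ExoBot here) must be settled by an
    analyst rather than by taking the first hit.
    """
    hits = resolve(name, index)
    return hits[0][0] if len(hits) == 1 else None


if __name__ == "__main__":
    clusters = load_clusters(GALAXY_JSON)
    index = build_name_index(clusters)
    for name in ("Cabassous", "bread", "ExoBot", "NotAFamily"):
        print(name, "->", resolve_unique(name, index), resolve(name, index))
```

Run against the real galaxy file, the same index makes synonym collisions visible up front instead of surfacing later as mis-tagged events; names that resolve to more than one cluster are the ones to review by hand.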

MasterFred

According to Heimdal, MasterFred is an Android trojan that uses fake login overlays to target not only Netflix, Instagram and Twitter users but also bank customers. The operators' goal is to steal credit card information.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MasterFred.

Known Synonyms
Brox
Internal MISP references

UUID 87131ea3-4c5e-42ba-a8e2-edd62a0bcd8d which can be used as unique global reference for MasterFred in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MazarBot

Internal MISP references

UUID 38cbdc29-a5af-46ae-ab82-baf3f6999826 which can be used as unique global reference for MazarBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Medusa (Android)

According to ThreatFabric, this is an Android banking trojan under active development as of July 2020. It is using TCP for C&C communication and targets Turkish banks.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Medusa (Android).

Known Synonyms
Gorgona
Internal MISP references

UUID f155e529-dbea-4e4d-9df3-518401191c82 which can be used as unique global reference for Medusa (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Meterpreter (Android)

Internal MISP references

UUID e1ae3e4e-5aaf-4ffe-ba2f-7871507f6d52 which can be used as unique global reference for Meterpreter (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MobileOrder

Check Point has identified samples of this spyware being distributed since 2015. No samples were found on Google Play, meaning they were likely distributed through other channels, such as social engineering.

Internal MISP references

UUID ee19588f-9752-4516-85f4-de18acfc64b3 which can be used as unique global reference for MobileOrder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Monokle

Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques and the ability to install an attacker-specified certificate into the trusted certificates on an infected device, which allows man-in-the-middle (MITM) attacks. According to Lookout researchers, it is believed to be developed by Special Technology Center (STC), a Russian defense contractor sanctioned by the U.S. Government in connection with alleged interference in the 2016 US presidential elections.

Internal MISP references

UUID 739d6d22-b187-4754-9098-22625ea612cc which can be used as unique global reference for Monokle in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MoqHao

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MoqHao.

Known Synonyms
Shaoye
XLoader
Internal MISP references

UUID 41a9408d-7020-4988-af2c-51baf4d20763 which can be used as unique global reference for MoqHao in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MOrder RAT

Internal MISP references

UUID f91f27ad-edcd-4e3d-824e-23f6acd81a7b which can be used as unique global reference for MOrder RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Mudwater

Internal MISP references

UUID 9a8a5dd0-c86e-40d1-bc94-51070447c907 which can be used as unique global reference for Mudwater in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MysteryBot

MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality.

Internal MISP references

UUID 0a53ace4-98ae-442f-be64-b8e373948bde which can be used as unique global reference for MysteryBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Nexus

Internal MISP references

UUID fe0b4e6e-268e-4c63-a095-bf1ddff95055 which can be used as unique global reference for Nexus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

OmniRAT

Internal MISP references

UUID ec936d58-6607-4e33-aa97-0e587bbbdda5 which can be used as unique global reference for OmniRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Oscorp

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Oscorp.

Known Synonyms
UBEL
Internal MISP references

UUID 8d383260-102f-46da-8cc6-7659cbbd9452 which can be used as unique global reference for Oscorp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PackChat

Internal MISP references

UUID b0f56103-1771-4e01-9ed7-44149e39ce93 which can be used as unique global reference for PackChat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PhantomLance

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PhantomLance.

Known Synonyms
PWNDROID1
Internal MISP references

UUID a73375a5-3384-4515-8538-b598d225586d which can be used as unique global reference for PhantomLance in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Phoenix

Internal MISP references

UUID b5d57344-0486-4580-a437-54c61cb0bf4d which can be used as unique global reference for Phoenix in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PhoneSpy

According to Zimperium, PhoneSpy is a spyware aimed at South Korean residents with Android devices.

Internal MISP references

UUID ff00bbb6-6856-4cf5-adde-d1cc536dd0e2 which can be used as unique global reference for PhoneSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PINEFLOWER

According to Mandiant, PINEFLOWER is an Android malware family capable of a wide range of backdoor functionality, including stealing system information, logging and recording phone calls, initiating audio recordings, reading SMS inboxes and sending SMS messages. The malware also has features to facilitate device location tracking; deleting, downloading and uploading files; reading connectivity state, speed and activity; and toggling Bluetooth, Wi-Fi and mobile data settings.

Internal MISP references

UUID a17a7c5d-0a8f-42e7-b4c9-63c258267776 which can be used as unique global reference for PINEFLOWER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PixPirate

According to PCrisk, PixPirate is an Android banking trojan capable of ATS (Automatic Transfer System) attacks, which let threat actors automatically transfer funds through the Pix instant payment platform used by numerous Brazilian banks.

In addition to launching ATS attacks, PixPirate can intercept and delete SMS messages, prevent the uninstallation process, and carry out malvertising attacks.

Internal MISP references

UUID cdf707bd-a8b0-4ee3-917d-a56b11f30206 which can be used as unique global reference for PixPirate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PixStealer

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PixStealer.

Known Synonyms
BrazKing
Internal MISP references

UUID 5d047596-eb67-4fed-b41d-65fa975150c5 which can be used as unique global reference for PixStealer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PjobRAT

Internal MISP references

UUID 6fa6c769-2546-4a5c-a3c7-24dda4ab597d which can be used as unique global reference for PjobRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Podec

Internal MISP references

UUID 82f9c4c1-2619-4236-a701-776c6c781f45 which can be used as unique global reference for Podec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

X-Agent (Android)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular X-Agent (Android).

Known Synonyms
Popr-d30
Internal MISP references

UUID 0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf which can be used as unique global reference for X-Agent (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Fake Pornhub

Internal MISP references

UUID 3272a8d8-8323-4e98-b6ce-cb40789a3616 which can be used as unique global reference for Fake Pornhub in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Premier RAT

Internal MISP references

UUID 661471fe-2cb6-4b83-9deb-43225192a849 which can be used as unique global reference for Premier RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Rafel RAT

Internal MISP references

UUID cdaa0a6d-3709-4e6f-8807-fff388baaba0 which can be used as unique global reference for Rafel RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RambleOn

Internal MISP references

UUID 41ab3c99-297c-465c-8375-3e9f7ce4b996 which can be used as unique global reference for RambleOn in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Rana

Internal MISP references

UUID 65a8e406-b535-4c0a-bc6d-d1bec3c55623 which can be used as unique global reference for Rana in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RatMilad

RatMilad, a newly discovered Android spyware, has been stealing data from mobile devices in the Middle East. The malware is spread through links on social media and pretends to be an application for services like VPN and phone number spoofing. Unwary users download these trojanized applications and grant the malware the access it requests.

Internal MISP references

UUID 542c3e5e-2124-4c36-af05-65893974d5ce which can be used as unique global reference for RatMilad in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Raxir

Internal MISP references

UUID f5cabe73-b5d6-4503-8350-30a6d54c32ef which can be used as unique global reference for Raxir in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RedAlert2

RedAlert 2 is a new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server. The malware also has the ability to block incoming calls from banks, to prevent the victim from being notified. As a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, WhatsApp or fake Adobe Flash Player updates.

Internal MISP references

UUID e9aaab46-abb1-4390-b37b-d0457d05b28f which can be used as unique global reference for RedAlert2 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RemRAT

Internal MISP references

UUID 23809a2b-3c24-41c5-a310-2b8045539202 which can be used as unique global reference for RemRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Retefe (Android)

The Android app used by Retefe is an SMS stealer, used to forward mTAN codes to the threat actor. Furthermore, a bank logo is added to the specific Android app to trick users into thinking it is a legitimate app. Moreover, if the visitor is not an intended victim, the download link does not point to the malicious APK but to the real 'Signal Private Messenger' tool, so that phone does not get infected.

Internal MISP references

UUID 22ef1e56-7778-41d1-9b2b-737aa5bf9777 which can be used as unique global reference for Retefe (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Revive

According to PCrisk, Revive is the name of a banking Trojan targeting Android users (customers of a specific Spanish bank). It steals sensitive information. Cybercriminals use Revive to take ownership of online accounts using stolen login credentials. This malware abuses Accessibility Services to perform malicious activities.

Internal MISP references

UUID 25669934-14bf-463f-bcae-c59c590c3bf8 which can be used as unique global reference for Revive in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Riltok

Internal MISP references

UUID d7b347f8-77a5-4197-b818-f3af504da2c1 which can be used as unique global reference for Riltok in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Roaming Mantis

Internal MISP references

UUID 31d2ce1f-44bf-4738-a41d-ddb43466cd82 which can be used as unique global reference for Roaming Mantis in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Rogue

Internal MISP references

UUID 4b53480a-8006-4af7-8e4e-cc8727c62648 which can be used as unique global reference for Rogue in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Rootnik

Internal MISP references

UUID db3dcfd1-79d2-4c91-898f-5f2463d7c417 which can be used as unique global reference for Rootnik in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Sauron Locker

Internal MISP references

UUID a7c058cf-d482-42cf-9ea7-d5554287ea65 which can be used as unique global reference for Sauron Locker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SharkBot

SharkBot is a piece of malicious software targeting Android Operating Systems (OSes). It is designed to obtain and misuse financial data by redirecting and stealthily initiating money transfers. SharkBot is particularly active in Europe (United Kingdom, Italy, etc.), but its activity has also been detected in the United States.

Internal MISP references

UUID 7b20fdb1-5aee-4f17-a88e-bcd72c893f0a which can be used as unique global reference for SharkBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SideWinder (Android)

SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting.

Internal MISP references

UUID af929cac-e0c6-4a63-ac5a-02c4cbbab746 which can be used as unique global reference for SideWinder (Android) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SilkBean

Internal MISP references

UUID 00ab3d3b-dbbf-40de-b3d8-a3466704a1a7 which can be used as unique global reference for SilkBean in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Skygofree

Internal MISP references

UUID f5fded3c-8f45-471a-a372-d8be101e1b22 which can be used as unique global reference for Skygofree in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Slempo

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Slempo.

Known Synonyms
SlemBunk
Internal MISP references

UUID d87e2574-7b9c-4ea7-98eb-88f3e139f6ff which can be used as unique global reference for Slempo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Slocker

Internal MISP references

UUID fe187c8a-25d4-4d30-bd43-efca18d527f0 which can be used as unique global reference for Slocker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SmsAgent

Internal MISP references

UUID ee42986c-e736-4092-a2f9-2931a02c688d which can be used as unique global reference for SmsAgent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SMSspy

Internal MISP references

UUID 7a38c552-0e1a-4980-8d62-1aa38617efab which can be used as unique global reference for SMSspy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SoumniBot

Internal MISP references

UUID ed53cdaf-0649-4ca5-adcd-592a46f79da8 which can be used as unique global reference for SoumniBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

S.O.V.A.

Internal MISP references

UUID 2aa95661-b63a-432e-8e5e-74ac93b42d57 which can be used as unique global reference for S.O.V.A. in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SpyBanker

Internal MISP references

UUID e186384b-8001-4cdd-b170-1548deb8bf04 which can be used as unique global reference for SpyBanker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SpyC23

Internal MISP references

UUID 8fb4910f-e645-4465-a202-a20835416c87 which can be used as unique global reference for SpyC23 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SpyMax

SpyMax is a popular Android surveillance tool. Its predecessor, SpyNote, was one of the most widely used spyware frameworks.

Internal MISP references

UUID e1dfb554-4c17-4d4c-ac48-604c48d8ab0b which can be used as unique global reference for SpyMax in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SpyNote

The malware has been released on GitHub at https://github.com/EVLF/Cypher-Rat-Source-Code

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SpyNote.

Known Synonyms
CypherRat
Internal MISP references

UUID 31592c69-d540-4617-8253-71ae0c45526c which can be used as unique global reference for SpyNote in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

StealthAgent

Internal MISP references

UUID 0777cb30-534f-44bb-a7af-906a422bd624 which can be used as unique global reference for StealthAgent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Stealth Mango

Internal MISP references

UUID 7d480f11-3de8-463d-8a19-54685c8b9e0f which can be used as unique global reference for Stealth Mango in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Svpeng

Internal MISP references

UUID d99c0a47-9d61-4d92-86ec-86a87b060d76 which can be used as unique global reference for Svpeng in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Switcher

Internal MISP references

UUID e3e90666-bc19-4741-aca8-1e4cbc2f4c9e which can be used as unique global reference for Switcher in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TalentRAT

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TalentRAT.

Known Synonyms
Assassin RAT
Internal MISP references

UUID 46151a0d-aa0a-466c-9fff-c2c3474f572e which can be used as unique global reference for TalentRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TangleBot

Internal MISP references

UUID 1e37d712-df02-48aa-82fc-28fa80c92c2b which can be used as unique global reference for TangleBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TeleRAT

Internal MISP references

UUID e1600d04-d2f7-4862-8bbc-0f038ea683ea which can be used as unique global reference for TeleRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TemptingCedar Spyware

Internal MISP references

UUID 982c3554-1df2-4062-8f32-f311940ad9ff which can be used as unique global reference for TemptingCedar Spyware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ThiefBot

Internal MISP references

UUID 5863d2eb-920d-4263-8c4b-7a16d410ff89 which can be used as unique global reference for ThiefBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TianySpy

According to Trend Micro, this malware appears to have been designed to steal credentials associated with membership websites of major Japanese telecommunication services.

Internal MISP references

UUID 8260dda5-f608-48f2-9341-28dbc5a8e895 which can be used as unique global reference for TianySpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TinyZ

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TinyZ.

Known Synonyms
Catelites Android Bot
MarsElite Android Bot
Internal MISP references

UUID 93b27a50-f9b7-4ab6-bb9f-70a4b914eec3 which can be used as unique global reference for TinyZ in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Titan

Internal MISP references

UUID 7d418da3-d9d2-4005-8cc7-7677d1b11327 which can be used as unique global reference for Titan in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ToxicPanda

Internal MISP references

UUID 7ac4865d-dc9d-468e-a462-67dfc63d118b which can be used as unique global reference for ToxicPanda in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Triada

Internal MISP references

UUID fa5fdfd2-8142-43f5-9b48-d1033b5398c8 which can be used as unique global reference for Triada in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TrickMo

TrickMo is an advanced banking trojan for Android. Starting out as a companion malware to TrickBot in 2020, it first became a standalone banking trojan by addition of overlay attacks in 2021 and was later (2024) upgraded with remote control capabilities for on-device fraud. The continued development and progressively improved obfuscation suggests an active Threat Actor.

Internal MISP references

UUID cff89ce1-a133-48a6-b8bd-e4f97cf23d6a which can be used as unique global reference for TrickMo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Triout

Bitdefender described Triout as an Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware's surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.

Internal MISP references

UUID bd9ce51c-53f9-411b-b46a-aba036c433b1 which can be used as unique global reference for Triout in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

UltimaSMS

Internal MISP references

UUID 65476d5f-321f-4385-867a-383094cadb58 which can be used as unique global reference for UltimaSMS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified APK 001

Internal MISP references

UUID bbd5a32e-a080-4f16-98ea-ad8863507aa6 which can be used as unique global reference for Unidentified APK 001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified APK 002

Internal MISP references

UUID afb6a7cc-4185-4f19-8ad4-45dcbb76e544 which can be used as unique global reference for Unidentified APK 002 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified APK 004

According to Check Point Research, this is a RAT that is disguised as a set of dating apps like "GrixyApp", "ZatuApp", "Catch&See", including dedicated websites to conceal their malicious purpose.

Internal MISP references

UUID 55626b63-4b9a-468e-92ae-4b09b303d0ed which can be used as unique global reference for Unidentified APK 004 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified APK 005

Internal MISP references

UUID 5413ca94-1385-40c0-8eb2-1fc3aff87fb1 which can be used as unique global reference for Unidentified APK 005 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified APK 006

Information stealer posing as a fake banking app, targeting Korean users.

Internal MISP references

UUID 2263198d-af38-4e38-a7a8-4435d29d88e8 which can be used as unique global reference for Unidentified APK 006 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified 007 (ARMAAN RAT)

According to Cyble, this is an Android application that pretends to be the legitimate application for the Army Mobile Aadhaar App Network (ARMAAN), intended to be used by Indian army personnel. The application was customized to include RAT functionality.

Internal MISP references

UUID 75c641c4-17df-43c4-9773-c27464c5d2ff which can be used as unique global reference for Unidentified 007 (ARMAAN RAT) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified APK 008

Android malware distributed through fake shopping websites, targeting Malaysian users and their banking information.

Internal MISP references

UUID 2ffddca0-841c-4eb6-9983-ff38abb5d6d6 which can be used as unique global reference for Unidentified APK 008 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified APK 009 (Chrome Recon)

According to Google, this is a Chrome reconnaissance payload.

Internal MISP references

UUID 6d3bcabe-6b3a-49c1-b1a9-2239ce06deae which can be used as unique global reference for Unidentified APK 009 (Chrome Recon) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

VajraSpy

Internal MISP references

UUID c328b30f-e076-47dc-8c93-4d20f62c72ab which can be used as unique global reference for VajraSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

vamp

Related to the Micropsia Windows malware and also sometimes named Micropsia.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular vamp.

Known Synonyms
android.micropsia
Internal MISP references

UUID 1ad5b462-1b0d-4c2f-901d-ead6c9f227bc which can be used as unique global reference for vamp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

VINETHORN

According to Mandiant, VINETHORN is an Android malware family capable of a wide range of backdoor functionality. It can steal system information, read SMS inboxes, send SMS messages, access contact lists and call histories, record audio and video, and track device location via GPS.

Internal MISP references

UUID 6da6dfb6-2c50-465c-9394-26695d72e8c7 which can be used as unique global reference for VINETHORN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Viper RAT

Internal MISP references

UUID 3482f5fe-f129-4c77-ae98-76e25f6086b9 which can be used as unique global reference for Viper RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Vultur

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vultur.

Known Synonyms
Vulture
Internal MISP references

UUID 49b1c344-ce13-48bf-9839-909ba57649c4 which can be used as unique global reference for Vultur in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WireX

Internal MISP references

UUID 77f2254c-9886-4eed-a7c3-bbcef4a97d46 which can be used as unique global reference for WireX in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WolfRAT

Internal MISP references

UUID 994c7bb3-ba40-41bb-89b3-f05996924b10 which can be used as unique global reference for WolfRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Wroba

According to Avira, this is a banking trojan targeting Japan.

Internal MISP references

UUID 40a5d526-ef9f-4ddf-a326-6f33dceeeebc which can be used as unique global reference for Wroba in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WyrmSpy

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WyrmSpy.

Known Synonyms
AndroidControl
Internal MISP references

UUID 77f81373-bb3a-449d-82ff-b28fe31acef6 which can be used as unique global reference for WyrmSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Xbot

Internal MISP references

UUID 4cfa42a3-71d9-43e2-bf23-daa79f326387 which can be used as unique global reference for Xbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Xenomorph

Xenomorph is an Android banking RAT developed by the Hadoken.Security actor.

Internal MISP references

UUID d202e42d-2c35-4c1c-90f1-644a8cae38f1 which can be used as unique global reference for Xenomorph in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

xHelper

Internal MISP references

UUID f54dec1f-bec6-4f4a-a909-690d65e0f14b which can be used as unique global reference for xHelper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

XploitSPY

Internal MISP references

UUID 57600f52-b55f-49c7-9c0c-de10b2d23370 which can be used as unique global reference for XploitSPY in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

XRat

Internal MISP references

UUID a8f167a8-30b9-4953-8eb6-247f0d046d32 which can be used as unique global reference for XRat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

YellYouth

Internal MISP references

UUID a2dad59d-2355-415c-b4d6-62236d3de4c7 which can be used as unique global reference for YellYouth in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Zanubis

According to Cyware, Zanubis malware pretends to be a malicious PDF application. The threat actor uses it as a key to decrypt responses received from the C2 server.

Internal MISP references

UUID cebf13e5-dbfc-49d6-8715-e3b7687d386f which can be used as unique global reference for Zanubis in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Zen

Internal MISP references

UUID 46d6d102-fc38-46f7-afdc-689cafe13de5 which can be used as unique global reference for Zen in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ZooPark

Internal MISP references

UUID b1fc66de-fda7-4f0c-af00-751d334444b3 which can be used as unique global reference for ZooPark in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Ztorg

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ztorg.

Known Synonyms
Qysly
Internal MISP references

UUID 9fbf97c0-d87a-47b0-a511-0147a58b5202 which can be used as unique global reference for Ztorg in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Nightrunner

WebShell.

Internal MISP references

UUID b0206aac-30ff-41ce-b7d4-1b94ab15e3b1 which can be used as unique global reference for Nightrunner in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Tunna

WebShell.

Internal MISP references

UUID b057f462-dc32-4f7b-95e0-98a20a48f2b2 which can be used as unique global reference for Tunna in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TwoFace

According to Unit42, TwoFace is a two-stage (loader+payload) webshell, written in C# and meant to run on web servers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names, and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.

The secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains additional functionality that we will discuss in further detail. When the threat actor wants to interact with the remote server, they provide data that the loader will use to modify a decryption key embedded within the loader, which in turn is used to decrypt the embedded TwoFace payload. Commands supported by the payload are execution of programs, upload, download and deletion of files, and the capability to manipulate MAC timestamps.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TwoFace.

Known Synonyms
HighShell
HyperShell
Minion
SEASHARPEE
Internal MISP references

UUID a98a04e5-1f86-44b8-91ff-dbe1534782ba which can be used as unique global reference for TwoFace in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified ASP 001 (Webshell)

Internal MISP references

UUID d4318f40-a39a-4ce0-8d3c-246d9923d222 which can be used as unique global reference for Unidentified ASP 001 (Webshell) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Abcbot

Abcbot is a modular Go-based botnet and malware that propagates via exploits and brute force attempts. The botnet was observed launching DDoS attacks, performing internet scans, and serving web pages. It is probably linked to a Xanthe-based clipjacking campaign.

Internal MISP references

UUID 8d17175b-4e9f-43a9-851d-898bb6696984 which can be used as unique global reference for Abcbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Abyss Locker

Family based on HelloKitty Ransomware. Encryption algorithm changed from AES to ChaCha. Sample seems to be unpacked.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Abyss Locker.

Known Synonyms
elf.hellokitty
Internal MISP references

UUID 302a96b1-73cb-4f70-a329-e68debd87bf8 which can be used as unique global reference for Abyss Locker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ACBackdoor (ELF)

A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.

Internal MISP references

UUID cd2d7040-edc4-4985-b708-b206b08cc1fe which can be used as unique global reference for ACBackdoor (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AcidPour

Internal MISP references

UUID 11981e96-be46-4ce9-8085-af7224591951 which can be used as unique global reference for AcidPour in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AcidRain

A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems.

Internal MISP references

UUID 6108aa3d-ea6e-47fd-9344-d333b07f5a56 which can be used as unique global reference for AcidRain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AgeLocker

Internal MISP references

UUID 5d04aac3-fdf5-4922-9976-3a5a75e96e1a which can be used as unique global reference for AgeLocker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AirDropBot

AirDropBot is used to create a DDoS botnet. It spreads as a worm, currently targeting Linksys routers. Backdoor and other bot functionality is present in this family. Development seems to be ongoing.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AirDropBot.

Known Synonyms
CloudBot
Internal MISP references

UUID e91fcb82-e788-44cb-be5d-73b9601b9533 which can be used as unique global reference for AirDropBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Aisuru

Honeypot-aware variant of Mirai.

Internal MISP references

UUID e288425b-40f0-441e-977f-5f1264ed61b6 which can be used as unique global reference for Aisuru in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Akira (ELF)

Ransomware

Internal MISP references

UUID 365081b9-f60d-4484-befa-d4fc9d0f55d7 which can be used as unique global reference for Akira (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AnchorDNS

Backdoor deployed by the TrickBot actors. It uses DNS as the command and control channel as well as for exfiltration of data.

Internal MISP references

UUID b88dc3ec-d94c-4e6e-a846-5d07130df550 which can be used as unique global reference for AnchorDNS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ANGRYREBEL

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ANGRYREBEL.

Known Synonyms
Ghost RAT
Internal MISP references

UUID 6cb47609-b03e-43d9-a4c7-8342f1011f3b which can be used as unique global reference for ANGRYREBEL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AVrecon

AVrecon is a Linux-based Remote Access Trojan (RAT) targeting small-office/home-office (SOHO) routers and other ARM-embedded devices. The malware is distributed via exploitation of unpatched vulnerabilities or common misconfigurations of the targeted devices. Once deployed, AVrecon collects some information about the infected device, opens a session to a pre-configured C&C server, and spawns a remote shell for command execution. It might also download additional arbitrary files and run them. The malware has recently been used in campaigns aimed at ad-fraud activities, password spraying and data exfiltration.

Internal MISP references

UUID 1b218432-dd5c-4593-8f37-e202f9418fff which can be used as unique global reference for AVrecon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

azazel

Azazel is a Linux user-mode rootkit based on a technique from the Jynx rootkit (the LD_PRELOAD technique). Azazel is purportedly more robust than Jynx and has many more anti-analysis features.

Internal MISP references

UUID 37374572-3346-4c00-abc9-9f6883c8866e which can be used as unique global reference for azazel in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

B1txor20

B1txor20 is a malware that was discovered by 360 Netlab along with others exploiting Log4J. The name is derived from the file name "b1t", the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes. According to 360 Netlab, this backdoor for the Linux platform uses a DNS tunnel to build a C2 communication channel. They also assume that the malware is still in development, because of bugs and features that are not fully implemented.

Internal MISP references

UUID 05e6d9ff-93a1-429b-b856-794d9ded75df which can be used as unique global reference for B1txor20 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Babuk (ELF)

ESX and NAS modules for Babuk ransomware.

Internal MISP references

UUID 26b4d805-890b-4767-9d9f-a08adeee1c96 which can be used as unique global reference for Babuk (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Backdoorit

According to Avast Decoded, Backdoorit is a multiplatform RAT written in the Go programming language and supporting both Windows and Linux/Unix operating systems. In many places in the code it is also referred to as backd00rit.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Backdoorit.

Known Synonyms
backd00rit
Internal MISP references

UUID 4a4bc444-9e93-47a6-a572-0e13f743d875 which can be used as unique global reference for Backdoorit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Irc16

Internal MISP references

UUID 3008fa01-492a-42e2-ab9b-a0a9d12823b8 which can be used as unique global reference for Irc16 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BADCALL (ELF)

BADCALL is a Trojan malware variant used by Lazarus Group.

Internal MISP references

UUID 350817e8-4d70-455e-b1fd-000bed4a4cf4 which can be used as unique global reference for BADCALL (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Bashlite

Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bashlite.

Known Synonyms
Gafgyt
gayfgt
lizkebab
qbot
torlus
Internal MISP references

UUID 81917a93-6a70-4334-afe2-56904c1fafe9 which can be used as unique global reference for Bashlite in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BCMPUPnP_Hunter

Internal MISP references

UUID d8dd47a5-85fe-4f07-89dc-00301468d209 which can be used as unique global reference for BCMPUPnP_Hunter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BianLian (ELF)

Internal MISP references

UUID f6be433e-7ed0-4777-876b-e3e2ba7d5c7f which can be used as unique global reference for BianLian (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BiBi-Linux

According to Security Joes, this malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions. During execution, it produces extensive output, which can be mitigated using the "nohup" command. It also leverages multiple threads and a queue to corrupt files concurrently, enhancing its speed and reach. Its actions include overwriting files, renaming them with a random string containing "BiBi," and excluding certain file types from corruption.

Internal MISP references

UUID efec7bb0-4ec7-4c97-a8a9-28e0fea19852 which can be used as unique global reference for BiBi-Linux in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Bifrost

Linux version of the bifrose malware that originally targeted the Windows platform only. The backdoor has the ability to perform file management, start or end a process, or start a remote shell. The connection is encrypted using a modified RC4 algorithm.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bifrost.

Known Synonyms
elf.bifrose
Internal MISP references

UUID 8fa6dd0e-b630-419f-bd01-5271dd8f27c6 which can be used as unique global reference for Bifrost in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BigViktor

A DDoS bot abusing CVE-2020-8515 to target DrayTek Vigor routers. It uses a wordlist-based DGA to generate its C&C domains.

Internal MISP references

UUID 901ab128-2d23-41d7-a9e7-6a34e281804e which can be used as unique global reference for BigViktor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BioSet

Internal MISP references

UUID 8e301f58-acef-48e7-ad8b-c27d3ed38eed which can be used as unique global reference for BioSet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Black Basta (ELF)

ESXi encrypting ransomware, using a combination of the stream cipher ChaCha20 and RSA.

Internal MISP references

UUID 35c86fef-18fe-491c-ad3c-13f98e8f5584 which can be used as unique global reference for Black Basta (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BlackCat (ELF)

ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.

ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackCat (ELF).

Known Synonyms
ALPHV
Noberus
Internal MISP references

UUID 860e9d03-830e-4410-ac89-75b6eb89e7e5 which can be used as unique global reference for BlackCat (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BlackMatter (ELF)

Internal MISP references

UUID 1277a4bf-466c-40bc-b000-f55cbd0994a7 which can be used as unique global reference for BlackMatter (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Blackrota

Internal MISP references

UUID a30aedcc-562e-437a-827c-55bc00cf3506 which can be used as unique global reference for Blackrota in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BlackSuit (ELF)

According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.

Internal MISP references

UUID 5bdbeaae-0def-4547-9940-33ad94060955 which can be used as unique global reference for BlackSuit (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BOLDMOVE (ELF)

According to Mandiant, this malware family is attributed to a potential Chinese background and is directly related to observed exploitation of Fortinet's SSL-VPN (CVE-2022-42475). There is also a Windows variant.

Internal MISP references

UUID 8f347147-c34e-4698-9439-c640233fca15 which can be used as unique global reference for BOLDMOVE (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Break out the Box

This is a pentesting tool and, according to the author, "BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies."

It has been observed being used by TeamTNT in their activities for spreading crypto-mining malware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Break out the Box.

Known Synonyms
BOtB
Internal MISP references

UUID 57c9ab70-7133-441a-af66-10c0e4eb898b which can be used as unique global reference for Break out the Box in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BotenaGo

According to Alien Labs, this malware targets embedded devices including routers with more than 30 exploits. Source code: https://github.com/Egida/kek/blob/19991ef983f838287aa9362b78b4ed8da0929184/loader_multi.go (2021-10-16)

Internal MISP references

UUID dffcc168-cb76-4ae6-b913-c369e92c614b which can be used as unique global reference for BotenaGo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BPFDoor

BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BPFDoor.

Known Synonyms
JustForFun
Internal MISP references

UUID 3c7082b6-0181-4064-8e35-ab522b49200f which can be used as unique global reference for BPFDoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

brute_ratel

Internal MISP references

UUID 2fa4ac4e-3f89-4fd0-b4fd-2c776dcf69d8 which can be used as unique global reference for brute_ratel in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Bvp47

Pangu Lab discovered this backdoor during a forensic investigation in 2013. They refer to related incidents as "Operation Telescreen".

Internal MISP references

UUID 0492f9bf-3c5d-4c17-993b-2b53d0fb06f7 which can be used as unique global reference for Bvp47 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Caja

Linux malware cross-compiled for x86, MIPS and ARM. It uses XOR-encoded strings and supports 13 C&C commands, including file download, file modification and execution, and the ability to run shell commands.

Internal MISP references

UUID 06816c22-be7c-44db-8d0d-395ab306bb9b which can be used as unique global reference for Caja in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Caligula

According to Avast Decoded, Caligula is a multiplatform IRC bot that can perform DDoS attacks. It is written in Go and distributed in ELF files targeting Intel 32/64-bit code, as well as ARM 32-bit and PowerPC 64-bit. It is based on the Hellabot open source project.

Internal MISP references

UUID c936f24c-c04a-4cab-9ac6-6384a2d4c283 which can be used as unique global reference for Caligula in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Capoae

XMRig-based mining malware written in Go.

Internal MISP references

UUID c1b0528b-c674-4c76-8e1d-5846ba8af261 which can be used as unique global reference for Capoae in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CDorked

This is in the same family as Ebury and Calfbot, and is also likely related to DarkLeech.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CDorked.

Known Synonyms
CDorked.A
Internal MISP references

UUID bb9eaaec-97c9-4014-94dd-129cecf31ff0 which can be used as unique global reference for CDorked in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CDRThief

Internal MISP references

UUID 27d06ac9-42c4-433a-b1d7-660710d9e8df which can be used as unique global reference for CDRThief in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Cephei

Internal MISP references

UUID baa0704b-50d8-48af-91e1-049f30f422cc which can be used as unique global reference for Cephei in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Cetus

Internal MISP references

UUID 7a226df2-9599-4002-9a38-b044e16f76a9 which can be used as unique global reference for Cetus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Chalubo

Sophos describes this malware as a DDoS bot, with its name originating from ChaCha-Lua-bot due to its use of ChaCha cipher and Lua. Variants exist for multiple architectures and it incorporates code from XorDDoS and Mirai.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chalubo.

Known Synonyms
ChaChaDDoS
Internal MISP references

UUID af91c777-93f7-4b7f-981f-141478972011 which can be used as unique global reference for Chalubo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Chaos (ELF)

Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji.

Internal MISP references

UUID ef03e3c3-32d5-483a-bd1f-97dd531c4bca which can be used as unique global reference for Chaos (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Chapro

Internal MISP references

UUID 700366d8-4036-4e48-9a5f-bd6e09fb9b6b which can be used as unique global reference for Chapro in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Chisel (ELF)

Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. It was, for example, observed by SentinelOne during a PYSA ransomware campaign to achieve persistence and was used as a backdoor. GitHub: https://github.com/jpillora/chisel

Internal MISP references

UUID e5600185-39b7-49a0-bd60-a6806c7d47dd which can be used as unique global reference for Chisel (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Clop (ELF)

ELF version of the Clop ransomware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Clop (ELF).

Known Synonyms
Cl0p
Internal MISP references

UUID 3d11ec52-9ca8-4d83-99d4-6658f306e8e4 which can be used as unique global reference for Clop (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Cloud Snooper

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cloud Snooper.

Known Synonyms
Snoopy
Internal MISP references

UUID 0b1c514d-f617-4380-a28c-a1ed305a7538 which can be used as unique global reference for Cloud Snooper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ConnectBack

ConnectBack malware is a type of malicious software designed to establish unauthorized connections from an infected system to a remote server. Once a victim's device is compromised, ConnectBack creates a covert channel for communication, allowing the attacker to remotely control and gather sensitive information from the compromised system.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ConnectBack.

Known Synonyms
Getshell
Internal MISP references

UUID 82c57d1b-c11b-44f7-9675-2f0d23fb543f which can be used as unique global reference for ConnectBack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Conti (ELF)

Ransomware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Conti (ELF).

Known Synonyms
Conti Locker
Internal MISP references

UUID c1ab8323-ce61-409a-80f3-b945c8ffcd42 which can be used as unique global reference for Conti (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Cpuminer (ELF)

This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.

Internal MISP references

UUID 8196b6f6-386e-4499-b269-4e5c65f74141 which can be used as unique global reference for Cpuminer (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Cr1ptT0r

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cr1ptT0r.

Known Synonyms
CriptTor
Internal MISP references

UUID 196b20ec-c3d1-4136-ab94-a2a6cc150e74 which can be used as unique global reference for Cr1ptT0r in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CronRAT

A malware written in Bash that hides in the Linux calendar system on February 31st. Observed in relation to Magecart attacks.

Internal MISP references

UUID c49062cc-ceef-4794-9d8a-93ede434ecfd which can be used as unique global reference for CronRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CyclopsBlink

According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard and ASUS devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.

Internal MISP references

UUID 76d4b754-e025-41c5-a767-7b00a39bd255 which can be used as unique global reference for CyclopsBlink in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Dacls (ELF)

According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.

Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows operating system. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless, and any RAT should be uninstalled immediately.

Internal MISP references

UUID 2e5e2a7e-4ee5-4954-9c92-e9b21649ae1b which can be used as unique global reference for Dacls (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Dark

Mirai variant exploiting CVE-2021-20090 and CVE-2021-35395 for spreading.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dark.

Known Synonyms
Dark.IoT
Internal MISP references

UUID d499e7ad-332f-4057-b31d-a69916408057 which can be used as unique global reference for Dark in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DarkCracks

A sophisticated payload delivery and upgrade framework, discovered in 2024. DarkCracks exploits compromised GLPI and WordPress sites to function as Downloaders and C2 servers.

Internal MISP references

UUID 043c46fc-b98a-438e-b071-3ac76380f082 which can be used as unique global reference for DarkCracks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Dark Nexus

Internal MISP references

UUID dfba0c8f-9d06-448b-817e-6fffa1b22cb9 which can be used as unique global reference for Dark Nexus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DarkSide (ELF)

Internal MISP references

UUID 61796628-c37b-4284-9aa4-9f054cc6c3c2 which can be used as unique global reference for DarkSide (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DarkRadiation

Internal MISP references

UUID 39be337b-8a9a-4d71-949b-5efd6248fc80 which can be used as unique global reference for DarkRadiation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DDG

First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).

Internal MISP references

UUID 5c42585b-ea92-4fe2-8a79-bb47a3df67ad which can be used as unique global reference for DDG in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ddoor

Internal MISP references

UUID 07f48866-647c-46b0-a0d4-29c81ad488a8 which can be used as unique global reference for ddoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DEADBOLT

DEADBOLT is a Linux ransomware written in Go, targeting QNAP NAS devices worldwide. The files are encrypted with AES-128 encryption and have the .deadbolt extension appended to their file names.

Internal MISP references

UUID b37c9ba2-f1b0-4a2f-9387-7310939d2189 which can be used as unique global reference for DEADBOLT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Decoy Dog RAT

Internal MISP references

UUID 6452720d-bd35-4c55-8178-ed0dd86f4c53 which can be used as unique global reference for Decoy Dog RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Denonia

Cado discovered this malware, written in Go and targeting AWS Lambda environments.

Internal MISP references

UUID d5d9bb86-715d-4d86-a4d2-ab73085d1b0c which can be used as unique global reference for Denonia in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Derusbi (ELF)

Internal MISP references

UUID 494dcdfb-88cb-456d-a95a-252ff10c0ba9 which can be used as unique global reference for Derusbi (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DISGOMOJI

Internal MISP references

UUID 1f6098a1-2395-4329-8865-49602638f45a which can be used as unique global reference for DISGOMOJI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Dofloo

Dofloo (aka AESDDoS) is a popular malware used to create large scale botnets that can launch DDoS attacks and load cryptocurrency miners to the infected machines.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dofloo.

Known Synonyms
AESDDoS
Internal MISP references

UUID ffb5789f-d7e6-4723-a447-e5bb2fe713a0 which can be used as unique global reference for Dofloo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Doki

Internal MISP references

UUID a5446b35-8613-4121-ada4-c0b1d6f72851 which can be used as unique global reference for Doki in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DoubleFantasy (ELF)

Internal MISP references

UUID a41d8c89-8229-4936-96c2-4b194ebaf858 which can be used as unique global reference for DoubleFantasy (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DreamBus

Internal MISP references

UUID 22ff8eac-d92e-4c6e-829b-9b565d90eddd which can be used as unique global reference for DreamBus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Ebury

This payload was used to compromise kernel.org back in August 2011 and has hit cPanel Support, which, in turn, infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.

This family is part of a wider range of tools which are described in detail in the Operation Windigo whitepaper by ESET.

Internal MISP references

UUID ce79265c-a467-4a17-b27d-7ec7954688d5 which can be used as unique global reference for Ebury in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Echobot

The latest in this long line of Mirai scourges is a new variant named Echobot. Coming to life in mid-May, the malware was first described by Palo Alto Networks in a report published at the start of June, and then again in a report by security researchers from Akamai, in mid-June.

When it was first spotted by Palo Alto Networks researchers in early June, Echobot was using exploits for 18 vulnerabilities. In the Akamai report, a week later, Echobot was at 26.

https://www.zdnet.com/article/new-echobot-malware-is-a-smorgasbord-of-vulnerabilities

Internal MISP references

UUID 040ac9c6-e3ab-4b51-88a9-5380101c74f8 which can be used as unique global reference for Echobot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Elevator

Internal MISP references

UUID 6ee05063-4f73-4a99-86a5-906164039a3a which can be used as unique global reference for Elevator in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

EnemyBot

According to the Infosec Institute, EnemyBot is a dangerous IoT botnet that has made headlines in the last few weeks. This threat, which seems to be disseminated by the Keksec group, expanded its features by adding recent vulnerabilities discovered in 2022. It was designed to attack web servers, Android devices and content management systems (CMS) servers.

Internal MISP references

UUID 262d18be-7cab-46c2-bcb0-47fff17604aa which can be used as unique global reference for EnemyBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Erebus (ELF)

Internal MISP references

UUID 479353aa-c6d7-47a7-b5f0-3f97fd904864 which can be used as unique global reference for Erebus (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ESXiArgs

Ransomware used to target ESXi servers.

Internal MISP references

UUID 7550af7f-91cc-49e7-a4c5-d4e4d993cbef which can be used as unique global reference for ESXiArgs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Evilginx

According to the author, Evilginx is a standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.

Internal MISP references

UUID 8eee410f-0538-4a6c-897b-c6bf4f9f28d7 which can be used as unique global reference for Evilginx in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

EvilGnome

According to Infosec Institute, EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions help to extend Linux functionality, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of functionalities uncommon for most Linux malware types.

Internal MISP references

UUID 149e693c-4b51-4143-9061-6a8698b0e7f5 which can be used as unique global reference for EvilGnome in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

EwDoor

Internal MISP references

UUID e75eb723-7c23-4a3b-9419-cefb88e5f6b7 which can be used as unique global reference for EwDoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Exaramel (ELF)

Internal MISP references

UUID 1e0540f3-bad3-403f-b8ed-ce40a276559e which can be used as unique global reference for Exaramel (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ext4

Internal MISP references

UUID 79b2b3c0-6119-4511-9c33-2a48532b6a60 which can be used as unique global reference for ext4 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Facefish

Internal MISP references

UUID 106487ea-a710-4546-bd62-bdbfa0b0447e which can be used as unique global reference for Facefish in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FBot

Internal MISP references

UUID 501e5434-5796-4d63-8539-d99ec48119c2 which can be used as unique global reference for FBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FinFisher (ELF)

Internal MISP references

UUID 44018d71-25fb-4959-b61e-d7af97c85131 which can be used as unique global reference for FinFisher (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

floodor

Internal MISP references

UUID ac30f2be-8153-4588-b29c-5e5863792930 which can be used as unique global reference for floodor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Fodcha

Malware used to run a DDoS botnet.

Internal MISP references

UUID 4a64a1ca-e5bc-4a27-bff2-1c68cea05ba7 which can be used as unique global reference for Fodcha in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FontOnLake

This family utilizes custom modules allowing for remote access, credential harvesting (e.g. by modifying sshd) and proxy usage.

It comes with a rootkit as well.

Internal MISP references

UUID c530d62b-e49f-4ccf-9c87-d9f6c16617b7 which can be used as unique global reference for FontOnLake in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FritzFrog

Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk.

Internal MISP references

UUID b43b7b4a-9cf4-4f98-b4d2-617a7d84bfa7 which can be used as unique global reference for FritzFrog in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Gitpaste-12

Gitpaste-12 is a modular malware first observed in October 2020 targeting Linux based x86 servers, as well as Linux ARM and MIPS based IoT devices. It uses GitHub and Pastebin as dead drop C2 locations.

Internal MISP references

UUID ffd09324-b585-49c0-97e5-536d386f49a5 which can be used as unique global reference for Gitpaste-12 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Glupteba Proxy

ARM32 SOCKS proxy, written in Go, used in the Glupteba campaign.

Internal MISP references

UUID bcfec1d3-ff29-4677-a5f6-be285e98a9db which can be used as unique global reference for Glupteba Proxy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GobRAT

Internal MISP references

UUID ddba032c-ebde-4736-b7ef-8376702dac6a which can be used as unique global reference for GobRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Godlua

Internal MISP references

UUID f3cb0a78-1608-44b1-9949-c6addf6c13ce which can be used as unique global reference for Godlua in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Gomir

Internal MISP references

UUID 6fb012ce-c822-471c-9c15-4c7ecfb55528 which can be used as unique global reference for Gomir in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GOSH

Internal MISP references

UUID 931f57f9-1edd-47b8-bf80-ae7190434558 which can be used as unique global reference for GOSH in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GoTitan

GoTitan is a DDoS bot under development, which supports ten different methods of launching distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.

Internal MISP references

UUID 92007a5e-d408-4c95-b4c2-7b4e4e29559e which can be used as unique global reference for GoTitan in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GreedyAntd

Internal MISP references

UUID 6aee7daf-9f63-4a70-bfe5-9c95cbdcb1e3 which can be used as unique global reference for GreedyAntd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Gwisin (ELF)

Internal MISP references

UUID c02d252d-95cc-45bc-adb6-bae51b16c55b which can be used as unique global reference for Gwisin (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HabitsRAT (ELF)

Internal MISP references

UUID e87e7f26-f2a1-437f-8650-312050e3cd48 which can be used as unique global reference for HabitsRAT (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Hadooken

Internal MISP references

UUID 84e9e1ec-3676-4d64-9134-c48221c03e38 which can be used as unique global reference for Hadooken in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Haiduc

Internal MISP references

UUID dd85732f-cbf8-4f2c-af5c-f51ef7d99b6a which can be used as unique global reference for Haiduc in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Hajime

Internal MISP references

UUID ff8ee85f-4175-4f5a-99e5-0cbc378f1489 which can be used as unique global reference for Hajime in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Hakai

Internal MISP references

UUID 0839c28a-ea11-44d4-93d1-24b246ef6743 which can be used as unique global reference for Hakai in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HandyMannyPot

Internal MISP references

UUID 0b323b91-ad57-4127-99d1-6a2485be70df which can be used as unique global reference for HandyMannyPot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Hand of Thief

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hand of Thief.

Known Synonyms
Hanthie
Internal MISP references

UUID db3e17f0-677b-4bdb-bc26-25e62a74673d which can be used as unique global reference for Hand of Thief in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HeadCrab

Internal MISP references

UUID 7bb684d8-ad5c-4d01-91eb-2c600dbcda2a which can be used as unique global reference for HeadCrab in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HellDown

Ransomware.

Internal MISP references

UUID 6dd0e6e4-536b-4271-a948-39282ff48940 which can be used as unique global reference for HellDown in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HelloBot (ELF)

Internal MISP references

UUID b9fec670-2b1e-4287-ac93-68360d5adcf4 which can be used as unique global reference for HelloBot (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HelloKitty (ELF)

Linux version of the HelloKitty ransomware.

Internal MISP references

UUID 785cadf7-5c99-40bc-b718-8a98d9aa90b7 which can be used as unique global reference for HelloKitty (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HiatusRAT

Lumen discovered this malware used in a campaign targeting business-grade routers, using a RAT they call HiatusRAT together with a variant of tcpdump for traffic interception.

Internal MISP references

UUID 69dcee87-dc61-48d4-a6af-177396bdb850 which can be used as unique global reference for HiatusRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HiddenWasp

HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.

Internal MISP references

UUID ae00d48d-c515-4ca9-a29c-8c53a78f8c73 which can be used as unique global reference for HiddenWasp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Hide and Seek

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hide and Seek.

Known Synonyms
HNS
Internal MISP references

UUID 41bf8f3e-bb6a-445d-bb74-d08aae61a94b which can be used as unique global reference for Hide and Seek in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HinataBot

HinataBot is a Go-based DDoS-focused botnet. It was observed in the first quarter of 2023 targeting HTTP and SSH endpoints leveraging old vulnerabilities and weak credentials. Amongst those infection vectors are exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers.

Internal MISP references

UUID b10fc382-b740-417a-98fa-e23d10223958 which can be used as unique global reference for HinataBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Hipid

Internal MISP references

UUID d55eb2f1-e24d-4b50-9839-2e53b5059bae which can be used as unique global reference for Hipid in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Hive (ELF)

Internal MISP references

UUID c22452c8-c818-4577-9737-0b87342c7913 which can be used as unique global reference for Hive (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Horse Shell

Check Point Research describes this as a custom MIPS32 ELF implant that is part of a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:

* Remote shell: Execution of arbitrary shell commands on the infected router
* File transfer: Upload and download files to and from the infected router.
* SOCKS tunneling: Relay communication between different clients.

Internal MISP references

UUID 9d04d96a-92fd-4731-a3b5-a3fdafd3e523 which can be used as unique global reference for Horse Shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Hubnr

Internal MISP references

UUID c55389b0-e778-4cf9-9030-3d1efc1224c9 which can be used as unique global reference for Hubnr in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HyperSSL (ELF)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HyperSSL (ELF).

Known Synonyms
SysUpdate
Internal MISP references

UUID 263aaef5-9758-49f1-aff1-9a509f545bb3 which can be used as unique global reference for HyperSSL (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

iceFire

Internal MISP references

UUID c03b2f7f-31ed-4133-b947-4b8846d90f19 which can be used as unique global reference for iceFire in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Icnanker

Internal MISP references

UUID cd9f128b-6502-4e1b-a5b3-25f3c7f01ca3 which can be used as unique global reference for Icnanker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

INC

Internal MISP references

UUID fa3f90a3-40e3-4636-90f9-3e02bf645afd which can be used as unique global reference for INC in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

IoT Reaper

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IoT Reaper.

Known Synonyms
IoTroop
Reaper
iotreaper
Internal MISP references

UUID 37c357a1-ec09-449f-b5a9-c1ef1fba2de2 which can be used as unique global reference for IoT Reaper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

IPStorm (ELF)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IPStorm (ELF).

Known Synonyms
InterPlanetary Storm
Internal MISP references

UUID a24f9c4b-1fa7-4da2-9929-064345389e67 which can be used as unique global reference for IPStorm (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

IZ1H9

According to Fortinet, this is a Mirai-based DDoS botnet.

Internal MISP references

UUID 6e98a149-9ce2-4750-9680-69f3ced5f33e which can be used as unique global reference for IZ1H9 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

JenX

Internal MISP references

UUID 6a4365fc-8448-4270-ba93-0341788d004b which can be used as unique global reference for JenX in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Kaden

Kaden is a DDoS botnet that is heavily based on Bashlite/Gafgyt. Next to its DDoS capabilities it contains wiper functionality, which currently cannot be triggered (yet).

Internal MISP references

UUID eebd19b4-6671-4b17-be6a-cc467e5869a5 which can be used as unique global reference for Kaden in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Kaiji

Kaiji surfaced in late April 2020; Intezer describes it as a DDoS malware written in Go that spreads through SSH brute-force attacks. Recovered function names are an English representation of Chinese words, hinting at its origin. The name Kaiji was given by MalwareMustDie based on strings found in samples.

Internal MISP references

UUID 33fe7943-c1b3-48d5-b287-126390b091f0 which can be used as unique global reference for Kaiji in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Kaiten

According to netenrich, Kaiten is a Trojan horse that opens a back door on the compromised computer, which allows it to perform other malicious activities. The trojan does not create any copies of itself. This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kaiten.

Known Synonyms
STD
Internal MISP references

UUID 9b618703-58f6-4f0b-83a4-d4f13e2e5d12 which can be used as unique global reference for Kaiten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

kerberods

Internal MISP references

UUID e3787d95-2595-449e-8cf9-90845a9b7444 which can be used as unique global reference for kerberods in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

KEYPLUG

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KEYPLUG.

Known Synonyms
ELFSHELF
Internal MISP references

UUID 2c4bfc14-3ea4-4ced-806a-fcac30b2a9d7 which can be used as unique global reference for KEYPLUG in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

kfos

Internal MISP references

UUID 5e353bc2-4d32-409b-aeb6-c7df32607c56 which can be used as unique global reference for kfos in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Kinsing

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kinsing.

Known Synonyms
h2miner
Internal MISP references

UUID ef0e3a56-e614-4dc1-bb20-0dcf7215c1ea which can be used as unique global reference for Kinsing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

KIVARS (ELF)

Internal MISP references

UUID e8b24118-4ce8-471b-8683-1077a0f5f2a9 which can be used as unique global reference for KIVARS (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Kobalos

Internal MISP references

UUID 201d54ae-7fb0-4522-888c-758fa9019737 which can be used as unique global reference for Kobalos in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Krasue RAT

Internal MISP references

UUID b111325d-dd90-47cc-8777-fcb7e610a76e which can be used as unique global reference for Krasue RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

KrustyLoader

ELF x64 Rust downloader first discovered on Ivanti Connect Secure VPN after the exploitation of CVE-2024-21887 and CVE-2023-46805. Downloads Sliver backdoor and deletes itself.

Internal MISP references

UUID 1a5d8c38-42fa-4405-83fc-4e07b4407205 which can be used as unique global reference for KrustyLoader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

KTLVdoor (ELF)

According to Trend Micro, KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning.

Internal MISP references

UUID 3ee0b08d-b872-4eda-8f8f-6d2f37b053ae which can be used as unique global reference for KTLVdoor (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Kuiper (ELF)

Internal MISP references

UUID 30ad3f49-bffd-4383-88b3-067ccfac7038 which can be used as unique global reference for Kuiper (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Lady

Internal MISP references

UUID f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d which can be used as unique global reference for Lady in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

LeetHozer

Internal MISP references

UUID e9f2857a-cb91-4715-ac8b-fdc89bc9a03e which can be used as unique global reference for LeetHozer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Lightning Framework

Internal MISP references

UUID 927bc8fc-fef4-4331-877d-18bcd33bdf9c which can be used as unique global reference for Lightning Framework in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

LiLock

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LiLock.

Known Synonyms
Lilocked
Lilu
Internal MISP references

UUID 1328ed0d-9c1c-418b-9a96-1c538e4893bc which can be used as unique global reference for LiLock in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

lilyofthevalley

Internal MISP references

UUID f789442f-8f50-4e55-8fbc-b93d22b5314e which can be used as unique global reference for lilyofthevalley in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Linodas

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Linodas.

Known Synonyms
DinodasRAT
XDealer
Internal MISP references

UUID e47295eb-e907-410a-ab16-62ed8652d8bf which can be used as unique global reference for Linodas in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

LiquorBot

BitDefender tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features. Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency.

Internal MISP references

UUID 3fe8f3db-4861-4e78-8b60-a794fe22ae3f which can be used as unique global reference for LiquorBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

LockBit (ELF)

Internal MISP references

UUID afce6aba-d4c4-49fa-b9a9-1a70e92e5a0e which can be used as unique global reference for LockBit (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Loerbas

Loader and Cleaner components used in attacks against high-performance computing centers in Europe.

Internal MISP references

UUID 6332d57c-c46f-4907-8dac-965b15ffbed6 which can be used as unique global reference for Loerbas in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Log Collector

Internal MISP references

UUID 0473214a-2daa-4b5b-84bc-1bcbab11ef80 which can be used as unique global reference for Log Collector in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Lootwodniw

Internal MISP references

UUID cfcf8608-03e7-4a5b-a46c-af342db2d540 which can be used as unique global reference for Lootwodniw in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Luna

ESXi encrypting ransomware written in Rust.

Internal MISP references

UUID bc9022d6-ee65-463f-9823-bc0f96963a75 which can be used as unique global reference for Luna in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Manjusaka (ELF)

Cisco Talos compared this RAT to Cobalt Strike and Sliver. Written in Rust.

Internal MISP references

UUID cd3a3a96-af66-4470-8115-b8bf3eef005a which can be used as unique global reference for Manjusaka (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Masuta

Masuta takes advantage of the EDB 38722 D-Link exploit.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Masuta.

Known Synonyms
PureMasuta
Internal MISP references

UUID b9168ff8-01df-4cd0-9f70-fe9e7a11eccd which can be used as unique global reference for Masuta in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Matryosh

Internal MISP references

UUID 4e989704-c49f-468c-95e1-1b7c5a58b3c4 which can be used as unique global reference for Matryosh in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Melofee

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Melofee.

Known Synonyms
Mélofée
Internal MISP references

UUID 1ffd85bd-389c-4e04-88fd-8186423c3691 which can be used as unique global reference for Melofee in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MESSAGETAP

MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. It is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.

Internal MISP references

UUID a07d6748-3557-41ac-b55b-f4348dc2a3c7 which can be used as unique global reference for MESSAGETAP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Midrashim

An x64 ELF file infector with a non-destructive payload.

Internal MISP references

UUID fe220358-7118-4feb-b43e-cbdaf2ea09dc which can be used as unique global reference for Midrashim in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MiKey

Internal MISP references

UUID aae3b83d-a116-4ebc-aae0-f6327ef174ea which can be used as unique global reference for MiKey in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Mirai (ELF)

Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mirai (ELF).

Known Synonyms
Katana
Internal MISP references

UUID 17e12216-a303-4a00-8283-d3fe92d0934c which can be used as unique global reference for Mirai (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Mokes (ELF)

Internal MISP references

UUID 6d5a5357-4126-4950-b8c3-ee78b1172217 which can be used as unique global reference for Mokes (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Momentum

Internal MISP references

UUID aaf8ce1b-3117-47c6-b756-809538ac8ff2 which can be used as unique global reference for Momentum in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Monti

A ransomware, derived from the leaked Conti source code.

Internal MISP references

UUID 7df77b77-00dd-4eba-a697-b9a7be262acc which can be used as unique global reference for Monti in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MooBot

Internal MISP references

UUID cd8deffe-eb0b-4451-8a13-11f6d291064a which can be used as unique global reference for MooBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Moose

Internal MISP references

UUID 7fdb91ea-52dc-499c-81f9-3dd824e2caa0 which can be used as unique global reference for Moose in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Mozi

Mozi is an IoT botnet that makes use of P2P for communication and reuses source code from other well-known malware families, including Gafgyt, Mirai, and IoT Reaper.

Internal MISP references

UUID 236ba358-4c70-434c-a7ac-7a31e76c398a which can be used as unique global reference for Mozi in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MrBlack

MrBlack, first identified in May 2014 by Russian security firm Dr. Web, is a botnet that targets Linux OS and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, especially in Thailand and Brazil.

MrBlack scans for and infects routers that have not had their default login credentials changed and that allow remote access to HTTP and SSH via port 80 and port 22, respectively. One of the most impacted router brands is Ubiquiti, a U.S.-based firm that provides bulk network hub solutions for internet service providers to lease to their customers. Once a vulnerable router is compromised and MrBlack is injected into the system, a remote server is contacted and system information from the device is transmitted. This allows the host server to receive commands in order to perform different types of DDoS attacks, download and execute files, and terminate processes.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MrBlack.

Known Synonyms
AESDDoS
Dofloo
Internal MISP references

UUID fc047e32-9cf2-4a92-861a-be882efd8a50 which can be used as unique global reference for MrBlack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Mumblehard

Internal MISP references

UUID 5f78127b-25d3-4f86-8a64-f9549b2db752 which can be used as unique global reference for Mumblehard in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Nextcry

Ransomware used against Linux servers.

Internal MISP references

UUID 7ec8a41f-c72e-4832-a5a4-9d7380cea083 which can be used as unique global reference for Nextcry in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Ngioweb (ELF)

Internal MISP references

UUID a4ad242c-6fd0-4b1d-8d97-8f48150bf242 which can be used as unique global reference for Ngioweb (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Nimbo-C2 (ELF)

According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It's written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).

Internal MISP references

UUID 5dbdf2ea-a15b-4ad6-bf7a-a030998c66b4 which can be used as unique global reference for Nimbo-C2 (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

NiuB

Golang-based RAT that offers execution of shell commands and download+run capability.

Internal MISP references

UUID 7c516b66-f4a4-406a-bf35-d898ac8bffec which can be used as unique global reference for NiuB in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

NoaBot

Internal MISP references

UUID b5ee45a0-d75b-40e7-b737-3cfa1cc8246c which can be used as unique global reference for NoaBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Nood RAT

Internal MISP references

UUID 59ac87c0-f2ce-4e83-83bd-299e123b72a7 which can be used as unique global reference for Nood RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Nosedive

According to Black Lotus Labs, Nosedive is a custom variation of the Mirai implant that is supported on all major SOHO and IoT architectures (e.g. MIPS, ARM, SuperH, PowerPC, etc.). Nosedive implants are typically deployed from Tier 2 payload servers in the Raptor Train infrastructure through a unique URL encoding scheme and domain injection method. Nosedive droppers use this method to request payloads for specific C2s by encoding the requested C2 domain and joining it with a unique "key" that identifies the bot and the target architecture of the compromised device (e.g. MIPS, ARM, etc.), which is then injected into the Nosedive implant payload that is deployed to the Tier 1 node. Once deployed, Nosedive runs in-memory only and allows the operators to execute commands, upload and download files, and run DDoS attacks on compromised devices.

The malware and its associated droppers are memory-resident only and deleted from disk. This, in addition to anti-forensics techniques employed on these devices including the obfuscation of running process names, compromising devices through a multi-stage infection chain, and killing remote management processes, makes detection and forensics much more difficult.

Internal MISP references

UUID 13840bb0-494d-403e-a37d-65cf144d71e9 which can be used as unique global reference for Nosedive in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

NOTROBIN

FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NOTROBIN.

Known Synonyms
remove_bds
Internal MISP references

UUID aaeb76b3-3885-4dc6-9501-4504fed9f20b which can be used as unique global reference for NOTROBIN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

OrBit

According to Stormshield, OrBit is a two-stage malware that appeared in July 2022 and was discovered by Intezer lab. Acting as a stealer and backdoor on 64-bit Linux systems, it consists of an executable acting as a dropper and a dynamic library.

Internal MISP references

UUID ae9d84f2-60e5-4a33-98f4-a0061938ec6d which can be used as unique global reference for OrBit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Owari

Mirai variant by actor "Anarchy" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.

Internal MISP references

UUID ec67f206-6464-48cf-a012-3cdfc1278488 which can be used as unique global reference for Owari in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

p0sT5n1F3r

According to Yarix digital security, this is malware that allows sniffing of HTTPS traffic, implemented as an Apache module.

Internal MISP references

UUID cc48c6ae-d274-4ad0-b013-bd75041a20c8 which can be used as unique global reference for p0sT5n1F3r in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

P2Pinfect

P2Pinfect is a fast-growing multi-platform botnet whose purpose is still unknown. Written in Rust, it is compatible with Windows and Linux, including a MIPS variant for Linux-based routers and IoT devices. It is capable of brute-forcing SSH logins and exploiting Redis servers in order to propagate itself both to random IPs on the internet and to hosts it can find references to in files present on the infected system.

Internal MISP references

UUID 31a32308-7034-4419-b1f3-56a4d64b4358 which can be used as unique global reference for P2Pinfect in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

pbot

P2P botnet derived from the Mirai source code.

Internal MISP references

UUID 7aff049d-9326-466d-bbcc-d62da673b32c which can be used as unique global reference for pbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Penquin Turla

Internal MISP references

UUID 262e0cf2-2fed-4d37-8d7a-0fd62c712840 which can be used as unique global reference for Penquin Turla in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

perfctl

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular perfctl.

Known Synonyms
perfcc
Internal MISP references

UUID 5a4408f2-6ee3-4c82-9ee2-a1b4290666be which can be used as unique global reference for perfctl in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PerlBot

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PerlBot.

Known Synonyms
DDoS Perl IrcBot
ShellBot
Internal MISP references

UUID 24b77c9b-7e7e-4192-8161-b6727728170f which can be used as unique global reference for PerlBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Persirai

Internal MISP references

UUID 2ee05352-3d4a-448b-825d-9d6c10792bf7 which can be used as unique global reference for Persirai in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PG_MEM

Internal MISP references

UUID 74ffa404-9082-4db9-ac19-18a875db9fe7 which can be used as unique global reference for PG_MEM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PigmyGoat

Internal MISP references

UUID fcdcdc68-4c82-4d3d-aef1-96eac0a62761 which can be used as unique global reference for PigmyGoat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PingPull

Internal MISP references

UUID 65a7944c-15d9-4ca5-8561-7c97b18684c8 which can be used as unique global reference for PingPull in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Pink

A botnet with P2P and centralized C&C capabilities.

Internal MISP references

UUID 67063764-a47c-4058-9cb2-1685ffa14fe8 which can be used as unique global reference for Pink in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PLEAD (ELF)

Internal MISP references

UUID de3c14aa-f9f4-4071-8e6e-a2c16a3394ad which can be used as unique global reference for PLEAD (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Poseidon (ELF)

Part of Mythic C2, written in Golang.

Internal MISP references

UUID ad796632-2595-4ae5-a563-b92197210d61 which can be used as unique global reference for Poseidon (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PRISM

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PRISM.

Known Synonyms
waterdrop
Internal MISP references

UUID 9a4a866b-84a9-4778-8de8-2780a27c0597 which can be used as unique global reference for PRISM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PrivetSanya

Black Lotus Labs identified malware for the Windows Subsystem for Linux (WSL). Mostly written in Python but compiled as Linux ELF files.

Internal MISP references

UUID 41e5aafb-5847-421e-813d-627414ee31bb which can be used as unique global reference for PrivetSanya in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Prometei (ELF)

Internal MISP references

UUID b6899bda-54e9-4953-8af5-22af39776b69 which can be used as unique global reference for Prometei (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Pro-Ocean

Unit 42 describes this as a malware used by Rocke Group that deploys an XMRig miner.

Internal MISP references

UUID aa918c10-e5c7-4abd-b8c0-3c938a6675f5 which can be used as unique global reference for Pro-Ocean in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

pupy (ELF)

Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in Python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure Python, PowerShell and APK. Most of the loaders bundle an embedded Python runtime, Python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a Python runtime environment mostly in-memory for the later stages of Pupy to run in. Pupy can communicate using various transports, migrate into processes, and load remote Python code, Python packages and Python C-extensions from memory.

Internal MISP references

UUID 92a1288f-cc4d-47ca-8399-25fe5a39cf2d which can be used as unique global reference for pupy (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Qilin

Internal MISP references

UUID d97af6c5-640f-46b4-943c-0e8940f8011e which can be used as unique global reference for Qilin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

QNAPCrypt

The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:

  1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.

  2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.

  3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QNAPCrypt.

Known Synonyms
eCh0raix
Internal MISP references

UUID a0b12e5f-0257-41f1-beda-001ad944c4ca which can be used as unique global reference for QNAPCrypt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

QSnatch

The malware infects QNAP NAS devices, persists via various mechanisms, and resists cleaning by preventing firmware updates and interfering with QNAP MalwareRemover. The malware steals passwords and hashes.

Internal MISP references

UUID 48389957-30e2-4747-b4c6-8b8a9f15250f which can be used as unique global reference for QSnatch in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

QUIETEXIT

Mandiant observed this backdoor being used by UNC3524. It is based on the open-source Dropbear SSH source code.

Internal MISP references

UUID 6a5ab9ca-944c-4187-bdef-308516745d18 which can be used as unique global reference for QUIETEXIT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

r2r2

Internal MISP references

UUID 759f8590-a049-4c14-be8a-e6605e2cd43d which can be used as unique global reference for r2r2 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RagnarLocker (ELF)

Internal MISP references

UUID 5f96787e-fc9f-486b-a15f-f46c8179a4d5 which can be used as unique global reference for RagnarLocker (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Rakos

Internal MISP references

UUID 4592384c-48a7-4e16-b492-7add50a7d2f5 which can be used as unique global reference for Rakos in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RansomEXX (ELF)

According to SentinelOne, RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this malware family, and they are known for their limited and exclusive targeting.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RansomEXX (ELF).

Known Synonyms
Defray777
Internal MISP references

UUID 946814a1-957c-48ce-9068-fdef24a025bf which can be used as unique global reference for RansomEXX (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RansomExx2

According to IBM Security X-Force, this is a new but functionally very similar version of RansomExx, fully rewritten in Rust and internally referred to as RansomExx2.

Internal MISP references

UUID c6d750d5-fa47-4fcb-9d24-2682036fc6e5 which can be used as unique global reference for RansomExx2 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RapperBot

A Mirai derivative brute-forcing SSH servers.

Internal MISP references

UUID 914c94eb-38e2-4cb8-a62b-21fbe9c48496 which can be used as unique global reference for RapperBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RaspberryPiBotnet

Internal MISP references

UUID 8dee025b-2233-4cd8-af02-fcdcd40b378f which can be used as unique global reference for RaspberryPiBotnet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

rat_hodin

Internal MISP references

UUID 6aacf515-de49-4afc-a135-727c9beaab0b which can be used as unique global reference for rat_hodin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

rbs_srv

Internal MISP references

UUID a08d9f8b-2cc5-48c2-8cce-ee713bcdc4b7 which can be used as unique global reference for rbs_srv in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RedTail

RedTail is a cryptomining malware, which is based on the open-source XMRig mining software. It is being spread via known vulnerabilities such as:

  - CVE-2024-3400
  - CVE-2023-46805
  - CVE-2024-21887
  - CVE-2023-1389
  - CVE-2022-22954
  - CVE-2018-20062

Internal MISP references

UUID ba89a509-ff8e-446b-867c-7f15efe0477f which can be used as unique global reference for RedTail in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RedXOR

RedXOR is a sophisticated backdoor targeting Linux systems, disguised as a polkit daemon and utilizing network data encoding based on XOR. Believed to be developed by Chinese nation-state actors, this malware shows similarities to other malware associated with the Winnti umbrella threat group.

RedXOR uses various techniques such as open-source LKM rootkits, Python pty shell, and network data encoding with XOR. It also employs persistence methods and communication with a Command and Control server over HTTP.

The malware can execute various commands including system information collection, updates, shell commands, and network tunneling.

Internal MISP references

UUID 421b2ec7-d4e6-4fc8-9bd3-55fe26337aae which can be used as unique global reference for RedXOR in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RedAlert Ransomware

Ransomware that targets Linux VMware ESXi servers. Encryption procedure uses the NTRUEncrypt public-key encryption algorithm.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedAlert Ransomware.

Known Synonyms
N13V
Internal MISP references

UUID 12137c8d-d3f4-44fe-b25e-2fb5f90cecce which can be used as unique global reference for RedAlert Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Rekoobe

A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86 and x86-64 computers. The Trojan's configuration data is stored in a file encrypted with an XOR algorithm.

Internal MISP references

UUID 48b9a9fd-4c1a-428a-acc0-40b1a3fa7590 which can be used as unique global reference for Rekoobe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

reptile

Internal MISP references

UUID 934478a1-1243-4c26-8360-be3d01ae193e which can be used as unique global reference for reptile in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

REvil (ELF)

ELF version of win.revil targeting VMware ESXi hypervisors.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular REvil (ELF).

Known Synonyms
REvix
Internal MISP references

UUID d9d76456-01a3-4dcd-afc2-87529e00c1ba which can be used as unique global reference for REvil (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Rex

Internal MISP references

UUID 49639ff5-e0be-4b6a-850b-d5d8dd37e62b which can be used as unique global reference for Rex in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RHOMBUS

Internal MISP references

UUID af886910-9a0b-478e-b53d-54c8a103acb4 which can be used as unique global reference for RHOMBUS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Rhysida (ELF)

Internal MISP references

UUID 1dbd7cbb-960d-4ef4-9520-1748fb7cd4c6 which can be used as unique global reference for Rhysida (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Roboto

P2P botnet discovered by Netlab360. The botnet infects Linux servers via the Webmin RCE vulnerability (CVE-2019-15107), which allows attackers to run malicious code with root privileges and take over older Webmin versions. Based on the Netlab360 analysis, the botnet serves mainly 7 functions: reverse shell, self-uninstall, gather process network information, gather bot information, execute system commands, run encrypted files specified in URLs, and four DDoS attack methods: ICMP Flood, HTTP Flood, TCP Flood, and UDP Flood.

Internal MISP references

UUID e18bf514-b978-4bef-b4d9-834a5100fced which can be used as unique global reference for Roboto in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RotaJakiro

RotaJakiro is a stealthy Linux backdoor which remained undetected between 2018 and 2021. The malware uses rotating encryption to encrypt the resource information within the sample, and C2 communication, using a combination of AES, XOR, ROTATE encryption and ZLIB compression.

Internal MISP references

UUID 66fb7b48-60f2-44fc-9cbe-f70e776d058b which can be used as unique global reference for RotaJakiro in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Royal Ransom (ELF)

According to Trend Micro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of Conti Team One.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Royal Ransom (ELF).

Known Synonyms
Royal
Royal_unix
Internal MISP references

UUID 4e29dae1-5a8c-4b3c-81dc-dcc0fdd3c93a which can be used as unique global reference for Royal Ransom (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Rshell

Internal MISP references

UUID 4947e9d3-aa13-4359-ac43-c1c436c409c9 which can be used as unique global reference for Rshell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RudeDevil

Internal MISP references

UUID 923ee959-4ea5-46c5-8926-84e41ca77ca4 which can be used as unique global reference for RudeDevil in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SALTWATER

According to Mandiant, SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabilities. The backdoor is implemented using hooks on the send, recv, close syscalls via the 3rd party kubo/funchook hooking library, and amounts to five components, most of which are referred to as "Channels" within the binary. In addition to providing backdoor and proxying capabilities, these components exhibit classic backdoor functionality.

Internal MISP references

UUID d55ea436-b2c1-400c-99dc-6e35bc05438b which can be used as unique global reference for SALTWATER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Satori

Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploits to exhibit worm-like behaviour, spreading over ports 37215 and 52869 (CVE-2014-8361).

Internal MISP references

UUID 9e5d83a8-1181-43fe-a77f-28c8c75ffbd0 which can be used as unique global reference for Satori in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SBIDIOT

Internal MISP references

UUID b4c20cf4-8e94-4523-8d48-7781aab6785d which can be used as unique global reference for SBIDIOT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SEASPY

According to CISA, this malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. The malware is designed to listen for commands received from the Threat Actor's Command-and-Control through TCP packets. When executed, the malware uses a libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks the captured network packet for a hard-coded string. When the right sequence of packets is captured, it establishes a TCP reverse shell to the C2 server for further exploitation. This allows the TA to execute arbitrary commands on the compromised system. The malware is based on an open-source backdoor program named "cd00r".

Internal MISP references

UUID a6699c42-69d8-4bdd-8dd9-72f4c80efefa which can be used as unique global reference for SEASPY in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

sedexp

Internal MISP references

UUID 4e71e8ab-a34a-494f-814d-cc983a2de463 which can be used as unique global reference for sedexp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ShellBind

Internal MISP references

UUID b51caf06-736e-46fc-9b13-48b0b81df4b7 which can be used as unique global reference for ShellBind in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Shishiga

Internal MISP references

UUID 51da734c-70dd-4337-ab08-ab61457e0da5 which can be used as unique global reference for Shishiga in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SideWalk (ELF)

Internal MISP references

UUID ec994efc-a8a4-4e92-ada2-e37d421baf01 which can be used as unique global reference for SideWalk (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Silex

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silex.

Known Synonyms
silexbot
Internal MISP references

UUID bf059cb4-f73a-4181-bf71-d8da7bf50dd8 which can be used as unique global reference for Silex in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SimpleTea (ELF)

SimpleTea for Linux is an HTTP(S) RAT.

It was discovered in Q1 2023 as an instance of the Lazarus group's Operation DreamJob campaign for Linux. It was a payload downloaded in an execution chain which started with an HSBC-themed job offer lure. It shared the same C&C server as payloads from the 3CX incident around the same time.

It’s an object-oriented project, which does not run on Linux distributions without a graphical user interface, and decrypts its configuration from /home/%user%/.config/apdl.cf using 0x7E as the XOR key. It uses AES-GCM for encryption and decryption of its network traffic.

It supports basic commands that include operations on the victim's filesystem, manipulation of its configuration, file exfiltration (via ZIP archives), and the download and execution of additional tools from the attacker's arsenal. The commands are indexed by 16-bit integers, starting with the value 0x27C3.

SimpleTea for Linux seems like an updated version of BadCall for Linux, rewritten from C to C++, as there are similarities in class names and function names between the two.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SimpleTea (ELF).

Known Synonyms
PondRAT
SimplexTea
Internal MISP references

UUID e8695701-8055-4b98-bcb6-e4bb7e0a3346 which can be used as unique global reference for SimpleTea (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SLAPSTICK

According to FireEye, SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.

Internal MISP references

UUID fb3e0a1d-3a98-4cbd-ad7f-4bbb4b9a8351 which can be used as unique global reference for SLAPSTICK in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SnappyTCP

According to PwC, SnappyTCP is a simple reverse shell for Linux/Unix systems, with variants for plaintext and TLS communication. SeaTurtle has used SnappyTCP at least between 2021 and 2023.

Internal MISP references

UUID 72e045be-eba2-4571-9c6e-7d35add3d2f8 which can be used as unique global reference for SnappyTCP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SoWaT

This is an implant used by APT31 on home routers to utilize them as ORBs.

Internal MISP references

UUID c2866996-d622-4ee2-b548-a6598836e5ae which can be used as unique global reference for SoWaT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Spamtorte

Internal MISP references

UUID 7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0 which can be used as unique global reference for Spamtorte in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SpeakUp

Internal MISP references

UUID 3ccd3143-c34d-4680-94b9-2cc4fa4f86fa which can be used as unique global reference for SpeakUp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Specter

Internal MISP references

UUID b9ed5797-b591-4ca9-ba77-ce86308e333a which can be used as unique global reference for Specter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SpectralBlur (ELF)

Internal MISP references

UUID a14e7ea4-668c-4990-a1a9-be99722f88f7 which can be used as unique global reference for SpectralBlur (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Speculoos

Internal MISP references

UUID df23ae3a-e10d-4c49-b379-2ea2fd1925af which can be used as unique global reference for Speculoos in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SprySOCKS

Internal MISP references

UUID 3b5c485b-b6a6-4586-a7dc-9e23a3b0aa5a which can be used as unique global reference for SprySOCKS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SSHDoor

Internal MISP references

UUID 275d65b9-0894-4c9b-a255-83daddb2589c which can be used as unique global reference for SSHDoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Stantinko

Internal MISP references

UUID e8c131df-ee3b-41d4-992d-71d3090d2d98 which can be used as unique global reference for Stantinko in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

STEELCORGI

According to FireEye, STEELCORGI is a packer for Linux ELF files that makes use of execution guardrails by sourcing decryption key material from environment variables.

Internal MISP references

UUID 21ff33b5-ef21-4263-8747-7de3d2dbdde6 which can be used as unique global reference for STEELCORGI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Sunless

Internal MISP references

UUID d03fa69b-53a4-4f61-b800-87e4246d2656 which can be used as unique global reference for Sunless in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

sustes miner

Sustes Malware doesn’t infect victims by itself (it’s not a worm) but is spread through exploitation and brute-force activity, with a special focus on IoT devices and Linux servers. The initial infection stage comes from a custom wget directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software.

Internal MISP references

UUID 5c117b01-826b-4656-b6ca-8b18b6e6159f which can be used as unique global reference for sustes miner in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Suterusu

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Suterusu.

Known Synonyms
HCRootkit
Internal MISP references

UUID d2748a0c-8739-4006-95c4-bdf6350d7fa9 which can be used as unique global reference for Suterusu in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Sword2033

Internal MISP references

UUID 9c1a32c7-45b4-4d3a-9d15-300b353f32a7 which can be used as unique global reference for Sword2033 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Symbiote

A malware capable of capturing credentials and enabling backdoor access, implemented as a userland rootkit. It uses three methods for hiding its network activity, by hooking and hijacking 1) fopen/fopen64, 2) eBPF, 3) a set of libpcap functions.

Internal MISP references

UUID 4339d876-768c-4cdf-941f-3f55a08aafca which can be used as unique global reference for Symbiote in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SysJoker (ELF)

Internal MISP references

UUID c4b681ec-f5b5-433a-9314-07e06f739ba2 which can be used as unique global reference for SysJoker (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Sysrv-hello (ELF)

Cryptojacking botnet

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sysrv-hello (ELF).

Known Synonyms
Sysrv
Internal MISP references

UUID d471083a-c8e1-4d9b-907e-685c9a75c1f9 which can be used as unique global reference for Sysrv-hello (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TeamTNT

Since Fall 2019, TeamTNT has been a well-known threat actor which targets *nix-based systems and misconfigured Docker container environments. It has constantly evolved its capabilities for its cloud-based cryptojacking operations and has shifted its focus to compromising Kubernetes clusters.

Internal MISP references

UUID 24695f84-d3af-477e-92dd-c05c9536ebf5 which can be used as unique global reference for TeamTNT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TheMoon

Internal MISP references

UUID ed098719-797b-4cb3-a73c-65b6d08ebdfa which can be used as unique global reference for TheMoon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TNTbotinger

Internal MISP references

UUID 00319b53-e31c-4623-a3ac-9a18bc52bf36 which can be used as unique global reference for TNTbotinger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Torii

Internal MISP references

UUID a874575e-0ad7-464d-abb6-8f4b7964aa92 which can be used as unique global reference for Torii in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TripleCross

According to its author, TripleCross is a Linux eBPF rootkit that demonstrates the offensive capabilities of the eBPF technology.

Internal MISP references

UUID a462c60d-a7f9-4a05-aaa1-be415870310e which can be used as unique global reference for TripleCross in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Trump Bot

Internal MISP references

UUID feb6a5f6-32f9-447d-af9c-08e499457883 which can be used as unique global reference for Trump Bot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TSCookie

Internal MISP references

UUID 592f7cc6-1e07-4d83-8082-aef027e9f1e2 which can be used as unique global reference for TSCookie in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

tsh

Internal MISP references

UUID 95a07de2-0e17-48a7-b935-0c1c0c0e39af which can be used as unique global reference for tsh in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Tsunami (ELF)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tsunami (ELF).

Known Synonyms
Amnesia
Muhstik
Radiation
Internal MISP references

UUID 21540126-d0bb-42ce-9b93-341fedb94cac which can be used as unique global reference for Tsunami (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Turla RAT

Internal MISP references

UUID 1b62a421-c0db-4425-bcb2-a4925d5d33e0 which can be used as unique global reference for Turla RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Umbreon

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Umbreon.

Known Synonyms
Espeon
Internal MISP references

UUID 637000f7-4363-44e0-b795-9cfb7a3dc460 which can be used as unique global reference for Umbreon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified Linux 001

According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in the Exim MTA: CVE-2019-10149. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, searches the Internet for other machines to infect, and initiates a crypto miner.

Internal MISP references

UUID b5b59d9f-f9e2-4201-a017-f2bae0470808 which can be used as unique global reference for Unidentified Linux 001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified ELF 004

Implant used by APT31 on compromised SOHO infrastructure, tries to camouflage as a tool ("unifi-video") related to Ubiquiti UniFi surveillance cameras.

Internal MISP references

UUID 44a57915-2ec0-476f-9f20-b11082f5b5a4 which can be used as unique global reference for Unidentified ELF 004 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified 005 (Sidecopy)

Internal MISP references

UUID d49402b3-9f2a-4d9a-ae09-b1509da2e8fd which can be used as unique global reference for Unidentified 005 (Sidecopy) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified ELF 006 (Tox Backdoor)

Enables remote execution of scripts on a host, communicates via Tox.

Internal MISP references

UUID 61a36688-0a4f-4899-8b17-ca0d5ff7e800 which can be used as unique global reference for Unidentified ELF 006 (Tox Backdoor) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Hive (Vault 8)

Internal MISP references

UUID 721fa6d1-da73-4dd4-9154-a60ff4607467 which can be used as unique global reference for Hive (Vault 8) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Vermilion Strike (ELF)

Internal MISP references

UUID a4ded098-be7b-4852-adfd-8971ace583f1 which can be used as unique global reference for Vermilion Strike (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

VPNFilter

Internal MISP references

UUID 5ad30da2-2645-4893-acd9-3f8e0fbb5500 which can be used as unique global reference for VPNFilter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WatchBog

According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C addresses are fetched from Pastebin. C&C communication references unique identification keys per victim. It contains a BlueKeep scanner, reporting positively scanned hosts to the C&C server (RC4 encrypted within SSL/TLS). It contains 5 exploits targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3.

Internal MISP references

UUID aa00d8c9-b479-4d05-9887-cd172a11cfc9 which can be used as unique global reference for WatchBog in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WellMail

Internal MISP references

UUID 93ffafbd-a8af-4164-b3ab-9b21e6d09232 which can be used as unique global reference for WellMail in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

elf.wellmess

Internal MISP references

UUID b0046a6e-3b8b-45ad-a357-dabc46aba7de which can be used as unique global reference for elf.wellmess in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WHIRLPOOL

Internal MISP references

UUID be3a5211-45a8-496a-974f-6ef14f44af3d which can be used as unique global reference for WHIRLPOOL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WhiteRabbit

Internal MISP references

UUID 901b88e6-4759-4aa6-b4d1-9f7da53c2adf which can be used as unique global reference for WhiteRabbit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Winnti (ELF)

Internal MISP references

UUID d6c5211e-506d-415c-b886-0ced529399a1 which can be used as unique global reference for Winnti (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Wirenet (ELF)

Internal MISP references

UUID 47a8fedb-fd60-493a-9b7d-082bdb85621e which can be used as unique global reference for Wirenet (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

X-Agent (ELF)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular X-Agent (ELF).

Known Synonyms
chopstick
fysbis
splm
Internal MISP references

UUID a8404a31-968a-47e8-8434-533ceaf84c1f which can be used as unique global reference for X-Agent (ELF) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Xanthe

Internal MISP references

UUID 55b4d75f-adcc-47df-81cf-6c93ccb54a56 which can be used as unique global reference for Xanthe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Xaynnalc

Internal MISP references

UUID 32b95dc7-03a6-45ab-a991-466208dd92d2 which can be used as unique global reference for Xaynnalc in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Xbash

Internal MISP references

UUID ee54fc1e-c574-4836-8cdb-992ac38cef32 which can be used as unique global reference for Xbash in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

xdr33

According to 360 netlab, this backdoor was derived from the leaked CIA Hive project. It propagates via a vulnerability in F5 and communicates using SSL with a forged Kaspersky certificate.

Internal MISP references

UUID c7b1cc91-7464-436e-ac40-3b06c98400a5 which can be used as unique global reference for xdr33 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

XOR DDoS

Linux DDoS C&C Malware

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XOR DDoS.

Known Synonyms
XORDDOS
Internal MISP references

UUID 7f9df618-4bd1-44a1-ad88-e5930373aac4 which can be used as unique global reference for XOR DDoS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Zergeca

Zergeca is a DDoS botnet and backdoor written in Golang. It uses a modified UPX for packing, with the magic number 0x30219101 instead of "UPX!". It is distributed via weak telnet passwords and known vulnerabilities.

Internal MISP references

UUID a660eeda-910a-4df5-86ba-f17d8ac93c31 which can be used as unique global reference for Zergeca in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ZeroBot

ZeroBot is a Go-based botnet that spreads primarily through IoT and web application vulnerabilities. It is offered as malware as a service (MaaS), and its infrastructure overlaps with DDoS-for-hire services seized by the FBI in December 2022.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZeroBot.

Known Synonyms
ZeroStresser
Internal MISP references

UUID 458c583b-4353-4104-bee8-9e68cb77f151 which can be used as unique global reference for ZeroBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ZHtrap

Internal MISP references

UUID d070ff73-ad14-4f6b-951f-1645009bdf80 which can be used as unique global reference for ZHtrap in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Zollard

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zollard.

Known Synonyms
darlloz
Internal MISP references

UUID 9218630d-0425-4b18-802c-447a9322990d which can be used as unique global reference for Zollard in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ZuoRAT

According to Black Lotus Labs, ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).

Internal MISP references

UUID c4b0a7cd-b349-44a1-94ca-3d5a4ac288b2 which can be used as unique global reference for ZuoRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AutoCAD Downloader

Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AutoCAD Downloader.

Known Synonyms
Acad.Bursted
Duxfas
Internal MISP references

UUID fb22d876-c6b5-4634-a468-5857088d605c which can be used as unique global reference for AutoCAD Downloader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

COOKIESNATCH

According to Google, this is a cookie stealer.

Internal MISP references

UUID 1b2d02d7-aa83-4101-ab10-2767b59c9c75 which can be used as unique global reference for COOKIESNATCH in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DualToy (iOS)

Internal MISP references

UUID f7c1675f-b38a-4511-9ac4-6e475b3815e6 which can be used as unique global reference for DualToy (iOS) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GuiInject

Internal MISP references

UUID d9215579-eee0-4e50-9157-dba7c3214769 which can be used as unique global reference for GuiInject in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

lightSpy

Internal MISP references

UUID 8a1b524b-8fc9-4b1d-805d-c0407aff00d7 which can be used as unique global reference for lightSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Phenakite

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Phenakite.

Known Synonyms
Dakkatoni
Internal MISP references

UUID 7ba7488c-b153-4949-8391-bcf6c4b057bd which can be used as unique global reference for Phenakite in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PoisonCarp

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PoisonCarp.

Known Synonyms
INSOMNIA
Internal MISP references

UUID 7982cc15-f884-40ca-8a82-a452b9c340c7 which can be used as unique global reference for PoisonCarp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Postlo

Internal MISP references

UUID 25bff9ad-20dc-4746-a174-e54fcdd8f0c1 which can be used as unique global reference for Postlo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

TriangleDB

Internal MISP references

UUID 25754894-018b-4bed-aab6-c676fac23a77 which can be used as unique global reference for TriangleDB in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

VALIDVICTOR

According to Google, this reconnaissance payload uses a profiling framework drawing canvas to identify the target’s exact iPhone model, a technique used by many other actors. The iPhone model is sent back to the C2 along with screen size, whether or not a touch screen is present, and a unique identifier per initial GET request (e.g., 1lwuzddaxoom5ylli37v90kj). The server replies with either an AES encrypted next stage or 0, indicating that no payload is available for this device. The payload makes another request to the exploit server with gcr=1 as a parameter to get the AES decryption key from the C2.

Internal MISP references

UUID 16c0e484-7d03-46f4-870a-297d5397d693 which can be used as unique global reference for VALIDVICTOR in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WireLurker (iOS)

The iOS malware that is installed over USB by osx.wirelurker.

Internal MISP references

UUID bb340271-023c-4283-9d22-123317824a11 which can be used as unique global reference for WireLurker (iOS) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

X-Agent (iOS)

Internal MISP references

UUID 430b9f30-5e37-49c8-b4e7-21589f120d89 which can be used as unique global reference for X-Agent (iOS) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AdWind

Part of a Malware-as-a-Service platform. Used as a generic name for Java-based RATs.

Functionality:
- collect general system and user information
- terminate processes
- log keystrokes
- take screenshots and access the webcam
- steal cached passwords from local or web forms
- download and execute malware
- modify the registry
- download components
- Denial of Service attacks
- acquire VPN certificates

Initial infection vector:
1. Email with JAR files attached
2. Malspam URL to download the malware

Persistence:
- Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Hiding: uses attrib.exe

Notes on Adwind: the malware is not known to be proxy aware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AdWind.

Known Synonyms
AlienSpy
Frutas
JBifrost
JSocket
Sockrat
UNRECOM
Internal MISP references

UUID 8eb9d4aa-257a-45eb-8c65-95c18500171c which can be used as unique global reference for AdWind in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Adzok

Internal MISP references

UUID 90cb8ee6-52e6-4d8d-8f45-f04b9aec1f6c which can be used as unique global reference for Adzok in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Banload

F-Secure observed Banload variants silently downloading malicious files from a remote server, then installing and executing the files.

Internal MISP references

UUID 30a61fa9-4bd1-427d-9382-ff7c33bd7043 which can be used as unique global reference for Banload in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Blue Banana RAT

Internal MISP references

UUID c51bbc9b-0906-4ac5-8026-d6b8b7b23e71 which can be used as unique global reference for Blue Banana RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CrossRAT

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CrossRAT.

Known Synonyms
Trupto
Internal MISP references

UUID bae3a6c7-9e58-47f2-8749-a194675e1c84 which can be used as unique global reference for CrossRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DynamicRAT

DynamicRAT is a malware that is spread via email attachments and compromises the security of computer systems. Once running on a device, DynamicRAT establishes a persistent presence and gives attackers complete remote control. Its features include sensitive data exfiltration, hardware control, remote action, and the ability to perform DDoS attacks. In addition, DynamicRAT uses evasion and persistence techniques to evade detection and analysis by security solutions.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DynamicRAT.

Known Synonyms
DYNARAT
Internal MISP references

UUID 28539c3d-89a4-4dd6-85f5-f4c95808c0b7 which can be used as unique global reference for DynamicRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

EpicSplit RAT

EpicSplit RAT is a multiplatform Java RAT that is capable of running shell commands, downloading, uploading, and executing files, manipulating the file system, establishing persistence, taking screenshots, and manipulating keyboard and mouse events. EpicSplit is typically obfuscated with the commercial Allatori Obfuscator software. One unique feature of the malware is that TCP messages sent by EpicSplit RAT to its C2 are terminated with the string "packet" as a packet delimiter.

Internal MISP references

UUID 90b304a2-452a-4c74-ae8d-80d9ace881a4 which can be used as unique global reference for EpicSplit RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FEimea RAT

Internal MISP references

UUID 3724d5d0-860d-4d1e-92a1-0a7089ca2bb3 which can be used as unique global reference for FEimea RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

IceRat

According to Karsten Hahn, this malware is actually written in JPHP, but can be treated similarly to .class files produced by Java. IceRat has been observed to carry out information stealing and mining.

Internal MISP references

UUID ac83a481-2ab4-42c2-a8b6-a4aec96e1c4b which can be used as unique global reference for IceRat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

JavaDispCash

JavaDispCash is a piece of malware designed for ATMs. The compromise happens by using the JVM attach API on the ATM's local application, and the goal is to remotely control its operation. The malware's primary feature is the ability to dispense cash. The malware also opens a local port (65413) listening for commands from the attacker, who needs to be located in the same internal network.

Internal MISP references

UUID 71286008-9794-4dcc-a571-164195390c39 which can be used as unique global reference for JavaDispCash in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

JavaLocker

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JavaLocker.

Known Synonyms
JavaEncrypt Ransomware
Internal MISP references

UUID 4bdddf41-8d5e-468d-905d-8c6667a5d47f which can be used as unique global reference for JavaLocker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

jRAT

jRAT, also known as Jacksbot, is a RAT with a long history, written in Java. It has support for macOS, Linux, Windows and various BSDs. It also has functionality to participate in DDoS attacks as well as to perform click fraud. Note that the Adwind family is often mistakenly labeled as jRAT, because of a red herring reference to jrat.io.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular jRAT.

Known Synonyms
Jacksbot
Internal MISP references

UUID f2a9f583-b4dd-4669-8808-49c8bbacc376 which can be used as unique global reference for jRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

jSpy

Internal MISP references

UUID ff24997d-1f17-4f00-b9b8-b3392146540f which can be used as unique global reference for jSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Mineping

DDoS for Minecraft servers.

Internal MISP references

UUID f3f38528-a8bf-496a-af46-7eb60a9ec6c3 which can be used as unique global reference for Mineping in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Octopus Scanner

Internal MISP references

UUID 8ae996fe-50bb-479b-925c-e6b1e51a9b40 which can be used as unique global reference for Octopus Scanner in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Pronsis Loader

According to TrustWave, this is a loader leveraging JPHP, which was observed fetching Latrodectus and Lumma.

Internal MISP references

UUID 80005653-bfbb-4a37-a8bf-87f8dc9e4047 which can be used as unique global reference for Pronsis Loader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Qarallax RAT

According to SpiderLabs, in May 2015 the "company" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).

Internal MISP references

UUID e7852eb9-9de9-43d3-9f7e-3821f3b2bf41 which can be used as unique global reference for Qarallax RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Qealler

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Qealler.

Known Synonyms
Pyrogenic Infostealer
Internal MISP references

UUID d16a3a1f-e244-4715-a67f-61ba30901efb which can be used as unique global reference for Qealler in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

QRat

QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QRat.

Known Synonyms
Quaverse RAT
Internal MISP references

UUID ef385825-bfa1-4e8c-b368-522db78cf1bd which can be used as unique global reference for QRat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Ratty

Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.

Internal MISP references

UUID da032a95-b02a-4af2-b563-69f686653af4 which can be used as unique global reference for Ratty in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Sorillus RAT

Sorillus is a Java-based multifunctional remote access trojan (RAT) which targets Linux, macOS and Windows operating systems. While it was first created in 2019, interest in the tool increased considerably in 2022. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus' features are described in detail on its website (hxxps://sorillus[.]com). The tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, Sorillus can be purchased via a variety of cryptocurrencies. The tool's creator and distributor, a YouTube user known as "Tapt", asserts that the tool is able to collect the following information from its target:
- HardwareID
- Username
- Country
- Language
- Webcam
- Headless
- Operating system
- Client Version

Internal MISP references

UUID 80694785-aeb6-4e05-a3e8-cb972993d769 which can be used as unique global reference for Sorillus RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

STRRAT

STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.

From version 1.2 onwards, STRRAT was infamous for its ransomware-like behavior of appending the file name extension .crimson to files. Version 1.5 is notably more obfuscated and modular than previous versions, but the backdoor functions mostly remain the same: collect browser passwords, run remote commands and PowerShell, log keystrokes, among others. Version 1.5 of STRRAT includes a proper encryption routine, though it is currently fairly simple to reverse.

Internal MISP references

UUID 6d1335d5-8351-4725-ad8a-07cabca4119e which can be used as unique global reference for STRRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SupremeBot

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SupremeBot.

Known Synonyms
BlazeBot
Internal MISP references

UUID 651e37e0-1bf8-4024-ac1e-e7bda42470b0 which can be used as unique global reference for SupremeBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Verblecon

This malware seems to be used for attacks installing cryptocurrency miners on infected machines. Other indicators lead to the assumption that attackers may also use this malware for other purposes (e.g. stealing access tokens for the Discord chat app). Symantec describes this malware as complex and powerful: the malware is loaded as a server-side polymorphic JAR file.

Internal MISP references

UUID 793565b4-666b-47a4-b15b-de9c80c75a51 which can be used as unique global reference for Verblecon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

VersaMem

According to Lumen, a web shell used by Volt Typhoon.

Internal MISP references

UUID eb15c0ec-108e-4082-a0c1-ea41345b7db7 which can be used as unique global reference for VersaMem in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AIRBREAK

AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AIRBREAK.

Known Synonyms
Orz
Internal MISP references

UUID fd419da6-5c0d-461e-96ee-64397efac63b which can be used as unique global reference for AIRBREAK in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Bateleur

Internal MISP references

UUID fb75a753-24ba-4b58-b7ed-2e39b0c68c65 which can be used as unique global reference for Bateleur in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BeaverTail

BeaverTail is a JavaScript malware primarily distributed through NPM packages. It is designed for information theft and to load further stages of malware, specifically a multi-stage Python-based backdoor known as InvisibleFerret. BeaverTail targets cryptocurrency wallets and credit card information stored in the victim's web browsers. Its code is heavily obfuscated to evade detection. Threat actors can either upload malicious NPM packages containing BeaverTail to GitHub or inject BeaverTail code into legitimate NPM projects. Researchers have identified additional Windows and macOS variants, indicating that the BeaverTail malware family is likely still under development.

Internal MISP references

UUID da0fb7ce-d730-4ee8-bcc8-3da7eba8ad79 which can be used as unique global reference for BeaverTail in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BELLHOP

• BELLHOP is a JavaScript backdoor interpreted using the native Windows Scripting Host (WSH). After performing some basic host information gathering, the BELLHOP dropper downloads a base64-encoded blob of JavaScript to disk and sets up persistence in three ways:
• Creating a Run key in the Registry
• Creating a RunOnce key in the Registry
• Creating a persistent named scheduled task
• BELLHOP communicates using HTTP and HTTPS with primarily benign sites such as Google Docs and PasteBin.

Internal MISP references

UUID 7ebeb691-b979-4a88-94e1-dade780c6a7f which can be used as unique global reference for BELLHOP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CACTUSTORCH

According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It will spawn a 32 bit version of the binary specified and inject shellcode into it.

Internal MISP references

UUID efbb5a7c-8c01-4aca-ac21-8dd614b256f7 which can be used as unique global reference for CACTUSTORCH in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ChromeBack

GoSecure describes ChromeBack as a browser hijacker, redirecting traffic and serving advertisements to users.

Internal MISP references

UUID ec055670-4d25-4918-90c7-281fddf3a771 which can be used as unique global reference for ChromeBack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ClearFake

ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. The malware leverages social engineering to trick the user into running a fake web browser update.

Internal MISP references

UUID 8899bc6f-62e1-4732-988a-d5d64a5cf9bd which can be used as unique global reference for ClearFake in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CryptoNight

WebAssembly-based crypto miner.

Internal MISP references

UUID faa19699-a884-4cd3-a307-36492c8ee77a which can be used as unique global reference for CryptoNight in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CukieGrab

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CukieGrab.

Known Synonyms
Roblox Trade Assist
Internal MISP references

UUID d47ca107-3e03-4c25-88f9-8156426b7f60 which can be used as unique global reference for CukieGrab in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DarkWatchman

Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA for C&C.

Internal MISP references

UUID 4baf5a22-7eec-4ad8-8780-23a351d9b5f5 which can be used as unique global reference for DarkWatchman in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DNSRat

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DNSRat.

Known Synonyms
DNSbot
Internal MISP references

UUID a4b40d48-e40b-47f2-8e30-72342231503e which can be used as unique global reference for DNSRat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

doenerium

Open-sourced JavaScript info stealer, capable of stealing crypto wallets, passwords and cookies and of modifying Discord clients: https://github.com/doener2323/doenerium

Internal MISP references

UUID dc446dbc-6f8a-48ee-9e90-10e679a003e1 which can be used as unique global reference for doenerium in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Enrume

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Enrume.

Known Synonyms
Ransom32
Internal MISP references

UUID d6e5f6b7-cafb-476d-958c-72debdabe013 which can be used as unique global reference for Enrume in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

EVILNUM (Javascript)

According to Proofpoint, EvilNum is a backdoor that can be used for data theft or to load additional payloads. The malware includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software.

Internal MISP references

UUID b7deec7e-24f7-4f78-9d58-9b3c1e182ab3 which can be used as unique global reference for EVILNUM (Javascript) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FakeUpdateRU

FakeUpdateRU is a malicious JavaScript code injected into compromised websites to deliver further malware using the drive-by download technique. The malicious code displays a copy of the Google Chrome web browser download page and redirects the user to the download of a next-stage payload.

Internal MISP references

UUID 9106e280-febe-45a3-9cd1-cbffafc0c85b which can be used as unique global reference for FakeUpdateRU in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FAKEUPDATES

FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.

FAKEUPDATES has been heavily used by UNC1543, a financially motivated group.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FAKEUPDATES.

Known Synonyms
FakeUpdate
SocGholish
Internal MISP references

UUID cff35ce3-8d6f-417b-ae6c-a9e6a60ee26c which can be used as unique global reference for FAKEUPDATES in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GootLoader

According to PCrisk, they discovered GootLoader malware while examining legitimate but compromised websites (mainly websites managed using WordPress). It was found that GootLoader is used to infect computers with additional malware. Cybercriminals using GootLoader seek to trick users into unknowingly downloading and executing the malware by disguising it as a document or other file.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GootLoader.

Known Synonyms
SLOWPOUR
Internal MISP references

UUID 5b2569e5-aeb2-4708-889f-c6d598bd5e14 which can be used as unique global reference for GootLoader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

grelos

grelos is a skimmer used for magecart-style attacks.

Internal MISP references

UUID 79580c0b-c390-4421-976a-629a5c11af95 which can be used as unique global reference for grelos in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Griffon

GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Griffon.

Known Synonyms
Harpy
Internal MISP references

UUID 85c25380-69d7-4d7e-b279-6b6791fd40bd which can be used as unique global reference for Griffon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

inter

Internal MISP references

UUID 36b0f1a0-29a4-4ec5-bca2-18a241881d49 which can be used as unique global reference for inter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Jeniva

Internal MISP references

UUID b0631a44-3264-429d-b8bc-3a27e27be305 which can be used as unique global reference for Jeniva in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Jetriz

Internal MISP references

UUID 9e6a0a54-8b55-4e78-a3aa-15d1946882e1 which can be used as unique global reference for Jetriz in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

jspRAT

Internal MISP references

UUID 71903afc-7129-4821-90e5-c490e4902de3 which can be used as unique global reference for jspRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

KopiLuwak

Internal MISP references

UUID 2269d37b-87e9-460d-b878-b74a2f4c3537 which can be used as unique global reference for KopiLuwak in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

LNKR

The LNKR trojan is a malicious browser extension that monitors the websites visited by the user, looking for pages with administrative privileges such as blog sites or web-based virtual learning environments. When the administrative user posts to the page, the infected extension executes a stored cross-site scripting attack and injects malicious JavaScript into the legitimate HTML of the page. This is used to redirect the second-party visitors of the site to both benign and malicious domains.

Internal MISP references

UUID 1a85acf3-4bda-49b4-9e50-1231f0b7340a which can be used as unique global reference for LNKR in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

magecart

Magecart is a malware framework intended to steal credit card information from compromised eCommerce websites. Used in criminal activities, it's a sophisticated implant built on top of relays, command and control servers and anonymizers used to steal eCommerce customers' credit card information. The first stage is typically implemented in JavaScript included in a compromised checkout page. It copies data from "input fields" and sends it to a relay, which collects credit cards coming from a subset of compromised eCommerce sites and forwards them to command and control servers.

Internal MISP references

UUID f53e404b-0dcd-4116-91dd-cad94fc41936 which can be used as unique global reference for magecart in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

megaMedusa

MegaMedusa is a Node.js Layer-7 DDoS tool ("DDoS Machine") provided by the RipperSec team.

Internal MISP references

UUID 8a51e636-13be-4bdc-a32f-2d832263ba5b which can be used as unique global reference for megaMedusa in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MiniJS

MiniJS is a very simple JavaScript-based first-stage backdoor. The backdoor is probably distributed via spearphishing email. Due to infrastructure overlap, the malware can be attributed to the actor Turla. Comparable JavaScript-based backdoor families of the actor are KopiLuwak and IcedCoffee.

Internal MISP references

UUID 5fd2f4f0-0591-45bb-a843-c194d5e294cd which can be used as unique global reference for MiniJS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MintsLoader

According to Orange Cyberdefense, MintsLoader is a little-known, multi-stage malware loader that has been used since at least February 2023. It has been observed in widespread distribution campaigns between July and October 2024. The name comes from a very characteristic use of a URL parameter "1.php?s=mintsXX" (with XX being numbers).

MintsLoader primarily delivers malicious RAT or infostealing payloads such as AsyncRAT and Vidar through phishing emails, targeting organizations in Europe (Spain, Italy, Poland, etc.). Written in JavaScript and PowerShell, MintsLoader operates through a multi-step infection process involving several URLs and domains, most of which use a domain generation algorithm (DGA) with .top TLD.

Internal MISP references

UUID 0cd219f4-1f3b-4958-b678-173257abd67e which can be used as unique global reference for MintsLoader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

More_eggs

More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:
- d&exec = download and execute PE file
- gtfo = delete files/startup entries and terminate
- more_eggs = download additional/new scripts
- more_onion = run new script and terminate current script
- more_power = run command shell commands

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular More_eggs.

Known Synonyms
SKID
SpicyOmelette
Internal MISP references

UUID 1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f which can be used as unique global reference for More_eggs in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

NanHaiShu

NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.

Internal MISP references

UUID 3e46af39-52e8-442f-aff1-38eeb90336fc which can be used as unique global reference for NanHaiShu in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

NodeRAT

Internal MISP references

UUID e3b0ed5c-4e6a-4f50-bef2-1f7112aa31ed which can be used as unique global reference for NodeRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

OFFODE

According to the author, this is a project intended to give an understanding of bypassing Multi-Factor Authentication (MFA) of an Outlook account. It is built in Node.js and uses Playwright for the automation in the backend.

Internal MISP references

UUID 0be6d248-382a-48b8-9a52-dba08aaa891e which can be used as unique global reference for OFFODE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ostap

Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:

AgentSimulator.exe
anti-virus.EXE
BehaviorDumper
BennyDB.exe
ctfmon.exe
fakepos_bin
FrzState2k
gemu-ga.exe (possible misspelling of the Qemu hypervisor's guest agent, qemu-ga.exe)
ImmunityDebugger.exe
KMS Server Service.exe
ProcessHacker
procexp
Proxifier.exe
python
tcpdump
VBoxService
VBoxTray.exe
VmRemoteGuest
vmtoolsd
VMware2B.exe
VzService.exe
winace
Wireshark

If a blacklisted process is found, the malware terminates.

Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.

Internal MISP references

UUID a3b93781-c51c-4ccb-a856-804331470a9d which can be used as unique global reference for ostap in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ParaSiteSnatcher

Internal MISP references

UUID 9af9557c-04fc-4231-85c4-d1fb30c53cb6 which can be used as unique global reference for ParaSiteSnatcher in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Parrot TDS

This malicious code written in JavaScript is used as a Traffic Direction System (TDS). This TDS shows similarities to the Prometheus TDS. According to DECODED Avast.io, this TDS has been active since October 2021.

Internal MISP references

UUID dbefad0a-29d3-49d3-b925-116598182dee which can be used as unique global reference for Parrot TDS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PeaceNotWar

PeaceNotWar was integrated into the Node.js module node-ipc as a piece of malware/protestware with wiper characteristics. It targets machines with a public IP address located in Russia and Belarus (using geolocation) and overwrites files recursively using a heart emoji.

Internal MISP references

UUID 6c304481-024e-4f34-af06-6235edacfdcc which can be used as unique global reference for PeaceNotWar in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PindOS

Internal MISP references

UUID 6af1eb7a-bc54-43af-9e15-7187a5f250c4 which can be used as unique global reference for PindOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Powmet

Internal MISP references

UUID 9521ceb0-039d-412c-a38b-7bd9ddfc772e which can be used as unique global reference for Powmet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

QNodeService

According to Trend Micro, this is Node.js-based malware that can download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows and has components for both 32-bit and 64-bit.

Internal MISP references

UUID 52d9260f-f090-4e79-b0b3-0c89f5db6bc6 which can be used as unique global reference for QNodeService in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

QUICKCAFE

QUICKCAFE is an encrypted JavaScript downloader for QUICKRIDE.POWER that exploits the ActiveX M2Soft vulnerabilities. QUICKCAFE is obfuscated using JavaScript Obfuscator.

Internal MISP references

UUID 475766d2-1e99-4d81-89e4-0d0df4a562d0 which can be used as unique global reference for QUICKCAFE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

scanbox

Internal MISP references

UUID 0a13a546-91a2-4de0-9bbb-71c9233ce6fa which can be used as unique global reference for scanbox in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SQLRat

SQLRat campaigns typically involve a lure document that includes an image overlaid by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\Roaming\Microsoft\Templates\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.

Internal MISP references

UUID d51cb8f8-cca3-46ce-a05d-052df44aef40 which can be used as unique global reference for SQLRat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Starfighter (Javascript)

According to the author, this is a JavaScript-based Empire launcher that runs with its own embedded PowerShell host so as not to be dependent on local PowerShell availability.

Internal MISP references

UUID f6c80748-1cce-4f6b-92e9-f8a04ff3464a which can be used as unique global reference for Starfighter (Javascript) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Swid

Internal MISP references

UUID d4be22cf-497d-46a0-8d57-30d10d9486e3 which can be used as unique global reference for Swid in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HTML5 Encoding

Internal MISP references

UUID c7ab9e5a-0ec9-481e-95ec-ad08f06cf985 which can be used as unique global reference for HTML5 Encoding in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Maintools.js

Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.

Internal MISP references

UUID 218f8ca8-1124-4e44-8fbd-4b05b46bde4b which can be used as unique global reference for Maintools.js in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified JS 001 (APT32 Profiler)

Internal MISP references

UUID f2b0ffdc-7d4e-4786-8935-e7036faa174d which can be used as unique global reference for Unidentified JS 001 (APT32 Profiler) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified JS 003 (Emotet Downloader)

According to Max Kersten, Emotet is dropped by a procedure spanning multiple stages. The first stage is an Office file that contains a macro. This macro then loads the second stage, which is either a PowerShell script or a piece of JavaScript; the latter is this family entry.

Internal MISP references

UUID 7bf28be0-3153-474d-8df7-e12fec511d7e which can be used as unique global reference for Unidentified JS 003 (Emotet Downloader) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified JS 004

A simple loader written in JavaScript found by Marco Ramilli.

Internal MISP references

UUID a15e7c49-4eb6-46f0-8f79-0b765d7d4e46 which can be used as unique global reference for Unidentified JS 004 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified JS 005 (Stealer)

Internal MISP references

UUID a797e9b9-cb3f-484a-9273-ac73e9ea1e06 which can be used as unique global reference for Unidentified JS 005 (Stealer) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified JS 006 (Winter Wyvern)

A script able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests.

Internal MISP references

UUID 547fed09-38d0-4813-b9b0-870a1d4136df which can be used as unique global reference for Unidentified JS 006 (Winter Wyvern) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified JS 002

Internal MISP references

UUID 7144063f-966b-4277-b316-00eb970ccd52 which can be used as unique global reference for Unidentified JS 002 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Valak

According to PCrisk, Valak is malicious software that downloads JScript files and executes them. What happens next depends on the actions performed by the executed JScript files. It is very likely that cyber criminals behind Valak attempt to use this malware to cause chain infections (i.e., using Valak to distribute other malware).

Research shows that Valak is distributed through spam campaigns; however, in some cases, it infiltrates systems that are already infected with malicious programs such as Ursnif (also known as Gozi).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Valak.

Known Synonyms
Valek
Internal MISP references

UUID b37b4d91-0ac7-48f5-8fd1-5237b9615cf7 which can be used as unique global reference for Valak in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

witchcoven

Internal MISP references

UUID dcc0fad2-29a9-4b69-9d75-d288ca458bc7 which can be used as unique global reference for witchcoven in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Godzilla Webshell

Internal MISP references

UUID 07e88ccf-6027-412b-99bf-0fa1d3cfb174 which can be used as unique global reference for Godzilla Webshell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

3CX Backdoor (OS X)

Internal MISP references

UUID d5e10bf9-9de8-46be-96d0-aa502b14ffe8 which can be used as unique global reference for 3CX Backdoor (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AMOS

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AMOS.

Known Synonyms
Atomic macOS Stealer
Internal MISP references

UUID 2fa2be52-e44f-4998-bde7-c66cfb6f4521 which can be used as unique global reference for AMOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AppleJeus (OS X)

According to PcRisk, AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.

Internal MISP references

UUID ca466f15-8e0a-4030-82cb-5382e3c56ee5 which can be used as unique global reference for AppleJeus (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BANSHEE

Internal MISP references

UUID 5d7b9bcf-a0b6-47eb-8350-a80fac356567 which can be used as unique global reference for BANSHEE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Bella

Internal MISP references

UUID 3c5036ad-2afc-4bc1-a5a3-b31797f46248 which can be used as unique global reference for Bella in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Bundlore

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bundlore.

Known Synonyms
SurfBuyer
Internal MISP references

UUID 5f5f5496-d9f8-4984-aa66-8702741646fe which can be used as unique global reference for Bundlore in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Careto

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Careto.

Known Synonyms
Appetite
Mask
Internal MISP references

UUID dcabea75-a433-4157-bb7a-be76de3026ac which can be used as unique global reference for Careto in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Casso

Internal MISP references

UUID 387e1a19-458d-4961-a8e4-3f82463085e5 which can be used as unique global reference for Casso in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CDDS

Google TAG has observed this malware being delivered via watering hole attacks using 0-day exploits, targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CDDS.

Known Synonyms
Macma
Internal MISP references

UUID 5e4bdac7-b6c8-4c59-996f-babfc3bb3a3c which can be used as unique global reference for CDDS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Choziosi (OS X)

A loader delivering malicious Chrome and Safari extensions.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Choziosi (OS X).

Known Synonyms
ChromeLoader
Chropex
Internal MISP references

UUID 57f75f24-b77b-46b3-a06a-57d49374fb82 which can be used as unique global reference for Choziosi (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CloudMensis

Internal MISP references

UUID 557fc183-f51a-4740-b2dd-5e81e6f6690a which can be used as unique global reference for CloudMensis in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CoinThief

CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component.

It was spreading in early 2014 from several different sources:

  • on Github (where the trojanized compiled binary didn't match the displayed source code),
  • on popular and trusted download sites like CNET's Download.com or MacUpdate.com, and
  • as cracked applications via torrents, camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.

The patcher's role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted Bitcoin-Qt versions 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt by adding malicious code that would send nearly all of the victim's Bitcoins to one of the hard-coded addresses belonging to the attacker.

The browser extensions targeted Chrome and Firefox and were disguised as a "Pop-up blocker". The extensions monitored visited websites, downloaded malicious JavaScript and injected it into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker's address, or simply harvest login credentials for the targeted online service.

The backdoor enabled the attacker to take full control over the victim's computer:

  • collect information about the infected computer
  • execute arbitrary shell scripts on the target computer
  • upload an arbitrary file from the victim's hard drive to a remote server
  • update itself to a newer version

Internal MISP references

UUID 70e73da7-21d3-4bd6-9a0e-0c904e6457e8 which can be used as unique global reference for CoinThief in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Coldroot RAT

Internal MISP references

UUID 076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf which can be used as unique global reference for Coldroot RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Convuster

Internal MISP references

UUID 3819ded3-27ac-4e2f-9cd6-c6ef1642599b which can be used as unique global reference for Convuster in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CpuMeaner

Internal MISP references

UUID 74360d1e-8f85-44d1-8ce7-e76afb652142 which can be used as unique global reference for CpuMeaner in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CreativeUpdater

Internal MISP references

UUID 40fc6f71-75ac-43ac-abd9-c90b0e847999 which can be used as unique global reference for CreativeUpdater in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Crisis

Internal MISP references

UUID 2bb6c494-8057-4d83-9202-fda3284deee4 which can be used as unique global reference for Crisis in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Crossrider

Internal MISP references

UUID 05ddb459-5a2f-44d5-a135-ed3f1e772302 which can be used as unique global reference for Crossrider in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Cthulhu Stealer

Internal MISP references

UUID 549f4c7c-55e3-478e-a84e-e27c5e195c97 which can be used as unique global reference for Cthulhu Stealer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Dacls (OS X)

According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.

Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.

Internal MISP references

UUID 81def650-f52e-49a3-a3fe-cb53ffa75d67 which can be used as unique global reference for Dacls (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DarthMiner

Internal MISP references

UUID a8e71805-014d-4998-b21e-3125da800124 which can be used as unique global reference for DarthMiner in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DazzleSpy

Internal MISP references

UUID ba2c7d3c-7f7a-42f7-854c-a6cc0b5eb850 which can be used as unique global reference for DazzleSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Dockster

Internal MISP references

UUID 713d8ec4-4983-4fbb-827c-2ef5bc0e6930 which can be used as unique global reference for Dockster in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Dummy

Internal MISP references

UUID cbf9ff89-d35b-4954-8873-32f59f5e4d7d which can be used as unique global reference for Dummy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Eleanor

Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses the Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.

The Tor service transforms the victim's computer into a server that provides attackers with fully anonymous access to the infected machine via a Tor-generated address.

The Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.

The web service is the main malicious component and provides the attackers with control over the infected machine. After successful authentication, the interface offers the attackers several control panels, allowing them to perform the following actions:

  • Managing files
  • Listing processes
  • Connecting to various database management systems such as MySQL or SQLite
  • Connecting via bind/reverse shell
  • Executing shell commands
  • Capturing and browsing images and videos from the victim’s webcam
  • Sending emails with an attachment
Internal MISP references

UUID c221e519-fe3e-416e-bc63-a2246b860958 which can be used as unique global reference for Eleanor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ElectroRAT

According to PCrisk, ElectroRAT is a Remote Access Trojan (RAT) written in the Go programming language and designed to target Windows, MacOS, and Linux users. Cyber criminals behind ElectroRAT target mainly cryptocurrency users. This RAT is distributed via the trojanized Jamm, eTrader, and DaoPoker applications.

Internal MISP references

UUID f8ccf928-7d4f-4999-91a5-9222f148152d which can be used as unique global reference for ElectroRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

EvilOSX

Internal MISP references

UUID 24f3d8e1-3936-4664-b813-74c797b87d9d which can be used as unique global reference for EvilOSX in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

EvilQuest

According to PcRisk, EvilQuest (also known as ThiefQuest) is like many other malicious programs of this type - it encrypts files and creates a ransom message. In most cases, this type of malware modifies the names of encrypted files by appending certain extensions, however, this ransomware leaves them unchanged.

It drops the "READ_ME_NOW.txt" in each folder that contains encrypted data and displays another ransom message in a pop-up window. Additionally, this malware is capable of detecting if certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EvilQuest.

Known Synonyms
ThiefQuest
Internal MISP references

UUID d5b39223-a8cc-4d47-8030-1d7d6312d351 which can be used as unique global reference for EvilQuest in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FailyTale

Internal MISP references

UUID 5dfd704c-a69d-4e93-bd70-68f89fbbb32c which can be used as unique global reference for FailyTale in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FinFisher (OS X)

Internal MISP references

UUID 89ce536c-03b9-4f69-83ce-723f26b36494 which can be used as unique global reference for FinFisher (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FlashBack

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlashBack.

Known Synonyms
FakeFlash
Internal MISP references

UUID f92b5355-f398-4f09-8bcc-e06df6fe51a0 which can be used as unique global reference for FlashBack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FruitFly

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FruitFly.

Known Synonyms
Quimitchin
Internal MISP references

UUID a517cdd1-6c82-4b29-bdd2-87e281227597 which can be used as unique global reference for FruitFly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FULLHOUSE

Fullhouse (AKA FULLHOUSE.DOORED) is a custom backdoor used by subsets of the North Korean Lazarus Group. Fullhouse is written in C/C++ and combines tunneler capabilities with support for backdoor commands such as shell command execution, file transfer, file management, and process injection. C2 communications occur via HTTP and require configuration through the command line or a configuration file.

Internal MISP references

UUID 2ab781d8-214d-41e2-acc9-23ded4f77663 which can be used as unique global reference for FULLHOUSE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GIMMICK (OS X)

GIMMICK is the name Volexity gave to the Objective-C macOS variant of this multi-platform malware. It is a file-based C2 implant used by Storm Cloud.

Internal MISP references

UUID 0e259d0f-717a-4ced-ac58-6fe9d72e2c96 which can be used as unique global reference for GIMMICK (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Gmera

According to PCrisk, GMERA (also known as Kassi trojan) is malicious software that disguises itself as Stockfolio, a legitimate trading app created for Mac users.

Research shows that there are two variants of this malware, one detected as Trojan.MacOS.GMERA.A and the other as Trojan.MacOS.GMERA.B. Cyber criminals proliferate GMERA to steal various information and upload it to a website under their control. To avoid damage caused by this malware, remove GMERA immediately.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gmera.

Known Synonyms
Kassi
StockSteal
Internal MISP references

UUID 1c65cf4e-5df4-4d56-a414-7b05f00814ba which can be used as unique global reference for Gmera in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HiddenLotus

According to Malwarebytes, the HiddenLotus "dropper" is an application named Lê Thu Hà (HAEDC).pdf, using an old trick of disguising itself as a document - in this case, an Adobe Acrobat file.

Internal MISP references

UUID fc17e41f-e9f7-4442-a05c-7a19b9174c39 which can be used as unique global reference for HiddenLotus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HLOADER

Internal MISP references

UUID 28304d68-689e-4488-80cb-d5b7b50a8d57 which can be used as unique global reference for HLOADER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HZ RAT (OS X)

Internal MISP references

UUID 37f37678-c8c3-44d7-82bd-ecb452fba012 which can be used as unique global reference for HZ RAT (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

iMuler

The threat was a multi-stage malware displaying a decoy that appeared to the victim as a Chinese language article on the long-running dispute over the Diaoyu Islands; an array of erotic pictures; or images of Tibetan organisations. It consisted of two stages: Revir was the dropper/downloader and Imuler was the backdoor capable of the following operations:

  • capture screenshots
  • exfiltrate files to a remote computer
  • send various information about the infected computer
  • extract ZIP archive
  • download files from a remote computer and/or the Internet
  • run executable files
Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular iMuler.

Known Synonyms
Revir
Internal MISP references

UUID 261fd543-60e4-470f-af28-7a9b17ba4759 which can be used as unique global reference for iMuler in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Interception (OS X)

Internal MISP references

UUID d4f7ea92-04e7-405c-9faf-7993ffd5c473 which can be used as unique global reference for Interception (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Janicab (OS X)

According to Patrick Wardle, this malware persists a Python script as a cron job. Steps:

  1. The Python installer first saves any existing cron jobs into a temporary file named '/tmp/dump'.
  2. It appends its new job to this file.
  3. Once the new cron job has been added, 'python (~/.t/runner.pyc)' runs every minute.

Internal MISP references

UUID 01325d85-297f-40d5-b829-df9bd996af5a which can be used as unique global reference for Janicab (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

JokerSpy

Internal MISP references

UUID 171b0695-8cea-4ca6-a3f0-c9a8455ef9de which can be used as unique global reference for JokerSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

KANDYKORN

Internal MISP references

UUID d314856b-1c07-4f4a-ab3e-eeae38536857 which can be used as unique global reference for KANDYKORN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

KeRanger

Internal MISP references

UUID 01643bc9-bd61-42e8-b9f1-5fbf83dcd786 which can be used as unique global reference for KeRanger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Keydnap

Internal MISP references

UUID 2173605b-bf44-4c76-b75a-09c53bb322d6 which can be used as unique global reference for Keydnap in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Kitmos

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kitmos.

Known Synonyms
KitM
Internal MISP references

UUID 8a1b1c99-c149-4339-9058-db3b4084cdcd which can be used as unique global reference for Kitmos in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Komplex

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Komplex.

Known Synonyms
JHUHUGIT
JKEYSKW
SedUploader
Internal MISP references

UUID d26b5518-8d7f-41a6-b539-231e4962853e which can be used as unique global reference for Komplex in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Kuiper (OS X)

Internal MISP references

UUID c39087ca-05b7-4374-aff1-116a73f2ba74 which can be used as unique global reference for Kuiper (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Lador

Internal MISP references

UUID 9c6b54ce-44a0-4d0c-89cb-6532c8f89d8d which can be used as unique global reference for Lador in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Lambert (OS X)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lambert (OS X).

Known Synonyms
GreenLambert
Internal MISP references

UUID 7433f3a8-f53c-4ba0-beff-e312fae9ad39 which can be used as unique global reference for Lambert (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Laoshu

Internal MISP references

UUID a13a2cb8-b0e6-483a-9916-f44969a2c42b which can be used as unique global reference for Laoshu in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Leverage

Internal MISP references

UUID 15daa766-f721-4fd5-95fb-153f5361fb87 which can be used as unique global reference for Leverage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

LockBit (OS X)

Internal MISP references

UUID 0821b5c8-db48-4d0e-a969-384dbd74a6c9 which can be used as unique global reference for LockBit (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MacDownloader

Internal MISP references

UUID 910d3c78-1a9e-4600-a3ea-4aa5563f0f13 which can be used as unique global reference for MacDownloader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MacInstaller

Internal MISP references

UUID d1f8af3c-719b-4f64-961b-8d89a2defa02 which can be used as unique global reference for MacInstaller in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MacRansom

Internal MISP references

UUID 66862f1a-5823-4a9a-bd80-439aaafc1d8b which can be used as unique global reference for MacRansom in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MacSpy

Internal MISP references

UUID c9915d41-d1fb-45bc-997e-5cd9c573d8e7 which can be used as unique global reference for MacSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MacVX

Internal MISP references

UUID 4db9012b-d3a1-4f19-935c-4dbc7fdd93fe which can be used as unique global reference for MacVX in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MaMi

Internal MISP references

UUID 7759534c-3298-42e9-adab-896d7e507f4f which can be used as unique global reference for MaMi in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Manuscrypt

Internal MISP references

UUID f85c3ec9-81f0-4dee-87e6-b3f6b235bfe7 which can be used as unique global reference for Manuscrypt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Mokes (OS X)

Internal MISP references

UUID bfbb6e5a-32dc-4842-936c-5d8497570c74 which can be used as unique global reference for Mokes (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Mughthesec

Internal MISP references

UUID aa1bf4e5-9c44-42a2-84e5-7526e4349405 which can be used as unique global reference for Mughthesec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

NetWire

Internal MISP references

UUID f0d52afd-e7c9-4bd1-be8a-9ab09b14ea24 which can be used as unique global reference for NetWire in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

OceanLotus

According to PcRisk, research shows that the OceanLotus 'backdoor' targets MacOS computers. Cyber criminals behind this backdoor have already used this malware to attack human rights and media organizations, some research institutes, and maritime construction companies.

The OceanLotus backdoor is distributed via a fake Adobe Flash Player installer and a malicious Word document (it is likely that threat authors distribute the document via malspam emails).

Internal MISP references

UUID 65b7eff4-741c-445e-b4e0-8a4e4f673a65 which can be used as unique global reference for OceanLotus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Olyx

Internal MISP references

UUID cd397973-8f42-4c49-8322-414ea77ec773 which can be used as unique global reference for Olyx in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

oRAT

SentinelOne describes this as malware written in Go, mixing its own custom code with code from public repositories.

Internal MISP references

UUID 699dac0f-092c-4c8e-85e9-6e3c86129190 which can be used as unique global reference for oRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

OSAMiner

Internal MISP references

UUID 89d0c423-c4ff-46e8-8c79-ea5e974e53e7 which can be used as unique global reference for OSAMiner in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Patcher

This crypto-ransomware for macOS was caught spreading via BitTorrent distribution sites in February 2017, masquerading as 'Patcher', an application used for pirating popular software like Adobe Premiere Pro or Microsoft Office for Mac.

The downloaded torrent contained an application bundle in the form of a single zip file. After launching the fake application, the main window of the fake cracking tool was displayed.

The file encryption process was launched after the misguided victim clicked 'Start'. Once executed, the ransomware generated a random 25-character string and set it as the key for RC4 encryption of all of the user's files. It then demanded a ransom in Bitcoin, as instructed in the 'README!.txt' file copied all over the user's directories.

Despite the instructions being quite thorough, Patcher lacked the functionality to communicate with any C&C server, and therefore made it impossible for its operators to decrypt affected files. The randomly generated encryption key was also too long to be guessed via a brute-force attack, leaving the encrypted data unrecoverable in a reasonable amount of time.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Patcher.

Known Synonyms
FileCoder
Findzip
Internal MISP references

UUID bad1057c-4f92-4747-a0ec-31bcc062dab8 which can be used as unique global reference for Patcher in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PintSized

A backdoor built as a fork of OpenSSH_6.0 with no logging and with hidden "-P" and "-z" command-line arguments. It contains the string "PuffySSH_5.8p1".

Internal MISP references

UUID de13bec0-f443-4c5a-91fe-2223dad43be5 which can be used as unique global reference for PintSized in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Pirrit

Internal MISP references

UUID b749ff3a-df68-4b38-91f1-649864eae52c which can be used as unique global reference for Pirrit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

POOLRAT

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POOLRAT.

Known Synonyms
SIMPLESEA
SIMPLETEA
Internal MISP references

UUID bfd9e30e-ddc7-426f-8f77-4d2e1a846541 which can be used as unique global reference for POOLRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Poseidon (OS X)

Part of Mythic C2, written in Golang.

Internal MISP references

UUID e4ac9105-c3ad-41e2-846b-048e2bbedc6a which can be used as unique global reference for Poseidon (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Poseidon Stealer

macOS infostealer sold by an individual named Rodrigo4, currently consisting of a disk image containing a Mach-O without an app bundle, which when executed spawns osascript to run an AppleScript containing the actual infostealer payload. The AppleScript payload steals files by packing them into a ZIP archive and uploading them to a hardcoded C2 via HTTP.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Poseidon Stealer.

Known Synonyms
Rodrigo Stealer
Internal MISP references

UUID 9eb9f899-acfb-4452-981f-5937aa1f47cc which can be used as unique global reference for Poseidon Stealer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Proton RAT

Proton RAT is a Remote Access Trojan (RAT) specifically designed for macOS systems. It is known for providing attackers with complete remote control over the infected system, allowing the execution of commands, keystroke capturing, access to the camera and microphone, and the ability to steal credentials stored in browsers and other password managers. This malware typically spreads through malicious or modified applications, which, when downloaded and installed by unsuspecting users, trigger its payload. Proton RAT is notorious for its sophistication and evasion capabilities, including techniques to bypass detection by installed security solutions.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Proton RAT.

Known Synonyms
Calisto
Internal MISP references

UUID d7e31f19-8bf2-4def-8761-6c5bf7feaa44 which can be used as unique global reference for Proton RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Pwnet

Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.

Internal MISP references

UUID 70059ec2-9315-4af7-b65b-2ec35676a7bb which can be used as unique global reference for Pwnet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Dok

Dok a.k.a. Retefe is the macOS version of the banking trojan Retefe. It consists of a codesigned Mach-O dropper usually malspammed in an app bundle within a DMG disk image, posing as a document. The primary purpose of the dropper is to install a Tor client as well as a malicious CA certificate and proxy pac URL, in order to redirect traffic to targeted sites through their Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to prevent access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dok.

Known Synonyms
Retefe
Internal MISP references

UUID 80acc956-d418-42e3-bddf-078695a01289 which can be used as unique global reference for Dok in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RustBucket (OS X)

Internal MISP references

UUID 03f356e6-296f-4195-bed0-9719a84887db which can be used as unique global reference for RustBucket (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Shlayer

According to PCrisk, Shlayer is a trojan-type virus designed to proliferate various adware and other unwanted applications, and promote fake search engines. It is typically disguised as an Adobe Flash Player installer and various software cracking tools.

In most cases, users encounter this virus when visiting dubious Torrent websites that are full of intrusive advertisements and deceptive downloads.

Internal MISP references

UUID c3ee82df-a004-4c68-89bd-eb4bb2dfc803 which can be used as unique global reference for Shlayer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Silver Sparrow

According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s new M1 chips but has been distributed without payload so far.

Internal MISP references

UUID f6a7aeeb-fcc5-4d26-9eab-c0b6e2819a6c which can be used as unique global reference for Silver Sparrow in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SimpleTea (OS X)

SimpleTea is a RAT for macOS that is based on the same object-oriented project as SimpleTea for Linux (SimplexTea).

It also shares similarities with POOLRAT (also known as SIMPLESEA), like the supported commands or a single-byte XOR encryption of its configuration. However, the indices of commands are different.

SimpleTea for macOS was uploaded to VirusTotal from Hong Kong and China in September 2023.

Internal MISP references

UUID ce384804-8580-4d57-97b3-bde0d903f703 which can be used as unique global reference for SimpleTea (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SpectralBlur (OS X)

Internal MISP references

UUID c7c32006-a2d1-4bc2-8a25-84c07286464a which can be used as unique global reference for SpectralBlur (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SUGARLOADER

Internal MISP references

UUID 171501fd-d504-4257-9c3d-fbc066d6eeba which can be used as unique global reference for SUGARLOADER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SysJoker (OS X)

Internal MISP references

UUID 5bffe0fe-22f6-4d18-9372-f8c5d262d852 which can be used as unique global reference for SysJoker (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

systemd

General purpose backdoor

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular systemd.

Known Synonyms
Demsty
ReverseWindow
Internal MISP references

UUID a8e7687b-9db7-4606-ba81-320d36099e3a which can be used as unique global reference for systemd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Tsunami (OS X)

Internal MISP references

UUID 59d4a2f3-c66e-4576-80ab-e04a4b0a4317 which can be used as unique global reference for Tsunami (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified macOS 001 (UnionCryptoTrader)

Internal MISP references

UUID 1c96f6b9-6b78-4137-9d5f-aa5575f80daa which can be used as unique global reference for Unidentified macOS 001 (UnionCryptoTrader) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

UpdateAgent

Internal MISP references

UUID 1f1bc885-5987-41fa-bb04-8775eeb45d88 which can be used as unique global reference for UpdateAgent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Uroburos (OS X)

Internal MISP references

UUID 13173d75-45f0-4183-8e18-554a5781405c which can be used as unique global reference for Uroburos (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Vigram

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vigram.

Known Synonyms
WizardUpdate
Internal MISP references

UUID 021e2fb4-1744-4fde-8d59-b247f1b34062 which can be used as unique global reference for Vigram in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WatchCat

Internal MISP references

UUID a73468d5-2dee-4828-8bbb-c37ea9295584 which can be used as unique global reference for WatchCat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WindTail

Internal MISP references

UUID 48751182-0b17-4326-8a72-41e4c4be35e7 which can be used as unique global reference for WindTail in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Winnti (OS X)

Internal MISP references

UUID 5aede44b-1a30-4062-bb97-ac9f4985ddb6 which can be used as unique global reference for Winnti (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WireLurker (OS X)

Internal MISP references

UUID bc32df24-8e80-44bc-80b0-6a4d55661aa5 which can be used as unique global reference for WireLurker (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Wirenet (OS X)

Internal MISP references

UUID f99ef0dc-9e96-42e0-bbfe-3616b3786629 which can be used as unique global reference for Wirenet (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

X-Agent (OS X)

Internal MISP references

UUID 858f4396-8bc9-4df8-9370-490bbb3b4535 which can be used as unique global reference for X-Agent (OS X) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

XCSSET

Internal MISP references

UUID 041aee7f-cb7a-4199-9fe5-494801a18273 which can be used as unique global reference for XCSSET in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Xloader

Xloader is a rebranding of the Formbook malware (mainly a stealer), available for macOS as well.

Formbook has a "magic"-value FBNG (FormBook-NG), while Xloader has a "magic"-value XLNG (XLoader-NG). This "magic"-value XLNG is platform-independent.

Not to be confused with apk.xloader or ios.xloader.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Xloader.

Known Synonyms
Formbook
Internal MISP references

UUID d5f2f6ad-2ed0-42d4-9116-f95eea2ab543 which can be used as unique global reference for Xloader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

XSLCmd

Internal MISP references

UUID 120a5890-dc3e-42e8-950e-b5ff9a849d2a which can be used as unique global reference for XSLCmd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Yort

Internal MISP references

UUID 725cd3eb-1025-4da3-bcb1-a7b6591c632b which can be used as unique global reference for Yort in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ZuRu

Malware that was observed being embedded alongside legitimate applications (such as iTerm2) offered for download on suspicious websites pushed in search engines. It uses a Python script to perform reconnaissance on the compromised system and pulls additional payload(s).

Internal MISP references

UUID bd293592-d2dd-4fdd-88e7-6098e0bbb043 which can be used as unique global reference for ZuRu in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Ani-Shell

Ani-Shell is a simple PHP shell with some unique features such as a Mass Mailer, a simple Web-Server Fuzzer, Dosser, Back Connect, Bind Shell, Auto Rooter, etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ani-Shell.

Known Synonyms
anishell
Internal MISP references

UUID 7ef3c0fd-8736-47b1-8ced-ca7bf6d27471 which can be used as unique global reference for Ani-Shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ANTAK

Antak is a webshell written in ASP.Net which utilizes PowerShell.

Internal MISP references

UUID 88a71ca8-d99f-416a-ad29-5af12212008c which can be used as unique global reference for ANTAK in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ASPXSpy

Internal MISP references

UUID 4d1c01be-76ad-42dd-b094-7a8dbaf02159 which can be used as unique global reference for ASPXSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Behinder

A webshell for multiple web languages (asp/aspx, jsp/jspx, php), openly distributed through Github.

Internal MISP references

UUID 5e5cd3a6-0348-4c6b-94b1-13ca0d845547 which can be used as unique global reference for Behinder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

c99shell

C99shell is a PHP backdoor that provides a lot of functionality, for example:

  • run shell commands;
  • download/upload files from and to the server (FTP functionality);
  • full access to all files on the hard disk;
  • self-delete functionality.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular c99shell.

Known Synonyms
c99
Internal MISP references

UUID cd1b8ec2-dbbd-4e73-b9a7-1bd1287a68f2 which can be used as unique global reference for c99shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DEWMODE

FireEye discovered the DEWMODE webshell starting mid-December 2020, after exploitation of zero-day vulnerabilities in Accellion's File Transfer Appliance. It is a PHP webshell that allows threat actors to view and download files on the victim machine. It also contains a cleanup function to remove itself and clean the Apache log.

Internal MISP references

UUID a782aac8-168d-4691-a182-237d7d473e21 which can be used as unique global reference for DEWMODE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Ensikology

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ensikology.

Known Synonyms
Ensiko
Internal MISP references

UUID dfd8deac-ce86-4a22-b462-041c19d62506 which can be used as unique global reference for Ensikology in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

p0wnyshell

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular p0wnyshell.

Known Synonyms
Ponyshell
Pownyshell
Internal MISP references

UUID a6d13ffe-1b1a-46fe-afd9-989e8dec3773 which can be used as unique global reference for p0wnyshell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Parrot TDS WebShell

In combination with Parrot TDS the usage of a classical web shell was observed by DECODED Avast.io.

Internal MISP references

UUID c9e7c5a6-9082-47ec-89eb-477980e73dcb which can be used as unique global reference for Parrot TDS WebShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PAS

Internal MISP references

UUID e6a40fa2-f79f-40e9-89d3-a56984bc51f7 which can be used as unique global reference for PAS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Prometheus Backdoor

Backdoor written in PHP.

Internal MISP references

UUID b4007b02-106d-420f-af1c-76c035843fd2 which can be used as unique global reference for Prometheus Backdoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RedHat Hacker WebShell

Internal MISP references

UUID e94a5b44-f2c2-41dc-8abb-6de69eb38241 which can be used as unique global reference for RedHat Hacker WebShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WSO

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WSO.

Known Synonyms
Webshell by Orb
Internal MISP references

UUID 7f3794fc-662e-4dde-b793-49bcaccc96f7 which can be used as unique global reference for WSO in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Silence DDoS

Internal MISP references

UUID b5cc7a39-305b-487e-b15a-02dcebefce90 which can be used as unique global reference for Silence DDoS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BlackSun

Ransomware.

Internal MISP references

UUID 1fcc4425-6e14-47e6-8434-745cf1bc9982 which can be used as unique global reference for BlackSun in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BONDUPDATER

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BONDUPDATER.

Known Synonyms
Glimpse
Poison Frog
Internal MISP references

UUID 99600ba5-30a0-4ac8-8583-6288760b77c3 which can be used as unique global reference for BONDUPDATER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CASHY200

Internal MISP references

UUID 7373c789-2dc2-4867-9c60-fa68f8d971a2 which can be used as unique global reference for CASHY200 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

EugenLoader

A loader written in PowerShell, usually delivered packaged in MSI/MSIX files.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EugenLoader.

Known Synonyms
FakeBat
NUMOZYLOD
PaykLoader
Internal MISP references

UUID cf9c14cf-6246-4858-8bcc-5a943c8df715 which can be used as unique global reference for EugenLoader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FlowerPower

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlowerPower.

Known Synonyms
BoBoStealer
Internal MISP references

UUID 6f0f034a-13f1-432d-bc70-f78d7f27f46f which can be used as unique global reference for FlowerPower in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FRat Loader

Loader used to deliver FRat (see family windows.frat)

Internal MISP references

UUID 385a3dca-263d-46be-b84d-5dc09ee466d9 which can be used as unique global reference for FRat Loader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FTCODE

FTCODE is ransomware that encrypts files and changes their extension to .FTCODE. It then demands a ransom for the decryption key needed to recover the files. It is infamous for attacking Italy while pretending to be a notorious telecom provider asking for due payments.

Internal MISP references

UUID f727a05e-c1cd-4e95-b0bf-2a4bb64aa850 which can be used as unique global reference for FTCODE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GhostMiner

Internal MISP references

UUID 0db05333-2214-49c3-b469-927788932aaa which can be used as unique global reference for GhostMiner in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HTTP-Shell

The author describes this open source shell as follows. HTTP-Shell is a multiplatform reverse shell. This tool helps you to obtain a shell-like interface on a reverse connection over HTTP. Unlike other reverse shells, the main goal of the tool is to use it in conjunction with Microsoft Dev Tunnels, in order to get a connection as close as possible to a legitimate one.

This shell is not fully interactive, but displays any errors on screen (both Windows and Linux), is capable of uploading and downloading files, has command history, terminal cleanup (even with CTRL+L), automatic reconnection, movement between directories and supports sudo (or sudo su) on Linux-based OS.

Internal MISP references

UUID 50b94b67-dc2a-4953-a354-edf2cc4e17d3 which can be used as unique global reference for HTTP-Shell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

JasperLoader

Internal MISP references

UUID 286a14a1-7113-4bed-97ce-8db41b312a51 which can be used as unique global reference for JasperLoader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Lazyscripter

Internal MISP references

UUID 74e5711e-b777-4f09-a4bc-db58d5e23e29 which can be used as unique global reference for Lazyscripter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

LightBot

According to Bleeping Computer and Vitali Kremez, LightBot is a compact reconnaissance tool suspected to be used to identify high-value targets for potential follow-up ransomware attacks.

Internal MISP references

UUID 319c4b4f-2901-412c-8fa5-70be75ba51cb which can be used as unique global reference for LightBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Octopus (Powershell)

The author describes Octopus as an "open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S."

It is different from the malware win.octopus written in Delphi and attributed to DustSquad by Kaspersky Labs.

Internal MISP references

UUID c3ca7a89-a885-444a-8642-31019b34b027 which can be used as unique global reference for Octopus (Powershell) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

OilRig

Internal MISP references

UUID 4a3b9669-8f91-47df-a8bf-a9876ab8edf3 which can be used as unique global reference for OilRig in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PhonyC2

Internal MISP references

UUID c630e510-a0ad-405a-9aeb-9d8057b6a868 which can be used as unique global reference for PhonyC2 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

POSHSPY

Internal MISP references

UUID 4df1b257-c242-46b0-b120-591430066b6f which can be used as unique global reference for POSHSPY in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PowerBrace

Internal MISP references

UUID 7b334343-0045-4d65-b28a-ebf912c7aafc which can be used as unique global reference for PowerBrace in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PowerHarbor

PowerHarbor is a modular PowerShell-based malware that consists of various modules. The primary module maintains constant communication with the C2 server, executing and deleting additional modules received from it. Currently, the communication with the C2 server is encrypted using RSA encryption and hardcoded key data. Moreover, the main module incorporates virtual machine (VM) detection capabilities. The StealData module employs the Invoke-Stealer function as its core, enabling the theft of system information, browser-stored credentials, cryptocurrency wallet details, and credentials for various applications like Telegram, FileZilla, and WinSCP.

Internal MISP references

UUID 73b40a4c-9163-4a07-bf1b-e4a4344ac63a which can be used as unique global reference for PowerHarbor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PowerPepper

Internal MISP references

UUID 6544c75b-809f-4d31-a235-8906d4004828 which can be used as unique global reference for PowerPepper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

POWERPIPE

Internal MISP references

UUID 60d7f668-66b6-401b-976f-918470a23c3d which can be used as unique global reference for POWERPIPE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

POWERPLANT

POWERPLANT is a backdoor written in PowerShell and used by FIN7. According to Mandiant, it was revealed to be a "vast backdoor framework with a breadth of capabilities, depending on which modules are delivered from the C2 server."

Internal MISP references

UUID 697626d3-04a1-4426-aeae-d7054c6e78fb which can be used as unique global reference for POWERPLANT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

powershell_web_backdoor

Internal MISP references

UUID 4310dcab-0820-4bc1-8a0b-9691c20f5b49 which can be used as unique global reference for powershell_web_backdoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PowerShortShell

Internal MISP references

UUID f2198153-2d8b-49ed-b8a8-0952c289b8c0 which can be used as unique global reference for PowerShortShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PowerShower

Internal MISP references

UUID 0959a02e-6eba-43dc-bbbf-b2c7488e9371 which can be used as unique global reference for PowerShower in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

POWERSOURCE

POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.

Internal MISP references

UUID a4584181-f739-43d1-ade9-8a7aa21278a0 which can be used as unique global reference for POWERSOURCE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PowerSpritz

Internal MISP references

UUID c07f6484-0669-44b7-90e6-f642e316d277 which can be used as unique global reference for PowerSpritz in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

POWERSTAR

Internal MISP references

UUID 60e11a7b-8452-4177-b709-99ef0976c296 which can be used as unique global reference for POWERSTAR in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

POWERSTATS

POWERSTATS is a backdoor written in PowerShell. It has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POWERSTATS.

Known Synonyms
Valyria
Internal MISP references

UUID b81d91b5-23a4-4f86-aea9-3f212169fce9 which can be used as unique global reference for POWERSTATS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

POWERTON

Internal MISP references

UUID 08d5b8a4-e752-48f3-ac6d-944807146ce7 which can be used as unique global reference for POWERTON in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

POWERTRASH

This PowerShell-based malware is an in-memory dropper used by FIN7 to execute its embedded payload. According to Mandiant's blog article: "POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub."

Internal MISP references

UUID ff20d720-285e-4168-ac8c-86a7f9ac18d4 which can be used as unique global reference for POWERTRASH in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PowerWare

Internal MISP references

UUID 5c5beab9-614c-4c86-b369-086234ddb43c which can be used as unique global reference for PowerWare in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PowerZure

PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.

Internal MISP references

UUID f5fa77e9-9851-48a6-864d-e0448de062d4 which can be used as unique global reference for PowerZure in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PowerMagic

Internal MISP references

UUID 7ee51054-1d3b-45ec-a7fd-1e212c891b99 which can be used as unique global reference for PowerMagic in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PowerRAT

Internal MISP references

UUID 970bdeaf-bc34-458a-ae67-8c3578e8663d which can be used as unique global reference for PowerRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PowGoop

DLL loader that decrypts and runs a PowerShell-based downloader.

Internal MISP references

UUID d8429f6d-dc4b-4aae-930d-234156dbf354 which can be used as unique global reference for PowGoop in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

POWRUNER

Internal MISP references

UUID 63f6df51-4de3-495a-864f-0a7e30c3b419 which can be used as unique global reference for POWRUNER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PresFox

The family adds a fake root certificate authority, sets a proxy.pac URL for local browsers and redirects infected users to fake banking applications (currently targeting Poland). Based on the information shared, it appears the PowerShell script is dropped by an exploit kit.

Internal MISP references

UUID c8c5ca3c-7cf0-453e-9fe9-d5637b1ab1f8 which can be used as unique global reference for PresFox in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

QUADAGENT

Internal MISP references

UUID e27bfd65-4a58-416a-b03a-1ab1703edb24 which can be used as unique global reference for QUADAGENT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RandomQuery (Powershell)

A set of PowerShell scripts, using services like Google Docs and Dropbox as C2.

Internal MISP references

UUID b0a67107-dff2-4fb9-a47e-10f83779bdbb which can be used as unique global reference for RandomQuery (Powershell) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RMOT

According to Trellix, this is a first-stage, PowerShell-based malware dropped via Excel/VBS. It is able to establish a foothold and exfiltrate data. Targets identified include hotels in Macao.

Internal MISP references

UUID 7e79444b-95d9-422d-92f0-aeb833a7cbcd which can be used as unique global reference for RMOT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RogueRobin

Internal MISP references

UUID 1e27a569-1899-4f6f-8c42-aa91bf0a539d which can be used as unique global reference for RogueRobin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Royal Ransom (Powershell)

Toolkit downloader used by the Royal Ransomware group, using GnuPG for decryption.

Internal MISP references

UUID 1c75ffff-59f9-4fdc-958d-51f822f76c35 which can be used as unique global reference for Royal Ransom (Powershell) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Schtasks

Internal MISP references

UUID 3c627182-e4ee-4db0-9263-9d657a5d7c98 which can be used as unique global reference for Schtasks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

skyrat

Internal MISP references

UUID 8e5d7d24-9cdd-4376-a6c7-967273dfeeab which can be used as unique global reference for skyrat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

sLoad

sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular sLoad.

Known Synonyms
Starslord

Internal MISP references

UUID e78c0259-9299-4e55-b934-17c6a3ac4bc2 which can be used as unique global reference for sLoad in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Snugy

Internal MISP references

UUID 773a6520-d164-4727-8351-c4201b04f10b which can be used as unique global reference for Snugy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

STEELHOOK

Internal MISP references

UUID f963e3df-13d1-4fd0-abdd-792c0d05e41c which can be used as unique global reference for STEELHOOK in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SUBTLE-PAWS

Internal MISP references

UUID 399258d3-6919-45f9-a557-10c3cbef9bd4 which can be used as unique global reference for SUBTLE-PAWS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Swrort Stager

Internal MISP references

UUID 3347a1bc-6b4d-459c-98a5-746bab12d011 which can be used as unique global reference for Swrort Stager in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Tater PrivEsc

Internal MISP references

UUID 808445e6-f51c-4b5d-a812-78102bf60d24 which can be used as unique global reference for Tater PrivEsc in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ThunderShell

Internal MISP references

UUID fd9904a6-6e06-4b50-8bfd-64ffb793d4a4 which can be used as unique global reference for ThunderShell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified PS 001

Recon and exfiltration script, dropped from a LNK file. Attributed to APT-C-12.

Internal MISP references

UUID 77231587-0dbe-4064-97b5-d7f4a2e3dc67 which can be used as unique global reference for Unidentified PS 001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified PS 002 (RAT)

A PowerShell-based RAT capable of pulling further payloads, delivered through Russia-themed phishing mails.

Internal MISP references

UUID 73578ff6-b218-4271-9bda-2a567ba3e259 which can be used as unique global reference for Unidentified PS 002 (RAT) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified PS 003 (RAT)

This malware is a RAT written in PowerShell. It has the following capabilities: downloading and uploading files, loading and executing a PowerShell script, and executing a specific command. It was observed by the Malwarebytes LABS Threat Intelligence Team in a newly discovered campaign that, according to Malwarebytes LABS, tries to lure German users with a promise of updates on the current threat situation in Ukraine.

Internal MISP references

UUID 709ba4ad-9ec5-4e0b-b642-96db3b7f6898 which can be used as unique global reference for Unidentified PS 003 (RAT) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified PS 004 (RAT)

Internal MISP references

UUID a8f69576-676f-4536-b301-246ddd87ceeb which can be used as unique global reference for Unidentified PS 004 (RAT) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ViperSoftX

Internal MISP references

UUID 15b551ea-b59a-40f9-a10f-6144415d2d5c which can be used as unique global reference for ViperSoftX in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WannaMine

Internal MISP references

UUID beb4f2b3-85d1-491d-8ae1-f7933f00f820 which can be used as unique global reference for WannaMine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WannaRen Downloader

Internal MISP references

UUID c9ef106e-def9-4229-8373-616a298ed645 which can be used as unique global reference for WannaRen Downloader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WMImplant

Internal MISP references

UUID d1150a1a-a2f4-4954-b22a-a85b7876408e which can be used as unique global reference for WMImplant in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AndroxGh0st

According to Lacework, this is an SMTP cracker primarily intended to scan for and parse Laravel application secrets from exposed .env files. Note: Laravel is an open source PHP framework, and the Laravel .env file is often targeted for its various configuration data, including AWS, SendGrid and Twilio credentials. AndroxGh0st has multiple features to enable SMTP abuse, including scanning, exploitation of exposed credentials and APIs, and even deployment of webshells. For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute force attacks. However, the brute force capability is likely a novelty and is a statistically unlikely attack vector.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AndroxGh0st.

Known Synonyms
Androx
AndroxGhost

Internal MISP references

UUID e8f24c9c-c03c-4740-a121-d73789931c8e which can be used as unique global reference for AndroxGh0st in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Archivist

Internal MISP references

UUID 2095a09c-3fdd-4164-b82e-2e9a41affd8e which can be used as unique global reference for Archivist in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Ares (Python)

Ares is a Python RAT.

Internal MISP references

UUID c4a578de-bebe-49bf-8af1-407857acca95 which can be used as unique global reference for Ares (Python) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BlankGrabber

Stealer written in Python 3, typically distributed as a PyInstaller bundle.

Internal MISP references

UUID c41d4749-b713-4f4c-b718-4076c0479ebc which can be used as unique global reference for BlankGrabber in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BrickerBot

Internal MISP references

UUID f0ff8751-c182-4e9c-a275-81bb03e0cdf5 which can be used as unique global reference for BrickerBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Creal Stealer

Stealer written in Python.

Internal MISP references

UUID 8a7becae-fc06-4ff1-b364-b26dd3d2edd9 which can be used as unique global reference for Creal Stealer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

DropboxC2C

Internal MISP references

UUID 53dd4a8b-374e-48b6-a7c8-58af0e31f435 which can be used as unique global reference for DropboxC2C in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Empyrean

Discord Stealer written in Python with Javascript-based inject files.

Internal MISP references

UUID b1aa0be3-b725-4135-b0b9-3a895d4ef047 which can be used as unique global reference for Empyrean in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Evil Ant

Ransomware written in Python.

Internal MISP references

UUID 24d570c6-3ed4-4346-a8b1-9fed2ed67a95 which can be used as unique global reference for Evil Ant in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Guard

According to Kaspersky Labs, Guard is a malware developed by the threat actor WildPressure. It is written in Python and packaged using PyInstaller, for both Windows and macOS. Its internals resemble parts of how win.milum operates.

Internal MISP references

UUID ac3382b3-3c18-4b16-8f1b-b371794916ac which can be used as unique global reference for Guard in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

InvisibleFerret

Internal MISP references

UUID 332478a1-146f-406e-9af0-b329e478efff which can be used as unique global reference for InvisibleFerret in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

KeyPlexer

Internal MISP references

UUID cadf8c9d-7bb0-40ad-8c8c-043b1d4b2e93 which can be used as unique global reference for KeyPlexer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

LaZagne

The author describes LaZagne as an open source project used to retrieve the many passwords stored on a local computer. It has been developed for the purpose of finding these passwords for the most commonly used software. It is written in Python and provided as compiled standalone binaries for Linux, Mac, and Windows.

Internal MISP references

UUID c752f295-7f08-4cb0-92d5-a0c562abd08c which can be used as unique global reference for LaZagne in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Lofy

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lofy.

Known Synonyms
LofyLife

Internal MISP references

UUID 10882613-ac61-42da-82c8-c0f4bb2673f8 which can be used as unique global reference for Lofy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Loki RAT

This RAT, written in Python, is an open-source fork of the Ares RAT. It integrates additional modules, such as recording, lockscreen, and locate options. It was used in a customized version by the El Machete APT in an ongoing campaign since 2020. The original code can be found at: https://github.com/TheGeekHT/Loki.Rat/

Internal MISP references

UUID 5e7bb9d4-6633-49f8-8770-9ac1163e6531 which can be used as unique global reference for Loki RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MASEPIE

Internal MISP references

UUID 9233f6e6-9dd7-4b30-adaa-5baf5359d22a which can be used as unique global reference for MASEPIE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

N3Cr0m0rPh

An IRC bot written in (obfuscated) Python code. Distributed in the FreakOut attack campaign, written by the author Freak/Fl0urite, with development potentially dating back as far as 2015.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular N3Cr0m0rPh.

Known Synonyms
FreakOut
Necro

Internal MISP references

UUID 2351539a-165a-4886-b5fe-f56fdf6b167a which can be used as unique global reference for N3Cr0m0rPh in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

NetWorm

Internal MISP references

UUID 6c6acd00-cdc2-460d-8edf-003b84875b5d which can be used as unique global reference for NetWorm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PIRAT

Internal MISP references

UUID bca94d33-e5a1-4bcc-981e-f35fd74a79d1 which can be used as unique global reference for PIRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Poet RAT

Cisco Talos has discovered a Python-based RAT they call Poet RAT. It is dropped from a Word document and delivered together with a Python interpreter and the required libraries. The name originates from references to Shakespeare. Exfiltration happens through FTP.

Internal MISP references

UUID b07819a9-a2f7-454d-a520-c6424cbf1ed4 which can be used as unique global reference for Poet RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

poweRAT

Internal MISP references

UUID b5cb3d2b-0205-4883-aaff-0d0b7a7f032d which can be used as unique global reference for poweRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

pupy (Python)

Internal MISP references

UUID afcc9bfc-1227-4bb0-a88a-5accdbfd58fa which can be used as unique global reference for pupy (Python) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PyAesLoader

Internal MISP references

UUID b9ba4f66-78dc-491f-8fd4-0143816ce80e which can be used as unique global reference for PyAesLoader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PyArk

Internal MISP references

UUID 01f15f4e-dd40-4246-9b99-c0d81306e37f which can be used as unique global reference for PyArk in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

pyback

Internal MISP references

UUID 6d96cd1e-98f4-4784-9982-397c5df19bd9 which can be used as unique global reference for pyback in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PY#RATION

According to Securonix, this malware exhibits remote access trojan (RAT) behavior, allowing control of and persistence on the affected host. As with other RATs, PY#RATION possesses a whole host of features and capabilities, including data exfiltration and keylogging. What makes this malware particularly unusual is its use of websockets for both command and control (C2) communication and exfiltration, as well as how it evades detection by antivirus and network security measures.

Internal MISP references

UUID 1dc471d3-6303-48a1-a17a-b4f29e5ba6a9 which can be used as unique global reference for PY#RATION in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

PyVil

PyVil RAT

Internal MISP references

UUID 2cf75f3c-116f-4faf-bd32-ba3a5e2327cf which can be used as unique global reference for PyVil in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

QUIETBOARD

Internal MISP references

UUID 6ebeed34-4a7d-44d8-ae44-83ae37cf5f2f which can be used as unique global reference for QUIETBOARD in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Responder

Responder is an LLMNR, NBT-NS and mDNS poisoner, with a built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Responder.

Known Synonyms
SpiderLabs Responder

Internal MISP references

UUID 3271b5ca-c044-4ab8-bbfc-0d6e1a6601fc which can be used as unique global reference for Responder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Saphyra

Internal MISP references

UUID 30a22cdb-9393-460b-86ae-08d97c626155 which can be used as unique global reference for Saphyra in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Serpent

According to Proofpoint, this is a backdoor written in Python, used in attacks against French entities in the construction, real estate, and government industries.

Internal MISP references

UUID 8052319b-f6da-4f53-a630-59245ff65eaf which can be used as unique global reference for Serpent in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

SpaceCow

Internal MISP references

UUID ff5c0845-6740-45d5-bd34-1cf69c635356 which can be used as unique global reference for SpaceCow in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

stealler

Internal MISP references

UUID 689247a2-4e75-4802-ab94-484fc3d6a18e which can be used as unique global reference for stealler in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Stitch

Internal MISP references

UUID 6239201b-a0bd-4f01-8bbe-79c6fc5fa861 which can be used as unique global reference for Stitch in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Stormous

Internal MISP references

UUID e2580f5e-417b-4f21-88ba-8d3e43514363 which can be used as unique global reference for Stormous in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

unidentified_002

Internal MISP references

UUID 7e5fe6ca-3323-409a-a5bb-d34f60197b99 which can be used as unique global reference for unidentified_002 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

unidentified_003

Internal MISP references

UUID 43282411-4999-4066-9b99-2e94a17acbd4 which can be used as unique global reference for unidentified_003 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

UPSTYLE

Internal MISP references

UUID 1824c463-77df-43af-a055-d94567918f6b which can be used as unique global reference for UPSTYLE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Venomous

Ransomware written in Python and delivered as a compiled executable created with PyInstaller.

Internal MISP references

UUID 0bd5aed2-9c74-41a5-9fcf-9379f2cb0e2c which can be used as unique global reference for Venomous in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Venus Stealer

Venus Stealer is a Python-based infostealer observed in early 2023.

Internal MISP references

UUID 20f72d3c-87b7-4349-ad1b-59d7909c1df4 which can be used as unique global reference for Venus Stealer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

VileRAT

Internal MISP references

UUID aba54ca9-ef0d-4061-93d1-65251e90afad which can be used as unique global reference for VileRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

W4SP Stealer

A basic info stealer with some capability to inject code into legitimate applications.

Internal MISP references

UUID c4d46e47-3af8-4117-84ad-1e5699956f2b which can be used as unique global reference for W4SP Stealer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WIREFIRE

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WIREFIRE.

Known Synonyms
GIFTEDVISITOR

Internal MISP references

UUID 54f3e853-5f0e-4940-9e27-79e6991886f9 which can be used as unique global reference for WIREFIRE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

KV

Internal MISP references

UUID 37784130-81fd-40d7-87d4-38e5085513bd which can be used as unique global reference for KV in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

xzbot

A backdoor introduced in versions 5.6.0 and 5.6.1 of the compression library/tool xz/liblzma, intended to enable access via (Open)SSH on affected servers.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular xzbot.

Known Synonyms
xzorcist

Internal MISP references

UUID 293b9d76-8e58-48bc-936b-e8dfb00f6f6c which can be used as unique global reference for xzbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

FlexiSpy (symbian)

Internal MISP references

UUID 9f85f4fc-1cce-4557-b3d8-b9ef522fafb2 which can be used as unique global reference for FlexiSpy (symbian) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

BASICSTAR

Internal MISP references

UUID ca86807d-5466-496a-b41f-4bde905f9064 which can be used as unique global reference for BASICSTAR in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

CageyChameleon

CageyChameleon is a VBS-based backdoor with the capability to enumerate the list of running processes and check for the presence of several antivirus products. CageyChameleon collects user and host information, current process information, etc. The collected information is sent back to the C2 server, and the malware continues to issue requests to perform subsequent operations.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CageyChameleon.

Known Synonyms
Cabbage RAT

Internal MISP references

UUID ea71b7c1-79eb-4e9c-a670-ea75d80132f4 which can be used as unique global reference for CageyChameleon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

forbiks

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular forbiks.

Known Synonyms
Forbix

Internal MISP references

UUID 2ad12163-3a8e-4ece-969e-ac616303ebe1 which can be used as unique global reference for forbiks in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GGLdr

Internal MISP references

UUID 8ca31b9b-6e78-4dcc-9d14-dfd97d44994e which can be used as unique global reference for GGLdr in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

GlowSpark

Internal MISP references

UUID ab6f8b6d-f0a0-4d2c-a81b-2dcb146914ea which can be used as unique global reference for GlowSpark in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Grinju Downloader

Internal MISP references

UUID f0a64323-62a6-4c5a-bb3d-44bd3b11507f which can be used as unique global reference for Grinju Downloader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HALFBAKED

The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information. HALFBAKED listens for the following commands from the C2 server:

info: Sends victim machine information (OS, processor, BIOS and running processes) using WMI queries
processList: Sends the list of running processes
screenshot: Takes a screenshot of the victim machine (using 58d2a83f777688.78384945.ps1)
runvbs: Executes a VB script
runexe: Executes an EXE file
runps1: Executes a PowerShell script
delete: Deletes the specified file
update: Updates the specified file

Internal MISP references

UUID 095c995c-c916-488e-944d-a3f4b9842926 which can be used as unique global reference for HALFBAKED in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

HOMESTEEL

Internal MISP references

UUID 9058df01-6f7c-447e-9a68-83a41ef2f15f which can be used as unique global reference for HOMESTEEL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Iloveyou

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Iloveyou.

Known Synonyms
Love Bug
LoveLetter

Internal MISP references

UUID bba3f3c9-f65f-45f1-a482-7209b9fa5adb which can be used as unique global reference for Iloveyou in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Janicab (VBScript)

Internal MISP references

UUID b3cb5859-2049-43d3-aed2-73db45ed0112 which can be used as unique global reference for Janicab (VBScript) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

lampion

The malware is delivered by emails containing links to ZIP files or ZIP attachments. The ZIP contains a VBScript that, when executed, downloads additional files from AWS S3, Google Drive or other cloud hosting services. The downloaded files are encrypted .exe and .dll files. The malware targets banking clients in Portugal.

Internal MISP references

UUID 97f89048-2a57-48d5-9272-0d1061a14eca which can be used as unique global reference for lampion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

LitterDrifter

Internal MISP references

UUID 31f64da5-e20b-4aa8-acf6-029bca10a7e6 which can be used as unique global reference for LitterDrifter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

lockscreen

Internal MISP references

UUID a583a2db-616e-48e5-b12b-088a378c2307 which can be used as unique global reference for lockscreen in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

MOUSEISLAND

MOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and delivered inside a password-protected ZIP attached to a phishing email. Based on FireEye intrusion data from responding to ICEDID-related incidents, the secondary payload delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an intermediary downloader to install ICEDID.

Internal MISP references

UUID e9afcd80-c1c6-4194-af32-133fe31e835f which can be used as unique global reference for MOUSEISLAND in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

NodeJS Ransomware

Downloads NodeJS when deployed.

Internal MISP references

UUID 93c87125-7150-4bc6-a0f9-b46ff8de1839 which can be used as unique global reference for NodeJS Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

RandomQuery (VBScript)

According to SentinelLabs, this is a VisualBasic-based malware that gathers system and file information and exfiltrates the data using InternetExplorer.Application or Microsoft.XMLHTTP objects.

Internal MISP references

UUID 76fd3fcb-151d-4880-b97e-ea890c337aad which can be used as unique global reference for RandomQuery (VBScript) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Starfighter (VBScript)

According to the author, this is a JavaScript-based Empire launcher that runs with its own embedded PowerShell host so as not to depend on local PowerShell availability.

Internal MISP references

UUID e24b852c-3ede-42ac-8d04-68ab96bf53a0 which can be used as unique global reference for Starfighter (VBScript) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

STARWHALE

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular STARWHALE.

Known Synonyms
Canopy
SloughRAT

Internal MISP references

UUID 27c70673-d40e-46a2-8f47-13cc5738ff36 which can be used as unique global reference for STARWHALE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified VBS 001

Internal MISP references

UUID ba354d45-bc41-40cd-93b2-26139db296bd which can be used as unique global reference for Unidentified VBS 001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified 002 (Operation Kremlin)

Unnamed malware. Delivered as a remote template that drops a VBS file, which uses LOLBINs to crawl the disk and exfiltrate data zipped up via WinRAR.

Internal MISP references

UUID d8e8d701-ebe4-44ab-8c5b-70a11246ddf1 which can be used as unique global reference for Unidentified 002 (Operation Kremlin) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified 003 (Gamaredon Downloader)

Internal MISP references

UUID d5955c4b-f507-4b3f-8d57-080849aba831 which can be used as unique global reference for Unidentified 003 (Gamaredon Downloader) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified VBS 004 (RAT)

Lab52 describes this as a light first-stage RAT used by MuddyWater, with samples observed between at least November 2020 and January 2022.

Internal MISP references

UUID 84c6b483-ba17-4a22-809d-dc37d9ce1822 which can be used as unique global reference for Unidentified VBS 004 (RAT) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified VBS 005 (Telegram Loader)

Internal MISP references

UUID 8eb8ebbc-c5b1-47d8-816a-4e21dee145c3 which can be used as unique global reference for Unidentified VBS 005 (Telegram Loader) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Unidentified VBS 006 (Telegram Loader)

Internal MISP references

UUID a6bd28db-c1a3-44b1-8bc3-7882e2896d67 which can be used as unique global reference for Unidentified VBS 006 (Telegram Loader) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

VBREVSHELL

According to Mandiant, VBREVSHELL is a VBA macro that spawns a reverse shell relying exclusively on Windows API calls.

Internal MISP references

UUID 991179a0-efd5-450a-a1ce-78d1109bb50b which can be used as unique global reference for VBREVSHELL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WasabiSeed

Internal MISP references

UUID 0c6568da-7017-4d9f-b077-0c486b3f9057 which can be used as unique global reference for WasabiSeed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

WhiteShadow

Internal MISP references

UUID dc857b7d-f228-4aa5-9e89-f7e17bb7ea8c which can be used as unique global reference for WhiteShadow in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

000Stealer

Internal MISP references

UUID 24e598cf-4c55-468a-ac1d-cc4f89104943 which can be used as unique global reference for 000Stealer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

0bj3ctivityStealer

Information stealer; based on its strings, it appears to target cryptocurrencies, instant messengers, and browser data.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 0bj3ctivityStealer.

Known Synonyms
PXRECVOWEIWOEI
Internal MISP references

UUID ac22ee6f-0d15-4edb-8ea5-1675df57597c which can be used as unique global reference for 0bj3ctivityStealer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

3CX Backdoor (Windows)

According to CrowdStrike, this backdoor was discovered being embedded in a legitimate, signed version of 3CXDesktopApp, and thus constitutes a supply chain attack.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 3CX Backdoor (Windows).

Known Synonyms
SUDDENICON
Internal MISP references

UUID b6a00e25-9d8d-4ebc-b9fc-7fd41797303b which can be used as unique global reference for 3CX Backdoor (Windows) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

404 Keylogger

Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 404 Keylogger.

Known Synonyms
404KeyLogger
Snake Keylogger
Internal MISP references

UUID 6b87fada-86b3-449d-826d-a89858121b68 which can be used as unique global reference for 404 Keylogger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

4h_rat

Internal MISP references

UUID 823f4eb9-ad37-4fab-8e69-3bdae47a0028 which can be used as unique global reference for 4h_rat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

5.t Downloader

Downloader used in a suspected APT attack against Vietnam.

Internal MISP references

UUID 685c9c30-aa9f-43ee-a262-43c17c350049 which can be used as unique global reference for 5.t Downloader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

7ev3n

The NJCCIC describes 7ev3n as a ransomware "that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disable various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n."

Internal MISP references

UUID ac2608e9-7851-409f-b842-e265b877a53c which can be used as unique global reference for 7ev3n in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

8Base

The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in the summer of 2023. The group utilizes encryption paired with "name-and-shame" techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high number of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. Samples of their ransomware show they are using customized Phobos with SmokeLoader.

Internal MISP references

UUID 7ee60640-29cd-4127-b805-1f2b753e9e15 which can be used as unique global reference for 8Base in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

8.t Dropper

8T_Dropper has been used by Chinese threat actor TA428 in order to install Cotx RAT onto victims' machines during Operation LagTime IT. According to Proofpoint, the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 8.t Dropper.

Known Synonyms
8t_dropper
RoyalRoad
Internal MISP references

UUID df755d5f-db11-417d-8fed-b7abdc826590 which can be used as unique global reference for 8.t Dropper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

9002 RAT

9002 RAT is a Remote Access Tool typically observed to be used by an APT to control a victim's machine. It has been spread via zero-day exploits (e.g. targeting Internet Explorer) as well as via email attachments. The infection chain starts by opening a .LNK (an OLE packager shell object) that executes a PowerShell command.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 9002 RAT.

Known Synonyms
HOMEUNIX
Hydraq
McRAT
Internal MISP references

UUID bab647d7-c9d6-4697-8fd2-1295c7429e1f which can be used as unique global reference for 9002 RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Abaddon

Uses Discord as C&C and has a ransomware feature.

Internal MISP references

UUID 97be2d1a-878d-46bd-8ee7-d8798ec61ef1 which can be used as unique global reference for Abaddon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AbaddonPOS

MajorGeeks describes this malware as trying to locate credit card data by reading the memory of all processes except itself by first blacklisting its own PID using the GetCurrentProcessId API. Once that data is discovered, it sends this data back to a command and control server using a custom binary protocol instead of HTTP.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AbaddonPOS.

Known Synonyms
PinkKite
TinyPOS
Internal MISP references

UUID a492a3e0-13cb-4b7d-93c1-027e7e69b44d which can be used as unique global reference for AbaddonPOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

abantes

Internal MISP references

UUID 27b54000-26b5-405f-9296-9fbc9217a8c9 which can be used as unique global reference for abantes in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Abbath Banker

Internal MISP references

UUID e46262cd-961f-4c7d-8976-0d35a066ab83 which can be used as unique global reference for Abbath Banker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ABCsync

Internal MISP references

UUID 1e6afd04-d7d1-43a0-9ca5-082d418bd397 which can be used as unique global reference for ABCsync in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AbSent Loader

Internal MISP references

UUID 532d67fc-0c93-4345-80c4-0c1657056d5e which can be used as unique global reference for AbSent Loader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ACBackdoor (Windows)

A Linux backdoor that was apparently ported to Windows. This entry represents the Windows version. It appears the Linux version was written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.

Internal MISP references

UUID 9aa1a516-bd88-4038-a37d-cf66c607e68c which can be used as unique global reference for ACBackdoor (Windows) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ACEHASH

ACEHASH is described by FireEye as a combined credential harvester that consists of two components, a loader and an encrypted/compressed payload. To execute, a password is necessary (e.g. 9839D7F1A0) and the individual modules are addressed with parameters (-m, -w, -h).

Internal MISP references

UUID 51f8c94a-572f-450b-a52f-d3da96302d6b which can be used as unique global reference for ACEHASH in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AcidBox

Unit42 found AcidBox in February 2019 and describes it as a malware family used by an unknown threat actor in 2017 against Russian entities, as stated by Dr.Web. It reused and improved an exploit for VirtualBox previously used by Turla. The malware itself is a modular toolkit, featuring both usermode and kernelmode components and anti-analysis techniques such as stack-based string obfuscation or dynamic XOR-encoded API usage.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AcidBox.

Known Synonyms
MagicScroll
Internal MISP references

UUID 4ccc1ec4-6008-4788-95d9-248749f5a7fe which can be used as unique global reference for AcidBox in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AcridRain

AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, and credit card data from multiple browsers. It can also dump Telegram and Steam sessions, steal FileZilla recent connections, and more.

Internal MISP references

UUID ffc368a5-2cd0-44ca-869b-223fdb462c41 which can be used as unique global reference for AcridRain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Acronym

Internal MISP references

UUID bee73d0f-8ff3-44ba-91dc-d883884c754e which can be used as unique global reference for Acronym in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ACR Stealer

First introduced in March 2024, ACR Stealer is an information stealer sold as a Malware-as-a-Service (MaaS) on Russian-speaking cybercrime forums by a threat actor named "SheldIO". Researchers posit that this malware is an evolved version of the GrMsk Stealer, which likely aligns with the private stealer that SheldIO has been selling since July 2023. The malware, written in C++, is compatible with Windows 7 through 10, and the seller manages all command and control (C2) infrastructure. ACR Stealer can harvest system information, stored credentials, web browser cookies, cryptocurrency wallets, and configuration files for various programs. Additionally, it employs the dead drop resolver (DDR) technique to obfuscate the actual C2 infrastructure.

Internal MISP references

UUID 9d80476e-7121-4eeb-a39f-689d8eb872ab which can be used as unique global reference for ACR Stealer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Action RAT

Internal MISP references

UUID 57df4c54-3fff-49dd-9657-19265a66f5de which can be used as unique global reference for Action RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Adamantium Thief

Internal MISP references

UUID 28e01527-dbb5-4331-b5bf-5658ebf58297 which can be used as unique global reference for Adamantium Thief in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AdamLocker

Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.

Internal MISP references

UUID 1ed36f9a-ae00-4d16-bbf7-e97217385fb1 which can be used as unique global reference for AdamLocker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Adhubllka

Ransomware distributed by TA547 in Australia.

Internal MISP references

UUID ebf31d45-922a-42ad-b326-8a72ba6dead7 which can be used as unique global reference for Adhubllka in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AdKoob

Internal MISP references

UUID ace3cb99-3523-44a1-92cc-9f002cf364bf which can be used as unique global reference for AdKoob in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AdvisorsBot

AdvisorsBot is a downloader named after early command and control domains that all contained the word "advisors". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.

Internal MISP references

UUID e3f49ec0-614e-4070-a620-5196d45df7b5 which can be used as unique global reference for AdvisorsBot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Adylkuzz

Internal MISP references

UUID 3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58 which can be used as unique global reference for Adylkuzz in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AESRT

Ransomware written using .NET.

Internal MISP references

UUID fb0eb7a8-ab32-4371-96b7-2d19f9064ac5 which can be used as unique global reference for AESRT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Afrodita

Internal MISP references

UUID 4c9f8ad2-ace4-42e5-ab70-efdfaad4d1bd which can be used as unique global reference for Afrodita in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AgendaCrypt

Ransomware written in Go.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AgendaCrypt.

Known Synonyms
Agenda
Qilin
Internal MISP references

UUID d430e861-07d3-442a-8444-0bf87e660c26 which can be used as unique global reference for AgendaCrypt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Agent.BTZ

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Agent.BTZ.

Known Synonyms
ComRAT
Minit
Sun rootkit
Internal MISP references

UUID d9cc15f7-0880-4ae4-8df4-87c58338d6b8 which can be used as unique global reference for Agent.BTZ in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Agent Racoon

Agent Racoon is a .NET-based backdoor malware that leverages DNS for covert C2 communication, employing randomized subdomains and Punycode encoding to evade detection. It features encrypted communication using a unique key per sample, supports remote command execution, and facilitates file transfers. Despite lacking an inherent persistence mechanism, it relies on external methods like scheduled tasks for execution. The malware, active since at least 2020, has targeted organizations in the U.S., Middle East, and Africa, including non-profits and government sectors. It disguises itself as legitimate binaries such as Google Update and MS OneDrive Updater, using obfuscation techniques like Base64 encoding and timestamp modifications to avoid detection.

Internal MISP references

UUID f3dde421-0f6b-4a2e-b591-64820169ef1a which can be used as unique global reference for Agent Racoon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Agent Tesla

A .NET-based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard, and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or to a Telegram channel.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Agent Tesla.

Known Synonyms
AgenTesla
AgentTesla
Negasteal
Internal MISP references

UUID b88e29cf-79d9-42bc-b369-0383b5e04380 which can be used as unique global reference for Agent Tesla in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AgfSpy

The agfSpy backdoor retrieves configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to dneSpy, except each backdoor uses a different C&C server and various formats in message exchanges.

Internal MISP references

UUID 405fe149-1454-4e8c-a4a3-d56e0c5f62d7 which can be used as unique global reference for AgfSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Ahtapot

Internal MISP references

UUID 549b23b1-6f53-494e-a302-1d00aa71043b which can be used as unique global reference for Ahtapot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Akira (Windows)

Internal MISP references

UUID 834635f7-fb0f-472c-913e-fb112ae29fdc which can be used as unique global reference for Akira (Windows) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Albaniiutas

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Albaniiutas.

Known Synonyms
BlueTraveller
Internal MISP references

UUID dff7e10c-41ca-481d-8003-73169803272d which can be used as unique global reference for Albaniiutas in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Aldibot

According to the Trend Micro Encyclopedia: ALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, the instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.

This malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.

This bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.

This malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.

This backdoor executes commands from a remote malicious user, effectively compromising the affected system.

Internal MISP references

UUID 43ec8adc-0658-4765-be20-f22679097fab which can be used as unique global reference for Aldibot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Alfonso Stealer

Internal MISP references

UUID a76874b3-12d0-4dec-9813-01819e6b6d49 which can be used as unique global reference for Alfonso Stealer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Project Alice

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Project Alice.

Known Synonyms
AliceATM
PrAlice
Internal MISP references

UUID 41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca which can be used as unique global reference for Project Alice in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Alina POS

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Alina POS.

Known Synonyms
alina_eagle
alina_spark
katrina
Internal MISP references

UUID 27d90cd6-095a-4c28-a6f2-d1b47eae4f70 which can be used as unique global reference for Alina POS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AllaKore

AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. It implements the RFB protocol which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control.

Internal MISP references

UUID fb1c6035-42ee-403c-a2ae-a53f7ab2de00 which can be used as unique global reference for AllaKore in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Allaple

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Allaple.

Known Synonyms
Starman
Internal MISP references

UUID 6aabb492-e282-40fb-a840-fe4e643ec094 which can be used as unique global reference for Allaple in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AllcomeClipper

Allcome is classified as a clipper malware. Clippers are threats designed to access information saved in the clipboard (the temporary buffer space where copied data is stored) and substitute it with other data. This attack mainly targets users who are active in the cryptocurrency sector.

Internal MISP references

UUID 43ca1245-a5e0-4b44-9892-cf317170c7b8 which can be used as unique global reference for AllcomeClipper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Almanahe

Internal MISP references

UUID 352f79b1-6862-4164-afa3-a1d787c40ec1 which can be used as unique global reference for Almanahe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Alma Communicator

Internal MISP references

UUID a0881a0c-e677-495b-b475-290af09bb716 which can be used as unique global reference for Alma Communicator in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AlmaLocker

Internal MISP references

UUID b5138914-6c2b-4c8e-b182-d94973fe5a6b which can be used as unique global reference for AlmaLocker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AlmondRAT

AlmondRAT is a .NET Remote Access Trojan deployed by the Bitter APT group. It is capable of collecting system information, modifying and exfiltrating data and allows for remote command execution.

Internal MISP references

UUID c5fa22fd-5869-4a4d-b5fc-c3be18255d2e which can be used as unique global reference for AlmondRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ALPC Local PrivEsc

Internal MISP references

UUID 86517f1a-6e67-47ba-95dd-84b3125ad983 which can be used as unique global reference for ALPC Local PrivEsc in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Alphabet Ransomware

The Alphabet ransomware is a new screenlocker that is currently being developed by a criminal developer. As the malware is not ready, it does not affect any user files.

The virus includes a screenlocking function which locks the user’s screen and prohibits any interaction with the computer.

Internal MISP references

UUID 5060756f-8385-465d-a7dd-7bf09a54da92 which can be used as unique global reference for Alphabet Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AlphaLocker

AlphaLocker is a new form of ransomware that is built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.

AlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware's author is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines and evade detection.

AlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user's computer and saving the private key on the server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, then encrypts this key with the public RSA key and sends it to the C&C server.

To decrypt their files, users have to obtain the private RSA key, which can decrypt the AES keys protecting the encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.

Internal MISP references

UUID c1b9e8c5-9283-4dbe-af10-45956a446fb7 which can be used as unique global reference for AlphaLocker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AlphaNC

Internal MISP references

UUID 6e94186c-987e-43da-be2d-9b44f254c8b9 which can be used as unique global reference for AlphaNC in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AlphaSeed

Internal MISP references

UUID 966c5a6d-16b8-43b1-acbd-163e904d4a03 which can be used as unique global reference for AlphaSeed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Alreay

Alreay is a remote access trojan that uses HTTP(S) or TCP for communication with its C&C server.

It uses either RC4 or DES for encryption of its configuration, which is stored in the registry.

It sends detailed information about the victim's environment, like computer name, Windows version, system locale, and network configuration.

It supports almost 25 commands that include operations on the victim's filesystem, basic process management, file exfiltration, command line execution, and process injection of an executable downloaded from the attacker's C&C server. As in many RATs from the Lazarus arsenal, the commands are indexed by 32-bit integers, starting with values like 0x21A8B293, 0x23FAE29C or 0x91B93485.

It comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked code from open-source libraries like Mbed TLS or zLib (version 1.0.1).

Alreay RAT was observed in 2016-2017, running on networks of banks operating SWIFT Alliance software.

Internal MISP references

UUID d258de39-e351-47e3-b619-731c87f13d9c which can be used as unique global reference for Alreay in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Alureon

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Alureon.

Known Synonyms
Olmarik
Pihar
TDL
TDSS
wowlik
Internal MISP references

UUID ad4e6779-59a6-4ad6-98de-6bd871ddb271 which can be used as unique global reference for Alureon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Amadey

Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.

Internal MISP references

UUID 77f2c81f-be07-475a-8d77-f59b4847f696 which can be used as unique global reference for Amadey in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AMTsol

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AMTsol.

Known Synonyms
Adupihan
Internal MISP references

UUID ce25929c-0358-477c-a85e-f0bdfcc99a54 which can be used as unique global reference for AMTsol in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Anatova Ransomware

Anatova is a ransomware family with the goal of ciphering all the files that it can and then requesting payment from the victim. It will also check if network shares are connected and will encrypt the files on these shares too. The code is also prepared to support modular extensions.

Internal MISP references

UUID 2a28ad28-8ba5-4b8b-9652-bc0cdd37b2c4 which can be used as unique global reference for Anatova Ransomware in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Anchor

Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018, it is not delivered to every victim but only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in early TrickBot, multiple experts believe it could be attributed to the same authors.

Internal MISP references

UUID c38308a1-c89d-4835-b057-744f66ff7ddc which can be used as unique global reference for Anchor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AnchorMail

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AnchorMail.

Known Synonyms
ANCHOR.MAIL
Delegatz
Internal MISP references

UUID 7792096a-7623-43a1-9a67-28dce0e4b39e which can be used as unique global reference for AnchorMail in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AnchorMTea

Recon/loader malware attributed to Lazarus, disguised as a Notepad++ shell extension.

Internal MISP references

UUID 565de3f5-7eb7-43ca-a9d9-b588dfd6a50a which can be used as unique global reference for AnchorMTea in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Andardoor

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Andardoor.

Known Synonyms
ROCKHATCH
Internal MISP references

UUID 59a2437b-ae63-466a-9172-60d6610c3e19 which can be used as unique global reference for Andardoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Andromeda

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Andromeda.

Known Synonyms
B106-Gamarue
B67-SS-Gamarue
Gamarue
b66
Internal MISP references

UUID 07f46d21-a5d4-4359-8873-18e30950df1a which can be used as unique global reference for Andromeda in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AndroMut

According to Proofpoint, AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The "Andro" part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1], and "Mut" is based on a mutex that the analyzed sample creates: "mutshellmy777".

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AndroMut.

Known Synonyms
Gelup
Internal MISP references

UUID 85673cd4-fb05-4f6d-94ec-71290ae2e422 which can be used as unique global reference for AndroMut in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Anel

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anel.

Known Synonyms
UPPERCUT
lena
Internal MISP references

UUID a180afcc-d42d-4600-b70f-af27aaf851b7 which can be used as unique global reference for Anel in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AnteFrigus

Ransomware that demands payment in Bitcoin.

Internal MISP references

UUID 04788457-5b72-4a66-8f2c-73497919ece2 which can be used as unique global reference for AnteFrigus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Antilam

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Antilam.

Known Synonyms
Latinus
Internal MISP references

UUID 02be7f3a-f3bf-447b-b8b4-c78432b82694 which can be used as unique global reference for Antilam in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Anubis (Windows)

According to Microsoft Security Intelligence, Anubis is an information stealer sold on underground forums since June 2020. The name overlaps with the Android banking malware but is unrelated. It contains code forked from Loki PWS.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anubis (Windows).

Known Synonyms
Anubis Stealer
Internal MISP references

UUID b19c9f63-a18d-47bb-a9fe-1f9cea21bac0 which can be used as unique global reference for Anubis (Windows) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Anubis Loader

A loader written in Go, tracked since at least October 2021 by ZeroFox. Originally named Kraken and rebranded to Anubis in February 2022.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anubis Loader.

Known Synonyms
Kraken
Pepega
Internal MISP references

UUID e65ca164-f448-4f8e-a672-3ff7ec37e191 which can be used as unique global reference for Anubis Loader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

APERETIF

Internal MISP references

UUID 573eb306-f6c7-4ba9-91a9-881473d335b8 which can be used as unique global reference for APERETIF in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Apocalipto

Internal MISP references

UUID d3e16d46-e436-4757-b962-6fd393056415 which can be used as unique global reference for Apocalipto in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Apocalypse

Internal MISP references

UUID e87d9df4-b464-4458-ae1f-31cea40d5f96 which can be used as unique global reference for Apocalypse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Apollo

This is an implant usable with the Mythic C2 framework. Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps training offerings.

Internal MISP references

UUID f995662c-27ad-440b-97ce-f1ecd2b59221 which can be used as unique global reference for Apollo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Apostle

Malware used by the suspected Iranian threat actor Agrius, turned from a wiper into ransomware.

Internal MISP references

UUID cb2d3a6f-8ff5-4b08-af95-7377cfe3f7c3 which can be used as unique global reference for Apostle in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AppleJeus (Windows)

Internal MISP references

UUID 2b655949-8a17-46e5-9522-519c6d77c45f which can be used as unique global reference for AppleJeus (Windows) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Appleseed

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Appleseed.

Known Synonyms
JamBog
Internal MISP references

UUID c7f8e3b8-328d-43c3-9235-9a2f704389b4 which can be used as unique global reference for Appleseed in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

ArdaMax

According to F-Secure, Ardamax is a commercial keylogger program that can be installed onto the system from the product's website. When run, the program can capture a range of user activities, such as keystrokes typed, instant messenger chat logs, web browser activity and even screenshots of the active desktop.

This program can be configured to a complete stealth mode, with password protection, to avoid user detection.

The information gathered is stored in an encrypted log file, which is only viewable using the built-in Log Viewer. The log file can be sent to an external party through e-mail, via a local area network (LAN) or by upload to an FTP server (in either HTML or encrypted format).

Internal MISP references

UUID 4f5c2f8b-06ef-4fb3-b03c-afdcafa88de5 which can be used as unique global reference for ArdaMax in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Arefty

Internal MISP references

UUID bf135b0a-3120-42c4-ba58-c80f9ef689bf which can be used as unique global reference for Arefty in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

Ares (Windows)

A banking trojan, derived from the source code of win.kronos. In August 2022 it started to incorporate DGA code from win.qakbot.

Internal MISP references

UUID a711ad02-0120-41a1-8c03-8a857a7dc297 which can be used as unique global reference for Ares (Windows) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
type []

AresLoader

AresLoader is a new malware "downloader" that has been advertised on some Russian-language Dark Web forums ("RAMP" and "XSS") by a threat actor called "DarkBLUP". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors. This is because a similar project, dubbed "Project Ares", was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer "CerberSec".

The loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:

  1. Written in C/C++
  2. Supports 64-bit payloads
  3. Makes it look like malware spawned by another process
  4. Prevents non-Microsoft signed binaries from being injected into malware
  5. Hides suspicious imported Windows APIs
  6. Leverages anti-analysis techniques to avoid reverse engineering

Furthermore, it was observed that SystemBC, Amadey, and several Raccoon Stealers were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.

Internal MISP references

UUID 1bd6c2ab-341e-43e1-90ca-2e7509828268 which can be used as unique global reference for AresLoader in MISP communities and other software using the MISP galaxy

External references