The file below contains Yara rules for all malware listed in the malware table. Note: some malware might not have Yara rules created for it yet. Sourced from Malpedia.
From 2023-11-22 through 2024-01-10
Malware | Description |
---|---|
Agent Tesla —> Last Updated: 2024-01-10 —> alt_names: AgenTesla, AgentTesla, Negasteal —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host’s clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
AsyncRAT —> Last Updated: 2024-01-10 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. |
Babuk —> Last Updated: 2024-01-10 —> alt_names: Babyk, Vasa Locker —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk | Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys. |
Cobalt Strike —> Last Updated: 2024-01-10 —> alt_names: Agentemis, BEACON, CobaltStrike, cobeacon —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike | Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable. |
DarkGate —> Last Updated: 2024-01-10 —> alt_names: Meh, MehCrypter —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate | First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023. |
Emotet —> Last Updated: 2024-01-10 —> alt_names: Geodo, Heodo —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet | While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time. Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021. |
Lumma Stealer —> Last Updated: 2024-01-10 —> alt_names: LummaC2 Stealer —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma | Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor “Shamel”, who goes by the alias “Lumma”. Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim’s machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent “TeslaBrowser/5.5”. The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. |
Nanocore RAT —> Last Updated: 2024-01-10 —> alt_names: Nancrat, NanoCore —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore | Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It has been used for a while by numerous criminal actors as well as by nation state threat actors. |
OriginLogger —> Last Updated: 2024-01-10 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.originlogger | There is no description at this point. |
Pikabot —> Last Updated: 2024-01-10 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot | Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options. |
PlugX —> Last Updated: 2024-01-10 —> alt_names: Destroy RAT, Kaba, Korplug, Sogu, TIGERPLUG, RedDelta —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx | RSA describes PlugX as a RAT (Remote Access Trojan) malware family that has been around since 2008 and is used as a backdoor to control the victim’s machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system. Notable features of this malware family are the ability to execute commands on the affected machine to: retrieve machine information; capture the screen; send keyboard and mouse events; keylogging; reboot the system; manage processes (create, kill and enumerate); manage services (create, start, stop, etc.); and manage Windows registry entries, open a shell, etc. The malware also logs its events in a text log file. |
QakBot —> Last Updated: 2024-01-10 —> alt_names: Oakboat, Pinkslipbot, Qbot, Quakbot —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot | QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download. |
ShadowPad —> Last Updated: 2024-01-10 —> alt_names: POISONPLUG.SHADOW, XShellGhost —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad | There is no description at this point. |
Akira —> Last Updated: 2024-01-09 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.akira | There is no description at this point. |
MuddyC2Go —> Last Updated: 2024-01-09 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.muddyc2go | There is no description at this point. There is no Yara-Signature yet. |
phemedrone_stealer —> Last Updated: 2024-01-09 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.phemedrone_stealer | There is no description at this point. There is no Yara-Signature yet. |
PhonyC2 —> Last Updated: 2024-01-09 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/ps1.phonyc2 | There is no description at this point. There is no Yara-Signature yet. |
Quasar RAT —> Last Updated: 2024-01-09 —> alt_names: CinaRAT, QuasarRAT, Yggdrasil —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat | Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult. |
RedLine Stealer —> Last Updated: 2024-01-09 —> alt_names: RECORDSTEALER —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer | RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. There is no Yara-Signature yet. |
Ryuk —> Last Updated: 2024-01-09 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk | Ryuk is a ransomware which encrypts its victim’s files and asks for a ransom via bitcoin to release the original files. It has been observed being used to attack companies or professional environments. Cybersecurity experts figured out that Ryuk and Hermes ransomware share pieces of code. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors. |
404 Keylogger —> Last Updated: 2024-01-08 —> alt_names: 404KeyLogger, Snake Keylogger —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. There is no Yara-Signature yet. |
IcedID —> Last Updated: 2024-01-08 —> alt_names: BokBot, IceID —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid | According to Proofpoint, IcedID (aka BokBot) is a malware originally classified as a banking malware and was first observed in 2017. It also acts as a loader for other malware, including ransomware. The well-known IcedID version consists of an initial loader which contacts a Loader C2 server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot. IcedID is developed and operated by the actor named LUNAR SPIDER. As previously published, historically there has been just one version of IcedID that has remained constant since 2017. * In November 2022, Proofpoint researchers observed the first new variant of IcedID Proofpoint dubbed ‘IcedID Lite’ distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break. * The IcedID Lite Loader observed in November 2022 contains a static URL to download a ‘Bot Pack’ file with a static name (botpack.dat) which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud. * Starting in February 2023, Proofpoint observed the new Forked variant of IcedID. This variant was distributed by TA581 and one unattributed threat activity cluster which acted as initial access facilitators. The campaigns used a variety of email attachments such as Microsoft OneNote attachments and somewhat rare to see .URL attachments, which led to the Forked variant of IcedID. |
INC —> Last Updated: 2024-01-08 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.inc | There is no description at this point. There is no Yara-Signature yet. |
RansomEXX —> Last Updated: 2024-01-08 —> alt_names: Defray777 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx | According to SentinelOne, RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this malware family, and they are known for their limited and exclusive targeting. There is no Yara-Signature yet. |
RansomExx2 —> Last Updated: 2024-01-08 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx2 | According to IBM Security X-Force, this is a new but functionally very similar version of RansomExx, fully rewritten in Rust and internally referred to as RansomExx2. There is no Yara-Signature yet. |
Roaming Mantis —> Last Updated: 2024-01-08 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis | There is no description at this point. There is no Yara-Signature yet. |
SnappyTCP —> Last Updated: 2024-01-08 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.snappy_tcp | According to PwC, SnappyTCP is a simple reverse shell for Linux/Unix systems, with variants for plaintext and TLS communication. SeaTurtle has used SnappyTCP at least between 2021 and 2023. There is no Yara-Signature yet. |
Unidentified 111 (IcedID Loader) —> Last Updated: 2024-01-08 —> alt_names: BLACKWIDOW, Latrodectus, Lotus —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111 | First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim’s machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware. |
Bandook —> Last Updated: 2024-01-05 —> alt_names: Bandok —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook | Bandook malware is a remote access trojan (RAT) first seen in 2007 and has been active for several years. Written in both Delphi and C++, it was first seen as a commercial RAT developed by a Lebanese creator named PrinceAli. Over the years, several variants of Bandook were leaked online, and the malware became available for public download. |
DanaBot —> Last Updated: 2024-01-05 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot | Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. |
HijackLoader —> Last Updated: 2024-01-05 —> alt_names: GHOSTPULSE, IDAT Loader, SHADOWLADDER —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader | According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven’s Gate. It has been observed to store its malicious payload in the IDAT chunk of PNG file format. There is no Yara-Signature yet. |
Royal Ransom —> Last Updated: 2024-01-05 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom | Ransomware |
SysJoker —> Last Updated: 2024-01-05 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker | Sysjoker is a backdoor malware that was first discovered in December 2021 by Intezer. It is sophisticated and written from scratch in C++. Sysjoker is a cross-platform malware that has Linux, Windows, and macOS variants. Possible attack vectors for Sysjoker are email attachments, malicious advertisements, and trojanized software. |
Remcos —> Last Updated: 2024-01-04 —> alt_names: RemcosRAT, Remvio, Socmer —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. |
csharp-streamer RAT —> Last Updated: 2024-01-03 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.csharpstreamer | There is no description at this point. There is no Yara-Signature yet. |
DUCKTAIL —> Last Updated: 2024-01-03 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail | According to Tony Lambert, this is a malware written in .NET. It was observed to be delivered using the .NET Single File deployment feature. |
MetaStealer —> Last Updated: 2024-01-03 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer | On March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META – a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements. |
Nova Stealer —> Last Updated: 2024-01-03 —> alt_names: Malicord —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nova | Nova Stealer is a new information stealer that is offered as Malware-as-a-Service by a new actor called “Sordeal”. Its capabilities include password stealing, browser injections, crypto wallet stealing, discord injections, and screen recordings. Parts of its source code have been made available on GitHub, with certain “Premium” features missing. There is no Yara-Signature yet. |
PureLogs Stealer —> Last Updated: 2024-01-03 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.purelogs | There is no description at this point. There is no Yara-Signature yet. |
WhiteSnake Stealer —> Last Updated: 2024-01-03 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.whitesnake | There is no description at this point. There is no Yara-Signature yet. |
AlphaSeed —> Last Updated: 2024-01-02 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.alphaseed | There is no description at this point. There is no Yara-Signature yet. |
Appleseed —> Last Updated: 2024-01-02 —> alt_names: JamBog —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed | There is no description at this point. |
Konni —> Last Updated: 2024-01-02 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.konni | Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North-Korean cyber espionage group active since 2012. The group's primary victims are South-Korean political organizations, as well as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. |
MASEPIE —> Last Updated: 2024-01-02 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/py.masepie | There is no description at this point. There is no Yara-Signature yet. |
Serpent Stealer —> Last Updated: 2024-01-02 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.serpent | There is no description at this point. There is no Yara-Signature yet. |
TriangleDB —> Last Updated: 2024-01-02 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/ios.triangledb | There is no description at this point. There is no Yara-Signature yet. |
Chameleon —> Last Updated: 2023-12-28 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/apk.chameleon | The malware Chameleon is an Android trojan that pretends to be legitimate entities to steal data from users in Australia and Poland. It exploits the Accessibility Service to monitor and modify the device screen. There is no Yara-Signature yet. |
FiveHands —> Last Updated: 2023-12-28 —> alt_names: Thieflock —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.fivehands | There is no description at this point. There is no Yara-Signature yet. |
MimiKatz —> Last Updated: 2023-12-28 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz | Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them. |
SombRAT —> Last Updated: 2023-12-28 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sombrat | There is no description at this point. |
Vidar —> Last Updated: 2023-12-28 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. |
8Base —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.8base | The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in Summer of 2023. The group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. Samples of their ransomware show they are using customized Phobos with SmokeLoader. |
Ares —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/py.ares | Ares is a Python RAT. There is no Yara-Signature yet. |
BATLOADER —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.bat_loader | According to PCrisk, BATLOADER is part of the infection chain where it is used to perform the initial compromise. This malware is used to execute payloads like Ursnif. Our team has discovered BATLOADER after executing installers for legitimate software (such as Zoom, TeamViewer, Visual Studio) bundled with this malware. We have found those installers on compromised websites. There is no Yara-Signature yet. |
BlackCat —> Last Updated: 2023-12-27 —> alt_names: ALPHV, Noberus —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat | ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021. ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network. |
BlackLotus —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.blacklotus | There is no description at this point. |
Carbanak —> Last Updated: 2023-12-27 —> alt_names: Anunak, Sekur RAT —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak | MyCERT states that Carbanak is a remote backdoor designed for espionage, data exfiltration, and remote control. The attacker deploys the malware via spear phishing email to lure the user to open and run the malicious attachment that will infect the machine. The main objective of this campaign is primarily to remotely control the infected machine and gain control of the internal destinations of money processing services such as Automated Teller Machines (ATM) and financial accounts. The malware capabilities are the following: |
CLOUDBURST —> Last Updated: 2023-12-27 —> alt_names: NickelLoader —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst | CLOUDBURST aka NickelLoader is an HTTP(S) downloader. It recognizes a set of four basic commands, all five letters long, like abcde, avdrq, gabnc and dcrqv (alternatively: eknag, eacec, hjmwk, wohnp). The most important functionality is to load a received buffer, either as a DLL via the MemoryModule implementation, or as a shellcode. It uses AES for encryption and decryption of network traffic. It usually sends the following information back to its C&C server: computer name, product name and the list of running processes. Typically, it uses two hardcoded parameter names for its initial HTTP POST requests: gametype and type (alternatively: type and code). The CLOUDBURST payload is disguised as mscoree.dll and is side-loaded via a legitimate Windows binary PresentationHost.exe with the argument -embeddingObject. It comes either as a trojanized plugin project for Notepad++ (usually FingerText by erinata), or as a standalone DLL loaded by a dropper, which is a trojanized plugin project as well (usually NppyPlugin by Jari Pennanen). The CLOUDBURST malware was used in Operation DreamJob attacks against an aerospace company and a network running Microsoft Intune software in Q2-Q3 2022. |
Conti —> Last Updated: 2023-12-27 —> alt_names: Conti Locker —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.conti | Ransomware. There is no Yara-Signature yet. |
CryptoClippy —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoclippy | There is no description at this point. There is no Yara-Signature yet. |
DoppelDridex —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex | DoppelDridex is a fork of Indrik Spider’s Dridex malware. DoppelDridex has been run as a parallel operation to Dridex with a different malware versioning system, different RSA key, and with different infrastructure. |
DoppelPaymer —> Last Updated: 2023-12-27 —> alt_names: Pay OR Grief —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer | Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to restore original files. It is recognizable by its trademark file extension added to encrypted files: .doppeled. It also creates a note file named: “.how2decrypt.txt”. |
Dridex —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex | OxCERT blog describes Dridex as “an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.” According to MalwareBytes, “Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.” IBM X-Force discovered “a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the ‘atom tables’ that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.” |
ERMAC —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/apk.ermac | According to Intel471, ERMAC, an Android banking trojan, enables bad actors to determine when certain apps are launched and then overwrites the screen display to steal the user’s credentials. There is no Yara-Signature yet. |
FriedEx —> Last Updated: 2023-12-27 —> alt_names: BitPaymer, DoppelPaymer, IEncrypt —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex | There is no description at this point. |
Gwisin —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.gwisin | There is no description at this point. There is no Yara-Signature yet. |
HelloKitty —> Last Updated: 2023-12-27 —> alt_names: KittyCrypt —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty | Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions. |
Hive —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.hive | Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by Ransomware-as-a-service providers, to enable novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe. In 2022 there was a switch from GoLang to Rust. |
Hook —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/apk.hook | According to ThreatFabric, this is a malware family based on apk.ermac. The name Hook is the self-advertised name used by its vendor DukeEugene. It provides WebSocket communication and has RAT capabilities. There is no Yara-Signature yet. |
LazarDoor —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lazardoor | There is no description at this point. |
LockBit —> Last Updated: 2023-12-27 —> alt_names: ABCD Ransomware —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit | There is no description at this point. |
Monti —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.monti | A ransomware, derived from the leaked Conti source code. There is no Yara-Signature yet. |
Paradise —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.paradise | Ransomware. There is no Yara-Signature yet. |
Phobos —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos | MalwareBytes states that Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn’t surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost efficient dissemination vector for threat groups. |
RagnarLocker —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker | There is no description at this point. |
RustBucket —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/osx.rustbucket | There is no description at this point. There is no Yara-Signature yet. |
SmokeLoader —> Last Updated: 2023-12-27 —> alt_names: Dofoil, Sharik, Smoke, Smoke Loader —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
Stealc —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth’s statement, stealc is a non-resident stealer with flexible data collection settings and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and Desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. |
SystemBC —> Last Updated: 2023-12-27 —> alt_names: Coroxy, DroxiDat —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc | SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC. SystemBC has been observed occasionally, but more pronounced since June 2019. The first samples go back to October 2018. |
Trigona —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.trigona | According to PCrisk, Trigona is ransomware that encrypts files and appends the “._locked” extension to filenames. Also, it drops the “how_to_decrypt.hta” file that opens a ransom note. An example of how Trigona renames files: it renames “1.jpg” to “1.jpg._locked”, “2.png” to “2.png._locked”, and so forth. It embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files. There is no Yara-Signature yet. |
Unidentified 112 (Rust-based Stealer) —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_112 | A Rust-based stealer, observed by Seqrite, along with TTPs overlapping with Pakistan-linked APT groups. There is no Yara-Signature yet. |
wAgentTea —> Last Updated: 2023-12-27 —> alt_names: wAgent —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.wagenttea | wAgentTea is an HTTP(S) downloader. It was deployed mostly against South Korean targets like a pharmaceutical company (Q4 2020) or semiconductor industry (Q2 2023). In several cases, the initial access was obtained via exploitation of South Korean software like Initech’s INISAFE CrossWeb EX or Dream Security’s MagicLine4NX. It uses AES-128 for encryption and decryption of its network traffic, and for decryption of its binary configuration. There is a hard-coded list of parameter names used in its HTTP POST request: identy;tname;blogdata;content;thesis;method;bbs;level;maincode;tab;idx;tb;isbn;entry;doc;category;articles;portal. It contains a specific RTTI symbol “.?AVCHttp_socket@@”. There is no Yara-Signature yet. |
WinDealer —> Last Updated: 2023-12-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.windealer | Information stealer used by threat actor LuoYu. |
3CX Backdoor —> Last Updated: 2023-12-19 —> alt_names: SUDDENICON —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor | According to CrowdStrike, this backdoor was discovered being embedded in a legitimate, signed version of 3CXDesktopApp, and thus constitutes a supply chain attack. |
BianLian —> Last Updated: 2023-12-19 —> alt_names: Hydra —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian | There is no description at this point. There is no Yara-Signature yet. |
BLINDINGCAN —> Last Updated: 2023-12-19 —> alt_names: AIRDRY, ZetaNile —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan | BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S). It uses a (custom) RC4 or AES for encryption and decryption of its configuration and network traffic. It sends information about the victim’s environment, like computer name, IP, Windows product name and processor name. It supports around 30 commands that include operations on the victim’s filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers’ C&C. The commands are indexed by 16-bit integers, starting with the index 0x2009 and going incrementally up to 0x2057, with some indices being skipped. It uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc. It contains specific RTTI symbols like “.?AVCHTTP_Protocol@@”, “.?AVCFileRW@@” or “.?AVCSinSocket@@”. BLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns happening in 2020-2022. |
DRATzarus —> Last Updated: 2023-12-19 —> alt_names: ThreatNeedle —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus | There is no description at this point. |
ForestTiger —> Last Updated: 2023-12-19 —> alt_names: ScoringMathTea —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.forest_tiger | There is no description at this point. |
ImprudentCook —> Last Updated: 2023-12-19 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.imprudentcook | ImprudentCook is an HTTP(S) downloader. It was delivered in the Operation DreamJob type of activity targeting aerospace and defense companies in South Africa (in Q2 2022) and in Central Europe (in H1 2023), and against an unknown sector in South Korea back in Q2 2021. It uses the AES cipher implemented through Windows Cryptographic Providers for decryption of its binary configuration, and also for encryption and decryption of the client-server communication. It’s hidden in an ADS stream (:dat or :zone) of its dropper, together with its configuration (:rsrc) and an AES-128 CBC key with an initialization vector for its decryption (:kgb or :data). It contains two characteristic arrays of strings that represent cookie names for web services, including Bing, Daum and GitHub: 1. iKc;__uid;OAX;DMP_UID;PCID;_gid;_gat;csrftoken;NID;1P_JAR;JSESSIONID;WLS;SNID;__utma;BID;SRCHD;GsCK_AC;spintop;eader;XSRF-TOKEN;_gat_gtag_UA;webid_enabled;EDGE_V;dtck_channel;dtmulti;UUID;XUID;ZIA;IUID;SSID;_gh_sess;_octo 2. channel;post_titles;xfw_exp;wiht_clkey;SGPCOUPLE;NRTK;fbp;uaid;SRCHUSR;GUC;HPVN;dtck_blog;dtck_media;MUIDB;SRCHHPGUSR;SiteMain It contains a string, “5.40” or “5.60”, looking like version information. |
LambLoad —> Last Updated: 2023-12-19 —> alt_names: OfficeCertTea —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lambload | According to Microsoft, this is a downloader used in a supply chain attack involving a malicious variant of an application developed by CyberLink. It is centered around a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. |
LightlessCan —> Last Updated: 2023-12-19 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lightlesscan | LightlessCan is a complex HTTP(S) RAT that is a successor of the Lazarus RAT named BlindingCan. In Q2 2022 and Q1 2023, it was deployed in targeted attacks against an aerospace company in Spain and a technology company in India. Besides the support for commands already present in BlindingCan, its most significant update is mimicked functionality of many native Windows commands: • ipconfig • net • netsh advfirewall firewall • netstat • reg • sc • ping (for both IPv4 and IPv6 protocols) • wmic process call create • nslookup • schtasks • systeminfo • arp. These native commands are often abused by the attackers after they have gotten a foothold in the target’s system. LightlessCan is able to execute them discreetly within the RAT itself, rather than having them executed visibly in the system console. This provides stealthiness, both in evading real-time monitoring solutions like EDRs and postmortem digital forensic tools. LightlessCan uses RC6 for decryption of its configuration, and also for encryption and decryption of network traffic. |
miniBlindingCan —> Last Updated: 2023-12-19 —> alt_names: AIRDRY.V2, EventHorizon —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.miniblindingcan | miniBlindingCan is an HTTP(S) orchestrator. It is a variant of the BlindingCan RAT, having the same command parsing logic, but supporting only a small subset of the commands available previously. The main operations are the update of the malware configuration, and the download and execution of additional payloads from the attackers’ C&C. The miniBlindingCan malware was used in Operation DreamJob attacks against aerospace and media companies in Q2-Q3 2022. |
POOLRAT —> Last Updated: 2023-12-19 —> alt_names: SIMPLESEA —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/osx.poolrat | There is no description at this point. There is no Yara-Signature yet. |
PostNapTea —> Last Updated: 2023-12-19 —> alt_names: SIGNBT —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.postnaptea | PostNapTea aka SIGNBT is an HTTP(S) RAT that is written as a complex object-oriented project. In 2022-2023, it was deployed against targets like a newspaper organization, an agriculture-related entity or a software vendor. The initial access was usually achieved by exploiting vulnerabilities in widely-used software in South Korea. It collects various information about the victim’s computer, such as computer name, product name, OS details, system uptime, CPU information, system locale, time zone, network status, and malware configuration. PostNapTea uses AES for encryption and decryption of network traffic. There is a constant prefix SIGNBT occurring in its HTTP POST requests. The prefix is concatenated with 2 characters that identify the communication stage: • LG: logging into the C&C server • KE: acknowledging the successful login to the C&C • FI: sending the status of a failed operation • SR: sending the status of a successful operation • GC: getting the next command. There are five classes that represent command groups: • CCButton: for file manipulation and screen capturing • CCBitmap: for network commands, implementing functionality of Windows commands often abused by attackers, like sc, reg, arp, net, ver, wmic, ping, whoami, netstat, tracert, lookup, ipconfig, systeminfo, and netsh advfirewall • CCComboBox: for file system management • CCList: for process management • CCBrush: for control of the malware itself. It stores its configuration in JSON format. It resolves the Windows APIs it requires during runtime, via the Fowler–Noll–Vo (FNV) hash function. Its internal name in the version-information resource is usually ppcsnap.dll or pconsnap.dll, which loosely inspired its code name. |
Rhadamanthys —> Last Updated: 2023-12-19 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys | According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine. There is no Yara-Signature yet. |
S.O.V.A. —> Last Updated: 2023-12-19 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/apk.sova | There is no description at this point. There is no Yara-Signature yet. |
SimpleTea —> Last Updated: 2023-12-19 —> alt_names: SimplexTea —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.simpletea | SimpleTea for Linux is an HTTP(S) RAT. It was discovered in Q1 2023 as an instance of the Lazarus group’s Operation DreamJob campaign for Linux. It was a payload downloaded in an execution chain which started with an HSBC-themed job offer lure. It shared the same C&C server as payloads from the 3CX incident around the same time. It’s an object-oriented project, which does not run on Linux distributions without a graphical user interface, and decrypts its configuration from /home/%user%/.config/apdl.cf using 0x7E as the XOR key. It uses AES-GCM for encryption and decryption of its network traffic. It supports basic commands that include operations on the victim’s filesystem, manipulation of its configuration, file exfiltration (via ZIP archives), and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 16-bit integers, starting with the value 0x27C3. SimpleTea for Linux seems like an updated version of BadCall for Linux, rewritten from C to C++, as there are similarities in class names and function names between the two. There is no Yara-Signature yet. |
SimpleTea —> Last Updated: 2023-12-19 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/osx.simpletea | SimpleTea is a RAT for macOS that is based on the same object-oriented project as SimpleTea for Linux (SimplexTea). It also shares similarities with POOLRAT (also known as SIMPLESEA), like the supported commands or a single-byte XOR encryption of its configuration. However, the indices of commands are different. SimpleTea for macOS was uploaded to VirusTotal from Hong Kong and China in September 2023. There is no Yara-Signature yet. |
SnatchCrypto —> Last Updated: 2023-12-19 —> alt_names: BackbitingTea —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.snatchcrypto | Malware observed in the SnatchCrypto campaign, attributed by Kaspersky Labs to BlueNoroff with high confidence. |
WebbyTea —> Last Updated: 2023-12-19 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.webbytea | WebbyTea is an HTTP(S) downloader that uses AES for C&C traffic encryption. It sends detailed information about the victim’s environment, like proxy settings, system installation date, Windows product name and version, manufacturer, product name, system boot time, time zone, computer name, user name, current time and a list of currently running processes. Data sent to the C&C server consists of the prefix “ci”, a 16-character-long hexadecimal string representing the victim ID and encrypted data about the victim’s system. After the payload is acquired from the server and successfully injected into a newly created explorer.exe process, the malware responds back with the same victim ID having the prefix changed to “cs”. The internal DLL name of the native WebbyTea is usually pe64.dll or webT64.dll (from which its name is derived). The usual payload associated with WebbyTea is SnatchCrypto. |
WinInetLoader —> Last Updated: 2023-12-19 —> alt_names: LIDSHOT —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.wininetloader | There is no description at this point. |
WyrmSpy —> Last Updated: 2023-12-19 —> alt_names: AndroidControl —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/apk.wyrmspy | There is no description at this point. There is no Yara-Signature yet. |
Amadey —> Last Updated: 2023-12-15 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey | Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called “tasks”) for all or specifically targeted computers compromised by the malware. |
Atharvan —> Last Updated: 2023-12-15 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.atharvan | There is no description at this point. |
BottomLoader —> Last Updated: 2023-12-15 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.bottomloader | There is no description at this point. There is no Yara-Signature yet. |
DLRAT —> Last Updated: 2023-12-15 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dlrat | There is no description at this point. There is no Yara-Signature yet. |
HazyLoad —> Last Updated: 2023-12-15 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.hazy_load | There is no description at this point. |
Lilith —> Last Updated: 2023-12-15 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith | There is no description at this point. |
Meduza Stealer —> Last Updated: 2023-12-15 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.meduza | There is no description at this point. |
NineRAT —> Last Updated: 2023-12-15 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ninerat | There is no description at this point. There is no Yara-Signature yet. |
Raccoon —> Last Updated: 2023-12-15 —> alt_names: Mohazo, RaccoonStealer, Racealer, Racoon —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon | Raccoon Stealer is a malware reportedly sold for $75 a week or $200 a month. It gathers personal information including passwords, browser cookies and autofill data, as well as cryptowallet details. Additionally, Raccoon Stealer records system information such as IP addresses and geo-location data. |
RecordBreaker —> Last Updated: 2023-12-15 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker | This malware is a successor to Raccoon Stealer (also referred to as Raccoon Stealer 2.0), which is however a full rewrite in C/C++. |
Rhysida —> Last Updated: 2023-12-15 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.rhysida | There is no description at this point. There is no Yara-Signature yet. |
Rhysida —> Last Updated: 2023-12-15 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhysida | There is no description at this point. |
Unidentified 100 (APT-Q-12) —> Last Updated: 2023-12-15 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_100 | There is no description at this point. |
BADCALL —> Last Updated: 2023-12-14 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.badcall | BADCALL is a Trojan malware variant used by the Lazarus Group. There is no Yara-Signature yet. |
BADCALL —> Last Updated: 2023-12-14 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall | There is no description at this point. |
GootLoader —> Last Updated: 2023-12-14 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/js.gootloader | According to PCrisk, they discovered GootLoader malware while examining legitimate but compromised websites (mainly websites managed using WordPress). It was found that GootLoader is used to infect computers with additional malware. Cybercriminals using GootLoader seek to trick users into unknowingly downloading and executing the malware by disguising it as a document or other file. There is no Yara-Signature yet. |
GraphDrop —> Last Updated: 2023-12-14 —> alt_names: GraphicalProton, SPICYBEAT —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdrop | PANW Unit 42 describes this malware as capable of uploading and downloading files as well as loading additional shellcode payloads into selected target processes. It uses the Microsoft Graph API and Dropbox API as a C&C channel. |
IconicStealer —> Last Updated: 2023-12-14 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer | Follow-up payload in the 3CX supply chain incident, which according to Volexity is an infostealer collecting information about the system and browser using an embedded copy of the SQLite3 library. |
KV —> Last Updated: 2023-12-14 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/sh.kv | There is no description at this point. There is no Yara-Signature yet. |
FAKEUPDATES —> Last Updated: 2023-12-13 —> alt_names: FakeUpdate, SocGholish —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates | FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT. FAKEUPDATES has been heavily used by UNC1543, a financially motivated group. There is no Yara-Signature yet. |
DICELOADER —> Last Updated: 2023-12-12 —> alt_names: Lizar —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.diceloader | A RAT written in .NET, used by FIN7 since 2021. In some instances dropped by ps1.powertrash. |
Headlace —> Last Updated: 2023-12-12 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.headlace | There is no description at this point. There is no Yara-Signature yet. |
KEYPLUG —> Last Updated: 2023-12-12 —> alt_names: ELFSHELF —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.keyplug | There is no description at this point. There is no Yara-Signature yet. |
Krasue RAT —> Last Updated: 2023-12-12 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.krasue_rat | There is no description at this point. There is no Yara-Signature yet. |
LuaDream —> Last Updated: 2023-12-12 —> alt_names: DreamLand —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.luadream | There is no description at this point. There is no Yara-Signature yet. |
P2Pinfect —> Last Updated: 2023-12-12 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.p2pinfect | P2Pinfect is a fast-growing multi-platform botnet, the purpose of which is still unknown. Written in Rust, it is compatible with Windows and Linux, including a MIPS variant for Linux-based routers and IoT devices. It is capable of brute forcing SSH logins and exploiting Redis servers in order to propagate itself both to random IPs on the internet and to hosts it can find references to in files present on the infected system. |
POWERTRASH —> Last Updated: 2023-12-12 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powertrash | This PowerShell-written malware is an in-memory dropper used by FIN7 to execute the included/embedded payload. According to Mandiant’s blog article: “POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub.” There is no Yara-Signature yet. |
STONEBOAT —> Last Updated: 2023-12-12 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stoneboat | According to Mandiant, STONEBOAT is an installer for DICELOADER. It is written in .NET and drops its payload in-memory. There is no Yara-Signature yet. |
Vetta Loader —> Last Updated: 2023-12-12 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vetta_loader | Vetta Loader is a persistent loader spreading via infected USB drives. It downloads other components leveraging legitimate hosting services. https://yoroi.company/wp-content/uploads/2023/12/202311-Vetta-Loader_Def-min.pdf There is no Yara-Signature yet. |
CageyChameleon —> Last Updated: 2023-12-11 —> alt_names: Cabbage RAT —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.cageychameleon | CageyChameleon is a VBS-based backdoor which has the capability to enumerate the list of running processes and check for the presence of several antivirus products. CageyChameleon collects user host information, current process information, etc. The collected information is sent back to the C2 server, and the backdoor continues to initiate requests to perform subsequent operations. There is no Yara-Signature yet. |
CloudEyE —> Last Updated: 2023-12-11 —> alt_names: GuLoader, vbdropper —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed. |
Gameover P2P —> Last Updated: 2023-12-11 —> alt_names: GOZ, Mapp, ZeuS P2P —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p | Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers. Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers. |
GoTitan —> Last Updated: 2023-12-11 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.gotitan | GoTitan is a DDoS bot under development, which support ten different methods of launching distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT. GoTitan is a DDoS bot under development, which support ten different methods of launching distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT. There is no Yara-Signature yet. |
miniTypeFrame —> Last Updated: 2023-12-11 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.minitypeframe | miniTYPEFRAME is a variant of TYPEFRAME, a RAT for Windows.Its functionality is reduced to serve mostly as a proxy module. Its commands are indexed by 16-bit integers, usually in the range 0x8027–0x8044. miniTYPEFRAME is a variant of TYPEFRAME, a RAT for Windows. Its functionality is reduced to serve mostly as a proxy module. Its commands are indexed by 16-bit integers, usually in the range 0x8027–0x8044. There is no Yara-Signature yet. |
Murofet —> Last Updated: 2023-12-11 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet | There is no description at this point. |
OriginBot —> Last Updated: 2023-12-11 —> alt_names: OriginBotnet, OriginLoader —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.originbot | OriginBot is a modular information stealer which can also download and execute other malicious payloads. There is no Yara-Signature yet. |
PureCrypter —> Last Updated: 2023-12-11 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter | According to Zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products. PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google’s Protocol Buffer message format. There is no Yara-Signature yet. |
Racket Downloader —> Last Updated: 2023-12-11 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.racket | Racket Downloader is an HTTP(S) downloader. It uses a custom substitution cipher for decryption of its character strings, and RC5 with a 256-bit key for encryption and decryption of network traffic. It sends an HTTP POST request containing a particular value that inspired its name, like “?product_field=racket” or “prd_fld=racket”. Racket Downloader was deployed against South Korean targets running the Initech INISAFE CrossWeb EX software in Q2 2021 and Q1 2022. |
RustBucket —> Last Updated: 2023-12-11 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rustbucket | There is no description at this point. There is no Yara-Signature yet. |
TYPEFRAME —> Last Updated: 2023-12-11 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.typeframe | TYPEFRAME is a RAT. It supports ~25 commands that include operations on the victim’s filesystem, manipulation of its configuration, modification of the system’s firewall, the download and execution of additional tools from the attacker’s C&C and uninstallation via a self-delete batch. The commands are indexed by 16-bit integers, starting with the value 0x8000. The RAT uses RC4 for decryption of its binary configuration. It has a statically linked OpenSSL 0.9.8k library used for SSL communication. There is no Yara-Signature yet. |
Qilin —> Last Updated: 2023-12-05 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.qilin | There is no description at this point. There is no Yara-Signature yet. |
X-Files Stealer —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xfilesstealer | There is no description at this point. |
Ave Maria —> Last Updated: 2023-12-04 —> alt_names: AVE_MARIA, AveMariaRAT, Warzone RAT, WarzoneRAT, avemaria —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria | Information stealer which uses AutoIT for wrapping. |
Bankshot —> Last Updated: 2023-12-04 —> alt_names: COPPERHEDGE, FoggyBrass —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot | There is no description at this point. |
Behinder —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/php.behinder | A webshell for multiple web languages (asp/aspx, jsp/jspx, php), openly distributed through GitHub. There is no Yara-Signature yet. |
BlackCat —> Last Updated: 2023-12-04 —> alt_names: ALPHV, Noberus —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat | ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMware ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021. ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network. |
BlueSky —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.bluesky | Ransomware. There is no Yara-Signature yet. |
Chrysaor —> Last Updated: 2023-12-04 —> alt_names: Pegasus, JigglyPuff —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor | |
CommonMagic —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.common_magic | There is no description at this point. |
DeimosC2 —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.deimos_c2 | Trend Micro describes DeimosC2 as an open-source C&C framework that was released in June 2020. It is a fully-functional framework that allows for multiple attackers to access, create payloads for, and interact with victim computers. As a post-exploitation C&C framework, DeimosC2 will generate the payloads that need to be manually executed on computer servers that have been compromised through other means such as social engineering, exploitation, or brute-force attacks. Once it is deployed, the threat actors will gain the same access to the systems as the user account that the payload was executed as, either as an administrator or a regular user. Note that DeimosC2 does not perform active or privilege escalation of any kind. |
Godzilla Webshell —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/jsp.godzilla_webshell | There is no description at this point. |
GoldMax —> Last Updated: 2023-12-04 —> alt_names: SUNSHUTTLE —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax | GoldMax is a command and control backdoor written in Golang and used by the NOBELIUM threat actor group. It uses several different techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running. There is no Yara-Signature yet. |
HemiGate —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.hemigate | There is no description at this point. There is no Yara-Signature yet. |
Kazuar —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar | There is no description at this point. |
LIONTAIL —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.liontail | There is no description at this point. There is no Yara-Signature yet. |
LitterDrifter —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.litterdrifter | There is no description at this point. There is no Yara-Signature yet. |
Loda —> Last Updated: 2023-12-04 —> alt_names: LodaRAT, Nymeria —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.loda | Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented. There is no Yara-Signature yet. |
NAPLISTENER —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.naplistener | There is no description at this point. |
NjRAT —> Last Updated: 2023-12-04 —> alt_names: Bladabindi, Lime-Worm —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat | RedPacket Security describes NJRat as “a remote access trojan (RAT) has capabilities to log keystrokes, access the victim’s camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim’s desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.” It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored. |
PoshC2 —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2 | PoshC2 is a proxy-aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out of the box, PoshC2 comes with PowerShell/C# and Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX. There is no Yara-Signature yet. |
PowerMagic —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/ps1.power_magic | There is no description at this point. There is no Yara-Signature yet. |
QUIETCANARY —> Last Updated: 2023-12-04 —> alt_names: Kapushka, Tunnus —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quietcanary | There is no description at this point. There is no Yara-Signature yet. |
SiestaGraph —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.siesta_graph | There is no description at this point. There is no Yara-Signature yet. |
StrifeWater RAT —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.strifewater_rat | There is no description at this point. |
tomiris —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tomiris | There is no description at this point. There is no Yara-Signature yet. |
TrickBot —> Last Updated: 2023-12-04 —> alt_names: Trickster, TheTrick, TrickLoader —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot | A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication. Timeline: Q4 2016 – Detected in wild; Oct 2016 – 1st Report; 2017 – Trickbot primarily uses Necurs as vehicle for installs; Jan 2018 – Use XMRIG (Monero) miner; Feb 2018 – Theft Bitcoin; Mar 2018 – Unfinished ransomware module; Q3/4 2018 – Trickbot starts being spread through Emotet. Infection Vector: 1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot; 2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot; 3. Phish > Attached MS Office > Macro enabled > Trickbot installed. |
Tunna —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/asp.tunna | WebShell. There is no Yara-Signature yet. |
Unidentified JS 006 (Winter Wyvern) —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_006 | A script able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests. There is no Yara-Signature yet. |
VBREVSHELL —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.vbrevshell | According to Mandiant, VBREVSHELL is a VBA macro that spawns a reverse shell relying exclusively on Windows API calls. There is no Yara-Signature yet. |
WellMess —> Last Updated: 2023-12-04 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess | WellMess is a Remote Access Trojan written in GoLang and .NET. It has hard-coded User-Agents. Attackers deploy WellMess using separate tools which also allow lateral movement, for example “gost”. Command and Control traffic is handled via HTTP using the Set-Cookie field and message body. |
AppleJeus —> Last Updated: 2023-11-30 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus | According to PcRisk, AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro. |
AppleJeus —> Last Updated: 2023-11-30 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus | There is no description at this point. |
RisePro —> Last Updated: 2023-11-30 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro | RisePro is a stealer that is spread through downloaders like win.privateloader. Once executed on a system, the malware can steal credit card information, passwords, and personal data. |
Serpent —> Last Updated: 2023-11-30 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/py.serpent | According to Proofpoint, this is a backdoor written in Python, used in attacks against French entities in the construction, real estate, and government industries. There is no Yara-Signature yet. |
GSpy —> Last Updated: 2023-11-28 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gspy | A malware family with a DGA. |
Tiger RAT —> Last Updated: 2023-11-28 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat | This is the third-stage backdoor mentioned in the Kaspersky blog “Andariel evolves to target South Korea with ransomware”. The third-stage payload was created via the second-stage payload, is interactively executed in the operation and exists in both x64 and x86 versions. Most samples use Internet Explorer or Google Chrome icons and corresponding file names to disguise themselves as legitimate internet browsers. The malware decrypts the embedded payload at runtime. It uses an embedded 16-byte XOR key to decrypt the base64-encoded payload. The decrypted payload is another portable executable file that runs in memory. Before decrypting it with the hardcoded XOR key, the backdoor also checks for a sandbox environment. The backdoor has some code overlap with a known malware family, PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA. |
8.t Dropper —> Last Updated: 2023-11-27 —> alt_names: 8t_dropper, RoyalRoad —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper | 8T_Dropper has been used by Chinese threat actor TA428 in order to install Cotx RAT onto victims’ machines during Operation LagTime IT. According to Proofpoint, the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798. |
BianLian —> Last Updated: 2023-11-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.bianlian | BianLian is a GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. The threat actors also use the double extortion method by stealing an affected organization’s files and leaking them online if the ransom is not paid on time. BianLian gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion. The BianLian ransomware uses goroutines and encrypts files in chunks to quickly hijack an infected system. The ransomware adds its own extension to each encrypted file. There is no Yara-Signature yet. |
FudModule —> Last Updated: 2023-11-27 —> alt_names: LIGHTSHOW —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule | FudModule is a user-mode DLL that gains the ability to read and write arbitrary kernel memory via the BYOVD technique. Its main goal is to turn off Windows system monitoring features, which is done by modifying kernel variables and removing kernel callbacks. Its actions may very likely affect various types of security products, e.g. EDRs, firewalls, antimalware and even digital forensics tools. |
Gozi —> Last Updated: 2023-11-27 —> alt_names: CRM, Gozi CRM, Papras, Snifula, Ursnif —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi | Lineage: 2000 – Ursnif aka Snifula; 2006 – Gozi v1.0, Gozi CRM, CRM, Papras; 2010 – Gozi v2.0, Gozi ISFB, ISFB, Pandemyia (*); -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest. In 2006, Gozi v1.0 (‘Gozi CRM’ aka ‘CRM’) aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and is often classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka ‘Gozi ISFB’ aka ‘ISFB’ aka Pandemyia). This version came with a webinject module. |
HTTP(S) uploader —> Last Updated: 2023-11-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsuploader | The HTTP(S) uploader is a Lazarus tool responsible for data exfiltration, using the HTTP or HTTPS protocols. It accepts up to 10 command line parameters: a 29-byte decryption key, a C&C for data exfiltration, the name of a local RAR split volume, the name of the multivolume archive on the server side, the size of a RAR split (max 200,000 kB), the starting index of a split, the ending index of a split, and the switch -p with a proxy IP address and port. |
LPEClient —> Last Updated: 2023-11-27 —> alt_names: LPEClientTea —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lpeclient | LPEClient is an HTTP(S) downloader that expects two command line parameters: an encrypted string containing two URLs (a primary and a secondary C&C server), and the path on the victim’s file system to store the downloaded payload. It sends detailed information about the victim’s environment, like computer name, type and number of processors, computer manufacturer, product name, major and minor Windows versions, architecture, memory information, installed security software and the version of the ntoskrnl.exe from its version-information resource. LPEClient uses specific 32-bit values to represent its execution state (0x59863F09 when connecting via the WinHTTP interface, 0xA9348B57 via WinINet), or the nature of HTTP requests to the C&C servers (0xF07D6B34 when sending system information, 0xEF8C0D51 when requesting a DLL payload, 0xCB790A25 when reporting the successful loading of the DLL, 0xD7B20A96 when reporting the state of the DLL execution). As the final step, the malware looks for the export CloseEnv and executes it. |
MACAMAX —> Last Updated: 2023-11-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.macamax | There is no description at this point. There is no Yara-Signature yet. |
MysterySnail —> Last Updated: 2023-11-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mystery_snail | There is no description at this point. There is no Yara-Signature yet. |
NedDnLoader —> Last Updated: 2023-11-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader | NedDnLoader is an HTTP(S) downloader that uses AES for C&C traffic encryption. It sends detailed information about the victim’s environment, like computer name, user name, type and free disk space of all drives, and a list of currently running processes. It uses three typical parameter names for HTTP POST requests: ned, gl, hl. The usual payload downloaded with NedDnLoader is Torisma. The internal DLL name of NedDnLoader is usually Dn.dll, Dn64.dll or DnDll.dll. It is deployed either as a standalone payload or within a trojanized MFC application project. It contains specific RTTI symbols like “.?AVCWininet_Protocol@@” or “.?AVCMFC_DLLApp@@”. |
ParaSiteSnatcher —> Last Updated: 2023-11-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/js.parasitesnatcher | There is no description at this point. There is no Yara-Signature yet. |
PrivateLoader —> Last Updated: 2023-11-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader | According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server. |
TOUCHMOVE —> Last Updated: 2023-11-27 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.touchmove | There is no description at this point. |
Volgmer —> Last Updated: 2023-11-27 —> alt_names: FALLCHILL, Manuscrypt —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer | There is no description at this point. |
WikiLoader —> Last Updated: 2023-11-27 —> alt_names: WailingCrab —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.wikiloader | There is no description at this point. There is no Yara-Signature yet. |
BeaverTail —> Last Updated: 2023-11-23 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail | There is no description at this point. There is no Yara-Signature yet. |
Choziosi —> Last Updated: 2023-11-23 —> alt_names: ChromeLoader, Chropex —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/osx.choziosi | A loader delivering malicious Chrome and Safari extensions. There is no Yara-Signature yet. |
Choziosi —> Last Updated: 2023-11-23 —> alt_names: ChromeLoader —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.choziosi | Choziosi is a browser hijacker for Chrome. It was first seen in January 2022. It commonly infects users via pirated media downloads like games, software, wallpapers or movies. The initial infectors are available for several platforms such as Mac and Windows. Its main component is the Chrome browser extension written in JavaScript with the purpose of serving advertisements and hijacking search requests to Google, Yahoo and Bing. There is no Yara-Signature yet. |
InvisibleFerret —> Last Updated: 2023-11-23 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/py.invisibleferret | There is no description at this point. There is no Yara-Signature yet. |
Action RAT —> Last Updated: 2023-11-22 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.action_rat | There is no description at this point. |
AllaKore —> Last Updated: 2023-11-22 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore | AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. It implements the RFB protocol, which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control. There is no Yara-Signature yet. |
Chaos —> Last Updated: 2023-11-22 —> alt_names: FakeRyuk, RyukJoke, Yashma —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos | In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a “Ryuk .Net Ransomware Builder” even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration. |
Chinotto —> Last Updated: 2023-11-22 —> Family Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto | There is no description at this point. |