Malware


    ARS

    References:
  • RAT Gone Rogue: Meet ARS VBS Loader - 2018-04-16 - Flashpoint - Paul Burbage - Mike Mimoso ARS
  • ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545) - 2018-10-05 - Blueliv - Blueliv Labs team - Jose Miguel Esparza ARS OnlinerBot

    ASN1

    AZORult

    References:
  • New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign - 2018-07-30 - Proofpoint - Proofpoint Staff AZORult

    AdvisorsBot

    References:
  • New modular downloaders fingerprint systems - Part 2: AdvisorsBot - 2018-08-23 - Proofpoint - Proofpoint Staff AdvisorsBot PoshAdvisor Marap TA555

    Alina

    AndroMut

    - Gelup

    References:
  • TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States - 2019-07-02 - Proofpoint - Matthew Mesa - Dennis Schwarz - Proofpoint Staff AndroMut FlawedAmmyy TA505

    AtolSpammer

    References:
  • Loader / Spammer spread in France for a few weeks now! Domains related (recommended to block) are here https://pastebin.com/fuAK9BHC - 2019-06-04 - Twitter - Hash Miser AtolSpammer TinyNuke

    BackSwap

    References:
  • BackSwap malware finds innovative ways to empty bank accounts - 2018-05-25 - Eset - Michal Poslušný BackSwap
  • Backswap malware analysis - 2018-06-19 - CertPL - Hubert Barc BackSwap
  • The Evolution of BackSwap - 2018-11-30 - Checkpoint - Itay Cohen BackSwap

    Bateleur

    BitPaymer

    - FriedEx

    References:
  • Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware - 2018-11-14 - CrowdStrike - Sergei Frankoff - Bex Hartley INDRIK SPIDER BitPaymer Dridex
  • Head Fake: Tackling Disruptive Ransomware Attacks - 2019-10-01 - FireEye - Bryce Abdo - Brandan Schondorfer - Kareem Hamdan - Kimberly Goody - Noah Klapprodt - Matt Bromiley BitPaymer SocGholish Dridex Chthonic AZORult

    Bolek

    - KBOT

    References:
  • Newest addition to a happy family: KBOT - 2016-05-17 - CertPL - Maciej Kotowicz Bolek

    BrushaLoader

    References:
  • Combing Through Brushaloader Amid Massive Detection Uptick - 2019-02-20 - Talos - Nick Biasini - Edmund Brumaghin - Matthew Molyett BrushaLoader Danabot
  • BrushaLoader still sweeping up victims one year later - 2019-07-22 - Proofpoint - Kafeine - Proofpoint Staff BrushaLoader Danabot Gootkit TA544

    Buhtrap

    - Ratopak

    References:
  • Operation Buhtrap, the trap for Russian accountants - 2015-04-09 - Eset - Jean-Ian Boutin Buhtrap CVE-2012-0158

    Buran

    - Ghost

    Cerber

    References:
  • Cerber ransomware: new, but mature - 2016-03-11 - Malwarebytes - hasherezade Cerber

    Chthonic

    - Andromedins - AndroKINS

    References:
  • Chthonic: a new modification of ZeuS - 2014-12-18 - Securelist - Yury Namestnikov - Vladimir Kuskov - Oleg Kupreev Chthonic

    Clop

    References:
  • Clop Ransomware - 2019-09-01 - McAfee - Alexandre Mundo - Marc Rivero Lopez Clop
  • PDF: ASEC REPORT vol.96 Q3 2019 - 2019-10-11 - Ahnlab - ASEC Researchers Clop SDBbot FlawedAmmyy TA505

    CryptXXX

    References:
  • CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler - 2016-04-18 - Proofpoint - Kafeine CryptXXX Angler Dridex

    Danabot

    References:
  • DanaBot - A new banking Trojan surfaces Down Under - 2018-05-31 - Proofpoint - Proofpoint Staff Danabot TA547 CryptXXX
  • DanaBot control panel revealed - 2019-03-13 - Proofpoint - Dennis Schwarz - Proofpoint Staff Danabot
  • DanaBot Demands a Ransom Payment - 2019-06-20 - Checkpoint - Yaroslav Harakhavik - Aliaksandr Chailytko Danabot NonRansomware

    DoppelPaymer

    References:
  • BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0 - 2019-07-12 - CrowdStrike - Brett Stone-Gross - Sergei Frankoff - Bex Hartley DoppelPaymer BitPaymer Dridex INDRIK SPIDER

    Dridex

    References:
  • Talking to Dridex (part 0) – inside the dropper - 2015-11-10 - CertPL - Maciej Kotowicz Dridex
  • Dridex: A History of Evolution - 2017-05-25 - Securelist - Nikita Slepogin Dridex Shifu

    Emotet

    - Heodo

    References:
  • Emutet - 2019-10-21 - d00rt - d00rt Emotet Trickbot

    FlawedAmmyy

    References:
  • Leaked Ammyy Admin Source Code Turned into Malware - 2018-03-07 - Proofpoint - Proofpoint Staff FlawedAmmyy TA505 Quant
  • An in-depth malware analysis of QuantLoader - 2018-03-28 - Malwarebytes - Vishal Thakur Quant TA505 FlawedAmmyy

    FlawedGrace

    References:
  • ServHelper and FlawedGrace - New malware introduced by TA505 - 2019-01-09 - Proofpoint - Dennis Schwarz - Proofpoint Staff ServHelper FlawedGrace TA505

    Fleercivet

    References:
  • EITest Nabbing Chrome Users with a “Chrome Font” Social Engineering Scheme - 2017-01-17 - Proofpoint - Kafeine EITest Fleercivet

    FrameworkPoS

    - Grateful POS

    GandCrab

    References:
  • Sodinokibi ransomware exploits WebLogic Server vulnerability - 2019-04-30 - Talos - Pierre Cadieux - Colin Grady - Jaeson Schultz - Matt Valites Sodinokibi GandCrab
  • Good riddance, GandCrab! We’re still fixing the mess you left behind. - 2019-06-17 - Bitdefender - Bogdan Botezatu GandCrab

    Get2

    References:
  • TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader - 2019-10-16 - Proofpoint - Dennis Schwarz - Kafeine - Matthew Mesa - Axel F - Proofpoint Staff Get2 TA505 SDBbot FlawedGrace FlawedAmmyy Snatch ServHelper

    Gootkit

    Gozi ISFB

    References:
  • ISFB - Still live and Kicking - 2016-12-01 - Lokalhost - Maciej Kotowicz Gozi ISFB

    Gozi v2

    References:
  • Analyzing ISFB – The Second Loader - 2019-05-25 - 0ffset - 0verfl0w Gozi v2 TA551

    Gozi v3

    Hancitor

    - Chanitor

    Hawkeye

    References:
  • Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis - 2018-07-11 - Microsoft - Office 365 Threat Research Hawkeye

    Hermes

    References:
  • Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware - 2019-01-10 - CrowdStrike - Alexander Hanel Ryuk Hermes GRIM SPIDER Trickbot WIZARD SPIDER

    Hidden Mellifera

    - 隱蜂 - Hidden Bee

    References:
  • New Underminer Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware with Encrypted TCP Tunnel - 2018-07-26 - Trend Micro - Jaromir Horejsi - Joseph C. Chen Underminer Hidden Mellifera
  • The Hidden Bee infection chain, part 1: the stegano pack - 2019-08-15 - Malwarebytes - hasherezade Hidden Mellifera Underminer

    IcedID

    - BokBot

    References:
  • Bokbot: The (re)birth of a banker - 2018-09-09 - Fox-IT - Alfred Klason IcedID Vawtrak TinyLoader Hancitor

    KPOT

    References:
  • New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials - 2019-05-09 - Proofpoint - Dennis Schwarz - Proofpoint Staff KPOT Fallout RIG

    Kelihos

    References:
  • Inside the Takedown of ZOMBIE SPIDER and the Kelihos Botnet - 2017-04-13 - CrowdStrike - Falcon Intelligence Team Kelihos Severa
  • Farewell to Kelihos and ZOMBIE SPIDER - 2018-12-05 - CrowdStrike - Brett Stone-Gross - Tillman Werner - Bex Hartley Severa Kelihos

    Koler

    Kovter

    References:
  • Ransomware - Kovter : looking at your browsing history for more credibility - 2013-03-29 - MDNC - Kafeine Kovter
  • Kovter 2016 – Anti Analysis tricks - 2017-05-11 - Riscy Business - RISCyBusiness Kovter
  • Threat Actor Profile: KovCoreG, The Kovter Saga - 2017-11-01 - Proofpoint - Kafeine Kovter KovCoreG Angler Sweet Orange Nuclear Sakura BlackHole Neutrino Fiesta Styx EITest
  • Kovter Uncovered - 2018-08-03 - Github - eWhite Hats Kovter

    LockerGoga

    Locky

    References:
  • Dridex Actors Get In the Ransomware Game With "Locky" - 2016-02-16 - Proofpoint - Proofpoint Staff Locky Neutrino TA505

    Lurk

    References:
  • Lurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - Alexey Shulmin - Mikhail Prokhorenko Lurk Angler

    Madness

    References:
  • Meet Madness Pro or Few days rise of a Ddos Botnet - 2013-10-14 - MDNC - Kafeine Madness Cool

    Marap

    References:
  • New modular downloaders fingerprint systems, prepare for more - Part 1: Marap - 2018-08-16 - Proofpoint - Proofpoint Staff Marap TA555

    Maze

    Mole

    More_Eggs

    - Terra Loader

    Necurs

    - Crap2p

    References:
  • Necurs – hybrid spam botnet - 2016-09-02 - CertPL - Adam Krasuski Necurs

    Netwire

    References:
  • New Release: Decrypting NetWire C2 Traffic - 2014-08-04 - PaloAlto - Phil Da Silva - Rob Downs - Ryan Olson Netwire

    Ngioweb

    - grobios

    References:
  • Ramnit’s Network of Proxy Servers - 2018-08-05 - Checkpoint Ramnit Ngioweb
  • An Analysis of Linux.Ngioweb Botnet - 2019-06-21 - Netlab - Alex Turing - Yegenshen Ngioweb

    Nodster

    References:
  • New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign - 2019-10-01 - Trend Micro - Jaromir Horejsi - Joseph C. Chen Novter Nodster KovCoreG Kovter

    NonRansomware

    - Blitzkrieg

    Novter

    - Divergent - Nodersok

    References:
  • Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware - 2019-09-26 - Microsoft - Microsoft Defender ATP Research Team Novter KovCoreG
  • Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host - 2019-09-26 - Talos - Edmund Brumaghin Novter KovCoreG
  • New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign - 2019-10-01 - Trend Micro - Jaromir Horejsi - Joseph C. Chen Novter Nodster KovCoreG Kovter

    Nymaim

    References:
  • Nymaim – obfuscation chronicles - 2013-08-26 - Eset - Jean-Ian Boutin Nymaim
  • Meet GozNym: The Banking Malware Offspring of Gozi ISFB and Nymaim - 2016-04-14 - IBM Security - Limor Kessem - Lior Keshet Nymaim Gozi ISFB
  • Nymaim - The untold story - 2016-10-06 - Lokalhost - Jarosław Jedynak - Maciej Kotowicz Nymaim
  • Nymaim config decoded - 2019-03-12 - Proofpoint - Georgi Mladenov Nymaim
  • GozNym Cyber-Criminal Network Operating out of Europe Targeting American Entities Dismantled in International Operation - 2019-05-16 - Department of Justice - DoJ Nymaim

    OnlinerBot

    - OnlinerSpambot

    References:
  • A journey inside Gozi campaign - 2017-01-20 - BenkowLab - benkow_ OnlinerBot Gozi ISFB
  • ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545) - 2018-10-05 - Blueliv - Blueliv Labs team - Jose Miguel Esparza ARS OnlinerBot

    Osiris

    References:
  • Kronos Reborn - 2018-07-24 - Proofpoint - Proofpoint Staff Osiris RIG
  • Osiris: An Enhanced Banking Trojan - 2018-07-31 - Checkpoint - Yaroslav Harakhavik - Nikita Fokin Osiris

    Ostap

    References:
  • Ostap Bender: 400 Ways to Make the Population Part With Their Money - 2016-12-08 - Proofpoint - Proofpoint Staff Ostap Dridex Gozi ISFB TinyLoader
  • Ostap malware analysis (Backswap dropper) - 2018-06-01 - CertPL - Paweł Srokosz Ostap Nymaim

    Otlard

    - Jahoo

    References:
  • Inside Jahoo (Otlard.A ?) - A spam Botnet - 2015-11-28 - MDNC - Kafeine Otlard VirtualDonna Angler Nuclear ProxyBack Ramnit

    Parasite HTTP

    References:
  • Parasite HTTP RAT cooks up a stew of stealthy tricks - - Proofpoint - Proofpoint Staff Parasite HTTP

    Pitou

    References:
  • The DGA of Pitou - Analyzing a Virtualized Algorithm - 2019-07-08 - Johannesbader - Johannes Bader Pitou

    PoshAdvisor

    References:
  • New modular downloaders fingerprint systems - Part 2: AdvisorsBot - 2018-08-23 - Proofpoint - Proofpoint Staff AdvisorsBot PoshAdvisor Marap TA555

    PowerBrace

    PowerEnum

    Predator The Thief

    References:
  • A predatory tale: Who’s afraid of the thief? - 201-03-11 - SecureList - GReAT Predator The Thief
  • Predator The Thief: In-depth analysis (v2.3.5) - 2018-10-15 - Fumik0 - Fumik0_ Predator The Thief

    Princess

    Princess Evolution

    References:
  • Ransomware as a Service Princess Evolution Looking for Affiliates - 2018-09-09 - Trend Micro - Joseph C. Chen Princess Evolution RIG

    ProxyBack

    - Hbot

    References:
  • ProxyBack Malware Turns User Systems Into Proxies Without Consent - 2015-12-23 - PaloAlto - Jeff White ProxyBack

    PsiXBot

    References:
  • It's called PsiX. It's a modular bot. - 2018-08-30 - Twitter - Matthew Mesa PsiXBot
  • PsiXBot: The Evolution Of A Modular .NET Bot - 2019-03-27 - Fox-IT - Stefano Antenucci - Antonio Parata PsiXBot Spelevo

    Quant

    - QuantLoader

    References:
  • Locky distributor uses newly released quant loader sold on Russian underground - 2016-09-14 - Forcepoint - Nicholas Griffin Quant Locky TA505
  • An in-depth malware analysis of QuantLoader - 2018-03-28 - Malwarebytes - Vishal Thakur Quant TA505 FlawedAmmyy

    Quasar

    Raccoon

    References:
  • Raccoon Stealer In development? - 2019-02-21 - Twitter - 0xffff0800 Raccoon

    Ramnit

    References:
  • Ramnit’s Network of Proxy Servers - 2018-08-05 - Checkpoint Ramnit Ngioweb

    RecoLoad

    - PUNCHBUGGY

    References:
  • A fileless Ursnif doing some POS focused reco - 2015-07-05 - MDNC - Kafeine RecoLoad Angler
  • Angler Exploit Kit Used to Find and Infect PoS Systems - 2015-07-27 - Trendmicro - Anthony Joe Melgarejo RecoLoad Angler

    Ryuk

    References:
  • Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware - 2019-01-10 - CrowdStrike - Alexander Hanel Ryuk Hermes GRIM SPIDER Trickbot WIZARD SPIDER
  • A Nasty Trick: From Credential Theft Malware to Business Disruption - 2019-01-10 - FireEye - Kimberly Goody - Jeremy Kennelly - Jaideep Natu - Christopher Glyer Ryuk GRIM SPIDER Trickbot

    SDBbot

    References:
  • PDF: ASEC REPORT vol.96 Q3 2019 - 2019-10-11 - Ahnlab - ASEC Researchers Clop SDBbot FlawedAmmyy TA505
  • TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader - 2019-10-16 - Proofpoint - Dennis Schwarz - Kafeine - Matthew Mesa - Axel F - Proofpoint Staff Get2 TA505 SDBbot FlawedGrace FlawedAmmyy Snatch ServHelper

    Sednit

    Seon

    ServHelper

    References:
  • ServHelper and FlawedGrace - New malware introduced by TA505 - 2019-01-09 - Proofpoint - Dennis Schwarz - Proofpoint Staff ServHelper FlawedGrace TA505

    Shifu

    References:
  • Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - IBM Security - Limor Kessem - Ilya Kolmanovich - Denis Laskov Shifu
  • Shifu <3 Great Britain - 2015-09-24 - MDNC - Kafeine Shifu VirtualDonna Angler
  • Shifu Malware Analyzed: Behavior, Capabilities and Communications - 2015-10-29 - FireEye - Richard Hummel Shifu
  • 2016 Updates to Shifu Banking Trojan - 2017-01-06 - PaloAlto - Dominik Reichel Shifu CVE-2016-0167

    Silence

    - TrueBot

    References:
  • (PDF) Silence: Moving into the darkside - 2018-09 - Group-IB Silence
  • (PDF) Silence 2.0: Going Global - 2019-07-04 - Group-IB Silence FlawedAmmyy

    Smokebot

    - Dofoil - Smoke Loader

    References:
  • Dissecting Smoke Loader - 2018-07-18 - CertPL - Michał Praszmo Smokebot
  • SmokeLoader ups its game in 2019 and emerges with a fresh new version. A blog post with all the recent updates is coming up shortly. Meanwhile, here are some IOCs - 2019-06-18 - Twitter - Check Point Research Smokebot bbsindex
  • The 2019 Resurgence of Smokeloader - 2019-07-09 - Checkpoint - Israel Gubi Smokebot bbsindex

    Snatch

    References:
  • SnatchLoader Reloaded - 2017-10-27 - Arbor - Dennis Schwarz Snatch Ramnit TA554

    Sodinokibi

    - REvil - Sodin

    References:
  • Sodinokibi ransomware exploits WebLogic Server vulnerability - 2019-04-30 - Talos - Pierre Cadieux - Colin Grady - Jaeson Schultz - Matt Valites Sodinokibi GandCrab
  • Malware Tales: Sodinokibi - 2019-06-14 - Certego - Matteo Lodi Sodinokibi GandCrab
  • Sodin ransomware exploits Windows vulnerability and processor architecture - 2019-07-03 - Securelist - Orkhan Mamedov - Artur Pakulov - Fedor Sinitsyn Sodinokibi

    Spora

    References:
  • Spora Ransomware Works Offline, Has the Most Sophisticated Payment Site as of Yet - 2017-01-10 - BleepingComputer - Catalin Cimpanu Spora

    StillerX

    References:
  • CryptXXX Ransomware Learns the Samba, Other New Tricks With Version 3.100 - 2016-06-01 - Proofpoint - Proofpoint Staff StillerX CryptXXX

    SystemBC

    References:
  • SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits - 2019-08-01 - Proofpoint - Kade Karmon - Kafeine - Dennis Schwarz - Proofpoint Staff SystemBC Fallout RIG Danabot PowerEnum

    TinyLoader

    TinyNuke

    - NuclearBot - NukeBot - Xbot

    References:
  • Dismantling a Nuclear Bot - 2016-12-19 - Arbor - Dennis Schwarz TinyNuke
  • Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer - 2017-04-06 - Krebs On Security - Brian Krebs TinyNuke
  • Quick look at another Alina fork: XBOT-POS - 2017-08-16 - BenkowLab - benkow_ TinyNuke Alina

    Tofsee

    References:
  • A deeper look at Tofsee modules - 2017-10-19 - CertPL - Jarosław Jedynak Tofsee

    Trickbot

    URLZone

    - Bebloh - Shiotob

    References:
  • URLZone reloaded: new evolution - 2012-09-01 - VirusBulletin - Neo Tan URLZone
  • The DGA of Shiotob - 2015-01-12 - Johannesbader - Johannes Bader URLZone

    Vawtrak

    - Neverquest

    Xagent

    References:
  • A Look Into Fysbis: Sofacy's Linux Backdoor - 2016-02-12 - PaloAlto - Bryan Lee - Rob Downs Xagent APT28
  • XAgentOSX: Sofacy's XAgent macOS Tool - 2017-02-14 - PaloAlto - Robert Falcone Xagent APT28

    js-GhoLoader

    References:
  • Fake Software Update Abuses NetSupport Remote Access Tool - 2018-04-05 - FireEye - Sudhanshu Dubey js-GhoLoader SocGholish
  • Deep Analysis of Queryn Campaign - 2018-07-10 - Github - Koike js-GhoLoader SocGholish

    sLoad

    References:
  • Hello, internal name of this loader is sLoad. Appeared May 1st. Payload is the UK focused Ramnit ( fB1oN5frGqf ) - 2018-05-19 - Twitter - Kafeine sLoad Ramnit TA554
  • sLoad and Ramnit pairing in sustained campaigns against UK and Italy - 2018-10-23 - Proofpoint - Proofpoint Staff TA554 sLoad Ramnit PsiXBot Gootkit Snatch