Ursnif, Software S0386 | MITRE ATT&CK®
<!DOCTYPE html>
<html lang='en'>
<head>
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<link rel='shortcut icon' href="/versions/v13/theme/favicon.ico" type='image/x-icon'>
<title>Ursnif, Software S0386 | MITRE ATT&CK®</title>
<!-- Bootstrap CSS -->
<link rel='stylesheet' href="/versions/v13/theme/style/bootstrap.min.css" />
<link rel='stylesheet' href="/versions/v13/theme/style/bootstrap-glyphicon.min.css" />
<link rel='stylesheet' href="/versions/v13/theme/style/bootstrap-tourist.css" />
<link rel='stylesheet' href="/versions/v13/theme/style/bootstrap-select.min.css" />
<link rel="stylesheet" type="text/css" href="/versions/v13/theme/style.min.css?e8044105">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
</head>
<body>
<div class="container-fluid attack-website-wrapper d-flex flex-column h-100">
<div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v13/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v13.1" target="_blank">ATT&CK v13.1</a> which was live between April 25, 2023 and October 30, 2023. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> </div> </div>
<div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements -->
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Explosive-Explosive"> <a href="/versions/v13/software/S0569/"> Explosive </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FakeM-FakeM"> <a href="/versions/v13/software/S0076/"> FakeM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FakeSpy-FakeSpy"> <a href="/versions/v13/software/S0509/"> FakeSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FALLCHILL-FALLCHILL"> <a href="/versions/v13/software/S0181/"> FALLCHILL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FatDuke-FatDuke"> <a href="/versions/v13/software/S0512/"> FatDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Felismus-Felismus"> <a href="/versions/v13/software/S0171/"> Felismus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FELIXROOT-FELIXROOT"> <a href="/versions/v13/software/S0267/"> FELIXROOT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Ferocious-Ferocious"> <a href="/versions/v13/software/S0679/"> Ferocious </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Fgdump-Fgdump"> <a href="/versions/v13/software/S0120/"> Fgdump </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Final1stspy-Final1stspy"> <a href="/versions/v13/software/S0355/"> Final1stspy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FinFisher-FinFisher"> <a href="/versions/v13/software/S0182/"> FinFisher </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FIVEHANDS-FIVEHANDS"> <a href="/versions/v13/software/S0618/"> FIVEHANDS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Flagpro-Flagpro"> <a href="/versions/v13/software/S0696/"> Flagpro </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Flame-Flame"> <a href="/versions/v13/software/S0143/"> Flame </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head " id="FLASHFLOOD-FLASHFLOOD"> <a href="/versions/v13/software/S0036/"> FLASHFLOOD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FlawedAmmyy-FlawedAmmyy"> <a href="/versions/v13/software/S0381/"> FlawedAmmyy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FlawedGrace-FlawedGrace"> <a href="/versions/v13/software/S0383/"> FlawedGrace </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FlexiSpy-FlexiSpy"> <a href="/versions/v13/software/S0408/"> FlexiSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FLIPSIDE-FLIPSIDE"> <a href="/versions/v13/software/S0173/"> FLIPSIDE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FluBot-FluBot"> <a href="/versions/v13/software/S1067/"> FluBot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FoggyWeb-FoggyWeb"> <a href="/versions/v13/software/S0661/"> FoggyWeb </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Forfiles-Forfiles"> <a href="/versions/v13/software/S0193/"> Forfiles </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FrameworkPOS-FrameworkPOS"> <a href="/versions/v13/software/S0503/"> FrameworkPOS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FrozenCell-FrozenCell"> <a href="/versions/v13/software/S0577/"> FrozenCell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FruitFly-FruitFly"> <a href="/versions/v13/software/S0277/"> FruitFly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ftp-ftp"> <a href="/versions/v13/software/S0095/"> ftp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FunnyDream-FunnyDream"> <a href="/versions/v13/software/S1044/"> FunnyDream </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="FYAnti-FYAnti"> <a href="/versions/v13/software/S0628/"> FYAnti 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Fysbis-Fysbis"> <a href="/versions/v13/software/S0410/"> Fysbis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Gazer-Gazer"> <a href="/versions/v13/software/S0168/"> Gazer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Gelsemium-Gelsemium"> <a href="/versions/v13/software/S0666/"> Gelsemium </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="GeminiDuke-GeminiDuke"> <a href="/versions/v13/software/S0049/"> GeminiDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Get2-Get2"> <a href="/versions/v13/software/S0460/"> Get2 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="gh0st RAT-gh0st RAT"> <a href="/versions/v13/software/S0032/"> gh0st RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Ginp-Ginp"> <a href="/versions/v13/software/S0423/"> Ginp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="GLOOXMAIL-GLOOXMAIL"> <a href="/versions/v13/software/S0026/"> GLOOXMAIL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Gold Dragon-Gold Dragon"> <a href="/versions/v13/software/S0249/"> Gold Dragon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Golden Cup-Golden Cup"> <a href="/versions/v13/software/S0535/"> Golden Cup </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="GoldenEagle-GoldenEagle"> <a href="/versions/v13/software/S0551/"> GoldenEagle </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="GoldenSpy-GoldenSpy"> <a href="/versions/v13/software/S0493/"> GoldenSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="GoldFinder-GoldFinder"> <a href="/versions/v13/software/S0597/"> GoldFinder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="GoldMax-GoldMax"> <a href="/versions/v13/software/S0588/"> GoldMax </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head " id="GolfSpy-GolfSpy"> <a href="/versions/v13/software/S0421/"> GolfSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Gooligan-Gooligan"> <a href="/versions/v13/software/S0290/"> Gooligan </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Goopy-Goopy"> <a href="/versions/v13/software/S0477/"> Goopy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="GPlayed-GPlayed"> <a href="/versions/v13/software/S0536/"> GPlayed </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Grandoreiro-Grandoreiro"> <a href="/versions/v13/software/S0531/"> Grandoreiro </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="GravityRAT-GravityRAT"> <a href="/versions/v13/software/S0237/"> GravityRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Green Lambert-Green Lambert"> <a href="/versions/v13/software/S0690/"> Green Lambert </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="GreyEnergy-GreyEnergy"> <a href="/versions/v13/software/S0342/"> GreyEnergy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="GRIFFON-GRIFFON"> <a href="/versions/v13/software/S0417/"> GRIFFON </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="GrimAgent-GrimAgent"> <a href="/versions/v13/software/S0632/"> GrimAgent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="gsecdump-gsecdump"> <a href="/versions/v13/software/S0008/"> gsecdump </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="GuLoader-GuLoader"> <a href="/versions/v13/software/S0561/"> GuLoader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Gustuff-Gustuff"> <a href="/versions/v13/software/S0406/"> Gustuff </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="H1N1-H1N1"> <a href="/versions/v13/software/S0132/"> H1N1 </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head " id="Hacking Team UEFI Rootkit-Hacking Team UEFI Rootkit"> <a href="/versions/v13/software/S0047/"> Hacking Team UEFI Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HALFBAKED-HALFBAKED"> <a href="/versions/v13/software/S0151/"> HALFBAKED </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HAMMERTOSS-HAMMERTOSS"> <a href="/versions/v13/software/S0037/"> HAMMERTOSS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Hancitor-Hancitor"> <a href="/versions/v13/software/S0499/"> Hancitor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HAPPYWORK-HAPPYWORK"> <a href="/versions/v13/software/S0214/"> HAPPYWORK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HARDRAIN-HARDRAIN"> <a href="/versions/v13/software/S0246/"> HARDRAIN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Havij-Havij"> <a href="/versions/v13/software/S0224/"> Havij </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HAWKBALL-HAWKBALL"> <a href="/versions/v13/software/S0391/"> HAWKBALL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="hcdLoader-hcdLoader"> <a href="/versions/v13/software/S0071/"> hcdLoader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HDoor-HDoor"> <a href="/versions/v13/software/S0061/"> HDoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HELLOKITTY-HELLOKITTY"> <a href="/versions/v13/software/S0617/"> HELLOKITTY </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Helminth-Helminth"> <a href="/versions/v13/software/S0170/"> Helminth </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HenBox-HenBox"> <a href="/versions/v13/software/S0544/"> HenBox </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HermeticWiper-HermeticWiper"> <a 
href="/versions/v13/software/S0697/"> HermeticWiper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HermeticWizard-HermeticWizard"> <a href="/versions/v13/software/S0698/"> HermeticWizard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Heyoka Backdoor-Heyoka Backdoor"> <a href="/versions/v13/software/S1027/"> Heyoka Backdoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Hi-Zor-Hi-Zor"> <a href="/versions/v13/software/S0087/"> Hi-Zor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HiddenWasp-HiddenWasp"> <a href="/versions/v13/software/S0394/"> HiddenWasp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HIDEDRV-HIDEDRV"> <a href="/versions/v13/software/S0135/"> HIDEDRV </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Hikit-Hikit"> <a href="/versions/v13/software/S0009/"> Hikit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Hildegard-Hildegard"> <a href="/versions/v13/software/S0601/"> Hildegard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HOMEFRY-HOMEFRY"> <a href="/versions/v13/software/S0232/"> HOMEFRY </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HOPLIGHT-HOPLIGHT"> <a href="/versions/v13/software/S0376/"> HOPLIGHT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HotCroissant-HotCroissant"> <a href="/versions/v13/software/S0431/"> HotCroissant </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HTRAN-HTRAN"> <a href="/versions/v13/software/S0040/"> HTRAN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HTTPBrowser-HTTPBrowser"> <a href="/versions/v13/software/S0070/"> HTTPBrowser </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="httpclient-httpclient"> <a href="/versions/v13/software/S0068/"> httpclient </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="HummingBad-HummingBad"> <a href="/versions/v13/software/S0322/"> HummingBad </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HummingWhale-HummingWhale"> <a href="/versions/v13/software/S0321/"> HummingWhale </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Hydraq-Hydraq"> <a href="/versions/v13/software/S0203/"> Hydraq </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HyperBro-HyperBro"> <a href="/versions/v13/software/S0398/"> HyperBro </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="HyperStack-HyperStack"> <a href="/versions/v13/software/S0537/"> HyperStack </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="IceApple-IceApple"> <a href="/versions/v13/software/S1022/"> IceApple </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="IcedID-IcedID"> <a href="/versions/v13/software/S0483/"> IcedID </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ifconfig-ifconfig"> <a href="/versions/v13/software/S0101/"> ifconfig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="iKitten-iKitten"> <a href="/versions/v13/software/S0278/"> iKitten </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Imminent Monitor-Imminent Monitor"> <a href="/versions/v13/software/S0434/"> Imminent Monitor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Impacket-Impacket"> <a href="/versions/v13/software/S0357/"> Impacket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="INCONTROLLER-INCONTROLLER"> <a href="/versions/v13/software/S1045/"> INCONTROLLER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Industroyer-Industroyer"> <a href="/versions/v13/software/S0604/"> Industroyer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Industroyer2-Industroyer2"> <a href="/versions/v13/software/S1072/"> 
Industroyer2 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="InnaputRAT-InnaputRAT"> <a href="/versions/v13/software/S0259/"> InnaputRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="INSOMNIA-INSOMNIA"> <a href="/versions/v13/software/S0463/"> INSOMNIA </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="InvisiMole-InvisiMole"> <a href="/versions/v13/software/S0260/"> InvisiMole </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Invoke-PSImage-Invoke-PSImage"> <a href="/versions/v13/software/S0231/"> Invoke-PSImage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ipconfig-ipconfig"> <a href="/versions/v13/software/S0100/"> ipconfig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="IronNetInjector-IronNetInjector"> <a href="/versions/v13/software/S0581/"> IronNetInjector </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ISMInjector-ISMInjector"> <a href="/versions/v13/software/S0189/"> ISMInjector </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Ixeshe-Ixeshe"> <a href="/versions/v13/software/S0015/"> Ixeshe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Janicab-Janicab"> <a href="/versions/v13/software/S0163/"> Janicab </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Javali-Javali"> <a href="/versions/v13/software/S0528/"> Javali </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="JCry-JCry"> <a href="/versions/v13/software/S0389/"> JCry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="JHUHUGIT-JHUHUGIT"> <a href="/versions/v13/software/S0044/"> JHUHUGIT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="JPIN-JPIN"> <a href="/versions/v13/software/S0201/"> JPIN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="jRAT-jRAT"> <a 
href="/versions/v13/software/S0283/"> jRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="JSS Loader-JSS Loader"> <a href="/versions/v13/software/S0648/"> JSS Loader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Judy-Judy"> <a href="/versions/v13/software/S0325/"> Judy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="KARAE-KARAE"> <a href="/versions/v13/software/S0215/"> KARAE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Kasidet-Kasidet"> <a href="/versions/v13/software/S0088/"> Kasidet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Kazuar-Kazuar"> <a href="/versions/v13/software/S0265/"> Kazuar </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Kerrdown-Kerrdown"> <a href="/versions/v13/software/S0585/"> Kerrdown </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Kessel-Kessel"> <a href="/versions/v13/software/S0487/"> Kessel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Kevin-Kevin"> <a href="/versions/v13/software/S1020/"> Kevin </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="KeyBoy-KeyBoy"> <a href="/versions/v13/software/S0387/"> KeyBoy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Keydnap-Keydnap"> <a href="/versions/v13/software/S0276/"> Keydnap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="KEYMARBLE-KEYMARBLE"> <a href="/versions/v13/software/S0271/"> KEYMARBLE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="KEYPLUG-KEYPLUG"> <a href="/versions/v13/software/S1051/"> KEYPLUG </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="KeyRaider-KeyRaider"> <a href="/versions/v13/software/S0288/"> KeyRaider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="KGH_SPY-KGH_SPY"> <a href="/versions/v13/software/S0526/"> KGH_SPY </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head " id="KillDisk-KillDisk"> <a href="/versions/v13/software/S0607/"> KillDisk </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Kinsing-Kinsing"> <a href="/versions/v13/software/S0599/"> Kinsing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Kivars-Kivars"> <a href="/versions/v13/software/S0437/"> Kivars </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Koadic-Koadic"> <a href="/versions/v13/software/S0250/"> Koadic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Kobalos-Kobalos"> <a href="/versions/v13/software/S0641/"> Kobalos </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="KOCTOPUS-KOCTOPUS"> <a href="/versions/v13/software/S0669/"> KOCTOPUS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Komplex-Komplex"> <a href="/versions/v13/software/S0162/"> Komplex </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="KOMPROGO-KOMPROGO"> <a href="/versions/v13/software/S0156/"> KOMPROGO </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="KONNI-KONNI"> <a href="/versions/v13/software/S0356/"> KONNI </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Kwampirs-Kwampirs"> <a href="/versions/v13/software/S0236/"> Kwampirs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="LaZagne-LaZagne"> <a href="/versions/v13/software/S0349/"> LaZagne </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="LightNeuron-LightNeuron"> <a href="/versions/v13/software/S0395/"> LightNeuron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Linfo-Linfo"> <a href="/versions/v13/software/S0211/"> Linfo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Linux Rabbit-Linux Rabbit"> <a href="/versions/v13/software/S0362/"> Linux Rabbit </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head " id="LiteDuke-LiteDuke"> <a href="/versions/v13/software/S0513/"> LiteDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="LitePower-LitePower"> <a href="/versions/v13/software/S0680/"> LitePower </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Lizar-Lizar"> <a href="/versions/v13/software/S0681/"> Lizar </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="LockerGoga-LockerGoga"> <a href="/versions/v13/software/S0372/"> LockerGoga </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="LoJax-LoJax"> <a href="/versions/v13/software/S0397/"> LoJax </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Lokibot-Lokibot"> <a href="/versions/v13/software/S0447/"> Lokibot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="LookBack-LookBack"> <a href="/versions/v13/software/S0582/"> LookBack </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="LoudMiner-LoudMiner"> <a href="/versions/v13/software/S0451/"> LoudMiner </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="LOWBALL-LOWBALL"> <a href="/versions/v13/software/S0042/"> LOWBALL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Lslsass-Lslsass"> <a href="/versions/v13/software/S0121/"> Lslsass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Lucifer-Lucifer"> <a href="/versions/v13/software/S0532/"> Lucifer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Lurid-Lurid"> <a href="/versions/v13/software/S0010/"> Lurid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Machete-Machete"> <a href="/versions/v13/software/S0409/"> Machete </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="MacMa-MacMa"> <a href="/versions/v13/software/S1016/"> MacMa </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="macOS.OSAMiner-macOS.OSAMiner"> <a href="/versions/v13/software/S1048/"> macOS.OSAMiner </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="MacSpy-MacSpy"> <a href="/versions/v13/software/S0282/"> MacSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Mafalda-Mafalda"> <a href="/versions/v13/software/S1060/"> Mafalda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="MailSniper-MailSniper"> <a href="/versions/v13/software/S0413/"> MailSniper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Mandrake-Mandrake"> <a href="/versions/v13/software/S0485/"> Mandrake </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Marcher-Marcher"> <a href="/versions/v13/software/S0317/"> Marcher </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="MarkiRAT-MarkiRAT"> <a href="/versions/v13/software/S0652/"> MarkiRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Matryoshka-Matryoshka"> <a href="/versions/v13/software/S0167/"> Matryoshka </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="MazarBOT-MazarBOT"> <a href="/versions/v13/software/S0303/"> MazarBOT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Maze-Maze"> <a href="/versions/v13/software/S0449/"> Maze </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="MCMD-MCMD"> <a href="/versions/v13/software/S0500/"> MCMD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="MechaFlounder-MechaFlounder"> <a href="/versions/v13/software/S0459/"> MechaFlounder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="meek-meek"> <a href="/versions/v13/software/S0175/"> meek </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="MegaCortex-MegaCortex"> <a href="/versions/v13/software/S0576/"> MegaCortex </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="Melcoz-Melcoz"> <a href="/versions/v13/software/S0530/"> Melcoz </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="MESSAGETAP-MESSAGETAP"> <a href="/versions/v13/software/S0443/"> MESSAGETAP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="metaMain-metaMain"> <a href="/versions/v13/software/S1059/"> metaMain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Metamorfo-Metamorfo"> <a href="/versions/v13/software/S0455/"> Metamorfo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Meteor-Meteor"> <a href="/versions/v13/software/S0688/"> Meteor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Micropsia-Micropsia"> <a href="/versions/v13/software/S0339/"> Micropsia </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Milan-Milan"> <a href="/versions/v13/software/S1015/"> Milan </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Mimikatz-Mimikatz"> <a href="/versions/v13/software/S0002/"> Mimikatz </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="MimiPenguin-MimiPenguin"> <a href="/versions/v13/software/S0179/"> MimiPenguin </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Miner-C-Miner-C"> <a href="/versions/v13/software/S0133/"> Miner-C </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="MiniDuke-MiniDuke"> <a href="/versions/v13/software/S0051/"> MiniDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="MirageFox-MirageFox"> <a href="/versions/v13/software/S0280/"> MirageFox </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Mis-Type-Mis-Type"> <a href="/versions/v13/software/S0084/"> Mis-Type </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Misdat-Misdat"> <a href="/versions/v13/software/S0083/"> Misdat </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
href="/versions/v13/software/S0001/"> Trojan.Mebromi </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Truvasys-Truvasys"> <a href="/versions/v13/software/S0178/"> Truvasys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="TSCookie-TSCookie"> <a href="/versions/v13/software/S0436/"> TSCookie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Turian-Turian"> <a href="/versions/v13/software/S0647/"> Turian </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="TURNEDUP-TURNEDUP"> <a href="/versions/v13/software/S0199/"> TURNEDUP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Twitoor-Twitoor"> <a href="/versions/v13/software/S0302/"> Twitoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="TYPEFRAME-TYPEFRAME"> <a href="/versions/v13/software/S0263/"> TYPEFRAME </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="UACMe-UACMe"> <a href="/versions/v13/software/S0116/"> UACMe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="UBoatRAT-UBoatRAT"> <a href="/versions/v13/software/S0333/"> UBoatRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Umbreon-Umbreon"> <a href="/versions/v13/software/S0221/"> Umbreon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Unknown Logger-Unknown Logger"> <a href="/versions/v13/software/S0130/"> Unknown Logger </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="UPPERCUT-UPPERCUT"> <a href="/versions/v13/software/S0275/"> UPPERCUT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Uroburos-Uroburos"> <a href="/versions/v13/software/S0022/"> Uroburos </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active " id="Ursnif-Ursnif"> <a href="/versions/v13/software/S0386/"> Ursnif </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="USBferry-USBferry"> <a 
href="/versions/v13/software/S0452/"> USBferry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="USBStealer-USBStealer"> <a href="/versions/v13/software/S0136/"> USBStealer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Valak-Valak"> <a href="/versions/v13/software/S0476/"> Valak </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="VaporRage-VaporRage"> <a href="/versions/v13/software/S0636/"> VaporRage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Vasport-Vasport"> <a href="/versions/v13/software/S0207/"> Vasport </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="VBShower-VBShower"> <a href="/versions/v13/software/S0442/"> VBShower </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="VERMIN-VERMIN"> <a href="/versions/v13/software/S0257/"> VERMIN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ViceLeaker-ViceLeaker"> <a href="/versions/v13/software/S0418/"> ViceLeaker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ViperRAT-ViperRAT"> <a href="/versions/v13/software/S0506/"> ViperRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Volgmer-Volgmer"> <a href="/versions/v13/software/S0180/"> Volgmer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="VPNFilter-VPNFilter"> <a href="/versions/v13/software/S1010/"> VPNFilter </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WannaCry-WannaCry"> <a href="/versions/v13/software/S0366/"> WannaCry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WarzoneRAT-WarzoneRAT"> <a href="/versions/v13/software/S0670/"> WarzoneRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WastedLocker-WastedLocker"> <a href="/versions/v13/software/S0612/"> WastedLocker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="Waterbear-Waterbear"> <a href="/versions/v13/software/S0579/"> Waterbear </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WEBC2-WEBC2"> <a href="/versions/v13/software/S0109/"> WEBC2 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WellMail-WellMail"> <a href="/versions/v13/software/S0515/"> WellMail </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WellMess-WellMess"> <a href="/versions/v13/software/S0514/"> WellMess </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Wevtutil-Wevtutil"> <a href="/versions/v13/software/S0645/"> Wevtutil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WhisperGate-WhisperGate"> <a href="/versions/v13/software/S0689/"> WhisperGate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Wiarp-Wiarp"> <a href="/versions/v13/software/S0206/"> Wiarp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Windows Credential Editor-Windows Credential Editor"> <a href="/versions/v13/software/S0005/"> Windows Credential Editor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WINDSHIELD-WINDSHIELD"> <a href="/versions/v13/software/S0155/"> WINDSHIELD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WindTail-WindTail"> <a href="/versions/v13/software/S0466/"> WindTail </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WINERACK-WINERACK"> <a href="/versions/v13/software/S0219/"> WINERACK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Winexe-Winexe"> <a href="/versions/v13/software/S0191/"> Winexe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Wingbird-Wingbird"> <a href="/versions/v13/software/S0176/"> Wingbird </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WinMM-WinMM"> <a href="/versions/v13/software/S0059/"> WinMM </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head " id="Winnti for Linux-Winnti for Linux"> <a href="/versions/v13/software/S0430/"> Winnti for Linux </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Winnti for Windows-Winnti for Windows"> <a href="/versions/v13/software/S0141/"> Winnti for Windows </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Wiper-Wiper"> <a href="/versions/v13/software/S0041/"> Wiper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WireLurker-WireLurker"> <a href="/versions/v13/software/S0312/"> WireLurker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="WolfRAT-WolfRAT"> <a href="/versions/v13/software/S0489/"> WolfRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Woody RAT-Woody RAT"> <a href="/versions/v13/software/S1065/"> Woody RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="X-Agent for Android-X-Agent for Android"> <a href="/versions/v13/software/S0314/"> X-Agent for Android </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="XAgentOSX-XAgentOSX"> <a href="/versions/v13/software/S0161/"> XAgentOSX </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Xbash-Xbash"> <a href="/versions/v13/software/S0341/"> Xbash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Xbot-Xbot"> <a href="/versions/v13/software/S0298/"> Xbot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="xCaon-xCaon"> <a href="/versions/v13/software/S0653/"> xCaon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="xCmd-xCmd"> <a href="/versions/v13/software/S0123/"> xCmd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="XcodeGhost-XcodeGhost"> <a href="/versions/v13/software/S0297/"> XcodeGhost </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="XCSSET-XCSSET"> <a href="/versions/v13/software/S0658/"> XCSSET </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head " id="XLoader for Android-XLoader for Android"> <a href="/versions/v13/software/S0318/"> XLoader for Android </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="XLoader for iOS-XLoader for iOS"> <a href="/versions/v13/software/S0490/"> XLoader for iOS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="XTunnel-XTunnel"> <a href="/versions/v13/software/S0117/"> XTunnel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="YAHOYAH-YAHOYAH"> <a href="/versions/v13/software/S0388/"> YAHOYAH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="YiSpecter-YiSpecter"> <a href="/versions/v13/software/S0311/"> YiSpecter </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="yty-yty"> <a href="/versions/v13/software/S0248/"> yty </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Zebrocy-Zebrocy"> <a href="/versions/v13/software/S0251/"> Zebrocy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Zen-Zen"> <a href="/versions/v13/software/S0494/"> Zen </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ZergHelper-ZergHelper"> <a href="/versions/v13/software/S0287/"> ZergHelper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Zeroaccess-Zeroaccess"> <a href="/versions/v13/software/S0027/"> Zeroaccess </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ZeroT-ZeroT"> <a href="/versions/v13/software/S0230/"> ZeroT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Zeus Panda-Zeus Panda"> <a href="/versions/v13/software/S0330/"> Zeus Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ZLib-ZLib"> <a href="/versions/v13/software/S0086/"> ZLib </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="Zox-Zox"> <a href="/versions/v13/software/S0672/"> Zox </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head " id="zwShell-zwShell"> <a href="/versions/v13/software/S0350/"> zwShell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ZxShell-ZxShell"> <a href="/versions/v13/software/S0412/"> ZxShell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ZxxZ-ZxxZ"> <a href="/versions/v13/software/S1013/"> ZxxZ </a> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 col-lg-9 col-md-8 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v13/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v13/software/">Software</a></li> <li class="breadcrumb-item">Ursnif</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Ursnif </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/versions/v13/software/S0386">Ursnif</a> is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, <a href="/versions/v13/techniques/T1566/001">Spearphishing Attachment</a>s, and malicious links.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="NJCCIC Ursnif Sept 2016"><sup><a href="https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" 
data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> <a href="/versions/v13/software/S0386">Ursnif</a> is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>S0386 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Names that have overlapping reference to a software entry and may refer to the same or similar software in threat intelligence reporting">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Associated Software</span>: Gozi-ISFB, PE_URSNIF, Dreambot </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="This software is commercial, custom closed source, or open source software intended to be used for malicious purposes by adversaries">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Type</span>: MALWARE </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; 
could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms</span>: Windows </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version</span>: 1.4 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>04 June 2019 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>22 March 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of S0386" href="/versions/v13/software/S0386/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of S0386" href="/software/S0386/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="aliasDescription">Associated Software Descriptions</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> Gozi-ISFB </td> <td> <p><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="FireEye Ursnif Nov 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a 
href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> PE_URSNIF </td> <td> <p><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> Dreambot </td> <td> <p><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="NJCCIC Ursnif Sept 2016"><sup><a href="https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> </tbody> </table> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&CK<sup>®</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/versions/v13/software/S0386/S0386-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" 
src="/versions/v13/theme/images/external-site-dark.jpeg"></a> <script src="/versions/v13/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "software/S0386/S0386-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1071">T1071</a> </td> <td> <a href="/versions/v13/techniques/T1071/001">.001</a> </td> <td> <a href="/versions/v13/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v13/techniques/T1071/001">Web Protocols</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used HTTPS for C2.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="FireEye Ursnif Nov 2017"><sup><a 
href="https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1547">T1547</a> </td> <td> <a href="/versions/v13/techniques/T1547/001">.001</a> </td> <td> <a href="/versions/v13/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v13/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used Registry Run keys to establish automatic execution at system startup.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="TrendMicro PE_URSNIF.A2"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="TrendMicro BKDR_URSNIF.SM"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1185">T1185</a> </td> <td> <a href="/versions/v13/techniques/T1185">Browser Session 
Hijacking</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has injected HTML code into banking sites to steal sensitive online banking information (e.g., usernames and passwords).<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="TrendMicro BKDR_URSNIF.SM"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1059">T1059</a> </td> <td> <a href="/versions/v13/techniques/T1059/001">.001</a> </td> <td> <a href="/versions/v13/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v13/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Bromium Ursnif Mar 2017"><sup><a href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v13/techniques/T1059/005">.005</a> </td> <td> <a href="/versions/v13/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v13/techniques/T1059/005">Visual Basic</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> droppers have used VBA macros to download and execute the malware's full executable payload.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Bromium Ursnif Mar 2017"><sup><a 
href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1543">T1543</a> </td> <td> <a href="/versions/v13/techniques/T1543/003">.003</a> </td> <td> <a href="/versions/v13/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v13/techniques/T1543/003">Windows Service</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has registered itself as a system service in the Registry for automatic execution at system startup.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="TrendMicro PE_URSNIF.A2"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1132">T1132</a> </td> <td> <a href="/versions/v13/techniques/T1132">Data Encoding</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used encoded data in HTTP URLs for C2.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1005">T1005</a> </td> <td> <a href="/versions/v13/techniques/T1005">Data from Local System</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has 
collected files from victim machines, including certificates and cookies.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="TrendMicro BKDR_URSNIF.SM"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1074">T1074</a> </td> <td> <a href="/versions/v13/techniques/T1074/001">.001</a> </td> <td> <a href="/versions/v13/techniques/T1074">Data Staged</a>: <a href="/versions/v13/techniques/T1074/001">Local Data Staging</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used tmp files to stage gathered information.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1140">T1140</a> </td> <td> <a href="/versions/v13/techniques/T1140">Deobfuscate/Decode Files or Information</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="1" 
aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1568">T1568</a> </td> <td> <a href="/versions/v13/techniques/T1568/002">.002</a> </td> <td> <a href="/versions/v13/techniques/T1568">Dynamic Resolution</a>: <a href="/versions/v13/techniques/T1568/002">Domain Generation Algorithms</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used a DGA to generate domain names for C2.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1041">T1041</a> </td> <td> <a href="/versions/v13/techniques/T1041">Exfiltration Over C2 Channel</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used HTTP POSTs to exfiltrate gathered information.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="FireEye Ursnif Nov 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" 
data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1564">T1564</a> </td> <td> <a href="/versions/v13/techniques/T1564/003">.003</a> </td> <td> <a href="/versions/v13/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v13/techniques/T1564/003">Hidden Window</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> droppers have used COM properties to execute malware in hidden windows.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Bromium Ursnif Mar 2017"><sup><a href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1070">T1070</a> </td> <td> <a href="/versions/v13/techniques/T1070/004">.004</a> </td> <td> <a href="/versions/v13/techniques/T1070">Indicator Removal</a>: <a href="/versions/v13/techniques/T1070/004">File Deletion</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has deleted data staged in tmp files after exfiltration.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a 
href="/versions/v13/techniques/T1105">T1105</a> </td> <td> <a href="/versions/v13/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has dropped payload and configuration files to disk. <a href="/versions/v13/software/S0386">Ursnif</a> has also been used to download and execute additional payloads.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="TrendMicro PE_URSNIF.A2"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="TrendMicro BKDR_URSNIF.SM"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1056">T1056</a> </td> <td> <a href="/versions/v13/techniques/T1056/004">.004</a> </td> <td> <a href="/versions/v13/techniques/T1056">Input Capture</a>: <a href="/versions/v13/techniques/T1056/004">Credential API Hooking</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> 
<tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1559">T1559</a> </td> <td> <a href="/versions/v13/techniques/T1559/001">.001</a> </td> <td> <a href="/versions/v13/techniques/T1559">Inter-Process Communication</a>: <a href="/versions/v13/techniques/T1559/001">Component Object Model</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> droppers have used COM objects to execute the malware's full executable payload.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Bromium Ursnif Mar 2017"><sup><a href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1036">T1036</a> </td> <td> <a href="/versions/v13/techniques/T1036/005">.005</a> </td> <td> <a href="/versions/v13/techniques/T1036">Masquerading</a>: <a href="/versions/v13/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1112">T1112</a> </td> <td> <a href="/versions/v13/techniques/T1112">Modify Registry</a> </td> <td> <p><a 
href="/versions/v13/software/S0386">Ursnif</a> has used Registry modifications as part of its installation routine.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="TrendMicro BKDR_URSNIF.SM"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1106">T1106</a> </td> <td> <a href="/versions/v13/techniques/T1106">Native API</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used <code>CreateProcessW</code> to create child processes.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="FireEye Ursnif Nov 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1027">T1027</a> </td> <td> <a href="/versions/v13/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used an XOR-based algorithm to encrypt Tor clients dropped to disk.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a 
href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> <a href="/versions/v13/software/S0386">Ursnif</a> droppers have also been delivered as password-protected zip files that execute base64 encoded <a href="/versions/v13/techniques/T1059/001">PowerShell</a> commands.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Bromium Ursnif Mar 2017"><sup><a href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v13/techniques/T1027/010">.010</a> </td> <td> <a href="/versions/v13/techniques/T1027/010">Command Obfuscation</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> droppers execute base64 encoded <a href="/versions/v13/techniques/T1059/001">PowerShell</a> commands.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Bromium Ursnif Mar 2017"><sup><a href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1057">T1057</a> </td> <td> <a href="/versions/v13/techniques/T1057">Process Discovery</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has gathered information about running processes.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" 
data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="TrendMicro BKDR_URSNIF.SM"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1055">T1055</a> </td> <td> <a href="/versions/v13/techniques/T1055/005">.005</a> </td> <td> <a href="/versions/v13/techniques/T1055">Process Injection</a>: <a href="/versions/v13/techniques/T1055/005">Thread Local Storage</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has injected code into target processes via thread local storage callbacks.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="TrendMicro PE_URSNIF.A2"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="FireEye Ursnif Nov 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> 
</tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v13/techniques/T1055/012">.012</a> </td> <td> <a href="/versions/v13/techniques/T1055">Process Injection</a>: <a href="/versions/v13/techniques/T1055/012">Process Hollowing</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used process hollowing to inject into child processes.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="FireEye Ursnif Nov 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1090">T1090</a> </td> <td> <a href="/versions/v13/techniques/T1090">Proxy</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used a peer-to-peer (P2P) network for C2.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="NJCCIC Ursnif Sept 2016"><sup><a href="https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v13/techniques/T1090/003">.003</a> </td> <td> <a href="/versions/v13/techniques/T1090/003">Multi-hop Proxy</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used <a 
href="/versions/v13/software/S0183">Tor</a> for C2.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="NJCCIC Ursnif Sept 2016"><sup><a href="https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1012">T1012</a> </td> <td> <a href="/versions/v13/techniques/T1012">Query Registry</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used <a href="/versions/v13/software/S0075">Reg</a> to query the Registry for installed programs.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="TrendMicro BKDR_URSNIF.SM"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1091">T1091</a> </td> <td> <a 
href="/versions/v13/techniques/T1091">Replication Through Removable Media</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has copied itself to and infected removable drives for propagation.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif File Dec 2014"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/info-stealing-file-infector-hits-us-uk/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1113">T1113</a> </td> <td> <a href="/versions/v13/techniques/T1113">Screen Capture</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used hooked APIs to take screenshots.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="TrendMicro BKDR_URSNIF.SM"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr 
class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1082">T1082</a> </td> <td> <a href="/versions/v13/techniques/T1082">System Information Discovery</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used <a href="/versions/v13/software/S0096">Systeminfo</a> to gather system information.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1007">T1007</a> </td> <td> <a href="/versions/v13/techniques/T1007">System Service Discovery</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has gathered information about running services.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1080">T1080</a> </td> <td> <a href="/versions/v13/techniques/T1080">Taint Shared Content</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has copied itself to and infected files in network drives for propagation.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a 
href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif File Dec 2014"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/info-stealing-file-infector-hits-us-uk/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v13/techniques/T1497">T1497</a> </td> <td> <a href="/versions/v13/techniques/T1497/003">.003</a> </td> <td> <a href="/versions/v13/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/versions/v13/techniques/T1497/003">Time Based Evasion</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used a 30-minute delay after execution to evade sandbox monitoring tools.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif File Dec 2014"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/info-stealing-file-infector-hits-us-uk/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v13/techniques/T1047">T1047</a> </td> <td> <a href="/versions/v13/techniques/T1047">Windows Management Instrumentation</a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> droppers have used WMI classes to execute <a href="/versions/v13/techniques/T1059/001">PowerShell</a> commands.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Bromium Ursnif Mar 2017"><sup><a 
href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> </tbody> </table> <h2 class="pt-3" id="groups">Groups That Use This Software</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col" width="20%">Name</th> <th scope="col">References</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v13/groups/G0127">G0127</a> </td> <td> <a href="/versions/v13/groups/G0127">TA551</a> </td> <td> <p><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="Cybereason Valak May 2020"><sup><a href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Unit 42 Valak July 2020"><sup><a href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="Unit 42 TA551 Jan 2021"><sup><a href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="Secureworks GOLD CABIN"><sup><a href="https://www.secureworks.com/research/threat-profiles/gold-cabin" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> </tbody> </table> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" 
href="https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif" target="_blank"> NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank"> Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank"> Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" target="_blank"> Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" target="_blank"> Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019. 
</a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank"> Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="7"> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank"> Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://blog.trendmicro.com/trendlabs-security-intelligence/info-stealing-file-infector-hits-us-uk/" target="_blank"> Caragay, R. (2014, December 11). Info-Stealing File Infector Hits US, UK. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank"> Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank"> Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. 
</a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/" target="_blank"> Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.secureworks.com/research/threat-profiles/gold-cabin" target="_blank"> Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--SCRIPTS--> <script src="/versions/v13/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v13/theme/scripts/popper.min.js"></script> <script src="/versions/v13/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v13/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v13/theme/scripts/site.js?2214"></script> <script src="/versions/v13/theme/scripts/settings.js?3095"></script> <script src="/versions/v13/theme/scripts/search_bundle.js"></script> <script src="/versions/v13/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/versions/v13/theme/scripts/navigation.js"></script> <script src="/versions/v13/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v13/theme/scripts/settings.js"></script> <script src="/versions/v13/theme/scripts/tour/tour-relationships.js"></script> </body> </html>