malware-mutex
Muteces (mutexes/mutants) used by various malware families
Hardcoded strings:
Hardcoded constants; these can be easily tracked in a blacklist.
Predicated:
Some algorithm generates the constant at runtime.
The constant is usually derived from the following components, added/mixed together via some algorithm:
- SID
- UID
- GUID
- Hostname
- Username
- Current time
- Current date
- Windows' Product ID
- CRC32 checksum of binary
- Values returned by APIs such as GetComputerNameA/GetEnvironmentVariableW, then concatenated
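Added example (not part of this repository): a small blacklist matcher over mutex names as a sandbox report or handle listing would show them. It folds the raw object-manager paths (`\BaseNamedObjects\X` and `\Sessions\<n>\BaseNamedObjects\X`) into the `Global\` / `Local\` namespaces before comparing, and it treats the table entries that are templates (`Global\%08x`, `DelSelf(00000000)`, `MSCTF.Asm.{digits}`, `Microsoft-Kraken-[ComputerName]`) as patterns. The regexes for those templates and the sample mutex list are assumptions constructed for the example; only a handful of the table's literal entries are included.

```python
import re
from typing import List, Optional, Tuple

# Literal (hardcoded) mutex names taken from the table on this page; the value is the family.
HARDCODED_MUTEXES = {
    "AsyncMutex_6SI8OkPnk": "AsyncRAT",
    "DC_MUTEX-70ALC2H": "DarkComet RAT",
    "Global\\TrickBot": "TrickBot",
    "MsWinZonesCacheCounterMutexA": "WannaCry ransomware",
    "Remcos_Mutex_Inj": "RemcosRAT",
}

# Entries the table records as templates rather than literals:
# (required scope or None, regex over the name part, family).
# How each placeholder expands is an assumption made for this example.
TEMPLATE_MUTEXES = [
    ("Global", re.compile(r"[0-9a-f]{8}"), "DiceLoader"),             # Global\%08x
    ("Global", re.compile(r"DelSelf\([0-9A-Fa-f]{8}\)"), "PlugX"),    # Global\DelSelf(<8-digit hex PID>)
    ("Global", re.compile(r"MSCTF\.Asm\.\d+"), "Rhadamanthys"),       # Global\MSCTF.Asm.{digits}
    (None, re.compile(r"Microsoft-Kraken-.+"), "Kraken ransomware"),  # Microsoft-Kraken-[ComputerName]
]

_SESSION_PREFIX = re.compile(r"\\Sessions\\\d+\\BaseNamedObjects\\", re.IGNORECASE)
_GLOBAL_PREFIX = "\\BaseNamedObjects\\"


def canonicalize(mutex: str) -> Tuple[Optional[str], str]:
    """Split a mutex name into (scope, name).

    scope is "Global", "Local" or None when no namespace prefix is present. The raw
    object-manager paths seen in sandbox reports are folded into the same two scopes:
    \\Sessions\\<n>\\BaseNamedObjects\\X is Local\\X and \\BaseNamedObjects\\X is Global\\X.
    A bare name is left scope-less so it can match a blacklist entry in either namespace.
    """
    m = _SESSION_PREFIX.match(mutex)
    if m:
        return "Local", mutex[m.end():]
    if mutex.lower().startswith(_GLOBAL_PREFIX.lower()):
        return "Global", mutex[len(_GLOBAL_PREFIX):]
    for scope in ("Global", "Local"):
        if mutex.lower().startswith(scope.lower() + "\\"):
            return scope, mutex[len(scope) + 1:]
    return None, mutex


def classify(mutex: str) -> Optional[str]:
    """Return the family a mutex name is attributed to, or None.

    A blacklist entry without a namespace prefix matches in either namespace; an entry
    with an explicit Global\\ or Local\\ prefix must also match the observed scope.
    """
    scope, name = canonicalize(mutex)
    for entry, family in HARDCODED_MUTEXES.items():
        entry_scope, entry_name = canonicalize(entry)
        if entry_name == name and (entry_scope is None or scope is None or entry_scope == scope):
            return family
    for required_scope, pattern, family in TEMPLATE_MUTEXES:
        if required_scope is not None and scope != required_scope:
            continue
        if pattern.fullmatch(name):
            return family
    return None


def scan(mutexes) -> List[Tuple[str, str]]:
    """Run classify() over observed mutex names and return (mutex, family) hits."""
    hits = []
    for mutex in mutexes:
        family = classify(mutex)
        if family is not None:
            hits.append((mutex, family))
    return hits


# Constructed sample of mutex names in the forms a sandbox report or handle dump would list them.
SAMPLE_MUTEXES = [
    "\\Sessions\\1\\BaseNamedObjects\\AsyncMutex_6SI8OkPnk",  # AsyncRAT, session-local raw path
    "\\BaseNamedObjects\\TrickBot",                             # TrickBot, global raw path
    "Global\\0000abcd",                                         # DiceLoader template (Global\%08x)
    "Global\\DelSelf(00001a2c)",                                # PlugX, PID 0x1a2c zero-padded
    "Global\\MSCTF.Asm.123456",                                 # Rhadamanthys template
    "Local\\MSCTF.Asm.123456",                                  # same name, wrong scope: no hit
    "Microsoft-Kraken-DESKTOP-TEST01",                          # Kraken with a constructed host name
    "Local\\SomeLegitAppMutex",                                 # benign, no hit
    "Global\\TrickBotX",                                        # near miss, no hit
]

if __name__ == "__main__":
    for mutex, family in scan(SAMPLE_MUTEXES):
        print(f"{family:20} {mutex}")
```

The scope check matters in practice: the table records some names with `Global\` and others bare, and sandbox output usually gives the fully qualified path, so comparing raw strings misses hits in both directions. Predicated (generated) names cannot be matched this way at all; for those the generation algorithm itself has to be modelled.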
| Malware Family | Observed/hardcoded Mutex |
|---|---|
| AsyncRAT | AsyncMutex_6SI8OkPnk |
| Azorult | A4gds89g46dfgs |
| Babuk old ransomware | chichigotmanagedyou |
| Babuk v3 ransomware | babuk_v3 |
| Babuk v3 ransomware | DoYouWantToHaveSexWithCuongDong |
| BlackBasta ransomware | dsajdhas.0 |
| BlackStore ransomware | Global\BlackStoreMutex |
| BoratRAT | BoratRatMutex_Sa8XOfH1BudX |
| Brolux trojan | ...SB... |
| BunnyLoader | BunnyLoader_MUTEXCONTROL |
| Conti ransomware | kjsidugidf99439 |
| Conti ransomware | hsfjuukjzloqu28oajh727190 |
| Conti ransomware | kasKDJSAFJauisiudUASIIQWUA82 |
| Cylance Ransomware | CylanceMutex |
| CystLoader | Global\syst* |
| DarkBit ransomware | Global\dbdbdbdb |
| DarkComet RAT | DC_MUTEX-70ALC2H |
| DarkRATv2 | Local\3mCUq1z |
| DarkRATv2 | Local\mutextest |
| DarkRATv2 | Local\qwertqewyt |
| DarkRATv2 | Local$myprogram$ |
| DarkSide | Global\3e93e49583d6401ba148cd68d1f84af7 |
| DiceLoader | Global\%08x |
| Dustman Wiper | "Down With Bin Salman" |
| Emotet | Global\I98B68E3C |
| Emotet | M3EC19644 |
| Emotet (later) | Emotet later introduced a mutex generation algorithm |
| FFDroider stealer | 37238328-1324242-5456786-8fdff0-67547552436675 |
| Flaccidrose RAT | xmutex |
| FlawedAmmy RAT | Ammyy |
| FlawedAmmy RAT | Popss |
| HelloKitty ransomware | HELLOKITTYMutex |
| Hermes 2.1 ransomware | tech |
| Kraken ransomware | Microsoft-Kraken-[ComputerName] (where [ComputerName] is the victim's computer name) |
| Lockbit | \BaseNamedObjects\{3FE573D4-3FE5-DD38-399C-886767BD8875} |
| LockBit | Global{BEF590BE-11A6-442A-A85B-656C1081E04C} |
| Makop ransomware | m23071644 |
| MarkiRAT | Global\{2194ABA1-BFFA-4e6b-8C26-D1BB20190312} |
| MRAC | =MRAC= |
| Nefilim ransomware | ONA MOYA ROZA I YA EE LUBLUUUUUUUU, ONA MOYA DOZA - SEGODNYA ZATYANU |
| NjRAT | 60909ccdd0662558d215dc57445a446d |
| NetDooka RAT | 3f0d73e2-4b8e-4539-90fd-812330bb39c8 |
| Nemty 2.5 | Vremya tik-tak... Odinochestvo moi simvol... |
| Nemty 2.6 | edu v magazi gucccchi v spb, grrrrrraa, |
| Odinaff trojan | Sr2W06mW |
| Pandora ransomware | ThisIsMutexa |
| PhobosImposter | XO1XADpO01 |
| Poison Ivy RAT | )!VoqA.I4 |
| PrincessEvolution ransomware | hoJUpcvgHA |
| PlugX | Global\ReStart0 |
| PlugX | Global\DelSelf(00000000) (where the zeros are the process ID in hexadecimal, zero-padded to 8 digits) |
| Pushdo/Cutwail | gangrenb |
| Pushdo/Cutwail | germeonb |
| Pushdo/Cutwail | crypt32LogOffPortEvent |
| RemcosRAT | Remcos_Mutex_Inj |
| Reyptson | -=Reyptson=- |
| RevengeRAT | RV_MUTEX-UlgZblRvZwfR |
| Rhadamanthys | Global\MSCTF.Asm.{digits} |
| Scarabey | STOPSCARABSTOPSCARABSTOPSCARABSTOPSCARABSTOPSCARAB |
| SolidBit ransomware | ec03f91ae56e478455e3786e91559194 |
| SparrowDoor | Global\gup0 |
| SunCrypt ransomware | \Sessions\2\BaseNamedObjects\0c91c96fd7124f21a0193cf842e3495f6daf84a394f44013e92a87ad9d2ef4a0ceec9dd2e2eca22e |
| TrickBot | Global\TrickBot |
| Unknown | !SHMSFTHISTORY! |
| Unknown | 290541776 |
| Unknown | 5BB0650C |
| Unknown | mymutsglwork |
| Unknown | psec_once |
| Unknown | Security Tool |
| Unknown | XGBPPAQHSE |
| Unknown | YMING |
| Unknown Loader | 11171909 |
| Unknown Ransomware | With best wishes And good intentions... |
| Unknown RAT | Ghy52kl69kmspgG |
| Unknown Trojan | DANCHODANCHEV_AND_BRIANKREBS_GOT_MARRIED |
| Xpert RAT | V1B5S2E0-T6R4-C4O1-P7F0-W443P1Y6T3M2 |
| Yanluowang ransomware | \Sessions\1\BaseNamedObjects\SM0:pid:handle:WilStaging_02 |
| WannaCry ransomware | MsWinZonesCacheCounterMutexA |
| Worm:W32/AutoIt.Q | 6E523163793968624 |
| Worm:Win32/Koobface.U (Facebook worm) | xx464dg433xx16 |
| Worm/Allaple | jhdheruhfrthkgjhtjkghjk5trh |
| Worm/Allaple | jhdgcjhasgdc09890gjasgcjhg2763876uyg3fhg |
| Zegost (Backdoor) | WuSh B- Is Running! |
| Zegost (Backdoor) | 0x18f73c |