# malware-mutex

Mutexes (also called mutants) used by various malware families.

## Hardcoded strings

Hardcoded constants; these can easily be tracked in a blacklist.

## Predictable (generated)

An algorithm generates the constant at run time. It is usually derived from one or more of the following components, added or mixed together by some algorithm:

- SID
- UID
- GUID
- Hostname
- Username
- Current time
- Current date
- Windows Product ID
- CRC32 checksum of the binary
- Values returned by APIs such as GetComputerNameA / GetEnvironmentVariableW, then concatenated
| Malware family | Observed/hardcoded mutex |
|---|---|
| AsyncRAT | `AsyncMutex_6SI8OkPnk` |
| Azorult | `A4gds89g46dfgs` |
| Babuk old ransomware | `chichigotmanagedyou` |
| Babuk v3 ransomware | `babuk_v3` |
| Babuk v3 ransomware | `DoYouWantToHaveSexWithCuongDong` |
| BlackBasta ransomware | `dsajdhas.0` |
| BlackStore ransomware | `Global\BlackStoreMutex` |
| BoratRAT | `BoratRatMutex_Sa8XOfH1BudX` |
| Brolux trojan | `...SB...` |
| BunnyLoader | `BunnyLoader_MUTEXCONTROL` |
| Conti ransomware | `kjsidugidf99439` |
| Conti ransomware | `hsfjuukjzloqu28oajh727190` |
| Conti ransomware | `kasKDJSAFJauisiudUASIIQWUA82` |
| Cylance Ransomware | `CylanceMutex` |
| CystLoader | `Global\syst*` |
| DarkBit ransomware | `Global\dbdbdbdb` |
| DarkComet RAT | `DC_MUTEX-70ALC2H` |
| DarkRATv2 | `Local\3mCUq1z` |
| DarkRATv2 | `Local\mutextest` |
| DarkRATv2 | `Local\qwertqewyt` |
| DarkRATv2 | `Local$myprogram$` |
| DarkSide | `Global\3e93e49583d6401ba148cd68d1f84af7` |
| DiceLoader | `Global\%08x` |
| Dustman Wiper | `"""Down With Bin Salman"""` |
| Emotet | `Global\I98B68E3C` |
| Emotet | `M3EC19644` |
| Emotet (later) | Emotet later introduced a mutex generation algorithm |
| FFDroider stealer | `37238328-1324242-5456786-8fdff0-67547552436675` |
| Flaccidrose RAT | `xmutex` |
| FlawedAmmy RAT | `Ammyy` |
| FlawedAmmy RAT | `Popss` |
| HelloKitty ransomware | `HELLOKITTYMutex` |
| Hermes 2.1 ransomware | `tech` |
| Kraken ransomware | `Microsoft-Kraken-[ComputerName]` (where `[ComputerName]` is the victim host's computer name) |
| Lockbit | `\BaseNamedObjects\{3FE573D4-3FE5-DD38-399C-886767BD8875}` |
| LockBit | `Global{BEF590BE-11A6-442A-A85B-656C1081E04C}` |
| Makop ransomware | `m23071644` |
| MarkiRAT | `Global\{2194ABA1-BFFA-4e6b-8C26-D1BB20190312}` |
| MRAC | `=MRAC=` |
| Nefilim ransomware | `ONA MOYA ROZA I YA EE LUBLUUUUUUUU, ONA MOYA DOZA - SEGODNYA ZATYANU` |
| NjRAT | `60909ccdd0662558d215dc57445a446d` |
| NetDooka RAT | `3f0d73e2-4b8e-4539-90fd-812330bb39c8` |
| Nemty 2.5 | `Vremya tik-tak... Odinochestvo moi simvol...` |
| Nemty 2.6 | `edu v magazi gucccchi v spb, grrrrrraa,` |
| Odinaff trojan | `Sr2W06mW` |
| Pandora ransomware | `ThisIsMutexa` |
| PhobosImposter | `XO1XADpO01` |
| Poison Ivy RAT | `)!VoqA.I4` |
| PrincessEvolution ransomware | `hoJUpcvgHA` |
| PlugX | `Global\ReStart0` |
| PlugX | `Global\DelSelf(00000000)` (where the zeros are the process ID in hexadecimal, left-padded with zeros to 8 digits) |
| Pushdo/Cutwail | `gangrenb` |
| Pushdo/Cutwail | `germeonb` |
| Pushdo/Cutwail | `crypt32LogOffPortEvent` |
| RemcosRAT | `Remcos_Mutex_Inj` |
| Reyptson | `-=Reyptson=-` |
| RevengeRAT | `RV_MUTEX-UlgZblRvZwfR` |
| Rhadamanthys | `Global\MSCTF.Asm.{digits}` |
| Scarabey | `STOPSCARABSTOPSCARABSTOPSCARABSTOPSCARABSTOPSCARAB` |
| SnipBot | `SnipMutex` |
| SolidBit ransomware | `ec03f91ae56e478455e3786e91559194` |
| SparrowDoor | `Global\gup0` |
| SunCrypt ransomware | `\Sessions\2\BaseNamedObjects\0c91c96fd7124f21a0193cf842e3495f6daf84a394f44013e92a87ad9d2ef4a0ceec9dd2e2eca22e` |
| TrickBot | `Global\TrickBot` |
| Unknown | `!SHMSFTHISTORY!` |
| Unknown | `290541776` |
| Unknown | `5BB0650C` |
| Unknown | `mymutsglwork` |
| Unknown | `psec_once` |
| Unknown | `Security Tool` |
| Unknown | `XGBPPAQHSE` |
| Unknown | `YMING` |
| Unknown Loader | `11171909` |
| Unknown Ransomware | `With best wishes And good intentions...` |
| Unknown RAT | `Ghy52kl69kmspgG` |
| Unknown Trojan | `DANCHODANCHEV_AND_BRIANKREBS_GOT_MARRIED` |
| Xpert RAT | `V1B5S2E0-T6R4-C4O1-P7F0-W443P1Y6T3M2` |
| Yanluowang ransomware | `\Sessions\1\BaseNamedObjects\SM0:pid:handle:WilStaging_02` |
| WannaCry ransomware | `MsWinZonesCacheCounterMutexA` |
| Worm:W32/AutoIt.Q | `6E523163793968624` |
| Worm:Win32/Koobface.U (Facebook worm) | `xx464dg433xx16` |
| Worm/Allaple | `jhdheruhfrthkgjhtjkghjk5trh` |
| Worm/Allaple | `jhdgcjhasgdc09890gjasgcjhg2763876uyg3fhg` |
| Zegost (Backdoor) | `WuSh B- Is Running!` |
| Zegost (Backdoor) | `0x18f73c` |