{
	"id": "86d0a5f6-34a0-40a1-8212-2b221da385d4",
	"created_at": "2026-04-06T00:18:38.190262Z",
	"updated_at": "2026-04-10T03:30:55.447072Z",
	"deleted_at": null,
	"sha1_hash": "583b0e438953e7a5fbd242e0c16e18d55f3e44da",
	"title": "HALFBAKED (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31250,
	"plain_text": "HALFBAKED (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:29:32 UTC\r\nHALFBAKED\r\nActor(s): Anunak\r\nThe HALFBAKED malware family consists of multiple components designed to establish and maintain a\r\nfoothold in victim networks, with the ultimate goal of gaining access to sensitive financial information.\r\nHALFBAKED listens for the following commands from the C2 server:\r\ninfo: Sends victim machine information (OS, processor, BIOS and running processes) using WMI\r\nqueries\r\nprocessList: Sends a list of running processes\r\nscreenshot: Takes a screenshot of the victim machine (using 58d2a83f777688.78384945.ps1)\r\nrunvbs: Executes a VB script\r\nrunexe: Executes an EXE file\r\nrunps1: Executes a PowerShell script\r\ndelete: Deletes the specified file\r\nupdate: Updates the specified file\r\nReferences\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked"
	],
	"report_names": [
		"vbs.halfbaked"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434718,
	"ts_updated_at": 1775791855,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/583b0e438953e7a5fbd242e0c16e18d55f3e44da.pdf",
		"text": "https://archive.orkl.eu/583b0e438953e7a5fbd242e0c16e18d55f3e44da.txt",
		"img": "https://archive.orkl.eu/583b0e438953e7a5fbd242e0c16e18d55f3e44da.jpg"
	}
}