{
	"id": "31222b6a-05d9-4582-ab2b-966a68a80dd1",
	"created_at": "2026-04-06T00:17:59.95619Z",
	"updated_at": "2026-04-10T03:34:23.486138Z",
	"deleted_at": null,
	"sha1_hash": "68bc957fec77d143470f7e36d8090203656dbfc8",
	"title": "malware-ioc/evilnum at master · eset/malware-ioc",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40292,
	"plain_text": "malware-ioc/evilnum at master · eset/malware-ioc\r\nBy eset-research\r\nArchived: 2026-04-05 13:20:53 UTC\r\nSHA-1 malware | Filename malware | Legitimate App | Possible legitimate SHA-1\r\nB3094794A9D2A5C16D0A95D236FB1FAAD6973F8E | SynTPHelp.exe | Synaptics Pointing Device Driver | 40DAF0E93B2F6C7DA0A48DAC65113C19B993C\r\n5329EFEA85D725228FCCFA39494EFD086FA786C4 | DSBTray.exe | HD Audio Background Process | 2FEAE85AA80C64E3AC75B25C58246DFB76184\r\nAF12FD706F24B5296916FD85AF815541CC8FB810 | tvw32.exe | Intel USB 3.0 installer | 22C4F55BBA23E9B886923784E7BAB8E95C33D\r\nB56122668F30F678D60753EE4D13EBE8E1E2F395 | chrmtsp.exe | Tencentdl | 7D6AFAC88CD869BF0DB8ED401EAF652FE75BC\r\n0C8F24DAA4489329D0CDD4A82B3B45DAD14CA024 | nvstregs.exe | Windows Installer Table Creator | B2824928A60B3C129E257F16F41CDD5DD2365\r\nFC7DC9ECF1E2B931EAB2B653070CAEAE8FC78BEB | RAVCp64.exe | Java Platform SE 8 U131 | 2D3452A5B430F3DCDBEDBEAA78CCFA0E0E37C\r\nAF5F9CD45757F928E5BCC6F50BCD62AAB50119C1 | fsnotifier32.exe | Google Update Core | 14FDFFEB640F897C120870155F7FB2C8EA62A\r\nF18BA69C54664E0BC801E9DE4D7096DD3B4EC3B8 | RdrCER.exe | Google Crash Handler | ACD6F130238FE953EC023CC3C3C596384CAB2\r\nBDC58CFB499E96695386B722053B52AF66EA3372 | nvsmartmaxapps.exe | NVIDIA nView Toolbar | 3032C3AF72C4462EF7587CCB5732D6B579B89\r\n09448ADB01064F9E9ECC38B8274FA7D7AF6C9423 | runnerw32.exe | NVIDIA GeForce 3D Vision | 633E8B759929B35A19D9424DFDA4512176C48\r\n919C812C524EAE95781E64FE9B9B035542727FD0 | MagicTransfers.exe | NVIDIA Uninstaller Utility (unsigned) | 738020EBFDAEBE59F7F0AECBAC9DCBEE3CA62\r\nC8458A1568639EA2270E1845B0A386FF75C23421 | nvstviews.exe | ALPS Setup | B1C248AD370D1ACE6FA03572CE1AE6297E14A\r\n[Note: every value in the \"Possible legitimate SHA-1\" column is cut off at 37 hex characters in this capture (a full SHA-1 is 40); take the complete values from the source before using them for matching or allow-listing.]\r\nSource: https://github.com/eset/malware-ioc/tree/master/evilnum",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://github.com/eset/malware-ioc/tree/master/evilnum"
	],
	"report_names": [
		"evilnum"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434679,
	"ts_updated_at": 1775792063,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/68bc957fec77d143470f7e36d8090203656dbfc8.pdf",
		"text": "https://archive.orkl.eu/68bc957fec77d143470f7e36d8090203656dbfc8.txt",
		"img": "https://archive.orkl.eu/68bc957fec77d143470f7e36d8090203656dbfc8.jpg"
	}
}