{
	"id": "418cc622-a4b8-429b-a48e-7a09acf48736",
	"created_at": "2026-04-06T00:11:36.976597Z",
	"updated_at": "2026-04-10T03:30:57.241889Z",
	"deleted_at": null,
	"sha1_hash": "70c161844080204afb1a98d9a062e467eac3dafb",
	"title": "Sept 21 Greedy Shylock - financial malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 132038,
	"plain_text": "Sept 21 Greedy Shylock - financial malware\r\nArchived: 2026-04-05 19:47:13 UTC\r\nBesides, it should appear, that if he had\r\nThe present money to discharge the Jew,\r\nHe would not take it. Never did I know\r\nA creature, that did bear the shape of man,\r\nSo keen and greedy to confound a man:\r\n(The Merchant of Venice W. Shakespeare Act 3, Scene 2 )\r\nOn September 7, 2011, Trusteer announced they are investigating new financial malware they called Shylock that\r\n\"uses unique mechanisms not found in other financial malware toolkits, including: an improved method for\r\ninjecting code into additional browser processes to take control of the victim’s computer; a better evasion\r\ntechnique to prevent malware scanners from detecting its presence; a sophisticated watchdog service that allows it\r\nto resist removal attempts and restore operations\"\r\nTrusteer called the malware Shylock for Shakespeare quotes in the properties of the file.\r\npublisher....: He is ready at the door\r\ncopyright....: (c) 2009\r\nproduct......: He is\r\ndescription..: So keen and greedy to confound a man\r\nor\r\npublisher....: To take a tedious leave thus\r\ncopyright....: (c) 2008\r\nhttp://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html\r\nPage 1 of 6\r\nproduct......: To take\r\ndescription..: Exeunt GRATIANO and LORENZO\r\nor\r\npublisher....: And so riveted with faith unto\r\ncopyright....: (c) 2009\r\nproduct......: And so\r\ndescription..: And be a day before our husbands home\r\nor\r\npublisher....: Therefore he hates me\r\ncopyright....: (c) 2009\r\nproduct......: Therefore he\r\ndescription..: Thou almost makest me waver in my faith\r\nor\r\npublisher....: Which makes me think that this\r\ncopyright....: (c) 2009\r\nproduct......: Which makes\r\ndescription..: price of hogs if we grow all to be porkeaters we\r\nor\r\npublisher....: I humbly do desire your grace\r\ncopyright....: (c) 2009\r\nproduct......: I humbly\r\ndescription..: The dearest friend to me the kindest man\r\nand so on\r\nRead more about greedy Shylock from Merchant of Venice here. Read more about Shylock malware below\r\nExploit information and analysis links\r\nNew Trusteer Cybercrime Prevention Architecture Adds Browser Exploit Removal and Fraudster Machine\r\nFingerprinting to Arsenal - Trusteer\r\nSignature and Traffic - ET TROJAN Shylock Module Server Response Emerging sigs\r\nhttp://www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2\r\nDebugging Injected Code with IDA Pro by malwareninja\r\nShylock via volatility\r\nThe file is digitally signed by an invalid digital certificate - the CN may vary\r\n00 df 44 1a bc fc 5b 32 fa\r\nCN = Astothyfriendsforwhendidfriendshiptake\r\nThursday, August 18, 2011 7:08:46 PM\r\nWednesday, May 14, 2014 7:08:46 PM\r\nANTONIO I am as like to call thee so again,\r\nTo spit on thee again, to spurn thee too.\r\nIf thou wilt lend this money, lend it not\r\nAs to thy friends; for when did friendship take\r\nA breed for barren metal of his friend?\r\nBut lend it rather to thine enemy,\r\nWho, if he break, thou mayst with better face\r\nExact the penalty. (The Merchant of Venice W. Shakespeare Act 1, Scene 2 )\r\nGeneral File Information\r\nMD5:\r\n4fda5e7e8e682870e993f97ad26ba6b2\r\nbae400baf6760a1646cd44e348eea0f7\r\n742cfd2be5d44fa072802bd4b031e818\r\n1fd7cf2405ae599c1a91fe75912d18ff\r\nd74f5f045c4b0f1d61746ded3a2a152e\r\nfe17c2cddffd731ee6a34457121c6b20\r\na8ff900f5f3134a1f04d9217ab2d5dd0\r\n715fb3cef70458b857bd55a0259a1265 - unconfirmed - see this related\r\n5571be9c7b0d2e950bada71e72984e7a\r\n72ace5e603bb4a5e2d8ef4434dc31417\r\n9a8657a61daeafd7053017103ab53cd6\r\nFile Type: exe\r\nDownload\r\n4fda5e7e8e682870e993f97ad26ba6b2 (many thanks to Anthony Aykut from Frame4 for the sample)\r\nbae400baf6760a1646cd44e348eea0f7 (Many thanks to Anthony Aykut from Frame4 and EVILCRY for the\r\nsamples)\r\nDownload F7EDFF31835DA5E7D15FBB89508295D8 (many thanks to Jon Gross for the sample)\r\nDownload E1FF6F6D1B5467E5612AB36CD323A568 (many thanks to Jon Gross for the sample)\r\nEmail me if you need the password\r\nAutomated Scans\r\nOriginal scan:\r\nhttp://www.virustotal.com/file-scan/report.html?id=4c71d1e15287d7a90b0526c23dbe21400a65fe683eb75e88368696f1aa24ac21-1314121053\r\nFile name:\r\nd1b17c351bafc899ba14c84e09b5cc258a2195bf\r\n2011-08-23 17:37:33 (UTC)\r\nResult:4 /44 (9.1%)\r\nComodo     9847     2011.08.23     TrojWare.Win32.Trojan.Agent.Gen\r\nKaspersky     9.0.0.837     2011.08.23     UDS:DangerousObject.Multi.Generic\r\nSymantec     20111.2.0.82     2011.08.23     Suspicious.Cloud.5\r\nMD5   : 4fda5e7e8e682870e993f97ad26ba6b2\r\nScan dated today:\r\n4FDA5E7E8E682870E993F97AD26BA6B2\r\nSubmission date:2011-09-21 20:29:18 (UTC)\r\nCurrent status: Result:29 /43 (67.4%)\r\nhttp://www.virustotal.com/file-scan/report.html?id=4c71d1e15287d7a90b0526c23dbe21400a65fe683eb75e88368696f1aa24ac21-1316636958\r\nAhnLab-V3     2011.09.21.02     2011.09.21     Win-Trojan/Caphaw.371800\r\nAntiVir     7.11.15.3     2011.09.21     TR/Agent.hvbv\r\nAvast     4.8.1351.0     2011.09.18     Win32:Malware-gen\r\nAvast5     5.0.677.0     2011.09.18     Win32:Malware-gen\r\nAVG     10.0.0.1190     2011.09.21     Agent3.AETB\r\nBitDefender     7.2     2011.09.21     Gen:Variant.Kazy.35924\r\nCAT-QuickHeal     11.00     2011.09.21     Trojan.Agent.hvbv\r\nComodo     10196     2011.09.21     TrojWare.Win32.Trojan.Agent.Gen\r\nEmsisoft     5.1.0.11     2011.09.21     Backdoor.Win32.Caphaw!IK\r\nF-Secure     9.0.16440.0     2011.09.21     Gen:Variant.Kazy.35924\r\nFortinet     4.3.370.0     2011.09.21     W32/Agent.TDB!tr\r\nGData     22     2011.09.21     Gen:Variant.Kazy.35924\r\nIkarus     T3.1.1.107.0     2011.09.21     Backdoor.Win32.Caphaw\r\nKaspersky     9.0.0.837     2011.09.21     Trojan.Win32.Agent.hvbv\r\nMcAfee     5.400.0.1158     2011.09.21     Artemis!4FDA5E7E8E68\r\nMcAfee-GW-Edition     2010.1D     2011.09.21     Artemis!4FDA5E7E8E68\r\nMicrosoft     1.7604     2011.09.21     Backdoor:Win32/Caphaw.A\r\nNOD32     6483     2011.09.21     a variant of Win32/Kryptik.SHX\r\nNorman     6.07.11     2011.09.21     W32/Suspicious_Gen2.QKYDE\r\nnProtect     2011-09-21.02     2011.09.21     Gen:Variant.Kazy.35924\r\nPanda     10.0.3.5     2011.09.21     Generic Trojan\r\nPCTools     8.0.0.5     2011.09.21     Trojan.Gen\r\nSophos     4.69.0     2011.09.21     Troj/Agent-TDB\r\nTheHacker     6.7.0.1.304     2011.09.21     Trojan/Agent.hvbv\r\nTrendMicro     9.500.0.1008     2011.09.21     TROJ_GEN.R4FC2IH\r\nTrendMicro-HouseCall     9.500.0.1008     2011.09.21     TROJ_GEN.R4FC2IH\r\nVBA32     3.12.16.4     2011.09.21     Trojan.Agent.hvbv\r\nVIPRE     10545     2011.09.21     Trojan.Win32.Generic!BT\r\nVirusBuster     14.0.225.0     2011.09.21     Trojan.Agent!WmW5mI7QqD8\r\nMD5   : 4fda5e7e8e682870e993f97ad26ba6b2\r\nTraffic information from http://article.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/12975/match=shylock\r\nHTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 21 Aug 2011 23:48:10 GMT\r\nContent-Type: text/plain; charset=UTF-8\r\nContent-Length: 39\r\nConnection: keep-alive\r\nKeep-Alive: timeout=20\r\nX-Powered-By: PHP/5.2.17\r\nCache-Control: max-age=0\r\nExpires: Sun, 21 Aug 2011 23:47:40 GMT\r\n###ERROR_SRC###yes###ERROR_SRC_END###\r\n-----\r\nhxxp://nw-serv[.]cc/client.html\r\nhxxp://m-sservices[.]at/client.html\r\nhxxp://webhelper[.]at/client.html\r\nhxxp://globstorage[.]at/client.html\r\nhxxp://additional-group[.]at/client.html\r\nnw-serv.cc 91.223.180.66\r\nm-sservices.at 92.60.177.233\r\nwebhelper.at 92.60.177.235\r\nglobstorage.at 92.60.177.230\r\nadditional-group.at 93.190.45.75\r\n91.223.180.66 \"56485 | UA | ripencc | 2011-03-02 | THEHOST-AS FOP\r\nSedinkin Olexandr Valeriyovuch\"\r\n92.60.177.233 \"15772 | UA | ripencc | 2000-10-10 | WNET LLC W Net Ukraine\"\r\n92.60.177.235 \"15772 | UA | ripencc | 2000-10-10 | WNET LLC W Net Ukraine\"\r\n92.60.177.230 \"15772 | UA | ripencc | 2000-10-10 | WNET LLC W Net Ukraine\"\r\n93.190.45.75 \"6849 | UA | ripencc | 1996-11-29 | UKRTELNET JSC UKRTELECOM,\"\r\nSource: http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html"
	],
	"report_names": [
		"sept-21-greedy-shylock-financial.html"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434296,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70c161844080204afb1a98d9a062e467eac3dafb.pdf",
		"text": "https://archive.orkl.eu/70c161844080204afb1a98d9a062e467eac3dafb.txt",
		"img": "https://archive.orkl.eu/70c161844080204afb1a98d9a062e467eac3dafb.jpg"
	}
}