malware-mutex

Muteces (mutexes/mutants) used by various malware families

Hardcoded strings:

Hardcoded constants, can be easily tracked in a blacklist

Predicated:

Some algorithm is used to generate a constant.
The constant is usually derived from the following components and added/mixed together via some algorithm:

• SID
• UID
• GUID
• Hostname
• Username
• Current time
• Current date
• Windows' Product ID
• CRC32 checksum of binary
• Using APIs for generation and then concatonating: GetComputerNameA/GetEnvironmentVariableW

Malware Family	Observed/hardcoded Mutex
AsyncRAT	AsyncMutex_6SI8OkPnk
Azorult	A4gds89g46dfgs
Babuk old ransomware	chichigotmanagedyou
Babuk v3 ransomware	babuk_v3
Babuk v3 ransomware	DoYouWantToHaveSexWithCuongDong
BlackBasta ransomware	dsajdhas.0
BlackStore ransomware	Global\BlackStoreMutex
BoratRAT	BoratRatMutex_Sa8XOfH1BudX
Brolux trojan	...SB...
BunnyLoader	BunnyLoader_MUTEXCONTROL
Conti ransomware	kjsidugidf99439
Conti ransomware	hsfjuukjzloqu28oajh727190
Conti ransomware	kasKDJSAFJauisiudUASIIQWUA82
Cylance Ransomware	CylanceMutex
CystLoader	Global\syst*
DarkBit ransomware	Global\dbdbdbdb
DarkComet RAT	DC_MUTEX-70ALC2H
DarkRATv2	Local\3mCUq1z
DarkRATv2	Local\mutextest
DarkRATv2	Local\qwertqewyt
DarkRATv2	Local$myprogram$
DarkSide	Global\3e93e49583d6401ba148cd68d1f84af7
DiceLoader	Global\%08x
Dustman Wiper	"""Down With Bin Salman"""
Emotet	Global\I98B68E3C
Emotet	M3EC19644
Emotet (later)	Emotet later indroduced Mutex generation algorithm
FFDroider stealer	37238328-1324242-5456786-8fdff0-67547552436675
Flaccidrose RAT	xmutex
FlawedAmmy RAT	Ammyy
FlawedAmmy RAT	Popss
HelloKitty ransomware	HELLOKITTYMutex
Hermes 2.1 ransomware	tech
Kraken ransomware	Microsoft-Kraken-[ComputerName] Insert your comp name
Lockbit	\BaseNamedObjects\{3FE573D4-3FE5-DD38-399C-886767BD8875}
LockBit	Global{BEF590BE-11A6-442A-A85B-656C1081E04C}
Makop ransomware	m23071644
MarkiRAT	Global\{2194ABA1-BFFA-4e6b-8C26-D1BB20190312}
MRAC	=MRAC=
Nefilim ransomware	ONA MOYA ROZA I YA EE LUBLUUUUUUUU, ONA MOYA DOZA - SEGODNYA ZATYANU
NjRAT	60909ccdd0662558d215dc57445a446d
NetDooka RAT	3f0d73e2-4b8e-4539-90fd-812330bb39c8
Nemty 2.5	Vremya tik-tak... Odinochestvo moi simvol...
Nemty 2.6	edu v magazi gucccchi v spb, grrrrrraa,
Odinaff trojan	Sr2W06mW
Pandora ransomware	ThisIsMutexa
PhobosImposter	XO1XADpO01
Poison Ivy RAT	)!VoqA.I4
PrincessEvolution ransomware	hoJUpcvgHA
PlugX	Global\ReStart0
PlugX	Global\DelSelf(00000000) (where the zeros are the process ID in hexadecimal format, prepended with zeros to ensure 8 digits are used)
Pushdo/Cutwail	gangrenb
Pushdo/Cutwail	germeonb
Pushdo/Cutwail	crypt32LogOffPortEvent
RemcosRAT	Remcos_Mutex_Inj
Reyptson	-=Reyptson=-
RevengeRAT	RV_MUTEX-UlgZblRvZwfR
Rhadamanthys	Global\MSCTF.Asm.{digits}
Scarabey	STOPSCARABSTOPSCARABSTOPSCARABSTOPSCARABSTOPSCARAB
SnipBot	SnipMutex
SolidBit ransomware	ec03f91ae56e478455e3786e91559194
SparrowDoor	Global\gup0
SunCrypt ransomware	\Sessions\2\BaseNamedObjects\0c91c96fd7124f21a0193cf842e3495f6daf84a394f44013e92a87ad9d2ef4a0ceec9dd2e2eca22e
TrickBot	Global\TrickBot
Unknown	!SHMSFTHISTORY!
Unknown	290541776
Unknown	5BB0650C
Unknown	mymutsglwork
Unknown	psec_once
Unknown	Security Tool
Unknown	XGBPPAQHSE
Unknown	YMING
Unknown Loader	11171909
Unknown Ransomware	With best wishes And good intentions...
Unknown RAT	Ghy52kl69kmspgG
Unknown Trojan	DANCHODANCHEV_AND_BRIANKREBS_GOT_MARRIED
Xpert RAT	V1B5S2E0-T6R4-C4O1-P7F0-W443P1Y6T3M2
Yanluowang ransomware	\Sessions\1\BaseNamedObjects\SM0:pid:handle:WilStaging_02
WannaCry ransomware	MsWinZonesCacheCounterMutexA
Worm:W32/AutoIt.Q	6E523163793968624
Worm:Win32/Koobface.U (Facebook worm)	xx464dg433xx16
Worm/Allaple	jhdheruhfrthkgjhtjkghjk5trh
Worm/Allaple	jhdgcjhasgdc09890gjasgcjhg2763876uyg3fhg
Zegost (Backdoor)	WuSh B- Is Running!
Zegost (Backdoor)	0x18f73c