Artifacts
Artifacts are malware samples used to emulate various types of cyber threats. They are essential components of the platform's testing and validation processes, allowing organizations to emulate real-world attack scenarios in a controlled environment.
Each artifact represents a specific type of threat and is designed to mimic the behavior of actual cyberattacks.

Artifact Categories in EVE
The EVE platform organizes artifacts into several categories that describe how a sample is constructed and how it behaves during an emulation. These categories help security teams understand the level of realism, transformation, and evasion techniques applied to each artifact.
Artifacts can belong to a single category or a combination of categories, such as Known, Obfuscated, Forced, or combinations like Known-Obfuscated. This classification allows organizations to select artifacts that best align with the threat scenarios they want to emulate and the level of sophistication they want to test against.
Known
Known artifacts are samples that are well identified and commonly recognized by the cybersecurity community. These samples correspond to malware families, tools, or techniques that have been previously observed in real-world attacks and are documented by threat intelligence sources.
The naming of these artifacts follows a structured convention aligned with commonly used industry naming, allowing analysts and defenders to easily identify the type of threat being emulated and its relationship to known campaigns, tools, or malware families.
Testing with Known artifacts allows organizations to validate whether their security controls are capable of detecting threats that are already publicly documented. These artifacts are useful for validating baseline detection capabilities across security technologies such as endpoint protection platforms, EDR solutions, network security controls, and SIEM systems.
Obfuscated
Obfuscated artifacts are samples that have undergone a process of code transformation designed to disguise their structure and behavior, making them more difficult for security tools to detect using traditional signature-based methods.
These artifacts emulate more sophisticated threats that rely on evasion techniques to bypass security controls. The purpose of these artifacts is to simulate adversaries who deliberately manipulate code in order to evade detection and analysis.
The obfuscation techniques applied to these artifacts take into account common obfuscation methods documented in the MITRE ATT&CK framework, particularly techniques such as Mutation and Virtualization.
Mutation-based obfuscation involves altering the internal structure of the code while preserving its functionality. This may include actions such as:
Modifying instruction sequences
Rewriting control flows
Renaming variables or functions
Inserting nonfunctional or junk instructions
Encoding or transforming parts of the payload
These changes produce multiple unique versions of the same artifact, making it more difficult for static signatures or hash-based detection mechanisms to identify the sample.
Virtualization-based obfuscation introduces an additional layer of complexity by executing the malicious logic inside a custom virtual machine or interpreter embedded in the artifact. In this approach, the original instructions are translated into a set of virtual instructions that are executed by an internal runtime engine. This abstraction layer hides the real logic of the artifact, making analysis and detection significantly more challenging.
By incorporating these techniques, Obfuscated artifacts allow organizations to evaluate whether their security stack can detect threats that intentionally attempt to evade detection mechanisms.
Forced
Forced artifacts are samples that have been encrypted through a proprietary process implemented by Reveald. In this category, the original sample, which may belong to any other category such as Known or Obfuscated, is encrypted before being delivered to the endpoint.
The encrypted artifact can only be decrypted by the EVE agent during the download phase on the endpoint. This controlled decryption process ensures that the artifact remains protected during distribution and cannot be easily analyzed or intercepted before execution.
This mechanism provides several benefits. First, it allows artifacts to be delivered in a secure and controlled manner, preventing exposure of the original sample during transit. Second, it enables the platform to avoid premature detection by security tools that may inspect files before they reach the endpoint environment.
Forced artifacts therefore simulate scenarios where payloads are protected or concealed until execution, providing a realistic method for testing how security solutions behave when malicious content becomes visible only at runtime.
Zero
Zero artifacts are custom samples generated on demand by Reveald. Unlike Known artifacts, which are based on previously identified threats, Zero artifacts are dynamically created to simulate new or unknown attack conditions.
These artifacts are designed to help organizations evaluate their defenses against previously unseen threats, similar to zero-day scenarios where no known signatures or indicators exist.
By using Zero artifacts, security teams can assess whether their defenses rely solely on known threat intelligence or whether they can also detect suspicious behavior and anomalous activity, which is critical for identifying emerging threats and advanced adversaries.
Naming Conventions for Artifacts
Artifacts in EVE are named according to a structured nomenclature that provides clarity and consistency. The naming convention varies depending on whether the artifact is a known, generic, or modified sample.
Known Artifacts (Named)
For named known artifacts, the structure is as follows:
Sample Name: The most common name of the sample, usually found through research on platforms like VirusTotal.
Malware Type: The abbreviation of the malware type from the provided list (e.g., Ransom for ransomware).
Extension: Always .exe.
Example: WannaCry.Ransom.exe
Generic Artifacts
For generic known artifacts, the structure is:
First 5 characters of SHA256: A unique identifier derived from the sample's hash.
Malware Type: The abbreviation of the malware type from the provided list.
Extension: Always .exe.
Example: e54d1.Adware.exe
Modified Artifacts
Modified artifacts follow similar naming conventions to known artifacts but include an additional identifier for obfuscation or other modifications:
Obf: Indicates that the sample has been obfuscated.
Extension: Always .exe.
Example: WannaCry.Ransom.Obf.exe or e54d1.Adware.Obf.exe
Special Cases
Variants: If a sample has variants, these are specified with a "V" followed by the variant number:
Example: PetyaRedV2.Ransom.Obf.exe
Re-Obfuscated Samples: If a sample has been obfuscated multiple times, the subsequent obfuscation is indicated by a consecutive number:
Example: PetyaRedV2.Ransom.Obf.2.exe
Encrypted Samples (Forced): For samples that have been encrypted, the name includes the identifier "F" for forced:
Example: PetyaRedV2.Ransom.F.exe
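The naming rules above (named and generic known samples, the Obf modifier with its re-obfuscation counter, V-suffixed variants and the F marker for forced samples) together with the category combinations from the "Artifact Categories in EVE" section are compact enough to encode in a small parser. The following is an added example written for this page; it is not part of the EVE documentation or Reveald's code. It assumes that a generic artifact is recognised by a sample field of exactly five hexadecimal characters, that a variant is always a trailing "V<n>" on the sample name, that the re-obfuscation counter starts at 2 (plain ".Obf" being the first round), and that Obf and F may be combined in one name (e.g. ".Obf.F.exe") since the page says a Forced sample may originally be an Obfuscated one; none of those four points is spelled out on the page. The malware-type list the page refers to is not reproduced here, so the type abbreviation is accepted as written.

```python
"""Parser for the EVE artifact naming convention.

Added example, not part of the EVE documentation or Reveald's code. It
encodes only the rules stated on the page; anything beyond them is marked
as an assumption in the comments.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: a 5-character hex prefix is what distinguishes a "generic"
# artifact (named by SHA256 prefix, e.g. "e54d1") from a named one.
_GENERIC_RE = re.compile(r"^[0-9a-fA-F]{5}$")
# Assumption: a variant is written as a trailing "V<n>" on the sample name,
# as in "PetyaRedV2" on the page.
_VARIANT_RE = re.compile(r"^.+?V(?P<num>\d+)$")


class ArtifactNameError(ValueError):
    """Raised when a file name does not follow the documented convention."""


@dataclass(frozen=True)
class ArtifactName:
    sample: str                # sample name or 5-char SHA256 prefix, as written
    malware_type: str          # type abbreviation, e.g. "Ransom"
    generic: bool              # True when identified by hash prefix
    variant: Optional[int]     # from a trailing "V<n>" on the sample name
    obfuscation_round: int     # 0 = not obfuscated, 1 = ".Obf", n = ".Obf.n"
    forced: bool               # ".F" present (encrypted for EVE-agent delivery)

    @property
    def obfuscated(self) -> bool:
        return self.obfuscation_round > 0

    def categories(self) -> List[str]:
        """EVE categories implied by the name, e.g. ["Known", "Obfuscated"]."""
        cats = ["Known"]          # both named and generic samples are Known
        if self.obfuscated:
            cats.append("Obfuscated")
        if self.forced:
            cats.append("Forced")
        return cats

    def category_label(self) -> str:
        """Combined label in the page's style, e.g. "Known-Obfuscated"."""
        return "-".join(self.categories())


def parse_artifact_name(name: str) -> ArtifactName:
    """Parse "<sample>.<type>[.Obf[.n]][.F].exe" into its components."""
    parts = name.split(".")
    if len(parts) < 3 or parts[-1] != "exe":
        raise ArtifactNameError(f"expected '<sample>.<type>[...].exe': {name!r}")
    sample, malware_type, modifiers = parts[0], parts[1], parts[2:-1]
    if not sample or not malware_type:
        raise ArtifactNameError(f"empty sample or type field: {name!r}")

    generic = bool(_GENERIC_RE.match(sample))
    variant: Optional[int] = None
    if not generic:
        m = _VARIANT_RE.match(sample)
        if m:
            variant = int(m.group("num"))

    obf_round = 0
    forced = False
    i = 0
    while i < len(modifiers):
        tok = modifiers[i]
        if tok == "Obf":
            if obf_round:
                raise ArtifactNameError(f"duplicate 'Obf' modifier: {name!r}")
            obf_round = 1
            # A consecutive number after "Obf" marks a re-obfuscated sample;
            # assumption: it starts at 2 because plain ".Obf" is the first round.
            if i + 1 < len(modifiers) and modifiers[i + 1].isdigit():
                obf_round = int(modifiers[i + 1])
                if obf_round < 2:
                    raise ArtifactNameError(f"re-obfuscation count must be >= 2: {name!r}")
                i += 1
        elif tok == "F":
            if forced:
                raise ArtifactNameError(f"duplicate 'F' modifier: {name!r}")
            forced = True
        else:
            raise ArtifactNameError(f"unknown modifier {tok!r}: {name!r}")
        i += 1

    return ArtifactName(sample, malware_type, generic, variant, obf_round, forced)


def is_valid_artifact_name(name: str) -> bool:
    """True when the name parses under the convention above."""
    try:
        parse_artifact_name(name)
        return True
    except ArtifactNameError:
        return False


if __name__ == "__main__":
    # The page's own examples, run through the parser.
    for n in ["WannaCry.Ransom.exe", "e54d1.Adware.exe", "WannaCry.Ransom.Obf.exe",
              "PetyaRedV2.Ransom.Obf.exe", "PetyaRedV2.Ransom.Obf.2.exe",
              "PetyaRedV2.Ransom.F.exe"]:
        a = parse_artifact_name(n)
        print(f"{n:32} -> {a.category_label():18} {a}")
```

A parser like this is useful on the defender side: when an emulation run produces alerts, the artifact file name in the alert can be mapped back to the category that was exercised, so a detection gap can be attributed to "Known-Obfuscated" or "Known-Forced" rather than to a bare file name. Names that fail to parse are reported rather than silently accepted, which catches the kind of truncation seen in a mistyped extension.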
Malware Families Available
Upon customer request, these malware families are available for upload.
Families
7ev3n
9002Rat
ABCBot
AESRTRansomware
AMOS
ATMitch
AXLocker
AbaddonPOS
AceDeceiver
AcidRain
AcrStealer
ActionSpy
Adhubllka
AdvisorBot
AgendaRansomware
AgentTesla
AgnianeStealer
AilurophileStealer
AkiraRansomware
AlmondRAT
Amadey
Amavaldo
Android.Anatsa
Android.Anubis
Android.AwSpy
Android.BadMirror
Android.BlankBot
Android.Brata
Android.Bzy
Android.Chameleon
Android.CleaningService
Android.Coper
Android.Copybara
Android.Cynos
Android.FluBot
Android.Greywolf
Android.HookBot
Android.Hummingbad
Android.ItauSinc
Android.Joker
Android.MazarBot
Android.Medusa
Android.MobileOrder
Android.Mobtes
Android.Octo
Android.Psiphone
Android.RATMilad
Android.Rootnik
Android.Rummus
Android.Sharkbot
Android.SoumniBot
Android.SpyNote
Android.Teabot
Android.Vultur
Android.WyrmSpy
Android.Xavier
Android.Xbot
Andromeda
AnglerEK
AppleSeed
Arechclient2
AresLoader
Aria-Body
AridGopher
ArkeiStealer
Asbit
AsyncRAT
AteraAgent
Atharvan
AtlantidaStealer
AtlasAgent
AtomSilo
AuKill
AugustStealer
AuroraStealer
AveMaria
Aveo
AvosLockerRansomware
Azorult
AzovRansomware
B1txor20
BHUNTStealer
Babadeda
Babuk
BackMyDataRansomware
BadSpace
BandarChorRansomware
BanditStealer
Bandook
Bankshot
Banload
BansheeStealer
BartRansomware
Bartalex
BasBanke
Bashlite
BatchWiper
Batloader
BazarLoader
Bazarbackdoor
Bedep
BiBiWiper
BianLianRansomware
BitRAT
Bizarro
BlackBastaRansomware
BlackByte
BlackCatRansomware
BlackGuard
BlackLotus Bootkit
BlackMagicRansomware
BlackMatter
BlackRock
BlackSnakeRansomware
BlackTech
BlackholeEK
Blackmoon
Blacksoul
BlackwoodLoader
BlankGrabber
BlisterLoader
BlueFox
BlueSkyRansomware
BoldMove
BoratRAT
BotenaGo
BottomLoader
BouldSpy
BrasDex
Brbbot
BruteRatel
BuerLoader
BumbleBeeLoader
BunnyLoader
CABless-40444
CSInstaller
CTB-Locker
CVE-2008-2551
CVE-2015-0359
CVE-2017-10271
CVE-2017-11882
CVE-2018-0802
CVE-2018-4878
CVE-2020-1599
CVE-2022-22954
CacheFlow
CactusRansomware
CaddyWiper
CapraRAT
CatB
CenterPOS
CerberRansomware
CertBreaker
CertiShell
ChChes
Chaes
Chameleon
ChaosRansomware
Chapak
ChargeWeapon
CherryLoader
ChromeExploitKits
Chromeloader
Cl0pRansomware
ClearFake
ClipBanker
ClownicRansomware
CobaltStrike
CodeRAT
Coinstomp
Coinvault
ColdStealer
ColibriLoader
CollectorGoomba
CollectorStealer
Conficker
Conti
Coper
CoreShell
Coroxy
Cova
CrateDepression
CrimsonRAT
Cronrat
CrushArcade
CryptBot
CryptNetRansomware
CryptNetRasnomware
CryptoFortress
CryptoMixRansomware
Cryptolocker
Cryptowall
CrysisRansomware
CrytoxRansomware
Cryxos
CubaRansomware
CuratorRansomware
CustomerLoader
CyberGateRAT
CyclopsBlink
DBatLoader
DCRat
DDosia
DLRAT
DMALocker
DTrack
DanaBot
DangerAds
DarkBitRansomware
DarkCloud
DarkComet
DarkGateLoader
DarkMeLoader
DarkMeRAT
DarkWatchmanRAT
Darkbit
Darkside
Darktrack Rat
Daserf
Dasref
DaveLoader
Daxin
DeadBoltRansomware
DearCryRansomware
DecafRansomware
Denonia
Derusbi
DevOpt
Dexbia
DiavolRansomware
DinodasRAT
DiscordRAT
DiscordTokenStealers
DisgoMoji
DistTrack
Djvu
DnSpyTrojan
DnWipe
DoNexRansomware
DonutLoader
DoubleFinger
DoubleZeroWiper
DowneksLoader
Dracarys
DreamBusBot
DreamLand
Dridex-Maldocs
Dridex
Drokbk
Dyre
Eamfo
EasyStealer
EchelonStealer
ElectronBot
Elirks
Emdivi
Emissary
Emotet
Enemybot
Enigma
Ermac
Escelar
Escobar
EternalRocks
EternityProject
EvilAntRansomware
EvilExtractor
EvilGrab
EvilNominatusRansomware
EvilPlayout
EvilQuest
ExByte
Exaramel
Exmatter
Expiro
EyService
EyePyramid
FBIOperationDuckHunt
FabookieStealer
FakeBat
FakeDivX
Fanny
Fareit
FastFire
FastViewer
Fastcash
FighterPOS
Filmkan
FinSpy
Flashback
FlawedGrace
Fleckpe
FlokiBot
FluHorse
FormBook
Fragtor
FritzFrog
Fysbis
GCleaner
GOLDBACKDOORDropper
GPCodeRansomware
Gafgyt
Gamaredon
GameoverP2P
GandCrab
Gauss
GenshinDriver
GeopByteBomb
Get2
Gh0stCringe
Gh0stRAT
GigabudRAT
GlobelImposter
Glupteba
GoDDOSIRC
GoSearch
GoTitan
GodFather
Gomir
Goodor
GoodwillRansomware
GootLoader
Gopuram
GoziIsfb
GraceWire
Grandoreiro
GraphicalProton
Graphiron
GreetingGhoul
Grief
GriftHorse
GrimPlant
GuLoader
GwisinLocker
HTran
HakBit
HalkBank
Hancitor
HaronRansomware
HavannaCrypt
HavexRat
Havoc
HawkEyeKeylogger
HazyLoad
HeaderTip
HelloKitty
HermeticWiper
Hi-Zor
HijackLoader
HinataBot
HiveRansomware
Hoplight
HotCroissant
Houdini
Hydra
HydraBankBot
HyperBro
HyperSSL
HzRAT
INCRansomware
IPStorm
IRATA
IceFireRansomware
IceXLoader
IcedId
Icefrog
ImminentMonitor
Immortal Stealer
In2al5dp3in4erLoader
Industroyer
Industroyer2
Infy
InstatWiper
IronWind
IsmAgent
IssacWiper
Ixeshe
JLoRat
JSocket
Jaff
JaffRansomware
Jianmo
JripBot
Jupyter
KMSPico
KRBanker
KTLVdoor
KandyKorn
Karma
KasseikaRansomware
KematianStealer
Keybase
KghSpy
KimjongRat
Kinsing
Knot
Koadic
Kobalos
KoiLoader
Konni
Korlia
Kovter
KoxicRansomware
KrakenGoBotnet
Kriptovor
Kronos
KrusRansomware
KrustyLoader
KurayStealer
Kutaki
Kwampirs
LEMURLOOT
Lalala Stealer
Lambert
Lampion
LatentBot
Latrodectus
LazyScripter
LeetMX
LemonDuck
LgoogLoader
LightningFramework
LilithBot
LilithRansomware
Limerat
Linux.Spike
LitterDrifter
Lobshot
LockBitRansomware
LockerGoga
LockyRansomware
Loda
Log4JMalware
LokiLockerRansomware
LokiPasswordStealer
Lokibot
LorenzRansomware
Lucifer
LummaStealer
M0yv
MNKit
MacOS.AdLoad
MacOS.Adwind
MacOS.AppleJeus
MacOS.BirdMiner
MacOS.Calisto
MacOS.Cointicker
MacOS.Coldroot
MacOS.Convuster
MacOS.Cookieminer
MacOS.Dok
MacOS.Dummy
MacOS.Evilquest
MacOS.KeRanger
MacOS.Kitm
MacOS.LaoShu
MacOS.Macma
MacOS.Pirrit
MacOS.Shlayer
MacOS.Tarmac
MacOS.WireLurker
MacOS.XCSSET
MacOS.XLoader
MacOS.Zuru
MagicRAT
Magnat
MagniberRansomware
Mandrake
Manjusaka
MarsStealer
MassLogger
Matanbuchus
MauiRansomware
Maze
MedusaLocker
MekotioBanker
MementoRansomware
MeowRansomware
MercurialStealer
Metamorfo
MgBot
MicroClip
Micropsia
MidasRansomware
MinodoLoader
Mirai
Mispadu
Mmon
Modernloader
MoishaRansomware
Molerats
MoneyRansomware
MooBot
Moqhao
MortisLocker
MosesStaff
MuddyWater.Alien
Multigrain
Murofet
MyDogs
MyDoom
MyloBot
MysticStealer
NSIS
Nachocheese
Nanhaishu
NanoLocker
Nanocore
Necro
Necurs
NerbianRAT
Neshta
NetFilter
NetSupport
NetSupportRAT
NetTraveler
NetWireRAT
Netwalker
Networm
NeutrinoBot
NeutrinoEK
NewBotLoader
Nexus
Ngrbot
NightHawkRAT
NightSkyRansomware
Nimrev
NineRAT
NitlovePOS
NjRat
NodeStealer
NokoyawaRansomware
Nosu
NuclearEK
Nukesped
Nullmixer
Numando
NvRendererMiner
Octocrypt
Ohagi
Okiru
OldGremlin
OnlinerSpambot
OnyxRansomware
OrBit
Orcus
OriginLogger
Oscorp
Oski
Osno
Ousaban
Owowa
OxyPumper
Oyster
P2PInfect
PIVY
PLAYRansomware
PPAMDropper
PadCrypt
Panchan
PandaBanker
PandoraRansomware
Paradies
ParadiseRansomware
ParallaxRat
PassCV
Pay2Key
Pegasus
PetyaRansomware
PhiladelphiaRansomware
PhobosRansomware
Phorpiex
PickandPlaceRAT
PikaBot
PingPull
PlanetStealer
PlatinumGroup
PlugX
Pony
Poseidon
PoweRAT
PowerStager
Powersniff
Predator the Thief
PrivateLoader
ProLock
ProjectSauron
Prometei
PryntStealer
Pterodo
Punkey
PupyRAT
PureCrypter
PureLogStealer
PurpleFox
Pushdo
PwnPOS
Pymafka
Pysa
QakBot
Qealler
QtBot
QuantumRansomware
QuasarRAT
REvil
ROMCOMRat
RTMLocker
RURansom
RaccoonStealer
RagnarLocker
Rakos
Ramdo
RansomExx
Rapperbot
RaspberryRobin
RatDispenser
RatMilad
Ratopak
RawPOS
Rawdoor
Razy
Rdat
Reaver
RecordBreaker
RedAlertRansomware
RedCap
RedLeaves
RedLine
Rekoobe
Rekt Loader
Remcos
Retefe
RevengeRAT
RhadamanthysLoader
RhysidaRansomware
RisePro
RoadsweepRansomware
RoamingMantis
RockLoader
RogueRobin
RokRAT
Rombertik
RookRansomware
Roopy
RotaJakiro
Rovnix
RoyalRansomware
Rozena
RtPOS
RustBucket
Ryuk
SFileRansomware
SIGNBT
SPECTRALVIPER
STOPRansomware
STRRAT
SVCReady
SYS01Stealer
SageRansomware
Saitama
Sakula
Sality
SamsamRansomware
Sanya
Satacom
Satana
ScareCrowRansomware
Scieron
ScrubCrypt
SectopRAT
ShadowPad
SharkBot
ShellCrew
Shellbot
Shifu
Shikitega
ShimRAT
ShinoLocker
ShinyMW2Exploit
Shlayer
Sidewalk
Sierra
SiestaGraph
Siloscape
Skipper
SkuldStealer
SkypeWorm
Slave
Sliver
SmashJacker
SmokeLoader
SnakeKeylogger
SocGholish
Socks5Systemz
SolarwindsBreach
SpiderpigRAT
Spring4Shell
SshNet
Stantinko
StealBit
Stealc
Stegoloader
Strab
StrifeWater
SubtlePaws
SugarRansomware
SundownEK
SunnyDayRansomware
SweetSpecter
SwiftSlicerWiper
Sword2033
Sykipot
Symmi
SynAckRansomware
SysJoker
Syslogk
SystemBC
TelB
Telemiris
TempStealer
TerraStealer
TeslaCrypt
Thanatos
ThanosRansomware
TianySpy
TidePool
Tinba
TinyTurla
TitanStealer
Tofsee
TokyoX
Tomiris
ToneShell
Tor2Mine
Trat
TriangleDB
TrickBot
TrickGate
TrigonaRansomware
Trochilus Rat
TrollStealer
Truebot
TsCookie
TunnelSpecter
Tur
Turian
Turla
TwoFace
TypeHash
UBoatRAT
UDPRat
Upatre
Upstyle
Urausy
UsbCulprit
UsbFerry
VBCrypt
VMProtect
VSingle
Vadokrist
Vaggen
Valyria
VareStealer
Vawtrak
VenomRAT
VenusRansomware
VermilionStrike
Vermin
VettaLoader
Vidar
VideoSkimmer
VileLoader
ViperSoftX
Virlock
VirusSign
Voho
VohukRansomware
Void
Volgmer
Vultur
WSLMalware
WagnerWiper
WannaCry
Warmcookie
WellMail
WellMess
Werdlod
WhisperGate
WhiteBlackCrypt
WhiteRabbitRansomware
WikiLoader
Win32.CrowdStruck
WinDealer
WinMM
WineLoader
WinsLoader
WizardUpdate
WpBruteBot
XBinder
XCSSET
XFilesStealer
XLoader
XMRig
XPack
XPertRat
XRat
XTremeRat
XTunnel
XWorm
XXMM
XdSpy
Xdr33
XenoRAT
Xenomorph
XorDdoS
XsPlus
YTStealer
YanluowangRansomware
Yorekey
YoungLotus
Zanubis
Zenar
ZeroT
Zeus
ZeusAction
ZharkRAT
Zombinder
Zumanek
ZuoRAT
dnWipe
in2al5dp3in4erLoader
node-ipc-Protestware
slnRAT
zLoader
zLob
zgRAT
zxShell
To have families uploaded, the customer must submit a request.
Depending on the malware family, up to 10 samples can be uploaded for each family.