SYMBOLCOMMON_NAMEaka. SYNONYMS
win.pyxie (Back to overview)

PyXie

aka: PyXie RAT

Full-featured Python RAT compiled into an executable.

PyXie RAT functionality includes:
* Man-in-the-middle (MITM) Interception
* Web-injects
* Keylogging
* Credential harvesting
* Network Scanning
* Cookie theft
* Clearing logs
* Recording video
* Running arbitrary payloads
* Monitoring USB drives and exfiltrating data
* WebDav server
* Socks5 proxy
* Virtual Network Connection (VNC)
* Certificate theft
* Inventorying software
* Enumerating the domain with Sharphound

References
2022-05-17Trend MicroTrend Micro Research
@online{research:20220517:ransomware:7b86339, author = {Trend Micro Research}, title = {{Ransomware Spotlight: RansomEXX}}, date = {2022-05-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx}, language = {English}, urldate = {2022-05-25} } Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot
2022-05-03Cluster25Cluster25
@online{cluster25:20220503:strange:1481afa, author = {Cluster25}, title = {{The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet}}, date = {2022-05-03}, organization = {Cluster25}, url = {https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/}, language = {English}, urldate = {2022-05-04} } The Strange Link Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper Vs Vatet
Cobalt Strike IsaacWiper PyXie
2021-11-01FBIFBI
@techreport{fbi:20211101:pin:a9b78d3, author = {FBI}, title = {{PIN Number 20211101-001: Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims}}, date = {2021-11-01}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/211101.pdf}, language = {English}, urldate = {2021-11-03} } PIN Number 20211101-001: Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims
DarkSide RansomEXX DarkSide PyXie RansomEXX
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:when:8e743b9, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/}, language = {English}, urldate = {2020-11-12} } When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777
PyXie RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:last:11cf9f2, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Last, but Not Least: Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3}, language = {English}, urldate = {2020-11-12} } Last, but Not Least: Defray777
PyXie RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:linking:152fbf2, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Linking Vatet, PyXie and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4}, language = {English}, urldate = {2020-11-12} } Linking Vatet, PyXie and Defray777
PyXie RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:indicators:1ec9384, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/}, language = {English}, urldate = {2020-11-12} } Indicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777
Cobalt Strike PyXie RansomEXX
2020-11-06Palo Alto Networks Unit 42Ryan Tracey, Drew Schmitt, CRYPSIS
@online{tracey:20201106:next:c911bb5, author = {Ryan Tracey and Drew Schmitt and CRYPSIS}, title = {{Next Up: “PyXie Lite”}}, date = {2020-11-06}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/}, language = {English}, urldate = {2020-11-09} } Next Up: “PyXie Lite”
Defray PyXie
2020SecureworksSecureWorks
@online{secureworks:2020:gold:8050e44, author = {SecureWorks}, title = {{GOLD DUPONT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-dupont}, language = {English}, urldate = {2020-05-23} } GOLD DUPONT
Cobalt Strike Defray PyXie GOLD DUPONT
2019-12-02CylanceRyan Tracey
@online{tracey:20191202:meet:9cac66d, author = {Ryan Tracey}, title = {{Meet PyXie: A Nefarious New Python RAT}}, date = {2019-12-02}, organization = {Cylance}, url = {https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html}, language = {English}, urldate = {2020-02-01} } Meet PyXie: A Nefarious New Python RAT
PyXie

There is no Yara-Signature yet.