Registry Manager Feature - Malware Gallery

Description

The Registry Access and Manager feature in malware allows attackers to interact with the Windows Registry, the hierarchical database that stores low-level settings for the operating system and installed applications. With capabilities to view, create, edit, or delete registry keys and data, this feature gives attackers a powerful tool to manipulate system configurations and behavior. Additionally, it can be used to steal sensitive information such as passwords and software licenses stored in registry entries. For instance, by modifying or creating registry entries, malware can ensure its own persistence, deactivate security measures, or even alter user permissions. The ability to steal passwords and licenses from the registry can also facilitate privilege escalation, making the compromised system even more vulnerable to further exploitation. This kind of access is particularly valuable for advanced attacks, where fine-grained control over the target system is required. By manipulating the registry, attackers can not only deepen their level of system compromise but also tailor the environment to suit their malicious objectives, making this feature a key asset in a sophisticated malware toolkit.

Categories	Exfiltration, Alteration, Credentials, System Management, Disruption
Dangerousness	High

Existing Techniques

Name	Associated Feature(s)	Has Snippet	Matching Sample
Windows Registry Actions	Registry Manager, Destructive Operations		0
Windows Registry Enumeration	Registry Manager		0
Windows Registry Search	Registry Manager		0

Associated with Releases

Version	Origins	Authors	Languages	Release Date
Turkojan 3.0	Turkey 🇹🇷	Fungus	Delphi	Sep, 2006
Bifrost 1.2.1	Sweden 🇸🇪	ksv	C++	Jan, 2007
Bandook 1.35	Lebanon 🇱🇧	PrinceAli	Delphi, C++	Apr, 2007
Poison Ivy 2.3.0	Sweden 🇸🇪	Shapeless	Delphi, MASM	Jun, 2007
sharK 2.4.0 Fwb+	Germany 🇩🇪	sNiper109 , rockZ	Visual Basic 6 (VB6)	Aug, 2007
Nuclear RAT 2.1.0	Brazil 🇧🇷	caesar2k	Delphi	Sep, 2007
Poison Ivy 2.3.2	Sweden 🇸🇪	Shapeless	Delphi, MASM	Jan, 2008
Turkojan 4	Turkey 🇹🇷	FµNGµ§	Delphi	Feb, 2008
Turkojan 4.0	Turkey 🇹🇷	Fungus	Delphi	Mar, 2008
sharK 3.1 fwb++	Germany 🇩🇪	sNiper109 , rockZ	Visual Basic 6 (VB6)	Mar, 2008
SynRAT 4.0.1	France 🇫🇷	DarkCoderSc	Delphi	May, 2009
Cerberus 1.0 Beta	United States 🇺🇸, United Kingdom 🇬🇧	Protocol , Steve10120 , 2sly , Sam	Delphi	Aug, 2009
Cerberus 1.01 Beta	United States 🇺🇸, United Kingdom 🇬🇧	Protocol , Steve10120 , 2sly , Sam	Delphi	Aug, 2009
Cerberus 1.02 Beta	United States 🇺🇸, United Kingdom 🇬🇧	Protocol , Steve10120 , 2sly , Sam	Delphi	Aug, 2009
SynRAT 4.3.1-A-1	France 🇫🇷	DarkCoderSc	Assembly, Delphi	Aug, 2009
Apocalypse RAT 1.4	Turkey 🇹🇷	ap0calypse	Delphi	Aug, 2009
Cerberus 1.03.4	United States 🇺🇸, United Kingdom 🇬🇧	Protocol , Steve10120 , 2sly , Sam	Delphi	Sep, 2009
Spy-Net 2.6	Brazil 🇧🇷	Raphael	Delphi	Oct, 2009
DarkComet RAT 1.3	France 🇫🇷	DarkCoderSc		Nov, 2009
Cerberus 1.03.5 Beta	United States 🇺🇸, United Kingdom 🇬🇧	Protocol , Steve10120 , 2sly , Sam	Delphi	Dec, 2009
DarkComet RAT 2.0 RC4	France 🇫🇷	DarkCoderSc	Delphi	Mar, 2010
CyberGate 1.04.8	United States 🇺🇸	johnyk	Delphi	Apr, 2010
Lost Door 4.3.1	Tunisia 🇹🇳	OussamiO	Visual Basic 6 (VB6)	Apr, 2010
DarkComet RAT 2.0 RC7	France 🇫🇷	DarkCoderSc	Assembly, Delphi	Jun, 2010
Schwarze Sonne 1.0	Unknown 🏴‍☠️, Germany 🇩🇪, Turkey 🇹🇷	ap0calypse , Slayer616 , Counterstrikewi	Delphi	Jun, 2010
Lost Door 5.1	Tunisia 🇹🇳	OussamiO	Visual Basic 6 (VB6)	Oct, 2010
Coolvibes 1 Update 8	Spain 🇪🇸	Thor	Delphi	May, 2011
Xtreme RAT 2.9	Brazil 🇧🇷	Raphael	Delphi	Jul, 2011
DarkComet RAT 5.3	France 🇫🇷	DarkCoderSc	Assembly, Delphi	Jun, 2012
DarkComet RAT 5.3.1	France 🇫🇷	DarkCoderSc	Assembly, Delphi	Jun, 2012
NjRat 0.7d	Kuwait 🇰🇼	njq8	VB .net	Dec, 2013