There are a lot of different malware names used in the IT security community for the same kind of malware. This repository holds regular expression to match those and derive a commonly used malware family name.
This mapping is used in reporting (as generic name) and for statistics purpose.
This mapping can be used in IntelMQ, see the tools provided by intelmq in contrib/: https://github.com/certtools/intelmq/tree/maintenance/contrib/malware_name_mapping The IntelMQ integration can also import the threat actors available in the MISP Galaxies.
Currently it is comma-separated. The meaning of the columns is:
- regular expression, starting with
^and ending with$. It can/should be applied case-insensitive. The field is encapsulated in double quotes ("). - malware family name
- optional comment (origin of the rule, where the malware names occur etc)
> ./scripts/tools.py lookup b66-ir
Found match 'b66-ir' -> 'andromeda'.To check the validity of the file, you can run ./scripts/test.py. It checks if
- all lines do match the format,
- there are not family matching to other family names and
- that each family names is matched to itself.
mapping.csv and everything else: CC0-1.0
malpedia.csv: CC-BY-NC-SA-3.0. The usage of this data is optional in tools and integration.
Malpedia provides an inventory of malware including known alternative names. This data can optionally by used to supplement the existing mapping.
The mapping.csv also contains some references to malpedia, which does not necessarily mean, that the data is from there.