System Information Discovery

4H RAT sends an OS version identifier in its beacons.^[7]

Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host.^[8]

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ver >> %temp%\download systeminfo >> %temp%\download^[9]

ADVSTORESHELL can run Systeminfo to gather information about the victim.^[10][11]

Agent Tesla can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.^[12][13][14]

Akira uses the GetSystemInfo Windows function to determine the number of processors on a victim machine.^[15]

Amadey has collected the computer name and OS version from a compromised machine.^[16][17]

Anchor can determine the hostname and linux version on a compromised host.^[18]

AppleJeus has collected the victim host information after infection.^[19]

AppleSeed can identify the OS version of a targeted system.^[20]

APT18 can collect system information from the victim’s machine.^[21]

APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.^[22][23]

APT3 has a tool that can obtain information about the local system.^[24][25]

APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.^{[26][27][28][29]}

APT37 collects the computer name, the BIOS model, and execution path.^[30]

APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.^[31]

APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information.^[32]

Aquatic Panda has used native OS commands to understand privilege levels and system details.^[33]

Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host.^[34]

Astaroth collects the machine name and keyboard language from the system. ^[35][36]

AsyncRAT can check the disk size through the values obtained with DeviceInfo.^[37]

Attor monitors the free disk space on the system.^[38]

AuTo Stealer has the ability to collect the hostname and OS information from an infected host.^[8]

Avenger has the ability to identify the host volume ID and the OS architecture on a compromised host.^[39]

Azorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.^[40][41]

Babuk can enumerate disk volumes, get disk information, and query service status.^[42]

BabyShark has executed the ver command.^[43]

BackConfig has the ability to gather the victim's computer name.^[44]

Backdoor.Oldrea collects information about the OS and computer name.^[45][46]

During its initial execution, BACKSPACE extracts operating system information from the infected host.^[47]

BADCALL collects the computer name and host name on the compromised system.^[48]

BADFLICK has captured victim computer name, memory space, and CPU details.^[49]

BADHATCH can obtain current system information from a compromised machine such as the SHELL PID, PSVERSION, HOSTNAME, LOGONSERVER, LASTBOOTUP, drive information, OS type/version, bitness, and hostname.^[50][51]

BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine.^[52]

Bandook can collect information about the drives available on the system.^[53]

Bankshot gathers system information, network addresses, disk type, disk free space, and the operation system version.^[54][55]

Bazar can fingerprint architecture, computer name, and OS version on the compromised host. Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found.^[56][57]

BISCUIT has a command to collect the processor type, operation system, computer name, and whether the system is a laptop or PC.^[58]

Bisonal has used commands and API calls to gather system information.^[59][60][61]

Black Basta can enumerate volumes and collect system boot configuration and CPU information.^[62][63]

BlackCat can obtain the computer name and UUID, and enumerate local drives.^[64]

BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.^[65][66]

BlackMould can enumerate local drives on a compromised host.^[67]

BLINDINGCAN has collected from a victim machine the system name, processor information, OS version, and disk information, including type and free space available.^[68]

Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information.^[69]

BLUELIGHT has collected the computer name and OS version from victim machines.^[70]

Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on.^[71]

BoomBox can enumerate the hostname, domain, and IP of a compromised host.^[72]

Brave Prince collects hard drive content and system configuration information.^[73]

BUBBLEWRAP collects system information, including the operating system version and hostname.^[9]

build_downer has the ability to send system volume information to C2.^[39]

Bumblebee can enumerate the OS version and domain on a targeted system.^[74][75][76]

Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute using /usr/bin/sw_vers -productVersion.^[77][3]

During C0017, APT41 issued ping -n 1 ((cmd /c dir c:\|findstr Number).split()[-1]+ commands to find the volume serial number of compromised systems.^[78]

CaddyWiper can use DsRoleGetPrimaryDomainInformation to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller.^[79][80]

Cadelspy has the ability to discover information about the compromised host.^[81]

Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.^[82][83]

Carberp has collected the operating system version from the infected system.^[84]

Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.^[85]

CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.^[86][87]

Caterpillar WebShell has a module to gather information from the compromrised asset, including the computer version, computer name, IIS version, and more.^[88]

Chaes has collected system information, including the machine name and OS version.^[89]

CharmPower can enumerate the OS version and computer name on a targeted system.^[90]

ChChes collects the victim hostname, window resolution, and Microsoft Windows version.^[91][92]

Chimera has used fsutil fsinfo drives, systeminfo, and vssadmin list shadows for system information including shadow volumes and drive information.^[93]

Chrommme has the ability to list drives and obtain the computer name of a compromised host.^[94]

Clambling can discover the hostname, computer name, and Windows version of a targeted machine.^[95][96]

cmd can be used to find information about the operating system.^[97]

Comnie collects the hostname of the victim machine.^[98]

Confucius has used a file stealer that can examine system drives, including those other than the C drive.^[99]

CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.^[100]

Covenant implants can gather basic information on infected systems.^[101]

A system info module in CozyCar gathers information on the victim host’s configuration.^[102]

CrackMapExec can enumerate the system drives and associated system name.^[103]

Crimson contains a command to collect the victim PC name, disk drive information, and operating system.^{[104][105][106]}

Cuba can enumerate local drives, disk type, and disk free space.^[107]

Cuckoo Stealer can gather information about the OS version and hardware on compromised hosts.^[108][109]

CURIUM deploys information gathering tools focused on capturing IP configuration, running application, system information, and network connectivity information.^[110]

During Cutting Edge, threat actors used the ENUM4LINUX Perl script for discovery on Windows and Samba hosts.^[111]

Cyclops Blink has the ability to query device information.^[112]

Daggerfly utilizes victim machine operating system information to create custom User Agent strings for subsequent command and control communication.^[113]

DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine.^[114][115]

DarkGate uses the Delphi methods Sysutils::DiskSize and GlobalMemoryStatusEx to collect disk size and physical memory as part of the malware's anti-analysis checks for running in a virtualized environment.^[116] DarkGate will gather various system information such as display adapter description, operating system type and version, processor type, and RAM amount.^[116]

Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.^[117][118]

DarkTortilla can obtain system information by querying the Win32_ComputerSystem, Win32_BIOS, Win32_MotherboardDevice, Win32_PnPEntity, and Win32_DiskDrive WMI objects.^[119]

DarkWatchman can collect the OS version, system architecture, and computer name.^[120]

DEADEYE can enumerate a victim computer's volume serial number and host name.^[78]

DEATHRANSOM can enumerate logical drives on a target system.^[121]

Denis collects OS information and the computer name from the victim’s machine.^[122][123]

Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.^[124]

Diavol can collect the computer name and OS version from the system.^[125]

down_new has the ability to identify the system volume information of a compromised host.^[39]

DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.^[126]

Dridex has collected the computer name and OS architecture information from the system.^[127]

DropBook has checked for the presence of Arabic language in the infected machine's settings.^[128]

dsquery has the ability to enumerate various information, such as the operating system and host name, for systems within a domain.^[78]

Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier.^[129][130]

DUSTTRAP reads the value of the infected system's HKLM\SYSTEM\Microsoft\Cryptography\MachineGUID value.^[131]

DustySky extracts basic information about the operating system.^[132]

Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.^[133]

Egregor can perform a language check of the infected system and can query the CPU information (cupid).^[134][135]

Elise executes systeminfo after initial communication is made to the remote server.^[136]

Emissary has the capability to execute ver and systeminfo commands.^[137]

Empire can enumerate host system information like OS, architecture, domain name, applied patches, and more.^[138][139]

EnvyScout can determine whether the ISO payload was received by a Windows or iOS device.^[72]

Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings.^[140]

EVILNUM can obtain the computer name from the victim's system.^[141]

Explosive has collected the computer name from the infected host.^[142]

FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.^[143]

FatDuke can collect the user name, Windows version, computer name, and available space on discs from a compromised host.^[144]

Felismus collects the system information, including hostname and OS version, and sends it to the C2 server.^[145]

FELIXROOT collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type.^[146][147]

Ferocious can use GET.WORKSPACE in Microsoft Excel to determine the OS version of the compromised host.^[148]

FIN13 has collected local host information by utilizing Windows commands systeminfo, fsutil, and fsinfo. FIN13 has also utilized a compromised Symantex Altiris console and LanDesk account to retrieve host information.^[149][150]

FIN8 has used PowerShell Scripts to check the architecture of a compromised machine before the selection of a 32-bit or 64-bit version of a malicious .NET loader.^[151]

Final1stspy obtains victim Microsoft Windows version information and CPU architecture.^[152]

FinFisher checks if the victim OS is 32 or 64-bit.^[153][154]

FlawedAmmyy can collect the victim's operating system and computer name during the initial infection.^[155]

During Frankenstein, the threat actors used Empire to obtain the compromised machine's name.^[139]

FunnyDream can enumerate all logical drives on a targeted machine.^[156]

During FunnyDream, the threat actors used Systeminfo to collect information on targeted hosts.^[156]

Fysbis has used the command ls /etc | egrep -e"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release" to determine which Linux OS version is running.^[157]

A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.^{[158][159][160]}

Gelsemium can determine the operating system and whether a targeted machine has a 32 or 64 bit architecture.^[94]

Get2 has the ability to identify the computer name and Windows version of an infected host.^[161]

gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information.^[162]

Gold Dragon collects endpoint information using the systeminfo command.^[73]

GoldenSpy has gathered operating system information.^[163]

Gootloader can inspect the User-Agent string in GET request header information to determine the operating system of targeted systems.^[164]

Grandoreiro can collect the computer name and OS version from a compromised host.^[165]

GravityRAT collects the MAC address, computer name, and CPU information.^[166]

Green Lambert can use uname to identify the operating system name, version, and processor type.^[167][168]

GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation .^[169]

GrimAgent can collect the OS, and build version on a compromised host.^[170]

HALFBAKED can obtain information about the OS, processor, and BIOS.^[171]

can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path.^[172]

HAWKBALL can collect the OS version, architecture information, and computer name.^[173]

HELLOKITTY can enumerate logical drives on a target system.^[121]

HermeticWiper can determine the OS version, bitness, and enumerate physical drives on a targeted host.^{[174][175][176][177]}

HEXANE has collected the hostname of a compromised machine.^[178]

Heyoka Backdoor can enumerate drives on a compromised host.^[179]

Higaisa collected the system volume serial number, GUID, and computer name.^[180][181]

Hildegard has collected the host's OS, CPU, and memory information.^[182]

HOPLIGHT has been observed collecting victim machine information like OS version, volume information, and more.^[183]

HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.^[184]

Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.^[185]

The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary.^[186]

IcedID has the ability to identify the computer name and OS version on a compromised host.^[187][188]

IMAPLoader uses WMI queries to gather information about the victim machine.^[189]

INC Ransomware can discover and mount hidden drives to encrypt them.^[190]

Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host.^[191]

Industroyer collects the victim machine’s Windows GUID.^[192]

InnaputRAT gathers volume drive information and system information.^[193]

InvisiMole can gather information on the mapped drives, OS version, computer name, DEP policy, memory size, and system volume serial number.^[194][195]

Ixeshe collects the computer name of the victim's system during the initial infection.^[196]

JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum. Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name.^[197][198]

JPIN can obtain system information such as OS version and disk space.^[199]

jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.^[200]

KARAE can collect system information.^[172]

Kasidet has the ability to obtain a victim's system name and operating system version.^[201]

Kazuar gathers information on the system and local drives.^[202]

Ke3chang performs operating system information discovery using systeminfo and has used implants to identify the system language and computer name.^{[203][204][205]}

Kerrdown has the ability to determine if the compromised host is running a 32 or 64 bit OS architecture.^[206]

Kessel has collected the system architecture, OS version, and MAC address information.^[71]

Kevin can enumerate the OS version and hostname of a targeted machine.^[178]

KeyBoy can gather extended system information, such as information about the operating system, disks, and memory.^[207][208]

KEYMARBLE has the capability to collect the computer name, language settings, the OS version, CPU information, disk devices, and time elapsed since system start.^[209]

KGH_SPY can collect drive information from a compromised host.^[210]

KillDisk retrieves the hard disk name by calling the CreateFileA to \.\PHYSICALDRIVE0 API.^[211]

Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the "systeminfo" command.^[212][213]

Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host.^[214]

Kobalos can record the hostname and kernel version of the target machine.^[215]

KOCTOPUS has checked the OS version using wmic.exe and the find command.^[214]

KOMPROGO is capable of retrieving information about the infected system.^[216]

KONNI can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim’s machine and has used cmd /c systeminfo command to get a snapshot of the current system state of the target machine.^{[217][218][219]}

KOPILUWAK can discover logical drive information on compromised hosts.^[220]

KV Botnet Activity includes use of native system tools, such as uname, to obtain information about victim device architecture, as well as gathering other system information such as the victim's hosts file and CPU utilization.^[221]

Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t.^[222]

Latrodectus can gather operating system information.^{[223][224][224][225]}

Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.^{[226][227][228][229][230][231]}

LightNeuron gathers the victim computer name using the Win32 API call GetComputerName.^[232]

Linfo creates a backdoor through which remote attackers can retrieve system information.^[233]

LiteDuke can enumerate the CPUID and BIOS version on a compromised system.^[144]

LitePower has the ability to list local drives and enumerate the OS architecture.^[148]

LITTLELAMB.WOOLTEA can check the type of Ivanti VPN device it is running on by executing first_run() to identify the first four bytes of the motherboard serial number.^[234]

Lizar can collect the computer name from the machine,.^[235]

Lokibot has the ability to discover the computer name and Windows product name/version.^[236]

LoudMiner has monitored CPU usage.^[237]

Lucifer can collect the computer name, system architecture, default language, and processor frequency of a compromised host.^[238]

LunarMail can capture environmental variables on compromised hosts.^[239]

LunarWeb can use WMI queries and shell commands such as systeminfo.exe to collect the operating system, BIOS version, and domain name of the targeted system.^[239]

Machete collects the hostname of the target computer.^[240]

MacMa can collect information about a compromised computer, including: Hardware UUID, Mac serial number, macOS version, and disk sizes.^[241]

macOS.OSAMiner can gather the device serial number and has checked to ensure there is enough disk space using the Unix utility df.^[242]

Mafalda can collect the computer name and enumerate all drives on a compromised host.^[243][244]

Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.^{[245][246][247]}

Malteiro collects the machine information, system architecture, the OS version, computer name, and Windows product name.^[248]

Manjusaka performs basic system profiling actions to fingerprint and register the victim system with the C2 controller.^[249]

MarkiRAT can obtain the computer name from a compromised host.^[250]

Maze has checked the language of the infected system using the "GetUSerDefaultUILanguage" function.^[251]

metaMain can collect the computer name from a compromised host.^[244]

Metamorfo has collected the hostname and operating system version from the compromised host.^{[252][253][254]}

Meteor has the ability to discover the hostname of a compromised host.^[255]

Micropsia gathers the hostname and OS version from the victim’s machine.^[256][257]

Milan can enumerate the targeted machine's name and GUID.^[258][259]

MiniDuke can gather the hostname on a compromised machine.^[144]

MirageFox can collect CPU and architecture information from the victim’s machine.^[260]

The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.^[261]

The initial beacon packet for Misdat contains the operating system version of the victim.^[261]

Mispadu collects the OS version, computer name, and language ID.^[262]

MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.^[263]

MoleNet can collect information about the about the system.^[128]

Mongall can identify drives on compromised hosts and retrieve the hostname via gethostbyname.^[179]

Moonstone Sleet has gathered information on victim systems.^[264]

MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.^[265]

More_eggs has the capability to gather the OS version and computer name.^[266][267]

Moses Staff collected information about the infected host, including the machine names and OS architecture.^[268]

MuddyWater has used malware that can collect the victim’s OS version and machine name.^{[269][270][271][272][273]}

MURKYTOP has the capability to retrieve information about the OS.^[274]

Mustang Panda has gathered system information using systeminfo.^[275]

Mustard Tempest has used implants to perform system reconnaissance on targeted systems.^[276]

Naid collects a unique identifier (UID) from a compromised host.^[277]

NanHaiShu can gather the victim computer name and serial number.^[278]

NavRAT uses systeminfo on a victim’s machine.^[279]

NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel.^[280]

Nebulae can discover logical drive information including the drive type, free space, and volume information.^[281]

Neoichor can collect the OS version and computer name from a compromised host.^[205]

Netwalker can determine the system architecture it is running on to choose which version of the DLL to use.^[282]

NETWIRE can discover and collect victim system information.^[283]

Nightdoor gathers information on the victim system such as CPU and Computer name as well as device drivers. Nightdoor can also collect information about disk drives, their total and free space, and file system type.^[113]

Ninja can obtain the computer name and information on the OS and physical drives from targeted hosts.^[284][285]

njRAT enumerates the victim operating system and computer name during the initial infection.^[286]

NKAbuse conducts multiple system checks and includes these in subsequent "heartbeat" messages to the malware's command and control server.^[287]

NOKKI can gather information on drives and the operating system on the victim’s machine.^[288]

ObliqueRAT has the ability to check for blocklisted computer names on infected endpoints.^[289]

OceanSalt can collect the computer name from the system.^[290]

Octopus can collect system drive information, the computer name, the size of the disk, OS version, and OS architecture information.^[291]

OilRig has run hostname and systeminfo on a victim.^{[292][293][294][295]}

Okrum can collect computer name, locale information, and information about the OS and architecture.^[296]

OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.^[297]

During Operation CuckooBees, the threat actors used the systeminfo command to gather details about a compromised system.^[298]

During Operation Honeybee, the threat actors collected the computer name, OS, and other system information using cmd /c systeminfo > %temp%\ temp.ini.^[299]

During Operation Wocao, threat actors discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network.^[300]

Orz can gather the victim OS version and whether it is 64 or 32 bit.^[278]

OSInfo discovers information about the infected machine.^[24]

OSX/Shlayer has collected the IOPlatformUUID, session UID, and the OS version using the command sw_vers -productVersion.^[301][302]

OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the ioreg command to gather some of this information.^{[303][304][3]}

Pasam creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space.^[305]

Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine.^[306][280]

Pay2Key has the ability to gather the hostname of the victim machine.^[307]

Penquin can report the file system type and disk space of a compromised host to C2.^[308]

Pikabot performs a variety of system checks and gathers system information, including commands such as whoami.^[309][310]

PinchDuke gathers system configuration information.^[311]

PingPull can retrieve the hostname of a compromised host.^[312]

PipeMon can collect and send OS version and computer name as a part of its C2 beacon.^[313]

Pisloader has a command to collect victim system information, including the system name and OS version.^[314]

PLAINTEE collects general system enumeration data about the infected machine and checks the OS version.^[315]

Play has leveraged tools to enumerate system information.^[316]

PoetRAT has the ability to gather information about the compromised host.^[317]

Pony has collected the Service Pack, language, and region information to send to the C2.^[318]

POORAIM can identify system information, including battery status.^[172]

PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.^[319]

PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage.^[320]

PowerShower has collected system information on the infected host.^[321]

POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts.^[322][323]

POWRUNER may collect information about the system by running hostname and systeminfo on a victim.^[324]

A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.^[325]

Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.^[230]

PUNCHBUGGY can gather system information such as computer names.^[326]

Pupy can grab a system’s information including the OS version, architecture, etc.^[327]

QakBot can collect system information including the OS version and domain on a compromised host.^{[328][329][330][276]}

QuasarRAT can gather system information from the victim’s machine including the OS type.^[331]

Raccoon Stealer gathers information on infected systems such as operating system, processor information, RAM, and display information.^[332][333]

Ramsay can detect system information--including disk names, total space, and remaining space--to create a hardware profile GUID which acts as a system identifier for operators.^[334][335]

Raspberry Robin performs several system checks as part of anti-analysis mechanisms, including querying the operating system build number, processor vendor and type, video controller, and CPU temperature.^[336]

RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.^[337][338]

RCSession can gather system information from a compromised host.^[339]

Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.^[340]

RedCurl has collected information about the target system, such as system information and list of network connections.^[341][342]

RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.^[92][343]

Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.^[344]

Revenge RAT collects the CPU information, OS information, and system language.^[345]

REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.^{[346][347][348][349][349][350][351][352]}

Rifdoor has the ability to identify the Windows version on the compromised host.^[353]

Rising Sun can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.^[354]

ROADSWEEP can enumerate logical drives on targeted devices.^[355][356]

Rocke has used uname -m to collect the name and information about the infected system's kernel.^[357]

RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.^[358]

ROKRAT can gather the hostname and the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems.^{[359][360][361][362][363][364]}

RotaJakiro executes a set of commands to collect device information, including uname. Another example is the cat /etc/*release | uniq command used to collect the current OS distribution.^[365]

Royal can use GetNativeSystemInfo and GetLogicalDrives to enumerate system processors and logical drives.^[366][367]

RTM can obtain the computer name, OS version, and default language identifier.^[368]

RunningRAT gathers the OS version, logical drives information, processor information, and volume information.^[73]

Ryuk has called GetLogicalDrives to emumerate all mounted drives, and GetDriveTypeW to determine the drive type.^[369]

The initial beacon packet for S-Type contains the operating system version and file system of the victim.^[261]

Saint Bot can identify the OS version, CPU, and other details from a victim's machine.^[370]

Sandworm Team used a backdoor to enumerate information about the infected system's operating system.^[371][372]

Sardonic has the ability to collect the computer name, CPU manufacturer name, and C:\ drive serial number from a compromised machine. Sardonic also has the ability to execute the ver and systeminfo commands.^[373]

SDBbot has the ability to identify the OS version, OS bit information and computer name.^[161][16]

ServHelper will attempt to enumerate Windows version and system architecture.^[374]

ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers.^[375]

Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.^[376][377]

Shark can collect the GUID of a targeted machine.^[258][259]

SharpDisco can use a plugin to enumerate system drives.^[378]

SharpStage has checked the system settings to see if Arabic is the configured language.^[379]

SHARPSTATS has the ability to identify the IP address, machine name, and OS of the compromised host.^[323]

ShimRatReporter gathered the operating system name and specific Windows version of an infected machine.^[380]

SHUTTERSPEED can collect system information.^[172]

SideCopy has identified the OS version of a compromised host.^[8]

SideTwist can collect the computer name of a targeted system.^[295]

Sidewinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.^[381][382]

SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives.^[383]

Skidmap has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.^[384]

SLOTHFULMEDIA has collected system name, OS version, adapter information, memory usage, and disk information from a victim machine.^[385]

SLOWDRIFT collects and sends system information to its C2.^[172]

SMOKEDHAM has used the systeminfo command on a compromised host.^[386]

Snip3 has the ability to query Win32_ComputerSystem for system information. ^[387]

SocGholish has the ability to enumerate system information including the victim computer name.^{[388][389][390]}

SodaMaster can enumerate the host name and OS version on a target system.^[391]

During the SolarWinds Compromise, APT29 used fsutil to check available free space before executing actions that might create large files on disk.^[392]

SombRAT can execute getinfo to enumerate the computer name and OS version of a compromised system.^[393]

SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo.^[394]

SOUNDBITE is capable of gathering system information.^[216]

Sowbug obtained OS version and hardware configuration from a victim.^[395]

Spark can collect the hostname, keyboard layout, and language from the system.^[396]

SpeakUp uses the cat /proc/cpuinfo | grep -c "cpu family" 2>&1 command to gather system information. ^[397]

SpicyOmelette can identify the system name of a compromised host.^[398]

Squirrelwaffle has gathered victim computer information and configurations.^[399]

SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.^[400]

STARWHALE can gather the computer name of an infected host.^[401][402]

Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.^[403]

StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.^[404]

StreamEx has the ability to enumerate system information.^[405]

StrifeWater can collect the OS version, architecture, and machine name to create a unique token for the infected host.^[406]

StrongPity can identify the hard disk volume serial number on a compromised host.^[407]

Stuxnet collects system information including computer and domain names, OS version, and S7P paths.^[408]

SUNBURST collected hostname and OS version.^[409][410]

SVCReady has the ability to collect information such as computer name, computer manufacturer, BIOS, operating system, and firmware, including through the use of systeminfo.exe.^[411]

SynAck gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries.^[412]

Sys10 collects the computer name, OS versioning information, and OS install date and sends the information to the C2.^[400]

SYSCON has the ability to use Systeminfo to identify system information.^[87]

Systeminfo can be used to gather information about the operating system.^[413]

SysUpdate can collect a system's architecture, operating system version, hostname, and drive information.^[414][415]

T9000 gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation.^[416]

TA2541 has collected system information prior to downloading malware on the targeted host.^[417]

TAINTEDSCRIBE can use DriveList to retrieve drive information.^[418]

TajMahal has the ability to identify hardware information, the computer name, and OS information on an infected host.^[419]

TeamTNT has searched for system version, architecture, disk partition, logical volume, and hostname information.^[420][421]

ThreatNeedle can collect system profile information from a compromised host.^[422]

ToddyCat has collected information on bootable drives including model, vendor, and serial numbers.^[285]

Torisma can use GetlogicalDrives to get a bitmask of all drives available on a compromised system. It can also use GetDriveType to determine if a new drive is a CD-ROM drive.^[423]

TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine.^{[424][425][426][427]}

Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration.^[428]

Tropic Trooper has detected a target system’s OS version and system volume information.^[429][430]

Turian can retrieve system information including OS version, memory usage, local hostname, and system adapter information.^[431]

Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.^[432][433]

TURNEDUP is capable of gathering system information.^[434]

TYPEFRAME can gather the disk volume information.^[435]

Unknown Logger can obtain information about the victim computer name, physical memory, country, and date.^[436]

UPPERCUT has the capability to gather the system’s hostname and OS version.^[437]

Uroburos has the ability to gather basic system information and run the POSIX API gethostbyname.^[438]

Ursnif has used Systeminfo to gather system information.^[439]

Valak can determine the Windows version and computer name on a compromised host.^[440][441]

VERMIN collects the OS name, machine name, and architecture information.^[442]

Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine.^{[443][444][445]}

Volt Typhoon has discovered file system types, drive names, size, and free space on compromised systems.^{[446][447][448][449]}

WarzoneRAT can collect compromised host information, including OS version, PC name, RAM size, and CPU details.^[450]

WellMess can identify the computer name of a compromised host.^[451][452]

WhisperGate has the ability to enumerate fixed logical drives on a targeted system.^[453]

Windigo has used a script to detect which Linux distribution and version is currently installed on the system.^[71]

WINDSHIELD can gather the victim computer name.^[216]

Windshift has used malware to identify the computer name of a compromised host.^[454]

WINERACK can gather information about the host.^[172]

Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.^[455]

WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.^[400]

Winnti for Windows can determine if the OS on a compromised host is newer than Windows XP.^[456]

Winter Vivern script execution includes basic victim information gathering steps which are then transmitted to command and control servers.^[457]

Wizard Spider has used Systeminfo and similar commands to acquire detailed configuration information of a victim's machine. Wizard Spider has also utilized the PowerShell cmdlet Get-ADComputer to collect DNS hostnames, last logon dates, and operating system information from Active Directory.^[458][459]

Woody RAT can retrieve the following information from an infected machine: OS, architecture, computer name, OS build version, environment variables, and storage drives.^[460]

XAgentOSX contains the getInstalledAPP function to run ls -la /Applications to gather what applications are installed.^[461]

XCSSET identifies the macOS version and uses ioreg to determine serial number.^[462]

YAHOYAH checks for the system’s Windows OS version and hostname.^[429]

yty gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command systeminfo.^[463]

Zebrocy collects the OS version, computer name and serial number for the storage volume C:. Zebrocy also runs the systeminfo command to gather system information. ^{[464][82][465][83][466][467][468]}

ZeroCleare can use the IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, IOCTL_DISK_GET_DRIVE_GEOMETRY, and IOCTL_DISK_GET_LENGTH_INFO system calls to compute disk size.^[355]

ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server.^[469]

Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system.^[470][471]

ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2.^[472]

ZLib has the ability to enumerate system information.^[261]

Zox can enumerate attached drives.^[473]

zwShell can obtain the victim PC name and OS version.^[474]

ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.^[475]

ZxxZ has collected the host name and operating system product name from a compromised machine.^[476]