Research Article
Characterizing Anomalies in Malware-Generated HTTP Traffic
Table 10
Top 5 malware families in categories grouped by the number of request groups.
| Category | Family name | Number of request groups |
|---|---|---|
| Backdoor | Htbot | 3 |
| Backdoor | GrayBird | 2 |
| Backdoor | Dimnie | 2 |
| Backdoor | Zeprox | 1 |
| Backdoor | Votwup.D | 1 |
| Backdoor | Mokes | 1 |
| Banker | Ursnif | 27 |
| Banker | Dreambot | 24 |
| Banker | Chthonic | 12 |
| Banker | Emotet | 11 |
| Banker | Kronos | 10 |
| Bruteforce | No-name | 6 |
| Bruteforce | Pifagor | 2 |
| Clicker | KOVTER | 6 |
| Clicker | Zeroaccess | 4 |
| Clicker | Sefnit | 2 |
| Clicker | Miuref/Boaxxe | 1 |
| DDoS | DirtJumper | 17 |
| DDoS | MegalodonHTTP | 4 |
| DDoS | Madness | 2 |
| DDoS | MedusaHTTP | 1 |
| Downloader | Pony | 21 |
| Downloader | Nemucod | 19 |
| Downloader | SmokeLoader | 17 |
| Downloader | Locky | 12 |
| Downloader | Zbot | 11 |
| Downloader/JS | No-name | 8 |
| Downloader/JS | Cryxos | 4 |
| IP check | No-name | 28 |
| Keylogger | AgentTesla | 3 |
| Keylogger | Keybase | 2 |
| Keylogger | KeyLogger.acqh | 1 |
| Maldoc | No-name | 16 |
| Malicious download | No-name | 20 |
| Miner | No-name | 11 |
| Miner | Adylkuzz | 4 |
| Miner | 1ms0rry | 2 |
| Miner | Smominru | 1 |
| Other | FakeAlert.jh | 3 |
| Other | Ratankba | 1 |
| Other | Psiphon | 1 |
| Other | No-name | 1 |
| Other | DustySky | 1 |
| PUA/Adware | Wizzcaster | 3 |
| PUA/Adware | InstallCapital | 3 |
| PUA/Adware | BubbleDock | 3 |
| PUA/Adware | Sureseeker | 2 |
| PUA/Adware | OfferCast | 2 |
| Ransomware | Locky | 38 |
| Ransomware | AlphaCrypt | 8 |
| Ransomware | PadCrypt | 4 |
| Ransomware | Sage | 3 |
| Ransomware | Fatboy | 3 |
| RAT | Quasar | 2 |
| RAT | XPCSpyPro | 1 |
| RAT | TViewer | 1 |
| RAT | Teamspy | 1 |
| RAT | ShinoBot | 1 |
| Spambot | Kelihos.F | 8 |
| Spambot | Necurs | 5 |
| Spambot | XnxxAgent | 3 |
| Spambot | Sality | 3 |
| Spambot | Tofsee | 1 |
| Stealer | AZORult | 11 |
| Stealer | Loki | 10 |
| Stealer | FormBook | 6 |
| Stealer | WernikStealer | 2 |
| Stealer | Hawkeye | 2 |
| Trojan | Zbot | 29 |
| Trojan | No-name | 16 |
| Trojan | Andromeda | 12 |
| Trojan | Graftor | 7 |
| Trojan | Betabot | 6 |
| UA problem | No-name | 26 |