shiz is classified as a banking trojan, a category of malware focused on stealing online-banking and financial credentials. It has one or more associated MITRE ATT&CK technique references (linked on this page) that document the behaviors observed for it. We have not yet published a hand-verified detailed profile for this family; the MITRE references below are the authoritative source for its documented techniques.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1185 T1056.001 T1113 T1041 T1547.001
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_SHIZ {
meta:
description = "Detects Shiz (banking_trojan)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "shiz" ascii wide nocase
$s2 = "win32.shiz" ascii wide nocase
$s3 = "shiz.a" ascii wide nocase
$s4 = "shiz.b" ascii wide nocase
$s5 = "shiz_banker" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Shiz Activity
id: b846e823d7376211eee0aa58beef9652
status: experimental
description: Detects generic indicators of the shiz malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*shiz*"
- "*win32.shiz*"
- "*shiz.a*"
- "*shiz.b*"
- "*shiz_banker*"
condition: selection
level: mediumRefer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/shiz.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.