Define the common malware categories and explain how you classify a sample by behavior.
Short answer
You classify by what the sample is built to do, observed from its behavior and capabilities. A dropper carries and writes a payload to disk; a loader fetches or injects the next stage, often only in memory; a RAT gives an operator interactive remote control; a wiper destroys data or boot records with no recovery intent; ransomware encrypts files and demands payment. Real samples often combine roles — a loader that deploys a RAT — so you describe the capability chain rather than forcing one label, and you map each behavior to ATT&CK techniques.
Classifying malware is about answering "what is this built to do?" so responders can scope the incident and prioritize. Interviewers ask juniors this to confirm the vocabulary is solid and that you classify on behavior, not on the antivirus label or the language it was written in.
The common categories
- Dropper. Carries an embedded payload and writes it to disk, then executes it. Self-contained; the malicious payload travels inside the dropper.
- Loader (stager). Fetches or injects the next stage — often pulling it from a C2 server and running it in memory to stay fileless. Lightweight by design; its whole job is to deliver something else.
- RAT (Remote Access Trojan). Gives an operator interactive remote control: shell, file transfer, screen capture, keylogging, webcam. Look for a command dispatcher and a C2 channel that takes tasking.
- Wiper. Destroys data, partitions, or the master boot record with no intent to recover — destruction, not extortion. Often disguised as ransomware to mislead responders.
- Ransomware. Encrypts files (and increasingly exfiltrates them) and demands payment, dropping ransom notes and usually deleting shadow copies.
Related labels you should know: backdoor, banking trojan, worm (self-propagating), rootkit/bootkit (stealth/persistence), and infostealer.
How you classify
Examine capabilities and behavior: imports and API calls, files written, network tasking, encryption versus destruction, persistence, and propagation. Wiper versus ransomware is the classic trap — both encrypt, but a wiper discards the key or corrupts irrecoverably, so the tell is whether recovery is even possible.
The mature framing
Real samples are multi-role: a phishing attachment drops a loader, which pulls a RAT, which later stages ransomware. Strong candidates describe the capability chain and map each behavior to MITRE ATT&CK, rather than forcing one rigid label.
Likely follow-ups
- How do you tell a wiper from ransomware when both encrypt files?
- Why is a loader often fileless or memory-only, and how does that affect analysis?
- How would a single intrusion involve several of these categories in sequence?