Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 31 and Aug. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat NameTypeDescription
Win.Dropper.Qakbot-9146336-0 Dropper Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Packed.HawkEye-9228219-0 Packed HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.
Win.Dropper.DarkComet-9199045-1 Dropper DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Dropper.LokiBot-9170218-0 Dropper Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.Gh0stRAT-9224912-0 Dropper Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Dropper.NetWire-9164792-0 Dropper NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Threat Breakdown

Win.Dropper.Qakbot-9146336-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: Type 		15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: Start 		15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ErrorControl 		15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ImagePath 		15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DisplayName 		15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DependOnService 		15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: DependOnGroup 		15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: WOW64 		15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ
Value Name: ObjectName 		15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AVKAXOQ 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Type 		10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: Start 		10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ErrorControl 		10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ImagePath 		10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DisplayName 		10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnService 		10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: DependOnGroup 		10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: WOW64 		10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX
Value Name: ObjectName 		10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: iyifdyu 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cvuhzmmn 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: udilcq 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pgmgxaj 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: gfnrpxh 		1
MutexesOccurrences
llzeou 25
Global\amztgg 15
amztgga 15
Global\eqfik 10
eqfika 10
<32 random hex characters> 10
<random, matching [a-zA-Z0-9]{5,9}> 8
<random, matching [a-fA-F0-9]{10}> 6
\Sessions\1\BaseNamedObjects\yctaxosa 1
\Sessions\1\BaseNamedObjects\445662303a 1
\Sessions\1\BaseNamedObjects\suzwffr 1
\Sessions\1\BaseNamedObjects\Global\yyvta 1
\Sessions\1\BaseNamedObjects\445662305a 1
\Sessions\1\BaseNamedObjects\yyvtaa 1
\Sessions\1\BaseNamedObjects\Global\ailvb 1
\Sessions\1\BaseNamedObjects\445662309a 1
\Sessions\1\BaseNamedObjects\oaubkey 1
\Sessions\1\BaseNamedObjects\ailvba 1
\Sessions\1\BaseNamedObjects\Global\rjiceww 1
\Sessions\1\BaseNamedObjects\rjicewwa 1
\Sessions\1\BaseNamedObjects\445662307a 1
\Sessions\1\BaseNamedObjects\kpzvif 1
\Sessions\1\BaseNamedObjects\vpubka 1
\Sessions\1\BaseNamedObjects\Global\vpubk 1
\Sessions\1\BaseNamedObjects\kebqimrg 1

*See JSON for more IOCs

Files and or directories createdOccurrences
%APPDATA%\Microsoft\Amztggm 15
%APPDATA%\Microsoft\Amztggm\amztg.dll 15
%APPDATA%\Microsoft\Amztggm\amztgg.exe 15
%TEMP%\~amztgg.tmp 15
%APPDATA%\Microsoft\Eqfikq 10
%APPDATA%\Microsoft\Eqfikq\eqfi.dll 10
%APPDATA%\Microsoft\Eqfikq\eqfik.exe 10
%TEMP%\~eqfik.tmp 10
%APPDATA%\Microsoft\Duazxlbu\duazxl.dll 1
%APPDATA%\Microsoft\Duazxlbu\duazxlb.exe 1
%APPDATA%\Microsoft\Dcpptfmac\dcpptfm.dll 1
%APPDATA%\Microsoft\Dcpptfmac\dcpptfma.exe 1
%APPDATA%\Microsoft\Uunhru\uunh.dll 1
%APPDATA%\Microsoft\Uunhru\uunhr.exe 1
%APPDATA%\Microsoft\Wyrcaqdy\wyrcaq.dll 1
%APPDATA%\Microsoft\Wyrcaqdy\wyrcaqd.exe 1
%APPDATA%\Microsoft\Lhbdih\lhbd.dll 1
%APPDATA%\Microsoft\Lhbdih\lhbdi.exe 1
%APPDATA%\Microsoft\Zaemxbdja\zaemxbd.dll 1
%APPDATA%\Microsoft\Zaemxbdja\zaemxbdj.exe 1
%APPDATA%\Microsoft\Poebyko\poeby.dll 1
%APPDATA%\Microsoft\Poebyko\poebyk.exe 1
%APPDATA%\Microsoft\Gueathru\gueath.dll 1
%APPDATA%\Microsoft\Gueathru\gueathr.exe 1
%APPDATA%\Microsoft\Fiqyoi\fiqy.dll 1

*See JSON for more IOCs

File Hashes

00cad8f6750c3f223f9a228969c727ce711830492436947fc6c16282d528e0be
064e6ce0623bef879ea9d85f5653b7e1dd06e17b8852c65614d813b9fc0aecb2
11358b03f203810ba77da708c3f511aaa56f5aef0361f4954e33728f2e4b5df1
1172f535563187bb44be9e7cfe1f5eabb5e8cfc22ca0e69be079a664abc52e6c
12d77a596dd4b6209a95a52e7950b9845579cdb493de616c4165ce5b3314b8f1
164398b068ba8ab5ea8ca731ad9f8ffe7f2c4cd87a799010aa18dc1f7258c623
195a7c0debf86e788da5475161572ac5eecf9217ca978b2ff3942ebdb4694b0d
1fa4f25154137ccc88d289267b9055569326486ed04af47fe7ff21e043d86fde
210c4073b9f8cfbad599329cc41a0278d2cc55b28a666630dce33534c9299e32
24af6d356227daa57c11887b14a4cc0bfe422c73752e784ce2868739fbd7a82d
274cac7b54de8a5b23209af3bb8b9b2950a87267b8f62471df432ef2fb21afe3
2a981c6a52c04db6d074ea75abff3b1db6ec3d2f5104bd6f3b9feba215730c34
2aecba1acd75adbabd9bc5d11c129ca3527bd646ab28c90ac40f04f55816e97d
2f6d93b3ecd92eebfba2d262ceb78fa90cc3e4b85369a1473c59865aec868e1d
2feb022802257d13f5d296b966d92759b6a872766c47e90b3b8b371a0819b98f
30e0c7051021cf70472ae34741aeb1aae1af98c1cbe0a6ca9de86b9fa687c16f
31e127a5571c2f8c4dc097b6ab219ffb764594d3fa42df4040511c139e0af02d
31fd1383bcc447fd2726b003d5a8c02270df67b49321182749a8f0cf204d1e0b
3af60109f2158300ad8925c927e4716d55b1d27a9c43a396d12d4b64e026645f
3b5ae60682df4f20b0ed2d0f53aefa85d38f63ef6fcbd6ac75ab895f51a65324
3b64ba312348241705f0a7ce61cc6e4abcf49f5b5f9b842956848cb374932f7c
3e28437ec03595cba0e16a029dba289c6c1f19de272190edcae5c59d867653bf
430b65da54219d0c97e1a2a1db0281be4d11c94861577646f68cf2c3a8c310c8
431682a701e14edb3f942d0d53708aec65b65948f8ea139e91d8d2e568e86662
45cd32ffbc15160ad7aeb98c0bf08c25c2085df7b9b49d1202e9d7476eaf0687

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK

Win.Packed.HawkEye-9228219-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden 		22
<HKCR>\LOCAL SETTINGS\MUICACHE\66\52C64B7E
Value Name: LanguageList 		21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update 		3
MutexesOccurrences
WAdYUoVlJMDozTcnfGyo 1
AtBUGSYNOJQfUkQxnnGp 1
xLKmUOQjVQhJAltxEDap 1
xeqJzzMVyAyYnoTrCxFC 1
QzcHfvhyYmPAaxNyiPOv 1
kGICOjHlcOSzAhmoklHj 1
SyfAjmiHnNlQLJcjjEXx 1
falklIVtkFihJmUVSTXE 1
sUAXLQaxSQfYNpWJAuBP 1
cWUiiqhvlmsDMYJjLfkN 1
tSpmLtnijYJIHwQpFVTy 1
teVOqzhfFhQnxWVkhAcA 1
bLqdxULAMnpWeOHsDkJe 1
ycCYSAgmGRupHMOqxEbh 1
HPMUMhghCsItkYLOGKRq 1
dcrTXLYTeHaImzpsynua 1
fpXLMUIlDWlGHLbpJvRg 1
RbUDNRSedTOGBrvsvUhD 1
hvncOfryNgVnlSdgfoiU 1
muCbudfCdwsRPJlTEnII 1
OXgeRTSNuzldRxagdXvR 1
FLoNVwOlzJinJeWpHeAi 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
216[.]146[.]43[.]70/31 14
216[.]146[.]38[.]70 9
162[.]88[.]193[.]70 7
103[.]17[.]124[.]72 7
91[.]198[.]22[.]70 6
91[.]198[.]22[.]142 5
131[.]186[.]161[.]70 5
146[.]148[.]88[.]167 5
131[.]186[.]113[.]70 4
103[.]254[.]255[.]235 3
74[.]208[.]5[.]15 2
103[.]215[.]136[.]10 2
82[.]223[.]149[.]134 2
202[.]75[.]53[.]189 2
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
checkip[.]dyndns[.]org 22
checkip[.]dyndns[.]com 22
mail[.]falconequipment[.]com[.]my 7
mail[.]vogue-steel[.]com 5
mail[.]zenitel[.]com[.]sg 4
13[.]169[.]14[.]0[.]in-addr[.]arpa 3
smtp[.]mail[.]com 2
232[.]243[.]5[.]0[.]in-addr[.]arpa 2
216[.]47[.]6[.]0[.]in-addr[.]arpa 2
mail[.]airkelantan[.]com[.]my 2
mail[.]cofrupla[.]com 2
24[.]107[.]12[.]0[.]in-addr[.]arpa 1
159[.]228[.]9[.]0[.]in-addr[.]arpa 1
207[.]189[.]1[.]0[.]in-addr[.]arpa 1
205[.]12[.]2[.]0[.]in-addr[.]arpa 1
241[.]215[.]8[.]0[.]in-addr[.]arpa 1
236[.]76[.]10[.]0[.]in-addr[.]arpa 1
35[.]56[.]3[.]0[.]in-addr[.]arpa 1
242[.]116[.]3[.]0[.]in-addr[.]arpa 1
146[.]215[.]12[.]0[.]in-addr[.]arpa 1
167[.]187[.]14[.]0[.]in-addr[.]arpa 1
27[.]58[.]7[.]0[.]in-addr[.]arpa 1
57[.]122[.]6[.]0[.]in-addr[.]arpa 1
Files and or directories createdOccurrences
%APPDATA%\pid.txt 22
%APPDATA%\pidloc.txt 22
%TEMP%\Mail.txt 22
%TEMP%\Web.txt 22
%System32%\wbem\Logs\wbemprox.log 18
%TEMP%\dw.log 18
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 17
\Sys.exe 9
\autorun.inf 9
E:\autorun.inf 9
E:\Sys.exe 9
%APPDATA%\WindowsUpdate.exe 3

File Hashes

03344bc984096a07b79e85237352ef2286805b993d3a7ee43a588cf42a6ed519
07886e04b3ac7e91dbb6994be27cfc929933c654978b64a3a7a0009f997e161d
0936878054623832906646290d8f5f5fe955f60523a0f7ebf4896c329cbebdfa
0afc9af65a81c5ab801faf042a3bf5d3d1eee3d4a75962a9d8e51b495f0ac2fb
2230badacb83d848b44ecbeb2ebd9a72c046669e6fb7fd209a44db96a007632a
230ccb40553d3abd4fe593813495194d67b117a20cf3c33fb8074c9fdde45ab1
25d122f2016f4c5e1f409ddddb40f1d2f5667bf17f7ee3abb3bb4039599cb824
3124cc47d6580290a1d95055879e6c0876106ed4331101d8d5eb3d721c5d779d
32efa6a26fb26eab1efbc8ad110d067914522cbddb15200a577064474555201a
456adc548e01b5c7462a6cb97c4814389bcccdffbc5ffa87073ff69d8ea4805d
5d48e1129e22ce7f73c6f4f82ed7b60cba754354e7ae5552ca617612b3d26d09
793260438b0d1a87604e37a077f50109b425a0aae810fb4213b3d39c241d2104
8f70816165287d9bd18bc4678b8bc5f421ac9616f239e835e226d2c02913b90e
9085a359e0bb5b5594d08cd8210527cc18eef2ecbd6abad2a0194eaebe3ed962
a8f4e015e9082c93af28b3c4aae4b9a0605d577ab92b14179c74f2cd53baf1d2
c1867350880ca673f64adfdd87121868c2997e74800426fc5600c659482134bc
c2b64b805d62e4ebd0869fc391588cb19ad5ebf0b1b915fe28fe0ee9a282c56c
cd62fc24cab06b7792d8091d60999b9b108cea519e51584e920a816269228e72
cdb1a7a1559ec2a88555c1a09bde03f8af2be52f33db28d5d8810937bde3edf2
d41966907a2a009036f71a8c22c831f15ac02ee1efc8d69b4af768cc904f711a
f68ba6510fd91f4f49caa10e19dc31ecb85e189afd4a4b581fb792732c239cec
ff09dbdd5ea882b3f94caabb1e8826514ebdf05e9a514d15e53856d5d0e8e778

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK

Win.Dropper.DarkComet-9199045-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\DC3_FEXEC 11
MutexesOccurrences
DC_MUTEX-ZFF80Q7 11
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
209[.]97[.]151[.]172 11
204[.]79[.]197[.]200 2
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
pownedfag[.]pw 11
Files and or directories createdOccurrences
%APPDATA%\dclogs 11
%TEMP%\ExdosVT 11
%TEMP%\ExdosVT\exmsae.exe 11
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\exmsae.vbs 11

File Hashes

112cf541506407f27c512bdbffb2b608b4e608bbfd9497fb2657ed8f1f478c8f
1eb6b14ddd5e440c5ecb7e7b078b0b58954292728f5ec9ac02e8702f9e47a317
2063076cd065bd1f302bfbae83055eedf1282276a06804e7806ced2316d815c9
4b240ac760235aa37777283771ae2f69a0651cdd071dce8286514f9810b6d464
667763873e8b017386361ff89ac14ddb9e00c387a8426e05652231c98acf20be
92777d292742325b78ea9626bf3c266354b34813ccbbb9136488503a2bf7cdb3
9d7b148f01da2b61bee602fec0717d065627ae3a5ca09404b526a1eb4059dbc1
a9d2bad78b514cd9a109125073eb44a85fe7e2bdb14acc9a44b1ae7a643a453f
ba8b311cf604bd41d778c106c5139df15996346d570f2047662aa94d780b4d41
c16197238a4e8cf459f91665178dccf0512c0cd0de7f88bf1f69dc5205f42a35
c78ff74f453540088ee77551679c07e6f7c6351fd69ecf4a3403a17e51e598cc

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

Umbrella

MITRE ATT&CK

Win.Dropper.LokiBot-9170218-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\DEBUG
Value Name: StoreLocation 		3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\DEBUG
Value Name: StoreLocation 		3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden 		1
<HKCU>\SOFTWARE\NETWIRE 1
<HKCU>\SOFTWARE\NETWIRE
Value Name: HostId 		1
<HKCU>\SOFTWARE\NETWIRE
Value Name: Install Date 		1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: d89c6a81c7330d528071da246dac388b1e63d93dad11c332b093d6e2b4eb880a 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: d89c6a81c7330d528071da246dac388b1e63d93dad11c332b093d6e2b4eb880a 		1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: d9085f342d9c9d0d59c9db5e085f2034886007aa670d1cb141bde063f2fca871 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: d9085f342d9c9d0d59c9db5e085f2034886007aa670d1cb141bde063f2fca871 		1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fcbeac9fe0d60767d0a54af568880f3032a9db588d492325ede97e219e69d6c0 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fcbeac9fe0d60767d0a54af568880f3032a9db588d492325ede97e219e69d6c0 		1
MutexesOccurrences
- 3
Global\<<BID>>98B68E3C00000001 3
Global\<<BID>>98B68E3C00000000 3
\Sessions\1\BaseNamedObjects\- 3
3749282D282E1E80C56CAE5A 2
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A 2
(null)\69884752-95BE-4032-8AF1-B300F0E2CB97-Mutex 2
\Sessions\1\BaseNamedObjects\9DAA44F7C7955D46445DC99B 2
Global\0a70f6c1-d435-11ea-887e-00501e3ae7b6 1
Global\f25df061-d434-11ea-887e-00501e3ae7b6 1
Global\ff8d6d61-d434-11ea-887e-00501e3ae7b6 1
\Sessions\1\BaseNamedObjects\A2CF10742-C1AFDB0A-F2351354-EF2CFB53-EE38A44C 1
\Sessions\1\BaseNamedObjects\A2CF10742-C1AFDB0A-F2351354-874F81C6-865B2AC0 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
79[.]134[.]225[.]103 2
208[.]91[.]199[.]225 1
104[.]16[.]155[.]36 1
204[.]79[.]197[.]200 1
103[.]200[.]5[.]128 1
208[.]91[.]199[.]223 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
ml[.]warzonedns[.]com 2
bright1[.]awsmppl[.]com 2
hgfjhfs[.]ru 2
whatismyipaddress[.]com 1
us2[.]smtp[.]mailhostbox[.]com 1
202[.]200[.]1[.]0[.]in-addr[.]arpa 1
gracetime[.]tech 1
jetterweb[.]tech 1
Files and or directories createdOccurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\desktop.ini.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\1033\dv_dexplore.hxs.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\1033\msenvui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\1033\vslogui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\1033\vsmsoui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\Microsoft.WizardFramework.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\Microsoft.WizardFrameworkVS.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\Visualui.TTF.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\cmddef.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\custsat.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\dexplore.exe.config.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\dexplore.exe.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\dexplore.exe.manifest.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\dexplore.prf.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help 8\vslog.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1028\hxvzui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1031\hxdsui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1031\hxvzui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1033\hxdsui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1033\hxvzui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1036\hxdsui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1036\hxvzui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1040\hxdsui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1040\hxvzui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3
%CommonProgramFiles(x86)%\microsoft shared\Help\1041\hxdsui.dll.id[98B68E3C-2275].[recovermyfiles2019@thesecure.biz].Adame 3

*See JSON for more IOCs

File Hashes

2479a1f285949cf7a2b19758f78ecbc595665073d3b13fd399e06c1a33ca157d
267005cd5221b3fffb3d57a3a30782df4428888287974534a82d5a81bf531344
37e8f8cf627b3621dcd50754245d1148d669ab617ede5d253f15fed34cdfd2b7
4abe0fb2888c22709d10e06e7c3865e0a7b64d2d0bf49d9f4cdafef6467e1afc
6b9d2a9fed4f31531e86ddddbd22e07f3603179d1f9cfd3aa15c2d21cbe28496
6e3360bcd7d3087b3b91e12e3d579791183c62a4a080448b44150a16a301d3aa
75b5a3506e7061b43a6d0f48dcb816b496dad94ff4e6b09617126ce5f590dbc7
8754bf9bad26c7832e391c2761e0835b925f40a06410dfedfb77fa22ad90a408
8e8a41d7eb37d4532ee8bdc830d68393c89d35b53725f3faace4eab94b3718af
94363327dedb6a3d4fbdbb46ff0df0278287cdc14f7167500481e69c78998fc6
97dd7438acf6b0934b4d40818ad12337f68e8ed848b21b63723fed889e5aa487
a1954b3233d9982d400046f616bbdf41f2e76aa11521cba382eb46de7a04a02c
bbd6b46b84553bdf7a5b0a4f75f47d4ca733ddba4bff8d40ae41ea568ccb7b93
bec06905124882892ac557c70e35587c8295c493ce9a6435f52bcdebf867dbfd
d89c6a81c7330d528071da246dac388b1e63d93dad11c332b093d6e2b4eb880a
d9085f342d9c9d0d59c9db5e085f2034886007aa670d1cb141bde063f2fca871
e0e6dbd7e409794d63e509a80a52ba93e8b6fa3e1c4a78ae58d6b4a1381b225d
eeadaefc0f9331fbb9e1ceecf90667722dcae800a29c37413be37ff484daa61a
fcbeac9fe0d60767d0a54af568880f3032a9db588d492325ede97e219e69d6c0

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK

Win.Dropper.Gh0stRAT-9224912-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: it 		18
MutexesOccurrences
98.126.40.18:3204 18
M98.126.40.18:3204 18
\Sessions\1\BaseNamedObjects\M98.126.40.18:3204 17
\Sessions\1\BaseNamedObjects\98.126.40.18:3204 17
\Sessions\1\BaseNamedObjects\0x5d65r455f 3
0x5d65r455f 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
107[.]163[.]43[.]161 18
98[.]126[.]40[.]20 18
98[.]126[.]40[.]18/31 18
99[.]86[.]230[.]49 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
blogx[.]sina[.]com[.]cn 3
blog[.]sina[.]com[.]cn 3
Files and or directories createdOccurrences
\1.txt 18
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 18
%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.exe 18
%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.dll 18
%ProgramFiles%\<random, matching '[a-z]{5,8}'> 18
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 17
%ProgramFiles%\osjmr\11220225 2

File Hashes

14c2e56ccf01db50b6242a22f101c3efa9647a1b2c64ab2934aec5f2203df371
1ba0917fe3179d56b20d19497d9fafb8c95bea11772a2f57a9e955044eeb3514
2a9bd454a0959f08695c41cf6b1dbd74f7b87e32335e5d687dcdfc8d0a4b3d92
33e5851f462dd323a0566c5c873577090caad0904f4dbabe9f9b46914f01a578
3b58437a04bc83687f5cb8da5e1da3a042bba2a7f2fd629a569bd4429f4a4ba1
41811767f2db21ab2448bd083b7f6d373269753c6b5b43fb43e9410f35e1bd06
55986f8df9ec84d3fff651d384cee3f59b85844723a411c5182c9bc95b1ee2e6
573418b8b607425005a66a878da015e5e8a601f817fdabbd8871b4504386bb67
756011afc3c4002c09b3ad38fefc973503b3162b1161c2e3a55f90fd61254fd8
8157fad7ad37b2f6123bf5f57408e8b3a11c9941676d7d5a92c4eeb1f26d6441
93f77dc4ab8f30cd2f53596ae343a3f95a235c0cc895445cd0e33f8be6265342
99d33060ab078f0e43ec5c978013ba8157f413a7f9f0fe847955eced09ca356d
a7e3b7014dfd10577d8b8353ecd8cf541977683db4f6505c04aea82923608418
b8b1ebcb4859e9c0a93211b4f1070f7565b652a72f8e90139f1d92659bab6e23
bd6972691dd471a5118efb1f0d33c1928c07e943023d83f5eef0809a94a6f7d0
d2cf78a56e2979ac9cf625b8c0babd025452e1d40ca1fd77e90b45f044763104
fa08b3c9958e8823179acebc883b45e67eeee6f013222e831c179c6f24304a3e
fd0ab4af554ea084e65ae83451dd6a042d85923ff90de709ba13bdb547cce55c

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK

Win.Dropper.NetWire-9164792-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\WINRAR 7
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID 		7
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F 		7
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F 		7
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F 		7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: NetWire 		5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{MWL6CFL3-Q618-6BKD-A3S6-62B587EIG42V} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{MWL6CFL3-Q618-6BKD-A3S6-62B587EIG42V}
Value Name: StubPath 		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{80C05YHJ-SE4K-3AO5-QWV7-76Q74G80K50I} 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: microsofts 		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{80C05YHJ-SE4K-3AO5-QWV7-76Q74G80K50I}
Value Name: StubPath 		2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{74G121A4-RDHN-CC75-UK35-2O8372AD7026} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{74G121A4-RDHN-CC75-UK35-2O8372AD7026}
Value Name: StubPath 		1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{016Y712U-4LBJ-3H75-8D8M-KK3WW07Q65Q5} 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: adobe2 		1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{016Y712U-4LBJ-3H75-8D8M-KK3WW07Q65Q5}
Value Name: StubPath 		1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Imgburn 		1
MutexesOccurrences
- 11
<random, matching [a-zA-Z0-9]{5,9}> 8
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
173[.]254[.]223[.]117 3
105[.]112[.]99[.]57 2
23[.]227[.]199[.]214 2
67[.]227[.]226[.]240 1
5[.]56[.]133[.]98 1
213[.]184[.]116[.]47 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
noch419[.]myftp[.]org 8
noch419[.]zapto[.]org 8
prensoland[.]ddns[.]net 2
nony3000[.]ddns[.]net 2
nonny3000[.]ddns[.]net 2
pornhouse[.]mobi 1
ithbault[.]com 1
felceconserve[.]com 1
sender455[.]ddns[.]net 1
grupocava-mx[.]com 1
Files and or directories createdOccurrences
%APPDATA%\Install 15
%APPDATA%\Install\.Identifier 15
%APPDATA%\Install\Host.exe 13
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\drawname.vbs 8
%TEMP%\corelfolder 8
%TEMP%\corelfolder\drawname.exe 8
%LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.tmp 7
%TEMP%\-<random, matching '[0-9]{9}'>.bat 6
\TEMP\.Identifier 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\app.vbs 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\hhsghg.vbs 2
%TEMP%\Pictures 2
%TEMP%\Pictures\hhsghg.exe 2
%TEMP%\Win7x 2
%TEMP%\Win7x\app.exe 2
%APPDATA%\Install\netwire.exe 2
%TEMP%\subfolder 1
%TEMP%\subfolder\filename.scr 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbs 1
%TEMP%\802093.bat 1
%APPDATA%\adobe2 1
%APPDATA%\adobe2\pdf.exe 1
%APPDATA%\adobe2\.Identifier 1
%APPDATA%\Imgburnl 1
%APPDATA%\Imgburnl\ImgBurn.exe 1

*See JSON for more IOCs

File Hashes

08749bade577bfa92df7904bb8a146a687121d6153ed12b098ba668dcac49b8e
09099cde53b9ec037323f0d9ab82b8b0c713363d922b0c632935040586aa0a93
0c17a0cb945d50d7522e1970a5fd0b1c300602bb53e08b33e96a59b4807560ef
0d0d9163eb5227d3f451f5f4ee34e401d8882a8d71990192c66bf118847af2ec
215fa58ee9c00f5a23f331b910c5e992cbf94ee4338b0f81a051461cf2f7f198
250b810cfc08f764fe64253706c368a93d72a3f94599412265dd23c35221539d
27dfaf49362e5661f5a1555dd7d4bfd417e96091b546369ae69c40dab7069a67
2879a12ec400376386cf05bfd7e99cc3ab63ff565d552e0b89987b84a9fd436a
28da8e983a388bda854c1f4bdb7fcf6f89762f421f866c096571d735029167e3
430f8a219249f5151e1c010f5e12a1decefaede6254865dbea96a8bb86687ca1
5ca94a8724016bd252ae1eab571dc3f284db4622fe5e16098e5385eaa647e231
62db82c78f9ae72c0b3c5a61953f8ac30120d351a416acd0f253816dc694188e
6fc6198c488efc782bd4d67bffb924a3e317d0f7a65749d77209242837170126
7889a0d5eec069c45c0da71e3f94f9c144f7b3d1c5a61d71cb6a11f6e37f34da
92ae4ec3adbb6ae3f86fbc88b8144fd9eea9b88adec4ce9f9d92a943a195824e
a1083a2e7b5bc329c7f70ef04bf5afbc0e712a495ad2d89626b185a002dd7180
aec65ae5f623adc8027b68c42da3cfb80f4d53c486dc198fc82483c21b669187
b911cef4b970aeb2fb7b0131baabfadd240b4d154dea1dd8343698e4f51790be
b9c64e0aa71a3439aea071ce766833f7d422a7b6b528a9e6b7217af0fa7977c5
bda8b13fe58fe92afaeab2079d182fb4992d21897c6241c25739591d51214988
c25d4d2c0d09f06b1c7e83debc48fdd1a3b469630c8b18dd647679c73e9d082d
cf953d7b94c05e4020925da1191d8142495e21f5eb60122dc26c402a1f7ab3eb
d0061cacd685d7e29560e1aee5242851a94833d41779af52742cd6bc54766f62
d4d4435b3908aa2238ed1695e28ec70fb16bc3d7a7b00c1bdaa72f1e022bb86b
d7d9c7a88ce09e393d8bf03f10dc7a8b46b16a40b0e75746d6ab331de6333a09

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP

ThreatGrid

MITRE ATT&CK

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Dealply adware detected - (16454)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (3369)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Crystalbit-Apple DLL double hijack detected - (2002)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Process hollowing detected - (1565)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Squiblydoo application whitelist bypass attempt detected. - (1103)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Trickbot malware detected - (738)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Excessively long PowerShell command detected - (524)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Installcore adware detected - (482)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Gamarue malware detected - (253)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Kovter injection detected - (175)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.