Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 28 and Sept. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
--- | --- | ---
Win.Malware.Ponystealer-9635182-1 | Malware | Ponystealer is known to be able to steal credentials from over 100 different applications and may also install other malware such as a Remote Access Trojan (RAT).
Win.Trojan.Scar-9633394-0 | Trojan | Scar will download and execute files to the system while attempting to spread to other machines by copying itself to removable media.
Win.Trojan.Chthonic-9633435-1 | Trojan | Chthonic is a banking trojan derived from the Zeus family of banking malware. It is typically spread via phishing emails and attempts to steal sensitive information from an infected machine. Chthonic has also been observed downloading follow-on malware such as Azorult, another information stealer.
Win.Malware.Blackshades-9633290-1 | Malware | Blackshades is a prevalent trojan with many capabilities including logging keystrokes, recording video from webcams, and downloading and executing additional malware.
Win.Worm.Bublik-9631383-1 | Worm | Bublik is a downloader that targets Windows hosts. Although it's primarily used as malware to distribute various banking trojans, it's also capable of extracting and exfiltrating sensitive information from the host.
Win.Trojan.ZeroAccess-9631324-1 | Trojan | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns.
Win.Packed.Kuluoz-9629090-1 | Packed | Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Dropper.Glupteba-9622152-0 | Dropper | Glupteba is a multi-purpose trojan that is known to use the infected machine to mine cryptocurrency. It also steals sensitive information like usernames and passwords, spreads over the network using exploits like EternalBlue, and leverages a rootkit component to remain hidden. Glupteba has also been observed using the Bitcoin blockchain to store configuration information.
Doc.Downloader.Emotet-9619866-0 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.Gh0stRAT-7619117-1 | Trojan | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading and executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.

Threat Breakdown

Win.Malware.Ponystealer-9635182-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 78 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\WINRAR 14
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ooawak
12
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\GROUPS\00000201
Value Name: C
2
<HKLM>\SAM\SAM\DOMAINS\BUILTIN\ALIASES\00000220
Value Name: C
2
<HKLM>\SAM\SAM\DOMAINS\BUILTIN\ALIASES\0000022B
Value Name: C
2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SPECIALACCOUNTS 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SPECIALACCOUNTS\USERLIST 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\NAMES\SUPPORT_8712 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EE 2
<HKLM>\SAM\SAM\DOMAINS\BUILTIN\ALIASES\MEMBERS\S-1-5-21-2580483871-590521980-3826313501\000003EE 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT
Value Name: F
2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EE
Value Name: V
2
<HKLM>\SAM\SAM\DOMAINS\BUILTIN\ALIASES\MEMBERS\S-1-5-21-2580483871-590521980-3826313501 2
<HKLM>\SAM\SAM\DOMAINS\BUILTIN\ALIASES\MEMBERS\S-1-5-21-2580483871-590521980-3826313501\000003EE 2
<HKLM>\SAM\SAM\DOMAINS\BUILTIN
Value Name: F
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETWORK ADAPTER EVENTS
Value Name: Type
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETWORK ADAPTER EVENTS
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETWORK ADAPTER EVENTS
Value Name: ErrorControl
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETWORK ADAPTER EVENTS
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETWORK ADAPTER EVENTS
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETWORK ADAPTER EVENTS
Value Name: ObjectName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETWORK ADAPTER EVENTS
Value Name: Description
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETWORK ADAPTER EVENTS
Value Name: FailureActions
2
Mutexes | Occurrences
e621ca05-Mutex 27
FvLQ49IlzIyLjj6m 12
msrdp#v4.4.11 2
GLOBAL\{<random GUID>} 1
Local\{<random GUID>} 1
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
Files and/or directories created | Occurrences
%APPDATA%\<random, matching '[A-Fa-z0-9]{5,8}'>.exe 24
%System32%\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb 22
%System32%\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb 22
%System32%\sru\SRU.chk 22
%System32%\sru\SRU.log 22
%System32%\sru\SRUDB.dat 22
%System32%\drivers\etc\hosts 14
\atsvc 14
%System32%\Tasks\At1 14
%SystemRoot%\Tasks\At1.job 14
%System32%\drivers\etc\test 14
%System32%\drivers\etc\hosts.sam 14
%APPDATA%\Ooawak.exe 12
%System32%\sru\SRUtmp.log 12
%System32%\SRU\SRU.log (copy) 12
%System32%\SRU\SRU000A8.log (copy) 12
%SystemRoot%\SysWOW64\Storage 2
%SystemRoot%\SysWOW64\Storage\D4CF19EB 2
%SystemRoot%\SysWOW64\Storage\D4CF19EB\$RECYCLE.BIN 2
%SystemRoot%\SysWOW64\Storage\D4CF19EB\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500 2
%SystemRoot%\SysWOW64\Storage\D4CF19EB\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500\desktop.ini 2
%SystemRoot%\SysWOW64\Storage\D4CF19EB\System Volume Information 2
%SystemRoot%\SysWOW64\Storage\D4CF19EB\System Volume Information\tracking.log 2
%SystemRoot%\SysWOW64\Storage\log.log 2
%TEMP%\ppcrlui_1752_2 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
--- | ---
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

[Images: screenshots of detection (AMP, ThreatGrid) and MITRE ATT&CK technique map]


Win.Trojan.Scar-9633394-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MSkip
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
8
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: SuperHidden
8
<HKCU>\CONSOLE
Value Name: cmdls
8
<HKCU>\SOFTWARE\MICROSOFT\CTF\MSUTB
Value Name: Left
5
<HKCU>\SOFTWARE\MICROSOFT\CTF\MSUTB
Value Name: Top
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STUCKRECTS2
Value Name: Settings
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STREAMS\DESKTOP
Value Name: TaskbarWinXP
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: CleanShutdown
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMGMT\PARAMETERS
Value Name: ServiceDllUnloadOnStop
5
Mutexes | Occurrences
PCAdministrator 9
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
fotolog[.]terra[.]com[.]br 6
ctldl[.]windowsupdate[.]com 4
cds[.]d2s7q6s2[.]hwcdn[.]net 2
cs11[.]wpc[.]v0cdn[.]net 1
elbanner[.]net 1
Files and/or directories created | Occurrences
\autorun.inf 9
E:\autorun.inf 9
E:\Start.exe 9
%SystemRoot%\Sys 9
%SystemRoot%\Sys\RegSrvc.exe 9
\Start.exe 9

File Hashes

Coverage

Product | Protection
--- | ---
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

[Images: screenshots of detection (AMP, ThreatGrid) and MITRE ATT&CK technique map]


Win.Trojan.Chthonic-9633435-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: Load
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1081297374
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 1081297374
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 25
IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness
Files and/or directories created | Occurrences
%ProgramData%\msodtyzm.exe 25
%ProgramData%\ms.exe 3
%ProgramData%\2135719256 1
%ProgramData%\2347482797 1
%ProgramData%\2347482017 1
%ProgramData%\2347480598 1
%ProgramData%\2347476900 1
%ProgramData%\2347482485 1
%ProgramData%\2347484466 1
%ProgramData%\2347479521 1
%ProgramData%\2347475184 1
%ProgramData%\2347481097 1
%ProgramData%\2347484919 1
%ProgramData%\2347490613 1
%ProgramData%\2347488320 1
%ProgramData%\2347486354 1
%ProgramData%\2347483608 1
%ProgramData%\2347489708 1
%ProgramData%\2347483967 1
%ProgramData%\2347492547 1
%ProgramData%\2347478258 1
%ProgramData%\2347486026 1
%ProgramData%\2347491861 1
%ProgramData%\2347483702 1
%ProgramData%\2347506681 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
--- | ---
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

[Images: screenshots of detection (AMP, ThreatGrid) and MITRE ATT&CK technique map]


Win.Malware.Blackshades-9633290-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
12
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL 12
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 12
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID 12
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\ID 12
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\DATE 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Java_Update
12
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\ID
Value Name: PNPR45LDRT
12
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\DATE
Value Name: PNPR45LDRT
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Users\Administrator\AppData\Roaming\JavaUpd.exe
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Users\Administrator\AppData\Roaming\.Java\JavaUpdate.exe
12
Mutexes | Occurrences
PNPR45LDRT 12
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
204[.]79[.]197[.]200 1
104[.]19[.]148[.]8 1
172[.]67[.]161[.]60 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
myftip[.]myftp[.]biz 12
Files and/or directories created | Occurrences
%APPDATA%\JavaUpd.exe 12
%SystemRoot%\SERVIC~2\Local Settings\AppData\Local\Temp\MpCmdRun.log 12
%APPDATA%\.Java 12
%APPDATA%\.Java\JavaUpdate.exe 12
%APPDATA%\Ted 12
%TEMP%\FNFWO.bat 1
%TEMP%\FNFWO.txt 1
%TEMP%\FGDME.bat 1
%TEMP%\FGDME.txt 1
%TEMP%\GFTAJ.bat 1
%TEMP%\GFTAJ.txt 1
%TEMP%\BGLYK.bat 1
%TEMP%\BGLYK.txt 1
%TEMP%\JIVCL.bat 1
%TEMP%\XUIUF.bat 1
%TEMP%\UBCIA.bat 1
%TEMP%\JIVCL.txt 1
%TEMP%\XUIUF.txt 1
%TEMP%\UBCIA.txt 1
%TEMP%\HMIIU.bat 1
%TEMP%\HMIIU.txt 1
%TEMP%\GRWSG.bat 1
%TEMP%\GRWSG.txt 1
%TEMP%\FSOMR.bat 1
%TEMP%\FSOMR.txt 1

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
--- | ---
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

[Images: screenshots of detection (AMP, ThreatGrid) and MITRE ATT&CK technique map]


Win.Worm.Bublik-9631383-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\LAYERS 13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\LAYERS
Value Name: C:\Windows\system32\igfxpk32.exe
13
Mutexes | Occurrences
muipcdraotse 13
S3xY! 13
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
204[.]79[.]197[.]200 1
Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\igfxpk32.exe 13

File Hashes

Coverage

Product | Protection
--- | ---
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

[Images: screenshots of detection (AMP, ThreatGrid) and MITRE ATT&CK technique map]


Win.Trojan.ZeroAccess-9631324-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: EnableConsoleTracing
24
<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: FileTracingMask
24
<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: ConsoleTracingMask
24
<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: MaxFileSize
24
<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP
Value Name: FileDirectory
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010
Value Name: PackedCatalogItem
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009
Value Name: PackedCatalogItem
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008
Value Name: PackedCatalogItem
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007
Value Name: PackedCatalogItem
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006
Value Name: PackedCatalogItem
24
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
64[.]210[.]151[.]32 24
178[.]32[.]190[.]142 24
94[.]242[.]250[.]64 14
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
promos[.]fling[.]com 24
Files and/or directories created | Occurrences
\systemroot\assembly\GAC_32\Desktop.ini 24
\systemroot\assembly\GAC_64\Desktop.ini 24
%SystemRoot%\assembly\GAC_32\Desktop.ini 24
%SystemRoot%\assembly\GAC_64\Desktop.ini 24
\systemroot\assembly\temp\@ 24
\systemroot\assembly\temp\U 24
\systemroot\assembly\temp\cfg.ini 24
\systemroot\system32\consrv.dll 24
%System32%\consrv.dll 24
%SystemRoot%\assembly\temp\@ 24
%SystemRoot%\assembly\temp\cfg.ini 24
\systemroot\system64 24

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
--- | ---
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

[Images: screenshots of detection (AMP, ThreatGrid) and MITRE ATT&CK technique map]


Win.Packed.Kuluoz-9629090-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 25
<HKCU>\SOFTWARE\KCHKBLNC
Value Name: hhimcenm
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ccdxhofk
2
<HKCU>\SOFTWARE\LCUTKVAC
Value Name: pqnpumbf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kuqaqvqq
1
<HKCU>\SOFTWARE\FDMDPESL
Value Name: axeujtmf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qwbkcjmg
1
<HKCU>\SOFTWARE\QHGNEPEQ
Value Name: gdvkbpqf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ehfofqxs
1
<HKCU>\SOFTWARE\GOVTXRBN
Value Name: jsmkoflu
1
<HKCU>\SOFTWARE\QQNKBLIS
Value Name: xumqjooc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dbqpjilo
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: btxnirrc
1
<HKCU>\SOFTWARE\AKXOQNRO
Value Name: pxutqlqd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: esjpchtf
1
<HKCU>\SOFTWARE\RVRLNNEQ
Value Name: rhauhrou
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mupsusfl
1
<HKCU>\SOFTWARE\FARFXMBO
Value Name: atdugnea
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dcqekeup
1
<HKCU>\SOFTWARE\PIILHSNW
Value Name: lfldaakq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: umucwdrc
1
<HKCU>\SOFTWARE\WPKFEMJL
Value Name: jcpvvamd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wwejkisx
1
<HKCU>\SOFTWARE\XWOIBFVM
Value Name: vlorwpbv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tjflffto
1
Mutexes | Occurrences
aaAdministrator 25
abAdministrator 25
IP Addresses contacted by malware. Does not indicate maliciousness
Files and/or directories created | Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 25

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.Glupteba-9622152-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV, Value Name: DeleteFlag 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONFS 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONFS\INSTANCES 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONFS\INSTANCES\WINMONFS 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMON 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMON\SECURITY 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONFS\SECURITY 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONPROCESSMONITOR 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONPROCESSMONITOR\SECURITY 8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PROCESSES, Value Name: d12c99f7af77.exe 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: DistributorID 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: CampaignID 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: SB 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: PatchTime 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: PGDSE 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: Firewall 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: Defender 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: FirstInstallDate 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: ServiceVersion 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: SC 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: VC 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: ServersVersion 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: OSCaption 8
<HKCU>\SOFTWARE\MICROSOFT\A1890984, Value Name: OSArchitecture 8
Mutexes Occurrences
Global\h48yorbq6rm87zot 8
Global\Mp6c3Ygukx29GbDk 8
Global\ewzy5hgt3x5sof4v 8
Global\xmrigMUTEX31337 8
25ba6ebb3e470993540ebc62e98a51e2 8
Global\25ba6ebb3e470993540ebc62e98a51e2 8
Global\b7c341015338340fc8cc5c21e0473579 8
b7c341015338340fc8cc5c21e0473579 8
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness Occurrences

*See JSON for more IOCs

Files and/or directories created Occurrences
%SystemRoot%\Logs\CBS\CBS.log 8
%SystemRoot%\rss 8
%SystemRoot%\rss\csrss.exe 8
%TEMP%\csrss 8
%TEMP%\csrss\dsefix.exe 8
%TEMP%\csrss\patch.exe 8
%System32%\drivers\Winmon.sys 8
%System32%\drivers\WinmonFS.sys 8
%System32%\drivers\WinmonProcessMonitor.sys 8
%TEMP%\Symbols 8
%TEMP%\Symbols\ntkrnlmp.pdb 8
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02 8
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02\download.error 8
%TEMP%\Symbols\pingme.txt 8
%TEMP%\Symbols\winload_prod.pdb 8
%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361 8
%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361\download.error 8
%TEMP%\dbghelp.dll 8
%TEMP%\ntkrnlmp.exe 8
%TEMP%\osloader.exe 8
%TEMP%\symsrv.dll 8
%TEMP%\csrss\DBG0.tmp 8
%System32%\Tasks\ScheduledUpdate 8
%System32%\Tasks\csrss 8
%APPDATA%\d12c99f7af77\d12c99f7af77.exe 1

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Doc.Downloader.Emotet-9619866-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: Type 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: Start 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: ErrorControl 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: ImagePath 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: DisplayName 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: WOW64 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: ObjectName 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>, Value Name: Description 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MIBINCODEC, Value Name: ImagePath 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMPUTERDEFAULTS, Value Name: ImagePath 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDURDU, Value Name: Description 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TXFLOG, Value Name: ImagePath 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ONLINEIDCPL, Value Name: ImagePath 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KBDURDU, Value Name: ImagePath 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PRVDMOFCOMP, Value Name: ImagePath 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NLSLEXICONS0026, Value Name: Description 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMPUTERDEFAULTS, Value Name: Description 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETWORKITEMFACTORY, Value Name: ImagePath 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETWORKITEMFACTORY, Value Name: Description 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NLSDATA0018, Value Name: ImagePath 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MMCICO, Value Name: ImagePath 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MMCICO, Value Name: Description 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PRVDMOFCOMP, Value Name: Description 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ONLINEIDCPL, Value Name: Description 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
50[.]121[.]220[.]50 27
81[.]169[.]145[.]94 27
204[.]79[.]197[.]200 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
sindicatodeseguridad[.]com 27
e13678[.]dspb[.]akamaiedge[.]net 11
Files and/or directories created Occurrences
%HOMEPATH%\Yt_y5jN 27
%HOMEPATH%\Yt_y5jN\nKmZfVz 27
%HOMEPATH%\Yt_y5jn\Nkmzfvz\Sp3k7gus.exe 27
%System32%\raserver\NPSMDesktopProvider.exe (copy) 2
%System32%\InstallAgent\LockScreenContent.exe (copy) 2
%SystemRoot%\SysWOW64\taskeng 1
%System32%\drtprov\KBDMAC.exe (copy) 1
%System32%\pid\netjoin.exe (copy) 1
%System32%\iesysprep\LocationGeofences.exe (copy) 1
%System32%\msobjs\mskeyprotect.exe (copy) 1
%System32%\mscat32\MSFlacDecoder.exe (copy) 1
%System32%\ngctasks\msxml6r.exe (copy) 1
%System32%\setbcdlocale\osbaseln.exe (copy) 1
%System32%\mfvdsp\msaudite.exe (copy) 1
%System32%\KBDINASA\MDMAgent.exe (copy) 1
%System32%\webcheck\EmailApis.exe (copy) 1
%System32%\NcaSvc\mstext40.exe (copy) 1
%System32%\msxbde40\msscp.exe (copy) 1
%System32%\ActionQueue\hhsetup.exe (copy) 1
%System32%\MP3DMOD\msdmo.exe (copy) 1
%System32%\setupetw\PackageStateRoaming.exe (copy) 1
%System32%\MSWB7\msrle32.exe (copy) 1
%System32%\MapControlCore\moshost.exe (copy) 1

File Hashes


*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Malware


MITRE ATT&CK


Win.Trojan.Gh0stRAT-7619117-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: EvtMgr 26
Mutexes Occurrences
67.198.215.213:3204 26
M67.198.215.213:3204 26
0x5d65r455f 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
67[.]198[.]215[.]214 26
67[.]198[.]215[.]212/31 26
49[.]7[.]37[.]126 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
blogx[.]sina[.]com[.]cn 25
blog[.]sina[.]com[.]cn 25
Files and/or directories created Occurrences
\1.txt 26
\<random, matching '[a-z]{4,7}'>.exe 25
\<random, matching [a-z]{7,15}> 9
\cgtmj\ReadMe.txt 2
\cgtmj 2
\cgtmj\yzbltu.dll 2
\taoyi\ReadMe.txt 2
\taoyi 2
\tnkclcyng.exe 2
\zqqhe\mhnzk.dll 1
\qidlg\xtpwj.dll 1
\taoyi\covuhnat.dll 1
\gpbtj\hxhmxk.dll 1
\taoyi\hskie.dll 1
\geqbtmsmb.exe 1
\znxscr\ebfsh.dll 1
\vtqth\ijfhuma.dll 1
\syvbqon\fntkc.dll 1
\wgbxsc\bkfot.dll 1
\jpcukn\moclw.dll 1
\gjocxlijx\hdvjp.dll 1
\mwovt\esvwxcy.dll 1
\padcnyqx\hhhpz.dll 1
\ufbll\xmhsv.dll 1
\kixyica\zjbqm.dll 1

*See JSON for more IOCs

File Hashes


*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Dealply adware detected - (18423)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (2556)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (1266)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Installcore adware detected - (1155)
Installcore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Squiblydoo application whitelist bypass attempt detected. - (1004)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Crystalbit-Apple DLL double hijack detected - (730)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Excessively long PowerShell command detected - (542)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Kovter injection detected - (429)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Palikan browser hijacker detected - (113)
Palikan is a potentially unwanted application (PUA) and browser hijacker, a type of malware that most of the time does not explicitly or completely state its function or purpose. When it is present on the system, it may change the default homepage, change the search engine, redirect traffic to malicious sites, install add-ons, extensions, or plug-ins, open unwanted windows or show advertising. Palikan commonly arrives as a file dropped by other malware or as a file downloaded unknowingly from a malicious site. It has also been closely associated with DealPly.
Gamarue malware detected - (86)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.