Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 9 and Oct. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat NameTypeDescription
Doc.Malware.Emotet-9774982-0 Malware Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.njRAT-9775005-1 Packed njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Packed.Razy-9775377-1 Packed Razy is oftentimes a generic detection name for a Windows trojan. This malware typically collects sensitive information from the infected host, formats and encrypts the data, and sends it to a C2 server. In this case, the malware is functioning as ransomware, encrypting files with a .png, .txt, .html or .mp3 file extension.
Win.Packed.Gh0stRAT-9776529-0 Packed Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Dropper.Tofsee-9775522-0 Dropper Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Dropper.Remcos-9775269-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Dridex-9776370-1 Packed Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.

Threat Breakdown

Doc.Malware.Emotet-9774982-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry KeysOccurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FSUTIL
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FSUTIL
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRACERT
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AUTOFMT
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDOSYS
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSXBDE40
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSHEXT
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SQLCEQP30
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDOSYS
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSHEXT
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSDCHNGR
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SECPROC
Value Name: Description
1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
190[.]85[.]46[.]52 10
167[.]71[.]227[.]113 10
116[.]91[.]240[.]96 10
45[.]252[.]251[.]10 6
142[.]4[.]14[.]109 6
217[.]73[.]131[.]5 4
82[.]76[.]111[.]249 2
202[.]22[.]141[.]45 2
202[.]29[.]239[.]162 2
37[.]187[.]161[.]206 2
172[.]67[.]130[.]58 2
80[.]87[.]201[.]221 2
104[.]27[.]145[.]33 1
35[.]213[.]151[.]141 1
35[.]184[.]245[.]68 1
139[.]196[.]92[.]176 1
104[.]27[.]144[.]33 1
104[.]28[.]8[.]36 1
216[.]47[.]196[.]104 1
104[.]28[.]9[.]36 1
162[.]241[.]27[.]28 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
schema[.]org 6
api[.]w[.]org 6
gmpg[.]org 6
codienvietnhat[.]com 6
packzon[.]in 6
www[.]cloudflare[.]com 5
e13678[.]dspb[.]akamaiedge[.]net 4
cse-engineer[.]com 4
listingera[.]com 4
blog[.]zunapro[.]com 1
electronicsvibes[.]com 1
brycebrumley[.]com 1
www[.]jornco[.]com 1
healthcureathome[.]com 1
Files and or directories createdOccurrences
%HOMEPATH%\Fd659f5\Nt882_p\Mwa6v5whk.exe 6
%HOMEPATH%\fD659f5 6
%HOMEPATH%\fD659f5\nT882_P 6
%HOMEPATH%\G0c64r2\L6rym4o\N3hpboq.exe 4
%HOMEPATH%\g0C64r2 4
%HOMEPATH%\g0C64r2\L6rYm4o 4
%SystemRoot%\SysWOW64\Syncreg 1
%SystemRoot%\SysWOW64\avicap32 1
%SystemRoot%\SysWOW64\NlsData004c 1
%SystemRoot%\SysWOW64\WlanMM 1
%SystemRoot%\SysWOW64\netprof 1
%SystemRoot%\SysWOW64\imapi2 1
%SystemRoot%\SysWOW64\dpnaddr 1
%SystemRoot%\SysWOW64\NlsLexicons000d 1
%SystemRoot%\SysWOW64\userenv 1
%SystemRoot%\SysWOW64\mfc140deu 1
%SystemRoot%\SysWOW64\NlsLexicons0020 1
%SystemRoot%\SysWOW64\ds32gt 1
%System32%\NgcCtnrGidsHandler\cofire.exe (copy) 1
%System32%\iphlpsvc\XInputUap.exe (copy) 1
%System32%\TokenBrokerCookies\dsclient.exe (copy) 1
%System32%\certca\InternetMailCsp.exe (copy) 1
%System32%\msdtckrm\capiprovider.exe (copy) 1
%System32%\apprepapi\iaspolcy.exe (copy) 1
%System32%\wscapi\FXSST.exe (copy) 1

*See JSON for more IOCs

File Hashes

3dc27bfea129de80fabb8e5ec05816202ae50e9b182b9d1f67546491c7fbe01c
3f5284458a0d2d7d50d7487391aae521f625a8920bfe03a7c88d412f8c17699e
939e9772cc64e88895365ccc1be8d7a6ef4b7c47b70165c35c79e2391ab50656
9f2b84e3636d99a49ea3ae417c564253d9a351cc49c756a61c63acd530fd3748
b18241915f09540635b0cc900d7652b72af39fa16e4a3fb8a1e17264b3e0b3e0
c127cf0ce097e22f9f1fe0ca565c77a111745b85b0e78b21d20833055bc821d5
cf9401d8bcbb01edf06c19509b572a26047b2788a41f0ffa5d52c2189fe5a125
d366dfc971747d113549ee401fa6dc07dfa0f478c9b08109640f84151bd2da29
d7f2699f9b7e0c263fcbd73238a883871965586fad16985455a85498ce8b520a
e145443e68242815362d6737543409a1adb395879c75c43849abd5e401df522d
e218d7c8b3bd6e69065f2a2bee81c88865d2068a46c3997339a200318f7b82b4
e3f75fa3896fe0551e1a892b0bf308e786326218836e5824fcfac7cd813c142e

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Malware


MITRE ATT&CK


Win.Packed.njRAT-9775005-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
25
<HKCU>\SOFTWARE\DCF85917AB8C5B61C254CBEEFA6BF578 10
<HKCU>\SOFTWARE\DCF85917AB8C5B61C254CBEEFA6BF578
Value Name: [kl]
10
<HKCU>\SOFTWARE\90B2434F3ECE5313178BA9B0027DAA86 3
<HKCU>\SOFTWARE\90B2434F3ECE5313178BA9B0027DAA86
Value Name: [kl]
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 279f6960ed84a752570aca7fb2dc1552
1
<HKCU>\SOFTWARE\279F6960ED84A752570ACA7FB2DC1552
Value Name: [kl]
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 279f6960ed84a752570aca7fb2dc1552
1
<HKCU>\SOFTWARE\CF56EE275CC59274062DC1B03224CA99
Value Name: [kl]
1
<HKCU>\SOFTWARE\279F6960ED84A752570ACA7FB2DC1552 1
<HKCU>\SOFTWARE\5F7D1D941484D5F928FCE4D10EE1D4B4 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 5f7d1d941484d5f928fce4d10ee1d4b4
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 5f7d1d941484d5f928fce4d10ee1d4b4
1
<HKCU>\SOFTWARE\5F7D1D941484D5F928FCE4D10EE1D4B4
Value Name: [kl]
1
<HKCU>\SOFTWARE\CF56EE275CC59274062DC1B03224CA99 1
<HKCU>\SOFTWARE\CMD 1
<HKCU>\SOFTWARE\CMD
Value Name: [kl]
1
<HKCU>\SOFTWARE\45378FAB7904E257E11B9F51F98B8EBD 1
<HKCU>\SOFTWARE\45378FAB7904E257E11B9F51F98B8EBD
Value Name: [kl]
1
<HKCU>\SOFTWARE\88108416B573A8CBCD201FA5911501FB 1
<HKCU>\SOFTWARE\88108416B573A8CBCD201FA5911501FB
Value Name: [kl]
1
<HKCU>\SOFTWARE\04E89D4DCF58F2A8D6444CD714BCEFA6 1
<HKCU>\SOFTWARE\502E14A835CA50F7E3A72AE4E46A4AD9 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 04e89d4dcf58f2a8d6444cd714bcefa6
1
MutexesOccurrences
<32 random hex characters> 14
dcf85917ab8c5b61c254cbeefa6bf578 10
cmd 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
41[.]102[.]39[.]1 1
41[.]42[.]68[.]235 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
softnetdos[.]no-ip[.]org 10
khaled39[.]no-ip[.]biz 3
imsara[.]dynu[.]net 1
karem[.]no-ip[.]org 1
nourj2002[.]ddns[.]net 1
chabbilal[.]servemp3[.]com 1
arseisa[.]no-ip[.]org 1
redprince[.]no-ip[.]org 1
sawaaa[.]zapto[.]org 1
etoile85[.]ddns[.]net 1
jou7a[.]no-ip[.]biz 1
mido[.]linkpc[.]net 1
Files and or directories createdOccurrences
%TEMP%\svchost.exe 4
%TEMP%\server.exe 3
%APPDATA%\svchost.exe 1
%TEMP%\system.exe 1
%TEMP%\cmd.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\cmd.exe 1
%ProgramData%\fefid.exe 1
%SystemRoot%\netsh.exe 1
%TEMP%\serve1r.exe 1

File Hashes

0688af91de8a61286262dc8793059d20b23b9f1f9cef6f24691689806ee74014
12be53cf28956a78871ef209726cc278b0e22d466b65488dfdae0b4841feb8e9
31754a3bae68fd636bed62d342cc380a5eabd6e45ea7588729ba790a8198d985
38b3c5aa27fcbfc082dc770cead2014f985419a689e7c6a5155d4d2acdb8a1ed
40806048e6fd3ea240f36c4d6c8076e07f1b609e10770aa1c5ed785e9541f464
435061f10fc7fb9bb2fd0c6dfe893b2aa1eb3f22ff2e63e85529a110b7824755
48fdb5b6671fec8d9c5ab04c197f39f904e9da4f2a575733a613bec6357855eb
495556e1fe9a4a5329b05b6a34b22b61174f6abae0f66976cc19bd02203d0253
526c9bfa52ce5880ea967c31706c47bfcf9a3317b2184a061a50616b4294bbd7
6357268318677115b7d467602ef5f4dc4ad6134d52f33221147b905894953f64
684a7b6feff7f131c02524f07f553df684bd5d6478811fa1d1f8c3ab0fee20c5
783cb391648b7354cf89983fa86176876d74f9c08a209dc5408217e0d21055ff
7a7249ea33a800883d0cabf880abba858bc9a9d34e58a85bbf67be84a889f21c
88c9bc1352c7719dd1e72dce8f25424ef3102d084fc51e790943cda099137f09
926d76f6143d782690a0e9c39e7022854c982d24a30f374da45184f75d3802db
a5683bafd10956d103dfc8f2a33491790800481da766c729b229a8f4f2ae088c
ab2f8aec0cc00f9b6b8bcdb0d75d1f43d9944f86c7d5652ba4c2fac807790f98
b981a8c149990487a1fc868bad58d4aee1bf7644a5449c50c7f11bded7b4b360
c5270baa9d57818e7724106fc70c45630fd5f2440acd38f13203bf46611fc952
d378cf79077da04069a0d2a37fcf9c30a50f33edee20d6fcea6efa1afe07e16a
e17dad29f9e124a53978f250bfc6498db5d4c5ea5bbab55958dddafacb4ac0b9
e728ab793b17fe04c166074747720a74dc5585d9f5739719ab4acbcfa6ed0669
ed4d9b68035a737ec7b16396a1a47572e4d6692d2714ae2681cf259aac94df2c
f5633cf902863b6a3a5775794a2ec9a513e6ca7367374caf9a0c6c1deeed2bdd
fa421ae7ef693702067542426fe30f9f74799ed444bd82cee400abc8e23a033f

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Razy-9775377-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry KeysOccurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager
2
MutexesOccurrences
Global\{b7c5d67b-f577-4d35-adc7-6994a8049b53} 3
3749282D282E1E80C56CAE5A 2
9DAA44F7C7955D46445DC99B 1
Global\{a039597e-730f-4f99-80a0-3fc9d9f01396} 1
0f2edf0cec8246d2a8b4bec33606ed52 1
QSR_MUTEX_rVn0OUE8f1tzJgSd1f 1
1FbCZ4b926z65MjMq8coMhXqm8pXuRvLxEclipperrorRER1233326FDSH123 1
"C:\TEMP\674b6b071bc03e9e95abcdc930f6df18.exe" 1
"C:\TEMP\16cbf284ad8ba39cd8660caf5c96b659da01c48d227faa9c0b19ab73877b93bf.exe" 1
"C:\TEMP\4f40d0c6e41b42bcd713138009c76d2ce4b43f0b869c53ff8760e3803e8d652c.exe" 1
"C:\TEMP\573a4ac703fcb9aff145a3d56ec9fbb34af2d260d1523858f838c4ccdb653571.exe" 1
cf2e49d5189c25536738c7da064894bb 1
"C:\TEMP\bd071330fde9d2d39058b1c36af731649b49c816a619d98ce59a29f250956322.exe" 1
Global\{2f901924-92c3-4b7e-a0c7-7b8fa4d2fdb3} 1
"C:\TEMP\e561e60e52424d0b332e924758d04a3079e62e26cd816daff2f6bfbace32728a.exe" 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
5[.]231[.]208[.]172 3
208[.]95[.]112[.]1 2
88[.]99[.]66[.]31 1
37[.]235[.]1[.]177 1
37[.]235[.]1[.]174 1
192[.]35[.]177[.]64 1
72[.]21[.]81[.]240 1
79[.]134[.]225[.]69 1
79[.]134[.]225[.]77 1
185[.]244[.]30[.]148 1
195[.]69[.]140[.]147 1
23[.]46[.]238[.]193 1
184[.]73[.]247[.]141 1
104[.]28[.]5[.]170 1
23[.]21[.]109[.]69 1
50[.]19[.]252[.]36 1
45[.]142[.]214[.]109 1
185[.]244[.]26[.]214 1
129[.]205[.]113[.]226 1
79[.]134[.]225[.]45 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
finlandmc[.]com 3
ip-api[.]com 2
ctldl[.]windowsupdate[.]com 2
cpanel[.]com 1
apps[.]digsigtrust[.]com 1
apps[.]identrust[.]com 1
elb097307-934924932[.]us-east-1[.]elb[.]amazonaws[.]com 1
api[.]ipify[.]org 1
cs11[.]wpc[.]v0cdn[.]net 1
iplogger[.]org 1
ubanano20[.]ddns[.]net 1
a767[.]dscg3[.]akamai[.]net 1
pklz[.]xyz 1
dailyupdates[.]theworkpc[.]com 1
judge777[.]ddns[.]net 1
Files and or directories createdOccurrences
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 5
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 5
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 5
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 5
%APPDATA%\24E2B309-1719-4436-B195-573E7CB0F5B1\run.dat 4
%APPDATA%\D282E1 2
%APPDATA%\D282E1\1E80C5.lck 2
%ProgramFiles(x86)%\AGP Manager 2
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe 2
%ProgramFiles%\UPNP Host\upnphost.exe 2
%System32%\Tasks\TASKDIRFORTASKCREATE\TASKFORTASKCREATE 1
%TEMP%\Remove.bat 1
%APPDATA%\GvFndnBatchX2\GvFndnBatchX2.exe 1
%APPDATA%\GvFndnBatchX2\GvFndnBatchX2.exe:ZoneIdentifier 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\GvFndnBatchX2.vbs 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\mlopq.vbs 1
%APPDATA%\zxcvq\sqdfg.exe 1
%APPDATA%\zxcvq\sqdfg.exe:ZoneIdentifier 1
%APPDATA%\Logs\10-08-2020 1
%TEMP%\eeue8tyr.0.cs 1
%TEMP%\eeue8tyr.cmdline 1
%TEMP%\eeue8tyr.dll 1
%TEMP%\eeue8tyr.out 1
%TEMP%\RESA89E.tmp 1
%TEMP%\CSCA89D.tmp 1

*See JSON for more IOCs

File Hashes

06ad7352e8df2766524e159ceb405d0f3fdf2906bbc5b134e7c9caed881ed8fc
16cbf284ad8ba39cd8660caf5c96b659da01c48d227faa9c0b19ab73877b93bf
255be6fc1b75b14337d3c047df8a531d08d4e8866e21b05061137ccbc3905dea
4f40d0c6e41b42bcd713138009c76d2ce4b43f0b869c53ff8760e3803e8d652c
505d2d03509ee090cd93eafe0f014f664e03721cc27f7c8a56735e8329fd5306
509f65635f1ee1a9d7907944dca2f9671f29c9bf72e9546d04141b2d074696ac
530a9cd4b0b789fa5ca4290b7295d2c02deff78de3eb7fbbc2f9e78ebd998b27
573a4ac703fcb9aff145a3d56ec9fbb34af2d260d1523858f838c4ccdb653571
5d7c904da62fd0e06c2bfa07a4e28514e73f1fe40a2bc41e7ed0bb73347042aa
7200b362dfb336483d716fbbd84930894e5c8c28acd6a2ceff2b5da5cd3894fc
7de531a94dffa3e9402b48e51640150d672a61ac3955727b93b85260dc77039e
8447b866a7df3c93b8fb34e3102c91fe98d9a3f70725d854d27ef64975eed118
a2b6095c45460733b8abddc5568ffc5f3090f9d6e3d2bb435eeaa81dd99a5296
bd071330fde9d2d39058b1c36af731649b49c816a619d98ce59a29f250956322
bd2cc506c957ff052800919a41bdef128dfe530a1713dbaabae4d98ce6344c35
dd9c191d56c856c10dbfaf044fabc224f4f0b500821552a8f1a9c6b8b0eaa218
e561e60e52424d0b332e924758d04a3079e62e26cd816daff2f6bfbace32728a
f4c18b1462a5749f2b85902b78b12e5209bcbcbb29aa767d3500e1c1189f6dc1

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Gh0stRAT-9776529-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
MutexesOccurrences
xmrminer.f3322.net 25
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
122[.]114[.]28[.]118 3
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
xmrminer[.]f3322[.]net 25

File Hashes

086a43e783b6301d5758f43bce59a71908c7beb9f31afd3c88bde7d89081db6b
0b69637677363f8765ef59d4073f10c19db3e6eda763fee1a4680bc61a5a5945
18d500db9d5d870bbca3ed50670ad6e259003592dc61ce372d7626b6acf5989f
1e3b12941b0f169ad30bc307350172e2c3b346541e379bc8a1c98e0aa625f0ba
1eb49a10b3992a8d7a95108f6e48e0ca482aebe5f56e5ad436b87c4c3e4e13ee
210377d50800161c63db7068f7224b7f7e18d3fd739d15a1b77f2bef091adc79
24911cabb1d9b217f00e6dafdb6607c6c01c073f2f6e23605ff5fc8f2a44ccea
32bb54dba512c34638c104e41ceeac1083ec83d5958616775e7fc9009f8abfba
397e9cbb36cb663e3117e3f577773d377df712ab208178c8e35c84a9a91da4fb
3b3e40373cc7c1235a262683ac539c8f6efc902a6765d2fe8694c9e60dd46e1b
41125961b0048ffe6b29b121148deddd19f2f58887c64281422fef29ac1a3786
424198f8dc6074042785e70a152dac8473bf6dafe9db158f8b94c444293cb55e
4f723ee7efd7fae98d2d60de1265e387b436caf68cb2791b970c4a9ac1356c6b
536afb2611a0363bbb675e6f32657e7db6dd05fad13b5dc066c9c427c2066a60
54613784248cdfe8f41caddc0888270f2dbfcde9b1f666689d7bc50fa803975c
5760976203c3ad7df17d2cc47c117cecd665662307c7a6085b7243ce769c101f
5d478008dcf53e99a5ab7d795ccbb60943fc17510d8e3bb7416701e026590e20
602fcadc6cbfd5ab1504bb17e29dab6ad4b00c0afd0b2e1e0207f44e79fadb2d
73b6ce9667f67bb47f49ed5e21e9456fffab34d5cc457c9c83eba0fba23019c8
7c7ccb06b03ceecc340775c5171401b4ec8a28e43b30149536a2f7236079c4fe
7c95ba9702aee8994f1984ea219ff662f01d5cf6da61ffaef451d944f6aa9fe3
8c19a55d2fd21ea8fb21e6e3bb9954e82fc90f052bb8f4537b939c07e57293d3
8cad83a9d756c65c308f46753fed9e2214a139d93070ba82ddc367bb61dba887
9131e51ffc8308856fd17b203819d0f06361fb3e91e145de8c00a3d9a807dd25
95a60431f9aa43ed178df4a2f1b2ffb4a5768ca86d990cb02b5a622583d9eb33

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.Tofsee-9775522-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 80 samples
Registry KeysOccurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
23
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 23
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRUSTEDINSTALLER
Value Name: Start
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRUSTEDINSTALLER
Value Name: Type
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRUSTEDINSTALLER
Value Name: ErrorControl
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRUSTEDINSTALLER
Value Name: DisplayName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRUSTEDINSTALLER
Value Name: DependOnService
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TRUSTEDINSTALLER
Value Name: DependOnGroup
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\rss
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Users\Administrator\AppData\Local\Temp\csrss
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\windefender.exe
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Users\Administrator\AppData\Local\Temp\wup
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PROCESSES
Value Name: csrss.exe
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PROCESSES
Value Name: windefender.exe
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\System32\drivers
6
MutexesOccurrences
Global\SetupLog 6
Global\WdsSetupLogInit 6
Global\h48yorbq6rm87zot 6
Global\Mp6c3Ygukx29GbDk 6
Global\ewzy5hgt3x5sof4v 6
Global\xmrigMUTEX31337 6
WininetConnectionMutex 6
Global\a00ba776735f6e27e0619d46a07be9d3 6
a00ba776735f6e27e0619d46a07be9d3 6
983379e5eacf56a55f44720792d81bc2 6
Global\983379e5eacf56a55f44720792d81bc2 6
NMOZAQcxzER 1
NNDRIOZ8933 1
NattyNarwhal 1
NeoNetPlasma 1
NetRegistry 1
OneiricOcelot 1
OnlineShopFinder 1
P79zA00FfF3 1
PCV5ATULCN 1
PJOQT7WD1SAOM 1
PSHZ73VLLOAFB 1
RaspberryManualViewer 1
RouteMatrix 1
SSDOptimizerV13 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
239[.]255[.]255[.]250 23
172[.]217[.]6[.]196 23
43[.]231[.]4[.]7 23
69[.]55[.]5[.]252 23
85[.]114[.]134[.]88 23
217[.]172[.]179[.]54 23
5[.]9[.]72[.]48 23
130[.]0[.]232[.]208 23
144[.]76[.]108[.]82 23
185[.]253[.]217[.]20 23
45[.]90[.]34[.]87 23
157[.]240[.]18[.]174 22
173[.]194[.]208[.]104/31 20
144[.]76[.]173[.]210 19
157[.]240[.]2[.]174 18
216[.]239[.]34[.]21 17
173[.]194[.]208[.]147 17
173[.]194[.]208[.]99 17
173[.]194[.]208[.]103 16
69[.]31[.]136[.]5 14
104[.]47[.]53[.]36 14
173[.]194[.]208[.]106 14
104[.]106[.]246[.]61 11
204[.]79[.]197[.]200 10
12[.]167[.]151[.]115 10

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
schema[.]org 23
microsoft-com[.]mail[.]protection[.]outlook[.]com 23
252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 23
252[.]5[.]55[.]69[.]in-addr[.]arpa 23
252[.]5[.]55[.]69[.]bl[.]spamcop[.]net 23
252[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 23
252[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 23
252[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 23
blo[.]pool-pay[.]com 19
api[.]sendspace[.]com 14
sso[.]godaddy[.]com 11
work[.]a-poster[.]info 10
115[.]151[.]167[.]12[.]in-addr[.]arpa 10
www[.]sendspace[.]com 9
www[.]google[.]co[.]in 7
www[.]sneakersnstuff[.]com 7
www[.]net-a-porter[.]com 7
iv0001-npxs01001-00[.]auth[.]np[.]ac[.]playstation[.]net 6
www[.]google[.]nl 6
e6225[.]x[.]akamaiedge[.]net 6
cacerts[.]digicert[.]com 6
ip[.]pr-cy[.]hacklix[.]com 6
119[.]151[.]167[.]12[.]in-addr[.]arpa 5
www[.]google[.]com[.]ua 5
www[.]google[.]de 5

*See JSON for more IOCs

Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\config\systemprofile 23
%SystemRoot%\SysWOW64\config\systemprofile:.repos 23
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 23
%TEMP%\<random, matching '[a-z]{8}'>.exe 23
%System32%\config\systemprofile:.repos 22
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 18
%SystemRoot%\Logs\CBS\CBS.log 6
%SystemRoot%\rss 6
%SystemRoot%\rss\csrss.exe 6
%TEMP%\csrss 6
%TEMP%\csrss\patch.exe 6
%TEMP%\Symbols 6
%TEMP%\dbghelp.dll 6
%TEMP%\ntkrnlmp.exe 6
%TEMP%\osloader.exe 6
%TEMP%\symsrv.dll 6
%TEMP%\csrss\DBG0.tmp 6
%System32%\Tasks\ScheduledUpdate 6
%System32%\Tasks\csrss 6
%System32%\drivers\Winmon.sys 5
%System32%\drivers\WinmonFS.sys 5
%System32%\drivers\WinmonProcessMonitor.sys 5
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 4
%APPDATA%\indepoped 2
%TEMP%\csrss\app.exe 2

*See JSON for more IOCs

File Hashes

064b91b5308847dc1da7594d6d57e5a61938a8b09013393c7af4f78c7e2f4622
071561d9d38c97ba6d85dee3b24f0a394e956a7dcc5c9235f90142e365429773
0a05a774a29d6c8fa54d7706ea9f1fe289be3f15280d432aa3aa9751a8c1049d
0a58a1f9e4c89d7e023a269b984fbfed1178936bd9498a42130c0cca0233e1a5
0b67b0e1db50d203f458f42f4564938373d27d272ac48156e7741429a84ea955
0c28dccb21e275b37e66b53a2738690c78c7649fe73c3f4e9878ba1b24b90a17
0d204a3dcd80cbbf3063bfa130f163a4281c56bab9a5017faf6307025b5c829d
0d9a659ca367421228f7e145afc7223f2c93e9e69500ac9c1290f5b5785ec466
13b9aaafab8d031b804d078479e553f43bb277386c681ad5364ef9d59d2e4426
16bfb3ec570d91f3c7321858d3707770ee005d36bb36a51e78fcdeec80b1ed20
17855cca50e283f0144afad6ba76c2242a6ea865993eddb75859ef02affa2b69
17d1e8f9b9257d2a55be61d9ad7fadeed6cba1db5e4252946d7ca9f0ed9c4390
19e97313de65543b319eb1e33017838a21f612433313b7a8fb1f9e55b33bcb4c
1a5dd163ad9bac6381fd91d792469ddf47190a7e7c521add6a0c701fb61d6ae4
1b67021a8020192aa458dc3d6242712ac9c8299181aa8a27b62b6df43e64b59f
1b6c9b7af48b1657f0c2c5af418bd17d2df88619d10829493fe0597eea59a3b1
1c76b631dd54f736e8bf3c822ab85e167c91fa18f19b7f38cc57e0aa4cfb6511
1f54885497804c465f2cfd5275b6ec09cf1a62c8578cec16e2e9795f1526923d
20dc57ac2a9bad9f717c272626aa30d81d9b67634029aca9e8c4b5df067f5885
223a2ae4d6b4ce958fb225a7c31a51690d30a57a2eed855d0ff23eae142141d5
22b2ddca1597c8f420d624bf894d505f2acbddad48417e10d3acf09e3bbce132
235e0ab0483a7a3f6cb4301f18f359517e12120e1acfd19cd814252cde5733d2
274c361fd9334c84a4ec51972eb13df63411492562524e48f412c9438d1a20dc
27cb6c16f047e0f99186b7d1abbda4d89929559a51ee97d0a9efa329d4592100
280e6ff50667190b051ff91d5836cbaa430628fb8e8de2fbc9157bd47439a816

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.Remcos-9775269-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry KeysOccurrences
<HKCU>\ENVIRONMENT
Value Name: windir
11
<HKCU>\SOFTWARE\NETWIRE 2
<HKCU>\SOFTWARE\NETWIRE
Value Name: HostId
1
<HKCU>\SOFTWARE\REMCOS-KO8TXB 1
<HKCU>\SOFTWARE\REMCOS-KO8TXB
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOS-KO8TXB
Value Name: licence
1
<HKCU>\SOFTWARE\REMCOSSS-ZQM59L 1
<HKCU>\SOFTWARE\REMCOSSS-ZQM59L
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOSSS-ZQM59L
Value Name: licence
1
<HKCU>\SOFTWARE\REMCOS-1XWULW 1
<HKCU>\SOFTWARE\REMCOS-1XWULW
Value Name: exepath
1
<HKCU>\SOFTWARE\REMCOS-1XWULW
Value Name: licence
1
<HKCU>\SOFTWARE\REMCOS-88VOSB 1
<HKCU>\SOFTWARE\REMCOS-88VOSB
Value Name: exepath
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Yqgx
1
<HKCU>\SOFTWARE\REMCOS-88VOSB
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Tkhv
1
<HKCU>\SOFTWARE\CVXDSAXZCAS-C19IL8 1
<HKCU>\SOFTWARE\CVXDSAXZCAS-C19IL8
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ccgx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Lglz
1
<HKCU>\SOFTWARE\-Y4K8X5 1
<HKCU>\SOFTWARE\-Y4K8X5
Value Name: exepath
1
<HKCU>\SOFTWARE\-Y4K8X5
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Avcm
1
MutexesOccurrences
Remcos_Mutex_Inj 8
3749282D282E1E80C56CAE5A 7
9DAA44F7C7955D46445DC99B 7
- 1
Remcos-KO8TXB 1
Remcosss-ZQM59L 1
Remcos-1XWULW 1
Remcos-88VOSB 1
cvxdsaxzcas-C19IL8 1
-Y4K8X5 1
Remcos-D772CV 1
September-IJ9HLQ 1
aqyuio-A5YQYE 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
162[.]159[.]135[.]232/31 8
172[.]217[.]11[.]33 7
172[.]217[.]11[.]14 6
209[.]85[.]201[.]132 6
195[.]69[.]140[.]147 4
162[.]159[.]128[.]233 4
162[.]159[.]137[.]232 4
204[.]79[.]197[.]200 3
162[.]159[.]133[.]233 3
162[.]159[.]138[.]232 3
185[.]234[.]52[.]117 3
104[.]223[.]143[.]132 3
173[.]194[.]206[.]100/31 3
72[.]21[.]81[.]240 2
23[.]3[.]13[.]154 2
162[.]159[.]136[.]232 2
172[.]217[.]11[.]46 1
194[.]5[.]98[.]5 1
205[.]185[.]216[.]42 1
205[.]185[.]216[.]10 1
79[.]134[.]225[.]69 1
79[.]134[.]225[.]76 1
162[.]159[.]130[.]233 1
162[.]159[.]129[.]233 1
79[.]134[.]225[.]85 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
discord[.]com 18
cdn[.]discordapp[.]com 8
ctldl[.]windowsupdate[.]com 7
googlehosted[.]l[.]googleusercontent[.]com 6
cpanel[.]com 3
a767[.]dscg3[.]akamai[.]net 3
nilemixitupd[.]biz[.]pl 3
cs11[.]wpc[.]v0cdn[.]net 2
cds[.]d2s7q6s2[.]hwcdn[.]net 2
doc-0o-9o-docs[.]googleusercontent[.]com 2
goddywin[.]freedynamicdns[.]net 1
latua[.]nsupdate[.]info 1
rromaniitalfoodsinc[.]zapto[.]org 1
fuckfuck0[.]ddns[.]net 1
zubbymoney4life[.]ddns[.]net 1
bushuc009[.]duckdns[.]org 1
doc-14-9o-docs[.]googleusercontent[.]com 1
doc-0s-9o-docs[.]googleusercontent[.]com 1
macapslafg[.]ug 1
perrymason[.]ac[.]ug 1
doc-0g-1c-docs[.]googleusercontent[.]com 1
doc-10-1c-docs[.]googleusercontent[.]com 1
insidelife1[.]ddns[.]net 1
doc-0s-1c-docs[.]googleusercontent[.]com 1
u875414[.]ddns[.]net 1

*See JSON for more IOCs

Files and or directories createdOccurrences
%PUBLIC%\Natso.bat 11
%PUBLIC%\x.bat 11
%PUBLIC%\cde.bat 11
%PUBLIC%\x.vbs 11
%APPDATA%\D282E1 7
%APPDATA%\D282E1\1E80C5.lck 7
%APPDATA%\7C7955\5D4644.lck 7
%APPDATA%\D282E1\1E80C5.exe 4
%APPDATA%\7C7955\5D4644.exe 4
%APPDATA%\remcos 3
%APPDATA%\remcos\logs.dat 3
%LOCALAPPDATA%\Microsoft\Windows\Yqgxnek.exe 1
%LOCALAPPDATA%\xgqY.url 1
%LOCALAPPDATA%\Microsoft\Windows\Tkhvnek.exe 1
%LOCALAPPDATA%\vhkT.url 1
%LOCALAPPDATA%\Microsoft\Windows\Lglznek.exe 1
%LOCALAPPDATA%\Microsoft\Windows\Ccgxnek.exe 1
%LOCALAPPDATA%\xgcC.url 1
%LOCALAPPDATA%\zlgL.url 1
%APPDATA%\Appo\Appo.dat 1
%LOCALAPPDATA%\Microsoft\Windows\Avcmnek.exe 1
%LOCALAPPDATA%\mcvA.url 1
%LOCALAPPDATA%\Microsoft\Windows\Akhrnek.exe 1
%LOCALAPPDATA%\rhkA.url 1
%LOCALAPPDATA%\Microsoft\Windows\Svpdnek.exe 1

*See JSON for more IOCs

File Hashes

02ec3e0823ceee4aad4a57753d47fe390db22cf4001708bbbe6af077fe146db8
1f04efba216a70f67f7d86cb3cfdccb282adcf9bfa3b5fb01168befcf584639c
2079033b3845344ea2b3f6ef451dcab2ade39e8c614f1a6da490a928ebc69453
23bc54e7ea03405d99a2bcb63cf3fb9ce8660b52124d8e56b1726e48ace19c2c
2df48332de94a5f6d50d6f2a6bba4695770d01679f72163671f0d75571f091c4
452b05fe37ebecdf74fdf43d5c119ac12f1454b918f7b763fb6a3999cc1c7a4c
639e9b01966ca0e3966e6cbc513c9f66f97c9d50ab7e59c17c4cbccdbfa2984f
6459a9e97d4b982bd7ab59434fbe96d7e289871733e46c755eaba190728818c6
66a80184a65bd847cfad4dc290dcad8e59791c19b13c277678c75dd2d0d11f5c
70becb8767f332806988daf8754f73c6d13b9b6d7f4ca4bc1f3ccf6e4d4e9e73
730ff53ff20637037da39558845d875852ad760be508d612d3a87241d7c7e2c6
7a7eae36a54dada555db57bd8f24e4a38a9b0f0432e13d19b16b538deb5e4142
8b918f9c74b65e17578f548419922dcacb08408b5fbae15fd2269f7dbb2a50d8
9c4a8d19b4569f2c457c7fc801ccbbd841228a5e201aa9ca71c26a1808ef5e14
b35655f68c781994bf22edcaf49e039366238da22d09c14ec373e55e7b5b0d66
ba31bf4be9b465954f0295e46dfc26f6028afde0276916070561e0715333138f
bf299d7470853a3e46815224518714e34b2338256bdb5d12f838b5e5da45b529
d2260cf4bc6a1c1c042af5caa0c0d76c4efca389588ddef8a57108ca3f1c41cb
fda7edab2bfba6005bc2f82548b9dcef7deec1fef238acc5fee12322d2b2629e

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Dridex-9776370-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
25
MutexesOccurrences
qv0Zk1TE8z 1
3geEzUvDSm 1
9PuVjsTunk 1
AExohw6chU 1
LqkiDOOuVm 1
QpsrvsMXav 1
Rru9sFPNk2 1
em1kia7UgL 1
zVxwpac899 1
0OUWBUr4FV 1
TWL8Zg664j 1
bEaUTx9TPq 1
c2vGxebf2w 1
uVNJh8qi6y 1
veVGARYxef 1
w6e8Pm37vO 1
wqKR9CoJfz 1
PE1Wguwh6v 1
1Eb8vVOmiF 1
q7HPx7p5v4 1
IctUkwdmMV 1
g0UFoyNGe6 1
hbE0gPMgbJ 1
vUVAWD5xtc 1
02H0oP1Yd3 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
172[.]217[.]10[.]110 25
104[.]23[.]99[.]190 13
104[.]23[.]98[.]190 12
173[.]194[.]204[.]138/31 9
173[.]194[.]204[.]100/31 7
72[.]21[.]81[.]240 6
23[.]3[.]13[.]154 4
173[.]194[.]204[.]113 3
23[.]3[.]13[.]88 2
216[.]218[.]206[.]69 1
172[.]217[.]197[.]101 1
173[.]194[.]204[.]102 1
173[.]194[.]207[.]105 1
172[.]217[.]197[.]94/31 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
pastebin[.]com 25
ctldl[.]windowsupdate[.]com 12
cs11[.]wpc[.]v0cdn[.]net 6
a767[.]dscg3[.]akamai[.]net 6
www[.]dwir95r7lx[.]com 1
www[.]nebzvmv0km[.]com 1
www[.]at0gjuf9f9[.]com 1
www[.]a4v8cngiue[.]com 1
www[.]s3zcpvwy40[.]com 1
www[.]yuoravluek[.]com 1
www[.]2otoezi8ft[.]com 1
www[.]r10dvot7bi[.]com 1
www[.]kxs2x93bos[.]com 1
www[.]0brofwnnbx[.]com 1
www[.]6axcgvzeuc[.]com 1
www[.]5470ezrlqr[.]com 1
www[.]4rge2mddbz[.]com 1
www[.]etdcdbn9si[.]com 1
www[.]kevogqdyyt[.]com 1
www[.]o3ivqjfjjj[.]com 1
www[.]qntrvj4imw[.]com 1
www[.]fm2urnafdp[.]com 1
www[.]tv27wsrp7o[.]com 1
www[.]pcxhgigv3j[.]com 1
www[.]lluc8zkkv3[.]com 1

*See JSON for more IOCs

Files and or directories createdOccurrences
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 25
<malware cwd>\old_<malware exe name> (copy) 25

File Hashes

001b67330a3a39977ad6e2bfd60dd0420f467948f632d0086b965e7cb0aad189
00f7e8018adc3a72debe7426b551a0c7e60f55563090c714cf70033011e34371
088a6c8608f43ca29d92c420bd2c2827f743f09b4a96587cfdeb9ebde63f78a7
0bbc8f3445755822102b1f5df2307ee1105cdf88bcc34806ff33d028822c3889
0f3fb51d48c0bb09d54452c28ca4d3a46f3607daf9dbcc2db0da7b3422147f5b
15524d542e9913e716db2b93a930ba2fbd8b72e42cceb66b8cd21623b20cc2bd
1a8bf1123a93a97ce01d01ebde971db5d0f8df7236aac3976e98828eb6fc9451
29664c67c00d75eba029684967df7437eb7b47e73709c98a7490a7047f04e4a6
2e4e6f8dde0f6421d3282b9d4cbbd85e188be8f4af5fe99f98b04cbde16565da
3018e4ee9008cebda5a9b3ddab088796eceb21d5c08edc33a90ce0fbfd97e34a
376a9e0d9d381f1bd3ba826cea641fab2f48292e997938e71f96dc0533b25492
3e7c3ae58cea13778a5848539fb502b4d508858176b3978c7c01c78bd9fb4002
408d06d0159fefb4bb39e8f4073a7a08192c9a1956f45ba82bbaf79366772cdf
44ff9dca7883258e206d52859ac7cb314ae208efb645e626010993fe8723722d
489bddd788d5a361ad3cad279dc739320dec8fa175e2e44590681d8793edd575
4cdf508b6de5bc22decf0ad3ce710f5136a7c99583af67b18593d19ddf3db22c
4d44e86d2ee7599f90d01da6f336f2cb743471e70af9a523972cfd08df466130
4d6456c480a372d6c054690ffb23e921b5fe44a0b552307e34edbd31f2eeb645
4fa9f09b42eca4b5b80434c705569de9923da74a524cb5b5fd44dbd954202a00
50a877f11021b43c6988199e0751302e310d48ba0798fe8c1583a3591021ac40
5381ae7e22ddd84f61eb38fdaf3197a734c6eb2625862d2dc6697fab40936442
56924db7d3f39a229b6d6bdcf0d1fc3f83ccea863e7f0a06126cead76a61ebb5
5b287c60ff17d5c080d9b5922f630455f0a3b2a48cb451ca9f0959b67ab57add
5b2afb6d15b94d38ac55e3671023faa66392379f67e673259c168b82d650e788
6112acd6d997db13e0ead13e6a9805880aac44926554162b3b3ea904da53ce48

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Fareit trojan has been detected - (5068)
Behavior assocaited with Fareit has been detected. Fareit is an information stealing trojan that can send sensitive data back to an attacker from the victim machine.
Dealply adware detected - (3541)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Process hollowing detected - (3266)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
CVE-2019-0708 detected - (1218)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Squiblydoo application whitelist bypass attempt detected. - (505)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Kovter injection detected - (420)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Installcore adware detected - (414)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Crystalbit-Apple DLL double hijack detected - (383)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Excessively long PowerShell command detected - (273)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Gamarue malware detected - (115)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.